
Business Associate Agreement

This business associate agreement (this “BAA”) supplements and is made a part of the Chiron Health, Inc. (“Chiron Health”) Telemedicine Platform Services Terms and Conditions entered into in connection with the order form (this BAA together with such terms and conditions and such order form, the “Agreement”) submitted by you (“Provider” or “Covered Entity”) for the provision of Telemedicine Platform Services by Chiron Health.

 

Recitals.

Whereas, Chiron Health provides Telemedicine Support Services to Provider pursuant to the Agreement;

Whereas, Provider may wish to disclose Protected Health Information (“PHI”), which may include Electronic Protected Health Information (“ePHI”), in its capacity as a Covered Entity, to Chiron Health pursuant to the terms of the Agreement and this BAA;

Whereas, the Department of Health and Human Services has issued regulations under the Health Insurance Portability and Accountability Act of 1996, as amended (“HIPAA”), including the Standards for Privacy of Individually Identifiable Health Information, 45 C.F.R. Parts 160 and 164, sub-parts A and E (the “Privacy Rule”), as amended by the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”) and the Standards for Security of Electronic Protected Health Information, 45 C.F.R. Parts 160, 162 and 164 (the “Security Rule”), as amended by the HITECH Act (collectively, the “Privacy and Security Rules”); and

Whereas, Sections 164.502(e) and 164.504(e) of the Privacy and Security Rules set forth requirements for the Covered Entity to enter into written agreements with Business Associates that will have access to Covered Entity’s PHI (as defined below); and

Whereas, Covered Entity and Chiron Health intend to protect the privacy and provide for the security of PHI disclosed to Chiron Health in compliance with the terms of the Agreement, this BAA and HIPAA; and

Whereas, the purpose of this BAA is to set forth obligations of the parties in connection with the Agreement as well as those necessary to satisfy HIPAA and HITECH Act requirements, including, without limitation, those relating to Business Associates and Business Associate Agreements;

Now Therefore, for good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the parties, intending to be legally bound, hereby agree as follows:

 

Definitions. The terms used, but not otherwise defined, shall have the meaning ascribed to them in the Agreement and, as applicable, the HIPAA Regulations.

“Disclosure” with respect to PHI, means the release, transfer, provision of access to or divulging in any other manner of PHI outside the entity holding the PHI.

“Electronic Protected Health Information” or “ePHI” shall mean PHI transmitted by Electronic Media (as defined in 45 C.F.R. § 160.103) or maintained in Electronic Media.

“Individual” shall have the meaning given to such term under the Privacy and Security Rules and shall include a person who qualifies as a personal representative in accordance with 45 C.F.R. § 164.502(g).

“Protected Health Information” or “PHI” shall have the meaning given to such term under the Privacy and Security Rules, limited to the information created or received by Chiron Health from or on behalf of Covered Entity. “PHI” includes, without limitation, ePHI.

 

Permitted Use or Disclosure of PHI By Chiron Health. The parties agree that except as otherwise limited in this BAA, Chiron Health shall be permitted to use or disclose PHI provided or made available from Covered Entity to perform any function, activity or service for, or on behalf of, Covered Entity consistent with the scope of services, provided that such use or disclosure would not violate HIPAA if done by Covered Entity.

Use for Management and Administration. Chiron Health may use PHI created or received in its capacity as a Business Associate of the Covered Entity, if such use is necessary for the proper management and administration of Chiron Health or to carry out the legal responsibilities of Chiron Health.

Disclosure for Management and Administration. Chiron Health may disclose PHI created or received in its capacity as a Business Associate of the Covered Entity for the proper management and administration of Chiron Health if the disclosure is required by law or Chiron Health obtains reasonable assurances from the person to whom the PHI is disclosed that it will be held confidentially and used, or further disclosed, only as required by law or for the purpose for which it was disclosed to the person, and the person agrees to notify Chiron Health of any instances that it becomes aware in which the confidentiality of the PHI has been breached.

This Section of the Addendum shall survive the termination or expiration of the Addendum or the Agreement.

 

Chiron Health Obligations. Chiron Health covenants and agrees that it shall:

Not use or further disclose PHI other than as permitted or required under this BAA or as required by applicable law or regulation.

Use appropriate safeguards to prevent the use or disclosure of PHI that it creates, receives, maintains or transmits on behalf of the Covered Entity, or as required by law.

Require any of its agents or subcontractors to whom Chiron Health provides PHI received from Covered Entity, or created or received by Chiron Health on behalf of Covered Entity, to agree, in writing, to adhere to the same restrictions and conditions with respect to PHI that apply to Chiron Health under this BAA.

To the extent that Chiron Health maintains PHI in a Designated Record Set, make available to Covered Entity within 15 days of receiving an oral or written request from Covered Entity, such information as is necessary to fulfill Covered Entity’s obligations to provide PHI: (i) pursuant to an Individual’s right to obtain a copy of his or her PHI under 45 C.F.R. § 164.524(a); (ii) that may be related to an Individual’s right to amend his or her PHI under 45 C.F.R. § 164.526; and (iii) that may be required to provide an accounting of disclosures pursuant to 45 C.F.R. § 164.528. Chiron Health will provide an accounting directly to an Individual when required by Covered Entity and HIPAA. Chiron Health shall also, as directed by Covered Entity, incorporate any amendments to PHI into copies of such PHI maintained by Chiron Health. In the event Chiron Health receives a direct request from an Individual for a copy of his/her PHI or for an accounting of disclosures, Chiron Health shall provide such information directly to Covered Entity for transmission to the Individual.

Make available to the Secretary all internal practices, books and records relating to the use and disclosure of PHI received from, or created by, Chiron Health on behalf of Covered Entity, for purposes of determining Covered Entity’s or Chiron Health’s compliance with federal privacy laws and regulations.

During the term of the Agreement, notify Covered Entity as soon as possible, but no later than 10 business days after Discovery, of any use or disclosure of PHI not provided for by this BAA, except as limited in the paragraph directly below, including Breaches of Unsecured PHI or Security Incidents. Such notice will be supplemented as soon as practicable, and will include, as information becomes available: (i) a brief description of the incident, including the date of the Breach and the date of the discovery of the Breach; (ii) the identification of each individual whose Unsecured PHI was Breached; (iii) a description of the types of Unsecured PHI that were involved in the Breach; (iv) any steps individuals should take to protect themselves from potential harm resulting from the Breach; and (v) a brief description of actions that Chiron Health is undertaking to investigate the Breach, to mitigate harm to individuals, and to protect against any further Breaches.

Chiron Health will report to Covered Entity on no less than a quarterly basis any Security Incidents involving PHI of which Chiron Health becomes aware in which there is a successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in Chiron Health’s systems in a manner that risks the confidentiality, integrity or availability of such information. Notice is hereby deemed provided, and no further notice will be provided, for unsuccessful attempts at such unauthorized access, use, disclosure, modification, or destruction, such as pings and other broadcast attacks on a firewall, denial of service attacks, port scans, unsuccessful login attempts, or interception of encrypted information where the key is not compromised, or any combination of the above.

Use, request and disclose to its subcontractors, agents or other third parties, only the minimum PHI necessary, in Chiron Health’s judgment, to accomplish the intended purpose of the use, disclosure or request.

This Section of the Addendum shall survive the termination or expiration of the Addendum or the Agreement.

 

Covered Entity Obligations. Provider, as a Covered Entity, covenants and agrees that it shall:

Promptly notify Chiron Health of any limitation(s) in its Notice of Privacy Practices, to the extent that such limitation may affect Chiron Health’s Use or Disclosure of PHI.

Promptly notify Chiron Health, in writing, of any changes in, or revocation of, permission by Individual to Use or Disclose PHI, if such changes may affect Chiron Health’s Use or Disclosure of PHI.

Promptly notify Chiron Health, in writing, of any restriction on the Use and/or Disclosure of PHI to which Covered Entity has agreed, to the extent that such restriction may affect Chiron Health’s Use or Disclosure of PHI.

Obtain any patient authorizations or consents that may be required under state or federal law to transmit PHI to Chiron Health and to enable Chiron Health to Use and Disclose PHI as contemplated by the Agreement and this BAA.

Not ask Chiron Health to Use or Disclose PHI in any manner that would be impermissible under applicable laws or regulations.

This Section of the Addendum shall survive the termination or expiration of the Addendum or the Agreement.

Audit. Covered Entity shall have the right to request documentation sufficient to determine Chiron Health’s compliance with HIPAA requirements relating to the creation, use, access or disclosure of PHI, as it relates to the privacy and security requirements contained in this BAA. Covered Entity shall provide Chiron Health with reasonable written notice prior to such request, unless the request is in response to a recent known or suspected Breach and/or is being conducted in an effort to provide information to any regulatory authority.

 

Limited Liability. In no event shall Chiron Health be liable to Provider for any losses or costs of Provider or third-parties or for any matters relating to Provider’s Telemedicine Medical Services (as defined in the Agreement) or any other aspects of its practice of medicine or its obligations as a Covered Entity under HIPAA, including, any lost reimbursement or revenues or lost profits, or special, incidental, punitive or consequential damages advised of the possibility of such damages. Furthermore, in no event shall Chiron Health’s liability to Provider under any circumstances exceed the amount of compensation actually received by Chiron Health from Provider under the Agreement.

Provider shall indemnify, defend and hold Chiron Health harmless from and against any and all third party claims, liability, suits, losses, damages and judgments, joint or several, and shall pay all costs and expenses (including counsel’s fees and expenses) as they are incurred in connection with the investigation of, preparation for or defense of any pending or threatened claim or any action or proceeding arising therefrom the Provider’s provision of Telemedicine Medical Services or with respect to Provider’s practice of medicine or that Chiron Health otherwise incurs as a result of having performed services on behalf of Provider under the Agreement or this BAA.

This Section of the Addendum shall survive the termination or expiration of the Addendum or the Agreement.

Termination. Notwithstanding any other provision under the Agreement, and in accordance with HIPAA, each party agrees that the Agreement and Addendum may be terminated by the other party without penalty should the party reasonably determine that the other party has materially violated an obligation under HIPAA and that continued performance of the party’s obligations under the Agreement and/or Addendum would constitute further violation of HIPAA. Notwithstanding the foregoing, Provider shall remain responsible, as provided in the Agreement, for Chiron Health’s fees and expenses up to and including the effective date of the termination.

 

Judicial or Administrative Proceedings. Provider may terminate the Agreement, effective immediately, upon a finding or stipulation that Chiron Health has violated any standard or requirement of HIPAA or other security or privacy laws in any administrative or civil proceeding in which Chiron Health has been joined.

 

Return or Destruction of PHI. Upon termination, cancellation, or expiration of the Agreement, Chiron Health shall return to Covered Entity any and all PHI received from, or created by, Chiron Health on behalf of Covered Entity that is maintained by Chiron Health in any form whatsoever, including any copies or replicas. If returning the PHI to Covered Entity is infeasible, Chiron Health shall destroy, consistent with HIPAA, any and all PHI maintained by Chiron Health in any form whatsoever, including any copies or replicas. Should the return or destruction of the PHI be determined by Chiron Health, in its sole discretion, to be infeasible, the parties agree that the terms of this BAA shall extend to the PHI until otherwise indicated by Covered Entity, and any further use or disclosure of the PHI by Chiron Health shall be limited to that purpose which renders the return or destruction of the PHI infeasible.

This Section of the Addendum shall survive the termination or expiration of the Addendum or the Agreement.

 

Records Access. Chiron Health shall make available, upon written request from Provider, the Secretary, the Comptroller General of the United States, or any other duly authorized agent or representative, the Agreement, this BAA, and Chiron Health’s books, documents and records. Chiron Health shall preserve and make available such books, documents and records for a period of 4 years after the end of the term of the Agreement or such other longer period required by law. If Chiron Health is requested to disclose books, documents or records pursuant to this Section for any purpose, Chiron Health shall, to the extent permitted by law, notify Provider of the nature and scope of such request, and shall make available, upon written request of the Provider, all such books, documents or records.

 

Amendment to Comply with Law. The parties acknowledge that state and federal laws relating to electronic data security and privacy are rapidly evolving and that amendment of this BAA may be required to ensure compliance with such developments. A reference in this BAA to a section in the Privacy Rule, Security Rule, HIPAA or the HITECH Act means the section as in effect or as amended. The parties agree to take such action as is necessary to comply with the standards and requirements of HIPAA, the HITECH Act and other applicable laws and regulations relating to the security or confidentiality of PHI. Upon either party’s request, the other party agrees to promptly enter into good faith negotiations concerning the terms of an amendment to this BAA.

 

No Third Party Beneficiaries. Except as expressly set forth herein, nothing in this BAA is intended to confer, nor shall anything herein confer or be construed to confer, upon any person other than Provider, Chiron Health, and their respective successors or assigns, any rights, remedies, obligations, or liabilities whatsoever.

 

Intellectual Property. All intellectual property, including, without limitation, products relating to Chiron Health’s business, is the property of Chiron Health, and the Provider shall not be allowed to possess or use them except as authorized under the terms of the Agreement or this BAA. Provider’s right to use such intellectual property in accordance with the terms of the Agreement and, as applicable, this BAA, shall expire upon the termination of the Agreement and Provider shall not have any further right to use such intellectual property.

This Section of the Addendum shall survive the termination or expiration of the Addendum or the Agreement.

 

Force Majeure. Neither party shall be liable for non-performance, defective performance or late performance of any of its obligations under the Agreement to the extent and for such periods of time as such non-performance, defective performance or late performance is due to reasons outside such party’s control, including acts of God, action of any governmental authority, civil disturbances, strikes, information systems interruptions or failures or other acts beyond the parties’ control; provided, however, that in any such event, each party shall use its good faith efforts to perform its duties and obligations under this Agreement.

 

Governing Law. This BAA shall be governed by and construed in accordance with the internal laws (and not the law of conflicts) of Texas.

 

Term. This BAA shall become effective on the Addendum Effective Date and shall expire when all of the PHI provided by Covered Entity to Chiron Health is destroyed or returned to Covered Entity.