Business Associate Agreement


THIS BUSINESS ASSOCIATE AGREEMENT (this "Agreement") is made effective on the date (the “Effective Date”) the Order Form Agreement is signed by and between Customer (“Customer”) and Linus Health, Inc. (“Linus Health” or “Linus”) and is incorporated into and made a part of the Order Form Agreement. The Customer and Linus Health are sometimes referred to herein as a "Party" or collectively as the “Parties."

RECITALS

WHEREAS, Customer and Linus Health have entered into an arrangement, and may in the future enter into additional arrangements (collectively, the “Underlying Agreements”) pursuant to which Linus Health performs functions on behalf of or provides certain services to Customer or for its patients, clients or customers; and

WHEREAS, the Underlying Agreements may from time to time require the receipt, Use and/or Disclosure of Protected Health Information (“PHI”); and

WHEREAS, Customer and Linus Health acknowledge that each Party has obligations to maintain the privacy and security of PHI under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), as amended from time to time, and its implementing regulations, 45 C.F.R. Parts 160 and 164, and as amended by the Health Information Technology for Economic and Clinical Health Act (“HITECH”), and may have additional obligations under legislation or rules passed, enacted, or promulgated in the future relating to the privacy and security of PHI (collectively, “HIPAA Rules”); and

WHEREAS, the Parties intend this Agreement to satisfy the requirements for a written agreement pursuant to the HIPAA Rules.

NOW THEREFORE, in consideration of the mutual promises and conditions contained herein, and for other good and valuable consideration, the Parties agree as follows:

SECTION 1
Definitions

  1. Business Associate.  “Business Associate” shall have the same meaning as the term “business associate” at 45 CFR 160.103, and in reference to the party to this agreement, shall mean Linus Health.

  2. Covered Entity.  “Covered Entity” shall generally have the same meaning as the term “covered entity” at 45 CFR 160.103, and in reference to the party to this agreement, shall mean the Customer.

  3. Unless otherwise provided in this Agreement, capitalized terms, including the following: Breach, Data Aggregation, Designated Record Set, Disclosure, Health Care Operations, Individual, Minimum Necessary, Protected Health Information, Required by Law, Secretary, Security Incident, Subcontractor, Unsecured PHI, and Use shall have the same meaning as those terms in the HIPAA Rules.

SECTION 2
Effect and Interpretation

The provisions of this Agreement apply to the Use or Disclosure of any PHI by the Parties under the Agreement. In the event of any conflict or inconsistency between the Underlying Agreements and this Agreement concerning the Use or Disclosure of PHI, the terms of this Agreement will prevail unless the Parties mutually agree that the applicable terms of the Underlying Agreements would be more protective of PHI. The provisions of this Agreement are intended in their totality to comply with the HIPAA Rules as they concern Business Associate Agreements. The provisions of the Underlying Agreements will remain in full force and effect and are supplemented by this Agreement only to the extent necessary to effectuate the provisions set forth herein.

SECTION 3
Obligations and Activities of Linus Health

Linus Health will comply with the HIPAA Rules, including those that impose certain administrative, physical, and technical safeguards, including policy, procedure, and documentation requirements to protect the confidentiality, integrity, and availability of the PHI that it creates, receives, maintains, or transmits on behalf of Customer as required by HIPAA Rules.

Linus Health will not Use or Disclose PHI, other than as permitted or required by this Agreement, the Underlying Agreements, or as Required by Law.

Linus Health will use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to electronic PHI, to prevent Use or Disclosure of PHI other than as provided for by this Agreement.

Linus Health will mitigate, to the extent practicable, any harmful effect that is known to Linus Health of a Use or Disclosure of PHI by Linus Health in violation of the requirements of this Agreement, the Underlying Agreements, and/or HIPAA Rules.

Linus Health will report to Customer any Breach of Unsecured PHI as required at 45 CFR 164.410, within ten (10) business days of Linus Health's discovery of such Breach. Such notice will include the information required for Customer to report the Breach to the extent reasonably known, including identification of each Individual whose Unsecured PHI has been, or is reasonably believed by Linus Health to have been, accessed, acquired, or disclosed, a brief description of what happened, including the date of the Breach and the date of the discovery of the Breach, if known, and a description of the types of PHI that were involved in the Breach in accordance with HIPAA Rules.

Linus Health will report to Customer any Security Incident that results in a Breach of Unsecured PHI as soon as practicable but no later than five (5) business days after Linus Health becomes aware of such Security Incident. Upon Customer’s request, Linus Health will report any attempted but unsuccessful Security Incident of which Linus Health becomes aware. If the HIPAA Rules are amended to remove the requirement to report unsuccessful attempts at unauthorized access, the requirement hereunder to report such unsuccessful attempts will no longer apply as of the effective date of the amendment.

Notwithstanding the foregoing, the parties agree to the following reporting procedure for Security Incidents that do not result in unauthorized access, use, disclosure, modification, destruction of information, or interference with system operations (“Unsuccessful Security Incidents”). For Unsuccessful Security Incidents, the parties agree that this paragraph constitutes notice of such Unsuccessful Security Incidents. By way of example, the parties consider the following to be illustrative of Unsuccessful Security Incidents when they do not result in actual unauthorized access, use, disclosure, modification, destruction of electronic PHI, or interference with an information system: (i) pings on a firewall; (ii) port scans; (iii) attempts to log on to a system or enter a database with an invalid password or username; (iv) denial-of-service attacks that do not result in a server being taken off-line; and (v) malware (worms, viruses, etc.).

Linus Health will ensure that any Subcontractors that create, receive, maintain, or transmit PHI on behalf of Linus Health agree in writing to privacy and security restrictions and conditions at least as stringent as those that govern Linus Health under this Agreement with respect to such information.

In the event that Linus Health maintains PHI in a Designated Record Set, Linus Health will make available PHI in a Designated Record Set, within ten (10) days of Customer's request and in the manner requested, to Customer, or as directed by Customer to an Individual, in order to meet the requirements under 45 C.F.R. §164.524.  If a request for access to PHI from an Individual is sent directly to Linus Health, such request will be forwarded immediately to Customer.

In the event that Linus Health maintains PHI in a Designated Record Set, Linus Health will make any amendment(s) to PHI in its possession contained in a Designated Record Set that Customer directs or agrees to pursuant to 45 C.F.R. §164.526 at the request of Customer or an Individual, and in the time and manner designated by Customer. If Linus Health receives a request by an Individual for amendment(s) to PHI in accordance with 45 C.F.R. §164.526, Linus Health will immediately forward such request to Customer.

Linus Health will document and maintain Disclosures of PHI, including the date of the Disclosure, the name and address of the entity or person who received the PHI, a brief description of the PHI disclosed, a brief statement of the purpose of the Disclosure, and any other information related to such Disclosures as would be required for Customer to respond to a request by an Individual for an accounting of Disclosures of PHI in accordance with HIPAA Rules. Linus Health will provide to Customer the information required to provide an accounting of Disclosures as reasonably necessary to satisfy Customer’s obligations under 45 CFR 164.528 within ten (10) business days of receipt of a request by Customer or an Individual.

To the extent Linus Health is to carry out one or more of Customer's obligation(s) under Subpart E of 45 CFR Part 164, Linus Health will comply with the requirements of Subpart E that apply to Customer in the performance of such obligation(s).

Linus Health will make internal practices, books, and records, including policies and procedures, relating to the use and disclosure of PHI received from, or created or received by Linus Health on behalf of Customer available to the Secretary within normal business hours and in the manner designated by the Secretary, for purposes of the Secretary determining Customer's and Linus Health’s compliance with the HIPAA Rules.

SECTION 4
Permitted Uses and Disclosures by Linus Health

  1. Except as otherwise described in this Agreement, Linus Health may only Use or Disclose PHI to perform functions, activities, or services for, or on behalf of, Customer as necessary to perform the services specified in the Underlying Agreements, or as required or permitted by law.

  2. Linus Health may de-identify PHI pursuant to 45 CFR 164.514(a)-(c) as needed to perform functions, activities, or services for, or on behalf of, Customer as necessary to perform the services specified in the Underlying Agreements.

  3. Linus Health agrees to Use or Disclose only the minimum amount of PHI necessary to accomplish the intended purpose of the Use or Disclosure.

  4. Linus Health may not use or disclose PHI in a manner that would violate Subpart E of 45 CFR Part 164 if done by Customer except for the specific uses and disclosures set forth below.

  5. Linus Health may disclose PHI for the proper management and administration of Linus Health or to carry out the legal responsibilities of the Linus Health, provided that Disclosures are Required by Law or Linus Health obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as Required by Law or for the purpose for which it was disclosed to the person, and the person notifies Linus Health, in writing, within ten (10) business days of becoming aware of any instances in which the confidentiality of the information has been Breached.

  6. Linus Health may Use PHI to report violations of law to appropriate federal and state authorities, consistent with 45 C.F.R. §164.502(j)(1).

  7. Except as otherwise provided in this Agreement, Linus Health may use PHI to provide data aggregation services as permitted by 45 C.F.R. § 164.504(e)(2)(i)(B). Except as otherwise provided in this Agreement, Linus Health may use PHI to create de-identified data, de-identified output and limited data sets, as defined under HIPAA, for the express purpose of improving Linus Health’s Products, Services and/or platform (each as defined in the Underlying Agreement) and Linus Health may further use and disclose such limited data sets for the same purpose, provided Linus Health, as an agent for the Customer, complies with all HIPAA requirements concerning limited data sets with each recipient of a limited data set.

  8. Except as otherwise limited in this Agreement, Linus Health may use and disclose Protected Health Information for the proper management and administration of Linus Health and to carry out the legal responsibilities of Linus Health, provided that any such disclosures are permitted or Required by Law, or Linus Health obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as permitted or Required by Law or for the purpose for which it was disclosed to the person, and the person notifies Linus Health of any instances of which it is aware in which the confidentiality of the information has been breached.

  9. On behalf of Customer, Linus Health may use and disclose PHI for purposes set forth in 45 C.F.R. § 164.512.  

SECTION 5
Obligations of Customer

  1. Customer will notify Linus Health of any changes in, or revocation of, permission by an Individual to use or disclose PHI, pursuant to 45 C.F.R. §164.508, to the extent that such changes may affect Linus Health's Use or Disclosure of PHI.

  2. Customer will notify Linus Health in writing, in a timely manner, of any restriction to the use or disclosure of PHI that Customer has agreed to in accordance with HIPAA Rules, to specifically include 45 CFR §164.522, to the extent that such restriction may affect Linus Health's Use or Disclosure of PHI.

  3. Customer will not request Linus Health to use or disclose PHI in any manner that would not be permissible under HIPAA if done by Customer.

  4. Customer represents and warrants that it will comply with HIPAA as amended.

SECTION 6
Term and Termination

  1. Term. This Agreement commences on the Effective Date and terminates in accordance with the terms of this Section 6.

  2. Termination of Underlying Agreements. Upon the termination of all Underlying Agreements, either Party may terminate this Agreement by providing written notice to the other Party.

  3. Termination for Cause. Upon Customer's or Linus Health’s knowledge of a pattern of activity or a practice that constitutes a material breach by the other Party, the non-breaching Party may immediately terminate this Agreement and any Underlying Agreements, or in the non-breaching Party's sole discretion, may provide an opportunity for the breaching Party to cure the breach. If an opportunity to cure the breach is provided, and the breaching Party does not cure the breach within thirty (30) days, the non-breaching Party shall terminate this Agreement and the Underlying Agreements if feasible.

  4. Effect of Termination.  Except as provided in Section 6(E), upon termination of this Agreement for any reason, Linus Health, with respect to PHI received from Customer, or created, maintained, or received by Linus Health on behalf of Customer, shall:
    1. Retain only that PHI which is necessary for Linus Health to continue its proper management and administration or to carry out its legal responsibilities;

    2. Return to Customer, or, if agreed to by Customer, destroy, the remaining PHI that the Linus Health still maintains in any form;

    3. Continue to use appropriate safeguards and comply with Subpart C of 45 CFR Part 164 with respect to electronic PHI to prevent Use or Disclosure of the PHI, other than as provided for in this Section, for as long as Linus Health retains the PHI.

    4. Not use or disclose the PHI retained by Linus Health other than for the purposes for which such PHI was retained and subject to the same conditions which applied prior to termination; and

    5. Return to Customer or, if agreed to by Customer, destroy, the PHI retained by Linus Health when it is no longer needed by Linus Health for its proper management and administration or to carry out its legal responsibilities. This Section 6(D) applies to PHI that is in the possession of subcontractors or agents of Linus Health. Neither Linus Health nor subcontractors or agents of Linus Health will retain any copies of the PHI.

  5. In the event Linus Health determines that returning or destroying the PHI is infeasible, Linus Health will extend the protections of this Agreement to such PHI and limit further Uses or Disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Linus Health maintains such PHI. If it is infeasible for Linus Health to obtain from a Subcontractor or agent any PHI in the possession of the Subcontractor or agent, Linus Health will require the Subcontractors and agents to agree to extend any and all protections, limitations, and restrictions contained in their written Agreement with Linus Health to the Subcontractors' and/or agents' Use and/or Disclosure of any PHI retained after the termination of this Agreement, and to limit any further Uses and/or Disclosures to the purposes that make the return or destruction of the PHI infeasible for so long as the subcontractor or agent maintains such PHI.

  6. Survival. The Parties’ obligations under this Section 6 shall survive the termination of this Agreement.

SECTION 7
Miscellaneous

  1. Penalties. Linus Health acknowledges that civil and criminal penalties for violation of HIPAA Rules apply to Linus Health in the same manner as they apply to Customer.

  2. Title. Except as otherwise described in this Agreement, Linus Health acknowledges and agrees that it acquires no title or rights to the PHI, including any de-identified information, as a result of this Agreement.

  3. Regulatory References.  A reference in this Agreement to a section of HIPAA means the section as in effect or as amended.

  4. Amendment. The Parties will take such action as is necessary to amend this Agreement from time to time as is necessary for the Parties to comply with the requirements of HIPAA Rules.

  5. Interpretation.  Any ambiguity in this Agreement will be resolved to permit the Parties to comply with HIPAA Rules.

  6. Waiver. No provision of this Agreement may be waived except by an agreement in writing signed by the waiving Party, and the failure of either Party to insist on the strict performance of any term or condition in this Agreement, or to exercise any option in this Agreement, will not be construed as a waiver of such term, condition, or option in any other instance.

  7. Choice of Law and Jurisdiction. This Agreement will be governed by and construed in accordance with the laws of the State of Massachusetts, without regard to choice of law rules. THE PARTIES WAIVE ANY RIGHT TO A TRIAL BY JURY FOR A DISPUTE RELATED TO THIS AGREEMENT.

  8. Entire Agreement. This Agreement constitutes the entire agreement between the Parties with respect to the subject matter hereof and supersedes all prior oral or written agreements, commitments, or understandings with respect thereto.  In the event of a conflict between the terms and conditions of this Agreement and the Underlying Agreements or any related exhibits, the terms of this Agreement take precedence and control over those of the Underlying Agreements and exhibits, unless otherwise agreed to in writing by all Parties.

  9. Assignment.  Customer has entered into this Agreement in specific reliance on the expertise and qualifications of Linus Health. Consequently, Linus Health’s interest under this Agreement may not be transferred or assigned or assumed by any other person, in whole or in part, without the prior written consent of Customer; provided that Linus Health may assign this Agreement without the consent of Customer as part of a corporate reorganization, consolidation, merger, or sale of all or substantially all of its assets or business to which this Agreement relates.

  10. Severability. Whenever possible, each provision of this Agreement will be interpreted so as to be effective and valid under applicable law.  If any provision of this Agreement should be prohibited or found invalid under applicable law, such provision is ineffective to the extent of such prohibition or invalidity without invalidating the other remaining provisions of this Agreement; provided, however, that if any such invalid provision is material, then such Party may terminate the Agreement upon thirty (30) days' prior written notice to the other Party.

  11. Headings. The paragraph headings are for convenience only and are not to be construed to define, modify, expand, or limit the terms and provisions of this Agreement.

  12. Authority. The individual(s) signing this Agreement on behalf of Customer and on behalf of Linus Health are duly authorized representatives of the respective Parties with full power and authority to execute this Agreement on behalf of Customer and Linus Health.

  13. Notices. All notices, requests, demands and other communications that are required to be given, or may be given, under this Agreement will be in writing and will be deemed to have been duly given when: received, if personally delivered; the day after it is sent, if sent by recognized expedited delivery service; three (3) days after it is sent, if mailed, first class mail, postage prepaid, return receipt requested; or upon receipt with electronic confirmation, if sent by email. In each case notice will be sent to:

If to Customer: as defined in the Order Agreement  
If to Linus Health: as defined in the Order Agreement
or to such other address as such Party has specified by notice in writing to the other Party.

  14. Third-Party Beneficiaries. This Agreement is solely for the benefit of the Parties hereto and will in no way be construed to entitle any other third party to any compensation or benefit, does not create any third-party beneficiaries, and does not confer any rights or remedies upon any person or entity other than the Parties and their respective successors and permitted assigns.