ELUVE, INC.
BUSINESS ASSOCIATE AGREEMENT
This Business Associate Agreement (“Agreement”) is entered into by and between any individual or organization that creates an account with Eluve, Inc. and agrees to this Agreement (“Covered Entity”) and Eluve, Inc. (“Business Associate”) (collectively, the “Parties”). This Agreement is effective as of the date on which the Covered Entity accepts this Agreement (“Effective Date”).
WITNESSETH
WHEREAS, the Parties intend to enter into an agreement (the “Client Order Form”) for services defined and described in applicable statements of work and Service Addenda (“Services”) involving the use and/or disclosure of Protected Health Information and Electronic Protected Health Information (collectively, “PHI”). The terms of the Service Agreement shall apply with full force and effect to govern the matters addressed in this Agreement.
WHEREAS, Business Associate and Covered Entity wish to enter into this Agreement in order for the Parties to establish their respective obligations and compliance with the requirements of the Final Omnibus Rule of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) as amended by the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health (“HITECH”) Act and the Genetic Information Nondiscrimination Act, including other modifications to the HIPAA Rules, 78 Fed. Reg. 5566 (Jan. 25, 2013) (collectively, “HIPAA”).
NOW, THEREFORE, in consideration of the mutual promises and covenants set forth below, Business Associate and Covered Entity agree as follows:
1. Definitions.
a. For purposes of this Agreement, and unless otherwise provided in this Agreement, the following capitalized terms shall have the same meaning as set forth in HIPAA, including: Breach, Data Aggregation, Designated Record Set, Disclose or Disclosure, Health Care Operations, Individual, Minimum Necessary, Notice of Privacy Practices, Protected Health Information, Required by Law, Safeguards, Secretary, Security Incident, Subcontractor, Unsecured Protected Health Information, and Use.
b. Specific Definitions. The terms “Business Associate” and “Covered Entity” shall generally have the same meanings as the terms “business associate” and “covered entity” at 45 CFR §160.103 and shall also reference the party to this Agreement named above.
2. Duties and Responsibilities of Business Associate.
a. General. Business Associate agrees not to Use or Disclose PHI other than as permitted or required by the Agreement or as required by law.
b. Safeguards. Business Associate agrees to use appropriate safeguards and comply with Subpart C of 45 CFR Part 164 with respect to Electronic PHI, to prevent the Use or Disclosure of PHI except as provided by this Agreement.
c. Agents. Business Associate agrees to ensure that any agent, including a subcontractor, that creates, receives, maintains, or transmits PHI on behalf of the Business Associate agrees (or has agreed), in writing, to the same restrictions and conditions that apply to Business Associate under HIPAA with respect to such information. Business Associate also agrees to ensure that any such agent or subcontractor to whom it provides Electronic PHI agrees (or has agreed), in writing, to implement reasonable and appropriate Safeguards to protect such Electronic PHI.
d. Right of Access. Business Associate agrees to provide access promptly during normal business hours, and in any case no later than 15 business days from the request of Covered Entity, to PHI in a Designated Record Set, to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements under 45 CFR §164.524.
e. Audit and Inspection. Upon written request, Business Associate agrees to make internal practices, books, and records relating to the Use and Disclosure of PHI available to the Secretary of the U.S. Department of Health and Human Services (“Secretary”) in a time and manner reasonably designated by Covered Entity or the Secretary, for purposes of the Secretary determining Covered Entity’s compliance with HIPAA. The provisions of this Section shall survive termination of this Agreement.
f. Amendments. Business Associate agrees to make any amendment(s) to PHI in a designated record set as directed or agreed by the Covered Entity pursuant to 45 CFR §164.526 promptly and in any case no later than 20 business days after receipt thereof. In the event that a request for amendment is delivered directly to Business Associate, Business Associate shall notify Covered Entity of such request promptly and in any case no later than ten (10) business days after receipt thereof.
g. Accounting of Disclosures. Business Associate agrees to document any Disclosures of PHI by Business Associate or its agents or authorized subcontractors, and information related to such disclosures, as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 CFR §164.528. Business Associate agrees to provide to Covered Entity information collected in accordance with this Section promptly, and in any case no later than 20 business days after receipt of a request by Covered Entity. In the event that a request for an accounting of disclosures is delivered directly to Business Associate, Business Associate shall notify Covered Entity of such request promptly and in any case no later than 20 business days after receipt thereof. Covered Entity shall determine, in its sole discretion and with the cooperation of Business Associate, whether the accounting will be provided by Business Associate or by Covered Entity to the Individual.
h. To the extent the Business Associate is to carry out one or more of Covered Entity’s obligation(s) under Subpart E of 45 CFR §164, Business Associate agrees to comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation.
i. Breach Notification. Business Associate agrees to report to Covered Entity promptly, and in any case no later than 20 business days after Business Associate’s discovery, (a) any Use or Disclosure of, or improper or unauthorized Use or Disclosure of or access to, PHI, including breaches of Unsecured PHI as required at 45 CFR §164.410, and (b) any Security Incident of which Business Associate becomes aware (each a “Reportable Incident”).
a. Except as provided in 45 CFR §164.412, Business Associate will give Covered Entity notice of any Reportable Incident under this Section promptly, and in any case no later than five (5) business days after the first day on which Reportable Incident is known, or by the exercise of reasonable diligence would have been known, to Business Associate. Business Associate further agrees to report to Covered Entity, in writing, any Security Incident promptly, and in any case no later than one (1) business day after confirming such Security Incident relating to Covered Entity’s PHI and any remediation or mitigation efforts taken. Business Associate agrees to comply with any subsequent reasonable requests from Covered Entity for Business Associate to notify media or Individuals about any Reportable Incident of Covered Entity’s PHI or PI, as such media or Individual notice may be required by state and/or federal law.
b. Any notice of a Reportable Incident referenced in this Section 2(i) will include, to the extent possible, the names, addresses and phone numbers of each Individual whose Unsecured PHI has been, or is reasonably believed by Business Associate to have been accessed, acquired, used or disclosed.
c. The notice to Covered Entity required by Section 2(i) will be written in plain language and will include, to the extent possible or available, the following, unless otherwise required by law:
i. The identification of the Individual(s) whose Unsecured PHI has been, or is reasonably believed by Business Associate to have been, accessed, acquired, used or disclosed during the Breach;
ii. A brief description of what happened, including the date of the Breach and the date of the discovery of the Breach;
iii. A description of the types of Unsecured PHI that were involved in the Breach (such as whether the full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);
iv. Any steps Individuals who were subjects of the Breach should take to protect themselves from potential harm that may result from the Breach;
v. A brief description of what Business Associate is doing to investigate the Breach, to mitigate the harm to Individuals, and to protect against further Breaches;
vi. The results of any and all investigations performed by the Business Associate related to the Breaches;
vii. Contact information of the most knowledgeable individual to contact relating to the Breaches; and
viii. Any other details necessary to complete an assessment of the risk that PHI has been compromised.
In the event of a breach of Unsecured PHI resulting from Business Associate’s acts or omissions, or the acts or omissions of one of Business Associate’s subcontractors, Business Associate will promptly reimburse Covered Entity for all costs reasonably incurred by Covered Entity in connection with such breach, including but not limited to the costs of issuing notices required by law and other remediation and mitigation which in the discretion of Covered Entity are appropriate and necessary to address the breach.
d. Reporting of Unsuccessful Attempts. Notwithstanding anything to the contrary in this Section 2, Business Associate shall report to Covered Entity, upon request, the existence and occurrence of Unsuccessful Security Incidents (as defined below). The parties agree that compliance with this Section shall satisfy Business Associate’s obligations to provide Covered Entity notice of the existence and occurrence of Unsuccessful Security Incidents, for which no additional notice shall be required. For purposes of this Agreement, the term “Unsuccessful Security Incident” shall mean any security incident that does not result in any unauthorized access, use, disclosure, modification, or destruction of electronic PHI or any interference with system operations in Business Associate’s information system.
e. Mitigation. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a Use or Disclosure of PHI by Business Associate in violation of the requirements of this Agreement or applicable law.
3. Permitted Uses and Disclosures of Business Associate.
a. Performance of Services. Business Associate may Use or Disclose PHI in connection with the performance of the Services if (a) such Use or Disclosure of PHI would not violate HIPAA if done by Covered Entity or (b) such Use or Disclosure is expressly permitted under this Section 3.
b. Minimum Necessary. Business Associate agrees to take reasonable efforts to limit requests for, Use and Disclosure of PHI to the minimum necessary to accomplish the intended request, Use, or Disclosure.
c. Proper Management and Administration. Business Associate may Use or Disclose PHI for the proper management and administration of Business Associate in connection with the performance of Services under the Service Agreement and as permitted by this Agreement; provided, however, that any Disclosure pursuant to this paragraph is required by applicable law or Business Associate has or will obtain reasonable assurances from the person or entity to whom the PHI is disclosed that (i) it will remain confidential and Used or further Disclosed only as required by law or for the purpose for which it was disclosed to the person or entity, and (ii) the person or entity will notify Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.
d. Other Permitted Uses. Unless otherwise limited herein, Business Associate may: (a) perform data aggregation for the health care operations of Covered Entity or Business Associate, as permitted by 45 CFR §164.504(e)(2)(i)(B); (b) as requested by Covered Entity or authorized governmental agent, Use, analyze, and Disclose PHI in its possession for the public health activities and purposes set forth at 45 CFR §164.512(b); and (c) de-identify PHI obtained by Business Associate under the Agreement and use such de-identified data so long as such de-identification and usage is in accordance with the de-identification requirements set forth in 45 CFR §164.514(b).
e. Disclosures Required by Law. If Business Associate believes it has a legal obligation to disclose any PHI, it will notify Covered Entity promptly, and in any case no later than five (5) business days prior to the proposed release, as to the legal requirement pursuant to which it believes the PHI must be released. If Covered Entity objects to the release of such PHI, Business Associate will allow Covered Entity to exercise its legal rights or remedies to object to the release of the PHI, and Business Associate agrees to provide such assistance to Covered Entity, at Covered Entity’s expense, as Covered Entity may reasonably request in connection therewith. Should Covered Entity fail to respond, Business Associate shall be entitled to Disclose the PHI to appropriate federal and state authorities, consistent with 45 CFR §164.502(j)(1).
4. Obligations of Covered Entity.
a. Notice of Privacy Practices. Covered Entity shall notify Business Associate of any limitation(s) in Covered Entity’s Notice of Privacy Practices in accordance with 45 CFR §164.520 to the extent that such limitation may affect Business Associate’s Use or Disclosure of PHI.
b. Changes to Authorization. Covered Entity shall notify Business Associate of any changes in, or revocation of, permission by an Individual to Use or Disclose PHI to the extent that such changes may affect Business Associate’s Use or Disclosure of PHI.
c. Restrictions on Consent. Covered Entity shall notify Business Associate of any restriction on the Use or Disclosure of PHI to which Covered Entity has agreed in accordance with 45 CFR §164.522, to the extent that such restriction may affect Covered Entity’s Use or Disclosure of PHI.
d. Requests in Violation of HIPAA. Covered Entity shall not request Business Associate to Use or Disclose PHI in any manner that would not be permissible under HIPAA if done by Covered Entity.
5. Term and Termination.
a. Term. The Term of this Agreement shall commence as of the Effective Date and shall terminate either (a) as provided herein or (b) when the provision of Business Associate Services terminates and all of the PHI provided by Covered Entity to Business Associate, or created or received by Business Associate on behalf of Covered Entity, or otherwise in Business Associate’s possession, is destroyed or returned to Covered Entity in a format that is reasonable to preserve its accessibility and usability, or, if it is infeasible to return or destroy PHI, protections are extended to such information in accordance with the termination provisions in this Section. Notwithstanding the foregoing, Business Associate may retain PHI as required by applicable law.
b. Termination for Cause. Upon either party’s knowledge of a breach by the other party (“Breaching Party”) under the terms of the Agreement, the non-Breaching Party may (i) provide a reasonable time for Breaching Party to cure the breach, provided that non-Breaching Party may immediately terminate the Agreement if Breaching Party does not cure the breach or end the violation within the time frame specified by non-Breaching Party; (ii) immediately terminate the Agreement if Breaching Party has breached a material term of this Agreement and non-Breaching Party determines in its sole reasonable discretion that a cure is not possible; and (iii) if neither cure nor termination is feasible, report the violation to the Secretary.
c. Effect of Termination.
i. Except as provided in paragraph (a) of Section 5, upon termination of this Agreement, for any reason, Business Associate shall return in a format that is reasonable to preserve its accessibility and usability or destroy all PHI received from Business Associate, created or received by Business Associate on behalf of Business Associate, or otherwise in Business Associate’s possession. Business Associate shall retain no copies of the PHI in any form.
ii. In the event that Business Associate reasonably determines that returning or destroying the PHI is infeasible, Business Associate agrees to extend the protections of this Agreement to such PHI and limit any further Uses and Disclosures of such PHI to only those purposes that make the return or destruction infeasible.
d. Remedies for Breach of Agreement. In the event of any breach of this Agreement by Business Associate, Covered Entity may seek injunctive relief and/or monetary damages, regardless of whether the Agreement is terminated, and Covered Entity’s recovery through such legal action shall not be subject to any limitation on liability covenant or condition in any other agreement or engagement between the Parties. Business Associate hereby agrees and acknowledges that irreparable damage to Covered Entity would occur in the event that any of the provisions of this Agreement are breached and, accordingly, agrees that Covered Entity shall be entitled to both temporary and permanent injunction or injunctions to prevent breaches of this Agreement, and Covered Entity shall be entitled to enforce specifically the provisions of this Agreement in any court of competent jurisdiction, in addition to any other remedy to which Covered Entity shall be entitled under this Agreement or in law or in equity.
6. Miscellaneous.
a. Regulatory References. A reference in this Agreement to a section in HIPAA means the section as in effect or as amended, and for which compliance is required.
b. Interpretation. Any ambiguity in this Agreement shall be resolved in favor of a meaning that permits the Parties to comply with HIPAA.
c. Choice of Law. This Agreement shall be deemed to have been made in the state of California, and the validity, interpretation and performance of this Agreement shall be governed by, and construed in accordance with, the internal law of the state of California, without giving effect to the conflict of law principles thereof, to the extent not preempted by applicable federal law.
d. Amendment to Agreement. The Parties agree to take such action as is necessary to amend this Agreement from time to time in order to comply with the requirements of HIPAA. Any and all amendments to this Agreement shall be in writing and signed by both Parties. Notwithstanding the foregoing, if any modification to this Agreement is required by law or if Covered Entity determines, in its sole discretion, that this Agreement must be amended due to a change in applicable federal or state law or industry standards, Covered Entity shall notify Business Associate of such proposed modification(s) (“Legally Required Modifications”). Legally Required Modifications shall be deemed accepted by Business Associate and this Agreement shall be amended if Business Associate does not, within thirty (30) calendar days following the date of the notice from Covered Entity, deliver to Covered Entity its written rejection of such Legally Required Modifications.
e. Binding Effect. The Agreement shall be binding upon, and shall inure to the benefit of, the Parties and their respective successors and permitted assigns.
f. Legal Actions. Promptly, and in any case no later than five (5) business days after notice thereof, Business Associate shall advise Covered Entity of any actual or potential action, proceeding, regulatory or governmental orders or actions, or any material threat thereof that becomes known to it that may affect the interests of Covered Entity or jeopardize this Agreement, and of any facts and circumstances that may be pertinent to the prosecution or defense of any such actual or potential legal action or proceeding, except to the extent prohibited by law.
g. Indemnification. Business Associate hereby agrees to indemnify the Covered Entity and hold the Covered Entity harmless from and against any and all liabilities, losses, damages, costs, and expenses, created by or in any way arising out of a breach of this Agreement or any violation of HIPAA or any other applicable privacy or security rule by Business Associate or its officers, directors, trustees, members, managers, employees, contractors, or agents. Such indemnity shall include without limitation the costs of (i) investigation, including forensic computer services or assistance, (ii) notification to Individuals, governmental authorities and media, (iii) credit monitoring or restoration, and (iv) reasonable attorneys’ fees, related to or arising from Business Associate’s breach or any loss, theft, or misuse of any PHI collected, accessed, used or maintained by Business Associate.
h. Notice of Request or Subpoena for Data. Business Associate agrees to notify Covered Entity immediately, but in any case no later than three (3) business days after Business Associate’s receipt of any request or subpoena for PHI or an accounting thereof, not otherwise provided in this Agreement. Business Associate shall promptly comply with Covered Entity’s instructions for responding to any such request or subpoena, unless such Covered Entity instructions would prejudice Business Associate. To the extent that Covered Entity decides to assume responsibility for challenging the validity of such request, Business Associate agrees to cooperate fully with Covered Entity in such challenge. The provisions of this Section shall survive the termination of this Agreement.
i. Requests from Secretary. Immediately, but in any case no later than five (5) business days after notice thereof, Business Associate shall advise Covered Entity of any inquiry by the Secretary concerning any actual or alleged violation of HIPAA. Business Associate agrees to permit Covered Entity to respond to any such notice or inquiry. Business Associate shall cooperate fully with Covered Entity in responding to any such inquiry.
j. Additional Privacy and Security Compliance. Business Associate acknowledges that applicable HIPAA provisions directly apply to Business Associate and its subcontractors. Such requirements are incorporated by reference as if fully set forth herein.
k. Property Rights in PHI. Business Associate hereby acknowledges that, as between Business Associate and Covered Entity, all PHI shall be and remain the sole property of Covered Entity, including any forms of PHI developed by Business Associate in the course of fulfilling its obligations under this Agreement.
l. Insurance. Unless greater coverage is required under any other agreement between Covered Entity and Business Associate for the provision of services related to this Agreement, Business Associate shall maintain or cause to be maintained, at its sole cost and expense, commercially reasonable levels of insurance necessary to insure Business Associate against any claims for damages arising under HIPAA, including but not limited to the imposition of civil monetary penalties arising from the loss, theft, or unauthorized use or disclosure of PHI. Business Associate shall name Covered Entity as an additional insured on such insurance policies. Business Associate shall provide Covered Entity with certificates of such insurance upon request and shall provide prompt notice of any decrease, termination or cancellation of the insurance coverages required to be maintained hereunder no less than thirty (30) days prior to such termination, decrease or cancellation. The provisions of this paragraph shall survive the termination of this Agreement.
m. Representations and Warranties. Business Associate represents and warrants that no PHI has been transferred by Business Associate to third parties in violation of state or federal privacy laws. There are no suits, notices, claims, investigations, orders or proceedings currently pending, or, to the knowledge of Business Associate, threatened, by state or federal agencies, or private parties involving notice or information to Individuals that PHI held or stored by the Business Associate has been compromised, lost, taken, accessed or misused. Business Associate further represents and warrants that it is not currently under any agreement, including any settlement agreement or consent decree, with the Office of Civil Rights of the U.S. Department of Health and Human Services involving creating, receiving, maintaining or transmitting PHI. Business Associate represents and warrants that no PHI may be received, maintained, stored, accessed, or transmitted outside of the United States of America. If Business Associate conducts in whole or part Electronic Transactions on behalf of the Covered Entity for which HHS has established standards, Business Associate represents and warrants that it will comply, and will require any subcontractor, vendor, or agent it involves with the conduct of Electronic Transactions to comply, with each applicable requirement of the Electronic Transactions Rule at 45 CFR Part 162. Business Associate warrants it will not use or disclose genetic information for underwriting purposes, as that term is defined in 45 CFR §164.502.
n. Third Party Beneficiaries. This Agreement does not create any third-party beneficiary rights.
o. Remuneration. Business Associate agrees it will not receive remuneration directly or indirectly in exchange for PHI without authorization unless an exception under Section 13405(d) of the HITECH Act applies. Business Associate agrees that it will not receive remuneration for certain communications that fall within the exceptions to the definition of Marketing under 45 CFR §164.501 unless permitted by the HITECH Act.
p. Headings. The section headings and subheadings used herein are for reference and convenience only and shall not enter into the interpretation of this Agreement.
q. Counterparts. This Agreement may be executed in one or more counterparts, all of which shall be considered one and the same instrument.
r. Notices. Whenever under this Agreement one Party is required to give notice to the other, such notice shall be addressed as follows and deemed given: three (3) calendar days after deposit in United States mail, postage prepaid; one (1) calendar day after deposit with a nationally recognized overnight carrier; or upon actual delivery, if delivered by hand.
CONTACT US
If you have any questions about this Business Associate Agreement, you can email us at [email protected] or send us written correspondence at the following postal address:
Eluve, Inc. 8605 Santa Monica Blvd. PMB 880383 West Hollywood, CA 90069-4109