BUSINESS ASSOCIATE AGREEMENT

Not For Profit promoting North Melbourne service providers in the gig economy

Home | Latest News | Our Mission | Newsletter

BUSINESS ASSOCIATE AGREEMENT

Effective Date: October 1, 2017

1. Status of the Parties

The parties hereby acknowledge and agree that a Service Professional (when applicable) is subject to HIPAA compliance as a covered entity or as a business associate “Covered Entity,” and that Loconomics “Business Associate” may be a Business Associate of Covered Entity under the HIPAA Security and Privacy Rule and the HITECH Act, each defined below.

WHEREAS, Sections 261 through 264 of the federal Health Insurance Portability and Accountability Act of 1996, Public Law 104-191 “HIPAA”, known as “the Administrative Simplification provisions,” direct the U.S. Department of Health and Human Services to develop standards to protect the security, confidentiality, and integrity of health information; and

WHEREAS, pursuant to the Administrative Simplification provisions, the Secretary of Health and Human Services issued regulations modifying 45 CFR Parts 160 and 164 (the “HIPAA Security and Privacy Rule”; and

WHEREAS, the American Recovery and Reinvestment Act of 2009 (Pub. L. 111-5) “ARRA”, pursuant to Title XIII of Division A and Title IV of Division B, called the “Health Information Technology for Economic and Clinical Health” “HITECH” Act, provides modifications to the HIPAA Security and Privacy Rule (hereinafter, all references to the “HIPAA Security and Privacy Rule” are deemed to include all amendments to such rule contained in the HITECH Act, the HIPAA Final Omnibus Rule of 2013, and any accompanying regulations, and any other subsequently adopted amendments or regulations); and

WHEREAS, the Parties wish to enter into or have entered into an arrangement whereby Business Associate will provide certain services to Covered Entity, and, pursuant to such arrangement, Business Associate may be considered a “business associate” of Covered Entity as defined in the HIPAA Security and Privacy Rule (hereby referred to as the “Arrangement Agreement”; and

WHEREAS, Business Associate may have access to Protected Health Information “PHI”, as defined below, in fulfilling its responsibilities under such arrangement;

THEREFORE, in consideration of the Parties’ continuing obligations under the Arrangement Agreement, compliance with the HIPAA Security and Privacy Rule, and for other good and valuable consideration, the receipt and sufficiency of which is hereby acknowledged, and intending to be legally bound, the Parties agree to the provisions of this Business Associate Agreement (the “Agreement” in order to address the requirements of the HIPAA Security and Privacy Rule and to protect the interests of both Parties.

2. Definitions

Except as otherwise defined herein, any and all capitalized terms in this Agreement shall have the definitions set forth in the HIPAA Security and Privacy Rule. In the event of an inconsistency between the provisions of this Agreement and mandatory provisions of the HIPAA Security and Privacy Rule, as amended, the HIPAA Security and Privacy Rule shall control. Where provisions of this Agreement are different than those mandated in the HIPAA Security and Privacy Rule, but are nonetheless permitted by the HIPAA Security and Privacy Rule, the provisions of this Agreement shall control.

The term “Protected Health Information” or “PHI” shall have the definition set forth in the HIPAA Security and Privacy Rule, limited to PHI that is created, received, maintained, or transmitted on behalf of Covered Entity by Business Associate pursuant to the Agreement. “Protected Health Information” includes without limitation “Electronic Protected Health Information” or “EPHI,” as defined in the HIPAA Security and Privacy Rule, limited to EPHI that is created, received, maintained, or transmitted on behalf of Covered Entity by Business Associate pursuant to the Agreement.

3. Confidentiality and Security Requirements

Business Associate agrees to the following obligations:

4. Availability of PHI

Restrictions on Disclosures of PHI.

Business Associate agrees to comply with any requests for restrictions on certain disclosures of Protected Health Information maintained in a Designated Record Set pursuant to Section 164.522 of the HIPAA Security and Privacy Rule to which Covered Entity has agreed and of which Business Associate is notified by Covered Entity, if any.

Access.

Business Associate agrees to comply with any requests for preferences of access of Protected Health Information maintained in a Designated Record Set pursuant to Section 164.522 of the HIPAA Security and Privacy Rule to which Covered Entity has agreed and of which Business Associate is notified by Covered Entity, if any. Business Associate agrees to make available Protected Health Information to the extent and in the manner required by Section 164.524 of the HIPAA Security and Privacy Rule. Business Associate agrees to make Protected Health Information maintained in a Designated Record Set available for amendment and incorporate any amendments to Protected Health Information maintained in a Designated Record Set in accordance with the requirements of Section 164.526 of the HIPAA Security and Privacy Rule.

Accounting.

In addition, Business Associate agrees to make Protected Health Information available for purposes of accounting of disclosures, as required by Section 164.528 of the HIPAA Security and Privacy Rule and Section 13405(c)(3) of the HITECH Act. Business Associate and Covered Entity shall cooperate in providing any accounting required on a timely basis.

5. Obligations of Covered Entity

Changes in Authorization.

Covered Entity shall inform Business Associate, in writing and in a timely manner, of any changes in, or withdrawal of, any authorization provided to Covered Entity by any Individual pursuant to 45 CFR § 164.508, to the extent that such changes or withdrawal may affect Business Associate’s use or disclosure of PHI. In addition, Covered Entity shall notify Business Associate, in writing and in a timely manner, of any restriction to the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 CFR § 164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of PHI. Covered Entity shall promptly notify Business Associate of any breach by Covered Entity of any obligation under the HIPAA Security and Privacy Rule as such breach relates to PHI as defined herein. Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under the HIPAA Security and Privacy Rule if done by Covered Entity, and Business Associate is not required to use or disclose PHI in any manner that would not be permissible under the HIPAA Security and Privacy Rule if done by Covered Entity.

Minimum Necessary.

Covered Entity shall disclose to Business Associate only the “Minimum Necessary” amount of PHI for Business Associate to perform the services in Arrangement Agreement and its rights and obligations under this Agreement, and only in compliance with the HIPAA Security and Privacy Rule.

6. Term and Termination

Term.

This Agreement shall commence when the Covered Entity begins using the Loconomics Service and shall continue until (a) either party terminates this Agreement in writing; or (b) all PHI provided by Covered Entity to Business Associate, or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity.

Termination for Cause.

Notwithstanding anything in this Agreement to the contrary, either Party shall have the right to terminate this Agreement upon thirty (30) days written notice and opportunity to cure to the other Party if the Party reasonably determines that the other Party has violated any material term of this Agreement. If the other party fails to timely cure the violation, the non-violating party may terminate this Agreement.

7. Miscellaneous

No Third Parties.

Except as expressly stated herein or within the HIPAA Security and Privacy Rule, the Parties to this Agreement do not intend to create any rights in any third parties.

Entire Agreement, Amendments, Assignment, Relationship, Waiver, Governing Law.

This Agreement is the entire agreement between the parties in connection with the subject matter herein and this Agreement may be amended or modified only in a writing signed by the Parties. Either party may assign, sublicense, delegate or transfer all or any portion of its rights or responsibilities under this Agreement by operation of law or otherwise to any subsidiaries or affiliates thereof, or to any other party, in connection with a sale of the business related to this Agreement or to the Arrangement Agreement. Any assignment of this Agreement by Business Associate in connection with a sale of this business shall relieve Business Associate from any further liability hereunder. None of the provisions of this Agreement are intended to create, nor will they be deemed to create any relationship between the Parties other than that of independent parties contracting with each other solely for the purposes of effecting the provisions of this Agreement and any other agreements between the Parties evidencing their business relationship. This Agreement will be governed by California law, without regard to its choice of law provisions. No change, waiver or discharge of any liability or obligation hereunder on any one or more occasions shall be deemed a waiver of performance of any continuing or other obligation, or shall prohibit enforcement of any obligation, on any other occasion. In the event that any provision of this Agreement is held by a court of competent jurisdiction to be invalid or unenforceable, the remainder of the provisions of this Agreement will remain in full force and effect. In addition, in the event a Party believes in good faith that any provision of this Agreement fails to comply with the then-current requirements of the HIPAA Security and Privacy Rule, including any then-current requirements of the HITECH Act or its regulations, such Party shall notify the other Party in writing. For a period of up to thirty (30) days, the Parties shall address in good faith such concern and amend the terms of this Agreement, if necessary to bring it into compliance. If, after such thirty (30)-day period, the Agreement fails to comply with the HIPAA Security and Privacy Rule, including the HITECH Act, then either Party has the right to terminate upon written notice to the other Party.

Minimum Requirements.

The Parties agree that, in the event that any documentation of the Arrangement Agreement pursuant to which Business Associate provides services to Covered Entity contains provisions relating to the use or disclosure of Protected Health Information that are more restrictive than the provisions of this Agreement, the provisions of the more restrictive documentation will control. The provisions of this Agreement are intended to establish the minimum requirements regarding the Parties’ use and disclosure of Protected Health Information.