By clicking “Accept,” you (“Provider”) agree to be bound by this Business Associate Agreement (“Agreement”). The date of acceptance shall be referred to as the “Effective Date.”
RECITALS
A. Provider and Research and Development LLC dba “Telehealth Professional” Inc. (“Business Associate”) have entered into, are entering into, or may subsequently enter into agreements or other documented arrangements (collectively, the “Business Arrangements”), including but not limited to the Affiliation Agreement dated as of the date hereof (the “Services Agreement”). Under such arrangements, Business Associate may provide services requiring access to, creation of, or use of health information protected under state and/or federal law.
B. Pursuant to the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the U.S. Department of Health & Human Services (“HHS”) issued:
• The Standards for Privacy of Individually Identifiable Health Information (“Privacy Standards”), 45 C.F.R. Parts 160 and 164;
• The Security Standards, 45 C.F.R. Parts 160, 162 and 164;
• As amended by the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”).
Collectively, these are referred to as the “HIPAA Regulations.”
C. The HIPAA Regulations require Covered Entities to enter into a “Business Associate Agreement” with entities that create, receive, maintain, or transmit Protected Health Information (“PHI”) or Electronic Protected Health Information (“EPHI”) on their behalf.
D. Business Associate and Provider desire to enter into this Agreement.
AGREEMENT
In consideration of the mutual promises herein, the parties agree as follows:
1. BUSINESS ASSOCIATE OBLIGATIONS
1.1 Use and Safeguards
Business Associate may receive or create PHI and EPHI on behalf of Provider. Capitalized terms not otherwise defined shall have the meanings set forth in the HIPAA Regulations.
Business Associate shall:
• Use appropriate safeguards to prevent unauthorized use or disclosure of PHI.
• Comply with the Security Standards regarding EPHI.
• Not use or disclose PHI in any manner that would violate HIPAA if done by Provider.
• Comply with applicable HIPAA requirements when carrying out Provider’s obligations.
1.2 Security Incidents
Business Associate shall implement administrative, physical, and technical safeguards to protect EPHI.
Business Associate shall:
• Promptly report Successful Security Incidents (unauthorized access, use, disclosure, modification, destruction, or system interference).
• Report Unsuccessful Security Incidents only upon Provider’s request, with mutually agreed reporting terms.
1.3 Breach Notification
If Business Associate discovers a Breach of Unsecured PHI under 45 C.F.R. §164.410, it shall notify Provider and provide:
• Identification of affected individuals;
• Information required for Provider’s HITECH Act notification obligations (to the extent known).
2. USE OF PHI
Business Associate may use PHI:
• To perform services under the Business Arrangements;
• For proper management and administration;
• To fulfill legal responsibilities;
• To provide Data Aggregation services (42 C.F.R. §164.504(e)(2)(i)(B));
• To de-identify PHI in compliance with the Privacy Standards.
3. DISCLOSURE OF PHI
Business Associate may disclose PHI:
• As necessary to perform obligations;
• As required or permitted by law;
• For management and administration (if required by law or with confidentiality assurances).
Business Associate shall:
• Obtain reasonable assurances from third parties receiving PHI;
• Require subcontractors to agree in writing to similar HIPAA restrictions (45 C.F.R. §§164.502(e)(1)(ii), 164.308(b)(2));
• Report unauthorized uses or disclosures;
• Mitigate harmful effects of improper disclosure where practical.
4. INDIVIDUAL RIGHTS (DESIGNATED RECORD SETS)
If Business Associate maintains a Designated Record Set, it shall:
• Provide access to PHI under 45 C.F.R. §164.524;
• Amend PHI as directed by Provider.
5. ACCOUNTING OF DISCLOSURES
Business Associate shall provide information necessary for Provider to comply with accounting requirements under 45 C.F.R. §164.528.
6. RECORDS AND AUDIT
Business Associate shall:
• Make records available to HHS or health oversight agencies as required;
• Notify Provider upon receipt of governmental requests for PHI (unless prohibited by law).
7. OBLIGATIONS OF PROVIDER
7.1 Lawful Requests
Provider shall not request actions that violate HIPAA or this Agreement.
7.2 Notice of Privacy Practices
Provider shall notify Business Associate of any limitations affecting PHI use.
7.3 Authorizations
Provider shall:
• Obtain required Individual authorizations under 45 C.F.R. §164.508;
• Inform Business Associate of changes or revocations.
7.4 Restrictions
Provider shall notify Business Associate of any agreed PHI restrictions under 45 C.F.R. §164.522.
8. TERM AND TERMINATION
8.1 Term
Effective upon acceptance and continues until terminated.
8.2 Termination for Cause
If Business Associate materially breaches this Agreement, Provider may:
• Allow time to cure; or
• Immediately terminate if cure is not possible.
8.3 Mutual Termination
Either party may terminate after Business Arrangements end.
8.4 Return or Destruction of PHI
Upon termination, Business Associate shall:
• Return or destroy all PHI; or
• If infeasible, continue protections and limit use.
This obligation survives termination.
9. MISCELLANEOUS
9.1 Notice
Notices must be in writing and delivered personally, electronically, by courier, or certified mail.
If to Business Associate:
7200 E. Hampden Ave. Ste #103
Denver, CO. 80224
Email: patientinfo@telehealthnp.com
If to Provider:
Email and physical address associated with Provider’s account.
9.2 Waiver
Waivers must be in writing. No waiver of one breach waives others.
9.3 Assignment
No assignment without written consent, except as permitted under the Services Agreement.
9.4 Severability
Invalid provisions do not affect remaining provisions.
9.5 Entire Agreement
This Agreement supersedes prior agreements regarding PHI. Stricter PHI protections in Business Arrangements control if compliant with HIPAA.
9.6 Governing Law
Governed by the laws of Colorado. Exclusive venue: state or federal courts in Parker, Colorado.
9.7 Equitable Relief
Provider may seek injunctions or specific performance for PHI violations. Business Associate waives bond requirement and adequacy of damages defense.
9.8 Independent Contractors
The parties are independent contractors. No agency or employment relationship is created.
9.9 Counterparts
May be executed in multiple counterparts.
9.10 Modifications for Regulatory Compliance
If the HIPAA Regulations change so as to render any provision invalid, the parties agree to negotiate in good faith to amend this Agreement accordingly.