Last modified and effective May 1, 2022
This HIPAA Business Associate Subcontractor Agreement (“Agreement”) is made and entered into as of the date of mutual execution of an Order Form, Statement of Work or similarly executed document between ENROLLEASE, INC. (“Ease” or “Subcontractor”), a Delaware corporation with offices at 500 Treat Avenue, Suite 200, San Francisco CA 94110, and the party detailed as Customer (“Customer” or “Business Associate”) on the applicable Order Form or Statement of Work (together with Ease, the “Parties”).
WHEREAS, Business Associate has entered into contracts with certain covered entities (each such covered entity a “Covered Entity,” and collectively “Covered Entities”) that require Business Associate to provide satisfactory assurances that Business Associate will appropriately safeguard all health information protected under the Privacy Rule and Security Rule (as defined below) that is disclosed by, or created or received by, Business Associate on behalf of such Covered Entities; and WHEREAS, Subcontractor provides certain services to Business Associate.
THEREFORE, and in consideration for the benefits and obligations exchanged, the Parties agree as follows:
a. Unless otherwise specified in this Agreement, all capitalized terms used in this Agreement not otherwise defined in this Agreement or otherwise in an executed document between the parties have the meanings established for purposes of the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations (collectively, “HIPAA”) and American Recovery and Reinvestment Act of 2009 (“ARRA”), as each is amended from time to time. Capitalized terms used in this Agreement that are not otherwise defined in this Agreement and that are defined in an executed document between the parties shall have the respective meanings assigned to them in the applicable executed document. To the extent a term is defined in both the Agreement and an executed document between the parties, HIPAA or ARRA, the definition in this Agreement, HIPAA or ARRA shall govern.
b. “Affiliate”, for purposes of this Agreement, shall mean any entity that is a controlled by or under common control with Subcontractor. For this purpose, “control” means the legal, beneficial, or equitable ownership, directly or indirectly, of fifty percent (50%) or more of the capital stock (or other ownership interest, if not a corporation) of such entity ordinarily having voting rights. “Common Control” means control of two or more entities by a common parent organization.
c. “ARRA” shall mean Subtitle D of the Health Information Technology for Economic and Clinical Health Act provisions of the American Recovery and Reinvestment Act of 2009, 42 U.S.C. §§17921-17954, and any and all references in this Agreement to sections of ARRA shall be deemed to include all associated existing and future implementing regulations, when and as each is effective.
d. “Electronic Protected Health Information” (“ePHI”) shall mean PHI as defined in Section 1.7 that is transmitted or maintained in electronic media.
e. “PHI” shall mean Protected Health Information, as defined in 45 C.F.R. § 160.103, and is limited to the Protected Health Information received from, or received or created on behalf of, Covered Entity by Business Associate or Subcontractor pursuant to performance of the Services.
f. “Privacy Rule” shall mean the federal privacy regulations issued pursuant to the Health Insurance Portability and Accountability Act of 1996, as amended from time to time, codified at 45 C.F.R. Parts 160 and 164 (Subparts A & E).
g. “Security Rule” shall mean the federal security regulations issued pursuant to the Health Insurance Portability and Accountability Act of 1996, as amended from time to time, codified at 45 C.F.R. Parts 160 and 164 (Subparts A & C).
h. “Services” shall mean, to the extent and only to the extent they involve the creation, use or disclosure of PHI, the services provided by Subcontractor to Business Associate under the Agreement.
2. RESPONSIBILITIES OF SUBCONTRACTOR. With regard to its use and/or disclosure of PHI, Subcontractor agrees to:
a. use and/or disclose PHI only as necessary to provide the Services, as permitted or required by this Agreement, or as otherwise Required by Law.
b. implement and use appropriate administrative, physical and technical safeguards to (i) prevent use or disclosure of PHI other than as permitted or required by this Agreement; (ii) reasonably and appropriately protect the confidentiality, integrity, and availability of the ePHI that Subcontractor creates, receives, maintains, or transmits on behalf of the Business Associate.
c. promptly and without unreasonable delay, and not greater than 15 days after the discovery of Improper Use or Disclosure, report to Business Associate (i) any use or disclosure of PHI not provided for by this Agreement of which it becomes aware; and/or (ii) any security incident of which Subcontractor becomes aware, except that, for purposes of this reporting requirement the term “Security Incident” does not include inconsequential incidents that occur on a frequent basis such as scans or “pings” that are not allowed past Subcontractor’s firewall.
d. require all of its subcontractors and agents that create, receive, maintain, or transmit PHI to agree, in writing, to the same restrictions and conditions on the use and/or disclosure of PHI that apply to Subcontractor; including but not limited to the extent that Subcontractor provides ePHI to a subcontractor or agent, it shall require the subcontractor or agent to implement reasonable and appropriate safeguards to protect the ePHI consistent with the requirements of this Agreement.
e. make available its internal practices, books, and records relating to the use and disclosure of PHI to the Secretary for purposes of determining Business Associate’s compliance with the Privacy Rule.
f. document, and within fifteen (15) days after receiving a written request from Business Associate, make available to Business Associate, information necessary for Business Associate to make an accounting of disclosures of PHI about an Individual, in accordance with 45 C.F.R. § 164.528 as of its Compliance Date.
g. notwithstanding Section 2.6, in the event that Subcontractor in connection with the Services uses or maintains an Electronic Health Record of PHI of or about an Individual, then Subcontractor shall when and as directed by Business Associate, make an accounting of disclosures of PHI directly to an Individual within fifteen (15) days, in accordance with the requirements for accounting for disclosures made through an Electronic Health Record in 42 U.S.C. 17935(c), as of its Compliance Date.
h. provide access within fifteen (15) days after receiving a written request from Business Associate to PHI in a Designated Record Set about an Individual, to Business Associate, sufficient to allow Business Associate to comply with the requirements of 45 C.F.R. § 164.524.
i. notwithstanding Section 2.7, in the event that Subcontractor in connection with the Services uses or maintains an Electronic Health Record of PHI of or about an Individual, then Subcontractor shall provide an electronic copy of the PHI within fifteen (15) days, to Business Associate, sufficient to allow Business Associate to comply with 42 U.S.C. § 17935(e) as of its Compliance Date.
j. to the extent that the PHI in Subcontractor’s possession constitutes a Designated Record Set, make available, within fifteen (15) days after a written request by Business Associate, PHI for amendment and incorporate any amendments to the PHI as directed by Business Associate.
k. request, use and/or disclose only the minimum necessary amount of PHI necessary to accomplish the purpose of the request, use or disclosure.
l. not directly or indirectly receive remuneration in exchange for any PHI as prohibited by 42 U.S.C. § 17935(d) as of its Compliance Date.
m. not make or cause to be made any communication about a product or service that is prohibited by 42 U.S.C. § 17936(a) as of its Compliance Date.
n. not make or cause to be made any written fundraising communication that is prohibited by 42 U.S.C. § 17936(b) as of its Compliance Date.
3. RESPONSIBILITIES OF BUSINESS ASSOCIATE. In addition to any other obligations set forth in an executed document between the parties, including in this Agreement, Business Associate:
a. by accepting the terms of this Agreement, notifies the Subcontractor that it considers client benefit enrollment data to be PHI for purposes of this Agreement.
b. shall provide to Subcontractor only the minimum PHI necessary to accomplish the Services.
c. in the event that the Business Associate honors a request to restrict the use or disclosure of PHI pursuant to 45 C.F.R. § 164.522(a) or makes revisions to its notice of privacy practices of Business Associate in accordance with 45 C.F.R. § 164.520 that increase the limitations on uses or disclosures of PHI or agrees to a request by an Individual for confidential communications under 45 C.F.R. § 164.522(b), Business Associate agrees not to provide Subcontractor any PHI that is subject to any of those restrictions or limitations to the extent any may limit Subcontractor’s ability to use and/or disclose PHI as permitted or required under this Agreement unless Business Associate notifies Subcontractor of the restriction or limitation and Subcontractor agrees to honor the restriction or limitation.
d. shall be responsible for using administrative, physical and technical safeguards at all times to maintain and ensure the confidentiality, privacy and security of PHI transmitted to Subcontractor pursuant to an executed document between the parties, including this Agreement, in accordance with the standards and requirements of HIPAA, until such PHI is received by Subcontractor.
e. shall obtain any consent or authorization that may be required by applicable federal or state laws and regulations prior to furnishing Subcontractor the PHI.
4. PERMITTED USES AND DISCLOSURES OF PHI. Unless otherwise limited in this Agreement, in addition to any other uses and/or disclosures permitted or required by this Agreement, Subcontractor may:
a. make any and all uses and disclosures of PHI necessary to provide the Services to Business Associate.
b. use and disclose to subcontractors and agents the PHI in its possession for its proper management and administration or to carry out the legal responsibilities of Subcontractor, provided that any third party to which Subcontractors discloses PHI for those purposes provides written assurances in advance that: (i) the information will be held confidentially and used or further disclosed only as Required by Law; (ii) the information will be used only for the purpose for which it was disclosed to the third party; and (iii) the third party promptly will notify Subcontractor of any instances of which it becomes aware in which the confidentiality of the information has been breached;
c. de-identify any and all PHI received or created by Subcontractor under this Agreement, which De-identified information shall not be subject to this Agreement and may be used and disclosed on Subcontractor’s own behalf, all in accordance with the De-identification requirements of the Privacy Rule;
d. provide Data Aggregation services relating to the Health Care Operations of the Covered Entity in accordance with the Privacy Rule;
e. use the PHI to create a Limited Data Set (“LDS”) in compliance with 45 C.F.R. 164.514(e). 5.
5. TERMINATION AND COOPERATION
a. Termination. If either Party knows of a pattern of activity or practice of the other Party that constitutes a material breach or violation of this Agreement, then the non-breaching Party shall provide written notice of the breach or violation to the other Party that specifies the nature of the breach or violation. The breaching Party must cure the breach or end the violation on or before thirty (30) days after receipt of the written notice. In the absence of a cure reasonably satisfactory to the non-breaching Party within the specified timeframe, or in the event the breach is reasonably incapable of cure, then the non-breaching Party may do the following:
(i) if feasible, terminate the Agreement, including this Agreement; or (ii) if termination of the Agreement is infeasible, report the issue to HHS.
b. Effect of Termination or Expiration. Upon termination of the Subcontractors services for any reason or the expiration or termination for any reason of an executed document between the parties and/or this Agreement, Subcontractor shall return or destroy all PHI, if feasible to do so, including all PHI in possession of Subcontractor’s agents or subcontractors. In the event that Subcontractor determines that return or destruction of the PHI is not feasible, Subcontractor may retain the PHI subject to this Section and, upon written request, notify Business Associate of such retention.
c. Under any circumstances, Subcontractor shall extend any and all protections, limitations and restrictions contained in this Agreement to Subcontractor’s use and/or disclosure of any PHI retained after the expiration or termination of an executed document between the parties and/or this Agreement, and shall limit any further uses and/or disclosures solely to the purposes that make return or destruction of the PHI infeasible.
d. Each Party shall cooperate in good faith in all respects with the other Party in connection with any request by a federal or state governmental authority for additional information and documents or any governmental investigation, complaint, action or other inquiry.
6. Contradictory Terms; Construction of Terms. Any other provision of the Agreement that is directly contradictory to one or more terms of this Agreement (“Contradictory Term”) shall be superseded by the terms of this Agreement to the extent and only to the extent of the contradiction, only for the purpose of Business Associate’s and Subcontractor’s compliance with HIPAA and ARRA, and only to the extent reasonably impossible to comply with both the Contradictory Term and the terms of this Agreement. The terms of this Agreement to the extent they are unclear shall be construed to allow for compliance by Business Associate and Subcontractor with HIPAA and ARRA.
7. Survival. Sections 4(a), 4(b), 5(a), and 5(b) shall survive the expiration or termination for any reason of the Agreement and/or of this Agreement.
8. Independent Contractor. Subcontractor and Business Associate are and shall remain independent contractors throughout the term. Nothing in this Agreement or otherwise in an executed document between the parties shall be construed to constitute Subcontractor and Business Associate as partners, joint-venturers, agents or anything other than independent contractors.
9. Effective Date of Agreement. This Agreement shall become effective upon the mutual execution of supporting terms by all parties.