This Business Associate Agreement (the “Agreement”) shall be incorporated into the Terms of Service Agreement for Customers that are Covered Entities (as defined in the HIPAA Rules) and that provide Protected Health Information (“PHI”) (as defined in the HIPAA Rules) to Tebra Technologies, Inc. and its subsidiaries (“Tebra” or “Business Associate”) in connection with the software and services they have purchased.
WHEREAS, Covered Entity possesses Individually Identifiable Health Information that is protected under the federal Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the Health Information Technology for Economic and Clinical Health Act (“HITECH”), the U.S. Department of Health and Human Services issued Standards for Privacy of Individually Identifiable Health Information (the “Privacy Rule”), Security Standards for the Protection of Electronic Protected Health Information (the “Security Rule”) and Breach Notification Standards for Unsecured Protected Health Information (the “Breach Notification Rule”) at 45 CFR parts 160 and 164 (collectively the “HIPAA Rules”);
WHEREAS, in order to ensure that Covered Entity and Business Associate remain in compliance with the HIPAA Rules and other applicable federal and state laws and regulations regarding the disclosure of PHI to Business Associate, the parties have agreed to enter into this Agreement;
NOW THEREFORE, Covered Entity and Business Associate agree as follows:
Capitalized terms used, but not otherwise defined, in this Agreement shall have the same meaning as those terms in the HIPAA Rules, and if no such definition is provided in such rules, then the meaning shall be that given to such capitalized term in the Terms of Service Agreement to which this Agreement is incorporated.
- Tebra Obligations and Activities
The obligations and activities of the Business Associate, as required by the Health Insurance Portability and Accountability Act (HIPAA), as amended by the Health Information and Technology for Economic and Clinical Health (“HITECH Act”) and in regulations promulgated thereunder, are as follows:
- Business Associate agrees to not use or disclose Protected Health Information other than (i) as permitted or required by the Agreement or as Required by Law; or (ii) as otherwise authorized by Covered Entity.
- Business Associate agrees to use appropriate safeguards to prevent use or disclosure of the PHI other than as provided for by this Agreement.
- Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of the requirements of this Agreement.
- Business Associate agrees to report to Covered Entity any use or disclosure of the PHI not provided for by this Agreement of which it becomes aware.
- Business Associate agrees to ensure that any subcontractor that creates, receives, maintains, or transmits electronic PHI originating from the Covered Entity on behalf of the Business Associate, agrees to substantially the same restrictions and conditions that apply through this Agreement to Business Associate with respect to such information.
- Business Associate agrees to provide access, at the request of Covered Entity to PHI in a Designated Record Set, to Covered Entity or, as directed by Covered Entity, to an Individual in in a time and manner that allows Covered Entity to meet the requirements under 45 CFR § 164.524.
- Business Associate agrees to make any amendment(s) to PHI in a Designated Record Set that the Covered Entity directs or agrees to pursuant to 45 CFR § 164.526 at the request of Covered Entity, in a time and manner that allows a Covered Entity to meet the requirements of 45 CFR 164.526 and in the time and manner of within thirty (30) days.
- Business Associate agrees to make internal practices, books, and records relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of Covered Entity, available to the Secretary, for purposes of the Secretary determining compliance with the Privacy Rule.
- Business Associate agrees to document such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 CFR § 164.528.
- Upon request of Covered Entity, Business Associate agrees to provide to Covered Entity or an Individual, information collected in accordance with Section 2 (ix) of this Agreement, as necessary to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 CFR § 164.528.
- Business Associate agrees to implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic PHI that it creates, receives, maintains, or transmits on behalf of the Covered Entity in accordance with the 45 CFR 164.306 (the HIPAA Security standards).
- Business Associate shall report to the Covered Entity any use or disclosure of PHI not permitted by this Agreement. Business Associate shall report any Breach of Unsecured PHI to Covered Entity in a manner that is in compliance with its obligations pursuant to 45 CFR §164.410.
- Business Associate shall report a successful Security Incident in accordance with Section xii above and shall report unsuccessful Security Incidents upon request of Covered Entity.
- When using, disclosing or requesting PHI, Business Associate agrees to use, disclose or request the minimal amount of information necessary for the stated purpose, unless an exception to the minimum necessary rule, as set forth in 45 CFR §164.502(b)(2).
- Permitted Uses and Disclosures
The permitted uses and disclosures of the Business Associate, as required by the Health Insurance Portability and Accountability Act (HIPAA) and in regulations promulgated thereunder, are as follows:
- Except as otherwise limited in this Agreement, Business Associate may use or disclose PHI to perform functions, activities, or services for, or on behalf of, Covered Entity as specified in the Terms of Services Agreement and this Agreement, provided that such use or disclosure would not violate the Privacy Rule if done by Covered Entity or the minimum necessary policies and procedures of the Covered Entity.
- Except as otherwise limited in this Agreement, Business Associate may use or disclose PHI for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate provided that disclosures are Required By Law, or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as Required By Law or for the purpose for which it was disclosed to the person, and the person notifies the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.
- Except as otherwise limited in this Agreement, Business Associate may use PHI to provide Data Aggregation services to Covered Entity as permitted by 45 CFR § 164.504(e)(2)(i)(B).
- Business Associate may use PHI to de-identify the information in accordance with 45 CFR 164.514(a)-(c), and shall retain any and all ownership claims relating to the de-identified data it creates from such PHI.
- Business Associate may use PHI to report violations of law to appropriate Federal and State authorities, consistent with § 164.502(j)(1).
- Covered Entity’s Obligations
The obligations of Covered Entity, as required by HIPAA and in regulations promulgated thereunder, are as follow:
- To the extent that Covered Entity utilizes services provided by the Business Associate to communicate with patients, Covered Entity is responsible for obtaining and documenting authorizations or requests from patients to communicate through this service and to inform patient of risks associated with such communications as applicable. It shall be Covered Entity’s responsibility to determine what permissions, authorizations or consents shall be documented and maintained for HIPAA compliance purposes. Business Associate does not obtain consent, authorization or permission from patients and the parties agree that is not Business Associate’s obligation to do so or to document or maintain any consent, authorization or permission obtained from patients.
- Covered Entity shall notify Business Associate of any limitation(s) in its notice of privacy practices of Covered Entity in accordance with 45 CFR § 164.520, to the extent that such limitation may affect Business Associate’s use or disclosure of PHI.
- Covered Entity shall notify Business Associate of any changes in, or revocation of, permission by Individual to use or disclose PHI, to the extent that such changes may affect Business Associate’s use or disclosure of PHI.
- Covered Entity shall notify Business Associate of any restriction to the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 CFR § 164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of PHI.
- Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under the Privacy Rule if done by Covered Entity.
- Covered Entity agrees to comply with the HIPAA Security Rule, including, without limitation, safeguarding all computers, laptops, cell phones, tablets, or other mobile devices in accordance with the HIPAA Security Regulations.
- Term and Termination
- The term of this Agreement shall be effective as of the effective date contemplated by the Terms of Service Agreement to which this Agreement is incorporated, and shall terminate when all of the PHI provided by Covered Entity to Business Associate (or created or received by Business Associate on behalf of Covered Entity) is destroyed or returned to Covered Entity, or, if it is infeasible to return or destroy PHI, when protections are extended to such information in accordance with the termination provisions in this Section.
- Termination For Cause. In addition to any termination rights set forth in the Terms of Service Agreement, in the event of a material breach of this Agreement, the other party shall either: (i) provide the breaching party with an opportunity to cure the breach or end the violation, and terminate the Agreement (including this Agreement) if the breaching party does not cure the breach or end the violation within sixty (60) days, or (ii) immediately terminate the Terms of Service Agreement (and this Agreement) if cure is not possible.
- Termination upon Issuance of Guidance or Change In Law. If the Secretary provides additional guidance, clarification or interpretation on the Privacy Rule, or there is a change or supplement to the HIPAA statutes or regulations (both referred to as a “HIPAA Change”), such that a party hereto determines that the service relationship between Business Associate and Covered Entity is no longer a Business Associate relationship as defined in HIPAA, such party shall provide written notice to the other party of the HIPAA Change, and upon mutual agreement of the parties that the HIPAA Change renders this BA Agreement unnecessary, this Agreement shall terminate and be null and void.
- The respective rights and obligations of Business Associate under this Section 5 of this Agreement shall survive the termination of this Agreement for any reason.
- The parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for Covered Entity to comply with the requirements of the HIPAA Rules and the HIPAA.
- The parties agree that Business Associate may unilaterally amend this Agreement from time to time for the reasons set forth in the above paragraphs and for other business reasons and that any such amended agreement which Business Associate signs on a later date will supersede this Agreement.
- Any ambiguity in this Agreement shall be resolved to permit Covered Entity to comply with the HIPAA Rules.
- The terms Covered Entity and Business Associate are used in this Agreement only for purposes of convenience and are not meant to imply that either party would meet the definition of Covered Entity or Business Associate set forth in the HIPAA regulations.
- To the extent not preempted by Federal law, this Agreement shall be governed and construed in accordance with the state laws governing the Terms of Service Agreement, without regard to conflicts of laws provisions that would require application of the law of another state.
- This Agreement does not and is not intended to confer any rights or remedies upon any person other than the parties.
- This Agreement supersedes and replaces any prior business associate agreements between the Covered Entity and Business Associate, including any of Tebra’s subsidiaries as of the date set forth below.
Last Updated: June 1, 2023
To see previous versions, click here .