HIPAA BUSINESS ASSOCIATE AGREEMENT

LAST MODIFIED: AUGUST 12, 2020

CEDRUSMED IS CONTROLLED, OPERATED, AND INTENDED FOR USE ONLY IN THE UNITED STATES OF AMERICA.

This HIPAA Business Associate Agreement (this “Agreement”) is entered into by and between the customer/entity/person agreeing to the terms below (the “Covered Entity”) and CedrusMed LLC, a Florida limited liability company (the “Business Associate”), effective as of the date electronically accepted by Covered Entity when clicking the “ACCEPT HIPAA BAA” button (or other electronic means made available by Business Associate for such purposes). For purposes of this Agreement, Covered Entity and Business Associate may each be referred to as a “Party” and collectively as the “Parties.” This Agreement is an addendum to the Underlying Agreement(s) (defined below).

THE TERMS OF THIS AGREEMENT FORM A BINDING LEGAL CONTRACT BETWEEN THE PARTIES. CAREFULLY READ ALL OF THE TERMS OF THIS AGREEMENT BEFORE CLICKING THE “ACCEPT HIPAA BAA” BUTTON. BY CLICKING THE “ACCEPT HIPAA BAA” BUTTON, YOU ACKNOWLEDGE YOUR CONSENT AND AGREEMENT TO ALL THE TERMS AND CONDITIONS SET FORTH IN THIS AGREEMENT. IF YOU DO NOT AGREE TO ALL THE TERMS OF THIS AGREEMENT, DO NOT CLICK “ACCEPT HIPAA BAA.” IF YOU HAVE ANY QUESTIONS REGARDING THE EFFECT OF THE TERMS AND CONDITIONS IN THIS AGREEMENT, YOU ARE ADVISED TO CONSULT INDEPENDENT LEGAL COUNSEL.

RECITALS

WHEREAS, Covered Entity has retained Business Associate to provide certain services to be performed for or on behalf of Covered Entity, which are described and set forth in one or more separate agreements, order form(s), and/or statement(s) of work for services between the Parties (collectively, the “Underlying Agreement(s)”);

WHEREAS, the purpose of this Agreement is to satisfy the standards and requirements of the Health Insurance Portability and Accountability Act of 1996 and the Health Information Technology for Economic and Clinical Health Act, as may be amended from time to time; and

WHEREAS, this Agreement shall supplement and/or amend each of the Underlying Agreements entered into between the Parties to allow the Parties to comply with the HIPAA Rules (defined below).

NOW THEREFORE, in consideration of the mutual covenants set forth in this Agreement, and other good and valuable consideration, the sufficiency and receipt of which are hereby severally acknowledged, the parties agree as follows:

1. Definitions.
a. The following terms used in this Agreement shall have the same meaning as those terms in the HIPAA Rules: Breach, Data Aggregation, Designated Record Set, Disclosure, Health Care Operations, Individual, Minimum Necessary, Notice of Privacy Practices, Protected Health Information (“PHI”), Required by Law, Secretary, Security Incident, Subcontractor, Unsecured Protected Health Information (“Unsecured PHI”), and Use.

b. Specific Definitions.
i. Business Associate. “Business Associate” shall generally have the same meaning as the term “business associate” as set forth in 45 CFR § 160.103, and in reference to the Party to this Agreement, shall mean CedrusMed, LLC.

ii. Covered Entity. “Covered Entity” shall generally have the same meaning as the term “covered entity” as set forth in 45 CFR § 160.103, and in reference to the Party to this Agreement, shall mean the entity named in the preamble and its affiliates.

iii. HIPAA Rules. “HIPAA Rules” shall mean the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the Health Information Technology for Economic and Clinical Health Act (“HITECH”) provisions of the American Recovery and Reinvestment Act of 2009, and its implementing regulations, the Privacy, Security, Breach Notification and Enforcement Rules at 45 CFR Part 160 and Part 164, as such regulations may be amended from time to time.

2. Obligations and Activities of Business Associate as to Protected Health Information.

a. Use and Disclosure of Protected Health Information. Business Associate may use and/or disclose PHI only as Required by Law, permitted under this Agreement, or to the extent necessary to perform Business Associate’s obligations under the Underlying Agreement(s). Business Associate shall use the Minimum Necessary PHI to accomplish the purposes of each Use or Disclosure of PHI hereunder in compliance with the requirements of 45 C.F.R. §164.502(b).

b. Health Information Safeguards. Business Associate shall develop, implement, maintain and use appropriate safeguards that comply with Subpart C of 45 C.F.R. Part 164 and reasonably and appropriately protect the confidentiality, integrity, security and availability of electronic PHI and reasonably prevent Use or Disclosure of any PHI other than as provided for by this Agreement or the Underlying Agreement. Business Associate shall implement administrative, physical and technical safeguards for Electronic PHI that it creates, receives, maintains or transmits on behalf of Covered Entity, including without limitation, compliance with each of the Standards and Implementation Specifications of 45 C.F.R. §164.308 (Administrative Safeguards), 45 C.F.R. §164.310 (Physical Safeguards), 45 C.F.R. §164.312 (Technical Safeguards) and 45 C.F.R. §164.316 (Policies and Procedures and Documentation Requirements).

c. Reporting. Business Associate shall report to Covered Entity any Security Incident or any Use or Disclosure of PHI not authorized by this Agreement or the Underlying Agreement of which it becomes aware, including incidents that constitute Breaches of Unsecured PHI, as required at 45 CFR § 164.410. Business Associate shall make the report to Covered Entity’s Privacy Officer within five (5) business days after Business Associate learns of such unauthorized Use or Disclosure. Business Associate’s report shall identify the following, if known: (a) identify the nature of the unauthorized Use or Disclosure; (b) identify the PHI used or disclosed; (c) identify who is responsible for the unauthorized Use or Disclosure; (d) identify what Business Associate has done or shall do to mitigate any deleterious effect of the unauthorized Use or Disclosure; (e) identify what corrective action Business Associate has taken or shall take to prevent future similar unauthorized Use or Disclosure; and (f) provide such other information, including a written report, as reasonably requested by Covered Entity’s Privacy Officer. Business Associate shall notify Covered Entity in writing promptly upon the discovery of any Breach of PHI in accordance with 45 C.F.R. § 164.410, but in no case later than thirty (30) calendar days after discovery. A privacy risk assessment will be conducted to determine whether the Business Associate or Covered Entity has the obligation to report the breach to the patient(s), OCR, and/or the media, as required by the HIPAA Rules.

d. Subcontractors and Agents. In accordance with 45 CFR §§ 164.502 (e)(1)(ii) and 164.308(b)(2), if applicable, Business Associate shall ensure that any Subcontractors and agents that create, receive, maintain, or transmit PHI on behalf of the Business Associate agree to the same restrictions, conditions, and requirements that apply to the Business Associate with respect to such information.

e. Mitigation of Disclosure of PHI. Business Associate shall take reasonable measures to reasonably mitigate, to the extent practicable, any harmful effect known to Business Associate of any Use or Disclosure of PHI by Business Associate or its Subcontractors or agents in violation of the requirements of this Agreement. Business Associate shall cure any violation in accordance with 45 C.F.R. § 160.410(b).

f. Access to Health Information by Individuals. If applicable, Business Associate shall make available to Covered Entity, within five (5) business days of request, PHI held in a Designated Record Set as necessary for Covered Entity to respond to an Individual’s request for access to PHI. In the event any Individual or personal representative requests access to the Individual’s PHI or Health Information directly from Business Associate, Business Associate shall forward to Covered Entity any and all requests by the Individual to access such records.

g. Correction of Health Information. If applicable, Business Associate shall, as directed or agreed to by the Covered Entity, promptly amend or correct PHI held in a Designated Record Set or take other measures necessary to satisfy Covered Entity’s obligations in accordance with the requirements of 45 C.F.R. § 164.526. In the event an Individual delivers the request for an amendment or correction directly to Business Associate, Business Associate shall promptly forward such request to Covered Entity within five (5) business days.

h. Accounting of Disclosures. If applicable, Business Associate shall implement an appropriate recordkeeping system and document its disclosures of PHI in a manner sufficient for the Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528. Covered Entity shall designate the time and manner in which Business Associate shall provide the accounting of its disclosures to Covered Entity. In the event an Individual delivers the request for an accounting directly to Business Associate, Business Associate shall promptly forward such request to Covered Entity within five (5) business days.

i. Availability of Books and Records. To the extent the Business Associate is to carry out one or more of the covered entity’s obligation(s) under Subpart E of 45 CFR Part 164, Business Associate shall comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation(s). Business Associate shall make its internal practices, books and records relating to the Use and Disclosure of PHI received from or on behalf of Covered Entity available to Covered Entity and to the Secretary for the purpose of determining compliance by Covered Entity or Business Associate with the requirements of the HIPAA Rules.

j. Limitation on Obligations. Business Associate has no obligations under this Agreement with respect to any PHI that Covered Entity creates, receives, maintains, or transmits outside of the Underlying Agreement(s) and this Agreement will not apply to any PHI created, received, maintained or transmitted outside of the Underlying Agreement(s).

3. Permitted Uses and Disclosures by Business Associate.

a. Business Associate may only use or disclose PHI as permitted by law, as set forth in the Underlying Agreement or as designated specifically by this Agreement. Business Associate is not authorized to de-identify patient information in accordance with 45 CFR 164.514(a)-(c) without written approval by the Covered Entity.
b. Business Associate agrees to make Uses and Disclosures and requests for PHI consistent with Covered Entity’s minimum necessary policies and procedures. Without limiting the generality of the foregoing, Covered Entity will provide no more than the Minimum Necessary amount of PHI required for the performance of Business Associate’s services under the Underlying Agreement.
c. The Business Associate may not use or disclose PHI in a manner that would violate Subpart E of 45 CFR Part 164 if done by the Covered Entity, except for the specific Uses and Disclosures set forth below, and Covered Entity will not request Business Associate to do so.
d. Business Associate may use PHI for the proper management and administration of the Business Associate or to carry out the legal responsibility of the Business Associate.
e. Business Associate may disclose PHI for the proper management and administration of Business Associate or to carry out the legal responsibilities of the Business Associate, provided the disclosures are Required by Law, or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that the information will remain confidential and used for the purposes for which it was disclosed to the person, and the person notifies Business Associate of any instances of which it is aware in which confidentiality of the information has been breached.
f. Business Associate shall not use PHI to provide Data Aggregation services except as permitted by the Underlying Agreement or with the prior written authorization of the Covered Entity.

4. Obligations of Covered Entity.

a. Covered Entity shall notify Business Associate of any limitation(s) in the Notice of Privacy Practices of Covered Entity under 45 CFR 164.520, to the extent that such limitation may affect Business Associate’s use or disclosure of PHI.

b. Covered Entity shall notify Business Associate of any changes in, or revocation of, the permission by an Individual to use or disclose his or her protected information, to the extent that such changes may affect Business Associate’s use or disclosure of PHI.

c. Covered Entity shall notify Business Associate of any restriction on the use or disclosure of PHI that Covered Entity has agreed to or is required to abide by under 45 CFR 164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of PHI.

d. Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under the HIPAA Rules or any other applicable law.

e. Covered Entity remains responsible for fulfilling Individual rights and/or obligations of the Covered Entity and is not delegating any of its obligations or responsibilities under the HIPAA Rules to Business Associate.

f. Covered Entity shall obtain all necessary consents and Authorizations required under HIPAA Rules or any other applicable law to provide the PHI to Business Associate.

g. By clicking the “ACCEPT HIPAA BAA” button (or other electronic means made available by Business Associate for such purposes) presented with this Agreement, Covered Entity has accepted that its account contains PHI.

5. Term and Termination.

a. Term. The Term of this Agreement shall be effective as of the date of the Underlying Agreement and shall terminate on the termination date of the Underlying Agreement, or on the date either Party terminates for cause as authorized by Section 5(b) of this Agreement, whichever is sooner.

b. Termination for Cause or Breach. Upon either Party’s knowledge of a material breach of this Agreement by the other Party, such non-breaching Party shall: (1) provide an opportunity for the breaching Party to cure the breach or end the violation, and terminate the Business Relationship and this Agreement and the Underlying Agreement if the breaching Party does not cure the breach or end the violation within the time specified by the non-breaching Party; or (2) if feasible, immediately terminate the Business Relationship and this Agreement and the Underlying Agreement if either Party has breached a material term of this Agreement and cure is not possible. Either Party shall have the right to terminate this Agreement and the Underlying Agreement if it determines, in its reasonable discretion, that either Party has breached any material provision of this Agreement or violated any provision contained in the HIPAA Rules. Either Party may exercise this right by providing written notice to the breaching Party of termination, and the termination shall be effective immediately or at such other date specified by the non-breaching Party in such notice.

c. Return or Destruction of Health Information.

i. Except as otherwise provided in this Paragraph, upon termination, cancellation, expiration or other conclusion of this Agreement, Business Associate shall return to Covered Entity or destroy all PHI in whatever form or medium (including in any electronic media under Business Associate’s custody or control), that Business Associate received from or on behalf of Covered Entity, including any copies of and any PHI or compilations derived from and allowing identification of such PHI. Business Associate shall complete such return or destruction as promptly as possible, but not later than thirty (30) days after the effective date of the termination, cancellation, expiration or other conclusion of this Agreement. Within such 30-day period, Business Associate shall certify in writing to Covered Entity that such return or destruction has been completed. In the event that Business Associate determines that returning or destroying the PHI is not feasible, Business Associate shall provide to Covered Entity notification of the conditions that make return or destruction infeasible. Business Associate shall extend the protections of this Agreement to such PHI and limit further Uses and Disclosures of PHI to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such PHI.
ii. If the Business Associate is required to use or disclose PHI for its own management and administration or to carry out its legal responsibilities and the Business Associate needs to retain PHI for such purposes, Business Associate shall:
A. Retain only that PHI which is necessary for Business Associate to continue its proper management and administration or to carry out its legal responsibilities;
B. Continue to use appropriate safeguards and comply with Subpart C of 45 CFR Part 164 with respect to electronic PHI to prevent use or disclosure of the PHI other than as provided for in this Paragraph, for as long as the Business Associate retains the PHI;
C. Return to Covered Entity, or destroy, the PHI retained by Business Associate when it is no longer needed by Business Associate for its proper management and administration or to carry out its legal responsibilities.

6. Miscellaneous.

a. Regulatory References. A reference in this Agreement to a section in the HIPAA Rules means the section as in effect or as amended.

b. Regulatory Compliance. If the HIPAA Rules are amended in a manner that would alter the obligations of either Party as set forth in this Agreement, then the parties agree to take such action as is necessary in good faith to amend this Agreement to comply with the HIPAA Rules. All amendments shall be mutually agreed to by the parties in writing.

c. Interpretation. Any ambiguity in this Agreement and the underlying Agreement shall be interpreted to permit compliance with the HIPAA Rules. The terms of this Agreement shall prevail in the case of any conflict with the terms of any Underlying Agreement to the extent necessary to allow the parties to comply with the HIPAA Rules.

d. Ownership of PHI. The PHI to which Business Associate, or any agent or contractor or subcontractor of Business Associate has access under this Agreement shall be and remains the property of Covered Entity.

e. Mutual Representations and Warranties. Each of the Parties represents and warrants to the others that (a) it is duly authorized to execute and deliver this Agreement and to perform its obligations hereunder and has taken all necessary actions to authorize such execution, delivery, and performance, (b) the person signing this Agreement on behalf of each of the Parties is duly authorized to do so on its behalf, and (c) this Agreement constitutes its legal, valid, and binding obligation, enforceable against it in accordance with its terms.

f. Independent Contractor. The parties hereto shall be independent contractors, and neither shall at any time be considered an agent or employee of the other. No joint venture, partnership, or like relationship is created between the parties by this Agreement or the Underlying Agreement.

g. Nature of Fees and Services. Business Associate and Covered Entity mutually acknowledge and agree that Covered Entity’s disclosure of data to Business Associate is expressly and exclusively for the purpose of obtaining the services from Business Associate and that: (a) any services to be provided by Business Associate under this Agreement or the Underlying Documents do not reflect remuneration in exchange for data in a manner that constitutes a prohibited sale of PHI under HIPAA Rules; and (b) any fees to be paid by Covered Entity are intended to reflect the fair market value of the services and do not reflect remuneration in exchange for data in a manner that constitutes a prohibited sale of PHI under HIPAA Rules.

h. Entire Agreement; Amendment. There are no oral agreements with respect to the subject matter of this Agreement which are not fully expressed herein. No representations, understanding, or agreements have been made or relied upon in the making of this Agreement other than those specifically set forth herein. This Agreement can only be modified or amended by a writing signed by authorized representatives of both Parties.

i. Severability. In the event that any provision of this Agreement is held to be void, voidable, or unenforceable, it shall be severed from this Agreement and the remaining portions hereof shall remain in full force and effect.

j. Assignment. Neither party may assign this Agreement or its rights thereunder without prior written consent from the other party, which shall not be unreasonably withheld.

k. Third Party Beneficiaries. This Agreement is entered into by and between the parties hereto and for their benefit. There is no intent by either party to create or establish a third-party beneficiary status or rights in any third party to this Agreement.

l. Representation by Counsel. Each party acknowledges that it has had the opportunity to be represented by counsel of such party’s choice with respect to this Agreement. In view of the foregoing and notwithstanding any otherwise applicable principles of construction or interpretation, this Agreement shall be deemed to have been drafted jointly by the parties and in the event of any ambiguity, shall not be construed or interpreted against the drafting party.
m. Governing Law; Jurisdiction; Waiver of Jury Trial. This Agreement shall be considered as having been entered into in the State of Florida, United States of America, and shall be construed and interpreted in accordance with the laws of that state. In any action or proceeding arising out of or relating to this Agreement (an “Action”), each of the parties hereby irrevocably submits to the jurisdiction of any federal or state court of competent jurisdiction sitting in Miami, Florida, and further agrees that any Action shall be heard and determined in such Florida federal or state court. Each party hereby irrevocably waives, to the fullest extent it may effectively do so, the defense of an inconvenient forum to the maintenance of any Action in Miami, Florida. All Actions, issues, matters, and disputes between the Parties concerning this Agreement shall be tried by a judge in a non-jury trial.

n. Attorney’s Fees in the Event of Dispute. If any legal action, dispute, or other proceeding arises or is commenced to interpret, enforce or recover damages for the breach of any term of this Agreement, the prevailing party shall be entitled to recover from the non-prevailing Parties all of its fees and costs in connection therewith, including, without limitation, its attorneys’ fees and costs and costs of suit.

o. Notices. Any notice, demand or communication required or permitted to be given by any provision of this Agreement shall be in writing and will be deemed to have been given when actually delivered (by whatever means) to the Party designated to receive such notice, or on the next business day following the day sent by overnight courier with delivery confirmation, or on the third (3rd) business day after the same is sent by certified United States mail, postage and charges prepaid, directed to the individuals at the addresses indicated in the Underlying Document(s), or to such other or additional address as any Party might designate by written notice to the other Party.

p. Counterparts; Facsimile/Electronic Signatures. This Agreement may be executed in counterparts and delivered by facsimile or via electronic means such as PDF, and each such counterpart and/or facsimile/electronic signature shall be deemed to be an original, and all of which when taken together shall constitute one executed agreement.

q. LIMITATION OF LIABILITY. EXCEPT AS EXPRESSLY PROVIDED IN THIS AGREEMENT, BUSINESS ASSOCIATE SHALL NOT BE LIABLE FOR ANY DAMAGES WHATSOEVER, INCLUDING DIRECT, INDIRECT, INCIDENTAL, SPECIAL, OR CONSEQUENTIAL DAMAGES, INCLUDING LOST OR ANTICIPATED PROFITS, ARISING OUT OF OR IN ANY WAY RELATED TO THIS AGREEMENT, EVEN IF THE BUSINESS ASSOCIATE HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

CONTACT

If you have any questions about these Terms Of Service, please contact us at legal@cedrusmed.com.