Business Associate Agreement

This is a “Business Associate Agreement” (BAA) that is being created at the time your SerenePractice account is set up (the “Effective Date”). The BAA is between you (the “Covered Entity”) and SerenePractice LLC (the “Business Associate”). This BAA replaces any previous business associate agreement between the parties. It amends, supplements, and is part of the “Terms of Service” between the Covered Entity and the Business Associate, which may be amended from time to time (the “Agreement”).


RECITALS

The following text is a Business Associate Agreement (BAA) between the Covered Entity and the Business Associate. A Covered Entity is a "covered entity" as defined in 45 C.F.R. § 160.103. Business Associate will provide services to Covered Entity under this agreement, which may involve creating, receiving, maintaining, or transmitting Protected Health Information (PHI).

Covered Entity and Business Associate intend to protect the privacy and security of PHI in compliance with HIPAA, which includes the Health Insurance Portability and Accountability Act of 1996, Subtitle D of the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH), as well as other applicable federal and state laws.

This BAA aims to meet HIPAA standards and requirements, including 45 C.F.R. §§ 164.308(b), 164.314(a), 164.502(e), and 164.504(e). It will only be applicable if the Business Associate meets the definition of “business associate” outlined in 45 C.F.R. § 160.103 concerning the Covered Entity.

NOW, THEREFORE, in consideration of the mutual promises below and the exchange of information under this BAA, the parties agree as follows:

I. DEFINITIONS

The following terms have specific meanings within the context of this document:

  • "Breach" means any unauthorized acquisition, access, use, or disclosure of Unsecured PHI by a Business Associate from or on behalf of the Covered Entity, as defined in 45 C.F.R. § 164.402.

  • "Data Aggregation" has the same meaning as the term "data aggregation" in 45 C.F.R. § 164.501.

  • "Designated Record Set" has the same meaning as the term "designated record set" in 45 C.F.R. § 164.501.

  • "Electronic Protected Health Information" or "ePHI" means any PHI created, received, maintained, or transmitted electronically by a Business Associate from or on behalf of the Covered Entity, as defined in 45 C.F.R. § 160.103.

  • "Individual" has the same meaning as the term "individual" in 45 C.F.R. § 160.103 and includes a person who qualifies as a personal representative under 45 C.F.R. § 164.502(g).

  • "Privacy Rule" means the Standards for Privacy of Individually Identifiable Health Information at 45 C.F.R. Part 160 and Part 164, Subparts A and E, as amended.

  • "Protected Health Information" or "PHI" means any information created, received, maintained, or transmitted by a Business Associate from or on behalf of the Covered Entity, as defined in 45 C.F.R. § 160.103.

  • "Reportable Event" means any use or disclosure of PHI not provided for by this BAA, any Security Incident, or any Breach of Unsecured PHI.

  • "Required by Law" means any requirement imposed by law, rule, regulation, or legal process, as defined in 45 C.F.R. § 164.103.

  • "Secretary" means the Secretary of the U.S. Department of Health and Human Services or his or her designee.

  • "Security Incident" means any attempted or successful unauthorized access, use, disclosure, modification, or destruction of ePHI by a Business Associate from or on behalf of the Covered Entity, as defined in 45 C.F.R. § 164.304.

  • "Security Rule" means the Security Standards for the Protection of Electronic Protected Health Information at 45 C.F.R. Part 160 and Part 164, Subparts A and C, as amended.

  • "Subcontractor" means any person to whom Business Associate delegates a function, activity, or service, as defined in 45 C.F.R. § 160.103.

  • "Unsecured PHI" means any PHI not secured by the standards for encryption and destruction outlined in 45 C.F.R. § 164.402.

If a capitalized term is used in this document without being defined here, it has the meaning given to that term under HIPAA. If there is any ambiguity in the definition of a term, the meaning that complies with HIPAA will control.

II. PERMITTED USES AND DISCLOSURES OF PHI

Except as limited in this Business Associate Agreement (BAA) or the Agreement itself, the Business Associate (BA) may do any or all of the following:

  • Use or Disclosure under the Agreement: Use or disclose protected health information (PHI) to perform functions, activities, or services for or on behalf of the covered entity to the extent permitted by the Agreement, provided that such use or disclosure would not violate the Privacy Rule or any applicable state law if done by the covered entity. In addition, BA may use and disclose PHI for the purposes listed below.

  • Use for Administration or Legal Responsibilities: Use PHI to manage and administer BA properly or to carry out BA's legal responsibilities.

  • Disclosure for Administration or Legal Responsibilities: Disclose PHI for the proper management and administration of BA or to carry out BA's legal responsibilities, provided that:

    • The law requires the disclosures; or

    • BA obtains reasonable assurances from the third party to whom the PHI is disclosed that such information shall remain confidential and shall be used or further disclosed only as Required By Law or for the purpose for which it was disclosed to the person, and such person agrees to promptly notify BA of any instance of which it is aware in which the confidentiality of the information has been breached.

  • Use for Reporting of Violations: Use PHI to report law violations to appropriate federal, state, and local authorities, consistent with 45 C.F.R. § 164.502(j).

  • Use for Data Aggregation Services: Use PHI to provide Data Aggregation services relating to the health care operations of the covered entity, as permitted by 45 C.F.R. §164.504(e)(2)(i)(B).

  • De-identified Information: Use PHI to create de-identified information in accordance with 45 C.F.R. §§ 164.502(d) and 164.514(a)-(c). BA may use de-identified information to the extent permitted by applicable law.

III. OBLIGATIONS AND ACTIVITIES OF BUSINESS ASSOCIATE

The Business Associate must observe the following obligations when handling Protected Health Information (PHI):

  • Business Associates are not allowed to use or disclose PHI in any way other than what is permitted by the BAA (Business Associate Agreement) and the Agreement or as Required by Law.

  • Business Associates must comply with HIPAA (Health Insurance Portability and Accountability Act) requirements while performing any obligation of the Covered Entity specified in the BAA or the Agreement.

  • Business Associates must use appropriate safeguards and comply with the Security Rule and HITECH (Health Information Technology for Economic and Clinical Health) to prevent any unauthorized use or disclosure of PHI.

  • Business Associates must report any Reportable Event to the Covered Entity without any delay and in no case later than fifteen (15) business days after becoming aware of such an event.

  • The report must include the identification of each Individual whose PHI has been or is reasonably believed to have been accessed, acquired, used, lost, modified, destroyed, or disclosed during the Reportable Event, a brief description of what happened, including the date of the Reportable Event and the date of the discovery, the types of PHI involved, any steps individuals should take to protect themselves from potential harm, and what Business Associate is doing to investigate, remediate, and respond to the Reportable Event.

  • Business Associates must cooperate with the Covered Entity in investigating a Reportable Event and assist in determining whether it constitutes a Breach of Unsecured PHI.

  • Business Associates must mitigate any harmful effect known to them of a Reportable Event to the extent practicable.

  • Business Associates must report any attempted but unsuccessful Security Incidents that do not result in unauthorized access to, or use, loss, modification, destruction, or disclosure of PHI, such as pings and other broadcast attacks on Business Associate’s firewall, port scans, unsuccessful log-on attempts, unsuccessful denial of service attacks, or any combination thereof.

  • If the Business Associate shares Protected Health Information (PHI) with a Subcontractor or allows a Subcontractor to create, receive, maintain, or transmit PHI on its behalf, the Business Associate must require the Subcontractor to comply with the same restrictions, conditions, and requirements that apply to Business Associate concerning such information. This can be done by entering into a written agreement with the Subcontractor in compliance with 45 C.F.R. §§ 164.314(a) and 164.504(e).

  • Business Associate agrees to provide access to PHI in a Designated Record Set to the Covered Entity or an Individual as directed by the Covered Entity. This is to meet Covered Entity’s requirements under 45 CFR § 164.524. If the Business Associate controls access to PHI in an Electronic Health Record or access to PHI stored electronically in any format, it will provide similar access to help the Covered Entity meet its requirements under the HIPAA Rules and Section 13405(c) of the HITECH Act. However, these provisions do not apply if the Business Associate and its employees or Subcontractors have no Protected Health Information in a Designated Record Set of the Covered Entity.

  • Business Associate shall amend PHI in a Designated Record Set as directed or agreed to by Covered Entity in a time and manner that meets the requirements of 45 C.F.R. § 164.526. However, this provision does not apply if the Business Associate, its employees, or Subcontractors have no Protected Health Information from a Designated Record Set of the Covered Entity.

  • Business Associate shall provide Covered Entity with an accounting of the disclosures of an Individual’s PHI in a time and manner that meets the requirements of 45 C.F.R. § 164.528 and Section 13405(c) of HITECH, as of the applicable effective date. Business Associate shall have a reasonable time to comply with such a request from Covered Entity, and in no case shall Business Associate be required to provide such documentation in less than ten (10) business days after Business Associate's receipt of such request.

  • If Business Associate receives an access, amendment, accounting of disclosures, or other similar request directly from an Individual, it will redirect the Individual to the Covered Entity, unless this BAA or another agreement between the Covered Entity and Business Associate provides otherwise.

  • To determine compliance with HIPAA, the Business Associate shall make its internal policies, practices, books, and records relating to the use and disclosure of PHI available to the Secretary. No attorney-client, accountant-client, or other legal privilege shall be deemed to have been waived by the Business Associate by the Business Associate’s compliance with this provision.

  • Business Associate agrees to comply with HIPAA’s minimum requirements. In connection with the performance of its services, activities, and/or functions to or on behalf of the Covered Entity, the Business Associate may share information, including PHI, with other business associates. Business Associates may also use and disclose information, including PHI, from other business associates of the Covered Entity as if it were received from or originated with the Covered Entity. The Covered Entity is responsible for securing and maintaining business associate agreements with its other business associates.

IV. OBLIGATIONS OF COVERED ENTITY

  • Notice of Privacy Practices: The Covered Entity must inform the Business Associate in writing of any limits to its Privacy Practices that may affect the use or disclosure of Protected Health Information (PHI) by the Business Associate.

  • Notification of Revocations: The Covered Entity must inform the Business Associate in writing of any changes or revocations of authorization by an individual to use or disclose PHI that may affect the Business Associate's use or disclosure of PHI.

  • Notification of Restrictions: The Covered Entity must inform the Business Associate in writing of any restriction on the use or disclosure of PHI that the Covered Entity has agreed to or is required to abide by under 45 C.F.R. § 164.522 and that may affect the Business Associate's use or disclosure of PHI.

  • Notification of Modifications: The Covered Entity must inform the Business Associate in writing of any changes to accounting disclosures of PHI under 45 CFR § 164.528, as made applicable under Section 13405(c) of the HITECH Act, that may affect the Business Associate's use or disclosure of Protected Health Information.

  • Permissible Requests: The Covered Entity must not ask the Business Associate to use or disclose PHI in any way that would not be allowed under HIPAA or other applicable federal or state law if done by the Covered Entity.

  • Minimum Necessary: The Covered Entity agrees to comply with HIPAA's minimum necessary requirements and will provide the Business Associate with only the minimum PHI necessary for the Business Associate to provide the services.

V. TERM AND TERMINATION

A. Term: This BAA will start on the Effective Date, be in effect for the same period as the Agreement, and continue in full force and effect from year to year until it terminates for any of the following reasons:

  • The Agreement expires or is terminated with or without cause.

  • This BAA is terminated for cause as described below in paragraph (B).

  • The parties mutually agree to terminate this BAA.

  • This BAA is terminated under applicable federal, state, or local law.

B. Termination for Cause: If the Covered Entity determines that the Business Associate has breached a material term of this BAA, the Covered Entity shall provide the Business Associate with written notice of that breach in sufficient detail to enable the Business Associate to understand the specific nature of the violation and an opportunity to cure the breach. If the Business Associate fails to cure the breach within thirty (30) days of receiving such notice, the Covered Entity may terminate this BAA and the Agreement. If the Business Associate determines that the Covered Entity has breached a material term of this BAA, the Business Associate shall provide the Covered Entity with written notice of that breach in sufficient detail to enable the Covered Entity to understand the specific nature of the violation and an opportunity to cure the breach. If the Covered Entity fails to remedy the breach within thirty (30) days of receiving such notice, the Business Associate may terminate this BAA and the Agreement.

C. Effect of Termination: Upon termination of this BAA for any reason, the Business Associate must return or destroy all PHI that the Business Associate still maintains in any form. If the return or destruction of any or all PHI is not feasible, the Business Associate shall comply with the terms of this BAA and the Security Rule and HITECH regarding any retained PHI. Business Associate shall not use or disclose the PHI retained by Business Associate for any purpose other than what is provided for in this BAA. This Section V.C shall survive termination of this Agreement.

VI. MISCELLANEOUS

  • Regulatory References: Any reference in this Business Associate Agreement (BAA) to a section of the Health Insurance Portability and Accountability Act (HIPAA) means that section as in effect or as amended at the time this BAA is executed or amended.

  • Amendment; No Waiver: Upon the effective date of any federal statute amending or expanding HIPAA, or of any guidance or temporary, interim final, or final regulations promulgated under HIPAA or under any federal statute amending or expanding HIPAA (collectively, the "Regulations"), or of any amendment to the Regulations, that applies to this BAA, this BAA shall be automatically amended so that the obligations imposed on the Covered Entity and Business Associate comply with such requirements, unless the parties agree otherwise by mutual consent. The parties shall take all necessary action to expressly reflect such automatic amendments to this BAA from time to time. Except as provided otherwise in this paragraph, no waiver, change, modification, or amendment of any provision of this BAA shall be made unless it is in writing and is signed by the parties hereto. The failure of either party at any time to insist upon strict performance of any condition, promise, agreement, or understanding set forth herein shall not be construed as a waiver or relinquishment of the right to insist upon strict performance of the same condition, promise, agreement, or understanding at a future time.

  • Interpretation: Any ambiguity in this BAA shall be resolved in favor of a meaning that permits compliance with HIPAA. The titles and headings set forth at the beginning of each section are inserted for convenience of reference only. They shall in no way be construed as a part of this BAA or as a limitation on the scope of the particular provision to which they refer. In the event of an inconsistency between the provisions of this BAA and the mandatory terms of HIPAA, as may be expressly amended from time to time by the Secretary or as a result of interpretations by the Secretary, a court, or another regulatory agency with authority over the parties, the interpretation of the Secretary, such court, or regulatory agency shall prevail.

  • Entire Agreement; Effect on the Agreement: This BAA, together with the Agreement, sets forth the entire understanding between the parties and supersedes any previous or contemporaneous understandings, commitments, representations, warranties, or agreements, written or oral, regarding the subject matter. No representations, agreements, or understandings of any kind, either written or oral, except as set forth or incorporated by reference into this BAA or the Agreement, have been relied upon in entering into this BAA, nor shall any such representations, agreements, or understandings be binding upon the parties unless expressly contained herein or therein. Notwithstanding any provision to the contrary in this BAA or the Agreement, to the extent that any term in this BAA is directly contradictory to a term in the Agreement, the term in this BAA shall supersede such contradictory term to the extent necessary to permit compliance with HIPAA.

  • Relationship of Parties: The parties to this BAA are independent contractors. None of the provisions of this BAA are intended to create, nor shall they be interpreted or construed to create, any relationship between the Covered Entity and Business Associate other than that of independent contractors. Except as otherwise expressly set forth herein, neither party nor its representatives shall be deemed the agent, employee, or representative of the other party.

  • No Third-Party Beneficiaries: This BAA is between the parties hereto. Nothing expressed or implied in this BAA is intended to confer, nor shall anything herein confer, any rights, remedies, obligations, or liabilities upon any person other than the Covered Entity and Business Associate and any respective successors and assigns.

  • Invalid or Unenforceable Provision: The provisions of this BAA shall be severable. The invalidity or unenforceability of any particular provision or portion of such provision of this BAA shall be construed, in all respects, as if such invalid or unenforceable provision or portion of such provision had been omitted and shall not affect the validity and enforceability of the other provisions hereof or portions of that provision.

  • Assignment: The parties' rights and obligations concerning the assignment of this BAA shall be subject to the assignment provision outlined in the Agreement. This BAA shall be binding upon and inure to the benefit of the parties and their respective successors.

  • Applicable Law: This BAA shall be construed, administered, and governed by the governing law outlined in the Agreement, except to the extent preempted by applicable federal law.

  • Disputes: In the event of a conflict between the parties, the parties shall follow the dispute resolution procedures outlined in the Agreement.

  • Notices: All notices to Business Associate shall be in writing and either delivered by hand, sent by mail, or delivered in such other manner as the parties may agree upon to SerenePractice, L.

  • Each party reserves the right to change the address for receiving notice during the term of this BAA upon written notice to the other parties.