BUSINESS ASSOCIATE AGREEMENT
This Business Associate Agreement (this “BAA”) is made between you and OCDfeat, Inc. (“OCDfeat”). You and OCDfeat have entered or will enter into a business relationship for OCDfeat to provide access to its proprietary application to assist you or your providers with the management of your patients’ obsessive compulsive disorder and related conditions (the “Service”), as governed by our OCDfeat Terms of Service (available at https://ocdfeat.com/terms/, and/or any other such written agreement as may be entered into by the parties from time-to-time (each individually, and together collectively the “Underlying Agreement”) under which OCDfeat may create, receive, maintain, or transmit protected health information (“PHI”) of your patients. To the extent that you are a “Covered Entity,” and OCDfeat is a “Business Associate,” as those terms are defined under the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations (“HIPAA”) with respect to OCDfeat’s provision of the Service, the parties agree to the terms of this Agreement to address requirements of HIPAA with respect to OCDfeat’s access to and use of PHI through the Service or otherwise.
1. Effect. This BAA defines, modifies, and replaces any prior arrangements between the parties with respect to PHI. This BAA is made subject to the terms and conditions of the Underlying Agreement. Except as otherwise set forth in this BAA, the terms and provisions of this BAA will supersede any other conflicting or inconsistent terms and provisions in the Underlying Agreement. Absent an Underlying Agreement, this BAA shall govern OCDfeat’s obligations with respect to PHI from you.
2. Definitions. All capitalized terms used herein without definition shall have the respective meanings assigned to such terms in 45 C.F.R. Parts 160 and 164 (“HIPAA Regulations”).
3. Permitted uses and disclosures by OCDfeat.
a. Except as specifically limited in this BAA, OCDfeat may use or disclose PHI to perform its obligations under this BAA, to provide the Application, and to perform functions, activities, or services for you or on your behalf in connection with the Application or the Underlying Agreement, or as required by law.
b. OCDfeat may use PHI for its proper management and administration (e.g., research and testing in support of our products or services) and to carry out its legal responsibilities;
c. OCDfeat may disclose PHI for its proper management and administration, or to carry out its legal responsibilities, provided the disclosures are required by law or OCDfeat obtains reasonable assurances from the person to whom the information is disclosed that the information will remain confidential and used or further disclosed only as required by law or for the purposes for which it was disclosed to the person, and the person notifies OCDfeat when the person becomes aware that the confidentiality of the information has been breached.
d. OCDfeat may provide data aggregation services relating to Your and OCDfeat’s other customers’ health care operations.
e. OCDfeat may de-identify PHI so long as such de-identification meets the requirements of 45 CFR 164.514(a)-(c), and may use, disclose, and transfer such de-identified data at its discretion, for any lawful purpose.
f. OCDfeat may disclose PHI (i) for the treatment activities of a healthcare provider; (ii) to a covered entity or healthcare provider for the payment activities of the entity that receives the PHI; or (iii) to another covered entity for healthcare operations activities of the entity that receives the PHI, if each entity either has or had a relationship with the Individual who is the subject of the PHI being disclosed, the PHI pertains to such relationship, and the disclosure is for the covered entity’s health care operations in accordance with 45 C.F.R. § 164.506(c)(4)(i).
4. OCDfeat’s obligations and activities.
a. Safeguards against Misuse of PHI. OCDfeat shall use appropriate safeguards to prevent the use or disclosure of PHI other than as provided for by this BAA, and comply when applicable with Subpart C of 45 CFR Part 164 with respect to electronic PHI that OCDfeat creates, receives, maintains, or transmits on Your behalf;
b. Reporting of Disclosures of PHI. OCDfeat shall report to you any use or disclosure of PHI not covered by this BAA (including breaches of unsecured PHI) of which we become aware, as well as any security incidents of which we becomes aware, in accordance with 45 CFR 164.410 and 164.412. Notwithstanding the foregoing, the parties acknowledge and agree that this Section 3(c) constitutes notice by OCDfeat to you of the ongoing existence and occurrence or attempts of Unsuccessful Security Incidents for which no additional notice to you shall be required. “Unsuccessful Security Incidents” means, without limitation, pings and other broadcast attacks on our firewall, port scans, unsuccessful log-on attempts, denial of service attacks, and any combination of the above, so long as no such incidents resulted in unauthorized access, use or disclosure of Your electronic PHI;
c. Notification of Breach. OCDfeat shall notify you of the discovery of any Breach of Unsecured PHI in accordance with the HIPAA Regulations. Such notice shall include the identity of each Individual whose Unsecured PHI has been, or is reasonably believed to have been, breached. OCDfeat’s obligation to report under Section 3(c) and this Section 3(d) is not and will not be construed as an acknowledgement by OCDfeat of any fault or liability with respect to any use, disclosure, Security Incident or Breach.
d. Agreements by Third Parties. In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, OCDfeat shall ensure that its affiliates, agents, or subcontractors that create, receive, maintain, or transmit PHI on our behalf agree to the same or materially similar terms that apply to OCDfeat with respect to such information;
e. Access to Information. If OCDfeat maintains PHI in a Designated Record Set, as defined in 45 C.F.R. § 164.501, then upon your request, OCDfeat shall provide access to such PHI in a Designated Record Set to the Individual in order for you to comply with the requirements under 45 C.F.R. § 164.524. If OCDfeat receives a direct request from an Individual for access to PHI, it will forward the request to you to fulfill. If OCDfeat provides copies or summaries of PHI to an Individual, OCDfeat may impose a reasonable, cost-based fee in accordance with 45 C.F.R. § 164.524(c)(4). Notwithstanding the foregoing, if the PHI that is the subject of a request for access is maintained in one or more Designated Record Sets electronically and if the Individual requests an electronic copy of such information, OCDfeat shall provide access to the PHI in the electronic form and format requested. Further, if an Individual’s request for access directs OCDfeat to transmit the copy of PHI directly to another person designated by the Individual, OCDfeat shall provide the copy to the person designated by the Individual. The Individual’s request must be in writing, signed by the Individual, and clearly identify the designated person;
f. Availability of PHI for Amendment. If OCDfeat maintains PHI in a Designated Record Set, OCDfeat agrees to make available PHI for amendment and incorporate any amendments to PHI in a Designated Record Set, in order for you to comply with 45 C.F.R. § 164.526. If OCDfeat receives a direct request from an Individual for amendment to PHI, OCDfeat will forward the request to you to fulfill.
g. Accounting of Disclosures. Within forty-five (45) days after notice by you to OCDfeat, OCDfeat shall make available such information as is in its possession and that is required for you to make the accounting required by 45 C.F.R. § 164.528. If OCDfeat receives a direct request from an Individual for an accounting of disclosures of PHI, OCDfeat will forward the request to you to fulfill. The obligations set forth in the foregoing section will not apply to disclosures of PHI related to the Treatment of a patient, the processing of Payments related to such Treatment, or the Health Care Operations of a covered entity or its business associate and not relating to disclosures made earlier than six (6) years prior to the date on which the accounting was requested.
h. To the extent OCDfeat has agreed in writing to carry out your obligation(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to you in performance of such obligation(s).
i. OCDfeat agrees to make its internal practices, books, and records available to the Secretary to determine compliance with the HIPAA Regulations.
j. Except for the purposes set forth in the Underlying Agreement and as otherwise provided by law, OCDfeat shall not directly or indirectly receive remuneration in exchange for any PHI of an Individual unless you receive a valid HIPAA authorization.
k. OCDfeat shall make reasonable efforts to limit the use, disclosure, or request of PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.
5. Your Obligations and Restrictions.
a. Your Obligations. You will implement its own appropriate safeguards, not inconsistent with this BAA, to prevent unauthorized use and disclosure of PHI and will maintain the necessary consents required by law before using the Application to process PHI.
b. Minimum Necessary. OCDfeat may deem that you are disclosing to it only that PHI which you determine is reasonably necessary to achieve the intended purpose of the disclosure.
c. Changes in Policies and Procedures. You shall notify OCDfeat prior to implementing any change in its privacy or security policies and procedures, including your Notice of Privacy Practices, which would affect OCDfeat’s obligations hereunder.
d. Notice of Restrictions on Use or Disclosure. You agree to notify OCDfeat of any restriction on the use or disclosure of PHI that it has agreed to or is required to abide by under 45 CFR 164.522, to the extent that such restriction may affect OCDfeat’s use or disclosure of PHI. To the best of your knowledge, there are no such restrictions as of the date of this BAA.
e. Permitted Actions by you. In no event will you request OCDfeat to use or disclose PHI in any manner not permitted by HIPAA Rules if done by you, nor will you send unencrypted PHI to OCDfeat in any form. Should you do so, OCDfeat will not be responsible for damages related to such requests or unencrypted PHI.
f. Your Authority. You warrant and represent that you have or will have obtained before transmitting PHI to OCDfeat, the requisite consent or authority to provide OCDfeat with PHI to be processed and stored in the as permitted in this BAA or in the Underlying Agreement.
6. Term and Termination.
a. This BAA will become effective contemporaneously with the Underlying Agreement, and unless otherwise terminated as provided herein, will have a term that will run concurrently with that of the last expiration date or termination of the Underlying Agreement, if any.
b. If either party learns of a material breach of this Agreement by the other party, the non-breaching party will notify the breaching party and provide a reasonable opportunity to cure the breach, and if such breach is not cured within a reasonable time, terminate this Agreement and the Service components that we determine require or permit ongoing access to PHI. If a cure is not possible, then the non-breaching party may immediately terminate this Agreement and the Service components that we determine require or permit ongoing access to PHI.
c. Except as provided in this subsection, on termination of this Agreement, we will return or destroy all PHI, and we will retain no copies of the PHI. If we determine that returning or destroying PHI is infeasible (e.g., retention of PHI is necessary to continue our proper management and administration or to carry out our legal obligations), we will inform you of the conditions that make return or destruction infeasible and will extend the protections of this Agreement to such PHI to limit further uses and disclosures of PHI to those purposes that make the return or destruction infeasible, for as long as we maintain such PHI. The terms of this subsection apply to PHI in possession of our subcontractors or agents.
7. Miscellaneous.
a. Notice. Notices or other communications pertaining to this BAA shall be in writing and sent by email to the email address listed below.
Email: admin@ocdfeat.com
b. Amendment. The parties agree to take such good faith action to amend this Agreement from time to time to comply with actual or reasonably anticipated changes to requirements of the HIPAA Regulations.
c. Interpretation. Any ambiguity in this Agreement will be resolved to permit compliance with the HIPAA Regulations.
Entire Agreement. This BAA is the entire agreement between the parties regarding its subject matter and supersedes prior or contemporaneous representations or agreements about such matters and may not be modified except by a written agreement signed by the parties. This BAA will be deemed to be accepted by you and will govern the parties’ obligations related to the Application and will be subject to and will form an integral part of the Underlying Agreement, unless the parties have entered into a separate, written business associate agreement.