ReputationDefender® Local Standard HIPAA Business Associate Agreement Terms and Conditions
(Updated September 2018)
These Standard HIPAA Business Associate Agreement Terms and Conditions (“BAA”) shall be incorporated into the Standard Terms of Service (which may be found at https://www.reputationdefender.com/legal/reputationdefender-service-terms) for Customers that are Covered Entities (as defined below) and that provide Protected Health Information (“PHI”) (as defined below) to ReputationDefender LLC (the “Company”) in connection with the ReputationDefender® Local services they have purchased. These terms supplement and are made part of the service agreement between Company and Customers (“Underlying Agreement”) in order to comply with the federal Standards for Privacy of Individually Identifiable Health Information, located at 45 C.F.R. Part 160 and Part 164, Subparts A through E (“Privacy Rule”) and the Health Information Technology for Economic and Clinical Health Act, Public Law 111-005 (the “HITECH Act”).
1. DEFINITIONS
For the purposes of this Agreement, capitalized terms shall have the meanings ascribed to them below. All capitalized terms used but not otherwise defined herein will have the meaning ascribed to them by HIPAA or the HITECH Act.
1.1 A “Breach” is any acquisition, access, use, or disclosure of Unsecured PHI that is inconsistent with the terms of this Agreement and that compromises the security or privacy of the Unsecured PHI. Whether an acquisition, access, use, or disclosure of Unsecured PHI compromises its security or privacy shall be determined by reference to the definition of “breach” in 45 C.F.R. § 164.402.
1.2 “Business Associate” shall generally have the same meaning as the term “business associate” at 45 CFR 160.103, and in reference to the party to this agreement, shall mean ReputationDefender LLC.
1.3 “Covered Entity” shall generally have the same meaning as the term “covered entity” at 45 CFR 160.103, and in reference to the party to this agreement, shall mean Customer.
1.4 “HIPAA Rules” shall mean the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Part 160 and Part 164.
1.5 “Protected Health Information” or “PHI” shall have the same meaning as the term “protected health information” in 45 C.F.R. § 160.103, limited to the information created or received by Business Associate from or on behalf of Covered Entity.
1.6 Unless the context clearly indicates otherwise, the following terms in this BAA shall have the same meaning as those terms in the HIPAA Rules: Data Aggregation, Designated Record Set, disclosure, Electronic Media, Electronic Protected Health Information (ePHI), Health Care Operations, individual, Minimum Necessary, Notice of Privacy Practices, Required By Law, Secretary, Security Incident, Subcontractor, Unsecured PHI, and use.
2. GENERAL OBLIGATIONS OF BUSINESS ASSOCIATE
2.1 Use and Disclosure of PHI. Company shall not use or disclose PHI other than as permitted or required by this BAA or as Required by Law. Company shall not use or disclose PHI for fundraising or marketing purposes. Company shall not directly or indirectly receive remuneration in exchange for PHI, except with the prior written consent of Covered Entity and as permitted by the HITECH Act; however, this prohibition shall not affect payment by Covered Entity to Company for services provided pursuant to the Underlying Agreement.
2.2 Safeguards. Company shall use appropriate safeguards, and comply with Subpart C of 45 C.F.R. Part 164 with respect to electronic protected health information, to prevent use or disclosure of protected health information other than as provided for by the Underlying Agreement.
2.3 Mitigation. Company shall mitigate, to the extent practicable, any harmful effect that is known to Company of a use or disclosure of PHI by Company in violation of the requirements of this BAA.
2.4 Reporting. Company shall notify Covered Entity in writing of any access, use or disclosure of PHI for a purpose that is not provided for in this BAA or the Underlying Agreement, and of any Breach of Unsecured PHI, of which Company becomes aware, without unreasonable delay and in no case later than thirty (30) calendar days after discovery.
2.5 Disclosure to Agents and Subcontractors. Company shall ensure that any covered subcontractor to whom Company discloses PHI received from Covered Entity has in place an appropriate Business Associate agreement.
2.6 Designated Record Set. Company shall provide access, at the request of Covered Entity, to PHI in a Designated Record Set in order to meet the requirements under 45 C.F.R. § 164.524.
2.7 Internal Practices, Policies, and Procedures. Company shall make its internal practices, books, and records, including policies and procedures and PHI, relating to the use and disclosure of PHI received from, or created or received by Company on behalf of, Covered Entity available to the Covered Entity and to the Secretary of Health and Human Services (“Secretary”) for purposes of the Secretary determining Covered Entity’s compliance with the Privacy Rule and the HITECH Act.
2.8 Accounting for Disclosures. Company agrees to maintain the information required to provide an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528 and to make this information available to Covered Entity upon Covered Entity’s request in order to allow Covered Entity to respond to an Individual’s request for accounting of disclosures.
2.9 Security Obligations. Company shall implement appropriate safeguards as are necessary to prevent the use or disclosure of PHI otherwise than as permitted by the Underlying Agreement or this BAA including, but not limited to, administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of Covered Entity’s electronic PHI as required by 45 C.F.R. §§ 164.308, 164.310, and 164.312, as amended from time to time. Company shall ensure that any agent, including a subcontractor, to whom it provides such electronic PHI, agrees to implement reasonable and appropriate safeguards to protect it. Company shall comply with the policies and procedures and document requirements of the Privacy Rule including, but not limited to, 45 C.F.R. § 164.316. Company agrees to report promptly to Covered Entity any security incident of which it becomes aware.
2.10 Breach Pattern or Practice by Covered Entity. If Company knows of a pattern of activity or practice of Covered Entity that constitutes a material breach or violation of Covered Entity’s obligations under the BAA, Company must take reasonable steps to cure the breach or end the violation. If the steps are unsuccessful, Company must terminate the Underlying Agreement, if feasible, or if termination is not feasible, report the problem to the Secretary.
3. PERMITTED USES AND DISCLOSURES BY COMPANY
3.1 Permitted Uses and Disclosures. Except as otherwise limited in this BAA, Company may use or disclose PHI to perform functions, activities, or services for, or on behalf of, Covered Entity as specified in the Underlying Agreement provided such use or disclosure would not violate the Privacy Rule including, but not limited to, each applicable requirement of 45 C.F.R. § 164.504(e) and the HITECH Act if done by the Covered Entity.
3.2 Use for Management and Administration. Except as otherwise limited in this BAA, Company may use PHI for the proper management and administration of the Company or to carry out the legal responsibilities of the Company.
3.3 Disclosure for Management and Administration. Except as otherwise limited in this BAA, Company may disclose PHI for the proper management and administration of the Company, provided that disclosures are Required by Law, or Company obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as Required by Law or for the purpose for which it was disclosed to the person, and the person notifies the Company of any instances of which it is aware in which the confidentiality of the information has been breached.
3.4 Minimum Necessary. Company (and its agents or subcontractors) shall request, use, and disclose only the minimum amount of PHI necessary to accomplish the purpose of the request, use, or disclosure. Company understands and agrees that the definition of “minimum necessary” is subject to change from time to time and shall keep itself informed of guidance issued by the Secretary with respect to what constitutes “minimum necessary.”
3.5 Data Aggregation. Except as otherwise limited in this BAA, Company may use PHI to provide Data Aggregation services to Covered Entity as permitted by 45 C.F.R. §164.504(e)(2)(i)(B).
3.6 Report Violations of Law. Company may use PHI to report violations of law to appropriate Federal and State authorities consistent with 45 C.F.R. §164.502(j)(1).
4. OBLIGATIONS OF COVERED ENTITY
4.1 Notice of Privacy Practices. Covered Entity shall provide Company with the notice of privacy practices that Covered Entity maintains in accordance with 45 C.F.R. § 164.520, to the extent that such limitations may affect Company’s use or disclosure of PHI.
4.2 Changes in Permission. Covered Entity shall notify Company of any changes in, or revocation of, permission by an Individual to use or disclose PHI, to the extent that such changes may affect Company’s use or disclosure of PHI.
4.3 Notification of Restrictions. Covered Entity shall notify Company of any restriction to the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 C.F.R. § 164.522, to the extent that such restriction may affect Company’s use or disclosure of PHI.
4.4 Permissible Requests by Covered Entity. Covered Entity shall not request Company to use or disclose PHI in any manner that would not be permissible under the Privacy Rule and the HITECH Act if done by Covered Entity.
5. TERM AND TERMINATION
5.1 Term. The Term of this BAA shall be effective as of the first day that Covered Entity provides PHI to Company and shall terminate when all of the PHI provided by Covered Entity to Company, or created or received by Company on behalf of Covered Entity, is destroyed or returned to Covered Entity, or, if it is infeasible to return or destroy Protected Health Information, protections are extended to such information, in accordance with the termination provisions in this Section.
5.2 Termination for Cause. Upon Covered Entity’s knowledge of a material breach by Company, Covered Entity shall either:
- provide 60 days’ advance written notice specifying the nature of the breach or violation to Company. Company shall have 60 days from the date of the notice in which to remedy the breach or violation. If such corrective action is not taken within the time specified, this BAA and the Underlying Agreement shall terminate at the end of the 60-day period without further notice or demand;
- immediately terminate this BAA and the Underlying Agreement if Company has breached a material term of this BAA and cure is not possible; or
- report the violation to the Secretary if neither cure of the breach nor termination of this BAA and the Underlying Agreement are feasible.
5.3 Effect of Termination.
- Except as provided in Section 4.3b, upon termination of this BAA or the Underlying Agreement, for any reason, Company shall return or destroy all PHI received from Covered Entity, or created or received by Company on behalf of Covered Entity. This provision shall apply to PHI that is in the possession of subcontractors or agents of Company. Company shall retain no copies of the PHI.
- In the event that Company determines that returning or destroying PHI is not feasible, Company shall notify Covered Entity in writing of the conditions that make return or destruction infeasible. If return or destruction of the PHI is infeasible, Company shall extend the protections of this BAA to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Company maintains such PHI.
6. MISCELLANEOUS IN ADDITION TO TERMS AND CONDITIONS
6.1 Regulatory References. A reference in this BAA to a section in the Privacy Rule or the HITECH Act means the section as in effect or as amended.
6.2 No Third Party Beneficiaries. Nothing in this BAA shall be considered or construed as conferring any right or benefit on a person not party to this BAA nor imposing any obligations on either Party hereto to persons not a party to this BAA.
6.3 Amendments. Company reserves the right to change the terms and conditions of this BAA at any time. Company will notify Covered Entity of any material changes to this BAA by sending Covered Entity an e-mail to the last e-mail address Covered Entity provided to Company or by prominently posting notice of the changes on Company’s website. Any material changes to this BAA will be effective upon the earlier of thirty (30) calendar days following Company’s dispatch of an e-mail notice to Covered Entity or thirty (30) calendar days following Company’s posting of notice of the changes on its website. These changes will be effective immediately for new Company Clients. Please note that at all times Covered Entity is responsible for providing Company with its most current e-mail address. In the event that the last e-mail address that Covered Entity has provided Company is not valid, or for any reason is not capable of delivering to Covered Entity the notice described above, Company’s dispatch of the e-mail containing such notice will nonetheless constitute effective notice of the changes described in the notice. If Covered Entity does not agree with the changes to this BAA, Covered Entity must notify Company prior to the effective date of the changes that Covered Entity wishes to terminate its subscription to the applicable Company services. Continued use of the Company services, following notice of such changes, shall indicate Covered Entity’s acknowledgement of such changes and agreement to be bound by the terms and conditions of such changes.
6.4 Interpretation. The provisions of this HIPAA Addendum shall prevail over the provisions of any other agreement that exists between the Parties that may conflict with, or appear inconsistent with, any provision of this HIPAA Addendum, the Privacy Rule or the HITECH Act.