BUSINESS ASSOCIATE AGREEMENT
Last Updated: April 16, 2019
This Business Associate Agreement (“Agreement”) constitutes a contract by and between OnePay Global LLC (“OnePay” or “Business Associate”) and any health care provider, health plan, or health care clearinghouse (“Covered Entity”) (each a “Party” and collectively the “Parties”) who signs up to use OnePay’s Services through our Website or who signs a separate agreement regarding the Services. This Agreement governs Business Associate’s processing, storage, and/or use of any protected health information (“PHI”) provided to Business Associate by Covered Entity, unless the Parties sign a separate Business Associate Agreement, and is effective as of the date the Covered Entity signs up to use OnePay’s Services or signs a separate agreement to use the Services (“Effective Date”). If the Parties sign a separate Business Associate Agreement, the separate agreement will control.
- OBLIGATIONS OF BUSINESS ASSOCIATE
- Prohibited Use and Disclosure. Business Associate will not use or disclose PHI in any manner that is not permitted by this Agreement, or a related agreement, or as required by law.
- Required Safeguards To Protect PHI. Business Associate will use appropriate safeguards, and comply with the HIPAA Rules (specifically, the Security Rule, 45 C.F.R. Part 164, Subpart C) with respect to electronic PHI, to prevent the use or disclosure of PHI other than as provided by this Agreement.
- Reporting to Covered Entity. Business Associate will immediately report to Covered Entity any use or disclosure of PHI not provided for by this Agreement, including any breach of unsecured PHI, as required by the HIPAA Rules (specifically, the Breach Notification Rule, 45 C.F.R. Part 164, Subpart D).
- Agreements With Subcontractors. Business Associate will enter into an agreement with any subcontractor of Business Associate that creates, receives, maintains, or transmits PHI on behalf of Business Associate, as required by the HIPAA Rules (specifically, 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2)). The agreement will require the subcontractor to be bound by the same restrictions, conditions, and requirements that apply to Business Associate with respect to such PHI.
- Access to PHI. Business Associate will make PHI about an individual in a designated record set available to Covered Entity upon request for so long as such information is maintained by Business Associate in the designated record set, as required by the HIPAA Rules (specifically, 45 C.F.R. § 164.524). Business Associate will make such PHI available to Covered Entity within 15 days in order to allow Covered Entity to meet its obligations under the HIPAA Rules.
- Amendment of PHI. Business Associate will amend PHI or a record about the individual in a designated record set upon request by Covered Entity for so long as the PHI is maintained in the designated record set, as required by the HIPAA Rules (specifically, 45 C.F.R. § 164.526). Business Associate will amend such information within 15 days in order to allow Covered Entity to meet its obligations under the HIPAA Rules.
- Documentation and Accounting of Disclosures. Business Associate will document and make available to OnePay the information required to provide an accounting of disclosures of PHI as necessary to permit Covered Entity to respond to a request for an accounting of such disclosures, as required by the HIPAA Rules (specifically, 45 C.F.R. § 164.528). Business Associate will make such information available to Covered Entity within 30 days in order to allow Covered Entity to meet its obligations under the HIPAA Rules.
- Other Obligations. To the extent that Business Associate is to carry out one or more of Covered Entity’s obligations under the HIPAA Rules, Business Associate will comply with the requirements that apply to Covered Entity in the performance of such obligations, as required by the HIPAA Rules (specifically, the Privacy Rule, 45 C.F.R. Part 164, Subpart E).
- Availability of Books and Records. Business Associate will make its internal practices, books, and records available to the Secretary of the Department of Health and Human Services for purposes of determining compliance with the HIPAA Rules.
- De-Identification of PHI. Business Associate will not de-identify PHI unless otherwise permitted in writing by Covered Entity.
- PERMISSIBLE USE AND DISCLOSURE OF PHI
- Ownership of PHI. Business Associate agrees that it does not own any PHI provided to Business Associate by Covered Entity, and does not have any rights in such PHI, except the limited right to use and disclose the PHI as provided by this Agreement.
- Permissible Use of PHI. Business Associate may use or disclose PHI only as permitted by this Agreement or a related agreement, or as required by law.
- Permissible Disclosure of PHI. Business Associate may not use or disclose PHI in a manner that would violate the HIPAA Rules (specifically, the Privacy Rule, 45 C.F.R. Part 164, Subpart E) if done by OnePay, except that: (a) Business Associate may use PHI for its own proper management and administration, or to carry out its legal responsibilities; and (b) Business Associate may discloses PHI to a third party for its own proper management and administration, or to carry out its legal responsibilities, provided that: (i) the disclosures are required by law, or (ii) Business Associate obtains reasonable assurances from the third party that the PHI will remain confidential and will be used or further disclosed only as required by law or for the purposes for which it was disclosed to the third party, and that the third party will notify Business Associate of any instances in which the confidentiality of the PHI has been breached.
- “Minimum Necessary” Requirement. Business Associate agrees that any use and disclosure or requests for PHI by Business Associate will be consistent with Covered Entity’s minimum necessary use and disclosure policies, except where such use or disclosure is required by law. Such policies require that use and disclosure of PHI be limited to persons who need access to the information to carry out their job duties, namely, persons involved in the development, implementation, and maintenance of Covered Entity’s software, and that such persons only use or disclose such PHI as necessary to carry out such duties, namely, patient biometrics and related information sufficient to identify the subject of the biometrics.
- Data Aggregation Services. Business Associate may provide data aggregation services relating to the health care operations of Covered Entities.
- TERM AND TERMINATION
- Term. The term of this Agreement starts on the Effective Date and ends on the date that any related agreement between Covered Entity and Business Associate is terminated, or on the date that Covered Entity or Business Associate terminates this Agreement, as set forth below, whichever is sooner.
- Termination. This Agreement may be terminated: (1) immediately if either Covered Entity or Business Associate determines that the other Party has violated its HIPAA obligations; or (2) at Covered Entity’s or Business Associate’s discretion if either Party has given the other Party a reasonable time to cure the breach or end the violation, and the other Party has not cured the breach or ended the violation within such time.
- Obligations After Termination. Upon the termination of this Agreement for any reason, including the termination of any related agreement between Covered Entity and Business Associate, Business Associate will, at Covered Entity’s discretion, return or destroy all PHI received from Covered Entity that Business Associate maintains in any form. Business Associate will retain no copies of such PHI. This provision applies to all PHI in the possession of Business Associate and any subcontractors of Business Associate. The obligations of Business Associate under this section will survive the termination of this Agreement.
- LIMITATIONS ON LIABILITY
THE PARTIES AGREE THAT THEY WILL NOT BE LIABLE TO EACH OTHER FOR ANY DAMAGES, UNLESS SUCH LIABILITY IS FOUND TO HAVE BEEN CAUSED BY GROSS NEGLIGENCE OR INTENTIONAL MISCONDUCT, ARISING FROM OR RELATED TO THIS AGREEMENT. THE PARTIES AGREE THAT THIS LIMITATION ON LIABILITY APPLIES TO ANY DIRECT, INDIRECT, CONSEQUENTIAL, INCIDENTAL, EXEMPLARY, OR PUNITIVE DAMAGES, ANY ACCOUNTING OF PROFITS, OR ANY LOST PROFITS, UNDER ANY THEORY OF LIABILITY, INCLUDING BREACH OF CONTRACT, NEGLIGENCE, OR OTHERWISE, REGARDLESS OF WHETHER THE OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
- Governing Law and Jurisdiction. In the event of any legal proceedings arising from or related to this Agreement, any such proceedings will be governed by the laws of the State of Maryland, without regard to any conflict of law rules, and applicable federal law. Any such proceedings initiated by OnePay will be brought in state or federal court in the jurisdiction where you are primarily located, and any such proceedings initiated by you will be brought in state court in Montgomery County, Maryland or in federal court in the State of Maryland. The Parties expressly waive any challenges to personal jurisdiction and venue in any other forums.
- Injunctive Relief. The Parties agree that their failure to meet their obligations under HIPAA, HITECH, and the HIPAA Rules may result in irreparable harm, and in such event, either Party will be entitled to institute proceedings in any court of competent jurisdiction to obtain injunctive relief.
- Mitigation of Breach. Business Associate will cooperate with Covered Entity’s investigation, analysis, notification, and mitigation activities in the event of any use or disclosure of PHI not permitted by this Agreement. If Business Associate undertakes any notification or mitigation activities in connection with such unpermitted use or disclosure, Business Associate will bear the cost of such activities. If Covered Entity undertakes such activities at Business Associate’s request, or because Business Associate declines to undertake such activities, Business Associate will reimburse Covered Entity for the cost of such activities.
- Compelled Disclosure of PHI. In the event Business Associate receives a court order, subpoena, or similar requirement to disclose PHI to a third party, Business Associate will promptly notify Covered Entity, and in any event, will provide Covered Entity with a copy of the requirement within five (5) days of receipt. Covered Entity will have the right to review Business Associate’s response, including the PHI to be disclosed, prior to transmittal to any third party.
- Intended Beneficiaries. Business Associate agrees that any third-party Covered Entity that provides PHI to Covered Entity is an intended beneficiary of this Agreement, and is entitled to the same rights as Covered Entity under this Agreement. No other persons or entities are intended beneficiaries of this Agreement.
- Regulatory References. Any reference in this Agreement to HIPAA, HITECH, or the HIPAA Rules means the statutes or the regulations currently in effect.
- Amendment. The parties will consider this Agreement to be amended as necessary to comply with the current versions of HIPAA, HITECH, and the HIPAA Rules.
- Interpretation. Any ambiguity in this Agreement or conflict with a related agreement will be interpreted to permit compliance with HIPAA, HITECH, and the HIPAA Rules.