This Business Associate Agreement Addendum (“Addendum” or “BAA”) is entered into by and between unstuck Mental Health Studios, Inc. (“Unstuck”) and ______ (“Provider”) and is hereby incorporated by reference into the Unstuck Terms of Service (“Agreement”) entered into by and between the Parties. This BAA applies only where Provider is a Covered Entity or a Business Associate under HIPAA and when Unstuck is acting as a Business Associate as defined in 45 CFR § 160.103. In the event of any conflict between a provision in this BAA and a provision in the Agreement, the terms of this BAA shall control.
1. Definitions
Unless otherwise defined in this BAA, capitalized terms shall have the meanings set forth in the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and its implementing regulations at 45 CFR Parts 160 and 164, as amended from time to time.
“Protected Health Information” (PHI): Shall have the same meaning as defined in 45 CFR § 160.103, limited to the PHI that is received, created, maintained, or transmitted by Unstuck on behalf of Provider through the use of Unstuck's services.
“Unsuccessful Security Incidents”: Incidents that do not result in unauthorized access, use, disclosure, modification, or destruction of PHI. These may include, but are not limited to, pings, port scans, unsuccessful log-on attempts, and other routine activities that do not compromise the integrity of PHI.
2. Permitted Uses and Disclosures of PHI
2.1 Use and Disclosure by Unstuck
a. Unstuck shall not use or disclose PHI except as permitted or required by this BAA, the Agreement, or as required by law. Unstuck is permitted to use and disclose PHI to perform the services outlined in the Agreement with Provider, provided such use or disclosure would not violate HIPAA if done by Provider.
b. Unstuck may use PHI to create de-identified information in accordance with 45 CFR §§ 164.502(d) and 164.514(a)-(c). Unstuck shall own all rights, title, and interest in such de-identified data and may use it for any lawful purpose.
2.2 Management and Administration
Unstuck may use PHI for the proper management and administration of its business and to fulfill any legal responsibilities. Disclosures for these purposes are permitted only if:
a. The disclosures are required by law; or
b. Unstuck obtains reasonable assurances from the recipient that the PHI will remain confidential, will be used or further disclosed only as required by law or for the purpose for which it was disclosed, and the recipient agrees to notify Unstuck of any instances of which it becomes aware in which the confidentiality of the PHI has been breached.
3. Safeguards
a. Unstuck shall implement and maintain appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of PHI, as required by 45 CFR Part 164, Subpart C.
b. Unstuck shall use reasonable and appropriate safeguards to prevent the use or disclosure of PHI other than as provided for by this BAA or as required by law.
4. Reporting Obligations
4.1 Unauthorized Use or Disclosure
Unstuck shall promptly report to Provider any use or disclosure of PHI not permitted or required by this BAA of which it becomes aware.
4.2 Security Incidents
Unstuck shall report to Provider any Security Incident of which it becomes aware. Notification is hereby deemed given for Unsuccessful Security Incidents, and no further notice will be provided for such incidents.
4.3 Breach Notification
In the event of a breach of unsecured PHI as defined in 45 CFR § 164.402, Unstuck shall notify Provider without unreasonable delay and in no case later than 30 calendar days after discovery of the breach.
5. Subcontractors and Agents
Unstuck shall ensure that any subcontractors or agents that create, receive, maintain, or transmit PHI on behalf of Unstuck agree in writing to the same restrictions, conditions, and requirements that apply to Unstuck with respect to such PHI.
Unstuck remains responsible for ensuring that its subcontractors and agents comply with the terms of this BAA.
6. Access to PHI
To the extent that Business Associate maintains PHI in a Designated Record Set, Business Associate shall provide access to such PHI to Provider in a time and manner that meets the requirements of 45 C.F.R. § 164.524.
7. Amendment of PHI
To the extent Unstuck maintains PHI in a Designated Record Set, Unstuck shall make any amendments to such PHI as directed or agreed upon by Provider pursuant to 45 CFR § 164.526. Unstuck shall complete such amendments within a time and manner that meets the requirements of 45 C.F.R. § 164.524.
8. Accounting of Disclosures
Unstuck shall document disclosures of PHI as required under 45 CFR § 164.528 and shall provide such information to Provider upon request to enable Provider to fulfill its obligations to provide an accounting of disclosures to individuals.
9. Obligations of Provider
a. Provider shall not request Unstuck to use or disclose PHI in any manner that would not be permissible under HIPAA if done by Provider, except as expressly permitted under this BAA.
b. Provider shall implement appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of PHI in compliance with HIPAA.
10. Performance of Provider's Obligations
To the extent that Unstuck is to carry out any of Provider's obligations under the Privacy Rule, Unstuck shall comply with the requirements of the Privacy Rule that apply to Provider in the performance of such obligations.
11. Term and Termination
This BAA shall continue in effect until the earlier of (1) termination by a Party for breach as set forth in this BAA, or (2) expiration of the Agreement.
Upon written notice, either Party immediately may terminate the Agreement and this BAA if the other Party is in material breach or default of any obligation in this BAA. Either Party may provide the other a thirty (30) calendar day period to cure a material breach or default within such written notice.
Upon expiration or termination of this BAA, Unstuck shall return or destroy all PHI in its possession, if it is feasible to do so, and as set forth in the applicable termination provisions of the Agreement. If it is not feasible to return or destroy any portions of the PHI upon termination of this BAA, then Unstuck shall extend the protections of this BAA, without limitation, to such PHI and limit any further use or disclosure of the PHI to those purposes that make the return or destruction infeasible for the duration of the retention of the PHI.
12. Miscellaneous Provisions
12.1 Regulatory References
A reference in this BAA to a section in HIPAA means the section as in effect or as amended.
12.2 Amendment
This BAA may be amended only in writing signed by both Parties. The Parties agree to take such action as is necessary to amend this BAA from time to time to comply with the requirements of HIPAA and any other applicable law.
12.3 Interpretation
Any ambiguity in this BAA shall be resolved to permit compliance with HIPAA.
12.5 No Third-Party Beneficiaries
Nothing express or implied in this BAA is intended to confer any rights, remedies, obligations, or liabilities whatsoever upon any person other than Unstuck and Provider and their respective successors or assigns.