Business Associate Data Use Agreement

THIS BUSINESS ASSOCIATE AGREEMENT AND DATA USE AGREEMENT (“BAA”) is entered into on the Effective Date, by and between Client (also referred to herein as “Covered Entity”), and WellSky Corporation and its Affiliates (“Business Associate” or “WellSky”).

 

Background

A. Covered Entity and WellSky have entered into a certain license agreement in effect as of the Effective Date (such agreement is the “Agreement”), pursuant to which Covered Entity has licensed software from Business Associate and Business Associate provides implementation, maintenance, support, and other services to Covered Entity.

B. Covered Entity possesses Protected Health Information that is protected under the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) and the regulations promulgated thereunder by the United States Department of Health and Human Services (collectively, “HIPAA”), and is permitted to use or disclose such Protected Health Information only in accordance with HIPAA and the Regulations.

C. Business Associate may have access to and may receive Protected Health Information from Covered Entity in connection with its performance under the Agreement. The Agreement may from time to time require the Business Associate’s receipt, Use, and/or Disclosure of Protected Health Information (PHI) from Covered Entity.

D. The provisions of this BAA in their totality are intended to implement the HIPAA regulations as they concern Business Associate Agreements. The provisions of the Agreement will remain in full force and effect and are amended by this BAA only to the extent necessary to effectuate the provisions set forth herein.

 

Terms

  1. Definitions. All capitalized terms used but not otherwise defined in this BAA or the Agreement shall have the same meaning as those terms in the Regulations.

a. Individual shall have the same meaning as the term “individual” in 45 CFR § 160.103 of the Regulations and shall include a person who qualifies as a personal representative in accordance with 45 CFR § 164.502(g) of the Regulations.

b. Regulations shall mean the Standards for Privacy of Individually Identifiable Health Information at 45 CFR Part 160 and Part 164, Subparts A and E, Security Standards for the Protection of Electronic Protected Health Information at 45 CFR Part 160 and Part 164, Subparts A and C; 45 CFR § 164.314, and the Health Information Technology for Economic and Clinical Health Act (HITECH), as it directly applies, as in effect on the date of this BAA.

c. Protected Health Information shall have the same meaning as the term “protected health information” in 45 CFR § 160.103, limited to the information created or received by Business Associate from or on behalf of Covered Entity.

d. Required by Law shall have the same meaning as the term “required by law” in 45 CFR § 164.103 of the Regulations.

e. Secretary shall mean the Secretary of the Department of Health and Human Services or his/her designee.

f. Security Incident shall have the same meaning given to such term in 45 CFR § 164.304.

 

  2. Obligations and Activities of Business Associate.

a. Business Associate agrees to comply with the requirements of the Privacy and Security Rules directly applicable to Business Associates through the HITECH Act.

b. Business Associate agrees to not use or disclose Protected Health Information other than as permitted or required by this BAA, the Privacy and Security Rules, the Agreement, or as required by law. Such disclosures shall be consistent with the “minimum necessary” requirements of the Regulations.

c. Business Associate agrees to use reasonable and appropriate safeguards to protect against the use or disclosure of the Protected Health Information other than as provided for by this BAA or the Agreement.

d. Business Associate agrees to mitigate, to the extent reasonably practicable, any harmful effect that is known to Business Associate of a use or disclosure of Protected Health Information by Business Associate in violation of the requirements of this BAA.

e. Business Associate agrees to report to Covered Entity any use or disclosure of the Protected Health Information not provided for by the BAA of which it becomes aware.

f. Business Associate shall notify Covered Entity of a breach of the Privacy Rule relating to the impermissible use or disclosure of Protected Health Information provided to the Business Associate for purposes of carrying out its obligations under the Agreement. Unless otherwise required by law or agreed to by the parties, it shall be the responsibility of Covered Entity to communicate with affected individual(s), the Secretary and the media information regarding the unintended use or disclosure.

g. Business Associate agrees to ensure that any agent, including a subcontractor, to whom it provides Protected Health Information received from, or created or received by Business Associate on behalf of Covered Entity agrees to the same or similar restrictions and conditions that apply through this BAA to Business Associate with respect to such information.

h. If Business Associate maintains Protected Health Information in a Designated Record Set for Covered Entity, Business Associate agrees to provide access, at the request of Covered Entity, and in the time and manner mutually agreed upon by the parties, to Protected Health Information in a Designated Record Set, to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements under 45 CFR § 164.524 of the Regulations. In the event a request for access is delivered directly to Business Associate by an Individual, Business Associate shall, as soon as possible, forward the request to Covered Entity.

i. If Business Associate maintains Protected Health Information in a Designated Record Set for Covered Entity, Business Associate agrees to make any amendment(s) to Protected Health Information in a Designated Record Set that the Covered Entity directs or agrees to pursuant to 45 CFR § 164.526 of the Regulations at the request of Covered Entity or an Individual, and in the time and manner mutually agreed upon by the parties. In the event a request for amendment is delivered directly to Business Associate by an Individual, Business Associate shall, as soon as possible, forward the request to Covered Entity.

j. Business Associate agrees to make internal practices, books, and records, including policies and procedures and Protected Health Information, relating to the use and disclosure of Protected Health Information received from, or created or received by Business Associate on behalf of Covered Entity available to the Secretary, in a time and manner reasonably designated by Secretary, for purposes of the Secretary determining Covered Entity’s compliance with the Regulations.

k. Business Associate agrees to document such disclosures of Protected Health Information and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 CFR § 164.528 of the Regulations.

l. Business Associate agrees to provide to Covered Entity or an Individual, in time and manner mutually agreed, information collected in accordance with Section 2(k) of this BAA, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 CFR § 164.528 of the Regulations. In the event a request for accounting is delivered directly to Business Associate by an Individual, Business Associate shall, as soon as possible, forward the request to Covered Entity.

m. Notwithstanding anything to the contrary in the Agreement, any reporting or notification obligations of Business Associate pursuant to this BAA shall be provided to Covered Entity’s registered email address and shall satisfy any such reporting or notification requirements under this BAA.

 

  3. Permitted Uses and Disclosures by Business Associate.

a. Except as otherwise limited in this BAA, Business Associate may use or disclose Protected Health Information to perform functions, activities or services for, or on behalf of, Covered Entity in connection with the BAA and any other agreements in effect between Covered Entity and Business Associate, including without limitation the provision of software implementation and support services, provided that such use or disclosure would not violate the Regulations if done by Covered Entity.

b. Except as otherwise expressly limited in this BAA, Business Associate may use Protected Health Information for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate.

c. Except as otherwise expressly limited in this BAA, Business Associate may disclose Protected Health Information for disclosures that are Required By Law, or if Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as Required By Law or for the purpose for which it was disclosed to the person, and the person notifies the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.

d. Except as otherwise expressly limited in this BAA, Business Associate may use Protected Health Information to provide Data Aggregation services to Covered Entity as permitted by 45 CFR § 164.504(e)(2)(i)(B) and in accordance with the Documentation.

e. Business Associate may de-identify any PHI, provided such de-identification conforms to the requirements of 45 CFR § 164.514(b).

f. Business Associate may use Protected Health Information to report violations of law to appropriate Federal and State authorities, consistent with 45 CFR § 164.502(j)(1).

 

  4. Obligations of Covered Entity.

a. Covered Entity shall notify Business Associate of any limitation(s) in the notice of privacy practices of Covered Entity under 45 CFR § 164.520, to the extent that such limitation may affect Business Associate’s use or disclosure of protected health information.

b. Covered Entity shall notify Business Associate of any changes in or revocation of, the permission by an individual to use or disclose his or her protected health information, to the extent that such changes may affect the Business Associate’s use or disclosure of protected health information.

c. Covered Entity shall notify Business Associate of any restriction on the use or disclosure of protected health information that Covered Entity has agreed to or is required to abide by under 45 CFR § 164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of protected health information.

d. Covered Entity shall not request Business Associate to use or disclose protected health information in any manner that would not be permissible under Subpart E of 45 CFR Part 164 if done by Covered Entity.

e. Covered Entity shall only provide a minimum amount of protected health information necessary for the Business Associate to satisfy its obligations under the Agreement.

 

5. Electronic Data Security.

    1. Business Associate agrees to implement administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of any electronic Protected Health Information that it creates, receives, maintains or transmits to or on behalf of Covered Entity as required by the Regulations.  Business Associate further agrees to ensure that any agent, including a subcontractor, to whom it provides such information, agrees to implement reasonable and appropriate safeguards to protect it.  Business Associate agrees to promptly report to Covered Entity any Security Incident of which it becomes aware, provided that this BAA shall constitute notice by Business Associate to Covered Entity of the ongoing existence and occurrence of attempted but unsuccessful Security Incidents including, but not limited to, pings and other broadcast attacks on Business Associate’s firewall, port scans, unsuccessful log-on attempts, denials of service and any combination of the foregoing, so long as any such incident does not result in unauthorized access, use or disclosure of PHI or material disruption of Business Associate’s information systems.

 

6. Termination.

a. Except as otherwise provided herein, this BAA shall terminate upon termination of the Agreement.

b. Termination for Cause. Upon Covered Entity’s knowledge of a material breach by Business Associate of this BAA, Covered Entity may:

        1. Provide a reasonable opportunity for Business Associate to cure the material breach or end the material violation and if Business Associate does not cure the material breach or end the material violation within a reasonable time, Covered Entity may terminate this BAA and the provisions of the Agreement that require or permit Business Associate to access Protected Health Information;
        2. If Business Associate has breached a material term of this BAA and cure is not possible, immediately terminate this BAA and the provisions of the Agreement that require or permit Business Associate to access Protected Health Information; or
        3. If neither termination nor cure is feasible, report the violation to the Secretary.

 

If Covered Entity breaches, Business Associate may terminate this BAA and any Underlying Agreement 30 days after written notice.

c. Effect of Termination.

        1. Except as provided in paragraph (2) of this section, upon termination of this BAA, for any reason, Business Associate shall return or destroy all Protected Health Information received from Covered Entity or created or received by Business Associate on behalf of Covered Entity. This provision shall apply to Protected Health Information that is in the possession of subcontractors or agents of Business Associate. Business Associate shall retain no copies of the Protected Health Information.
        2. In the event that Business Associate determines that returning or destroying the Protected Health Information is infeasible, Business Associate shall provide to Covered Entity notification of the conditions that make return or destruction infeasible. In such event, Business Associate shall extend the protections of this BAA to such Protected Health Information and limit further uses and disclosures of such Protected Health Information to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such Protected Health Information. Except as provided herein, any termination of the maintenance program or provisions of the Agreement that permit Business Associate to access Protected Health Information shall not affect the parties’ other obligations or rights under the Agreement.

 

7. Miscellaneous

a. Changes to Regulations.  If the Regulations are amended in a manner that would alter the obligations of WellSky as set forth in this BAA, then the parties agree to negotiate in good faith mutually acceptable changes to the terms set forth in this BAA.

b. Survival.  The respective rights and obligations of Business Associate under Section 6(c) of this BAA shall survive the termination of this BAA.

c. Interpretation.  Any ambiguity in this BAA shall be resolved to permit compliance with the Regulations.

d. Incorporation.  Except for Covered Entity, no third party may rely on the terms, conditions, rights, remedies, or obligations hereunder.  The terms of this BAA supersede any prior or contemporaneous agreement or understandings with respect to the subject matter of the BAA and are fully incorporated into and subject to the terms of the Agreement.

e. Governing Law.  The choice of law and venue applicable to this BAA shall be the same as the choice of law and venue that are applicable to the Agreement.

f. Notices:  Except as otherwise provided herein, any reports or notices to be given hereunder to a Party shall be made in accordance with the notice provision under the Agreement.

Prior versions:

July 5, 2023