Last Modified: November 29, 2023.
THIS BUSINESS ASSOCIATE AGREEMENT (the "Agreement") is entered into between you ("Covered Entity") and CoverMyMeds LLC, a Delaware limited liability company ("Business Associate") and is effective as of the date that you click the "SIGN UP" button on the Create Your Account screen (the "Effective Date").
WHEREAS, the U.S. Department of Health and Human Services issued regulations on "Standards for Privacy of Individually Identifiable Health Information" comprising 45 C.F.R. Parts 160 and 164, Subparts A and E (the "Privacy Standards"), "Security Standards for the Protection of Electronic Protected Health Information" comprising 45 C.F.R. Parts 160 and 164, Subpart C (the "Security Standards"), and "Standards for Notification in the Case of Breach of Unsecured Protected Health Information" comprising 45 C.F.R. Parts 160 and 164, Subpart D (the "Breach Notification Standards"), promulgated pursuant to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and as modified by the Health Information Technology for Economic and Clinical Health Act, Title XIII of Division A and Title IV of Division B of the American Recovery and Reinvestment Act of 2009 ("HITECH Act") (the Privacy Standards, the Security Standards and the Breach Notification Standards are collectively referred to herein as the "HIPAA Standards").
WHEREAS, in conformity with the HIPAA Standards, Business Associate has and/or will have access to, create and/or receive certain Protected Health Information (“PHI”) to perform its Services as provided under the Terms of Service entered into by and between Covered Entity and Business Associate (the “Terms of Service”).
WHEREAS, Covered Entity is required by the HIPAA Standards to obtain satisfactory assurances that Business Associate will appropriately safeguard all PHI disclosed by or created or received by Business Associate on behalf of Covered Entity.
WHEREAS, the parties hereto desire to enter into this Agreement to memorialize their obligations with respect to PHI pursuant to the requirements of the HIPAA Standards.
NOW, THEREFORE, Covered Entity and Business Associate agree as follows:
Definitions
Except as otherwise specified herein, capitalized terms used but not defined in this Agreement shall have the same meaning as those terms as defined in the Terms of Service or, if not defined therein, in the HIPAA Standards.
- Protected Health Information ("PHI") has the same meaning as the term "Protected Health Information" as defined in 45 C.F.R. § 160.103 and includes electronic PHI ("ePHI") limited, however, to such information created or received by Business Associate in a business associate capacity on behalf of Covered Entity.
- Secretary means the Secretary of the Department of Health and Human Services or his/her designee.
Obligations and Activities of Business Associate
- Business Associate agrees to not use or further disclose PHI other than as permitted or required by this Agreement, the Terms of Service, or as permitted or Required by Law.
- Business Associate agrees to use appropriate safeguards to prevent use or disclosure of the PHI other than as provided for by this Agreement.
- In accordance with the HIPAA Standards, Business Associate shall implement Administrative, Physical and Technical Safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of ePHI that it creates, receives, maintains or transmits on behalf of the Covered Entity. Specifically, Business Associate shall comply with the Security Standards.
- Business Associate agrees to report to Covered Entity any use or disclosure of PHI not provided for by this Agreement, including breaches of Unsecured Protected Health Information as required at 45 CFR 164.410, and any security incident of which it becomes aware. The parties acknowledge and agree that this Section 2(d) constitutes notice by Business Associate to Covered Entity of the ongoing existence and occurrence or attempts of Unsuccessful Security Incidents for which no additional notice to Covered Entity shall be required. “Unsuccessful Security Incidents” means, without limitation, pings and other broadcast attacks on Business Associate’s firewall, port scans, unsuccessful log-on attempts, denial of service attacks, and any other incident that does not result in unauthorized access, use or disclosure of PHI.
- Business Associate will enter into a written agreement with any Subcontractor that creates, receives, maintains or transmits PHI on behalf of Business Associate for Services provided to Covered Entity, which requires the Subcontractor to agree to restrictions and conditions on the use and disclosure of PHI that are no less restrictive than those that apply through this Agreement to Business Associate with respect to such PHI.
- Business Associate will cooperate with Covered Entity's efforts to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of the requirements of this Agreement.
- To the extent Business Associate maintains any PHI in a Designated Record Set, within twenty (20) business days of receipt of a written request by Covered Entity, Business Associate agrees to provide Covered Entity with access to PHI in a Designated Record Set for Covered Entity to comply with the requirements under 45 C.F.R. § 164.524. Business Associate further agrees, within twenty (20) business days of receipt of Covered Entity's written request, to make available PHI for amendment and incorporate any amendments to PHI in a Designated Record Set in accordance with 45 C.F.R. § 164.526. If Business Associate provides copies or summaries of PHI to an Individual it may impose a reasonable, cost-based fee in accordance with 45 C.F.R. § 164.524(c)(4).
- Business Associate agrees to make internal practices, books, and records, including policies and procedures and PHI relating to the use and disclosure of PHI created or received by Business Associate on behalf of Covered Entity available, at the request of the Covered Entity, to the Secretary, for purposes of determining Covered Entity's compliance with the HIPAA Standards, subject to any applicable privileges.
- Business Associate agrees to document those disclosures of PHI, and information related to such disclosures, as required to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528. Business Associate further agrees to provide Covered Entity such information within twenty (20) business days of receipt of its written request to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI, in accordance with 45 C.F.R. § 164.528.
- Business Associate acknowledges that in using, disclosing and requesting PHI, it shall comply with the minimum necessary requirements of the Privacy Standards.
Permitted Uses and Disclosures of PHI by Business Associate
- Business Associate may use or disclose PHI to perform functions, activities, or Services for, or on behalf of, Covered Entity pursuant to the Terms of Service, provided that such use or disclosure does not violate the HIPAA Standards.
- Business Associate may use PHI for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate. Business Associate may disclose PHI for the proper management and administration of Business Associate or to carry out its legal responsibilities, provided that such disclosures are (i) Required by Law, or (ii) Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as Required by Law or for the purpose for which it was disclosed to the person, and the person agrees to notify Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.
- Business Associate may use and disclose Protected Health Information to provide Data Aggregation services related to the health care operations of Covered Entity.
- Business Associate may use or disclose Protected Health Information to de-identify information or create a Limited Data Set, in accordance with 45 C.F.R. § 164.514(b), and use and disclose such de-identified data as permitted by law and, in the case of a Limited Data Set, as permitted by and in accordance with the Privacy Standards.
- Business Associate may use or disclose Protected Health Information for purposes of obtaining, and in accordance with, authorizations that meet the requirements of 45 CFR § 164.508.
- Business Associate may use or disclose Protected Health Information as permitted by 45 CFR § 164.506(c).
- Business Associate may use or disclose Protected Health Information for public health and other purposes permitted by 45 CFR 164.512 and to report violations of law to appropriate federal and state authorities consistent with 45 CFR § 164.502(j)(1).
Term and Termination
- Term. The provisions of this Agreement shall commence on the Effective Date and shall terminate upon termination of the Services except as provided in Section 4(c).
- Termination for Cause. Without limiting the termination rights of the parties pursuant to this Agreement and upon Covered Entity's knowledge of a material breach of this Agreement by Business Associate, Covered Entity shall provide a reasonable opportunity of not less than thirty (30) business days for Business Associate to cure the breach or end the violation and, if Business Associate does not cure the breach or end the violation within the time specified by Covered Entity, terminate this Agreement.
- Effect of Termination.
- Except as provided in paragraph (2) of this section, upon termination of the Services for any reason, Business Associate shall return or destroy all PHI received or created by Business Associate on behalf of Covered Entity. This provision shall apply to PHI that is in the possession of Subcontractors of Business Associate.
- If Business Associate determines that returning or destroying the PHI is not feasible, Business Associate shall extend the protections of this Agreement to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction not feasible, for so long as Business Associate maintains such PHI.
Covered Entity Obligations
Covered Entity will notify Business Associate fifteen (15) days, if practicable, prior to the effective date of (1) any limitation(s) in its notice of privacy practices in accordance with 45 C.F.R. § 164.520, (2) any changes in, or revocation of, permission by an Individual to use or disclose PHI, or (3) any restriction to the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 C.F.R. § 164.522. Covered Entity will make such notification to the extent that such limitation, restriction, or change may affect Business Associate’s use or disclosure of PHI.
Notices
Any notices or communications to be given pursuant to this Agreement shall be made, in the case of Covered Entity, to the individual noted in Covered Entity contact appearing in your account set up information and if made to Business Associate, to the address given below:
If to Business Associate to:
Legal Department
910 John Street
Columbus, Ohio 43222
legal@covermymeds.com
With a copy to:
privacy@covermymeds.com
Miscellaneous
- Regulatory References. A reference in this Agreement to a section in the HIPAA Standards means the section then in effect and as of its applicable compliance date.
- Amendment. This Agreement may be updated, revised or otherwise amended by Business Associate from time to time as Business Associate reasonably may deem appropriate, including, but not limited, to take into account statutory or regulatory changes or case law developments.
- Waiver; Severability. No failure or delay on the part of either Party in exercising any right under this Agreement will operate as a waiver of, or impair, any such right. No waiver of any such right will have effect unless given in a written document signed by the Party waiving such right. If any part of this Agreement is held to be void or unenforceable, such part will be treated as severable, leaving valid the remainder of this Agreement.
- Integration; Interpretation. This Agreement supersedes and replaces any and all previous business associate agreements between the parties. Any ambiguity in this Agreement shall be resolved to permit the parties to comply with the HIPAA Standards. In the event of any inconsistency or conflict between this Agreement and the Terms of Service, the terms and conditions of this Agreement shall govern and control.
- No Third-Party Beneficiary. Nothing express or implied in this Agreement or in the Terms of Service is intended to confer, nor shall anything herein confer, upon any person other than the parties and the respective successors or assigns of the parties, any rights, remedies, obligations, or liabilities whatsoever.
- Survival. The respective rights and obligations of Business Associate under Section 4(c) of this Agreement shall survive the termination of this Agreement for so long as Business Associate retains any PHI.
- Interpretation. Any ambiguity in this Agreement shall be resolved to permit the parties to comply with the HIPAA Standards. In the event of any inconsistency or conflict between this Agreement and the Terms of Service, the terms and conditions of this Agreement shall govern and control.
- Independent Contractor Status. The relationship between the Parties is one of independent contractors and not agents, joint venturers, or partners of one another. This Agreement does not create a partnership or joint venture.
- Governing Law. This Agreement shall be governed by and construed in accordance with the same internal laws as that of the Terms of Service.
- Modifications. Business Associate shall not be bound by any edits or modifications to this Agreement made by Covered Entity unless Business Associate expressly agrees in writing to any such edits or modifications.
If you need a signed copy of our Business Associate Agreement for your organization, you may download our Business Associate Agreement. For any assistance, please contact baa@covermymeds.com.