Business Associate Agreement
Business Associate Agreement Introduction
This Business Associate Agreement ("BAA") is established between Optimind-ai ("Business Associate") and the user subscribing to the service ("Covered Entity"), collectively referred to as the "Parties." This agreement supplements and is made part of the Terms of Use or any other service agreements entered into between the Parties concerning the provision of Optimind-ai's services. The purpose of this BAA is to ensure compliance with the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), the Health Information Technology for Economic and Clinical Health ("HITECH") Act, and accompanying regulations concerning the creation, receipt, maintenance, and transmission of Protected Health Information ("PHI"). This BAA becomes effective on the date of the Covered Entity's electronic acceptance of its terms and will remain in effect as long as the Covered Entity uses Optimind-ai's services or until terminated as provided herein.
Definitions
- Protected Health Information (PHI): Information that relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual, and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual. PHI includes information of such nature transmitted or maintained in any form or medium, including Electronic Protected Health Information (ePHI).
- Electronic Protected Health Information (ePHI): PHI that is transmitted by electronic media or maintained in electronic media.
- Covered Entity: As defined under HIPAA, a health plan, a health care clearinghouse, or a health care provider who transmits any health information in electronic form in connection with a transaction covered by HIPAA.
- Business Associate: A person or entity, other than a member of the workforce of a covered entity, who performs functions or activities on behalf of, or provides certain services to, a covered entity that involve the use or disclosure of PHI.
- Breach: The acquisition, access, use, or disclosure of PHI in a manner not permitted under the Privacy Rule which compromises the security or privacy of the PHI.
- Security Incident: The attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system that contains PHI.
- HIPAA Rules: The applicable provisions of the Privacy Rule, the Security Rule, the Breach Notification Rule, and the Enforcement Rule as set forth in 45 CFR Parts 160 and 164.
Obligations of Business Associate
- The Business Associate shall not use or disclose PHI other than as permitted or required by this Agreement or as required by law.
- The Business Associate will use appropriate safeguards and comply with the Security Rule with respect to ePHI to prevent unauthorized use or disclosure of the information.
- The Business Associate will report any use or disclosure of PHI not provided for by this Agreement, including breaches of unsecured PHI as required by the Breach Notification Rule, and any security incident of which it becomes aware.
- The Business Associate will ensure that any subcontractors or agents that create, receive, maintain, or transmit PHI on behalf of the Business Associate agree to the same restrictions and conditions that apply to the Business Associate with respect to such information.
- To the extent the Business Associate possesses PHI in a Designated Record Set, it will make PHI available to the Covered Entity as necessary to satisfy the Covered Entity’s obligations under HIPAA to provide access to individuals.
- The Business Associate will make PHI available for amendment and incorporate any amendments to PHI as directed by the Covered Entity.
- Upon request, the Business Associate will provide an accounting of disclosures of PHI to enable the Covered Entity to fulfill its obligations under HIPAA.
- The Business Associate will make its internal practices, books, and records available to the Secretary of the U.S. Department of Health and Human Services for purposes of determining compliance with the HIPAA Rules.
Covered Entity's Responsibilities
- The Covered Entity must inform the Business Associate of any limitations in its Notice of Privacy Practices as required by HIPAA.
- The Covered Entity must notify the Business Associate of any changes in, or revocation of, permission by an individual to use or disclose their PHI.
- The Covered Entity must advise the Business Associate of any restrictions to the use or disclosure of PHI that the Covered Entity has agreed to in accordance with 45 CFR §164.522.
- The Covered Entity shall not request the Business Associate to use or disclose PHI in any manner that would not be permissible under HIPAA rules if done by the Covered Entity itself.
Amendment and Termination
This BAA may be amended from time to time to comply with legal changes. It remains in effect until terminated by either party or until the completion of all services requiring the use or disclosure of PHI. Upon termination, the Business Associate will return or destroy all PHI, if feasible.
Contact Information
For any questions regarding this BAA, please contact us at:
Optimind Practice Management
560 W Brown Rd Suite 1011
Mesa, Arizona 85201
USA