This Business Associate Agreement (this “Agreement”) governs the use and disclosure of Protected Health Information (“PHI”) by MyZorro, Inc. together with any of its affiliates (“Business Associate”) on behalf of its customers that are Covered Entities or Business Associates under HIPAA (“Covered Entity”). This Agreement is incorporated by reference into the applicable services agreement, order form, purchase order, commercial terms or other agreement (the “Underlying Agreement”) between Business Associate and Covered Entity that involves the creation, receipt, maintenance, or transmission of PHI (each, a “Party” and together, the “Parties”).
By executing or otherwise agreeing to the Underlying Agreement, Covered Entity agrees to be bound by the terms of this Agreement.
1. Purpose
Business Associate may create, receive, maintain, or transmit Protected Health Information (“PHI”) on behalf of Covered Entity in connection with the services provided under the Underlying Agreement. This Agreement sets forth the terms governing Business Associate’s use and disclosure of PHI in accordance with HIPAA.
2. Definitions
Capitalized terms used but not otherwise defined herein shall have the meanings assigned under HIPAA, including 45 C.F.R. Parts 160 and 164.
3. Permitted Uses and Disclosures
Business Associate shall limit the use, disclosure, and request of PHI to the minimum necessary to accomplish the intended purpose, in accordance with HIPAA. Business Associate may use and disclose PHI: (i) to perform its obligations under the Underlying Agreement; (ii) for its proper management and administration and to carry out its legal responsibilities, as permitted by HIPAA; and (iii) as required by law. Business Associate may de-identify PHI in accordance with HIPAA. Business Associate shall not use PHI for marketing or for any purpose not permitted by HIPAA or the Underlying Agreement..
4. Safeguards
Business Associate shall implement and maintain appropriate administrative, physical, and technical safeguards consistent with the HIPAA Security Rule to protect the confidentiality, integrity, and availability of PHI.
5. Subcontractors
Business Associate may use subcontractors to perform services, provided that such subcontractors agree in writing to comply with the same restrictions and conditions that apply to Business Associate with respect to PHI.
6. Reporting of Breaches
Business Associate shall report to Covered Entity any Breach of Unsecured PHI or Security Incident involving PHI without unreasonable delay and in and in no event later than 15 business days after discovery. Business Associate shall cooperate with Covered Entity in investigating and mitigating such Breach.
7. Access, Amendment, and Accounting
To the extent applicable, Business Associate shall make PHI available and amend PHI as directed by Covered Entity to satisfy Covered Entity’s obligations under 45 C.F.R. §§ 164.524 and 164.526. Business Associate shall provide information necessary for an accounting of disclosures in accordance with 45 C.F.R. § 164.528.
8. Access by HHS
Business Associate shall make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of HHS as required by HIPAA.
9. Return or Destruction of PHI
Upon termination of the Underlying Agreement, Business Associate shall return or destroy PHI within a reasonable period following termination, if feasible. If not feasible, Business Associate shall continue to protect such PHI in accordance with this Agreement.
10. Term and Termination
This Agreement shall remain in effect for so long as Business Associate maintains PHI. Either party may terminate this Agreement upon material breach not cured within a reasonable period.
11. Limitation of Liability
To the extent permitted by applicable law, the liability of Business Associate under this Agreement shall be subject to the limitations of liability set forth in the Underlying Agreement. The parties acknowledge and agree that this Agreement does not create any additional indemnification obligations beyond those, if any, set forth in the Underlying Agreement.
12. Governing Law
This Agreement shall be governed by and construed in accordance with the laws governing the Underlying Agreement, except to the extent preempted by HIPAA. The parties agree that any disputes arising out of or relating to this Agreement shall be subject to the exclusive jurisdiction and venue set forth in the Underlying Agreement.
13. Conflict
In the event of a conflict between this Agreement and the Underlying Agreement, this Agreement shall control with respect to HIPAA compliance.
14. Amendments
Business Associate may update this Agreement from time to time to reflect changes in applicable law or Business Associate’s practices. Business Associate will provide reasonable notice of any material changes by posting an updated version at the applicable URL or through the Underlying Agreement. Continued use of the services following such updates constitutes acceptance of the revised Agreement
15. Miscellaneous
This Agreement is incorporated into and forms part of the Underlying Agreement and shall be interpreted in a manner consistent therewith. In the event of a conflict between this Agreement and the Underlying Agreement, this Agreement shall control with respect to PHI and HIPAA compliance. Business Associate may assign this Agreement without consent to an affiliate or in connection with a merger, acquisition, or sale of substantially all of its assets, provided that the assignee agrees to be bound by this Agreement. No failure or delay by either Party in exercising any right under this Agreement shall operate as a waiver of such right. This Agreement shall be interpreted to permit compliance with HIPAA.