This Business Associate Agreement (“Agreement”) is entered into by and between TIS International (USA), Inc. dba Infinx Healthcare, on behalf of itself and its affiliates (“Business Associate”) and any person or entity to which Business Associate provides services as a business associate (as that term is defined pursuant to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”)), to the extent such person or entity is a covered entity as that term is defined pursuant to HIPAA (“Covered Entity”). The parties are entering into this Agreement to assist the Covered Entity in complying with HIPAA, and to set forth Business Associate’s obligations under the Health Information Technology for Economic and Clinical Health Act of 2009 (the “HITECH Act”), and 45 CFR Parts 160 and 164, Subpart C (the “Security Rule”), Subpart D (the “Data Breach Notification Rule”), and Subpart E (the “Privacy Rule”) (collectively, the “HIPAA Regulations”). Terms used in this Agreement have the meanings given them in the HIPAA Regulations. This Agreement applies to any Protected Health Information Business Associate receives from Covered Entity, or creates, receives or maintains on behalf of Covered Entity, under its agreements with Covered Entity, which may include, without limitation, those terms and conditions set forth in the applicable Master Services Agreement and/or Infinx SaaS Services Order and standard Infinx SaaS Terms and Conditions found at www.infinx.com/saas-terms (the “Principal Agreements”), and the terms of this Agreement are hereby incorporated into the Principal Agreements. This Agreement shall be effective as the date on which the Privacy Rule requires compliance by Covered Entity.
- Business Associate may use and disclose Covered Entity’s Protected Health Information to provide Covered Entity with the goods and services contemplated by the Principal Agreements. Except as expressly provided below, this Agreement does not authorize Business Associate make any use or disclosure of Protected Health Information that Covered Entity would not be permitted to make.
- Business Associate will:
- Not use or further disclose Covered Entity’s Protected Health Information except as permitted by the Principal Agreements or this Agreement, or as required by law;
- Use appropriate safeguards, and comply, where applicable, with the HIPAA Security Rule with respect to electronic protected health information, to prevent use or disclosure of Covered Entity’s Protected Health Information other than as provided for by the Principal Agreements or this Agreement;
- Report to Covered Entity any use or disclosure of Covered Entity’s Protected Health Information not provided for by the Principal Agreements or this Agreement of which it becomes aware, including breaches of unsecured protected health information as required by the Data Breach Notification Rule (45 CFR § 164.410), and any security incident of which Business Associate becomes aware. Notwithstanding the foregoing, Covered Entity and Business Associate hereby agree that Business Associate receives frequent, routine, unsuccessful attempts to penetrate or compromise its systems, including pings, port scans and log on attempts, and that this constitutes Business Associate’s report and notification to Covered Entity of such events, and no further reporting of such Security Incidents is required unless these attempts result in an unauthorized access to, use, disclosure, destruction or loss of electronic Protected Health Information, Business Associate will not report them to Covered Entity.
- Ensure that any of Business Associate’s subcontractors that create, receive, maintain, or transmit protected health information on behalf of the Business Associate agree in writing to the same restrictions and conditions that apply to Business Associate with respect to such information, including compliance with the HIPAA Security Rule with respect to electronic protected health information;
- Make any Protected Health Information in a designated record set available to Covered Entity to enable Covered Entity to meet its obligation to provide access to the information in accordance with 45 CFR § 164.524;
- Make any Protected Health Information in a designated record set available for amendment and incorporate any amendments to Protected Health Information as directed by Covered Entity pursuant to 45 CFR § 164.526;
- Make available to Covered Entity the information concerning disclosures that Business Associate makes of Covered Entity’s Protected Health Information required to enable Covered Entity to provide an accounting of disclosures in accordance with 45 CFR § 164.528;
- To the extent that Business Associate carries out Covered Entity’s obligations under the Privacy Rule, comply with the requirements of the Privacy Rule that apply to Covered Entity in the performance of such obligations;
- Make Business Associate’s internal practices, books, and records relating to Business Associate’s use and disclosure of Protected Health Information received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity, available to the Secretary of the United States Department of Health and Human Services for purposes of determining Covered Entity’s compliance with the HIPAA Regulations;
- Upon termination of the Principal Agreements, return or destroy all Covered Entity’s Protected Health Information that Business Associate still maintains in any form and retain no copies of such information or, if return or destruction is not feasible, extend the protections of this Agreement to that information and limit further use and disclosure to those purposes that make the return or destruction of the information infeasible.
- If Covered Entity determines that Business Associate has violated a material term of this Agreement, and if Business Associate fails to cure such violation within 30 days of delivery of written notice thereof, Covered Entity may immediately terminate this Agreement.
- Business Associate may use Covered Entity’s Protected Health Information for the management and administration of Business Associate’s company and to carry out Business Associate’s own legal responsibilities, and Business Associate may disclose the information for these purposes if Business Associate is required to do so by law, or if Business Associate obtains reasonable assurances from the recipient of the information (1) that it will be held confidentially, and used or further disclosed only as required by law or for the purpose for which it was disclosed to the recipient, and (2) that the recipient will notify Business Associate of any instances of which the recipient is aware in which the confidentiality of the information is breached.
- Business Associate may use Covered Entity’s Protected Health Information for data aggregation, as permitted by the Privacy Rule.
- Business Associate may de-identity Covered Entity’s Protected Health Information, in compliance with the requirements of 45 C.F.R. Section 164.514. Business Associate shall be the owner of such de-identified data.
- Covered Entity acknowledges that once Business Associate has completed using Protected Health Information to provide the services it is obligated to provide to Covered Entity, Business Associate will need to periodically destroy the Protected Health Information, a duplicate copy of which is maintained and used by Covered Entity for its operational, legal and business needs. Covered Entity expressly grants Business Associate permission to destroy Protected Health Information periodically after its use in providing services to Covered Entity and before termination or expiration of this Business Associate Agreement.
- This Agreement is to be interpreted in accordance with HIPAA, the HITECH Act, and the regulations promulgated thereunder, as amended from time to time. The terms of this Agreement shall prevail in the case of any conflict with the terms of any Principal Agreements to the extent necessary to allow Covered Entity to comply with the Privacy Rule.
- Nothing in this Agreement shall confer upon any person other than the Parties and their respective successors or assigns, any rights, remedies, obligations, or liabilities whatsoever.
- This Agreement contains the entire agreement and understanding between the Parties with respect to the subject matter hereof and supersedes any prior or contemporaneous written or oral agreements, representations and warranties between them respecting the subject matter hereof. This Agreement may be amended only by a writing signed by authorized representatives of both Parties.
Infinx Online BAA, V 2.1 (2022-01)
Once you click Submit, you will be directed to the secured Provider Enrollment Form to complete enrollment.