If you have any questions concerning our Business Associate Agreement,
please contact us at firstname.lastname@example.org or at 1(800) 905-0698.
Episode Alert, LLC Addendum: Business Associate Agreement
This Business Associate Agreement (“BA Agreement”) becomes effective by and between
Principal/User Organization/Company/Covered Entity signing up (Principal) and Episode
Alert, LLC (Business Associate). Principal and Business Associate collectively shall
be known herein as “the Parties”.
Episode Alert, LLC, in the providence of services to Covered Entity, may receive,
use and/or disclose for or on behalf of Covered Entity certain Protected Health
Information relating to patients of Covered Entity that is subject to protection
under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”)
and the Health Information Technology for Economic and Clinical Health Act (HITECH
Act”). By reason of such activities, the parties believe that Episode Alertis a
Business Associate of Covered Entity. Covered Entity and Business Associate wish
to comply in all respects with the requirements of HIPAA and the HITECH Act applicable
to the relationship between covered entities and their business associates. Covered
Entity and Business Associate further wish to comply with the Modifications to the
HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health
Information Technology for Economic and Clinical Health Act and the Genetic Information
Nondiscrimination Act, which was published on January 25, 2013.
1. Definitions. Terms used, but not otherwise defined in this BA Agreement shall
have the same meaning as those terms set forth in the Privacy Rule or the Security
- Breach. “Breach” shall mean the unauthorized acquisition, access, use or disclosure
of Protected Health Information in a manner not permitted under the Privacy Rule
which compromises the security or privacy of such information. “Breach” excludes:
Electronic Protected Health Information. “Electronic Protected Health Information”
shall mean Protected Health Information that is transmitted by Electronic Media
(as defined in the Security Rule) or maintained in Electronic Media.
Privacy Rule. “Privacy Rule” shall mean the Standards for Privacy of Individually
Identifiable Health Information at 45 CFR part 160 and part 164, subparts A and
xProtected Health Information. “Protected Health Information” shall have the same
meaning as the term “protected health information” in 45 CFR § 160.103, limited
to the information received by Business Associate from or on behalf of Covered Entity.
Secretary. “Secretary” shall mean the Secretary of the Department of Health and
Human Services or his or her designee.
Security Incident. “Security Incident” shall mean the attempted or successful unauthorized
access, use, disclosure, modification or destruction of information or interference
with system operations in an information system that provides access to Protected
Security Rule. “Security Rule” shall mean the Security Standards for the Protection
of Electronic Protected Health Information at 45 CFR part 164 subpart C.
- (i) any unintentional acquisition, access, or use of Protected Health Information
by a workforce member or person acting under the authority of Covered Entity or
Business Associate, if such acquisition, access, or use was made in good faith and
within the scope of authority and does not result in further use or disclosure in
a manner not permitted under the Privacy Rule.
- (ii) any inadvertent disclosure by a person who is authorized to access Protected
Health Information at Covered Entity or Business Associate to another person authorized
to access Protected Health Information at Covered Entity or Business Associate,
if the information received as a result of such disclosure is not further used or
disclosed in a manner not permitted under the Privacy Rule.
- (iii) a disclosure of Protected Health Information where Covered Entity or Business
Associate has a good faith belief that an unauthorized person to whom the disclosure
was made would not reasonably have been able to retain such information.
- Except as provided in exceptions (i)-(iii) above, the acquisition, access, use,
or disclosure of Protected Health Information in a manner not permitted under the
Privacy Rule is presumed to be a Breach unless the Covered Entity or Business Associate,
as applicable, demonstrates that there is a low probability that the Protected Health
Information has been compromised based on a risk assessment of at least the following
- (i) the nature and extent of the Protected Health Information involved, including
the types of identifiers and the likelihood of re-identification;
- (ii) the unauthorized person who used the Protected Health Information or to whom
the disclosure was made;
- (iii) whether the Protected Health Information was actually acquired or viewed;
- (iv) the extent to which the risk to the Protected Health Information has been mitigated.
2. Obligations and Activities of Business Associate. Business Associate agrees to:
- not use or further disclose Protected Health Information other than as permitted
or required by this BA Agreement or as Required By Law.
- use, disclose, and request only the minimum necessary amount of Protected Health
Information necessary to perform its services for Covered Entity.
- use appropriate safeguards, and comply with the Security Rule with respect to Electronic
Protected Health Information, to prevent use or disclosure of the Protected Health
Information other than in accordance with this BA Agreement.
- mitigate, to the extent practicable, any harmful effect that is known to Business
Associate of a use or disclosure of Protected Health Information by Business Associate
in violation of the requirements of this BA Agreement or the Privacy Rule.
- report to Covered Entity any use or disclosure of the Protected Health Information
not in accordance with this BA Agreement of which Business Associate becomes aware,
including any Breach of unsecured Protected Health Information and any Security
Incident. For all reporting obligations under this BA Agreement, the parties acknowledge
that, because Business Associate does not know the nature of the Protected Health
Information contained in any of the Covered Entity’s accounts, it will not be possible
for Business Associate to provide information about the identities of the Individuals
who may have been affected, or a description of the type of information that may
been subject to a Security Incident or Breach.
- in accordance with the Privacy Rule and the Security Rule, ensure that any agent,
including a subcontractor, to whom it provides Protected Health Information received
from, or received by Business Associate on behalf of, Covered Entity agrees to the
same restrictions and conditions that apply to Business Associate.
- to the extent any Protected Health Information is in a designated record set, make
available Protected Health Information to the extent, for the purposes and in the
manner required by 45 CFR § 164.524 (Access of individuals to Protected Health Information)
and 45 CFR § 164.526 (Amendment of Protected Health Information) and incorporate
any amendment to Protected Health Information as required under 45 CFR § 164.526.
- to the extent Business Associate is to carry out one or more of Covered Entity’s
obligations under the Privacy Rule, Business Associate shall comply with the requirements
of the Privacy Rule that apply to Covered Entity in the performance of such obligations.
- make internal practices, books, and records relating to the use and disclosure of
Protected Health Information received from, or received by Business Associate on
behalf of, Covered Entity available to the Secretary for purposes of the Secretary
determining Covered Entity's compliance with the Privacy Rule or the Security Rule.
- document such disclosures of Protected Health Information and information related
to such disclosures as would be required for Covered Entity to respond to a request
by an Individual for an accounting of disclosures of Protected Health Information
in accordance with 45 CFR § 164.528 (Accounting of disclosures of Protected Health
Information). For avoidance of doubt, Business Associate will document and make
available to you the information required to provide an accounting of disclosures
in accordance with 45 CFR § 164.528 of which Business Associate is aware if requested
by the Covered Entity. Because Business Associate cannot readily identify which
Individuals are identified or what types of Protected Health Information are included
in a Covered Entity’s accounts, Covered Entity will be solely responsible for identifying
which Individuals, if any, any have been included in Covered Entity data that may
have been disclosed and for providing a brief description of the Protected Health
- provide to Covered Entity, at a time and in a manner agreed by the parties, information
collected in accordance with Section 2(i) of this BA Agreement to permit Covered
Entity to respond to a request by an Individual for an accounting of disclosures
of Protected Health Information in accordance with 45 CFR § 164.528.
3. Permitted Uses and Disclosures by Business Associate.
- General Use and Disclosure Provisions. Subject to the terms of this BA Agreement,
Business Associate may use or disclose Protected Health Information to perform the
functions, activities, services for, or on behalf of, Covered Entity, provided that
such use or disclosure would not violate the Privacy Rule if done by Covered Entity.
- Specific Use and Disclosure Provisions. Business Associate may use or disclose Protected
Health Information for the proper management and administration of Business Associate
(such as for the purposes of quality improvement and product or service testing,
support; and system maintenance); provided that, Business Associate shall disclose
such Protected Health Information only: (i) as Required by Law or (ii) to persons
from which Business Associate obtains reasonable assurances that it will remain
confidential and used or further disclosed only as Required by Law or for the purpose
for which it was disclosed, and the person shall notify Business Associate of any
instances of which it is aware in which the confidentiality of the information has
- Report Violations of Law. Business Associate may use Protected Health Information
to report violations of law appropriate to Federal and State authorities consistent
with 45 CFR § 164.502 (j)(1).
4. Obligations of Covered Entity. Covered Entity agrees that it:
- has included, and will include, in the Covered Entity’s Notice of Privacy Practices
required by the Privacy Rule, a provision stating that the Covered Entity may disclose
Protected Health Information for health care operations and payment purposes. Upon
request, Covered Entity will provide Business Associate with a copy of Covered Entity’s
Notice of Privacy Practices, as well as any changes to such Notice.
- has provided to Business Associate notice of any limitations in Covered Entity’s
Privacy Practices to the extent such limitations may affect Business Associate’s
performance of services for Covered Entity or use or disclosure of Protected Health
- will provide, upon the reasonable request of Business Associate, copies of any consent,
authorization, acknowledgment or permission by an Individual to use or disclose
Protected Health Information which may affect Business Associate’s performance of
services for Covered Entity or use or disclosure of Protected Health Information.
- has obtained, and will obtain, from Individuals consents, authorizations and other
permissions (if any) necessary or required by laws applicable to Covered Entity
for Business Associate and Covered Entity to fulfill their respective obligations
and under this BA Agreement.
- will provide in writing Business Associate with any changes in, or revocation of,
permission by an Individual to use or disclose Protected Health Information, if
such changes affect Business Associate's performance of services for Covered entity
or use or disclosure of Protected Health Information.
- will, upon request of Business Associate, notify Business Associate of the name
of and contact information for the privacy official designated by Covered Entity
in accordance with 45 CFR § 164.530.
5. Permissible Requests by Covered Entity
Covered Entity shall not request Business Associate to use or disclose Protected
Health Information in any manner that would not be permissible under the Privacy
Rule if done by Covered Entity, except as set forth in Section 3(b) above.
6. Term and Termination
- Term: Covered Entity shall have the right to terminate this BA Agreement upon any
material breach of this BA Agreement; provided, however, that prior to any such
termination, Covered Entity shall provide Business Associate with notice of the
existence of an alleged material breach and provide Business Associate an opportunity
to cure the alleged material breach. In the event Business Associate fails to cure
the material breach within thirty (30) days of receipt of written notice, Covered
Entity may thereafter immediately terminate this BA Agreement.
- Effect of Termination:(i)Except as provided in paragraph (ii) of this section, upon
termination of this BA Agreement for any reason, Business Associate shall return
or destroy all Protected Health Information received from Covered Entity, or created
or received by Business Associate on behalf of Covered Entity, or convert such Protected
Health Information to a de-identified format consistent with the Privacy Rule. This
provision shall also apply to Protected Health Information that is in the possession
of subcontractors or agents of Business Associate. Business Associate shall retain
no copies of the Protected Health Information. (ii) In the event that Business Associate
determines that returning or destroying the Protected Health Information is infeasible,
Business Associate shall provide to Covered Entity notification of the conditions
that make return or destruction infeasible. Business Associate shall extend the
protections of the BA Agreement to such Protected Health Information and limit further
uses and disclosures of such Protected Health Information to those purposes that
make the return or destruction infeasible, for so long as Business Associate maintains
such Protected Health Information. The parties agree that to the extent that Business
Associate is Required by Law to maintain copies of Protected Health Information,
return of such Protected Health Information shall be deemed infeasible and Business
Associate shall have the right to retain such Protected Health Information as Required
by Law; provided, however, that Business Associate shall only use or disclose such
Protected Health Information for the purposes of and as Required by Law. The respective
rights and obligations of Business Associate under Section 6 of this BA Agreement
shall survive the termination of this BA Agreement.
- Regulatory References. A reference in this BA Agreement to a section in the Privacy
Rule or the Security Rule means the section as in effect or as amended, and for
which compliance is required.
- Amendment. Episode Alert shall update this BA Agreement from time to time as is
necessary for Covered Entity or Business Associate, as applicable, to comply with
the requirements of HIPAA, the Privacy Rule, the Security Rule, or the HITECH Act.
- Interpretation. Any ambiguity in this BA Agreement shall be resolved in favor of
a meaning that permits Covered Entity or Business Associate, as applicable, to comply
with HIPAA, the Privacy Rule, the Security Rule or the HITECH Act.
- No Beneficiary. There are no third party beneficiaries to this BA Agreement, including
but not limited to any Individuals who are subject of the Protected Health Information.
- Integration. To Principal: made effective by Principal signing up at www.epsiodealert.com
- This BA addendum is part of the complete agreement between the parties relating
to obligations under HIPAA, the Privacy Rule, the Security Rule and the HITECH Act.