Altimate Medical, Inc. Business Associate Agreement


This BUSINESS ASSOCIATE AGREEMENT (“Agreement”) is made and entered into by and between (hereinafter “Provider” or “Covered Entity”) and Altimate Medical, Inc. (hereinafter “Business Associate”) and shall apply if Provider is a “Covered Entity” as defined at 45 C.F.R. § 160.103. The Agreement is made to ensure that the parties satisfy the requirements of the final regulations issued by the U.S. Department of Health and Human Services (“DHHS”) pursuant to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the Health Information Technology for Economic and Clinical Health Act of 2009 (“HITECH”), governing the privacy of individually identifiable health information obtained, created or maintained by certain entities, including health care providers (the “Privacy Standards”), and the security of electronic Protected Health Information collected, maintained, used, or transmitted by certain entities, including health care providers (the “Security Standards”). Business Associate and Covered Entity may be referred to individually herein as a “Party” and, collectively, the “Parties.”
RECITALS
WHEREAS, subject to and in accordance with the generally applicable website Terms of Use and Privacy Policy, available at www.easystand.com/privacy, Business Associate provides Covered Entity with access to a web-based application that permits Covered Entity to generate a letter of medical necessity in connection with ordering product manufactured by Business Associate and distributed and sold by independent dealers-distributors (the “LMN Application”) and, in connection with access to and use of the LMN Application, Covered Entity discloses to Business Associate certain information (“Protected Health Information” or “PHI”) that is subject to protection under HIPAA and HITECH; and
WHEREAS, Business Associate, as a recipient of PHI from Covered Entity through the LMN Application, is a “Business Associate” as that term is defined in HIPAA and regulations promulgated by DHHS to implement certain provisions of HIPAA (“HIPAA Regulations”); and
WHEREAS, the purpose of this Agreement is to satisfy the requirements of the HIPAA Regulations including, but not limited to, 45 C.F.R. §§ 164.502(e), 164.504(e), 164.308(b) and 164.314(a), as the same may be amended from time to time;
NOW, THEREFORE, the Parties do hereby agree to the terms as set forth below.
AGREEMENTS
1. Effect. The terms and provisions of this Agreement shall supersede any other conflicting or inconsistent terms and provisions with respect to information that constitutes Protected Health Information under HIPAA that is transmitted, accessed or maintained by Business Associate.
2. Definitions.
(a) All terms used, but not otherwise defined, in this Agreement shall have the same meaning as the respective terms in 45 C.F.R. §§ 160.103, 164.103, 164.304, 164.402 and 164.501.
(b) “Protected Health Information” or “PHI” shall have the same meaning set forth in 45 C.F.R. § 160.103, limited to the PHI received by Business Associate from Covered Entity through the LMN Application.
3. Obligations and Activities of Business Associate.
(a) Business Associate agrees to not use or further disclose PHI other than as required by law, or as permitted or required by this Agreement.

(b) Business Associate agrees to use appropriate safeguards, and comply, where applicable with Subpart C of 45 C.F.R. Part 164 with respect to electronic protected health information, to prevent use or disclosure of the PHI other than as provided for by this Agreement.

(c) Business Associate agrees to report to Covered Entity any use or disclosure of PHI not provided for by this Agreement of which it becomes aware, including Breaches of Unsecured PHI as required at 45 C.F.R § 164.410, and any Security Incident of which it becomes aware. The Parties acknowledge and agree that this section constitutes notice by Business Associate to Covered Entity of the ongoing existence and occurrence of attempted but Unsuccessful Security Incidents (as defined below) for which no additional notice to Covered Entity shall be required. “Unsuccessful Security Incidents” shall include, but not be limited to, pings and other broadcast attacks on Business Associate’s firewall, port scans, unsuccessful log-on attempts, denials of service and any combination of the above, so long as no such incident results in unauthorized access, use or disclosure of PHI.

(d) In the event of a Breach of any Unsecured PHI that Business Associate accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds or uses on behalf of Covered Entity, Business Associate shall provide notice of such Breach to Covered Entity immediately, but in any event not more than fifteen (15) days after discovering the Breach.
Notice of a Breach shall include, at a minimum: (i) the identification of each individual who’s PHI has been, or is reasonably believed to have been, accessed, acquired, or disclosed during the Breach, (ii) the date of the Breach, if known, (iii) the scope of the Breach, and (iv) a description of the Business Associate’s response to the Breach.
In the event of a Breach, Business Associate shall, in consultation with Covered Entity, mitigate, to the extent practicable, any harmful effect of such Breach that is known to Business Associate.
(e) Business Associate agrees to ensure that any agents and subcontractors that create, receive, maintain, or transmit PHI on behalf of Business Associate agree to the same restrictions, conditions, and requirements that apply to Business Associate with respect to such information.

(f) Business Associate agrees to make its internal practices, books, and records available to the Secretary of DHHS for purposes of determining compliance with the HIPAA Regulations.

(g) Business Associate agrees to maintain and make available to Covered Entity, within thirty (30) business days following a written request, information necessary to permit Covered Entity to respond to a request by an individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528.

(h) If Business Associate maintains information in a Designated Record Set, it agrees to make available to Covered Entity, within thirty (30) business days following a written request, PHI in such Designated Record Set, in order for Covered Entity to respond to individuals’ requests for access to information about them in accordance with 45 C.F.R § 164.524. If Business Associate maintains, on behalf of Covered Entity, information in an electronic Designated Record Set, Business Associate shall provide such information in the electronic format to Covered Entity upon request, or, if directed by the Covered Entity, directly to a requesting individual. This provision shall not affect Business Associate’s continuing obligation to provide information in other formats as set forth herein.

(i) If Business Associate maintains information in a Designated Record Set, it agrees to make any amendments or corrections to PHI in such Designated Record Set within thirty (30) business days following a written request by the Covered Entity in accordance with 45 C.F.R. § 164.526.

(j) To the extent Business Associate is to carry out one or more of Covered Entity’s obligations under Subpart E of 45 C.F.R. Part 164, Business Associate agrees to comply with the requirements of Subpart E that apply to Covered Entity in the performance of such obligations.
4. Permitted Uses and Disclosures by Business Associate.
i. Business Associate may use or disclose PHI as necessary to host and provide the LMN Application.

ii. Business Associate may use or disclose PHI as required by law.

iii. Business Associate agrees to make uses and disclosures and requests for PHI subject to the minimum necessary requirements set forth in the Privacy Standards.

iv. Business Associate may not use or disclose PHI in a manner that would violate Subpart E of 45 C.F.R. Part 164 if done by Covered Entity, except for the specific uses and disclosures set forth below.

v. Except as otherwise limited in this Agreement, Business Associate may use PHI for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate.

vi. Except as otherwise limited in this Agreement, Business Associate may disclose PHI for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate, provided that disclosures are required by law, or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as required by law or for the purpose for which it was disclosed to the person, and the person notifies Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.

vii. Business Associate may provide data aggregation services related to the health care operations of Covered Entity.

viii. Business Associate may de-identify PHI it receives from Covered Entity in accordance with 45 C.F.R. § 164.514, which de-identified data and any derivative works from such data shall be owned by Business Associate, in all forms and media worldwide, and may be used by Business Associate for any lawful purpose.
5. Obligations of Covered Entity.
(a) Covered Entity shall provide Business Associate notice of any limitation(s) in the notice of privacy practices of Covered Entity in accordance with 45 C.F.R. § 164.520, to the extent that such limitation may affect Business Associate’s use or disclosure of PHI.

(b) Covered Entity shall notify Business Associate of any changes in, or revocation of, permission by Individual to use or disclose PHI, to the extent that such changes may affect Business Associate’s uses and disclosures of PHI.

(c) Covered Entity shall notify Business Associate of any restriction to the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 C.F.R. § 164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of PHI.
6. Term and Termination.
(a) Term. This Agreement shall be effective as of the date of Provider’s electronic signature (the “Effective Date”), and shall terminate when all of the PHI provided by Covered Entity to Business Associate, or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity, or, if it is infeasible to return or destroy PHI, including when it is not advisable to do so in order to protect the legal interests of Covered Entity or Business Associate, protections are extended to such information, in accordance with the termination provisions in this Section 6.

(b) Termination by Covered Entity. Business Associate authorizes termination of this Agreement by Covered Entity, if Covered Entity determines Business Associate has violated a material term of the Agreement and Business Associate has not cured the breach or ended the violation within the time reasonably specified by Covered Entity.

(c) Effect of Termination. Upon termination of the Agreement for any reason, Business Associate, with respect to PHI received from Covered Entity, or created, maintained, or received by Business Associate on behalf of Covered Entity, shall:

(i) Retain only that PHI which is necessary for Business Associate to continue its proper management and administration or to carry out its legal responsibilities.

(ii) Destroy the remaining PHI that Business Associate still maintains in any form.

(iii) Continue to use appropriate safeguards and comply with Subpart C of 45 C.F.R. Part 164 with respect to electronic PHI to prevent use or disclosure of the PHI, other than as provided for in this Agreement, for as long as Business Associate retains the PHI.

(iv) Not use or disclose the PHI retained by Business Associate other than for the purposes for which such PHI was retained and subject to the same conditions set out at Section 3 of this Agreement, which applied prior to termination.

(v) Destroy the PHI retained by Business Associate when it is no longer needed by Business Associate for its proper management and administration or to carry out its legal responsibilities.

(d) Survival. The obligations of Business Associate under Section 6(c) shall survive the termination of this Agreement.
7. Miscellaneous.
(a) Regulatory References. A reference in this Agreement to a section in the HIPAA Regulations means the section as in effect or as amended, and for which compliance is required.

(b) Amendment. The Parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary to comply with the requirements of the HIPAA Regulations and any other applicable law.

(c) Interpretation. Any ambiguity in this Agreement shall be interpreted to permit compliance with the HIPAA Regulations and any other applicable law.

(d) Authority. Each person signing this Agreement represents and warrants that he or she has the full right, power and authority to enter into this Agreement and to perform its obligations hereunder and that this Agreement constitutes the legal, valid and binding obligations of the Parties, enforceable in accordance with its terms.

Accepted and Agreed:

Leave this empty:

Signed by Todd Tholkes, CEO
Signed On: March 1, 2018

Signature Certificate
Document name: Altimate Medical, Inc. Business Associate Agreement
Unique Document ID: 619fb57ed9f7460f5b8c8193545af03a65260285
Timestamp Audit
March 25, 2016 10:52 am CDTAltimate Medical, Inc. Business Associate Agreement Uploaded by Todd Tholkes, CEO - lmnadmin@easystand.com IP 63.142.32.10