Business Associate Agreement
Preamble
This Business Associate Agreement ("Agreement") is entered into between Parental Care Guide ("Business Associate") and the professional practitioner creating an account ("Covered Entity" or "Practitioner"), collectively referred to as the "Parties."
The Parties wish to enter into this Agreement to comply with the requirements of the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), the Health Information Technology for Economic and Clinical Health Act ("HITECH"), and their implementing regulations, including the HIPAA Privacy Rule (45 C.F.R. Parts 160 and 164, Subparts A and E) and the HIPAA Security Rule (45 C.F.R. Parts 160 and 164, Subparts A and C).
I. Definitions
- Business Associate
- Parental Care Guide, a technology platform that creates, receives, maintains, or transmits Protected Health Information on behalf of a Covered Entity.
- Covered Entity
- The professional practitioner (Geriatric Care Manager, Elder Law Attorney, Social Worker, Financial Planner, or similar) who has entered into this Agreement by creating a practitioner account on the Platform.
- Protected Health Information (PHI)
- Information that relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual, and that identifies the individual or for which there is a reasonable basis to believe can be used to identify the individual. PHI includes electronic PHI (ePHI).
- Services
- The care coordination, care planning, medication tracking, document management, family communication, and related technology services provided by the Platform to the Covered Entity.
- Platform
- The Parental Care Guide software application accessible at parentalcareguide.com and associated APIs and services.
- Breach
- The acquisition, access, use, or disclosure of PHI in a manner not permitted by the HIPAA Privacy Rule that compromises the security or privacy of such information, as defined under 45 C.F.R. § 164.402.
- Security Incident
- The attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system, as defined under 45 C.F.R. § 164.304.
II. Obligations of the Business Associate
A. Permitted Uses and Disclosures
The Business Associate agrees to:
- Not use or disclose PHI other than as permitted or required by this Agreement or as required by law.
- Use appropriate safeguards and comply with the HIPAA Security Rule with respect to electronic PHI, to prevent use or disclosure of PHI other than as provided for by this Agreement.
- Report to the Covered Entity any use or disclosure of PHI not provided for by this Agreement of which it becomes aware, including breaches of unsecured PHI as required by 45 C.F.R. § 164.410, and any Security Incidents of which it becomes aware.
- In accordance with 45 C.F.R. §§ 164.502(e)(1)(ii) and 164.308(b)(2), ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of the Business Associate agree to the same restrictions, conditions, and requirements that apply to the Business Associate with respect to such information.
- Make available PHI in a designated record set to the Covered Entity as necessary to satisfy the Covered Entity's obligations under 45 C.F.R. § 164.524.
- Make any amendment(s) to PHI in a designated record set as directed or agreed to by the Covered Entity pursuant to 45 C.F.R. § 164.526, or take other measures as necessary to satisfy the Covered Entity's obligations under 45 C.F.R. § 164.526.
- Maintain and make available the information required to provide an accounting of disclosures to the Covered Entity as necessary to satisfy the Covered Entity's obligations under 45 C.F.R. § 164.528.
- To the extent the Business Associate is to carry out one or more of the Covered Entity's obligation(s) under Subpart E of 45 C.F.R. Part 164, comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation(s).
- Make its internal practices, books, and records available to the Secretary of the U.S. Department of Health and Human Services for purposes of determining compliance with the HIPAA Rules.
B. Minimum Necessary
The Business Associate shall, to the extent practicable, use, disclose, and request only the minimum amount of PHI necessary to accomplish the intended purpose of the use, disclosure, or request.
C. Safeguards
The Business Associate shall implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of electronic PHI that it creates, receives, maintains, or transmits on behalf of the Covered Entity, in accordance with 45 C.F.R. Part 164, Subpart C.
III. Permitted Uses and Disclosures by Business Associate
A. General Use and Disclosure
Except as otherwise limited in this Agreement, the Business Associate may use or disclose PHI to perform functions, activities, or services for, or on behalf of, the Covered Entity as specified in this Agreement, provided that such use or disclosure would not violate the HIPAA Privacy Rule if done by the Covered Entity.
B. Specific Use and Disclosure Provisions
- The Business Associate may use PHI for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate.
- The Business Associate may disclose PHI for the proper management and administration of the Business Associate, provided that the disclosure is required by law, or the Business Associate obtains reasonable assurances from the person to whom the information is disclosed that the information will remain confidential and will be used or further disclosed only as required by law or for the purpose for which it was disclosed to that person, and that the person will notify the Business Associate of any instance of which it is aware in which the confidentiality of the information has been breached.
- The Business Associate may use PHI to provide Data Aggregation services to the Covered Entity as permitted by 45 C.F.R. § 164.504(e)(2)(i)(B).
- The Business Associate may use PHI to report violations of law to appropriate Federal and State authorities, consistent with 45 C.F.R. § 164.502(j)(1).
IV. Obligations of the Covered Entity
The Covered Entity agrees to:
- Notify the Business Associate of any limitation(s) in the Covered Entity's Notice of Privacy Practices, to the extent that such limitation may affect the Business Associate's use or disclosure of PHI.
- Notify the Business Associate of any changes in, or revocation of, permission by an individual to use or disclose PHI, to the extent that such changes may affect the Business Associate's use or disclosure of PHI.
- Notify the Business Associate of any restriction on the use or disclosure of PHI that the Covered Entity has agreed to or is required to abide by under 45 C.F.R. § 164.522, to the extent that such restriction may affect the Business Associate's use or disclosure of PHI.
- Not request the Business Associate to use or disclose PHI in any manner that would not be permissible under the HIPAA Privacy Rule if done by the Covered Entity.
- Ensure that any PHI entered into the Platform has been obtained lawfully and with appropriate patient authorization as required under applicable law.
- Be solely responsible for obtaining any required patient authorizations, consents, or notices prior to entering PHI into the Platform.
V. Breach Notification
The Business Associate shall notify the Covered Entity of any Breach of Unsecured PHI (PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through a technology or methodology specified by the Secretary, as defined under 45 C.F.R. § 164.402) without unreasonable delay and in no case later than 60 calendar days following discovery, as required by 45 C.F.R. § 164.410. A Breach is treated as discovered by the Business Associate as of the first day on which it is known to the Business Associate or, by exercising reasonable diligence, would have been known to the Business Associate. Notification shall include, to the extent possible:
- The identification of each individual whose unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed during the Breach;
- A brief description of what happened, including the date of the Breach and the date of discovery of the Breach;
- A description of the types of unsecured PHI involved in the Breach;
- Any steps individuals should take to protect themselves from potential harm resulting from the Breach;
- A brief description of what the Business Associate is doing to investigate the Breach, mitigate harm, and protect against further Breaches; and
- Contact procedures for individuals to ask questions or obtain additional information.
VI. Term and Termination
A. Term
This Agreement shall be effective as of the date the Covered Entity creates a practitioner account on the Platform and shall terminate when all PHI provided by the Covered Entity to the Business Associate is destroyed or returned to the Covered Entity, or, if it is infeasible to return or destroy PHI, protections are extended to such information in accordance with the termination provisions in Section VI.C.
B. Termination for Cause
Upon either Party's knowledge of a material breach by the other Party, the non-breaching Party shall provide an opportunity for the breaching Party to cure the breach or end the violation. If the breaching Party does not cure the breach or end the violation within a reasonable time period, or if cure is not possible, the non-breaching Party may terminate this Agreement and the Covered Entity's access to the Platform.
C. Effect of Termination
- Upon termination of this Agreement for any reason, the Business Associate shall return or destroy all PHI received from the Covered Entity, or created, received, or maintained by the Business Associate on behalf of the Covered Entity, that the Business Associate still maintains in any form. The Business Associate shall retain no copies of the PHI. This obligation also applies to PHI in the possession of the Business Associate's subcontractors or agents.
- If the Business Associate determines that returning or destroying the PHI is infeasible, the Business Associate shall provide notification to the Covered Entity of the conditions that make return or destruction infeasible. Upon notification, the Business Associate shall extend the protections of this Agreement to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as the Business Associate maintains such PHI.
VII. Miscellaneous
A. Regulatory References
A reference in this Agreement to a section in the HIPAA Rules means the section as in effect or as amended, and for which compliance is required.
B. Amendment
The Parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for compliance with the requirements of the HIPAA Rules and any other applicable law.
C. Survival
The respective rights and obligations of the Business Associate under Section VI.C of this Agreement shall survive the termination of this Agreement.
D. Interpretation
Any ambiguity in this Agreement shall be resolved to permit the Parties to comply with the HIPAA Rules. The Parties agree that any inconsistency between the provisions of this Agreement and the HIPAA Rules shall be resolved in favor of the HIPAA Rules.
E. Governing Law
This Agreement shall be governed by and construed in accordance with applicable federal law, including HIPAA and HITECH, and the laws of the State in which the Covered Entity is licensed to practice.
F. Entire Agreement
This Agreement constitutes the entire agreement between the Parties with respect to the subject matter hereof and supersedes all prior negotiations, representations, warranties, and understandings of the Parties with respect to the subject matter hereof.
Business Associate
Covered Entity (Practitioner)
Adapted from the U.S. Department of Health & Human Services model Business Associate Agreement. Source: U.S. Department of Health & Human Services, Office for Civil Rights. This document does not constitute legal advice. Parental Care Guide recommends consulting a qualified healthcare attorney prior to handling protected health information in a production environment.