
Business Associate Agreement

This Business Associate Agreement (“Agreement”) is between PayGround, Inc. (“Business Associate”), having a primary address of 365 E. Germann Rd., Suite 280, Gilbert, AZ 85297 and the company named in an order (“Covered Entity”), into which this Agreement is incorporated.

WHEREAS, in order to comply with the requirements of the Health Insurance Portability and Accountability Act of 1996, (“HIPAA”) and the Health Information Technology for Economic and Clinical Health Act, Public Law 111-005 (“HITECH Act”), and the final regulations to such Acts that the U.S. Department of Health and Human Services (“HHS”) has promulgated and set forth in 45 CFR Parts 160, 162, and 164 (collectively, the “HIPAA Rules”), the Parties wish to enter into this Agreement; and

WHEREAS, the Parties will be entering into or have entered into an arrangement for the delivery of services, and pursuant to such arrangement, PayGround, Inc. may be considered a “Business Associate” of Covered Entity under the HIPAA Rules.  The agreement evidencing such arrangement is titled PayGround Customer Agreement and is hereby referred to as the “Services Agreement”. 

NOW, THEREFORE, in consideration of the mutual promises below and the exchange of information pursuant to this Agreement, and for other good and valuable consideration, the receipt and sufficiency of which is hereby acknowledged, and intending to be legally bound hereby, the Parties agree as follows:

Definitions

Capitalized terms used but not otherwise defined in this Agreement shall have the same meaning as those terms in the HIPAA Rules. A regulatory reference in this Agreement means the section as in effect or as amended, and for which compliance is required.

Breach: has the meaning given to such term at 45 CFR § 164.402.

Breach Notification Rule: means the final regulatory provisions set forth at 45 CFR Subtitle A, Subchapter C, Parts 160 and 164, Subparts A and D.

Business Associate: means the party identified above as Business Associate.

Covered Entity: means the party identified above as Covered Entity.

Discovery: has the meaning given to such term at Subpart D of 45 CFR Part 164.

Electronic Protected Health Information or ePHI: means “electronic protected health information” as defined in 45 CFR § 160.103 but limited to the ePHI created, received, maintained, or transmitted by Business Associate for or on behalf of Covered Entity.

Individual: has the same meaning given to such term at 45 CFR § 160.103, as well as a person who qualifies as a personal representative in accordance with the HIPAA Rules.

Privacy Rule: means final regulatory Standards for Privacy set forth at 45 CFR Parts 160 and 164, Subparts A and E, as amended from time to time.

Protected Health Information or PHI: has the same meaning as “protected health information” in 45 CFR § 160.103, but limited to the information used, disclosed, created, received, maintained, or transmitted by Business Associate for or on behalf of Covered Entity.

Secretary:  means the Secretary of the Department of Health and Human Services and his or her designee.

Security Rule: means final regulatory provisions set forth at 45 CFR Parts 160 and 164, Subparts A and C.

Obligations and Activities of Business Associate

  1. Business Associate agrees not to use or disclose PHI other than as necessary to render Services, as permitted or required by this Agreement, or as Required by Law.
  2. Business Associate agrees to use appropriate safeguards and comply, where applicable, with the Security Rule with respect to ePHI to prevent use or disclosure of the information other than as provided for by this Agreement.
  3. Business Associate agrees to report to Covered Entity any use or disclosure of PHI that is not permitted by this Agreement, including but not limited to any successful Security Incident and any Breach of Unsecured PHI. The parties agree that this Section II(C) satisfies any notices necessary by Business Associate to Covered Entity of the ongoing existence and occurrence of Unsuccessful Security Incidents for which no additional notice to Covered Entity shall be required. For purposes of this Agreement, such Unsuccessful Security Incidents include activity such as pings and other broadcast attacks on Business Associate’s firewall, port scans, unsuccessful log-on attempts, denial of service and any combination of the above, so long as no such Unsuccessful Security Incident results in unauthorized access, use, disclosure, modification or destruction of PHI or interference with information system operations.
  4. Business Associate agrees to ensure that any Subcontractors that create, receive, maintain or transmit PHI for or on behalf of Business Associate agree in writing to comply with the Security Rule and the same restrictions and conditions that apply through this Agreement to Business Associate.
  5. Upon request by the Secretary, Business Associate agrees to make available to the Secretary the Business Associate’s documented internal practices, books and records, including policies and procedures relating to the use and disclosure of PHI created, received, maintained or transmitted by Business Associate for or on behalf of Covered Entity for use by the Secretary in determining whether Covered Entity or Business Associate is in compliance with the HIPAA Rules. 
  6. Business Associate agrees to document any disclosures of PHI and to provide to Covered Entity, or to an Individual at Covered Entity’s direction, within a reasonable time and in a reasonable manner, information related to such disclosures as necessary for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 CFR § 164.528. Business Associate shall not be obligated to respond to an individual’s request for an accounting of disclosures of PHI that is made by the individual directly to Business Associate.
  7. Business Associate agrees to provide to Covered Entity, or to an Individual at Covered Entity’s direction, all PHI that is part of a Designated Record Set as necessary for Covered Entity to respond to an Individual’s request for access to PHI pursuant to 45 CFR § 164.524. If PHI subject to this paragraph is maintained electronically, Business Associate will provide the PHI in the requested electronic form and format, if it is readily producible in such form and format; if the PHI is not readily producible by Business Associate in the requested form and format, Business Associate will provide the PHI to Covered Entity in a readable electronic form as agreed by Covered Entity and Business Associate.
  8. Upon written instructions from Covered Entity, Business Associate agrees to incorporate any amendment to PHI that is part of a Designated Record Set agreed to by Covered Entity pursuant to 45 CFR § 164.526.
  9. Subject to Business Associate’s needs in order to provide Services, or any legally enforceable requirement to use or disclose PHI, Business Associate agrees to honor any restriction on use or disclosure of PHI or request for confidential communications as agreed to by Covered Entity pursuant to 45 CFR § 164.522. 
  10. Business Associate agrees to report to Covered Entity any Breach of Unsecured PHI as required by the Breach Notification Rule. Business Associate is under no other obligation to make any report of a Breach of Unsecured PHI, including to any individual, government agency, or the media.
  11. Business Associate agrees that as of the compliance date of any amendments to the HIPAA Rules, it will conform its practices to comply with amended requirements applicable to Business Associate.
  12. To the extent that Business Associate is to carry out any of Covered Entity’s obligations under the Privacy Rule, Business Associate will comply with the requirements of the Privacy Rule that would apply to Covered Entity in the performance of such obligations.

Permitted Uses and Disclosures by Business Associate

  1. Except as otherwise permitted or limited by this Agreement, Business Associate may use or disclose PHI to render Services to or on behalf of Covered Entity, provided that such use or disclosure would not violate the HIPAA Rules if made by Covered Entity.
  2. Business Associate may use PHI for the proper management and administration of Business Associate and to carry out the legal responsibilities of Business Associate.
  3. Business Associate may disclose PHI for the proper management and administration of Business Associate or to carry out Business Associate’s legal responsibilities, provided that (1) such disclosures are Required by Law, or (2) Business Associate obtains reasonable assurances from the recipient of the PHI (a) that the PHI  will remain confidential and will be used or further disclosed only as Required by Law or for the purpose for which it was disclosed to the recipient; and (b) that the recipient will notify Business Associate of any instances of which the recipient is aware in which the confidentiality of the PHI has been breached.
  4. Except as otherwise limited in this Agreement, Business Associate may use Protected Health Information to provide Data Aggregation services to Covered Entity as permitted by 45 CFR § 164.504(e)(2)(i)(B).
  5. Business Associate may de-identify health information and use or disclose such de-identified health information in connection with the Services and for other legally permissible purposes provided the de-identified health information meets the standard and implementation specifications for de-identification under 45 CFR § 164.514.
  6. Business Associate may use Protected Health Information to report violations of law to appropriate Federal and State authorities, consistent with § 164.502(j)(1).

Obligations of Covered Entity

  1. Covered Entity shall notify Business Associate of any limitations in the Covered Entity’s Notice of Privacy Practices, to the extent such limitations may affect Business Associate’s use or disclosure of PHI.
  2. Covered Entity shall notify Business Associate of any changes in, or revocation of, permission granted by any Individual to use or disclose PHI, to the extent such changes or revocations may affect Business Associate’s use or disclosure of PHI.
  3. Covered Entity shall notify Business Associate of any (1) restrictions on the use or disclosure of PHI; or (2) requests for confidential communications that Covered Entity has agreed to in accordance with 45 CFR § 164.522, to the extent such restrictions may affect Business Associate’s use or disclosure of PHI.
  4. Covered Entity must provide Business Associate only the minimum necessary amount of Protected Health Information to accomplish the intended purpose of the disclosure.

Permissible Requests by Covered Entity

Except as provided in Section III of this Agreement, Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under the HIPAA Rules if made by Covered Entity.

Term and Termination

  1. Term: This Agreement shall terminate on the earlier of (1) the date on which the Services Agreement terminates; or (2) the date of termination of this Agreement for cause or otherwise. Notwithstanding the foregoing, the protections of this Agreement will remain in place until all of the PHI is destroyed or returned to Covered Entity; or if it is infeasible to return or destroy such PHI, the protections of this Agreement will be extended to such PHI in accordance with the termination provision in Section VI.(C) of this Agreement.
  2. Termination for Cause: Upon Covered Entity’s determination that Business Associate violated a material term of this Agreement, Covered Entity shall notify Business Associate in writing of such violation and:
    1. Provide an opportunity for Business Associate to cure the violation and, if Business Associate does not cure the violation within thirty (30) calendar days after Business Associate’s receipt of such written notice, terminate this Agreement;
    2. Immediately terminate this Agreement if Business Associate has violated a material term of this Agreement and cure is not possible; or
    3. If neither termination nor cure is feasible, Covered Entity may report the violation to the Secretary.
  3. Effect of Termination:
    1. Except as provided in Section VI.(C)(2) of this Agreement, upon termination of the Agreement for any reason, Business Associate shall within thirty (30) calendar days after termination, return all PHI to Covered Entity or destroy all PHI. This provision shall also apply to PHI that is in the possession of Subcontractors of Business Associate. Business Associate shall retain no copies of the PHI.  For the avoidance of doubt, Business Associate shall not be required to return any information that has been de-identified in accordance with Section III(E) above.
    2. If Business Associate determines that returning or destroying the PHI is infeasible, Business Associate shall, within thirty (30) calendar days after termination, provide to Covered Entity written notification of the conditions that make return or destruction infeasible. If Covered Entity approves, Business Associate shall be permitted to retain a copy of such PHI, shall extend the protections of this Agreement to such PHI, and shall limit further uses and disclosures of such PHI to those purposes that make return or destruction infeasible, for so long as Business Associate retains such PHI.  The protections of this Agreement are incorporated by reference into this Section VI.(C)(2) and this Section VI.(C)(2) shall survive termination.

Miscellaneous

Regulatory References:

A reference in this Agreement to a section in the HIPAA Rules means the section as in effect or amended, if such amendment is final and the compliance date for such amendment has passed.

Amendment:

The Parties agree to negotiate in good faith to amend this Agreement from time to time as is necessary for the Parties to comply with any amendments to the HIPAA Rules. This Agreement may be amended only by a writing signed by both Business Associate and Covered Entity.

Survival:

The rights and obligations of Business Associate under Sections I, III. (B) and (C), and VI.(C)(2) of this Agreement shall survive the termination of this Agreement.

Interpretation:

If Covered Entity or Business Associate determines that there is any ambiguity in this Agreement, they shall discuss the provision(s) in question and shall attempt, in good faith, to resolve the ambiguity in a manner that permits Covered Entity to comply with the HIPAA Rules and that permits Business Associate to comply with the terms of this Agreement and to render Services.

No Third-Party Beneficiaries:

Nothing in this Agreement confers on any person other than Business Associate and Covered Entity any rights, remedies, obligations, or liabilities.

Severability:

If any provision of this Agreement is held by a court of competent jurisdiction to be illegal, invalid, or unenforceable, the remaining provisions of this Agreement shall not be affected.

Counterparts:

This Agreement may be executed in counterparts, all of which together shall constitute a single agreement and any one of which shall be deemed an original. A facsimile copy of a signed counterpart shall be treated as an original.

Waiver:

A waiver by Business Associate or Covered Entity of any requirement of this Agreement shall not be construed as a continuing waiver, a waiver of any other requirement, or a waiver of any right or remedy otherwise available.

Notices:

Any notice required by this Agreement shall be provided to the address in the preamble above to the attention of the President, via hand delivery, using a national courier service for next business day delivery, or via certified mail (return receipt requested). An address for notice may be changed by giving notice as required by this paragraph.

Independent Contractors:

Business Associate and Covered Entity are and shall remain independent contractors throughout the term of this Agreement.  Nothing in this Agreement shall be construed to create a partnership, joint venture, agency, or anything other than independent contractors for purposes of HIPAA.

Entire Agreement:

This Agreement, together with all exhibits and amendments, if applicable, constitutes the entire Agreement between the Parties with respect to the subject matter hereof and supersedes all previous written or oral understandings, agreements, Business Associate Agreements, negotiations, commitments, and any other writing and communication by or between the Parties with respect to the subject matter hereof.   In the event of any inconsistency or conflict between any provisions of this Agreement and any provisions of the Services Agreement, the provisions of this Agreement shall control in regard to HIPAA and the subject matter of this Agreement.