Business Associate Agreement

WHEREAS, Covered Entity (you, the client) and CareFlo have or are entering into a Service Agreement pursuant to which CareFlo will provide services for Covered Entity that require CareFlo to access various types of information including but not limited to health information that is protected by state and/or federal law;

WHEREAS, CareFlo and Covered Entity desire that CareFlo obtain access to such information in accordance with the terms specified herein;

NOW THEREFORE, in consideration of the mutual promises set forth in this BAA and other good and valuable consideration, the sufficiency and receipt of which are hereby severally acknowledged, the parties agree as follows:

1. Obligations. CareFlo may receive from Covered Entity health information that is protected under applicable state and/or federal law, including without limitation, protected health information (“PHI”) as defined in the regulations at 45 C.F.R. Parts 160 and 164 (the “Privacy Standards”) promulgated pursuant to the Health Insurance Portability and Accountability Act of 1996 (“HIPPA”). All capitalized terms not otherwise defined in this BAA shall have the meanings set forth in the Privacy Standards. CareFlo agrees not to use or disclose (or permit the use or disclosure of) PHI in a manner that would violate the requirements of the Privacy Standards if the PHI were used or disclosed to Covered Entity in the same manner. CareFlo shall use appropriate safeguards to prevent the use or disclosure of PHI other than as expressly permitted under this BAA. 

1.1. In the event CareFlo creates, receives, maintains, or otherwise is exposed to personally identifiable or aggregate patient or other medical information defined as Protected Health Information ("PHI") in the Health Insurance Portability and Accountability Act of 1996 or its relevant regulations ("HIPAA") and otherwise meets the definition of CareFlo as defined in the HIPAA Privacy Standards (45 CFR Parts 160 and 164), CareFlo shall: (a) Recognize that HITECH (the Health Information Technology for Economic and Clinical Health Act of 2009) and the regulations thereunder (including 45 C.F.R. Sections 164.308, 164.310, 164.312, and 164.316), apply to a business associate of a covered entity in the same manner that such sections apply to the covered entity; (b) Not use or further disclose the PHI, except as permitted by law; (c) Not use or further disclose the PHI in a manner that had the Covered Entity done so, would violate the requirements of HIPAA; (d) Use appropriate safeguards (including implementing administrative, physical, and technical safeguards for electronic PHI) to protect the confidentiality, integrity, and availability of and to prevent the use or disclosure of the PHI other than as provided for by this BAA; (e) Comply with each applicable requirements of 45 C.F.R. Part 162 if CareFlo conducts Standard Transactions for or on behalf of the Covered Entity; (f) Report promptly to the Covered Entity any security incident or other use or disclosure of PHI not provided for by this BAA of which CareFlo becomes aware; (g) Ensure that any subcontractors or agents who receive or are exposed to PHI (whether in electronic or other format) are explained CareFlo’s obligations under this paragraph and agree to the same restrictions and conditions; (h) Make available PHI in accordance with the individual’s rights as required under the HIPAA regulations; (i) Account for PHI disclosures for up to the past six (6) years as requested by the Covered Entity, which shall include: (i) dates of disclosure, (ii) names of the entities or persons who received the PHI, (iii) a brief description of the PHI disclosed, and (iv) a brief statement of the purpose and basis of such disclosure; (j) Make its internal practices, books, and records that relate to the use and disclosure of PHI available to the U.S. Secretary of Health and Human Services for purposes of determining CareFlo’s compliance with HIPAA; and (k) Incorporate any amendments or corrections to PHI when notified by Customer or enter into a Business Associate Agreement or other necessary Agreements to comply with HIPAA.

2. Disclosure of PHI. CareFlo may disclose PHI as necessary to perform its obligations under the Business Arrangement and as permitted by law, provided that CareFlo shall in such case: (a) obtain reasonable assurances from any person to whom the information is disclosed that it will be held confidential and further used and disclosed only as required by laws or for the purpose for which it was disclosed to the person or entity; (b) agree to immediately notify Covered Entity of any instances of which it is aware that PHI is being used or disclosed for a purpose that is not otherwise provided for in this BAA or for a purpose not expressly permitted by the Privacy Standards; and (c) ensure that all disclosures of PHI are subject to the principal of “minimum necessary use and disclosure” i.e. only the minimum PHI that is necessary to accomplish the intended purpose may be disclosed. If CareFlo discloses PHI received from the Covered Entity, or created or received by CareFlo on behalf of Covered Entity, to agents, including a subcontractor (collectively, “Recipients”), CareFlo shall require Recipients to agree in writing to the same restrictions and conditions that apply to CareFlo under this BAA. CareFlo shall report to Covered Entity any use or disclosure of PHI not permitted by this BAA, or which it becomes aware, such report to be made within five (5) days of CareFlo becoming aware of such use or disclosure.

3. Use of PHI. CareFlo may use PHI solely for Covered Entity’s benefit and only (i) for the purpose of performing services for Covered Entity as such services are defined in the Service Agreement, and (ii) as necessary for the proper management and administration of CareFlo to carry out its legal responsibilities, provided that such uses are permitted under federal and state law. Covered Entity shall retain all rights in the PHI not granted herein. 

4. Accounting Disclosures. CareFlo shall make available to Covered Entity in response to a request from an individual, information required for an accounting of disclosures of PHI with respect to the individual, in accordance with 45 CFR § 164.528, as it may be amended from time to time, incorporating exceptions to such accounting designated under the regulation. Such accounting is limited to disclosures that were made in the six (6) years prior to the request and shall not include any disclosures that were made prior to the compliance date of the Privacy Standards, April 14, 2003. CareFlo shall provide such information necessary to provide an accounting within thirty (30) days of Covered Entity’s request. Such accounting must be provided without costs to the individual or to Covered Entity if it is the first accounting requested by an individual within any twelve (12) month period; however, a reasonable, cost-based fee may be charged for subsequent accountings if CareFlo informs the Covered Entity and the Covered Entity informs the individual in advance of the fee, and the individual is afforded an opportunity to withdraw or modify the request. Such accounting shall be provided as long as CareFlo maintains PHI.

5. Withdrawal of Consent or Authorization. If the use of disclosure of PHI in this BAA is based upon an individual’s specific consent or authorization for the use of his or her PHI, and (i) the individual revokes such consent or authorization in writing, (ii) the effective date of such authorization has expired, (iii) the consent or authorization is found to be defective in any manner that renders it invalid, CareFlo Agrees, if it has notice of such revocation or invalidity, to cease the use and disclosure of any such individual’s PHI except to the extent it has relied on such use or disclosure, or where an exception under the Privacy Standards expressly applies.

6. Records and Audit. CareFlo shall make available to Covered Entity and to the United States Department of Health and Human Services or its agents, its internal practices, books, and records relating to the use and disclosure of PHI received from, created, or received by CareFlo on behalf of Covered Entity for the purpose of determining Covered Entity’s compliance with the Privacy Standards or any other health oversight agency, in a time and manner designated by Covered Entity or the Secretary.

7. Notice of Privacy Practice. Covered Entity shall provide to CareFlo its Notice of Privacy Practices (“Privacy Notice”) when adopted and any amendment thereafter. Any use or disclosure permitted by this BAA may be amended by such Privacy Notice. CareFlo agrees that it will abide by the limitations of any Privacy Notice published by Covered Entity of which it has knowledge. The amended Privacy Notice shall not affect permitted uses and disclosures on which CareFlo has relied prior to the receipt of such Privacy Notice.

8. No Third Party Beneficiaries. The parties agree that the terms of this BAA shall apply only to themselves and are not for the benefit of any third-party beneficiaries.

9. De-Identified Data. Notwithstanding the provisions of this BAA, CareFlo and its subcontractors may use or disclose non-personally identifiable information provided that the disclosed information does not include a key or other mechanism that would enable the information to be identified by anyone other than Covered Entity.

10. Term and Termination

10.1. This BAA shall commence on the Effective Date and shall remain in effect until the Service Agreement has been terminated, provided, however, that any termination shall not affect the respective obligations or rights of the parties arising under this BAA prior to the effective date of termination, all of which shall continue in accordance with their terms, and provided that the effective date of Sections 4 and 5 shall be in accordance with the provisions of those sections.

10.2. Covered Entity, at its sole discretion, may immediately terminate this BAA and shall have no further obligations to CareFlo hereunder if any of the following events shall have occurred and be continuing:

(a) CareFlo shall fail to observe or perform any material covenant or agreement contained in this BAA for ten (10) days after Notice thereof has been given to CareFlo by the Covered Entity; or

(b) A violation by CareFlo of any provisions of the Privacy Standards or applicable federal or state privacy law.

10.3. Upon the termination of all Service Agreements, this BAA will also terminate.

10.4. Upon termination of this BAA for any reason, CareFlo agrees either to return to Covered Entity or to destroy all PHI received from or created on behalf of Covered Entity through the performance of services for Covered Entity, that is in the possession or control of CareFlo or its agents. In the case of information for which it is not feasible to “return or destroy,” CareFlo shall continue to comply with the covenants in this BAA with respect to such PHI and shall comply with other applicable state or federal law, which may require a specific period of retention, redaction, or other treatment. Notwithstanding anything else in this BAA, the terms of this Section 10.5 shall survive the expiration or termination of either the Service Agreement or this BAA with or without cause, in perpetuity.

10.5. Termination of this BAA shall be cause for Covered Entity to terminate any other Service Agreement according to the proper termination policy of each Service Agreement.

11. No Warranty. PHI IS PROVIDED TO CAREFLO SOLELY ON AN “AS-IS” BASIS, COVERED ENTITY DISCLAIMS ALL OTHER WARRANTIES, EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, IMPLIED WARRANTIES OF MERCHANTABILITY, AND FITNESS FOR A PARTICULAR PURPOSE.

12. Indemnification. CareFlo will indemnify, defend and hold Covered Entity and its officers, directors, employees, agents, successors and assigns harmless, from and against any and all losses, liabilities damages, costs and expenses (including reasonable attorneys’ fees) arising out of or related to any third-party claim based upon any breach of this BAA by CareFlo or similar breach by Recipients (“Claim”). If CareFlo assumes the defense of a Claim, Covered Entity shall have the right, at its expense, to participate in the defense of such Claim, and CareFlo shall not take any action with respect to such Claim without prior written consent of the Covered Entity.

14.1 Ineligible Persons. CareFlo represents and warrants to Covered Entity that CareFlo (i) is not currently excluded, debarred, or otherwise ineligible to participate in any federal health care program as defined in 42 U.S.C. Section 1320a-7b(f) (“the Federal Healthcare Programs”), (ii) has not been convicted of a criminal offense related to the provision of health care items or services and not yet been excluded debarred, or otherwise declared ineligible to participate in the Federal Healthcare Programs, and (iii) is not under investigation or otherwise aware of any circumstances which may result in CareFlo being excluded from participation in the Federal Healthcare Programs. This shall be an ongoing representation, and warranty during the term of this BAA, and CareFlo shall immediately notify Covered Entity of any change in the status of the representations and warranty set forth in this section. Any breach of this section shall give Covered Entity the right to terminate this BAA immediately for cause.