HIPAA Compliance
HIPAA Business Associate Agreement (“HBAA”)
These standard HIPAA Business Associate Agreement Terms and Conditions shall be incorporated into Review Master 7’s standard service agreement for Clients that are “Covered Entities” (as defined herein).
1. Definitions
Catch-all Definition:
The following terms used in this Agreement shall have the same meaning as those terms in the HIPAA Rules: Breach, Data Aggregation, Designated Record Set, Disclosure, Health Care Operations, Individual, Minimum Necessary, Notice of Privacy Practices, Protected Health Information (PHI), Required By Law, Secretary, Security Incident, Subcontractor, Unsecured Protected Health Information, and Use.
Specific Definitions:
(a) Business Associate: “Business Associate” shall generally have the same meaning as the term “business associate” at 45 CFR 160.103, and in reference to the party to this agreement, shall mean Review Master 7.
(b) Covered Entity: “Covered Entity” shall generally have the same meaning as the term “covered entity” at 45 CFR 160.103, and in reference to the party to this agreement, shall mean Review Master 7’s clients in the healthcare industry that require HIPAA compliance.
(c) HIPAA Rules: “HIPAA Rules” shall mean the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Part 160 and Part 164.
(d) Service Agreement: “Service Agreement” shall refer to the Covered Entity’s service agreement, of which the HBAA is an additional amendment of terms.
2. Obligations and Activities of Business Associate
Review Master 7 agrees to:
(a) Not use or disclose PHI other than as permitted or required by this Agreement or as required by law.
(b) Use appropriate safeguards and comply with Subpart C of 45 CFR Part 164 with respect to electronic PHI to prevent unauthorized use or disclosure.
(c) Report to the Covered Entity any use or disclosure of PHI not provided for by this Agreement, including breaches of unsecured PHI as required at 45 CFR 164.410, and any security incident of which it becomes aware.
(d) Ensure that any subcontractors creating, receiving, maintaining, or transmitting PHI on behalf of Review Master 7 agree to the same restrictions and conditions.
(e) Make PHI available to the Covered Entity as necessary to satisfy the Covered Entity’s obligations under 45 CFR 164.524.
(f) Make any amendments to PHI as directed by the Covered Entity, pursuant to 45 CFR 164.526.
(g) Maintain and provide information to the Covered Entity as required to provide an accounting of disclosures under 45 CFR 164.528.
(h) Comply with Subpart E of 45 CFR Part 164 when carrying out one or more obligations of the Covered Entity.
(i) Make internal practices, books, and records available to the Secretary of Health and Human Services to determine compliance with the HIPAA Rules.
3. Permitted Uses and Disclosures by Business Associate
(a) Review Master 7 may only use or disclose PHI as necessary to perform the services outlined in the Service Agreement.
(b) Review Master 7 may use or disclose PHI as required by law.
(c) Review Master 7 agrees to request PHI only consistent with the minimum necessary policies and procedures of the Covered Entity.
(d) Review Master 7 may not use or disclose PHI in a manner that would violate Subpart E of 45 CFR Part 164 if done by the Covered Entity.
4. Permissible Requests by Covered Entity
Covered Entity shall not request Review Master 7 to use or disclose PHI in any manner that would not be permissible under Subpart E of 45 CFR Part 164 if done by the Covered Entity. Covered Entity must ensure its use of Review Master 7’s services complies with HIPAA Rules.
5. Term and Termination
(a) Term: This Agreement will commence upon the start of the Service Agreement and co-terminate with the Service Agreement, or upon termination for cause as outlined below.
(b) Termination for Cause: Covered Entity may terminate this Agreement if it determines that Review Master 7 has violated a material term and has not cured the breach within a reasonable time.
(c) Obligations of Business Associate Upon Termination: Upon termination, Review Master 7 shall:
- Retain only the PHI necessary for management and legal responsibilities.
- Return or destroy any remaining PHI at the Covered Entity’s request.
- Continue to use safeguards for electronic PHI as required by Subpart C.
- Not use or disclose the retained PHI for anything other than legal responsibilities.
- Return or destroy the PHI when no longer needed.
(d) Survival: Obligations outlined in this section shall survive termination.
6. Miscellaneous
(a) Regulatory References: Any reference to sections in the HIPAA Rules means the section as in effect or amended.
(b) Amendment: Both parties agree to amend this Agreement as necessary for compliance with HIPAA Rules.
(c) Interpretation: Any ambiguity in this Agreement shall be interpreted to permit compliance with HIPAA Rules.