OraCore AI

Business Associate Agreement

This Business Associate Agreement ("Agreement") is entered into as of ("Effective Date") by and between:
Covered Entity
a organized under the laws of the State of
with its principal place of business at
("Covered Entity" or "CE")
Business Associate
OraCore AI, LLC
a limited liability company organized under the laws of the State of Colorado
1500 N. Grant St, Suite R, Denver, CO 80203
("Business Associate" or "BA")

Covered Entity and Business Associate are each referred to herein as a "Party" and collectively as the "Parties."

Recitals

WHEREAS, Covered Entity is a dental practice that is a "covered entity" as defined by the Health Insurance Portability and Accountability Act of 1996, as amended ("HIPAA"), and the regulations promulgated thereunder, including the Standards for Privacy of Individually Identifiable Health Information (the "Privacy Rule") and the Security Standards for the Protection of Electronic Protected Health Information (the "Security Rule") at 45 CFR Parts 160 and 164;

WHEREAS, Business Associate provides AI-powered dental scribe and clinical documentation services (the "Services") to Covered Entity pursuant to an underlying service agreement or subscription agreement between the Parties (the "Service Agreement"), and in connection with such Services, Business Associate creates, receives, maintains, or transmits Protected Health Information on behalf of Covered Entity;

WHEREAS, the Parties wish to comply with the requirements of the Health Information Technology for Economic and Clinical Health Act of 2009 ("HITECH Act"), as incorporated in the HIPAA Omnibus Rule (78 Fed. Reg. 5566, January 25, 2013), and all applicable regulations;

WHEREAS, the Parties intend to enter into this Agreement to ensure that Business Associate will appropriately safeguard Protected Health Information in accordance with HIPAA, the HITECH Act, and all applicable federal and state regulations;

NOW, THEREFORE, in consideration of the mutual promises and covenants contained herein, and for other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the Parties agree as follows:

Article I — Definitions

1.1  Capitalized terms used in this Agreement and not otherwise defined herein shall have the meanings ascribed to them under HIPAA, the HITECH Act, and their implementing regulations at 45 CFR Parts 160 and 164, as amended from time to time.

1.2  The following terms shall have the meanings set forth below:

(a) "Breach" shall have the meaning given to such term under 45 CFR § 164.402, and shall include the unauthorized acquisition, access, use, or disclosure of Protected Health Information that compromises the security or privacy of such information, except where an exception under 45 CFR § 164.402(1) applies.
(b) "Designated Record Set" shall have the meaning given to such term under 45 CFR § 164.501.
(c) "Electronic Protected Health Information" or "ePHI" shall have the meaning given to such term under 45 CFR § 160.103, limited to information that Business Associate creates, receives, maintains, or transmits on behalf of Covered Entity.
(d) "Individual" shall have the meaning given to such term under 45 CFR § 160.103 and shall include a person who qualifies as a personal representative in accordance with 45 CFR § 164.502(g).
(e) "Protected Health Information" or "PHI" shall have the meaning given to such term under 45 CFR § 160.103, limited to information that Business Associate creates, receives, maintains, or transmits on behalf of Covered Entity.
(f) "Required by Law" shall have the meaning given to such term under 45 CFR § 164.103.
(g) "Secretary" shall mean the Secretary of the United States Department of Health and Human Services or the Secretary's designee.
(h) "Security Incident" shall have the meaning given to such term under 45 CFR § 164.304.
(i) "Subcontractor" shall have the meaning given to such term under 45 CFR § 160.103, and shall include any person or entity to whom Business Associate delegates a function, activity, or service involving the creation, receipt, maintenance, or transmission of PHI.
(j) "Unsecured Protected Health Information" shall have the meaning given to such term under 45 CFR § 164.402, and shall mean PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary in guidance issued under 42 U.S.C. § 17932(h)(2).

Article II — Obligations of Business Associate

2.1 Permitted Uses and Disclosures.  Business Associate shall not use or disclose PHI other than as permitted or required by this Agreement or as Required by Law.

2.2 Safeguards.  Business Associate shall implement and maintain appropriate administrative, physical, and technical safeguards, including written policies and procedures, that reasonably and appropriately protect the confidentiality, integrity, and availability of ePHI that it creates, receives, maintains, or transmits on behalf of Covered Entity, in accordance with the Security Rule at 45 CFR Part 164, Subpart C. Business Associate shall comply with the requirements of 45 CFR §§ 164.308, 164.310, 164.312, and 164.316 with respect to ePHI, as required by the HITECH Act and the HIPAA Omnibus Rule.

2.3 Reporting of Security Incidents and Breaches.

(a) Security Incidents. Business Associate shall report to Covered Entity any Security Incident of which Business Associate becomes aware. Reports of Security Incidents that do not involve unauthorized access, use, or disclosure of PHI (e.g., unsuccessful attempts such as pings, port scans, or failed log-in attempts) may be provided in summary form on a periodic basis, as mutually agreed upon by the Parties.
(b) Breaches of Unsecured PHI. Business Associate shall report to Covered Entity any Breach of Unsecured Protected Health Information without unreasonable delay, and in no event later than sixty (60) calendar days after the discovery of such Breach. Business Associate shall be deemed to have discovered a Breach as of the first day on which such Breach is known to Business Associate or, by exercising reasonable diligence, would have been known to Business Associate. Such report shall include, to the extent reasonably available:
    (i) The identification of each Individual whose Unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed during such Breach;
    (ii) A brief description of the nature of the Breach, including the date of the Breach and the date of its discovery;
    (iii) A description of the types of Unsecured PHI involved in the Breach;
    (iv) Any steps Business Associate recommends that affected Individuals take to protect themselves from potential harm resulting from the Breach;
    (v) A description of what Business Associate is doing to investigate the Breach, to mitigate harm to affected Individuals, and to protect against further Breaches.
(c) Cooperation. Business Associate shall cooperate with Covered Entity in conducting any investigation, risk assessment, or notification obligations arising from a Breach or Security Incident, including compliance with the notification requirements set forth at 45 CFR §§ 164.404 through 164.408.

2.4 Subcontractors.  Business Associate shall ensure that any Subcontractor that creates, receives, maintains, or transmits PHI on behalf of Business Associate agrees in writing to the same restrictions, conditions, and requirements that apply to Business Associate under this Agreement with respect to such PHI, in accordance with 45 CFR §§ 164.502(e)(1)(ii) and 164.308(b)(2).

2.5 Access to PHI.  Business Associate shall make available to Covered Entity, within fifteen (15) business days of a written request, PHI in a Designated Record Set as necessary for Covered Entity to fulfill its obligations under 45 CFR § 164.524. If an Individual makes a request for access to PHI directly to Business Associate, Business Associate shall promptly forward such request to Covered Entity.

2.6 Amendment of PHI.  Business Associate shall make available PHI for amendment and shall incorporate any amendments to PHI in a Designated Record Set as directed by Covered Entity, in accordance with 45 CFR § 164.526, within fifteen (15) business days of receiving such direction. If an Individual makes a request for amendment directly to Business Associate, Business Associate shall promptly forward such request to Covered Entity.

2.7 Accounting of Disclosures.  Business Associate shall document and make available to Covered Entity or an Individual, within thirty (30) days of a written request, such information as is necessary for Covered Entity to fulfill its obligations to provide an accounting of disclosures in accordance with 45 CFR § 164.528. Business Associate shall maintain records of disclosures of PHI and information related to such disclosures for a period of at least six (6) years from the date of the disclosure.

2.8 Access to Books and Records.  Business Associate shall make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary for purposes of determining Covered Entity's compliance with the Privacy Rule, in accordance with 45 CFR § 164.504(e)(2)(ii)(I).

2.9 Mitigation.  Business Associate shall take reasonable steps to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of this Agreement.

Article III — Permitted Uses and Disclosures

3.1 Services.  Business Associate may use and disclose PHI solely as necessary to perform the Services specified in the Service Agreement on behalf of Covered Entity, provided that such use or disclosure would not violate HIPAA if done by Covered Entity, except as otherwise permitted in this Article III.

3.2 Management and Administration.  Business Associate may use PHI for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate, provided that: (a) such uses are reasonably necessary for Business Associate's management and administration; and (b) with respect to any disclosure of PHI for such purposes, (i) the disclosure is Required by Law, or (ii) Business Associate obtains reasonable assurances from the person to whom the PHI is disclosed that the information will remain confidential and will be used or further disclosed only as Required by Law or for the purposes for which it was disclosed.

3.3 Required by Law.  Business Associate may use or disclose PHI as Required by Law.

3.4 De-Identified Data.  Business Associate may use PHI to create de-identified health information in accordance with 45 CFR § 164.514(a)–(c). Once properly de-identified, such data is no longer PHI and may be used by Business Associate for product improvement, analytics, research, and development purposes. Business Associate shall maintain documentation of the de-identification methodology as required by applicable regulations.

3.5 Minimum Necessary.  Business Associate shall, to the extent required by the Privacy Rule, limit its uses and disclosures of, and requests for, PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request, in accordance with 45 CFR § 164.502(b) and the HITECH Act.

Article IV — Obligations of Covered Entity

4.1 Notice of Privacy Practices.  Covered Entity shall notify Business Associate of any limitation(s) in the Covered Entity's Notice of Privacy Practices issued in accordance with 45 CFR § 164.520, to the extent that such limitation(s) may affect Business Associate's use or disclosure of PHI.

4.2 Changes in Permission.  Covered Entity shall notify Business Associate of any changes in, or revocation of, the permission by an Individual to use or disclose his or her PHI, to the extent that such changes may affect Business Associate's use or disclosure of PHI.

4.3 Restrictions.  Covered Entity shall notify Business Associate of any restriction on the use or disclosure of PHI that Covered Entity has agreed to or is required to abide by under 45 CFR § 164.522, to the extent that such restriction may affect Business Associate's use or disclosure of PHI.

4.4 Authorizations.  Covered Entity shall obtain any and all consents, authorizations, and/or other permissions that may be required under applicable federal or state law prior to furnishing PHI to Business Associate.

4.5 Permissible Requests.  Covered Entity shall not request that Business Associate use or disclose PHI in any manner that would not be permissible under HIPAA or applicable state law if done by Covered Entity.

Article V — Term and Termination

5.1 Term.  This Agreement shall become effective as of the Effective Date and shall remain in effect for the duration of the Service Agreement between the Parties, unless earlier terminated as provided herein. This Agreement shall automatically terminate upon the termination or expiration of the Service Agreement, subject to the survival provisions of Section 5.4.

5.2 Termination for Cause.  Either Party may terminate this Agreement if: (a) the other Party materially breaches any provision of this Agreement and fails to cure such breach within thirty (30) calendar days after receiving written notice; or (b) if cure of the breach is not reasonably possible, the non-breaching Party may immediately terminate this Agreement upon written notice.

5.3 Effect of Termination — Return or Destruction of PHI.  Upon termination of this Agreement for any reason, Business Associate shall, at the option of Covered Entity, either return or destroy all PHI received from, or created on behalf of, Covered Entity, in all forms and media, including all copies thereof, within sixty (60) calendar days after termination. If Business Associate determines that return or destruction is not feasible, it shall provide written notice to Covered Entity, extend the protections of this Agreement to such PHI for as long as it is retained, and limit further uses and disclosures to those purposes that make return or destruction infeasible. Business Associate may retain PHI as necessary to comply with legal obligations.

5.4 Survival.  The obligations of Business Associate under Sections 2.2 (Safeguards), 2.3 (Reporting), 2.7 (Accounting of Disclosures), and 5.3 (Return or Destruction) shall survive the termination of this Agreement.

Article VI — Miscellaneous

6.1 Governing Law.  This Agreement shall be governed by and construed in accordance with the laws of the State of Colorado, without regard to its conflict of laws principles, to the extent not preempted by federal law.

6.2 Entire Agreement.  This Agreement constitutes the entire agreement between the Parties with respect to the subject matter hereof and supersedes all prior and contemporaneous agreements relating to the subject matter. This Agreement supplements, and does not replace or supersede, the Service Agreement.

6.3 Amendment.  This Agreement may not be amended, modified, or supplemented except by a written instrument signed by both Parties. The Parties agree to take such action as is necessary to amend this Agreement from time to time as necessary for compliance with changes in HIPAA, the HITECH Act, and their implementing regulations.

6.4 No Third-Party Beneficiaries.  Nothing in this Agreement shall confer upon any person other than the Parties and their respective successors and permitted assigns any rights, remedies, obligations, or liabilities whatsoever.

6.5 Severability.  If any provision of this Agreement is held by a court of competent jurisdiction to be invalid, void, or unenforceable, the remaining provisions shall continue in full force and effect.

6.6 Counterparts.  This Agreement may be executed in one or more counterparts, each of which shall be deemed an original, and all of which together shall constitute one and the same instrument. Electronic signatures shall be deemed valid and binding to the same extent as original signatures.

6.7 Interpretation.  Any ambiguity in this Agreement shall be resolved in favor of a meaning that permits Covered Entity and Business Associate to comply with HIPAA, the HITECH Act, and their implementing regulations.

Signatures

IN WITNESS WHEREOF, the Parties have executed this Business Associate Agreement as of the Effective Date first written above.

Covered Entity


Business Associate — OraCore AI, LLC

OraCore AI, LLC
Brad Hutchison
Chief Executive Officer