Business Associate Agreement (BAA)
This BUSINESS ASSOCIATE AGREEMENT (“BAA”) is effective as of the date and time your YATAV account is created (“Effective Date”) and is entered into between you (the “Covered Entity”) and YATAV Inc. (the “Business Associate”). This BAA supersedes any previous business associate agreement between the parties, amends and supplements the Terms of Service between the Covered Entity and Business Associate, and is made a part of the Terms of Service, as may be amended from time to time (the “Agreement”).
RECITALS
WHEREAS, the Covered Entity is a “covered entity” as defined in 45 C.F.R. § 160.103;
WHEREAS, in connection with providing services to the Covered Entity under the Agreement, the Business Associate may create, receive, maintain, or transmit certain Protected Health Information (“PHI”) on behalf of the Covered Entity as defined below;
WHEREAS, the Covered Entity and Business Associate intend to protect the privacy and ensure the security of PHI in compliance with the Health Insurance Portability and Accountability Act of 1996, Subtitle D of the Health Information Technology for Economic and Clinical Health Act of 2009 (“HITECH”), and the regulations and guidance issued under both laws by the U.S. Department of Health and Human Services (collectively, “HIPAA”), as well as other applicable federal and state laws;
WHEREAS, the purpose of this BAA is to satisfy certain standards and requirements of HIPAA, including but not limited to 45 C.F.R. §§ 164.308(b), 164.314(a), 164.502(e), and 164.504(e);
WHEREAS, this BAA shall apply only if the Business Associate, with respect to the Covered Entity, meets the definition of “business associate” set forth in 45 C.F.R. § 160.103.
NOW, THEREFORE, in consideration of the mutual promises below and the exchange of information pursuant to this BAA, the parties agree as follows:
I. DEFINITIONS
A. “Breach” shall have the meaning given to the term “breach” at 45 C.F.R. § 164.402, as it applies to the Unsecured PHI created, received, maintained, or transmitted by the Business Associate from or on behalf of the Covered Entity.
B. “Data Aggregation” shall have the same meaning as the term “data aggregation” in 45 C.F.R. § 164.501.
C. “Designated Record Set” shall have the meaning given to such term in 45 C.F.R. § 164.501.
D. “Electronic Protected Health Information” or “ePHI” shall have the meaning given to the term “electronic protected health information” at 45 C.F.R. § 160.103, as applied to the information created, received, maintained, or transmitted by the Business Associate from or on behalf of the Covered Entity.
E. “Individual” shall have the meaning given to such term at 45 C.F.R. § 160.103, and shall include a person who qualifies as a personal representative in accordance with 45 C.F.R. § 164.502(g).
F. “Privacy Rule” shall mean the Standards for Privacy of Individually Identifiable Health Information at 45 C.F.R. Part 160 and Part 164, Subparts A and E, as amended.
G. “Protected Health Information” or “PHI” shall have the meaning given to the term “protected health information” at 45 C.F.R. § 160.103, as applied to the information created, received, maintained, or transmitted by the Business Associate from or on behalf of the Covered Entity.
H. “Reportable Event” means any (1) use or disclosure of PHI not provided for by this BAA; (2) Security Incident; or (3) Breach of Unsecured PHI.
I. “Required by Law” shall have the meaning given to the term “required by law” at 45 C.F.R. § 164.103.
J. “Secretary” shall mean the Secretary of the U.S. Department of Health and Human Services or their designee.
K. “Security Incident” shall have the meaning given to the term “security incident” at 45 C.F.R. § 164.304, as applied to the ePHI created, received, maintained, or transmitted by the Business Associate from or on behalf of the Covered Entity.
L. “Security Rule” shall mean the Security Standards for the Protection of Electronic Protected Health Information at 45 C.F.R. Part 160 and Part 164, Subparts A and C, as amended.
M. “Subcontractor” shall have the meaning given to the term “subcontractor” at 45 C.F.R. § 160.103.
N. “Unsecured PHI” shall have the meaning given to the term “unsecured protected health information” at 45 C.F.R. § 164.402, as applied to the information created, received, maintained, or transmitted by the Business Associate from or on behalf of the Covered Entity.
O. Any other capitalized terms used, but not otherwise defined, in this BAA shall have the same meaning as those terms in HIPAA. Any inconsistency in the definition of a term shall be resolved in favor of a meaning that permits compliance with HIPAA.
II. PERMITTED USES AND DISCLOSURES OF PHI
Except as otherwise limited in this BAA or the Agreement, the Business Associate may do any or all of the following:
A. Use or Disclosure Under the Agreement. Use or disclose PHI to perform functions, activities, or services for, or on behalf of the Covered Entity, as permitted in the Agreement, provided that such use or disclosure would not violate the Privacy Rule or any applicable state law if done by the Covered Entity. Notwithstanding the above, the Business Associate may also use and disclose PHI for the purposes identified in the paragraphs below.
B. Use for Administration or Legal Responsibilities. Use PHI for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate.
C. Disclosure for Administration or Legal Responsibilities. Disclose PHI for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate, provided that:
- The disclosures are Required by Law; or
- The Business Associate obtains reasonable assurances from the third party to whom the PHI is disclosed that such information shall remain confidential and shall be used or further disclosed only as Required by Law or for the purpose for which it was disclosed to the person, and such person agrees to promptly notify the Business Associate of any instance in which it becomes aware that the confidentiality of the information has been breached.
D. Use for Reporting of Violations. Use PHI to report violations of the law to appropriate federal, state, and local authorities, consistent with 45 C.F.R. § 164.502(j).
E. Use for Data Aggregation Services. Use PHI to provide Data Aggregation services relating to the healthcare operations of the Covered Entity, as permitted by 45 C.F.R. § 164.504(e)(2)(i)(B).
F. De-identified Information. Use PHI to create de-identified information in accordance with 45 C.F.R. §§ 164.502(d) and 164.514(a)-(c). The Business Associate may use de-identified information for any purpose, provided it complies with applicable law.
III. OBLIGATIONS AND ACTIVITIES OF BUSINESS ASSOCIATE
A. Limited by Agreement and Law. The Business Associate may not use or disclose PHI other than as permitted or required by this BAA and the Agreement or as Required by Law.
B. Compliance with HIPAA. To the extent that the Business Associate is responsible for carrying out an obligation of the Covered Entity under HIPAA pursuant to this BAA or the Agreement, the Business Associate shall comply with the requirements of HIPAA that apply to the Covered Entity in the performance of such obligation.
C. Appropriate Safeguards. The Business Associate shall use appropriate safeguards and, where applicable, comply with the Security Rule and HITECH with respect to ePHI, to prevent the use or disclosure of PHI other than as provided for by this BAA.
D. Reportable Events.
- The Business Associate shall report to the Covered Entity, by email or telephone, any Reportable Event of which it becomes aware. All such reports shall be made without unreasonable delay and in no case later than fifteen (15) business days after the Business Associate’s discovery of a Reportable Event.
- The notification required hereunder shall include, to the extent possible: (i) the identification of each Individual whose PHI has been, or is reasonably believed by the Business Associate to have been, accessed, acquired, used, lost, modified, destroyed, or disclosed during the Reportable Event; (ii) a brief description of what happened, including the date of the Reportable Event and the date of discovery; (iii) a description of the types of PHI involved; (iv) any steps Individuals should take to protect themselves from potential harm resulting from the Reportable Event; (v) a brief description of what the Business Associate is doing to investigate, remediate, and respond to the Reportable Event, mitigate harm to Individuals, and protect against further Reportable Events; and (vi) such other information that is reasonably available to the Business Associate that the Covered Entity would reasonably be expected to need to fulfill its notification obligations. The Business Associate shall supplement its initial notification as additional information is obtained.
- The Business Associate shall cooperate with the Covered Entity in investigating a Reportable Event and assist the Covered Entity in determining whether a Reportable Event constitutes a Breach of Unsecured PHI.
- The Business Associate shall mitigate, to the extent practicable, any harmful effect known to the Business Associate of a Reportable Event.
- The parties acknowledge and agree that this Section III.D constitutes notice by the Business Associate to the Covered Entity of the ongoing existence and occurrence of attempted but unsuccessful Security Incidents that do not result in unauthorized access to, or use, loss, modification, destruction, or disclosure of, PHI, such as pings and other broadcast attacks on the Business Associate’s firewall, port scans, unsuccessful log-on attempts, unsuccessful denial of service attacks, or any combination thereof.
E. Subcontractors. If the Business Associate discloses PHI to a Subcontractor or allows a Subcontractor to create, receive, maintain, or transmit PHI on its behalf, the Business Associate shall require the Subcontractor to agree to the substantially similar restrictions, conditions, and requirements that apply to the Business Associate with respect to such information by entering into a written agreement with the Subcontractor that complies with 45 C.F.R. §§ 164.314(a) and 164.504(e).
F. Access to PHI. The Business Associate agrees to provide access, via in-app export, to Protected Health Information in a Designated Record Set to the Covered Entity or, as directed by the Covered Entity, to an Individual, in order to meet the Covered Entity’s requirements under 45 C.F.R. § 164.524. The Business Associate further agrees, in cases where the Business Associate controls access to Protected Health Information in an Electronic Health Record or electronically stored format, to provide similar access in order for the Covered Entity to meet its requirements under the HIPAA Rules and Section 13405(c) of the HITECH Act. These provisions do not apply if the Business Associate and its employees or Subcontractors have no Protected Health Information in a Designated Record Set of the Covered Entity.
G. Amendment of PHI. To the extent that the Business Associate maintains PHI in a Designated Record Set, the Business Associate shall make amendments to such PHI in a Designated Record Set as directed by the Covered Entity in a timely manner that meets the requirements of 45 C.F.R. § 164.526. This provision does not apply if the Business Associate and its employees or Subcontractors have no Protected Health Information from a Designated Record Set of the Covered Entity.
H. Accounting of Disclosures. The Business Associate shall provide to the Covered Entity an accounting of the disclosures of an Individual’s PHI in a timely manner that meets the requirements of 45 C.F.R. § 164.528 and, as of the applicable effective date, Section 13405(c) of HITECH and any regulations promulgated thereunder. The Business Associate shall have a reasonable time within which to comply with such a request from the Covered Entity, and in no case shall the Business Associate be required to provide such documentation in less than ten (10) business days after the Business Associate's receipt of such a request.
I. Response to Requests from Individuals. Except as this BAA or any other agreement between the Covered Entity and the Business Associate may otherwise provide, in the event the Business Associate receives an access, amendment, accounting of disclosure, or other similar request directly from an Individual, the Business Associate will redirect the Individual to the Covered Entity.
J. Governmental Access to Records. The Business Associate shall make its internal policies, practices, books, and records relating to the use and disclosure of PHI that is received from, or created or received by, the Business Associate on behalf of the Covered Entity available to the Secretary for purposes of determining compliance with HIPAA. No attorney-client, accountant-client, or other legal privilege shall be deemed to have been waived by the Business Associate by virtue of the Business Associate’s compliance with this provision.
K. Minimum Necessary. The Business Associate agrees that it shall comply with HIPAA’s minimum necessary requirements.
L. Communication with Other Business Associates. In connection with the performance of its services, activities, and/or functions to or on behalf of the Covered Entity, the Business Associate may disclose information, including PHI, to other business associates of the Covered Entity. Likewise, the Business Associate may use and disclose information, including PHI, received from other business associates of the Covered Entity, as if this information was received from, or originated with, the Covered Entity. The parties agree that it is the responsibility of the Covered Entity to secure and maintain business associate agreements with its other business associates.
IV. OBLIGATIONS OF COVERED ENTITY
A. Notice of Privacy Practices. The Covered Entity shall notify the Business Associate in writing of any limitations in its notice of privacy practices, to the extent that such limitations may affect the Business Associate’s use or disclosure of PHI.
B. Notification of Revocations. The Covered Entity shall notify the Business Associate in writing of any changes in, or revocation of, an Individual’s authorization to use or disclose PHI, to the extent that such changes or revocation may affect the Business Associate’s use or disclosure of PHI.
C. Notification of Restrictions. The Covered Entity shall notify the Business Associate in writing of any restriction to the use or disclosure of PHI that the Covered Entity has agreed to or is required to abide by in accordance with 45 C.F.R. § 164.522, to the extent that such restriction may affect the Business Associate’s use or disclosure of PHI.
D. Notification of Modifications. The Covered Entity shall notify the Business Associate in writing of any modifications to accounting disclosures of PHI under 45 C.F.R. § 164.528, made applicable under Section 13405(c) of the HITECH Act, to the extent that such restrictions may affect the Business Associate’s use or disclosure of Protected Health Information.
E. Permissible Requests. The Covered Entity shall not request that the Business Associate use or disclose PHI in any manner that would not be permissible under HIPAA or other applicable federal or state law if done by the Covered Entity.
F. Minimum Necessary. The Covered Entity agrees that it shall comply with HIPAA’s minimum necessary requirements and only provide the Business Associate with the minimum PHI necessary in order for the Business Associate to provide the services.
V. TERM AND TERMINATION
A. Term. The term of this BAA shall commence as of the Effective Date, be coterminous with the Agreement, and continue in full force and effect from year to year, but shall terminate as of the earliest occurrence of any of the following:
- The Agreement expires or is terminated with or without cause;
- This BAA is terminated for cause as described in paragraph (B) below;
- The parties mutually agree to terminate this BAA; or
- This BAA is terminated under applicable federal, state, or local law.
B. Termination for Cause.
- Upon the Covered Entity’s determination of a breach of a material term of this BAA by the Business Associate, the Covered Entity shall provide the Business Associate with written notice of that breach in sufficient detail to enable the Business Associate to understand the specific nature of that breach and afford the Business Associate an opportunity to cure the breach; provided, however, that if the Business Associate fails to cure the breach within thirty (30) days of receipt of such notice, the Covered Entity may terminate this BAA and the Agreement.
- Upon the Business Associate’s determination of a breach of a material term of this BAA by the Covered Entity, the Business Associate shall provide the Covered Entity with written notice of that breach in sufficient detail to enable the Covered Entity to understand the specific nature of that breach and afford the Covered Entity an opportunity to cure the breach; provided, however, that if the Covered Entity fails to cure the breach within thirty (30) days of receipt of such notice, the Business Associate may terminate this BAA and the Agreement.
C. Effect of Termination.
- Subject to paragraph (2) below, upon termination of this BAA for any reason, the Business Associate shall return or destroy all PHI that the Business Associate still maintains in any form. The Business Associate shall retain no copies of such PHI.
- If returning or destroying any or all PHI is not feasible, the Business Associate shall:
  i. Retain only the PHI for which return or destruction is not feasible;
  ii. Return to the Covered Entity or destroy the remaining PHI that the Business Associate still maintains in any form;
  iii. Extend the protections of this BAA to any retained PHI, continue to use appropriate safeguards, and comply with the Security Rule and HITECH with respect to ePHI, in order to prevent the use or disclosure of the retained PHI other than as provided for in this BAA for as long as the Business Associate retains the PHI;
  iv. Not use or disclose the PHI retained by the Business Associate other than for the purposes for which such PHI was retained and subject to the same conditions set forth in this BAA that applied prior to termination; and
  v. Return to the Covered Entity or destroy the PHI retained by the Business Associate if and when it becomes feasible to do so.
- This Section V.C shall survive termination of this Agreement.
VI. MISCELLANEOUS
A. Regulatory References. A reference in this BAA to a section in HIPAA means the section as in effect or as amended at the time this BAA is executed or amended.
B. Amendment; No Waiver. Upon the effective date of any federal statute amending or expanding HIPAA, any guidance, or temporary, interim final, or final regulations issued under HIPAA, or any federal statute amending or expanding HIPAA (collectively, the “Regulations”) that apply to this BAA or any amendments to the Regulations, this BAA shall be automatically amended such that the obligations imposed on the Covered Entity and Business Associate shall remain in compliance with such requirements unless the parties agree otherwise by mutual consent. The parties shall take all necessary action to expressly reflect such automatic amendments to this BAA from time to time. Except as provided otherwise in this paragraph (B), no waiver, change, modification, or amendment of any provision of this BAA shall be made unless it is in writing and is signed by the parties hereto. The failure of either party at any time to insist upon strict performance of any condition, promise, agreement, or understanding set forth herein shall not be construed as a waiver or relinquishment of the right to insist upon strict performance of the same condition, promise, agreement, or understanding at a future time.
C. Interpretation. Any ambiguity in this BAA shall be resolved in favor of a meaning that permits compliance with HIPAA. The titles and headings set forth at the beginning of each section hereof are inserted for convenience of reference only and shall in no way be construed as a part of this BAA or as a limitation on the scope of the particular provision to which it refers. In the event of an inconsistency between the provisions of this BAA and the mandatory terms of HIPAA, as may be expressly amended from time to time by the Secretary, or as a result of interpretations by the Secretary, a court, or another regulatory agency with authority over the parties, the interpretation of the Secretary, such court, or regulatory agency shall prevail.
D. Entire Agreement; Effect on the Agreement. This BAA, together with the Agreement, sets forth the entire understanding between the parties and supersedes any previous or contemporaneous understandings, commitments, representations, warranties, or agreements, written or oral, regarding the subject matter hereof. No representations, agreements, or understandings of any kind, either written or oral, except as set forth or incorporated by reference into this BAA or the Agreement, have been relied upon in entering into this BAA, nor shall any such representations, agreements, or understandings be binding upon the parties unless expressly contained herein or therein. Notwithstanding any provision to the contrary in this BAA or the Agreement, to the extent that any term in this BAA is directly contradictory to a term in the Agreement, the term in this BAA shall supersede such contradictory term to the extent necessary to permit compliance with HIPAA.
E. Relationship of Parties. The parties to this BAA are independent contractors. None of the provisions of this BAA are intended to create, nor shall they be interpreted or construed to create, any relationship between the Covered Entity and Business Associate other than that of independent contractors. Except as otherwise expressly set forth herein, neither party, nor any of its representatives, shall be deemed to be the agent, employee, or representative of the other party.
F. No Third-Party Beneficiaries. This BAA is between the parties hereto. Nothing express or implied in this BAA is intended to confer, nor shall anything herein confer, any rights, remedies, obligations, or liabilities whatsoever upon any person other than the Covered Entity and Business Associate and any respective successors and assigns.
G. Invalid or Unenforceable Provision. The provisions of this BAA shall be severable. The invalidity or unenforceability of any particular provision or portion of such provision of this BAA shall be construed, in all respects, as if such invalid or unenforceable provision or portion of such provision had been omitted, and shall not affect the validity and enforceability of the other provisions hereof or portions of that provision.
H. Assignment. The parties’ rights and obligations with respect to the assignment of this BAA shall be subject to the assignment provision set forth in the Agreement. This BAA shall be binding upon, and shall inure to the benefit of, the parties hereto and their respective successors.
I. Applicable Law. This BAA shall be construed, administered, and governed by the governing law set forth in the Agreement, except to the extent preempted by applicable federal law.
J. Disputes. In the event of a dispute between the parties, the parties shall follow the dispute resolution procedures outlined in the Agreement.
K. Notices. All notices to the Business Associate shall be in writing and either delivered by hand, or sent by mail, or delivered in such other manner as the parties may agree upon, to YATAV, Inc., c/o Compliance Manager, 6940 BEACH BLVD. D-413 BUENA PARK, CA 90621. All notices to the Covered Entity shall be by email at the email address provided upon account creation.
Each party reserves the right to change the address for receiving notice during the term of this BAA upon written notice to the other party.