BUSINESS ASSOCIATE AGREEMENT
This Business Associate Agreement is required to be signed by Hibox and its customers at the time of purchase of any tools that fall under HIPAA guidelines.
This Business Associate Agreement (“Agreement”) is entered into as of the date last signed below (“Effective Date”) by and between:
Covered Entity: _____________________________ (“Customer”), a nonprofit organization located at _____________________________
Business Associate: Hibox for Nonprofits, LLC (“Hibox”), a company located at Sheldon, Iowa.
Together referred to as the “Parties.”
RECITALS
Customer is a Covered Entity or Business Associate subject to the requirements of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the Health Information Technology for Economic and Clinical Health Act (“HITECH”), and their implementing regulations at 45 C.F.R. Parts 160 and 164 (collectively, “HIPAA Rules”).
Hibox provides software services to Customer pursuant to a separate subscription or services agreement (“Services Agreement”), and in doing so may create, receive, maintain, or transmit Protected Health Information (“PHI”) on behalf of Customer.
The Parties enter into this Agreement to satisfy the requirements of 45 C.F.R. § 164.308(b) and § 164.502(e).
ARTICLE 1 – DEFINITIONS
Terms used in this Agreement shall have the same meaning as defined in the HIPAA Rules. Key terms include:
1.1 “Protected Health Information” or “PHI” means individually identifiable health information transmitted or maintained in any form or medium, as defined in 45 C.F.R. § 160.103, that Hibox creates, receives, maintains, or transmits on behalf of Customer.
1.2 “Electronic Protected Health Information” or “ePHI” means PHI that is created, received, maintained, or transmitted in electronic form.
1.3 “Breach” has the meaning set forth in 45 C.F.R. § 164.402.
1.4 “Security Incident” means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.
1.5 “Subcontractor” means any third party engaged by Hibox that creates, receives, maintains, or transmits PHI on behalf of Hibox.
ARTICLE 2 – OBLIGATIONS OF HIBOX
2.1 Permitted Uses and Disclosures. Hibox may use or disclose PHI only:
(a) As necessary to perform the services described in the Services Agreement;
(b) As required by law;
(c) For Hibox’s proper management and administration, provided that disclosures are required by law or Hibox obtains reasonable assurances from the recipient that the PHI will be held confidentially and used or further disclosed only as required by law or for the purpose for which it was disclosed; or
(d) To provide Data Aggregation services relating to Customer’s health care operations, if applicable.
2.2 Prohibited Uses and Disclosures. Hibox shall not use or disclose PHI in any manner that would violate the HIPAA Rules if done by Customer, except as permitted under this Agreement.
2.3 Safeguards. Hibox shall implement and maintain appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of PHI and ePHI, in accordance with 45 C.F.R. Part 164, Subpart C.
2.4 Reporting.
(a) Security Incidents: Hibox shall report to Customer any Security Incident of which it becomes aware, without unreasonable delay.
(b) Breaches: Hibox shall notify Customer of any Breach of Unsecured PHI without unreasonable delay and in no case later than thirty (30) calendar days after discovery. Notification shall include, to the extent possible: the identification of individuals affected; a description of what occurred; the types of PHI involved; steps individuals should take to protect themselves; and the steps Hibox is taking to investigate, mitigate, and prevent future occurrences.
(c) Unauthorized Disclosures: Hibox shall report to Customer any use or disclosure of PHI not permitted by this Agreement of which it becomes aware.
2.5 Subcontractors. Hibox shall ensure that any Subcontractor that creates, receives, maintains, or transmits PHI on behalf of Hibox agrees to the same restrictions, conditions, and requirements that apply to Hibox under this Agreement, by executing a written agreement with such Subcontractor prior to disclosing PHI.
2.6 Access to PHI. To the extent Hibox maintains PHI in a Designated Record Set, Hibox shall make PHI available to Customer so that Customer may fulfill its obligations under 45 C.F.R. § 164.524 (individual right of access).
2.7 Amendment of PHI. To the extent Hibox maintains PHI in a Designated Record Set, Hibox shall make PHI available for amendment and shall incorporate any amendments directed by Customer pursuant to 45 C.F.R. § 164.526.
2.8 Accounting of Disclosures. Hibox shall maintain and make available to Customer the information required for Customer to provide an accounting of disclosures in accordance with 45 C.F.R. § 164.528.
2.9 Compliance with HIPAA Rules. To the extent Hibox is required to carry out Customer’s obligations under the Privacy Rule, Hibox shall comply with the requirements of the Privacy Rule that apply to Customer in the performance of those obligations.
2.10 Government Access. Hibox shall make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of the U.S. Department of Health and Human Services for purposes of determining compliance with the HIPAA Rules.
2.11 Minimum Necessary. Hibox shall use, disclose, or request only the minimum amount of PHI necessary to accomplish the intended purpose.
ARTICLE 3 – OBLIGATIONS OF CUSTOMER
3.1 Notice of Privacy Practices. Customer shall notify Hibox of any limitations in its Notice of Privacy Practices that would affect Hibox’s use or disclosure of PHI.
3.2 Individual Permissions. Customer shall notify Hibox of any changes in, or revocation of, permission by an individual to use or disclose PHI, to the extent that such changes may affect Hibox’s permitted use or disclosure.
3.3 Restrictions. Customer shall notify Hibox of any restriction on the use or disclosure of PHI that Customer has agreed to or is required to abide by, to the extent such restrictions may affect Hibox’s permitted use or disclosure.
3.4 Permissible Requests. Customer shall not request Hibox to use or disclose PHI in any manner that would not be permissible under the HIPAA Rules if done by Customer.
3.5 Lawful Instructions. Customer is responsible for ensuring that its instructions and configurations within the Hibox platform comply with applicable law.
ARTICLE 4 – TERM AND TERMINATION
4.1 Term. This Agreement shall be effective as of the Effective Date and shall remain in effect until terminated as provided herein or until the Services Agreement expires or is terminated, whichever occurs first.
4.2 Termination for Cause. Either Party may terminate this Agreement upon thirty (30) days’ written notice if the other Party materially breaches this Agreement and fails to cure such breach within the notice period.
4.3 Termination by Customer. Customer may terminate this Agreement immediately upon written notice if Hibox has engaged in a pattern of activity or practice that constitutes a material breach of this Agreement.
4.4 Effect of Termination – Return or Destruction of PHI. Upon termination of this Agreement, Hibox shall, at Customer’s direction, either return or securely destroy all PHI received from or created on behalf of Customer, including PHI in the possession of Subcontractors, and shall retain no copies. If return or destruction is not feasible, Hibox shall notify Customer and extend the protections of this Agreement to such PHI for as long as Hibox maintains it.
ARTICLE 5 – GENERAL PROVISIONS
5.1 Amendment. The Parties agree to amend this Agreement as necessary to comply with changes in applicable law or regulation. Hibox may amend this Agreement upon thirty (30) days’ written notice to Customer; continued use of the Hibox platform following such notice constitutes acceptance.
5.2 Interpretation. This Agreement shall be interpreted to give effect to the Parties’ intent to comply with the HIPAA Rules. Any ambiguity shall be resolved in favor of a meaning that permits Customer to comply with the HIPAA Rules.
5.3 Survival. The obligations of Hibox under Section 4.4 (return or destruction of PHI) shall survive termination of this Agreement.
5.4 No Third-Party Beneficiaries. Nothing in this Agreement shall confer any rights or remedies upon any person other than the Parties and their respective successors and permitted assigns.
5.5 Entire Agreement. This Agreement, together with the Services Agreement, constitutes the entire agreement between the Parties with respect to the subject matter hereof and supersedes all prior negotiations, representations, or agreements relating to this subject matter.
5.6 Governing Law. This Agreement shall be governed by the laws of the State of Iowa, without regard to its conflict of law provisions, and applicable federal law.
5.7 Severability. If any provision of this Agreement is found to be unenforceable, the remaining provisions shall remain in full force and effect.
5.8 Disclaimer. Hibox does not represent that use of its platform will guarantee Customer’s compliance with HIPAA. Customer remains responsible for its own HIPAA compliance obligations.