Business Associate Agreement

This Business Associate Agreement (BAA), effective as of the date you begin using the services and is made by and between you (Covered Entity) and Amesite Inc. (Business Associate) for the purpose of compliance with the Health Insurance Portability and Accountability Act and its implementing administrative simplification regulations (45 CFR 160-164) (HIPAA), Subtitle D of the Health Information Technology for Economic and Clinical Health Act (HITECH), and any applicable State data privacy and security laws and regulations.  This BAA hereby amends and is incorporated into any underlying agreement between Covered Entity and Business Associate. To the extent that the provisions of this BAA conflict with those of an underlying agreement, the provisions of this BAA shall control.   Terms used but not otherwise defined herein shall have the same meaning as those terms defined in 45 CFR 160.103 and 164.501.

 

      If, in the provision of services to Covered Entity, representatives of Business Associate may receive or have access to Protected Health Information (PHI) that is created and/or maintained by Covered Entity, then Business Associate shall be bound to the following terms:

 

1. Permitted Uses and Disclosures.  Business Associate may use and disclose PHI in the course of performing services for or on behalf of Covered Entity as Required or permitted by law, regulation, regulatory agency or by any accrediting body to whom Covered Entity or Business Associate may be required to disclose such PHI. Business Associate may also use PHI for proper management and administration, or to carry out the legal responsibilities of Business Associate.

 

2. Business Associate’s Obligations.  Business Associate shall:

 

a. require its agents, vendors and subcontractors to whom it may provide PHI agree to the same terms and conditions as are applicable to Business Associate as set forth herein;

b. implement appropriate and reasonable physical, administrative, and technical safeguards to prevent use or disclosure of PHI other than as permitted herein;

c. report to Covered Entity any use or disclosure of PHI not provided for by this BAA;

d. make available to the Secretary of Health and Human Services or any other applicable regulatory authority, Business Associate’s books and records relating to the use or disclosure of PHI for purposes of determining Covered Entity’s compliance with HIPAA or an applicable State law; subject to any attorney-client or other privileges;

e. report to the Covered Entity, and mitigate to the extent practicable, any harmful effect that is known to Business Associate of uses or disclosures of PHI of which Business Associate becomes aware that do not comply with the terms herein;

f. to the extent that Covered Entity and Business Associate agree in writing that Business Associate shall maintain PHI as part of a Designated Record Set, upon Covered Entity’s request, provide access and make amendments to such PHI, in order to meet the requirements under HIPAA;

g. document such uses and disclosures of PHI and, upon Covered Entity’s request, provide such information as would be required for Covered Entity to account for disclosures of PHI as required under HIPAA;

h. when Business Associate ceases to perform services for or on behalf of Covered Entity, Business Associate will destroy all PHI received or if such destruction of PHI is not feasible, continue to abide by the terms set forth herein with respect to such PHI; and

i. following a discovery of a Breach of Unsecured Protected Health Information, as defined in HITECH, notify Covered Entity of such Breach within ten (10) days of the discovery of the Breach.

 

3. Term and Termination.  The term of this BAA shall be effective as of the date set forth above and shall terminate when Business Associate ceases to perform services for Covered Entity, except as provided in 2(h) above.  Covered Entity may terminate this BAA if Business Associate fails to cure or take substantial steps to cure a material breach of this BAA within thirty (30) days after receiving written notice of such material breach from Covered Entity.

 

4. Agreement.  This BAA constitutes the entire agreement between the parties.  This BAA may be amended only in writing signed by Covered Entity and Business Associate.  The parties agree to take such action to amend this BAA as is necessary to comply with the requirements of HIPAA and HITECH.  This BAA and the rights and obligations of the parties hereunder shall in all respects be governed by, and construed in accordance with, the laws of the Commonwealth of Michigan, including all matters of construction, validity, and performance.