LAST UPDATED: [April 1, 2023]
You and the company, institution or other entity (“Healthcare Entity”) employing, contracting or retaining you, or on whose behalf you are using the Hint Health Service described below (collectively, you and such Healthcare Entity, “you”, the “Covered Entity”) agree to be bound by and become a party to this Hint Health Business Associate Agreement (this "Agreement") with Hint Health Inc (“we”, “us”, “Hint Health”, “Business Associate”). You represent, warrant and agree that you are authorized to enter into this Agreement on behalf of yourself and the Healthcare Entity and to bind yourself and the Healthcare Entity to the terms and conditions herein.
This Agreement is being entered into in connection with your use of our online service for direct-pay, medical care providers, which may include, without limitation billing, membership management, reminder notifications and/or related functionality (the “Hint Health Service”) under the terms and conditions of that certain Hint Health Terms of Service Agreement or related order form (collectively, “TOS Agreement”) entered into between you and us. This Agreement, together with the TOS Agreement, as supplemented by this Agreement, (a) is intended by the parties as a final, complete and exclusive expression of the terms of our agreement regarding the subject matter hereof; and (b) supersedes all prior agreements and understandings (whether oral or written) between the parties with respect to the subject matter hereof.
Healthcare Entity is a covered entity as such term is defined under HIPAA and as such is required to comply with the requirements thereof regarding the confidentiality and privacy of PHI.
By providing services pursuant to the TOS Agreement and receiving PHI for or on your behalf, Hint Health shall become a business associate, as such term is defined under HIPAA, and will therefore have obligations regarding the confidentiality and privacy of PHI that we receive from or on your behalf.
The parties hereby agree as follows:
1.1 Business Associate: “Business Associate” shall generally have the same meaning as the term “business associate” at 45 CFR 160.103, and in reference to the party to this Agreement, shall mean us.
1.2 Covered Entity: “Covered Entity” shall generally have the same meaning as the term “covered entity” at 45 CFR 160.103, and in reference to the party to this Agreement, shall mean you.
1.3 HIPAA: “HIPAA” shall mean collectively, the Health Insurance Portability and Accountability Act of 1996, as amended by the Health Information Technology for Economic and Clinical Health Act, and their implementing regulations, each as amended.
1.4 “Protected Health Information” or “PHI” is any information, whether oral or recorded in any form or medium that is created, received, maintained, or transmitted by us for or on your behalf, that identifies an individual or might reasonably be used to identify an individual and relates to: (i) the individual’s past, present or future physical or mental health; (ii) the provision of health care to the individual; or (iii) the past, present or future payment for health care.
The following terms used in this Agreement shall have the same meaning as those terms in HIPAA: Breach, Data Aggregation, Designated Record Set, Disclosure, Health Care Operations, Individual, Minimum Necessary, Notice of Privacy Practices, Required By Law, Secretary, Security Incident, Subcontractor, Unsecured Protected Health Information, and Use.
2. Our Obligations and Activities
We agree to:
2.1 Not use or disclose PHI other than as permitted or required by this Agreement, the TOS Agreement, or as required by law;
2.2 Not use or disclose PHI in any manner that violates applicable federal and state laws;
2.3 Use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to electronic PHI, to prevent use or disclosure of PHI other than as provided for by the Agreement or the TOS Agreement;
2.4 Within ten (10) business days, report to you any use or disclosure of PHI not provided for by the Agreement of which we become aware, including Breaches of Unsecured Protected Health Information as required at 45 CFR 164.410, and any successful Security Incident of which we become aware. The parties acknowledge that unsuccessful Security Incidents that occur within the normal course of business shall not be reported pursuant to this Agreement. Such unsuccessful Security Incidents include, but are not limited to, port scans or “pings,” and unsuccessful log-on attempts, broadcast attacks on our firewall, denials of service or any combination thereof if such incidents are detected and neutralized by our anti-virus and other defensive software and not allowed past our firewall;
2.5 In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, ensure that any subcontractors that create, receive, maintain, or transmit PHI on our behalf agree to the same restrictions, conditions, and requirements that apply to us with respect to such information;
2.6 Make available to you PHI maintained in a Designated Record Set as necessary to satisfy your obligations under 45 CFR 164.524. In the event that any Individual requests access to PHI directly from us, we shall forward such request to you. You will be responsible for making all determinations regarding the grant or denial of an Individual’s request for PHI and we will make no such determinations. Except as Required by Law, only you will be responsible for releasing PHI to an Individual pursuant to such a request. Any denial of access to PHI determined by you pursuant to 45 CFR Section 164.524, and conveyed to us by you, shall be your responsibility, including resolution or reporting of all appeals and/or complaints arising from denials;
2.7 Identify and respond internally to any suspected or known Breach of any Unsecured Protected Health Information, Security Incident or other improper use or disclosure of PHI, and will mitigate, to the extent practicable, their harmful effects, document their outcomes, and provide documentation of any successful Security Incident and Breach of any Unsecured PHI to you upon request.
2.8 Make any amendments to PHI maintained in a Designated Record Set as directed or agreed to by you pursuant to 45 CFR 164.526, or take other measures as necessary to satisfy your obligations under 45 CFR 164.526. You will be responsible for making all determinations regarding the grant or denial of an Individual’s request for an amendment to PHI and we will make no such determinations. Any denial of amendment to PHI determined by you pursuant to 45 CFR Section 164.526, and conveyed to us by you, shall be your responsibility, including resolution or reporting of all appeals and/or complaints arising from denials;
2.9 Maintain and make available the information required to provide an accounting of disclosures to you as necessary to satisfy your obligations under 45 CFR 164.528. In the event that any Individual requests an accounting of disclosures of PHI directly from us, we shall forward such request to you. You will be responsible for preparing and delivering an accounting to Individual. We shall implement an appropriate record keeping process to enable us to comply with the requirements of this Agreement;
2.10 Comply with the requirements of Subpart E of 45 CFR Part 164 that apply to you in the performance of your obligations under Subpart E of 45 CFR Part 164, to the extent we are to carry out one or more of such obligations; and
2.11 Make our internal practices, books, and records available to the Secretary for purposes of determining compliance with HIPAA.
3. Permitted Uses and Disclosures by Business Associate
3.1 We shall only use or disclose PHI as necessary to perform the services set forth in the TOS Agreement between the parties, and as outlined in this Agreement.
3.2 We may use or disclose PHI as required by law.
3.3 We agree to use and disclose the minimum necessary PHI for its specific purposes.
3.4 We shall not use or disclose PHI in a manner that would violate Subpart E of 45 CFR Part 164 if done by you, except for the specific uses and disclosures set forth below.
3.5 We may use PHI for our own proper managerial and administrative duties, or to carry out our legal responsibilities.
3.6 We may disclose PHI for our own proper managerial and administrative functions, or to carry out our legal responsibilities, provided the disclosures are required by law, or that we obtain reasonable assurances as governed by our Policies and Procedures from the person to whom the information is disclosed that the information will remain confidential and used or further disclosed only as required by law or for the purposes for which it was disclosed to the person, and the person notifies us of any instances of which it is aware in which the confidentiality of the information has been breached.
3.7 We may provide data aggregation services to the extent permitted under HIPAA and combine PHI created or received on behalf of you by us pursuant to this Agreement with PHI, as defined by 45 C.F.R. 160.103, received by us in our capacity as a business associate of other covered entities, to permit data analyses that relate to the Health Care Operations of the respective covered entities and/or you.
3.8 We may de-identify any and all PHI created or received by us under this Agreement to permit anonymized data analyses that relate to the Health Care Operations of you and other covered entities. Once PHI has been de-identified pursuant to 45 CFR 164.514(b), such information is no longer PHI subject to this Agreement.
4. Provisions for Covered Entity to Inform Business Associate of Privacy Practices and Restrictions
4.1 You agree to notify us of any limitations in your notice of privacy practices under 45 CFR 164.520, to the extent that such limitations may affect our use or disclosure of PHI.
4.2 You agree to notify us of any changes in, or revocation of, the permission by an Individual to use or disclose their PHI, to the extent that such changes may affect our use or disclosure of PHI.
4.3 You agree to notify us of any restriction on the use or disclosure of PHI that you have agreed to or are required to abide by under 45 CFR 164.522, to the extent that such restriction may affect our use or disclosure of PHI.
5. Permissible Requests by Covered Entity
You shall not request that we use or disclose PHI in any manner that would not be permissible under Subpart E of 45 CFR Part 164 if done by you, except as specified in Section 3 of this Agreement.
6. Term and Termination
6.1 Term: The Term of this Agreement shall be effective as of the date that the parties first exchanged PHI, and shall continue in perpetuity until either party terminates the agreement.
6.2 Termination: Either party has the right to terminate this Agreement for any reason upon written notice to the other party in the same manner as outlined in the TOS Agreement. This Agreement shall terminate immediately upon termination of the TOS Agreement, subject to Section 6.3 of this Agreement.
6.3 Obligations of Business Associate Upon Termination: Upon termination of this Agreement for any reason, with respect to PHI received from you, or created, maintained, or received by us on your behalf, we shall:
6.4 Material Breach: Where either party has knowledge of a material breach by the other party, the non-breaching party shall provide the breaching party with an opportunity to cure. Where said breach is not cured to the reasonable satisfaction of the non-breaching party within twenty (20) business days of the breaching party’s receipt of notice from the non-breaching party of said breach, the non-breaching party shall, if feasible, terminate this Agreement and the portion(s) of the TOS Agreement affected by the breach. Where either party has knowledge of a material breach by the other party and cure is not possible, the non-breaching party shall, if feasible, terminate this Agreement and the portion(s) of the TOS Agreement affected by the breach.
The obligations of the parties under this Agreement, which by their terms are intended to survive, shall survive the termination of this Agreement.
8.1 Amendment: If any of the regulations promulgated under HIPAA are amended or interpreted in a manner that renders this Agreement inconsistent therewith, the parties shall amend this Agreement to the extent necessary to comply with such amendments or interpretations.
8.2 Interpretation: Any ambiguity in this Agreement shall be resolved to permit the parties to comply with HIPAA.
8.3 Conflicting Terms: In the event that any terms of this Agreement conflict with any terms of the TOS Agreement, the terms of this Agreement shall govern and control.
8.4 Severability: The provisions of this Agreement shall be severable, and if any provision of this Agreement shall be held or declared to be illegal, invalid or unenforceable, the remainder of this Agreement shall continue in full force and effect as though such illegal, invalid or unenforceable provision had not been contained herein.