You and the company, institution or other entity (“Healthcare Entity”) employing, contracting or retaining you, or on whose behalf you are using the Hint Health Service described below (collectively, you and such Healthcare Entity, “you”, the “Covered Entity”) agree to be bound by and become a party to this Hint Health Business Associate Agreement (this "Agreement"). You represent, warrant and agree that you are authorized to enter into this Agreement on behalf of yourself and the Healthcare Entity and to bind yourself and the Healthcare Entity to the terms and conditions herein.
This Agreement is being entered into in connection with your use of our online service for direct-pay, medical care providers, which may include, without limitation billing, membership management, reminder notifications and/or related functionality (the “Hint Health Service”) under the terms and conditions of that certain Hint Health Terms of Service Agreement (“TOS Agreement”) entered into between you and us. This Agreement, together with the TOS Agreement, as supplemented by this Agreement, (a) is intended by the parties as a final, complete and exclusive expression of the terms of their agreement regarding the subject matter hereof ; and (b) supersedes all prior agreements and understandings (whether oral or written) between the parties with respect to the subject matter hereof.
The parties hereby agree as follows:
1.1 Business Associate: “Business Associate” shall generally have the same meaning as the term “business associate” at 45 CFR 160.103, and in reference to the party to this agreement, shall mean us.
1.2 Covered Entity: “Covered Entity” shall generally have the same meaning as the term “covered entity” at 45 CFR 160.103, and in reference to the party to this agreement, shall mean you.
1.3 HIPAA Rules: “HIPAA Rules” shall mean the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Part 160 and Part 164.
The following terms used in this Agreement shall have the same meaning as those terms in the HIPAA Rules: Breach, Data Aggregation, Designated Record Set, Disclosure, Health Care Operations, Individual, Minimum Necessary, Notice of Privacy Practices, Protected Health Information, Required By Law, Secretary, Security Incident, Subcontractor, Unsecured Protected Health Information, and Use.
2. Our Obligations and Activities
We agree to:
2.1 Not use or disclose protected health information other than as permitted or required by this Agreement or as required by law;
2.2 Use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to electronic protected health information, to prevent use or disclosure of protected health information other than as provided for by the Agreement or the Terms of Service;
2.3 Within five (5) business days, report to you any use or disclosure of protected health information not provided for by the Agreement of which we become aware, including breaches of unsecured protected health information as required at 45 CFR 164.410, and any security incident of which we become aware;
2.4 In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, ensure that any subcontractors that create, receive, maintain, or transmit protected health information on our behalf agree to the same restrictions, conditions, and requirements that apply to us with respect to such information;
2.5 Make available to you protected health information in a designated record set as necessary to satisfy your obligations under 45 CFR 164.524;
2.6 Make any amendments to protected health information in a designated record set as directed or agreed to by you pursuant to 45 CFR 164.526, or take other measures as necessary to satisfy your obligations under 45 CFR 164.526;
2.7 Maintain and make available the information required to provide an accounting of disclosures to you as necessary to satisfy your obligations under 45 CFR 164.528;
2.8 Comply with the requirements of Subpart E that apply to you in the performance of your obligations under Subpart E of 45 CFR Part 164, to the extent we are to carry out one or more of such obligations; and
2.9 Make our internal practices, books, and records available to the Secretary for purposes of determining compliance with the HIPAA Rules.
3.1 We shall only use or disclose protected health information as necessary to perform the services set forth in the TOS Agreement between the parties.
3.2 We may use or disclose protected health information as required by law.
3.3 We agree to make uses and disclosures and requests for protected health information consistent with your minimum necessary policies and procedures provided to us in writing in advance.
3.4 We shall not use or disclose protected health information in a manner that would violate Subpart E of 45 CFR Part 164 if done by you, except for the specific uses and disclosures set forth below.
3.5 We may use protected health information for our own proper managerial and administrative duties, or to carry out our legal responsibilities.
3.6 We may disclose protected health information for our own proper managerial and administrative functions, or to carry out our legal responsibilities, provided the disclosures are required by law, or that we obtain reasonable assurances as governed by our Policies and Procedures from the person to whom the information is disclosed that the information will remain confidential and used or further disclosed only as required by law or for the purposes for which it was disclosed to the person, and the person notifies us of any instances of which it is aware in which the confidentiality of the information has been breached.
3.7 We may provide data aggregation services relating to your health care operations.
4.1 You agree to notify us of any limitations in your notice of privacy practices under 45 CFR 164.520, to the extent that such limitation may affect our use or disclosure of protected health information.
4.2 You agree to notify us of any changes in, or revocation of, the permission by an individual to use or disclose his or her protected health information, to the extent that such changes may affect our use or disclosure of protected health information.
4.3 You agree to notify us of any restriction on the use or disclosure of protected health information that you have agreed to or are required to abide by under 45 CFR 164.522, to the extent that such restriction may affect our use or disclosure of protected health information.
You shall not request that we use or disclose protected health information in any manner that would not be permissible under Subpart E of 45 CFR Part 164 if done by you, except as specified in Section 3 of this Agreement.
6. Term and Termination
6.1 Term: The Term of this Agreement shall be effective as of the Agreement Effective Date, and shall continue in perpetuity until either party terminates the agreement.
6.2 Termination: Either party has the right to terminate this Agreement for any reason upon 90 days prior written notice to the other party.
6.3 Obligations of Business Associate Upon Termination:
a. Upon termination of this Agreement for any reason, with respect to protected health information received from you, or created, maintained, or received by us on your behalf, we shall:
b. Retain only that protected health information which is necessary for us to continue to properly perform our own managerial and administrative duties, or to carry out our legal responsibilities;
c. Destroy the remaining protected health information that we still maintain in any form;
d. Continue to use appropriate safeguards and comply with Subpart C of 45 CFR Part 164 with respect to electronic protected health information to prevent use or disclosure of the protected health information, other than as provided for in this Section, for as long as we retain the protected health information;
e. Not use or disclose the protected health information we retain other than for the purposes for which such protected health information was originally retained, and subject to the conditions in Section 3 of this Agreement which applied prior to termination; and
f. Destroy the protected health information we retain when it is no longer needed to properly perform our own managerial and administrative duties, or to carry out our legal responsibilities.
The obligations of the parties under this Section shall survive the termination of this Agreement.