Legal

Business Associate Agreement

This Business Associate Agreement (the “Agreement”) is entered into between Therabee (“Business Associate”) and the licensed therapist, clinician, or healthcare organization that accepts this Agreement (“Covered Entity”). It takes effect on the date Covered Entity accepts it during account registration or by continuing to use Therabee’s services.

The purpose of this Agreement is to satisfy the requirements of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the Health Information Technology for Economic and Clinical Health Act (“HITECH”), and their implementing regulations, and to set out how Business Associate will protect the Protected Health Information it creates, receives, maintains, or transmits on behalf of Covered Entity in the course of providing its services.

1. Definitions

Capitalized terms used but not otherwise defined in this Agreement have the meanings given to them in HIPAA, the HITECH Act, and their implementing regulations at 45 C.F.R. Parts 160 and 164 (collectively, the “HIPAA Rules”).

“Breach” means the acquisition, access, use, or disclosure of Protected Health Information in a manner not permitted under the Privacy Rule which compromises the security or privacy of the Protected Health Information, as defined in 45 C.F.R. § 164.402.

“Electronic Protected Health Information” or “ePHI” means Protected Health Information that is transmitted or maintained in electronic media.

“Protected Health Information” or “PHI” means individually identifiable health information, as defined in 45 C.F.R. § 160.103, that Business Associate creates, receives, maintains, or transmits on behalf of Covered Entity.

“De-Identify” means to alter PHI so that it no longer identifies an individual and there is no reasonable basis to believe the information can be used to identify an individual, in accordance with 45 C.F.R. § 164.514(a)–(b).

“Security Incident” means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system, as defined in 45 C.F.R. § 164.304.

2. Permitted Uses and Disclosures of PHI

Business Associate may use and disclose PHI only as necessary to provide the services described in its agreement with Covered Entity, as permitted by this Agreement, or as required by law.

Business Associate may use PHI for its own proper management and administration, or to carry out its legal responsibilities, provided that any disclosure for these purposes is either required by law or made subject to reasonable assurances of confidentiality from the recipient.

Business Associate may De-Identify PHI in accordance with the HIPAA Rules and may use such De-Identified data, which no longer constitutes PHI, to improve and develop its services.

Business Associate will make reasonable efforts to limit its uses, disclosures, and requests of PHI to the minimum necessary to accomplish the intended purpose, in accordance with the minimum necessary standard of the HIPAA Rules.

Business Associate will not use or disclose PHI in any manner that would violate the HIPAA Rules if done by Covered Entity, except as expressly permitted in this Section.

3. Safeguards

Business Associate will implement and maintain appropriate administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of PHI, including ePHI, as required by the Security Rule at 45 C.F.R. §§ 164.308, 164.310, and 164.312.

These safeguards include, without limitation, encryption of ePHI in transit and at rest, access controls, workforce training, and regular review of security practices.

4. Reporting

Business Associate will report to Covered Entity any use or disclosure of PHI not permitted by this Agreement, and any Security Incident of which it becomes aware, within five (5) business days of discovery.

Business Associate will notify Covered Entity of any Breach of Unsecured PHI without unreasonable delay and in no event later than thirty (30) calendar days after discovery of the Breach. Such notification will include, to the extent known, the identity of each individual whose PHI was involved, a description of the nature of the Breach, the date of the Breach and its discovery, and the steps Business Associate is taking to investigate and mitigate the Breach.

The parties acknowledge that unsuccessful Security Incidents — such as pings, port scans, denial of service attacks that do not result in unauthorized access to PHI, and login attempts that fail — occur routinely, and this Section constitutes notice of such unsuccessful incidents without further reporting obligation.

5. Mitigation

Business Associate will take reasonable steps to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI in violation of this Agreement.

6. Subcontractors and Agents

Business Associate will ensure that any subcontractor or agent that creates, receives, maintains, or transmits PHI on behalf of Business Associate agrees in writing to restrictions and conditions at least as protective as those that apply to Business Associate under this Agreement, including the implementation of reasonable and appropriate safeguards for ePHI, in accordance with 45 C.F.R. §§ 164.502(e)(1)(ii) and 164.308(b)(2).

7. Individual Rights

Access. Within fifteen (15) business days of a request by Covered Entity, Business Associate will make available PHI held in a Designated Record Set so that Covered Entity can meet its obligations under 45 C.F.R. § 164.524.

Amendment. Within fifteen (15) business days of a request by Covered Entity, Business Associate will make PHI in a Designated Record Set available for amendment, and will incorporate any amendment that Covered Entity directs, in accordance with 45 C.F.R. § 164.526.

Accounting of Disclosures. Business Associate will document disclosures of PHI as required for Covered Entity to respond to a request for an accounting of disclosures, and will make such information available to Covered Entity within fifteen (15) business days of a request, in accordance with 45 C.F.R. § 164.528.

If an individual submits a request for access, amendment, or an accounting directly to Business Associate, Business Associate will forward the request to Covered Entity within five (5) business days.

8. Availability of Books and Records

Business Associate will make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of the U.S. Department of Health and Human Services for purposes of determining compliance with the HIPAA Rules.

9. Obligations of Covered Entity

Covered Entity will notify Business Associate of any limitations in its notice of privacy practices, any changes in or revocation of an individual’s permission to use or disclose PHI, and any restriction on the use or disclosure of PHI that Covered Entity has agreed to or is required to abide by, in each case to the extent such matters may affect Business Associate’s use or disclosure of PHI.

Covered Entity will not request that Business Associate use or disclose PHI in any manner that would not be permissible under the HIPAA Rules if done by Covered Entity.

10. Ownership of PHI

As between the parties, Covered Entity retains all right, title, and interest in and to all PHI. Business Associate acquires no ownership rights in PHI and will not sell PHI or receive remuneration in exchange for PHI, except as permitted by the HIPAA Rules.

11. Term and Termination

This Agreement takes effect on the date Covered Entity accepts it as part of registering for or using Therabee’s services, and remains in effect until the underlying services agreement between the parties terminates or this Agreement is terminated in accordance with this Section.

Either party may terminate this Agreement if the other party materially breaches it and fails to cure the breach within thirty (30) days of receiving written notice of the breach. If cure is not possible, the non-breaching party may terminate this Agreement immediately upon written notice.

Upon termination, Business Associate will return or destroy all PHI received from, or created or received on behalf of, Covered Entity, and will retain no copies, if feasible. If return or destruction is not feasible, Business Associate will extend the protections of this Agreement to the retained PHI, limit further uses and disclosures to the purposes that make return or destruction infeasible, and destroy the PHI when it becomes feasible to do so.

12. Miscellaneous

Regulatory References. Any reference in this Agreement to a section of the HIPAA Rules means the section as in effect or as amended.

Amendment. The parties will take such action as is necessary to amend this Agreement from time to time as required for compliance with the HIPAA Rules. Business Associate may update this Agreement upon notice to Covered Entity to the extent required to comply with applicable law.

Limitation of Liability. To the maximum extent permitted by law, Business Associate’s aggregate liability arising out of or related to this Agreement will not exceed ten thousand U.S. dollars ($10,000).

Interpretation. Any ambiguity in this Agreement will be resolved to permit the parties to comply with the HIPAA Rules.

No Third-Party Beneficiaries. Nothing in this Agreement confers any right, remedy, or obligation on any person other than the parties and their respective successors and permitted assigns.

Governing Law. This Agreement is governed by the laws of the State of Delaware, without regard to its conflict of laws principles, except to the extent preempted by federal law.

Questions?

If you have questions about this Agreement or Therabee’s privacy and security practices, contact us at [email protected].