Business Associate Agreement

This BUSINESS ASSOCIATE AGREEMENT (“Agreement”) shall be incorporated into the Terms of Service Agreement for Customers that are Covered Entities (as defined by HIPAA Rules), and who provide Protected Health Information (“PHI”) (as defined by HIPAA Rules) to AgentAI, Inc. (“AGENTAI” or “Business Associate”) in relation with services and software they have purchased or subscribed to.

RECITALS

WHEREAS, AGENTAI provides certain services (“Services”) to Covered Entity; and

WHEREAS, such services are provided using existing data of Covered Entities; and

WHEREAS, in connection with providing Services, Covered Entity discloses certain Protected Health Information (“PHI”) to AGENTAI; and

WHEREAS, the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), as amended by the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”), the Privacy and Security Standards promulgated thereto, and the final Omnibus Rule require that Covered Entity receive adequate assurances that AGENTAI will comply with certain obligations with respect to the privacy and security of PHI received in the course of providing services to or on behalf of Covered Entity; and

WHEREAS, the Parties wish to establish satisfactory assurances that AGENTAI will appropriately safeguard PHI and execute this Agreement as Required by Law; and

WHEREAS, the purpose of this Agreement is to comply with the requirements of HIPAA, the HITECH Act, regulations promulgated thereunder by the U.S. Department of Health and Human Services, and other applicable federal and state laws.

NOW, THEREFORE, in consideration of the mutual promises and covenants herein, and for other good and valuable consideration, the receipt and sufficiency of which is hereby acknowledged, the Parties agree as follows:

DEFINITIONS

Terms used, but not otherwise defined, in this Agreement shall have the same meaning as those terms in the HIPAA Privacy and Security Rules, the HITECH Act and applicable Privacy and Security regulations.

“Business Associate” shall have the meaning given to such term under the Privacy Rule, including, but not limited to, 45 CFR §160.103.

“Covered Entity or Entities” shall have the meaning given to such term under the Privacy Rule, including, but not limited to, 45 CFR §160.103.

“Data Aggregation” will have the meaning given to such term under the Privacy Rule, including, but not limited to, 45 CFR §160.501.

“Designated Record Set” or “DRS” shall have the meaning given to such term under the Privacy Rule, including but not limited to 45 CFR §164.501.

“Electronic Protected Health Information” or “ePHI” shall have the meaning given to such term under the HIPAA Rule, including but not limited to 45 CFR Parts 160, 162, and 164, and under HITECH.

“Health Information Technology for Economic and Clinical Health (“HITECH”) Act” means Division A, Title XIII of the American Recovery and Reinvestment Act of 2009 (Pub. L. 111-5), 42 U.S.C. Section 3000 et seq., as amended by the Omnibus Final Rule at 78 Fed. Reg. 5566; implementing regulations and Department of Health and Human Services (“HHS”) Guidance.

“Individual” shall mean the person who is the subject of PHI under the Privacy Rule, including but not limited to 45 CFR §164.501 and shall include a person who qualifies as a personal representative in accordance with 45 CFR §164.502(g).

“Information” shall mean any “health information” as defined in 45 CFR Section 160.103.

“Privacy Rule” shall mean the Standards for Privacy of Individually Identifiable Health Information at 45 CFR Part 160 and 45 CFR Part 164, Subpart A and Subpart E, as amended from time to time.

“Protected Health Information” or PHI shall have the same meaning as the term "protected health information" in 45 CFR §164.501, limited to the information created or received by Business Associate from or on behalf of Covered Entity.

“Required by Law” shall have the same meaning as the term “required by law” in 45 CFR §164.501.

“Secretary” means the Secretary of the Department of Health and Human Services or his or her Designee.

“Security Rule” means the HIPAA regulation that is codified at 45 CFR Part 164.

“Workforce” means employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity, is under the direct control of such entity, whether or not they are paid by the covered entity.

1. OBLIGATIONS OF AGENTAI

AGENTAI shall:

1.1 Use and Disclose PHI/ePHI. Business Associate agrees not to use or further disclose PHI other than expressly permitted or required by this Business Associate Agreement or the HIPAA Rules or as Required by Law.

1.2 Specific Use or Disclosure Provisions. Except as otherwise limited in this Business Associate Agreement, AGENTAI may use and disclose PHI to properly provide, manage and administer the services required under any underlying Agreement between the parties and consistent with applicable law to assist Covered Entity in its operations, as long as such use or disclosure would not violate the HIPAA Rules if done by Covered Entity, or such use or disclosure is expressly permitted in (a) through (c) below:

1.3 Reporting. AGENTAI agrees to promptly notify the Covered Entity if AGENTAI has knowledge that PHI has been used or disclosed by AGENTAI in a manner that violates this Business Associate Agreement. To the extent that AGENTAI creates, receives, maintains or transmits Electronic PHI, AGENTAI agrees to report promptly to the Covered Entity any Security Incident, as determined by AGENTAI, involving PHI of which AGENTAI becomes aware. AGENTAI shall comply with 45 CFR §164.402 and shall, following the discovery of a Breach of Unsecured PHI, notify the Covered Entity of such Breach, in accordance with 45 CFR §164.410.

1.4 Safeguards. Use appropriate safeguards, consistent with applicable law, to prevent use or disclosure of PHI in a manner that would violate this Agreement. To the extent that AGENTAI creates, receives, maintains or transmits Electronic PHI, AGENTAI agrees to use appropriate administrative, physical and technical safeguards, and comply with the Security Standards, to protect the confidentiality, integrity and availability of the Electronic PHI that AGENTAI creates, receives, maintains or transmits on behalf of Covered Entity.

1.5 Mitigation. AGENTAI agrees to mitigate, to the extent practicable, any harmful effect that is known to AGENTAI of a use or disclosure of PHI by AGENTAI in violation of this Business Associate Agreement or the Agreement entered into by the parties.

1.6 Disclosure to Agents and Subcontractors of AGENTAI. AGENTAI agrees to ensure that any agent, including a Subcontractor, to whom it provides PHI received from, or created or received by AGENTAI on behalf of Covered Entity, agrees, in writing, to at least the same restrictions, terms and conditions that apply through this Agreement to AGENTAI with respect to such information, including the requirement that it implement reasonable and appropriate safeguards and comply with Subpart C of 45 CFR Part 164, to protect any Electronic PHI that is disclosed to it by AGENTAI.

1.7 Access of Individuals to Information. To the extent that AGENTAI maintains a Designated Record Set, AGENTAI shall provide access to Covered Entity to PHI in a Designated Record Set in order to meet the requirements under 45 CFR 164.524. In the event any Individual requests access to PHI directly from AGENTAI, AGENTAI shall forward such request to Covered Entity. Any denial of access to PHI/ePHI shall be determined solely by Covered Entity.

1.8 Audit and Inspection. AGENTAI agrees to make internal practices, books, and records relating to the use and disclosure of PHI received from, or created or received by AGENTAI on behalf of Covered Entity, available to Covered Entity within ten (10) business days, or at the request of Covered Entity or the Secretary, to the Secretary in a time and manner directed by the Secretary, for purposes of the Secretary determining Covered Entity's compliance with the HIPAA Rules. Any release of information regarding AGENTAI's practices, books and records is proprietary to AGENTAI and shall be treated as confidential and shall not be further disclosed without the written permission of AGENTAI, except as necessary to comply with the HIPAA Rules.

1.9 Amendment of Information. Within thirty (30) days of a request by Covered Entity or Individual, AGENTAI agrees to make any appropriate amendment(s) to PHI in a Designated Record Set that Covered Entity directs or agrees to pursuant to 45 CFR §164.526.

1.10 Accounting of Disclosures. Within thirty (30) days of a proper request by Covered Entity, AGENTAI agrees to document and make available to Covered Entity, for a reasonable cost-based fee (under conditions permitted by HIPAA if an Individual requests an accounting more than once during a twelve month period), such disclosures of PHI and information related to such disclosures necessary to respond to such request for an accounting of disclosures of PHI, in accordance with 45 CFR §164.528. Within sixty (60) days of proper request by subject Individual, AGENTAI agrees to make available to the Individual the information described above.

1.11 Restrictions on Use or Disclosure. Within fifteen (15) business days of a request of Covered Entity, AGENTAI agrees to consider restrictions on the use or disclosure of PHI agreed to by Covered Entity on behalf of an Individual in accordance with 45 CFR §164.522.

1.12 Privacy of Individually Identifiable Health Information. To the extent AGENTAI is to carry out one or more of Covered Entity's obligations under Subpart E of 45 CFR Part 164, AGENTAI agrees to comply with the requirements of subpart E that apply to the Covered Entity in the performance of such obligations.

2. PERMITTED USES AND DISCLOSURES BY AGENTAI AND ITS SUBCONTRACTORS

2.1 Permitted Uses and Disclosures. Except as otherwise limited in this Agreement, AGENTAI (and Subcontractors as applicable) may use or disclose PHI/ePHI to perform functions, activities, or services for, or on behalf of, AGENTAI pursuant to the Agreement provided such use or disclosure would not violate the Privacy Rule if done by the Covered Entity.

2.2 Use for Management and Administration. Except as otherwise limited in this Agreement, AGENTAI (and Subcontractors as applicable) may use PHI/ePHI for the proper management and administration of AGENTAI (and Subcontractors, as applicable) or to carry out their legal responsibilities.

2.3 Disclosure for Management and Administration. Except as otherwise limited in this Agreement, AGENTAI (and Subcontractor, as applicable) may disclose PHI/ePHI for the proper management and administration of the services to be performed under the Consulting Agreement.

2.4 Minimum Necessary. AGENTAI and its employees, agents, representatives or Subcontractors will limit use or disclosure of PHI/ePHI to the minimum amount of PHI/ePHI necessary to accomplish the purpose of the request, use, or disclosure.

2.5 Data Aggregation. Except as otherwise limited in this Agreement, AGENTAI may use PHI/ePHI to provide Data Aggregation services to Covered Entity as permitted by 45 CFR §164.504(e)(2)(i)(B). AGENTAI may further de-identify PHI/ePHI (in accordance with 45 CFR §164.514) and use such de-identified data for AGENTAI's own purposes and shall retain any and all ownership claims relating to the de-identified data it creates from such PHI.

2.6 Report Violations of Law. AGENTAI (and Subcontractors as applicable) may use PHI/ePHI to report violations of law appropriate to Federal and State authorities consistent with 45 CFR §164.502(j)(1).

3. OBLIGATIONS OF COVERED ENTITY

3.1 Changes in Permission. Covered Entity shall notify AGENTAI of any restrictions, revocations of, permission by an Individual to use or disclose PHI/ePHI, that an Individual requests on use or disclosure of his/her PHI/ePHI, and that Covered Entity has agreed to in accordance with 45 CFR §164.522; and to the extent that such changes may affect AGENTAI (and Subcontractor's, as applicable) use or disclosure of that Individual's PHI/ePHI. AGENTAI agrees to consider restrictions on the use or disclosure of PHI agreed to by Covered Entity on behalf of the Individual in accordance with 45 CFR §164.522.

3.2 Permissible Requests by Covered Entity. Covered Entity shall not request AGENTAI to use or disclose PHI/ePHI in any manner that would not be permissible under the Privacy or Security Rule, the HITECH Act or California state law if done by Covered Entity.

3.3 Compliance with HIPAA Security Rule. Covered Entity agrees to comply with the HIPAA Security Rule, including, without limitation, safeguarding all computers, laptops, cell phones, tablets, or other mobile devices in accordance with the HIPAA Security Regulations.

4. TERM AND TERMINATION

4.1 Term and Termination.

5. MISCELLANEOUS

5.1 Regulatory References. A reference in this Agreement to a section in the Privacy and Security Rule or a HITECH Act regulation means the section as in effect or as amended.

5.2 Amendment. The Parties agree to take such action as is necessary to amend this Agreement from time to time to comply with the requirements of the HIPAA Privacy and Security Rule, the HITECH Act and applicable regulations, and state law. The parties also agree that Business Associate may unilaterally amend this Agreement from time to time for the reasons set forth in the above paragraphs and for other business reasons and that any such amended agreement which Business Associate signs on a later date will supersede this Agreement.

5.3 Interpretation. Any ambiguity in this Agreement shall be resolved to permit Covered Entity to comply with the HIPAA Privacy and Security Rules, the HITECH Act and applicable regulations, and applicable law, where more stringent than HIPAA.

5.4 Waiver. No provision of this Agreement or any breach thereof shall be deemed waived unless such waiver is in writing and signed by the Party claimed to have waived such provision or breach. No waiver of a breach shall constitute a waiver of or excuse any different or subsequent breach.

5.5 Assignment. Neither Party may assign (whether by operation of law or otherwise) any of its rights or delegate or subcontract any of its obligations under this Agreement without the prior written consent of the other Party.

5.6 Severability. Any provision of this Agreement that is determined to be invalid or unenforceable will be ineffective to the extent of such determination without invalidating the remaining provisions of this Agreement or affecting the validity or enforceability of such remaining provisions.

5.7 Governing Law. To the extent not preempted by Federal law, this Agreement shall be governed and construed in accordance with the state laws governing the Terms of Service Agreement, without regard to conflicts of laws provisions that would require application of the law of another state.

5.8 Days. All references to the term “days” in this Agreement shall mean business days.

5.9 Entire Agreement. This Agreement constitutes the complete Business Associate Agreement between Covered Entity and AGENTAI relating to matters specified in this Agreement, and supersedes and replaces any prior business associate agreements between the Covered Entity and Business Associate, as of the date set forth below.

Last Updated: Feb 6, 2024