HIPAA Business Associate Agreement
Last updated: December 25, 2023
This BUSINESS ASSOCIATE AGREEMENT (the “BAA”) is made and entered into by and between ELKRA AI, LLC a company incorporated under the laws of Texas (“Business Associate”) and a client (“Covered Entity” OR “The Client”) who has entered a Terms of Service Agreement (the “Agreement”) with the Business Associate, in accordance with the meaning given to those terms at 45 CFR §164.501 and 45 CFR §160.103. This BAA applies to the processing carried out by the Business Associate on behalf of the Covered Entity. In this BAA, Covered Entity and Business Associate are each a “Party” and, collectively, are the “Parties”.
WHEREAS, THE COVERED ENTITY and BUSINESS ASSOCIATE have entered into, or are entering into, or may subsequently enter into, agreements or other documented arrangements (collectively, the “Business Arrangements”) pursuant to which BUSINESS ASSOCIATE may provide products and/or services for THE COVERED ENTITY that require BUSINESS ASSOCIATE to access, create and use health information that is protected by state and/or federal law; and
WHEREAS, pursuant to the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and subsequently passed related legislation, including but not limited to, the federal Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”), the U.S. Department of Health & Human Services (“HHS”) promulgated the Standards for Privacy of Individually Identifiable Health Information (the “Privacy Standards”), at 45 C.F.R. Parts 160 and 164, requiring certain individuals and entities subject to the Privacy Standards (each “THE COVERED ENTITY”, or collectively, “Covered Entities”) to protect the privacy of certain individually identifiable health information (“Protected Health Information” or “PHI”); and
WHEREAS, pursuant to HIPAA, HHS has issued the Security Standards (the “Security Standards”), at 45 C.F.R. Parts 160, 162 and 164, for the protection of electronic protected health information (“EPHI”), as defined in the Privacy Standards; and
WHEREAS, in order to protect the privacy and security of PHI, including EPHI, created or maintained by or on behalf of THE COVERED ENTITY, the Privacy Standards and Security Standards require THE COVERED ENTITY to enter into the “Business Associate Agreement” with certain individuals and entities providing services for or on behalf of THE COVERED ENTITY if such services require the use or disclosure of PHI or EPHI; and
WHEREAS, BUSINESS ASSOCIATE and THE COVERED ENTITY desire to enter into this Business Associate Agreement;
WHEREAS, ELKRA is a software tool meticulously engineered to assist administrators and clinicians in their management and clinical duties. It is essential to assert that this software is not conceived to be a substitute for professional administrative or clinical assessment and judgment. Users hold exclusive responsibility for interpreting and applying any and all outputs emanating from the software or website, which include, but are not limited to, summaries, recommendations, diagnoses, and analyses. It is incumbent upon the user to rigorously review every piece of data input and output and content prior to its utilization. It is imperative for users to understand that ELKRA is a supportive tool susceptible to errors and must not be solely depended upon as the quintessential basis for final decision-making and the issuance of recommendations.
NOW THEREFORE, in consideration of the mutual promises set forth in this Agreement and the Business Arrangements, and other good and valuable consideration, the sufficiency and receipt of which are hereby severally acknowledged, the parties agree as follows:
1. BUSINESS ASSOCIATE Obligations
BUSINESS ASSOCIATE may receive from THE COVERED ENTITY, or create or receive on behalf of THE COVERED ENTITY, health information that is protected under applicable state and/or federal law, including without limitation, PHI and EPHI. All capitalized terms not otherwise defined in this Agreement shall have the meanings set forth in the Privacy Standards, Security Standards or the HITECH Act, as applicable (collectively referred to hereinafter as the "Confidentiality Requirements"). All references to PHI herein shall be construed to include EPHI. BUSINESS ASSOCIATE agrees not to use or disclose (or permit the use or disclosure of) PHI in a manner that would violate the Confidentiality Requirements if the PHI were used or disclosed by THE COVERED ENTITY in the same manner.
2. Use and Disclosure of PHI
Except as otherwise required by law, BUSINESS ASSOCIATE shall use PHI in compliance with 45 C.F.R. § 164.504(e). Subject to any limitations in this Agreement, BUSINESS ASSOCIATE may disclose PHI to any third party persons or entities as necessary to perform its obligations under the Business Arrangement and as permitted or required by applicable federal or state law. Further, BUSINESS ASSOCIATE may disclose PHI for the proper management and administration of ELKRA, provided that (i) such disclosures are required by law, or (ii) BUSINESS ASSOCIATE: (a) obtains reasonable assurances from any third party to whom the information is disclosed that it will be held confidential and further used and disclosed only as required by law or for the purpose for which it was disclosed to the third party; (b) requires the third party to agree to immediately notify BUSINESS ASSOCIATE of any instances of which it is aware that PHI is being used or disclosed for a purpose that is not otherwise provided for in this Agreement or for a purpose not expressly permitted by the Confidentiality Requirements. Additionally, BUSINESS ASSOCIATE shall ensure that all disclosures of PHI by BUSINESS ASSOCIATE and the third party comply with the principle of "minimum necessary use and disclosure," i.e., only the minimum PHI that is necessary to accomplish the intended purpose may be disclosed; provided further, BUSINESS ASSOCIATE shall comply with Section 13405(b) of the HITECH Act, and any regulations or guidance issued by HHS concerning such provision, regarding the minimum necessary standard and the use and disclosure (if applicable) of Limited Data Sets.
If BUSINESS ASSOCIATE discloses PHI received from THE COVERED ENTITY, or created or received by BUSINESS ASSOCIATE on behalf of THE COVERED ENTITY, to agents, including a subcontractor (collectively, 'Recipients'), BUSINESS ASSOCIATE shall ensure that all Recipients are bound by the same confidentiality and data protection obligations as set forth in this Agreement. BUSINESS ASSOCIATE shall report to THE COVERED ENTITY any use or disclosure of PHI not permitted by this Agreement, of which it becomes aware, such report to be made within fifteen (15) business days of BUSINESS ASSOCIATE becoming aware of such use or disclosure. In addition to BUSINESS ASSOCIATE’S obligations under Section 1, BUSINESS ASSOCIATE commits to promptly and diligently mitigate, to a reasonable extent, any harmful effect that is known or reasonably should be known to BUSINESS ASSOCIATE. BUSINESS ASSOCIATE may use PHI to report violations of law to appropriate Federal and State authorities, consistent with 45 CFR §164.502(j)(1). Notwithstanding the foregoing, BUSINESS ASSOCIATE may use or disclose, without limitation, any Protected Health Information that has been fully anonymized and de-identified prior to such use or disclosure.
3. Individual Rights Regarding Designated Record Sets.
If BUSINESS ASSOCIATE maintains a Designated Record Set, as defined in 45 CFR 164.501, on behalf of THE COVERED ENTITY, BUSINESS ASSOCIATE shall (i) provide access to, and permit inspection and copying of, PHI by THE COVERED ENTITY or, as directed by THE COVERED ENTITY, an individual who is the subject of the PHI under conditions and limitations required under 45 CFR § 164.524, as it may be amended from time to time, and (ii) amend PHI maintained by BUSINESS ASSOCIATE as requested by THE COVERED ENTITY. BUSINESS ASSOCIATE shall respond to any request from THE COVERED ENTITY for access by an individual within fifteen (15) days of such request and shall make any amendment requested by THE COVERED ENTITY within fifteen (15) days of such request. Any information requested under this Section 3 shall be provided in the form or format requested, if it is readily producible in such form or format. BUSINESS ASSOCIATE may charge a reasonable fee based upon BUSINESS ASSOCIATE’S labor costs in responding to a request for electronic information (or a cost-based fee for the production of non-electronic media copies). THE COVERED ENTITY shall determine whether a denial is appropriate or an exception applies. BUSINESS ASSOCIATE shall notify THE COVERED ENTITY within fifteen (15) days of receipt of any request for access or amendment by an individual. THE COVERED ENTITY shall determine whether to grant or deny any access or amendment requested by the individual. BUSINESS ASSOCIATE shall have a process in place for requests for amendments and for appending such requests to the Designated Record Set, as requested by THE COVERED ENTITY.
4. Accounting of Disclosures.
BUSINESS ASSOCIATE shall make available to THE COVERED ENTITY in response to a request from an individual, information required for an accounting of disclosures of PHI with respect to the individual in accordance with 45 CFR § 164.528, as amended by Section 13405(c) of the HITECH Act and any related regulations or guidance issued by HHS in accordance with such provision. BUSINESS ASSOCIATE shall provide to THE COVERED ENTITY such information necessary to provide an accounting within thirty (30) days of THE COVERED ENTITY's request or such shorter time as may be required by state or federal law. Such accounting must be provided without cost to the individual or to THE COVERED ENTITY if it is the first accounting requested by an individual within any twelve (12) month period. For subsequent accountings within a twelve (12) month period, BUSINESS ASSOCIATE may charge a reasonable fee based upon BUSINESS ASSOCIATE’S labor costs in responding to a request for electronic information (or a cost-based fee for the production of non-electronic media copies) so long as BUSINESS ASSOCIATE informs THE COVERED ENTITY and THE COVERED ENTITY informs the individual in advance of the fee, and the individual is afforded an opportunity to withdraw or modify the request. Such accounting obligations shall survive termination of this Agreement and shall continue as long as BUSINESS ASSOCIATE maintains PHI. BUSINESS ASSOCIATE will make available its internal practices, books, agreements, records, and policies and procedures relating to the use and disclosure of PHI, upon request, to the Secretary of HHS for purposes of determining Covered Entity’s and Business Associate’s compliance with HIPAA, and this BAA.
5. Withdrawal of Authorization.
If the use or disclosure of PHI in this Agreement is based upon an individual's specific authorization for the use of his or her PHI, and (i) the individual revokes such authorization in writing, (ii) the effective date of such authorization has expired, or (iii) the consent or authorization is found to be defective in any manner that renders it invalid, BUSINESS ASSOCIATE agrees, if it has notice of such revocation or invalidity, to cease the use and disclosure of any such individual's PHI except to the extent it has relied on such use or disclosure, or where an exception under the Confidentiality Requirements expressly applies.
6. Records and Audit.
BUSINESS ASSOCIATE shall make available to the HHS or its agents, its internal practices, books, and records relating to the use and disclosure of PHI received from, created, or received by BUSINESS ASSOCIATE on behalf of THE COVERED ENTITY for the purpose of determining THE COVERED ENTITY's compliance with the Confidentiality Requirements or any other health oversight agency, in a time and manner designated by the Secretary of HHS. Except to the extent prohibited by law, BUSINESS ASSOCIATE agrees to notify THE COVERED ENTITY immediately upon receipt by BUSINESS ASSOCIATE of any and all requests by or on behalf of any and all federal, state and local government authorities served upon BUSINESS ASSOCIATE for PHI.
7. Implementation of Security Standards; Notice of Security Incidents.
BUSINESS ASSOCIATE will use appropriate safeguards to prevent the use or disclosure of PHI other than as expressly permitted under this Agreement. BUSINESS ASSOCIATE will implement administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of the PHI that it creates, receives, maintains or transmits on behalf of THE COVERED ENTITY. BUSINESS ASSOCIATE acknowledges that the HITECH Act requires BUSINESS ASSOCIATE to comply with 45 C.F.R. §§ 164.308, 164.310, 164.312 and 164.316 as if BUSINESS ASSOCIATE were THE COVERED ENTITY, and BUSINESS ASSOCIATE agrees to comply with these provisions of the Security Standards and all additional security provisions of the HITECH Act. Furthermore, to the extent feasible, BUSINESS ASSOCIATE will use commercially reasonable efforts to ensure that the technology safeguards used by BUSINESS ASSOCIATE to secure PHI will render such PHI unusable, unreadable and indecipherable to individuals unauthorized to acquire or otherwise have access to such PHI in accordance with HHS Guidance published at 74 Federal Register 19006 (April 17, 2009), or such later regulations or guidance promulgated by HHS or issued by the National Institute of Standards and Technology ("NIST") concerning the protection of identifiable data such as PHI. Lastly, BUSINESS ASSOCIATE will promptly report to THE COVERED ENTITY any successful Security Incident, as defined in the Confidentiality Requirements, of which it becomes aware. At the request of THE COVERED ENTITY, BUSINESS ASSOCIATE shall identify: the date of the Security Incident, the scope of the Security Incident, BUSINESS ASSOCIATE’S response to the Security Incident and the identification of the party responsible for causing the Security Incident, if known.
8. Data Breach Notification and Mitigation.
8.1 HIPAA Data Breach Notification and Mitigation. BUSINESS ASSOCIATE agrees to implement reasonable systems for the discovery and prompt reporting of any "breach" of "unsecured PHI" as those terms are defined by 45 C.F.R. § 164.402 (hereinafter a "HIPAA Breach"). The parties acknowledge and agree that 45 C.F.R. § 164.404, as described below in this Section 8.1, governs the determination of the date of a HIPAA Breach. In the event of any conflict between this Section 8.1 and the Confidentiality Requirements, the more stringent requirements shall govern. BUSINESS ASSOCIATE will, following the discovery of a HIPAA Breach, notify THE COVERED ENTITY immediately and in no event later than fifteen (15) business days after BUSINESS ASSOCIATE discovers such HIPAA Breach, unless BUSINESS ASSOCIATE is prevented from doing so by 45 C.F.R. § 164.412 concerning law enforcement investigations. For purposes of reporting a HIPAA Breach to THE COVERED ENTITY, the discovery of a HIPAA Breach shall occur as of the first day on which such HIPAA Breach is known to BUSINESS ASSOCIATE or, by exercising reasonable diligence, would have been known to BUSINESS ASSOCIATE. BUSINESS ASSOCIATE will be considered to have had knowledge of a HIPAA Breach if the HIPAA Breach is known, or by exercising reasonable diligence would have been known, to any person (other than the person committing the HIPAA Breach) who is an employee, officer or other agent of BUSINESS ASSOCIATE. No later than fifteen (15) business days following awareness of a HIPAA Breach event, BUSINESS ASSOCIATE shall provide THE COVERED ENTITY with sufficient information to permit THE COVERED ENTITY to comply with the HIPAA Breach notification requirements set forth at 45 C.F.R. § 164.400 et seq.
Specifically, if the following information is known to (or can be reasonably obtained by) BUSINESS ASSOCIATE, BUSINESS ASSOCIATE will provide THE COVERED ENTITY with: (i) contact information for individuals who were or who may have been impacted by the HIPAA Breach (e.g., first and last name, mailing address, street address, phone number, email address); (ii) a brief description of the circumstances of the HIPAA Breach, including the date of the HIPAA Breach and date of discovery; (iii) a description of the types of unsecured PHI involved in the HIPAA Breach (e.g., names, social security number, date of birth, addresses, account numbers of any type, disability codes, diagnostic and/or billing codes and similar information); (iv) a brief description of what BUSINESS ASSOCIATE has done or is doing to investigate the HIPAA Breach, mitigate harm to the individual impacted by the HIPAA Breach, and protect against future HIPAA Breaches; and (v) appoint a liaison and provide contact information for same so that THE COVERED ENTITY may ask questions or learn additional information concerning the HIPAA Breach. Following a HIPAA Breach, BUSINESS ASSOCIATE will have a continuing duty to inform THE COVERED ENTITY of new information learned by BUSINESS ASSOCIATE regarding the HIPAA Breach, including but not limited to the information described in items (i) through (v), above.
8.2 Data Breach Notification and Mitigation under Other Laws. In addition to the requirements of Section 8.1, BUSINESS ASSOCIATE agrees to implement reasonable systems for the discovery and prompt reporting of any breach of individually identifiable information (including but not limited to PHI, and referred to hereinafter as "Individually Identifiable Information") that, if misused, disclosed, lost or stolen, THE COVERED ENTITY believes would trigger an obligation under one or more State data breach notification laws (each a "State Breach") to notify the individuals who are the subject of the information. BUSINESS ASSOCIATE agrees that in the event any Individually Identifiable Information is lost, stolen, used or disclosed in violation of one or more State data breach notification laws, BUSINESS ASSOCIATE shall promptly: (i) cooperate and assist THE COVERED ENTITY with any investigation into any State Breach or alleged State Breach; (ii) cooperate and assist THE COVERED ENTITY with any investigation into any State Breach or alleged State Breach conducted by any State Attorney General or State Consumer Affairs Department (or their respective agents); (iii) comply with THE COVERED ENTITY's determinations regarding THE COVERED ENTITY's and BUSINESS ASSOCIATE’s obligations to mitigate to the extent practicable any potential harm to the individuals impacted by the State Breach; and (iv) assist with the implementation of any decision by THE COVERED ENTITY or any State agency, including any State Attorney General or State Consumer Affairs Department (or their respective agents), to notify individuals impacted or potentially impacted by a State Breach.
9. Term and Termination.
9.1 This Agreement shall commence on the Effective Date and shall remain in effect until terminated in accordance with the terms of this Section 9, provided, however, that termination shall not affect the respective obligations or rights of the parties arising under this Agreement prior to the effective date of termination, all of which shall continue in accordance with their terms.
9.2 Each party reserves the right to terminate this Agreement for any reason by providing the other party with written notice at least thirty (30) days in advance.
9.3 Either Party may immediately terminate this Agreement (the "Terminating Party") and shall have no further obligations to the other Party (the "Terminated Party") hereunder if any of the following events shall have occurred and be continuing:
(i) The Terminated Party fails to observe or perform any material covenant or obligation contained in this Agreement for ten (10) days after written notice thereof has been given to the Terminated Party; or
(ii) A violation by the Terminated Party of any provision of the Confidentiality Requirements or other applicable federal or state privacy law relating to the obligations of the Terminated Party under this Agreement.
9.4 Termination of this Agreement for either of the two reasons set forth in Section 9.3 above shall be cause for either Party to immediately terminate for cause any Business Arrangement pursuant to which BUSINESS ASSOCIATE is entitled to receive PHI from THE COVERED ENTITY.
9.5 Upon the termination of all Business Arrangements, either Party may terminate this Agreement by providing written notice to the other Party.
9.6 Upon termination of this Agreement for any reason, BUSINESS ASSOCIATE agrees either to return to THE COVERED ENTITY or to destroy all PHI received from THE COVERED ENTITY or otherwise through the performance of services for THE COVERED ENTITY, that is in the possession or control of BUSINESS ASSOCIATE or its agents. In the case of PHI which is not feasible to "return or destroy," BUSINESS ASSOCIATE shall extend the protections of this Agreement to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as BUSINESS ASSOCIATE maintains such PHI. BUSINESS ASSOCIATE further agrees to comply with other applicable state or federal law, which may require a specific period of retention, redaction, or other treatment of such PHI.
10. Ineligible Persons.
BUSINESS ASSOCIATE represents and warrants to THE COVERED ENTITY that BUSINESS ASSOCIATE (i) is not currently excluded, debarred, or otherwise ineligible to participate in any federal health care program as defined in 42 U.S.C. Section 1320a-7b(f) ("the Federal Healthcare Programs"); (ii) has not been convicted of a criminal offense related to the provision of health care items or services and not yet been excluded, debarred, or otherwise declared ineligible to participate in the Federal Healthcare Programs, and (iii) is not under investigation or otherwise aware of any circumstances which may result in BUSINESS ASSOCIATE being excluded from participation in the Federal Healthcare Programs. This shall be an ongoing representation and warranty during the term of this Agreement, and BUSINESS ASSOCIATE shall immediately notify THE COVERED ENTITY of any change in the status of the representations and warranty set forth in this section. Any breach of this section shall give THE COVERED ENTITY the right to terminate this Agreement immediately for cause.
11. Effect of BAA.
A. This BAA is a part of and subject to the terms of the Agreement and as such shall be governed by, and shall be construed in accordance with, the same law as the Agreement. In case of contradiction between the terms of this BAA and any term of the Agreement, the terms of this BAA will prevail if it does not conflict with applicable laws.
B. Except as expressly stated in this BAA or as provided by law, this BAA will not create any rights in favor of any third party.
12. Regulatory References.
A reference in this BAA to a section in HIPAA means the section as in effect or as amended at the time.
13. Miscellaneous.
13.1 Notice. All notices, requests and demands or other communications to be given under this BAA to a Party will be made via electronic mail to the Party’s address given below:
A. If to Covered Entity, to the e-mail address given when signing the Agreement:
B. If to Business Associate, to: contact@elkra.io
13.2 Waiver. No provision of this Agreement or any breach thereof shall be deemed waived unless such waiver is in writing and signed by the Party claimed to have waived such provision or breach. No waiver of a breach shall constitute a waiver of or excuse any different or subsequent breach.
13.3 Assignment. Neither Party may assign (whether by operation of law or otherwise) any of its rights or delegate or subcontract any of its obligations under this Agreement without the prior written consent of the other Party. Notwithstanding the foregoing, THE CLIENT shall have the right to assign its rights and obligations hereunder to any entity that is an affiliate or successor of THE CLIENT, provided that prior written approval from BUSINESS ASSOCIATE is obtained. BUSINESS ASSOCIATE shall not unreasonably withhold or delay such approval. THE CLIENT agrees to provide BUSINESS ASSOCIATE with written notice of any proposed assignment, including details of the affiliate or successor, and obtain the prior written approval of BUSINESS ASSOCIATE before effecting such assignment.
13.4 Severability. Any provision of this Agreement that is determined to be invalid or unenforceable will be ineffective to the extent of such determination without invalidating the remaining provisions of this Agreement or affecting the validity or enforceability of such remaining provisions.
13.5 Entire Agreement. This Agreement constitutes the complete agreement between BUSINESS ASSOCIATE and THE COVERED ENTITY relating to the matters specified in this Agreement, and supersedes all prior representations or agreements, whether oral or written, with respect to such matters. In the event of any conflict between the terms of this Agreement and the terms of the Business Arrangements or any such later agreement(s), the terms of this Agreement shall control unless the terms of such Business Arrangements are more strict with respect to PHI and comply with the Confidentiality Requirements, or the parties specifically otherwise agree in writing. No oral modification or waiver of any of the provisions of this Agreement shall be binding on either Party; provided, however, that upon the enactment of any law, regulation, court decision or relevant government publication and/or interpretive guidance or policy that THE COVERED ENTITY believes in good faith will adversely impact the use or disclosure of PHI under this Agreement, THE COVERED ENTITY may amend the Agreement to comply with such law, regulation, court decision or government publication, guidance or policy by delivering a written amendment to BUSINESS ASSOCIATE which shall be effective thirty (30) days after receipt. No obligation on either Party to enter into any transaction is to be implied from the execution or delivery of this Agreement. This Agreement is for the benefit of, and shall be binding upon the parties, their affiliates and respective successors and assigns. No third party shall be considered a third-party beneficiary under this Agreement, nor shall any third party have any rights as a result of this Agreement.
13.6 Governing Law. This Agreement shall be governed by and interpreted in accordance with the laws of the State of Texas. Jurisdiction and venue for any dispute relating to this Agreement shall exclusively rest with the state and federal courts for the parishes in which THE COVERED ENTITY operates.
13.7 Equitable Relief. BUSINESS ASSOCIATE understands and acknowledges that any disclosure or misappropriation of any PHI in violation of this Agreement will cause THE COVERED ENTITY irreparable harm, the amount of which may be difficult to ascertain, and therefore agrees that THE COVERED ENTITY shall have the right to apply to a court of competent jurisdiction for specific performance and/or an order restraining and enjoining any such further disclosure or breach and for such other relief as THE COVERED ENTITY shall deem appropriate. Such right of THE COVERED ENTITY is to be in addition to the remedies otherwise available to THE COVERED ENTITY at law or in equity. BUSINESS ASSOCIATE expressly waives the defense that a remedy in damages will be adequate and further waives any requirement in an action for specific performance or injunction for the posting of a bond by THE COVERED ENTITY.
13.8 Nature of Agreement; Independent Contractor. Nothing in this Agreement shall be construed to create (i) a partnership, joint venture or other joint business relationship between the parties or any of their affiliates, or (ii) a relationship of employer and employee between the parties. BUSINESS ASSOCIATE is an independent contractor, and not an agent of THE COVERED ENTITY. This Agreement does not express or imply any commitment to purchase or sell goods or services.
13.9 Counterparts. This Agreement may be executed in one or more counterparts, each of which shall be deemed an original, but all of which together shall constitute one and the same document. In making proof of this Agreement, it shall not be necessary to produce or account for more than one such counterpart executed by the party against whom enforcement of this Agreement is sought.
IN WITNESS WHEREOF, the parties have executed this Agreement as of the Effective Date.