BUSINESS ASSOCIATE AGREEMENT
PROTECTING PERSONAL HEALTH INFORMATION
This Business Associate Agreement (the “ Agreement ”) is between READ IT, LLC (the
“ Business Associate ”), and ________________________ (the “ Covered Entity ”).
Background
The Business Associate is a vendor for the Covered Entity.
The Covered Entity is a provider of health care services and possesses and maintains certain
confidential Private Health Information.
The Covered Entity and Business Associate have agreed to conduct all of their business in
compliance with all applicable HIPAA Rules.
Therefore, the parties agree as follows:
Section 1. Definitions
A. Defined Terms. Terms defined in the preamble of this Agreement have their assigned meanings,
and each of the following terms has the meaning assigned to it:
“Business Associate” generally has the same meaning as the term “business associate” at 45 CFR
160.103, and in reference to the party to this agreement, has the meaning set forth in the preamble
of this Agreement.
“Covered Entity” generally has the same meaning as the term “covered entity” at 45 CFR
160.103, and in reference to the party to this agreement, has the meaning set forth in the preamble
of this Agreement.
“HIPAA Rules” means the Privacy, Security, Breach Notification, and Enforcement Rules at 45
CFR Part 160 and Part 164, as amended and updated from time to time.
“Privacy Rule” means the Standards for Privacy of Individually Identifiable Health information at
45 CFR Part 160 and Part 164, Subparts A and E.
“Protected Health Information” has the same meaning as the term ‘protected health information’
in 45 CFR § 164.501, limited to the information created or received by the Business Associate
from or on behalf of the Covered Entity.
“Secretary” means the Secretary of the Department of Health and Human Services or his or her
designee.
B. Terms Defined Elsewhere. The following terms used in this Agreement have the same meaning
as those terms in the HIPAA Rules: “ Breach ,” “ Data Aggregation ,” “ Designated Record Set ,”
“ Disclosure ,” “ Health Care Operations ,” “ Individual ,” “ Minimum Necessary ,” “ Notice of Privacy
Practices ,” “ Protected Health Information ,” “ Required By Law ,” “ Secretary ,” “ Security Incident ,”
“ Subcontractor ,” “ Unsecured Protected Health Information ,” and “ Use .”
Section 2. Obligations of Business Associate
A. Specific Obligations. During the Term, the Business Associate shall
i. not use or disclose Protected Health Information other than as permitted or required by this
Agreement or as Required By Law;
ii. use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to
electronic protected health information, to prevent use or disclosure of protected health
information other than as provided for by the Agreement;
iii. report to the Covered Entity any use or disclosure of the Protected Health Information not
provided for by this Agreement of which it becomes aware, including, but not limited to, breaches
of unsecured protected health information as required at 45 CFR 164.410, and any security
incident of which it becomes aware;
iv. ensure that any agent, including a subcontractor, to whom it provides Protected Health
Information received from, or created or received by the Business Associate on behalf of the
Covered Entity agrees to the same restrictions and conditions that apply to the Business Associate
with respect to such information;
v. make internal practices, books, records, and disclosures of Protected Health Information
received from or created or received by the Business Associate on behalf of the Covered Entity
available to the Secretary, in a time and manner designated by the Secretary, for purposes of the
Secretary determining the Business Associate and/or Covered Entity’s compliance with the
HIPAA Rules;
vi. make available protected health information in a designated record set to the Covered
Entity” as necessary to satisfy the Covered Entity’s obligations under 45 CFR 164.524;
vii. make any amendment(s) to Protected Health Information in a designated record set as
directed or agreed to by the Covered Entity pursuant to 45 CFR 164.526, or take other measures as
necessary to satisfy the Covered Entity’s obligations under 45 CFR 164.526;
viii. maintain and make available the information required to provide an accounting of
disclosures to the Covered Entity as necessary to satisfy the Covered Entity’s obligations under 45
CFR 164.528;
ix. document any and all disclosures of Protected Health Information and information related
to such disclosures as would be required for the Covered Entity to respond to a request by an
Individual for an accounting of disclosures of Protected Health Information in accordance with 45
CFR §164.528;
x. to the extent the business associate is to carry out one or more of covered entity’s
obligation(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that
apply to the covered entity in the performance of such obligation(s);
xi. follow all “Minimum Necessary” Rules as applicable to the Covered Entity and the
Business Associate;
xii. provide records about information collected to permit the Covered Entity to respond to a
request by an Individual for an accounting of disclosures for Protected Health Information in
accordance with 45 CFR § 164.528, with all such records of disclosure provided to the Covered
Entity within seven days of the Business Associate’s receipt of a written request for such
information by the Covered Entity;
xiii. make amendments in designated Record Set as directed and agreed per federal and state
law; and
xiv. make available Protected Health Information in a designated record set to patient or
designee as requested by the Covered Entity.
B. Specific Permitted Use. Business Associate may only use or disclose Protected Health
Information as restricted and directed by this Agreement and only for the following purposes:
i. PATIENT INTAKE FORMS
ii. PATIENT LAB RESULTS
iii. ELECTRONIC DELIVERY OF REPORTS TO THE CLINIC
iv. PATIENT CONTACT INFORMATION WHEN REGISTERING FOR WEBINAR
These permissible uses may be amended from time to time as directed in writing by the Covered Entity to
the Business Associate.
C. General Permitted Use. The following applies to the Business Associate’s general Use of
Protected Health Information:
i. The Business Associate may Use or disclose Protected Health Information as Required By
Law.
ii. The Business Associate shall make Uses and Disclosures and requests for Protected
Health Information consistent with the Covered Entity’s Minimum Necessary policies and
procedures.
iii. The Business associate may not Use or disclose Protected Health Information in a manner
that would violate Subpart E of 45 CFR Part 164 if done by the Covered Entity.
iv. The Business Associate may use Protected Health Information for the proper management
and administration of the Business Associate or to carry out the legal responsibilities of the
Business Associate, provided the Disclosures are Required By Law, or the Business Associate
obtains reasonable assurances from the person to whom the information is disclosed that the
information will remain confidential and used or further disclosed only as Required By Law or for
the purposes for which it was disclosed to the person, and the person notifies the Business
Associate of any instances of which it is aware in which the confidentiality of the information has
been breached.
Section 3. Obligations of Covered Entity
A. Limitations in Notice of Privacy Practices. The Covered Entity shall notify the Business
Associate of any limitation(s) in the notice of privacy practices of the Covered Entity under 45 CFR §
164.520, to the extent that such limitation may affect the Business Associate’s use or disclosure of
Protected Health Information.
B. Changes in Permission. The Covered Entity shall notify the Business Associate of any changes
in, or revocation of, permission by any Individual to use or disclose Protected Health Information if it
would affect the Business Associate’s use or disclosure of Protected Health Information.
C. Agreed Restrictions. The Covered Entity shall notify the Business Associate of any restriction on
the use or disclosure of Protected Health Information that the Covered Entity has agreed to or is required to
abide by under 45 CFR 164.522, to the extent that such restriction may affect the Business Associate’s use
or disclosure of Protected Health Information.
Section 4. Limitation of Relationship
A. Relinquishment of Control. Notwithstanding anything to the contrary in this Agreement or any
other written or oral agreement between the parties, the Covered Entity does not retain any control over the
manner in which the Business Associate accomplishes the standards and requirements set forth in any and
all agreement(s) between the parties.
B. Limitation of Remedies. Notwithstanding anything to the contrary in this Agreement or any
other written or oral agreement between the parties, the only avenue of control for the Covered Entity is to
amend the terms of the agreements between the parties or to bring suit for the Business Associate’s breach
of the terms of the agreement(s) between the parties.
C. Interim Instructions. Notwithstanding anything to the contrary in this Agreement or any other
written or oral agreement between the parties, this Agreement is not to be construed to grant the Covered
Entity the authority to direct the actual performance of the Business Associate beyond requiring that it
meet the standards stated in this Agreement. Notwithstanding anything to the contrary in this Agreement or
any other written or oral agreement between the parties, The Covered Entity may not give interim
instructions to the Business Associate regarding the Business Associate’s performance under this
Agreement.
D. Business Associate’s Behavior. The Business Associate shall not act in any manner that would
create an agency relationship between the parties, as the term “agency” is defined under federal common
law.
E. Actions in Opposition. Any action or inaction of the Covered Entity in opposition to the terms of
this Section 4 are considered void and irrelevant. The Business Associate is not required to follow or rely
upon any such directions or instructions of the Covered Entity.
Section 5. Indemnification
The Business Associate shall indemnify, defend, and hold harmless the Covered Entity and the
Covered Entity’s employees, agents, members, managers, shareholders, and owners from and against any
and all claims, suits, losses, judgments, damages, liabilities, and governmental fines or assessments
including any investigation, legal, and other expenses incurred in connection with and any amount paid in
settlement of any claim, action, suit, or proceeding (collectively, the “ Losses ”) to which the Covered
Entity or the Covered Entity’s employees, agents, members, managers, shareholders, and owners may
become subject, if such Losses arise out of or are based upon any facts and circumstances, or alleged facts
and circumstances, that arise out of or are related to the Business Associate’s or the Business Associate’s
agent or subcontractor’s provision of any services on behalf of the Covered Entity, or the acts or omissions
of the Business Associate or the Business Associate’s employees, agents, or subcontractors, except to the
extent that such Losses are attributable to the Covered Entity’s negligence, act, or omission or the Covered
Entity’s employees, agents, members, managers, shareholders, or owners’ negligence, act, or omission.
This right to indemnification is in addition to any other right available to the Covered Entity, including the
right to bring suit against the Business Associate under this Agreement or any other agreement between the
parties.
Section 6. Term and Termination
A. Term. The Term of this Agreement is the period of time in which the Business Associate is
providing products or services to the Covered Entity or longest term of any other agreement between the
parties, whichever is longer.
B. Termination. The Covered Entity may terminate this Agreement and/or any other agreement
between the parties if the Covered Entity breaches any of the terms of this Agreement.
C. Obligations upon Termination. Upon termination of this Agreement for any reason, the
Business Associate and all subcontractors shall return to the Covered Entity or destroy all Protected Health
Information received from the Covered Entity or created, maintained, or received by the Business
Associate on behalf of the Covered Entity that the Business Associate possesses or maintains in any form
at the time of termination. The Business Associate may not retain any copies of Protected Health
Information in any form. Upon the Covered Entity’s request, the Business Associate shall provide to the
Covered Entity proof of said destruction.
D. Survival. The obligations of the Business Associate under this Section 6 will survive the
termination of this Agreement.
Section 7. Miscellaneous Provisions
A. Additional Training and Information. The Business Associate understands and acknowledges
that it may have additional obligations under the HIPAA Rules that are not contained in this Agreement.
The Business Associate shall at all times be in compliance with all applicable HIPAA Rules. The Business
Associate acknowledges that it has been informed by the Covered Entity that additional information
regarding compliance with the HIPAA Rules can be found through the U.S. Department of Health &
Human Services’ website at www.hhs.gov/hipaa/for-professionals/covered-entities.
B. Conflicting Provisions. If any provision of this Agreement conflicts with any current or future
agreement between the parties, the terms of this Agreement will prevail.
C. Assignment and Delegation. This Agreement may not be assigned or delegated by either party.
D. Waiver. Any waiver of a default under this Agreement must be made in writing and will not be a
waiver of any other default concerning the same or any other provision of this Agreement. No delay or
omission in the exercise of any right or remedy under this Agreement will impair such right or remedy or
be construed as a waiver. A consent to or approval of any act will not be deemed to waive or render
unnecessary consent to or approval of any other or subsequent act.
E. Attorney’s Fees. If either party hires an attorney who is not a salaried employee to enforce the
terms of this Agreement against the other party, then the prevailing party is entitled to collect from the
defaulting party its reasonable attorneys’ fees plus court costs and expert witness fees.
F. Severability. If any provision of this Agreement is illegal or unenforceable, that provision is
amended to have the fullest effect allowed by law and the other provisions remain in force.
G. Amendments. This Agreement may be amended only by an agreement in writing signed by both
parties. The Parties shall take such action as is necessary to amend this Agreement from time-to-time as is
necessary for compliance with the requirements of the HIPAA Rules and any other applicable law
H. Governing Law. This Agreement is to be governed by and construed in accordance with the laws
of Indiana, without regard to its conflict of law principles. Any dispute arising in any manner under this
Agreement is to be brought or commenced in federal or state court having jurisdiction in Hamilton County,
Indiana.
I. Drafting Ambiguities . Each party to this Agreement has reviewed and had the opportunity to
revise this Agreement. Each party to this Agreement has had the opportunity to have legal counsel review
and revise this Agreement. The rule of construction that any ambiguities are to be resolved against the
drafting party will not be employed in the interpretation of this Agreement or of any amendments to this
Agreement. Any ambiguity in this Agreement will be interpreted to permit compliance with the HIPAA
Rules.
J. Regulatory References. A reference in this Agreement to a section in the HIPAA Rules means
the section as in effect or as amended.
To evidence the parties’ agreement to this Agreement, they have executed and delivered it on the
dates indicated below, but as of the date set forth in the preamble.
BUSINESS ASSOCIATE
Read IT LLC
Thomas Culleton, DC
Managing Member of READ IT, LLC