Business Associate Agreement
Effective June 1, 2019
The Clariti HIPAA Business Associate Agreement (“Agreement”) is entered into by and between you the “Covered Entity” and Clariti Health, LLC (“Clariti”). Clariti and Covered Entity are parties to certain Service Agreements whereby Clariti is providing services and software (the “Services”) to or on behalf of Covered Entity that may involve the use and disclosure of Protected Health Information (“PHI”). This Agreement defines the parties’ obligations with respect to Clariti’s use and disclosure of PHI. “You”, “yours” and “Client” refer to the Covered Entity that is subscribing to the Services. “We,” “our”, “us” and Clariti refers to Clariti Health, LLC.
As used herein, the following terms shall have these designated meanings:
“Breach” has the same meaning as set forth in Section 13400 of HITECH and shall include the unauthorized acquisition, access, use or disclosure of PHI that compromises the security and/or privacy of such PHI.
“Electronic Protected Health Information” or “Electronic PHI” means Protected Health Information that is transmitted by electronic media and/or maintained in electronic media.
“HIPAA” means the Health Insurance Portability and Accountability Act of 1996 and the regulations promulgated there under.
“HITECH” means the Health Information Technology for Economic and Clinical Health Act, a portion of the American Recovery and Reinvestment Act of 2009, and the regulations promulgated there under.
“Individual” means an employee, contractor or affiliate of the Covered Entity who may access or use the Services.
“Privacy Standards” means the Standards for Privacy of Individually Identifiable Health Information promulgated by the US Department of Health and Human Services (“HHS”), 45 CFR Parts 160 and 164 as may be amended from time to time.
“Protected Health Information” or “PHI” means information that is created or received by a healthcare provider, health plan, employer or healthcare clearinghouse that relates to the past, present or future physical or mental health or condition of an individual, the provision of healthcare to an individual or the past, present or future payment for the provision of healthcare to an individual and that identifies the individual or with respect to which there is a reasonable basis to believe the information can be used to identify the individual.
“Security Standards” means the Security Standards promulgated by HHS, 45 CFR Parts 160 and 164 as may be amended from time to time.
Use and Disclosure of Protected Health Information
Except as otherwise stated herein, Clariti shall use and disclose Protected Health Information only as required to perform its obligations under the Service Agreements. Clariti shall not, and shall ensure that its employees, contractors, subcontractors and agents do not, use or disclose PHI received from Covered Entity in any manner that would violate the Privacy Standards or Security Standards, or any applicable state privacy laws, if so used by Covered Entity. Clariti is responsible for full compliance with the Privacy Standards and Security Standards, as required by HITECH and any applicable state privacy laws, to the same extent as Covered Entity.
Clariti’s Responsibilities Regarding Protected Health Information
With regard to its use and or disclosure of Protected Health Information, Clariti agrees to:
a. Use and/or disclose PHI only as permitted by this Agreement or as required by law. As part of this limitation, Clariti recognizes that there are additional requirements under HITECH that impact its use and disclosure of PHI, including, for example, the requirement to apply the “minimum necessary” obligation to disclosures for treatment, payment and healthcare operations;
b. Use appropriate safeguards to prevent unauthorized use or disclosure of PHI, consistent with HITECH, and the Privacy Standards and Security Standards, including, without limitation, implementing administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of the Electronic PHI that Clariti creates, receives, maintains or transmits on behalf of Covered Entity;
c. In the event that Clariti becomes aware of a security or privacy breach which might trigger security breach reporting obligations under HITECH, or of any use or disclosure of PHI not permitted by this Agreement, Clariti will report such breach Covered Entity in accordance with Section 164.410 of the Regulations and to comply with any other reporting requirements under HITECH.
d. Report to the Covered Entity any other use or disclosure of PHI not provided for by this Agreement of which Clariti becomes aware, and to comply with any other reporting requirements under HITECH.
e. In the event of a security incident involving Electronic PHI or a Breach of Unsecured PHI, mitigate to the extent practicable any harmful effects of such incident or breach.
f. Require all its employees, contractors, subcontractors and agents that receive, use or have access to PHI to agree in writing to be bound by the same responsibilities, restrictions and conditions upon the use and/or disclosure of PHI that apply to Clariti under this Agreement.
g. Pursuant to HITECH, if Clariti knows of a pattern of activity or practice that constitutes a Breach or violation of Clariti’s obligations under this Agreement, Clariti must take reasonable steps to cure the Breach or end the violation. If such steps are unsuccessful, Clariti must terminate the contract or arrangement, if feasible; if termination is not feasible, Clariti must report the problem to the Secretary of HHS.
h. Make available its internal practices, books and records relating to the use and disclosure of PHI to the Secretary of HHS for purposes of determining the parties’ compliance with HIPAA and/or HITECH.
i. Within ten (10) business days after receiving a written request from Covered Entity, provide to Covered Entity such information as is requested and necessary to enable Covered Entity to respond to a request by an individual for an accounting of the disclosures of the individual’s PHI in accordance with HIPAA. Such information shall include, at a minimum, the date of any disclosure by Clariti, the name and address of the entity or person to whom disclosure was made, a description of the PHI so disclosed and a description of the purpose for which such disclosure was made. Clariti agrees to implement appropriate record keeping processes to enable it to comply with the requirements of this section.
j. Make available PHI in its possession for amendment and/or incorporate any such amendments or corrections into the PHI in accordance with the HIPAA regulations.
k. Promptly report to Covered Entity any subpoena, court or other administrative order or discovery request calling for release or disclosure of PHI so that Covered Entity will have an opportunity to seek protective relief or otherwise direct Clariti’s response to such request.
Covered Entity’s Responsibilities Regarding Protected Health Information
With regard to PHI, Covered Entity agrees to:
a. Not ask Clariti to use or disclose PHI in any manner that would not be permissible under the regulations.
b. Provide Clariti with notices of any changes in, or revocations of, any permission or authorization by an Individual to use or disclose PHI and Covered Entity, and immediately take action to modify or remove the account of the Individual from the Services.
c. Notify Clariti of any restrictions on the use or disclosure of PHI that may concern Clariti or the Services that Covered Entity has agreed to in accordance with the Regulations.
Termination for Breach
We or Client may terminate the Contract on notice to the other party if the other party materially breaches the Contract and such breach is not cured within ten (10) days after the non-breaching party provides notice of the breach. We may terminate the Contract immediately on notice to Client if we reasonably believe that the Services are being used by Client or its Authorized Users in violation of applicable law, or there is a credible risk of harm to us, the Services, or disclosure of PHI.
This Agreement will automatically terminate upon the termination or expiration of the Service Agreements.
Effect of Termination
Upon termination of this Agreement or the Service Agreements, Clariti will return to Covered Entity or destroy all PHI in its possession maintained or stored in any form or media, and retain no copies, if it is feasible to do so. If return or destruction is not feasible, Clariti agrees to extend all protections contained in this Agreement to its use and or disclosure of any retained PHI following termination of this Agreement, and to limit all further uses and/or disclosures to those purposes that make the return or destruction of the PHI not feasible. As part of our ability to provide comparative statistics and benchmarks in association with the Services, Clariti does reserve the right to maintain in perpetuity de-identified information in aggregate.
Permitted Uses and Disclosures of PHI
Notwithstanding the restrictions and conditions upon the use and/or disclosure of PHI set forth herein, Clariti may use PHI for its proper management and administration and to fulfill Clariti’s legal responsibilities.
Minimum Necessary Representation
Clariti represents and warrants that it shall request, use and/or disclose only the amount of PHI that is minimally necessary to perform its obligations under the Service Agreements. In addition, Clariti represents and warrants that it will institute and implement policies and practices to limit its uses and disclosures of PHI to that which is minimally necessary to perform its obligations under the Service Agreements.
In the event of termination or expiration of the Agreement the following sections will survive; Clariti’s Responsibilities Regarding Protected Health Information, Covered Entities Responsibilities Regarding Protected Health Information, and Termination.
Over time we may change the Agreement to reflect changes in the regulations or our business. If we make a material change to the Agreement, we will provide Covered Entity with reasonable notice, prior to the change taking effect, via email to the Covered Entity’s current contact email address. You can review the most current version of the Business Associate Agreement at any time by visiting this page. A materially revised Agreement will become effective on the date set forth in our notice, and all other changes will become effective upon posting of the change. If Covered Entity, or any Authorized User, accesses or uses the Services after the effective date, that use will constitute Covered Entity’s acceptance of any revised terms and conditions.
Please also feel free to contact us if you have any questions about Clariti’s Business Associate Agreement. You may contact us at [email protected], by phone 844.696.6741, or mail to Clariti Health 26 Bayberry Lane Branford, CT 06405.