This BUSINESS ASSOCIATE AGREEMENT ("BA Agreement") supplements and is made a part of the existing Services Agreement (the "Services Agreement") provided by SavvyClinician™, Inc. ("Business Associate" or "BA") to you ("Covered Entity" or "CE").
CE wishes to disclose certain information to BA pursuant to the terms of this BA Agreement, some of which may constitute Protected Health Information ("PHI") and/or electronic Protected Health Information ("e-PHI").
SavvyClinician™ provides a cloud-based therapy management platform supporting medical and school-based speech-language pathology and other therapy services, subject to HIPAA, HITECH, Texas HB 300, and FERPA regulations.
CE and BA intend to protect the privacy of PHI and e-PHI that may be disclosed to, or created, received, maintained, or transmitted by BA pursuant to the Services Agreement in compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and regulations promulgated thereunder, as well as the Health Information Technology for Economic and Clinical Health Act (HITECH) and all other applicable laws, including those specific to the State of Texas and the Family Educational Rights and Privacy Act (FERPA).
The purpose of this BA Agreement is to satisfy certain standards and requirements of the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule, as amended by subsequent regulations.
Terms used, but not otherwise defined, in this BA Agreement shall have the same meaning as those terms in the HIPAA Rules. In the event of a conflict, HIPAA definitions shall control.
BA agrees to:
BA will comply with the HIPAA Security Rule and use appropriate administrative, technical, and physical safeguards to protect the confidentiality, integrity, and availability of e-PHI created, received, maintained, or transmitted on CE's behalf.
BA will comply with applicable standards of the Privacy Rule regarding PHI.
BA shall not use or disclose PHI except as permitted by this Agreement or as required by law.
BA will make reasonable efforts to limit use/disclosure of PHI to the minimum necessary to accomplish the intended purpose.
BA shall mitigate, to the extent practicable, any harmful effects of unauthorized use or disclosure of PHI.
BA will ensure any subcontractors who handle PHI agree to the same restrictions and conditions required under this Agreement.
BA shall provide access to PHI in a Designated Record Set when required by CE, in compliance with 45 CFR § 164.524.
BA shall notify CE of any breach of unsecured PHI without unreasonable delay, no later than 30 days after discovery, including:
BA shall cooperate fully with CE in breach investigation and notification.
BA may use or disclose PHI as follows:
CE shall:
Term: This Agreement remains in effect until all PHI is returned or destroyed.
Termination for Cause: CE may terminate for material breach by BA.
Effect of Termination: Upon termination, BA must return or securely destroy all PHI, unless retention is required by law.
Regulatory References: All HIPAA references shall apply as amended.
Amendment: The parties agree to amend this Agreement as necessary to comply with HIPAA or state law changes.
Survival: BA's obligations regarding PHI survive termination.
Interpretation: Any ambiguity shall be resolved to permit compliance with HIPAA and Texas HB 300.
Indemnification: Each party agrees to indemnify the other for violations of this Agreement, including reasonable attorney's fees.
FERPA & Educational Records: For school-based therapy services, BA acknowledges FERPA applicability. Parents or guardians seeking to correct or delete educational records will be directed to CE, who will notify BA for action within 21 days.
This Agreement shall be governed by and construed under the laws of the State of Texas and applicable federal law.
Notices must be delivered in writing to the following addresses:
SavvyClinician™, Inc.
1400 Preston Road, Suite 300
Plano, Texas 75093
Attention: Privacy Officer