Business Associate Agreement
This Business Associate Agreement is entered into by and between My City Med, Inc. (“My City Med“) and any Healthcare Providers that have entered into a Physician User Agreement with My City Med, unless My City Med and such Healthcare Provider have executed a separate business associate agreement that addresses the same subject matter as this Business Associate Agreements. This Business Associate Agreement applies with respect to any and all Protected Health Information that may be collected, accessed, used, processed or disclosed pursuant to My City Med’ performance and Healthcare Provider’s receipt of services under the Physician User Agreement.
Pursuant to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), as updated and amended by Subtitle D of the Health Information Technology for Economic and Clinical Health Act ( the “HITECH Act”), My City Med may from time to time act as a business associate in the performance of services for Healthcare Provider under the Physician User Agreement. In such event, the Healthcare Provider is a covered entity. Pursuant to this Business Associate Agreement, My City Med and the Covered Entity agree to access, use, process and disclose any such Protected Health Information in compliance with the requirements of HIPAA and the HITECH Act.
By accepting the terms of the Physician User Agreement or by receiving services from My City Med pursuant to the Physician User Agreement that require My City Med to access, use, process or disclose Protected Health Information, Healthcare Provider accepts the terms of this Business Associate Agreement.
Capitalized terms not defined in this Agreement shall be defined as provided in HIPAA, the HITECH ACT and their implementing rules.
2. Uses and Disclosures of Protected Health Information
2.1 My City Med may from time to time disclose Protected Health Information to Healthcare Provider in conjunction with Healthcare Provider’s receipt of services under the Physician User Agreement and Healthcare Provider may from time to time disclose Protected Health Information to My City Med for use by My City Med in performing services under the Physician User Agreement. For purposes of this Agreement, “Protected Health Information” is limited to Protected Health Information, as defined in HIPAA, HITECH and their implementing rules, that is accessed, used, processed or disclosed pursuant to the Physician User Agreement.
2.2 Neither party shall access, use, process or disclose such Protected Health Information for any purpose other than as permitted under this Business Associate Agreement. Each party may access, use, process and disclose the Protected Health Information it receives for the proper management and administration of such party, to perform its obligations under and receive the benefits of the service delivered under the Physician User Agreement and to otherwise carry out its legal responsibilities; provided, however, that in all cases such use is permitted under applicable law. Either party may disclose Protected Health Information if the disclosure is required by law. Either party may also disclose Protected Health Information for the proper management and administration of the business of such party, provided it obtains reasonable assurances from the person to whom the information is disclosed that it will be held confidentially and used or further disclosed only as required by law and for the purpose for which it was disclosed.
2.3 Each party shall maintain appropriate safeguards including, but not limited to, administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of the Protected Health Information.
2.4 If either party becomes aware of any unauthorized access to or use, processing or disclosure of unsecured Protected Health Information, it shall so notify the other party. Such notice shall contain: (a) the date of discovery of the unauthorized access, use, processing or disclosure; (2) a listing of the identification of individuals and/or classes of individuals who are subject to the unauthorized access, use, processing or disclosure; and (3) a general description of the nature of the unauthorized access, use, processing or disclosure. The party responsible for such unauthorized access, use, processing or disclosure shall perform an appropriate risk assessment to determine whether the Protected Health Information has been compromised. In performing the risk assessment, such party will consider a combination of factors such as: (a) the nature and extent of the Protected Health Information affected, (b) the unauthorized person who impermissibly used the Protected Health Information or to whom the Protected Health Information was impermissibly disclosed; (c) whether Protected Health Information was acquired or viewed and (d) the extent to which the risk to the Protected Health Information has been mitigated. The results of such risk assessment shall be provided to other party. My City Med is not responsible for monitoring Healthcare Provider’s own access to or use, processing or disclosure of Protected Health Information.
2.5 In the event of an unauthorized access to or use, processing or disclosure of unsecured Protected Health Information, the party responsible for such unauthorized access to or use, processing or disclosure of unsecured Protected Health Information will use reasonable efforts to mitigate, to the extent practicable, any harmful effect arising from such unauthorized access to or use, processing or disclosure of unsecured Protected Health Information.
2.6 The parties will cooperate with respect to any required notifications that must be made to the individuals or the media with respect to any unauthorized access to or use, processing or disclosure of unsecured Protected Health Information.
2.7 With respect to any Subcontractor or agent to whom either party provides Protected Health Information, the disclosing party shall first contractually obligate such Subcontractor or agent to agree to protect such Protected Health Information pursuant to terms and conditions at least as protective as the terms of this Business Associate Agreement.
2.8 My City Med may de-identify any and all Protected Health Information that is in its possession or control provided that My City Med implements de-identification criteria in accord with applicable law. De-identified information does not constitute Protected Health Information and is not subject to the terms of this Business Associate Agreement.
3. Compliance with Law
3.1 Each party is responsible for its own compliance with any and all existing or subsequent laws, whether by statute, regulation, common law, or otherwise, related to its access to or use, processing or disclosure of Protected Health Information. Healthcare Provider agrees that it shall have and maintain appropriate consents from data subjects, as may be necessary, for My City Med to access, use, process and disclose Protected Health Information in accordance with its delivery of services under the Physician User Agreement and as otherwise permitted under this Business Associate Agreement.
3.2 The parties shall provide each other only the minimum amount of Protected Health Information necessary for My City Med to perform the services described in the Physician User Agreement.
3.3 Upon request by the Department of Health and Human Services (“HHS”), each party shall make available to HHS the internal practices, books, and records of such party relating to the use and disclosure of Protected Health Information for purposes of ensuring compliance with the provisions of HIPAA and the HITECH Act.
3.4 In the event that My City Med receives an inquiry from an individual for access to or the right to amend Protected Health Information, it shall advise Healthcare Provider of that communication and the request. The parties shall cooperate in making Protected Health Information available to the individual and in making the requested amendment of Protected Health Information. The Healthcare Provider shall retain and make available on request information required to provide an accounting of disclosures in accordance with the provisions of HIPAA and the HITECH Act.
4. Default, Termination
4.1 In the event that either party reasonably determines that the other has accessed, used, processed or disclosed unsecured Protected Health Information in a manner inconsistent with a material term of this Business Associate Agreement, it shall provide written notice of such breach to the other party and specify in reasonable detail any such breach. Upon receipt of such written notice, the receiving party shall have 30 days to achieve compliance with this Business Associate Agreement or to establish a reasonable schedule for compliance with this Business Associate Agreement. In the event that a party fails or refuses to comply with this obligation, the other party may terminate the Agreement upon written notice. If either party reasonably determines that the other party has accessed, used, processed or disclosed Protected Health Information in a manner inconsistent with this Agreement following written notice of a prior breach, the non-breaching party may immediately terminate the Agreement.
4.2 Within 30 days of termination of this Business Associate Agreement, My City Med shall return to Healthcare Provider, or destroy, the Protected Health Information made available to My City Med by the Healthcare Provide that is in My City Med control and take reasonable steps to ensure that My City Med has no means of identifying or reidentifying individuals who are the subject of such Protected Health Information. My City Med shall also contractually obligate any Subcontractor to return to My City Med, or destroy, any such Protected Health Information in the Subcontractor’s control.
4.3 In the event that My City Med is unable to return or destroy the Protected Health Information in its control, My City Med shall continue to protect such Protected Health Information from further disclosure.
4.4 UNDER NO CIRCUMSTANCES WILL MY CITY MED OR ITS AFFILIATES, OR ANY OF ITS OR THEIR RESPECTIVE DIRECTORS, OFFICERS, SHAREHOLDERS, PROPRIETORS, PARTNERS, EMPLOYEES, AGENTS, REPRESENTATIVES, SERVANTS, ATTORNEYS, PREDECESSORS, SUCCESSORS OR ASSIGNS, BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, PUNITIVE, EXEMPLARY OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, LOST PROFITS AND DAMAGES THAT RESULT FROM INCONVENIENCE, DELAY, OR LOSS OF USE) ARISING OUT OF ITS ACCESS TO OR USE, PROCESSING OR DISCLOSURE OF PROTECTED HEALTH INFORMATION, EVEN IF IT OR THEY HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages; thus, this limitation may not be applicable.
4.5 Healthcare Provider will defend, indemnify, and hold harmless My City Med and its affiliates, and its and their respective directors, officers, shareholders, proprietors, partners, employees, agents, representatives, servants, attorneys, predecessors, successors and assigns, from and against any and all claims, proceedings, damages, injuries, liabilities, losses, costs and expenses (including reasonable attorneys’ fees and litigation expenses), relating to or arising from Healthcare Provider’s (i) unauthorized access to or use, processing or disclosure of Protected Health Information, (ii) breach of this Business Associate Agreement or (iii) violation of applicable law.
5. Governing Law and Venue Selection
Regardless of the jurisdiction in which the Healthcare Provider resides, this Business Associate Agreement is made in the State of Colorado, and will be construed and enforced in accordance with Colorado law (without regard to its provisions governing conflicts of law), as applied to agreements entered into and completely performed in Colorado.
ANY ACTION ARISING OUT OF THIS BUSINESS ASSOCIATE AGREEMENT OR ANY ACTION TO ENFORCE THIS BUSINESS ASSOCIATE AGREEMENT WILL BE BROUGHT ONLY IN THE FEDERAL OR STATE COURTS PRESIDING IN DENVER, COLORADO, U.S.A., AND HEALTHCARE PROVIDER EXPRESSLY AGREES TO BE SUBJECT TO THE JURISDICTION OF SUCH COURTS.
6. Notices; Contacting My City Med
Any notices to Healthcare Provider may be sent to the e-mail address that is provided to My City Med in the Healthcare Provider’s registration, and will be deemed given one business day after the e-mail is sent. Notices to My City Med must be sent to email@example.com and the following address:
My City Med
Overland Park, KS 66282
The following provisions will survive the termination of this Business Associate Agreement: 1; 4; 5 and 7. Failure to insist on strict performance of any provisions of this Business Associate Agreement will not operate as a waiver of any subsequent default or failure of performance. No waiver of any provision of this Business Associate Agreement will be valid unless in writing and acknowledged in writing or electronically by both parties. If any portion of this Business Associate Agreement is adjudged invalid or unenforceable by a court of competent jurisdiction, the remaining portions will remain valid, enforceable, and in effect, and the parties will promptly substitute for the invalid provision an enforceable provision which resembles the invalid provision as closely as possible in intent and economic effect. No joint venture, partnership, employment or agency relationship exists between My City Med and the Healthcare Provider as a result of this Business Associate Agreement. This Business Associate Agreement constitutes the entire agreement between My City Med and the Healthcare Provider with respect to the use of Protected Health Information, and, except and only if the parties have separately executed a stand alone business associate agreement, supersedes any and all prior understandings or agreements between My City Med and the Healthcare Provider, whether written or oral.
BY ACCEPTING THE TERMS OF THE PHYSICIAN USER AGREEMENT OR BY USING ANY SERVICE MADE AVAILABLE UNDER THE TERMS OF THE PHYSICIAN USER AGREEMENT, HEALTHCARE PROVIDER ACCEPTS THE TERM AND CONDITIONS OF THIS BUSINESS ASSOCIATE AGREEMENT. PLEASE NOTE THAT MY CITY MED RESERVES THE RIGHT, AT ITS SOLE DISCRETION, TO CHANGE THIS BUSINESS ASSOCIATE AGREEMENT FROM TIME TO TIME. HEALTHCARE PROVIDER’S CONTINUED USE OF THE SERVICES PROVIDED UNDER THE PHYSICIAN USER AGREEMENT AFTER ANY SUCH CHANGE TAKES EFFECT WILL BE DEEMED TO CONSTITUTE HEALTHCARE PROVIDER’S ACCEPTANCE OF AND AGREEMENT TO THE REVISIONS TO THIS BUSINESS ASSOCIATE AGREEMENT.