Business Associate Agreement
This Business Associate Agreement (“Agreement”) is made and entered into as of the Effective Date by and between ARANZ Medical (“ARANZ Medical”) and the Silhouette Products Customer (“Client”), each with name and location(s) set forth in the Purchase Contract, hereby incorporated into this Agreement by reference and made a part hereof.
A. Client is either a covered entity subject to compliance with the privacy regulations promulgated pursuant to the Health Insurance Portability and Accountability Act of 1996 as it may be amended from time to time (“Privacy Regulations”) and the security regulations promulgated pursuant to the Health Insurance Portability and Accountability Act of 1996 as it may be amended from time to time (“Security Regulations”) or is a business associate of one or more healthcare organizations which are covered entities (“Client’s Customers”).
B. ARANZ Medical provides certain information technology, implementation and support services (“Services”) to Client under a Purchase Contract entered into between the parties, and in connection with providing the Services, may access, create, maintain or transmit protected health information (“PHI”) of Client or Client’s Customers (“Client PHI”) on behalf of Client.
C. The parties desire to enter into this Agreement as necessary to comply with the (i) Privacy Regulations, (ii) Security Regulations, and (iii) the Health Information Technology for Economic and Clinical Health Act of 2009 and the regulations promulgated thereunder as amended from time to time (“HITECH Act”).
NOW, THEREFORE, for good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the parties agree as follows:
1. Scope/Definitions. Terms used herein, but not otherwise defined, shall have meaning ascribed by 45 C.F.R. parts 160 and 164.
(a) The parties agree that this Agreement shall be applicable and in effect only in the event and to the extent (i) Client is either a “covered entity” or a “business associate” of a covered entity as such terms are defined in the Privacy Regulations, and (ii) ARANZ Medical meets the definition of the term “business associate,” as this term is defined in the Privacy Regulations, with respect to the Services provided by ARANZ Medical to Client.
(b) All terms used in this Agreement and defined in the Privacy Regulations, Security Regulations or HITECH Act shall have the meaning ascribed to them in the Privacy Regulations, Security Regulations, or HITECH Act, as applicable.
(c) “ARANZ Medical” means the ARANZ Medical company with which the Client contracts under the Purchase Contract.
(d) “Effective Date” means the effective date of the Purchase Contract to which this Business Associate Agreement relates.
(e) “Purchase Contract” means the contract, quotation, purchase order or order form accepted by ARANZ Medical designating which Silhouette Products are being provided to Client by ARANZ Medical.
(f) “Silhouette Products” means the hardware, licenses of software and services offered by ARANZ Medical from time to time as part of its Silhouette® product suite.
2. Rights of ARANZ Medical. ARANZ Medical may use and disclose Client PHI as needed to perform the Services for Client and for other purposes expressly permitted by this Agreement.
3. Obligations of ARANZ Medical. With regard to the use and disclosure of Client PHI, ARANZ Medical agrees as follows:
(a) Use and Disclosure of Client PHI. Except as otherwise permitted by this Agreement or applicable law, ARANZ Medical shall not use or disclose PHI except as necessary to provide Silhouette Products to or on behalf of Client, and shall not use or disclose PHI that would violate the Privacy Rule if used or disclosed by Client. Provided, however, ARANZ Medical may use PHI as necessary for the proper management and administration of ARANZ Medical, or to carry out its legal responsibilities.
(b) Data Aggregation. In the event that ARANZ Medical works for more than one covered entity, ARANZ Medical is permitted to use and disclose PHI for data aggregation purposes and/or to provide data analytics products to others, however, only in order to analyze data for permitted health care operations, and only to the extent that such use is permitted under the Privacy Rule.
(c) De-identified Information. With respect to Client PHI, ARANZ Medical may use and disclose de-identified health information if (i) the use is disclosed to Client, and (ii) the de-identification is in compliance with 45 C.F.R. §164.502(d), and the de-identified health information meets the standard and implementation specifications for de-identification under 45 C.F.R. §164.514(a) and (b).
(d) Safeguards. ARANZ Medical shall use appropriate safeguards and comply where applicable with the Security Regulations with respect to electronic protected health information (“Electronic PHI”) to prevent use or disclosure of Client PHI other than as provided in this Agreement.
(e) Reporting. ARANZ Medical shall report to Client any use or disclosure of Client PHI not permitted under the terms of this Agreement of which ARANZ Medical becomes aware, including Breaches of Unsecured PHI as required under 45 CFR 164.410 and any security incident, it being agreed that unsuccessful attempts of unauthorized access, use, disclosure, modification or destruction of Electronic PHI or interference with systems operations in an information system containing Electronic PHI of which ARANZ Medical is aware shall be reported to Client only if requested in writing by Client. It shall be the Client’s responsibility to provide any notifications of the Breach of Unsecured PHI as required under the HITECH Act, as well as any required notifications under any applicable state data breach laws. If Client is a business associate, Client agrees that it shall be the Client’s sole responsibility to (i) communicate to each applicable Client’s Customer any information reported to Client by ARANZ Medical hereunder consistent with the terms of the Client’s business associate agreements with Client’s Customers, and (ii) provide or assist such Client’s Customers with providing any notifications of the Breach of Unsecured PHI as required under the HITECH Act and any notifications required under applicable state data breach laws.
(f) Subcontractors. ARANZ Medical shall require that any of ARANZ Medical’s subcontractors that create, receive, maintain or transmit Client PHI on behalf of ARANZ Medical agree to comparable restrictions and conditions that apply under this Agreement to ARANZ Medical with respect to Client PHI. ARANZ Medical shall provide to Client a list of any such subcontractors upon Client’s request.
(g) Access to PHI. If ARANZ Medical maintains Client PHI in a Designated Record Set (as such term is defined in the Privacy Regulations), ARANZ Medical shall make the PHI maintained in a Designated Record Set available for inspection and copying as required by the Privacy Regulations.
(h) Amendment of PHI. If ARANZ Medical maintains Client PHI in a Designated Record Set, ARANZ Medical shall make Client PHI available for amendment as required by the Privacy Regulations and shall incorporate any necessary amendment into the PHI as directed by Client.
(i) Accounting of Disclosures. ARANZ Medical shall document all disclosures of Client PHI by ARANZ Medical which would be required to be included in a response to an accounting request under the Privacy Regulations and the HITECH Act and shall provide accounting of disclosures as required by the Privacy Regulations and the HITECH Act.
(j) Disclosures to Secretary of DHHS. ARANZ Medical shall make its internal practices, books and records relating to the use and disclosure of Client PHI received or created by ARANZ Medical on behalf of Client available to the Secretary of the United States Department of Health and Human Services (“DHHS”) for the purpose of determining Client’s or Client’s Customer’s compliance with the Privacy Regulations and Security Regulations. Client agrees that if ARANZ Medical is required to devote more than four hours in staff time in responding to any request for documents related to Client or any Client’s Customer, Client shall reimburse ARANZ Medical for any additional time required of ARANZ Medical to comply with such request at ARANZ Medical’s then current rate for services.
(k) Compliance. ARANZ Medical shall comply with the requirements of the Security Regulations and the requirements of the Privacy Regulations and the HITECH Act to the extent applicable to ARANZ Medical. To the extent ARANZ Medical is to carry out on behalf of Client, the Client’s or Client’s Customer’s obligation under the Privacy Regulations, ARANZ Medical shall comply with the requirements of the Privacy Regulations that apply to Client or Client’s Customer, as applicable, in the performance of such obligation.
(l) Minimum Necessary. If ARANZ Medical needs to use, disclose or request access to Client PHI in connection with providing the Services, ARANZ Medical shall use, disclose or request only the minimum amount of Client PHI necessary to accomplish the purpose of the use, disclosure or request.
4. Obligations of Client.
(a) Notification. With respect to the use or disclosure of Client PHI by ARANZ Medical, Client agrees to promptly notify ARANZ Medical in writing of: (i) any limitation in the notice of privacy practices of Client or any Client’s Customer, to the extent that such limitation may impact ARANZ Medical’s use or disclosure of Client PHI, (ii) any changes in, or revocation of, an individual’s authorization to use or disclose Client PHI if such action may impact ARANZ Medical’s use or disclosure of Client PHI, and (iii) any restrictions on the use or disclosure of Client PHI to which Client or any Client’s Customer has agreed if such restriction may impact ARANZ Medical’s use or disclosure of Client PHI. Client shall not request ARANZ Medical to use or disclose Client PHI in any manner that would not be permissible under the Privacy Regulations if done by Client or Client’s Customer.
(b) Location of PHI. The parties acknowledge and agree that Client PHI which may be accessed, created, maintained or transmitted in connection with the Services may be located on physical or virtual information systems housed remotely at the Client’s location, remotely at a third-party’s location(s), or within ARANZ Medical’s facilities (collectively, the “Servers” and individually a “Server”). Upon commencement of this Agreement Client shall inform ARANZ Medical of the specific location(s) and application(s) on the Servers where Client or any of Client’s Customers store or maintain Client PHI (“Client PHI Locations”) and throughout the term of this Agreement shall also immediately inform ARANZ Medical prior to making any changes in Client PHI Locations.
(c) Compliance. Client shall at all times comply with the requirements of the Security Regulations, Privacy Regulations and any state data privacy and security related laws. In addition, Client shall at all times give due consideration to any security measures which are offered or recommended by ARANZ Medical in order to safeguard Client PHI, after taking into consideration Client’s business practices.
5. Term and Termination.
(a) Term. Unless earlier terminated as provided in Section 5(b) below, this Agreement shall be effective on the Effective Date and shall continue in effect until ARANZ Medical stops providing any services to Client involving access, creation, maintenance or transmission of Client PHI under the terms of the Purchase Contract.
(b) Termination. If Client determines that ARANZ Medical breached a material term of this Agreement, Client shall provide ARANZ Medical with a written notice of breach and may terminate this Agreement if ARANZ Medical does not cure the breach within thirty (30) days of receiving such notice. If ARANZ Medical determines that Client breached any of Client’s obligations under this Agreement, ARANZ Medical shall provide Client with a written notice of breach and may terminate this Agreement if Client does not cure the breach within thirty (30) days of receiving such notice.
(c) Effect of Termination. Upon termination of this Agreement, ARANZ Medical shall promptly return to Client or destroy Client PHI possessed by ARANZ Medical in any form and retain no copies of Client PHI. If such return or destruction is infeasible as determined by ARANZ Medical, the obligations set forth in this Agreement with respect to Client PHI shall survive termination of the Agreement and ARANZ Medical shall limit any further use and disclosure of Client PHI to the purposes that make the return or destruction of Client PHI infeasible.
6. Limitation of Liability. IN NO EVENT SHALL ARANZ Medical BE LIABLE FOR ANY INDIRECT, SPECIAL, PUNITIVE OR CONSEQUENTIAL DAMAGES ARISING OUT OF OR IN ANY WAY CONNECTED WITH THIS AGREEMENT. CLIENT AGREES, TO THE FULLEST EXTENT PERMITTED BY LAW, THAT THE MAXIMUM AGGREGATE LIABILITY OF ARANZ Medical TO CLIENT OR ANY THIRD PARTY FOR ALL CLAIMS UNDER THIS AGREEMENT OR THE PURCHASE CONTRACT SHALL NOT EXCEED THE GREATER OF (A) THE FEES RECEIVED BY ARANZ Medical FOR THE SERVICES PROVIDED BY ARANZ Medical TO CLIENT DURING THE TWELVE (12) MONTH PERIOD PRIOR TO THE OCCURRENCE OF THE EVENT GIVING RISE TO THE CLAIM, OR (B) THE AMOUNTS PAID BY ARANZ Medical’S INSURANCE COMPANY ON BEHALF OF ARANZ Medical WITH RESPECT TO THE CLAIM (“LIABILITY CAP”). THE FOREGOING LIMITATION OF LIABILITY SHALL APPLY REGARDLESS OF THE CAUSE OF ACTION ASSERTED BY CLIENT OR ANY THIRD PARTY. IN ANY JURISDICTION IN WHICH THE FOREGOING LIMITATION OF LIABILITY IS RESTRICTED, ARANZ Medical’S LIABILITY SHALL BE LIMITED TO THE GREATEST EXTENT PERMITTED BY LAW. THE PROVISIONS OF THIS SECTION 6 SHALL SURVIVE TERMINATION OF THIS AGREEMENT FOR ANY REASON.
7. Entire Agreement. With the exception of the Purchase Contract and documents incorporated by reference therein, this Agreement constitutes the entire agreement between the parties hereto relating to the subject matter hereof and supersedes any prior or contemporaneous verbal or written agreements, communications and representations relating to the subject matter hereof.
8. Amendment. This Agreement may be modified or amended only upon mutual written consent of the parties. If, due to a future change in applicable laws, an amendment to this Agreement is required in order for Client or ARANZ Medical to comply with such laws, the parties shall promptly negotiate in good faith an appropriate amendment to this Agreement (“Amendment”).
9. Notices. Any notices to be given hereunder shall be deemed effectively given when personally delivered, received by electronic means (including e-mail) or overnight courier, or five (5) calendar days after being deposited in the United States mail, with postage prepaid thereon, certified or registered mail, return receipt requested, addressed to the party at the address designated in the Purchase Contract.
10. General Provisions. This Agreement shall be binding upon parties hereto and their respective successors and assigns, provided, Client may not assign its rights and obligations under this Agreement without obtaining the prior written consent of ARANZ Medical, not to be unreasonably withheld. The terms of this Agreement are not intended and shall not be construed to confer upon any person other than the parties hereto any rights, remedies, obligations or liabilities whatsoever. Client and ARANZ Medical shall be independent contractors and nothing in this Agreement is intended nor shall be construed to create an agency, partnership, employer-employee, or joint venture relationship between them. A waiver by either party of a breach or failure to perform under this Agreement shall not constitute a waiver of any subsequent breach or failure. This Agreement shall be governed by, construed, interpreted and enforced under the laws of the state of Delaware.
IN WITNESS WHEREOF, the parties have agreed to this Agreement with the intention to be legally bound hereby on the Effective Date.