BUSINESS ASSOCIATE AGREEMENT
Exhibit 10.22
This Business Associate Agreement (the “Agreement”) is entered into between QT Ultrasound LLC, a Delaware limited liability company (“Business Associate”), and Xxxx X. Xxxxx, MD, a California sole proprietorship (“Practice”).
RECITALS
A. Practice is a “covered entity,” as that term is defined in the HIPAA Standards for Privacy of Individually Identifiable Health Information and the Standards for Security of Electronic Protected Health Information, 45 C.F.R. Part 160 and Part 164, Subparts A, C and E (the “HIPAA Regulations”), and the Health Information Technology for Economic and Clinical Health Act, as incorporated in the American Recovery and Reinvestment Act of 2009 (the “HITECH Act”) (collectively, the HIPAA Regulations and the HITECH Act are referred to as the “Requirements”), and, therefore, must comply with the Requirements.
B. The Requirements require Practice to enter into with its “business associates,” as that term is defined in 45 C.F.R. § 160.103, an agreement containing certain minimum safeguards. Business Associate will be a business associate of Practice.
C. The parties desire to enter into an agreement that complies with the Requirements.
AGREEMENT
For good and valuable consideration, the receipt and sufficiency of which is hereby acknowledged, the parties agree as follows:
1. Definitions. Except as otherwise set forth in this Agreement, all capitalized terms have the same meaning as set forth in the Requirements, as such may be amended from time to time.
a. “Disclose” has the same meaning as the term “disclosure” in 45 C.F.R. § 160.103.
b. “EPHI” has the same meaning as the term “electronic protected health information” in 45 C.F.R. § 160.103, but limited to information created or received by Business Associate as a Business Associate of Practice.
c. “PHI” has the same meaning as the term “protected health information” in 45 C.F.R. § 160.103, but limited to information created or received by Business Associate as a Business Associate of Practice.
d. “Secretary” means the Secretary of the Department of Health and Human Services or his or her designee.
2. Business Associate’s Obligations. Business Associate will:
(a) Not Use or Disclose PHI except as permitted or required by this Agreement or as required by law;
(b) Use appropriate safeguards and comply, where applicable, with 45 C.F.R. Subpart C with respect to EPHI, to prevent the Use or Disclosure of PHI, except as set forth in this Agreement;
(c) Implement Administrative, Physical and Technical Safeguards that reasonably and appropriately protect the Confidentiality, Integrity and Availability of EPHI;
(d) Promptly report to Practice: (i) any Use or Disclosure of PHI by Business Associate or a third party to which Business Associate Disclosed PHI that is not contemplated by this Agreement, including any Breach of Unsecured PHI; and (ii) any Security Incident, of which Business Associate becomes aware;
(e) Ensure that any subcontractors who create, receive, maintain or transmit PHI on behalf of Business Associate agree to the same restrictions and conditions in the Services Agreement and this Agreement;
(f) In accordance with Practice’s reasonable request, provide Practice, in accordance with 45 C.F.R. § 164.524, access to PHI in a Designated Record Set;
(g) Make any amendment to PHI in a Designated Record Set that Practice has agreed to pursuant to 45 C.F.R. § 164.526;
(h) Document any Disclosures of PHI necessary to provide an accounting of Disclosures in accordance with 45 C.F.R. § 164.528;
(i) To the extent Business Associate carries out any obligations of Practice under the Requirements, Business Associate will comply with the Requirements that apply to Practice in the performance of such obligation;
(i) Make its internal practices, books and records, relating to the Use and Disclosure of PHI available to the Secretary for purposes of determining Practice’s compliance with the Requirements; and
(j) Mitigate, to the extent practicable, any harmful effects (known to Business Associate) from any Use or Disclosure of PHI by Business Associate not permitted by this Agreement.
3. Permitted Uses and Disclosures. Except as otherwise set forth in this Agreement, Business Associate may:
(a) Use or Disclose PHI to perform its duties and obligations under the Services Agreement and to report violations of the law to law enforcement; provided that, such Use or Disclosure complies with the Requirements;
(b) Use PHI for its management and administration or to carry out Business Associate’s legal responsibilities; and
(c) Disclose PHI for the purposes in Section 3(b) of this Agreement, if (i) the Disclosure is required by law, or (ii) Business Associate obtains reasonable assurances from the persons to whom the PHI is disclosed that (i) the PHI will remain confidential and will not be Used or further Disclosed except as Required By Law or for the purpose for which it was Disclosed to the person, and (ii) the person will notify Business Associate of any instances of which it becomes aware that the confidentiality of the PHI has been breached.
4. Practice’s Obligations. Practice will notify Business Associate of any:
(a) Limitation in Practice’s Notice of Privacy Practices, as required by the Requirements, that may affect Business Associate’s Use or Disclosure of PHI;
(b) Changes in or revocation of an individual’s permission to Use or Disclose PHI, to the extent such change may affect Business Associate’s Use or Disclosure of PHI; and
(c) Restriction regarding the Use or Disclosure of an individual’s PHI that Practice has agreed to in accordance with 45 C.F.R. § 164.522, to the extent that such restriction may affect Business Associate’s Use or Disclosure of the PHI.
5. Effective Date. The terms and conditions in this Agreement will be effective as of the date below (the latter, if the parties hereto execute on different dates) and will continue until all PHI is destroyed or returned to Practice.
6. Termination. Notwithstanding any provision to the contrary in this Agreement or the Services Agreement, if Business Associate breaches any of its obligations under this Agreement or the Requirements, Practice may terminate this Agreement and the Services Agreement immediately upon providing notice to Business Associate or it may provide Business Associate with a reasonable opportunity to cure the breach or end the violation. If Practice determines, in its sole discretion, that neither termination nor cure is feasible, Practice will report the violation to the Secretary.
7. Effect of Termination. Upon termination of this Agreement, Business Associate will return to Practice or destroy all PHI. If it is not feasible for Business Associate to return or destroy the PHI, (i) Business Associate will notify Practice of such unfeasibility; (ii) Business Associate will limit Business Associate’s Use and Disclosure of such PHI to the purpose which makes it unfeasible for Business Associate to return or destroy the PHI; and (iii) the terms and conditions set forth in this Agreement will continue with respect to the PHI for so long as Business Associate maintains the PHI.
8. Indemnification. Business Associate will indemnify, defend and hold harmless Practice for, from and against any and all liabilities, costs, fees, fines, penalties and other expenses (including reasonable attorneys’ and expert fees) arising from or related to Business Associate’s breach of any of its obligations under this Agreement or the Requirements. The obligations under this Section will survive the termination of this Agreement.
9. Amendment. If the Requirements are amended and the amendments require an amendment to this Agreement to comply with the amendments to the Requirements, this Agreement will be amended automatically, without any signed, written amendment by Business Associate and Practice, to comply with the amendments. All applicable Requirements, including all future applicable Requirements, are hereby incorporated in this Agreement by this reference, as if they were set forth herein in full. Otherwise, no modification, amendment, or cancellation or waiver of rights under this Agreement will be effective unless it is in a writing that is signed by both parties. No waiver of any breach of this Agreement will be construed as a waiver of any other rights under this Agreement.
10. Entire Agreement. This Agreement constitutes the parties’ entire agreement with respect to the subject matter hereof. There are no restrictions, promises, representations, warranties, covenants, or understandings other than those expressly set forth herein. This Agreement supersedes all prior agreements or understandings between the parties with respect to the subject matter hereof and may not be modified or amended in any manner other than as set forth herein.
11. Governing Law. This Agreement will be construed in accord with and any dispute or controversy arising from any breach or asserted breach of this Agreement will be governed by the laws of the State of California.
12. Third-Party Beneficiaries. There are no third-party beneficiaries of this Agreement. The parties executed this Agreement as of the date below their respective signatures, below.
“PRACTICE”
By: /s/ Xxxx X. Xxxxx
Its: Proprietor
Date: 8 September 2020

“BUSINESS ASSOCIATE”
By: /s/ Xxxxxxxx Xxxxxxx
Its: Chief Strategy Officer
Date: September 8, 2020