Business Associate Agreement

Effective April 1, 2026

This Business Associate Agreement (this “BAA”) is entered into as of the Effective Date by and between Reify Health, Inc., a Delaware corporation, having its principal place of business at 33 Arch St., 17th Floor, Boston, MA 02110, USA (together with its subsidiaries and Affiliates, “Business Associate” or “Reify”) and the party accepting this BAA, as evidenced by such party’s click-through acceptance or signature, or by such party’s registration for, access to, or use of the Services (together with its subsidiaries and Affiliates, “Covered Entity” or “Customer”), each a “Party,” and collectively, the “Parties.”

This BAA is incorporated by reference into and forms part of the StudyTeam® for Sites Terms of Service or other master agreement between the Parties governing Customer’s use of Reify’s products and services (the “Agreement”), or, where no such agreement is in effect, applies to Customer’s use of the Services pursuant to a sponsor-granted license, and sets forth the Parties’ rights and obligations with respect to the use and disclosure of Protected Health Information (PHI) by Reify on behalf of Customer in connection with the Services, to the extent required under the Health Insurance Portability and Accountability Act of 1996, as amended, and its implementing regulations (collectively, “HIPAA”). The effective date of this BAA shall be the Effective Date of the Agreement, or, where no Agreement is in effect, the date Customer first accesses or uses the Services.

The Parties agree as follows:

  1. DEFINITIONS

    Capitalized terms used but not otherwise defined in this BAA shall have the meanings assigned to such terms under HIPAA or, where applicable, in the Agreement.
  2. PERMITTED USES AND DISCLOSURES
    1. Use and Disclosure. Business Associate shall not Use or Disclose PHI other than as reasonably necessary to provide, operate, maintain, develop, support, and improve the Services as contemplated by the Agreement, in accordance with this BAA, or as Required by Law. Business Associate shall not Use or Disclose PHI in a manner that would violate HIPAA if Used or Disclosed by Covered Entity.
    2. Management and Administration. Except as otherwise provided in this BAA, Business Associate may Use PHI for the proper management and administration of Business Associate or to carry out its legal responsibilities, and may Disclose PHI for such purposes solely to the extent that such Disclosures are either Required by Law or under reasonable assurances from the recipient that (i) the PHI will be held secure and confidential in accordance with this BAA, (ii) Use and further Disclosure will be limited to that which is Required by Law or for the purposes for which it was disclosed, and (iii) breach of confidentiality of PHI will be promptly reported to Business Associate, in accordance with 45 C.F.R. § 164.504(e)(4).
    3. Data Aggregation. Business Associate may use PHI to provide data aggregation services related to the health care operations of Covered Entity, as permitted by 45 C.F.R. § 164.504(e)(2)(i)(B).
    4. Minimum Necessary. Business Associate shall request, Use, and Disclose only the minimum amount of PHI necessary to perform the Services, in accordance with 45 C.F.R. § 164.502(b).
    5. Prohibition on Sale and Marketing. Business Associate shall not receive remuneration, directly or indirectly, in exchange for the Use or Disclosure of PHI, and shall not Use or Disclose PHI for marketing purposes without prior authorization from Covered Entity.
  3. SAFEGUARDS; INCIDENT REPORTING
    1. Safeguards. Business Associate shall implement and maintain appropriate administrative, technical, and physical safeguards to protect the confidentiality, integrity, and security of electronic PHI in accordance with 45 C.F.R. Part 164 Subpart C, and to prevent any Use or Disclosure not permitted by this BAA or HIPAA.
    2. Mitigation. Business Associate shall mitigate, to the extent practicable, any harmful effect known to Business Associate of a Use or Disclosure of PHI by Business Associate in violation of this BAA or HIPAA.
    3. Breach Notification. Business Associate shall notify Covered Entity without unreasonable delay, and in no event later than forty-eight (48) hours after Discovery, of any Breach of Unsecured PHI or material Security Incident caused by the acts or omissions of Business Associate and, to the extent possible, include a detailed narrative of all relevant information then known to Business Associate, updated in phases as it becomes available. Business Associate shall not be required to notify Covered Entity of any attempted or unsuccessful security incidents that do not result in unauthorized access, Use, or Disclosure of PHI. This BAA constitutes notice that Business Associate may experience such incidents from time to time.
    4. Downstream Entities. Business Associate shall ensure that its agents or Subcontractors who create, receive, maintain, or transmit PHI on its behalf comply with restrictions and conditions that are no less protective than those applicable to Business Associate under this BAA.
    5. Confidentiality. Business Associate shall ensure that PHI will be limited to only those employees or agents who need to know such information to perform the Services; provided that each such employee or agent has a legal or contractual obligation to maintain the confidentiality of the PHI.
  4. INDIVIDUAL RIGHTS
    1. Access. To the extent Business Associate maintains PHI in a Designated Record Set, Business Associate shall make such PHI available to Covered Entity, or as directed by Covered Entity, to enable Covered Entity to comply with its obligations under HIPAA.
    2. Amendment. To the extent that Business Associate maintains PHI in a Designated Record Set, Business Associate shall incorporate amendments to PHI as directed by Covered Entity and in accordance with HIPAA.
    3. Accounting of Disclosures. Business Associate shall document disclosures of PHI and provide such information as reasonably requested by Covered Entity to permit Covered Entity to comply with its accounting of disclosures obligations under 45 C.F.R. § 164.528.
    4. Access to Books and Records. Business Associate shall make its internal practices, books, and records relating to the Use and Disclosure of PHI available to the Secretary of the U.S. Department of Health and Human Services for purposes of determining compliance with HIPAA.
  5. OBLIGATIONS OF COVERED ENTITY
    1. Notice of Privacy Practices. Covered Entity shall notify Business Associate of any limitations in its Notice of Privacy Practices, pursuant to 45 C.F.R. § 164.520, to the extent that the limitations may affect Business Associate’s Use or Disclosure of PHI.
    2. Revocation of Permission. Covered Entity shall notify Business Associate of any changes in, or revocation of, permissions to Use and Disclose PHI by the Individual who is the subject of the PHI, to the extent that the changes or revocation may affect Business Associate’s Use or Disclosure of PHI.
    3. Restrictions on Disclosures. The Covered Entity shall notify Business Associate of any restriction to the use or disclosure of Protected Health Information that the Covered Entity has agreed to in accordance with 45 C.F.R. § 164.522, to the extent that such restriction may affect Business Associate’s Use or Disclosure of PHI.
    4. Impermissible Use and Disclosure. Covered Entity shall not request Business Associate to Use or Disclose PHI in any manner that would not be permitted under HIPAA if done by Covered Entity.
  6. TERM AND TERMINATION
    1. Term. This BAA shall become effective as of the Effective Date and shall remain in effect so long as Business Associate creates, receives, maintains, or transmits PHI on behalf of Covered Entity in connection with the Services.
    2. Effect of Termination. Upon termination of this BAA, Business Associate shall, at Covered Entity’s written request, return or securely destroy all PHI in its possession or control, including PHI held by its agents or subcontractors, and shall retain no copies unless return or destruction is infeasible, in which case Business Associate shall notify Covered Entity and continue to protect such PHI in accordance with this BAA, limiting further Uses and Disclosures to those purposes that make return or destruction infeasible, for so long as such PHI is retained.
  7. GENERAL
    1. Order of Precedence. In the event of a conflict between the terms of this BAA and the Agreement, the terms of this BAA shall prevail solely to the extent of such conflict and only with respect to the Use and Disclosure of PHI and the Parties’ obligations under HIPAA.


Last updated: February 24, 2026
