Business Associate Agreement

LAST UPDATED: MARCH 10, 2023
This Business Associate (“Agreement” or “BAA”), is made and entered into at the date and time your account is created and is between you (“Covered Entity”) and Zaya Health Inc. (“Business Associate”), a corporation organized under the laws of Delaware. This Agreement is specific to those services, activities, or functions performed by the Business Associate for the Covered Entity when such services, activities, or functions are covered by HIPAA (the "Services").

WHEREAS, Covered Entity and Business Associate have entered into certain agreement(s) under which Business Associate provides services to Covered Entity (the “Service Agreement”) which may involve the use or disclosure of Protected Health Information from  Covered Entity clients; and

NOW THEREFORE, the Business Associate and Covered Entity wish to address the requirements of the HIPAA respect to “business associates,” as that term is defined in the HIPAA as follows:

1. Definitions.

Capitalized terms not otherwise defined in this Agreement shall have the same meaning as those terms in the HIPAA.
  1. “Electronic Protected Health Information” or “EPHI” shall have the same meaning as the term “electronic protected health information” in 45 CFR § 160.103, limited to information that Business Associate creates, accesses or receives on behalf of Covered Entity .
  2. “HIPAA” shall mean the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191 and any amendments thereto (hereinafter “HIPAA”); and the HIPAA Security and Privacy rule, 45 CFR Parts 160 and 164, and any amendments thereto.
  3. “Protected Health Information” or “PHI” shall have the meaning set forth in HIPPA, limited to information that Business Associate creates, accesses or receives on behalf of Covered Entity. PHI includes EPHI.

2. Business Associate Obligations.

Business Associate acknowledges and agrees that it may be considered a “Business Associate” as defined by HIPAA. As a Business Associate of the Covered Entity, Business Associate shall comply with the following and with any state provisions that are more restrictive:
  1. Disclosure. Business Associate shall not use or further disclose PHI other than as permitted or required by this Agreement, to perform the Services or as required by applicable law.
  2. Safeguards. Business Associate shall use safeguards that are reasonably appropriate to prevent use or disclosure of PHI other than disclosures permitted or required by this Agreement. Business Associate agrees to implement administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of PHI.
  3. Reporting. Business Associate shall report to Covered Entity any use or disclosure of PHI not permitted or required by this Agreement and any Security Incident of which it becomes aware. The parties acknowledge and agree that this Section 2(c) constitutes notice by Business Associate to Covered Entity of the ongoing existence and occurrence of attempted but unsuccessful Security Incidents that do not result in unauthorized access to, or use, loss, modification, destruction, or disclosure of, PHI.
  4. Subcontractors. Business Associate shall ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of the Business Associate agree, to the same restrictions and conditions that apply to Business Associate with respect to such PHI.
  5. Individual Rights. Business Associate will make available PHI accessible to Covered Entity as necessary for Covered Entity to satisfy Covered Entity’s obligations under 45 C.F.R. §§ 164.524, 164.526, and 164.528 with respect to individuals’ rights of access, amendment, and accounting of Disclosures, but will have no other obligations to Covered Entity or individuals regarding Designated Record Sets and such individual requests. Covered Entity is responsible for appropriately responding to such individual requests. Individuals who request access to or amendment of their PHI or an accounting of Disclosures will be directed to request such PHI from Covered Entity. Business Associate shall make available protected health information in a designated record set to the Covered Entity as necessary to satisfy covered entity’s obligations under 45 CFR 164.524 of HIPAA.
  6. Audit. Business Associate shall make its internal practices, books, and records relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of Covered Entity available to the Secretary of Health and Human Services, upon request, for purposes of determining and facilitating Covered Entity’s compliance with HIPAA.
  7. Mitigation. Business Associate shall mitigate promptly, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of this Agreement, HIPAA, or other applicable federal or state law.
  8. Uses Permitted by Law.  As permitted by the Privacy Rule, Business Associate may use or disclose PHI: (a) as is necessary to perform the Services; (b) as required by law;  ; (c) to provide data aggregation services relating to the health care services of the Covered Entity; and (d) as is necessary for the proper management and administration of Business Associate’s organization or to carry out the legal responsibilities of Business Associate; provided, however, that any permitted disclosure of PHI to a third party for Business Associate’s proper management and administration must be either Required By Law or subject to reasonable assurances obtained by Business Associate from the third party that the PHI will be held confidentially, and securely, and used or disclosed only as Required By Law or for the purposes for which it was disclosed to such third party, and that any breaches of confidentiality of the PHI which become known to such third party will be immediately reported to Business Associate.  Business Associate may use PHI to create de-identified information.  Such de-identified information is not subject to this Agreement.

3. Covered Entity Obligations.

Covered Entity agrees as follows:
  1. To notify Business Associate in the event that Covered Entity is notified that a Covered Entity client honors a request to restrict the use or disclosure of PHI pursuant to 45 C.F.R. §164.522(a) or makes revisions to its notice of privacy practices in accordance with 45 C.F.R. §164.520 or agrees to a request by an Individual for confidential communications under 45 C.F.R. § 164.522(b); in each case, to the extent such restriction, revision or agreement affects Business Associate’s use or disclosure of PHI hereunder; and
  2. To take reasonable and appropriate measures to limit PHI to the minimum necessary to accomplish the intended purpose of the access, use or disclosure; and
  3. To the extent any of the following affects Business Associate’s permitted uses or disclosures of PHI hereunder, notify Business Associate of limitation(s) in its notice of privacy practices, of any changes or revocation of permission from an individual to use PHI, or any other self-imposed restrictions agreed to by Covered Entity.

4. Compliance with Law.

Each of the Parties agrees to comply with all applicable federal and state privacy laws and regulations currently in existence and that may exist in the future including all amendments.

5. Term.

This Agreement shall become effective on the date of execution by both Parties, and shall terminate upon the termination or expiration of all Services.

6. Termination for Cause.

Notwithstanding the above, either Party may terminate this Agreement if the other Party has breached a material term of this Agreement that has not been cured within thirty (30) days from the date of written notice of the existence of a material breach.

7. Effect of Termination.

Upon termination or expiration of this Agreement, Business Associate agrees that it shall return to the Covered Entity or destroy all PHI received from Covered Entity, or created, maintained, or received by Business Associate on behalf of Covered Entity, that the Business Associate maintains in any form. Business Associate shall retain no copies of the PHI. The obligations of Business Associate under this Section shall survive the termination of this Agreement.

8. Third Party Beneficiary.

This Agreement is for the benefit of the Parties and not for the benefit of any third party.

9. Interpretation of Terms or Conditions of Agreement.

Any ambiguity in this Agreement shall be construed and resolved in favor of a meaning that permits the Covered Entity and Business Associate to comply with applicable state and federal law.

10. Entire Agreement/Amendments.

This Agreement and any agreement covering the Services, including the Services Agreement, constitutes the entire agreement between the parties hereto and supersedes all prior discussions and agreements, written or oral, in each case relating to the subject matter herein. This Agreement may not be modified, nor shall any provision hereof be waived or amended, except in a writing duly signed by authorized representatives of the Parties. The parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary to achieve and maintain compliance with the requirements of the Regulations.

11. Primacy.

The terms of this Agreement are hereby incorporated into the Services Agreement (including present and future agreements). In the event of a conflict between the terms of this Agreement and the terms of the Services Agreement, the terms of this Agreement shall prevail. The terms of the Services Agreement which are not modified by this Agreement shall remain in full force and effect in accordance with the terms thereof.

12. Governing Law.

This Agreement shall be governed by, and construed in accordance with, the laws of the State of California, exclusive of conflict of law rules. Each Party hereby agrees and consents that any legal action or proceeding with respect to this Agreement shall only be brought in the courts of the State of California and the county of San Francisco.

13. Execution and Counterparts.

The parties agree that this Agreement may be executed by the exchange of faxed signed copies, or signed copies delivered by electronic mail, and a signature transmitted by such means shall be deemed an original signature for the purpose of executing this Agreement.