Business Associate Agreement
JourneyLabs Inc. (the “Company”), in its capacity as a Business Associate, and you (the “Clinician”), in your capacity as a Covered Entity, shall comply with the following rights, duties, and obligations regarding ePHI transmitted by the Clinician for processing and/or storage on the Company’s system in connection with the services it provides.
1. As required by Section 13401(a) of the HITECH Act, the following sections of the HIPAA Regulations will also apply to the Company in its capacity as a Business Associate:
a. 45 CFR 164.308 (Administrative Safeguards);
b. 45 CFR 164.310 (Physical Safeguards);
c. 45 CFR 164.312 (Technical Safeguards); and
d. 45 CFR 164.316 (Policies and Procedures and Documentation Requirements).
Regarding implementation specifications, the Company may use its discretion regarding compliance with the addressable specifications. For clarification and not in limitation of the foregoing, the Company shall implement appropriate safeguards to prevent unauthorized use or disclosure of ePHI, including implementing requirements of the HIPAA Security Rule with regard to ePHI.
2. As required by Section 13404 of the HITECH Act:
a. The Company may use and disclose ePHI that it obtains or creates under this Agreement only if such use or disclosure, respectively, is in strict compliance with, and limited to, used and disclosures permitted by the Services Agreement and otherwise in compliance with each applicable provision of 42 CFR 164.512(e); and
b. If the Company knows of any use or disclosure of ePHI not provided for in the Services Agreement or knows of a pattern of activity or practice that constitutes a material breach of this Agreement by the Clinician in its capacity as a Covered Entity or violation by the Clinician in its capacity as a Covered Entity of the standards of 45 CFR 164.502(e) or 45 CFR 164.504(e) with respect to this Agreement, the Company shall notify the Clinician of such material breach or violation by the Clinician and unless the Clinician takes reasonable steps to cure the breach or end the violation, and if such steps are unsuccessful, the Company shall either:
– i. Terminate this Agreement; or
– ii. If termination is not feasible, report the problem to the Secretary.