Business Associate Subcontractor Agreement

Business Associate Subcontractor Agreement

This Business Associate Subcontractor Agreement (“BASA”) is made between the Access company set forth in the subcontract or vendor agreement (hereinafter “Business Associate” or “ACCESS”), and the vendor or subcontractor (hereinafter “Subcontractor”). Capitalized terms used but not otherwise defined in this BASA shall have the same meaning as ascribed to those terms in the HIPAA Rules and the HITECH Act (as those terms are defined in Section 1 below).

WHEREAS, Business Associate provides services for certain of its clients (each individually a “Covered Entity”) that involve Business Associate creating, receiving, maintaining, transmitting or otherwise Using or Disclosing PHI; and

WHEREAS, Business Associate subcontracts a portion of those services to Subcontractor pursuant to a subcontract agreement (the “Underlying Agreement”); or

WHEREAS, Subcontractor is Business Associate’s vendor pursuant to a vendor agreement (the “Underlying Agreement”);

WHEREAS, Subcontractor is a Business Associate Subcontractor of Business Associate under the HIPAA Rules; and

WHEREAS, the parties are committed to complying with HIPAA and the HITECH Act and the standards for privacy and security of PHI as set forth therein;

NOW THEREFORE, for good and valuable consideration and the mutual covenants and promises contained herein, the parties hereto, intending to be legally bound, hereby agree as follows:

1. Definitions. 

“Business Associate” shall generally have the same meaning as the term “business associate” at 45 CFR 160.103, and in reference to the party to this BASA, shall mean ACCESS.

“HIPAA” shall mean the Health Insurance Portability and Accountability Act of 1996, and accompanying regulations, as may be amended from time to time.

“HIPAA Rules” shall mean the HIPAA Privacy, Security, Breach Notification and Enforcement Rules at 45 CFR Part 160 and Part 164. Any reference in this BASA to a section in the HIPAA Rules means the section in effect or as amended.

“HITECH Act” shall mean the applicable provisions of the Health Information Technology for Economic and Clinical Health Act, as incorporated in the American Recovery and Reinvestment Act of 2009 and any accompanying regulations.

“Privacy Rule” shall mean the Standards for Privacy of Individually Identifiable Health Information at 45 CFR, Parts 160 and 164.

“Security Rule” shall mean the HIPAA Security Standards codified at 45 CFR Parts 160, 162, and 164.

The following terms used in this BASA shall have the same meaning as those terms in the HIPAA Rules: Breach, Data Aggregation, Designated Record Set, Disclosure, Individual, Minimum Necessary, Protected Health Information (or “PHI”), Required By Law, Secretary, Security Incident, Subcontractor, Unsecured Protected Health Information, and Use.

2. Obligations and Activities of Subcontractor under the HIPAA Rules.

(a) Subcontractor may only Use or Disclose PHI as necessary to perform the services set forth in the Underlying Agreement, as permitted or required by this BASA, or as Required by Law. Additionally, Subcontractor may Use or Disclose PHI for the purposes authorized by this BASA only (i) to its employees, its subcontractors and agents, in accordance with this BASA, or (ii) as directed by ACCESS, if such Use or Disclosure of PHI would not violate the HIPAA Rules. Except as otherwise limited in this BASA, Subcontractor may Use PHI for the proper management and administration of Subcontractor’s business or to carry out the legal responsibilities of Subcontractor. Subcontractor must ensure that neither it nor its directors, officers, employees, agents, or subcontractors, access, store, share, maintain, use, or disclose PHI outside of the United States of America.

(b) Except as otherwise limited in this BASA, Subcontractor may, if and as requested by ACCESS, Use PHI to provide Data Aggregation services relating to the health care operations of a Covered Entity.

(c) Subcontractor’s Use, Disclosure or request of PHI shall utilize a limited data set if practicable or otherwise the Minimum Necessary PHI to accomplish the intended results of the Use, Disclosure or request.

(d) Subcontractor agrees to implement appropriate safeguards to prevent Use or Disclosure of the PHI other than as permitted by this BASA or the Underlying Agreement or as Required by Law. Such safeguards shall include implementing requirements of the Security Rule with regard to electronic PHI.

(e) Subcontractor agrees to mitigate, to the extent practicable any harmful effect that is known to Subcontractor of a Breach of Unsecured PHI or Use or Disclosure of PHI by Subcontractor as a result of Subcontractor’s Breach of this BASA, including, but not limited to, compliance with any state law or contractual data breach requirements.

(f) Subcontractor agrees to provide notice to ACCESS of (i) any Use or Disclosure of PHI not provided for by this BASA or the Underlying Agreement of which it becomes aware, (ii) any Breach of Unsecured Protected Health Information, and/or (iii) any Security Incident. Such notice shall be given promptly and, in any event, the earlier to occur of: (i) within thirty (30) days of the incident; or (ii) prior to the expiration of the timeframe required by Business Associate to the applicable Covered Entity. Any such report shall include (i) the identification (if known) of each individual whose Unsecured Protected Health Information has been, or is reasonably believed by Subcontractor to have been, accessed, acquired, used or disclosed during such Breach, and (ii) any other available information (to the extent known) ACCESS is required to include in notification to a Covered Entity or an Individual under 45 CFR § 164.404(c) such as a brief description of the incident and the nature of the information disclosed. Business Associate shall report any Breach of Unsecured PHI to any applicable Covered Entity, Individuals, the Secretary, the HHS Office for Civil Rights and/or the media as Required by Law.

(g) In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2) if applicable, Subcontractor agrees to ensure that any agent or affiliate, including its subcontractor if any, to whom it provides PHI, or PHI created, received, maintained or transmitted by Subcontractor on behalf of ACCESS, agrees in writing to the same restrictions that apply to Subcontractor with respect to such PHI. Notwithstanding the foregoing, Subcontractor may not further subcontract this Agreement or Delegate or Assign any of its rights and duties hereunder without the express written consent of ACCESS, which consent may be withheld in ACCESS’ complete discretion.

(h) To the extent (if any) that Subcontractor maintains a Designated Record Set for Business Associate on behalf of any Covered Entity, Subcontractor agrees to provide access, to ACCESS at its request, to PHI in a Designated Record Set, so that ACCESS may respond to a Covered Entity or an Individual in order to meet the requirements under 45 CFR 164.524. Any request from an Individual directly to Subcontractor shall promptly be forwarded to ACCESS for a response.

(i) To the extent (if any) that Subcontractor maintains a Designated Record Set for ACCESS and is notified by ACCESS that an amendment to PHI in a Designated Record Set is required, then ACCESS shall instruct Subcontractor to retrieve the record or any other such document identified by ACCESS in a Designated Record Set so that ACCESS may make any such amendment to the PHI as may be required.

(j) Subcontractor agrees to make its internal practices, books and records relating to the Use and Disclosure of PHI available to the Secretary, upon request of the Secretary or ACCESS, upon receiving not less than five (5) days’ advance written notification by ACCESS, for the purpose of determining compliance with HIPAA Rules.

(k) Where requested by ACCESS in connection with a specific request from an Individual and consistent with this paragraph, Subcontractor agrees to document, as set forth below, such Disclosures of PHI (but only to the extent that ACCESS has provided Subcontractor with sufficient information to know that PHI may reside in the records or other such documents delivered by ACCESS to Subcontractor). Subject to ACCESS providing Subcontractor with sufficient information upon which to make a determination as to the existence of PHI in records or such other documents delivered by ACCESS to Subcontractor, the documentation of such Disclosures shall contain such information related to such Disclosures as would be required for ACCESS to respond to the request by an Individual for an accounting of Disclosures of PHI in accordance with 45 CFR § 164.528.

(l) Subcontractor agrees to provide to ACCESS, upon receiving not less than five (5) days’ advance written notification by ACCESS, information or a record about an Individual contained in a Designated Record Set to permit ACCESS to respond to a specific request by an Individual for an accounting of Disclosures of PHI in accordance with 45 CFR § 164.528.

(m) Subcontractor shall fully cooperate with ACCESS and the applicable the Covered Entity as needed to further investigate and evaluate any Security Breach involving the Subcontractor or of which the Subcontractor has become aware.

3. Obligations of Business Associate.

(a) ACCESS shall not request Subcontractor to Use or Disclose PHI in any manner that would not be permissible under Subpart E of 45 CFR Part 164 if done by ACCESS or the applicable Covered Entity (except to the extent Subcontractor performs Data Aggregation or for the management and administration and legal responsibilities of Subcontractor).

(b) ACCESS shall notify Subcontractor of any limitation(s) in its or the applicable Covered Entity’s notice of privacy practices in accordance with 45 CFR § 164.520, to the extent that such limitation may affect Subcontractor’s Use or Disclosure of PHI.

(c) ACCESS shall notify Subcontractor of any changes in, or revocation of, permission by an Individual to Use or Disclose his or her PHI, to the extent that such changes may affect Subcontractor’s Use or Disclosure of PHI.

(d) ACCESS shall notify Subcontractor of any restriction on the Use or Disclosure of PHI that ACCESS or the applicable Covered Entity has agreed to or is required to abide by under 45 CFR §164.522, to the extent that such restriction may affect Subcontractor’s Use or Disclosure of PHI.

4. Term and Termination.

(a) Term. The Term, Termination and Effects of Termination of this BASA shall be the same as the terms and conditions identified in the Underlying Agreement. The obligations of Subcontractor shall terminate when all PHI provided by ACCESS to Subcontractor, or created, received or maintained by Subcontractor on behalf of ACCESS, is destroyed or returned to ACCESS. If it is infeasible to return or destroy PHI, protections will be extended to such information in accordance with 4(c) below.

(b) Termination for Cause. In addition to any other rights ACCESS may have in the Underlying Agreement, this BASA, or by operation of law or in equity, ACCESS may, (but is not required to), upon a breach or violation of this BASA, provide a reasonable opportunity for Subcontractor to cure or end any such violation within the time specified by ACCESS. If cure is not possible or if Subcontractor does not cure such breach or violation, ACCESS may immediately terminate the Underlying Agreement.  ACCESS’ option to have a breach cured shall not be construed as a waiver of any other rights ACCESS has in the Underlying Agreement, this BASA, or by operation of law or in equity.

(c) Effect of Termination.

1.  Upon termination of this BASA in accordance with the provisions of this BASA and the Underlying Agreement, Subcontractor shall return or destroy all PHI received from Business Associate, or created, maintained or received by Subcontractor on behalf of ACCESS, that Subcontractor still maintains in any form. This provision shall apply to PHI that is in the possession of subcontractors or agents of Subcontractor. Subcontractor shall retain no copies of the PHI.

2.  In the event that Subcontractor determines that returning or destroying the PHI is infeasible, Subcontractor shall provide to ACCESS notification of the conditions that make return or destruction infeasible. Upon the ACCESS’ acceptance that return or destruction of PHI is infeasible, Subcontractor shall extend the protections of this BASA to such PHI and limit further Uses and Disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Subcontractor maintains such PHI.

5. Insurance. 

Subcontractor shall obtain and maintain the following insurance policies: 1) Professional Liability (or converging risk) Insurance covering claims for breach of confidential information and data breaches in amounts of at least Two Million Dollars ($2,000,000); 2) Commercial General Liability Insurance–One Million Dollars ($1,000,000) per occurrence and Three Million Dollars ($3,000,000) in the aggregate; 3) Workers’ compensation with statutory limits and Employers’ Liability Insurance in an amount of at least Five Hundred Thousand Dollars ($500,000); 4) Automobile Liability Insurance with a combined single limit of at least Two Million Dollars ($2,000,000); and 5) Umbrella Insurance in an amount of at least Five Million Dollars ($5,000,000). Such coverage shall be primary and non-contributory and include coverage for ongoing and completed operations. Subcontractor shall: a) name ACCESS as an additional insured, properly endorsed; b) provide evidence of such coverage from time to time upon request; c) cause its insurers to waive subrogation; and d) notify ACCESS immediately in the event such policy is cancelled or not renewed.

6. Injunctive Relief.

Subcontractor stipulates that its unauthorized use or disclosure of PHI while performing services pursuant to this BASA would cause irreparable harm to ACCESS, and in such event, ACCESS shall be entitled to institute proceedings in any court of competent jurisdiction to obtain damages and injunctive relief without posting any bond.

7. Indemnification. 

Subcontractor shall indemnify and hold harmless ACCESS and its affiliates, officers, employees and agents, from and against any and all claims, penalties, fines, costs, liabilities, or damages, including but not limited to reasonable attorney fees, incurred by ACCESS arising from a violation by Subcontractor of its obligations under HIPAA or this BASA.

8. Miscellaneous. 

(a) Amendment. The parties agree to negotiate in good faith any amendment to this BASA that may be required from time to time as is necessary for compliance with the HIPAA Rules and any other applicable law. If the parties cannot reach mutual agreement on the terms of any such amendment within sixty (60) days following the date of receipt of any such written request made by one party to the other, then either party shall have the right to terminate this BASA and the Underlying Agreement upon providing not less than thirty (30) days’ written notice to the other party.

(b) Interpretation. Any ambiguity in this BASA shall be interpreted to permit ACCESS to comply with the HIPAA Rules. In case of any inconsistency or conflict between the Underlying Agreement and the terms and conditions of this BASA, the terms and conditions of this BASA shall control.

(c) No Third Party Beneficiaries. Nothing express or implied in this BASA is intended to confer, nor shall anything herein confer, upon any person other than ACCESS (and its affiliates), Subcontractor and their respective successors or assigns, any rights, remedies, obligations or liabilities whatsoever.

(d) Independent Contractor Status. For the purposes of this BASA, Subcontractor is an independent contractor of ACCESS, and shall not be considered an agent of ACCESS.

 

IN WITNESS WHEREOF, each of the parties has caused this BASA to be executed by its duly authorized representatives as of the Effective Date first set forth in the Underlying Agreement.


Business Associate Subcontractor Agreement

 

This Business Associate Subcontractor Agreement (“BASA”) is made between vendor (hereinafter “Business Associate”), and the Access company set forth in the underlying agreement between Access and vendor (hereinafter referred to as “ACCESS”) and supplements the agreement (the “Underlying Agreement”) entered into between ACCESS and Business Associate pursuant to which ACCESS is providing services for information/records storage and/or confidential destruction of records (“Services”). Capitalized terms used but not otherwise defined in this BASA shall have the same meaning as ascribed to those terms in the HIPAA Rules and the HITECH Act (as those terms are defined in Section 1 below).

WHEREAS, Business Associate provides services for certain of its clients (each individually a “Covered Entity”) that involve Business Associate creating, receiving, maintaining, transmitting or otherwise Using or Disclosing PHI; and

WHEREAS, ACCESS is a Business Associate Subcontractor of Business Associate under the HIPAA Rules; and

WHEREAS, pursuant to its agreements with one or more Covered Entities and HIPAA, Business Associate is required to ensure that ACCESS will appropriately safeguard, Use and Disclose PHI in accordance with HIPAA; and

WHEREAS, the parties are committed to complying with HIPAA and the HITECH Act and the standards for privacy and security of PHI as set forth therein;

NOW THEREFORE, for good and valuable consideration and the mutual covenants and promises contained herein, the parties hereto, intending to be legally bound, hereby agree as follows:

1. Definitions.

“HIPAA” shall mean the Health Insurance Portability and Accountability Act of 1996, and accompanying regulations, as may be amended from time to time.

“HIPAA Rules” shall mean the HIPAA Privacy, Security, Breach Notification and Enforcement Rules at 45 CFR Part 160 and Part 164. Any reference in this BASA to a section in the HIPAA Rules means the section in effect or as amended.

“HITECH Act” shall mean the applicable provisions of the Health Information Technology for Economic and Clinical Health Act, as incorporated in the American Recovery and Reinvestment Act of 2009 and any accompanying regulations.

“Privacy Rule” shall mean the Standards for Privacy of Individually Identifiable Health Information at 45 CFR, Parts 160 and 164.

“Security Rule” shall mean the HIPAA Security Standards codified at 45 CFR Parts 160, 162, and 164.

The following terms used in this BASA shall have the same meaning as those terms in the HIPAA Rules: Breach, Data Aggregation, Designated Record Set, Disclosure, Individual, Minimum Necessary, Protected Health Information (or “PHI”), Required By Law, Secretary, Security Incident, Subcontractor, Unsecured Protected Health Information, and Use.

2. Obligations and Activities of ACCESS under the HIPAA Rules.

(a) ACCESS may only Use or Disclose PHI as necessary to perform the services set forth in the Underlying Agreement, as permitted or required by this BASA, or as Required by Additionally, ACCESS may Use or Disclose PHI for the purposes authorized by this BASA only (i) to its employees, its Subcontractors and agents, in accordance with this BASA, or (ii) as directed by Business Associate, if such Use or Disclosure of PHI would not violate the HIPAA Rules. Except as otherwise limited in this BASA, ACCESS may Use PHI for the proper management and administration of the ACCESS or to carry out the legal responsibilities of the ACCESS.

(b) Except as otherwise limited in this BASA, ACCESS may, if and as requested by Business Associate, use PHI to provide Data Aggregation services relating to the health care operations of a Covered Entity.

(c) ACCESS’ Use, Disclosure or request of PHI shall utilize a limited data set if practicable or otherwise the Minimum Necessary PHI to accomplish the intended results of the Use, Disclosure or request.

(d) ACCESS agrees to implement appropriate safeguards to prevent Use or Disclosure of the PHI other than as permitted by this BASA or the Underlying Agreement or as Required by Such safeguards shall include implementing requirements of the Security Rule with regard to electronic PHI.

(e) ACCESS agrees to mitigate, to the extent practicable and within the limits of liability established in the Underlying Agreement or to a maximum of six (6) months of charges paid by Business Associate to ACCESS, whichever is more, (or a maximum of six (6) months of charges if there is no limit of liability in the Underlying Agreement), any harmful effect to Business Associate that is known to ACCESS of a Breach of Unsecured PHI or Use or Disclosure of PHI by ACCESS as a result of ACCESS’ breach of this This is ACCESS’ maximum liability for any and all claims, causes of action, fines, penalties, damages, costs or expenses arising hereunder.

(f) ACCESS agrees to report to Business Associate (i) any Use or Disclosure of PHI not provided for by this BASA or the Underlying Agreement of which it becomes aware, (ii) any Breach of Unsecured Protected Health Information, and/or (iii) any Security Incident affecting the PHI of the applicable Covered Such notice shall be given promptly and in any event within the timeframe required by 45 CFR § 164.410. Any such report shall include (i) the identification (if known) of each individual whose Unsecured Protected Health Information has been, or is reasonably believed by ACCESS to have been, accessed, acquired, used or disclosed during such Breach, and (ii) any other available information (to the extent known) Business Associate is required to include in notification to a Covered Entity or an Individual under 45 CFR § 164.404(c) such as a brief description of the incident and the nature of the information disclosed. Business Associate shall report any Breach of Unsecured PHI to any applicable Covered Entity, Individuals, the Secretary, the HHS Office for Civil Rights and/or the media as Required by Law.

(g) In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2) if applicable, ACCESS agrees to ensure that any agent, including its Subcontractor if any, to whom it provides PHI, or PHI created, received, maintained or transmitted by ACCESS on behalf of Business Associate, agrees in writing to the same restrictions that apply to ACCESS with respect to such PHI.

(h) To the extent (if any) that ACCESS maintains a Designated Record Set for Business Associate on behalf of any Covered Entity, ACCESS agrees to provide access, to the Business Associate at its request, to PHI in a Designated Record Set, so that Business Associate may respond to a Covered Entity or an Individual in order to meet the requirements under 45 CFR 164.524. Any request from an Individual directly to ACCESS shall promptly be forwarded to Business Associate for a response.

(i) To the extent (if any) that ACCESS maintains a Designated Record Set for Business Associate and is notified by Business Associate that an amendment to PHI in a Designated Record Set is required, then Business Associate shall instruct ACCESS to retrieve the record or any other such document identified by Business Associate in a Designated Record Set so that Business Associate may make any such amendment to the PHI as may be required.

(j) ACCESS agrees to make its internal practices, books and records relating to the Use and Disclosure of PHI, available to the Secretary, upon request of the Secretary or Business Associate, upon receiving not less than five (5) days advance written notification by Business Associate, for the purpose of determining compliance with HIPAA Rules.

(k) Where requested by Business Associate in connection with a specific request from an Individual and consistent with this paragraph, ACCESS agrees to document as set forth below such Disclosures of PHI (but only to the extent that Business Associate has provided ACCESS with sufficient information to know that PHI may reside in the records or other such documents delivered by Business Associate to ACCESS). Subject to Business Associate providing ACCESS with sufficient information upon which to make a determination as to the existence of PHI in records or such other documents delivered by Business Associate to ACCESS, the documentation of such Disclosures shall contain such information related to such Disclosures as would be required for Business Associate to respond to the request by an Individual for an accounting of Disclosures of PHI in accordance with 45 CFR § 164.528.

(l) ACCESS agrees to provide to Business Associate, upon receiving not less than five (5) days advance written notification by Business Associate, information or a record about an Individual contained in a Designated Record Set to permit Business Associate to respond to a specific request by an Individual for an accounting of Disclosures of PHI in accordance with 45 CFR § 164.528.

(m) Business Associate shall pay ACCESS’ reasonable charges for performing its obligations under this Section 2, provided such fees shall comply with HIPAA Rules.

3. Obligations of Business Associate.

(a) Business Associate shall not request ACCESS to Use or Disclose PHI in any manner that would not be permissible under Subpart E of 45 CFR Part 164 if done by Business Associate (except to the extent ACCESS performs Data Aggregation or for the management and administration and legal responsibilities of the ACCESS). Notwithstanding anything to the contrary herein, Business Associate acknowledges that any Use or Disclosure of PHI made by ACCESS at the request of Business Associate is made in reliance that such request is permissible and Business Associate is requesting the Minimum Necessary to accomplish the intended purpose of the Use or Disclosure or request.

(b) Business Associate shall notify ACCESS of any limitation(s) in its notice of privacy practices or the applicable Covered Entity’s practices in accordance with 45 CFR § 164.520, to the extent that such limitation may affect ACCESS’ Use or Disclosure of PHI.

(c) Business Associate shall notify ACCESS of any changes in, or revocation of, permission by an Individual to Use or Disclose his or her PHI, to the extent that such changes may affect ACCESS’ Use or Disclosure of PHI.

(d) Business Associate shall notify ACCESS of any restriction on the Use or Disclosure of PHI that Business Associate or the applicable Covered Entity has agreed to or is required to abide by under 45 CFR § 164.522, to the extent that such restriction may affect ACCESS’ Use or Disclosure of PHI.

4. Term and Termination.

(a) Term. The Term, Termination and Effects of Termination of this BASA shall be the same as the terms and conditions identified in the Underlying Agreement. The obligations of ACCESS shall terminate when all of the PHI provided by Business Associate to ACCESS, or created, received or maintained by ACCESS on behalf of Business Associate, is destroyed or returned to Business Associate. If it is infeasible to return or destroy PHI, protections will be extended to such information in accordance with 4(c) below.

(b) Termination for Cause. Upon Business Associate’s knowledge of a material breach of this BASA by ACCESS, Business Associate shall provide at least sixty (60) days’ notice and opportunity for ACCESS to cure the breach or provide reasonable measures to prevent another like breach. If ACCESS does not cure the breach, provide reasonable measures to prevent another like breach or end the violation within the time specified by this Section, Business Associate may immediately terminate this BASA. If ACCESS has breached a material term of this BASA, and neither cure, nor reasonable measures to prevent another like kind breach is possible, and termination is not feasible, Business Associate shall report the violation to the Secretary.

(c) Effect of Termination.

1.  Upon termination of this BASA in accordance with the provisions of this BASA and the Underlying Agreement, ACCESS shall return or destroy all PHI received from Business Associate, or created, maintained or received by ACCESS on behalf of Business Associate, that ACCESS still maintains in any This provision shall apply to PHI that is in the possession of Subcontractors or agents of ACCESS. ACCESS shall retain no copies of the PHI.

2.  In the event that ACCESS determines that returning or destroying the PHI is infeasible, ACCESS shall provide to Business Associate notification of the conditions that make return or destruction Upon the Business Associate’s acceptance that return or destruction of PHI is infeasible, ACCESS shall extend the protections of this BASA to such PHI and limit further Uses and Disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as ACCESS maintains such PHI. ACCESS shall be entitled to compensation for continued maintenance of PHI as provided for in the Underlying Agreement.

(d) Business Associate shall pay the charges of ACCESS for the return and/or destruction of PHI as set forth in the Underlying The obligations of ACCESS under this Section 4 shall survive termination of this BASA.

5. Miscellaneous.

(a) Amendment. The parties agree to negotiate in good faith any amendment to this BASA that may be required from time to time as is necessary for compliance with the HIPAA Rules and any other applicable law. If the parties cannot reach mutual agreement on the terms of any such amendment within sixty (60) days following the date of receipt of any such written request made by one party to the other, then either party shall have the right to terminate this BASA and the Agreement upon providing not less than thirty (30) days’ written notice to the other party.

(b) Interpretation. Any ambiguity in this BASA shall be interpreted to permit compliance with the HIPAA Rules.

(c) No Third Party Beneficiaries. Nothing express or implied in this BASA is intended to confer, nor shall anything herein confer, upon any person other than Business Associate, ACCESS and their respective successors or assigns, any rights, remedies, obligations or liabilities whatsoever.

 

Where any of the terms and conditions in this BASA are in conflict with the Underlying Agreement and cannot be read in any way to be compatible, those in the Underlying Agreement shall prevail, except to the extent said interpretation would violate the HIPAA Rules.

IN WITNESS WHEREOF, each of the parties has caused this BASA to be executed by its duly authorized representatives as of the Effective Date first set forth in the Underlying Agreement.

 

Revised October 25, 2016

Talk to an expert who can help you find the right solution.

Please complete this form and an Access representative will contact you to discuss how we can help.

If you are an existing client please click here to contact client care.