Information is your most valuable asset. It’s our passion.
Ready to take control of your information lifecycle? We handle documents for more than 30,000 businesses in North America. Let us help you handle yours.
Access Business Associate Agreement
This Business Associate Agreement (“BAA”) is made between the Access company set forth in the client’s agreement (“ACCESS”) and the client (“CLIENT”), and supplements the Master Agreement for Records Storage and Management Services and/or Service Agreement for Secure Destruction Services and/or Access Service Terms and Conditions found at https://www.accesscorp.com/access-service-terms-and-conditions/ and/or other agreement (the applicable agreement hereinafter referred to as the “Agreement”) entered into between ACCESS and CLIENT pursuant to which ACCESS is providing services for information/records storage and/or confidential destruction of records (“Services”). Capitalized terms used but not otherwise defined in this BAA shall have the same meaning as ascribed to those terms in the HIPAA Rules and the HITECH Act (as those terms are defined in Section 1 below).
ACCESS and CLIENT are entering into this BAA in order for both parties to meet the relevant requirements of HIPAA, as well as the provisions of the HITECH Act, along with any accompanying regulations, under which CLIENT is a “Covered Entity” and ACCESS is a “Business Associate” of CLIENT. If and to the extent that CLIENT is not, or subsequently ceases to continue to be, a Covered Entity under HIPAA, or ACCESS is not, or ceases to continue to be, a Business Associate under HIPAA, this BAA shall be of no effect.
This BAA shall be effective only if the Agreement becomes effective and, if so, this BAA shall be effective as of the Effective Date set forth in the Agreement.
1. Definitions.
“Business Associate” shall generally have the same meaning as the term “business associate” at 45 CFR 160.103, and in reference to the party to this BAA, shall mean ACCESS.
“Covered Entity” shall generally have the same meaning as the term “covered entity” at 45 CFR 160.103, and in reference to the party to this BAA, shall mean CLIENT.
“HIPAA” shall mean the Health Insurance Portability and Accountability Act of 1996, and accompanying regulations, as may be amended from time to time.
“HIPAA Rules” shall mean the HIPAA Privacy, Security, Breach Notification and Enforcement Rules at 45 CFR Part 160 and Part 164. Any reference in this BAA to a section in the HIPAA Rules means the section in effect or as amended.
“HITECH Act” shall mean the applicable provisions of the Health Information Technology for Economic and Clinical Health Act, as incorporated in the American Recovery and Reinvestment Act of 2009 and any accompanying regulations.
“Privacy Rule” shall mean the Standards for Privacy of Individually Identifiable Health Information at 45 CFR, Parts 160 and 164.
“Security Rule” shall mean the HIPAA Security Standards codified at 45 CFR Parts 160, 162, and 164.
The following terms used in this BAA shall have the same meaning as those terms in the HIPAA Rules:
Breach, Data Aggregation, Designated Record Set, Disclosure, Individual, Minimum Necessary, Protected Health Information (or “PHI”), Required By Law, Secretary, Security Incident, Subcontractor, Unsecured Protected Health Information, and Use.
2. Obligations and Activities of Business Associate under the HIPAA Rules to the Extent Applicable to the Services Provided Under the Agreement.
(a) Business Associate may only Use or disclose PHI as necessary to perform the services set forth in the Agreement, as permitted or required by this BAA, the Agreement or as Required By Law. Additionally, Business Associate may Use or disclose PHI for the purposes authorized by this BAA only (i) to its employees, Subcontractors and agents, in accordance with this BAA, or (ii) as directed by Covered Entity, if such Use or Disclosure of PHI would not violate the HIPAA Rules. Except as otherwise limited in this BAA, Business Associate may Use PHI for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate.
(b) Except as otherwise limited in this BAA, Business Associate may use PHI to provide Data Aggregation services relating to the health care operations of the Covered Entity.
(c) Business Associate’s Use, Disclosure or request of PHI shall utilize a limited data set if practicable or otherwise the Minimum Necessary PHI to accomplish the intended results of the Use, Disclosure or request.
(d) Business Associate agrees to implement appropriate safeguards to prevent Use or Disclosure of the PHI other than as permitted by this BAA or the Agreement or as Required By Law. Such safeguards shall include implementing requirements of the Security Rule with regard to electronic PHI.
(e) Business Associate agrees to mitigate, to the extent practicable and within the limits of liability established in the Agreement or to a maximum of six (6) months of charges paid by CLENT to ACCESS, whichever is less, any harmful effect that is known to Business Associate of a Breach of Unsecured PHI or Use or Disclosure of PHI by Business Associate as a result of Business Associate’s Breach of this BAA. This is ACCESS’ maximum liability for any and all claims, causes of action, fines, penalties, damages, costs or expenses arising hereunder.
(f) Business Associate agrees to report to Covered Entity (i) any Use or Disclosure of PHI not provided for by this BAA or the Agreement of which it becomes aware, (ii) any Breach of Unsecured Protected Health Information, and/or (iii) any Security Incident. Such notice shall be given promptly and in any event within the timeframe required by 45 CFR § 164.410. Any such report shall include (i) the identification (if known) of each Individual whose Unsecured Protected Health Information has been, or is reasonably believed by Business Associate to have been, accessed, acquired, used or disclosed during such Breach, and (ii) any other available information (to the extent known) Covered Entity is required to include in notification to the Individual under 45 CFR § 164.404(c) such as a brief description of the incident and the nature of the information disclosed. Covered Entity shall report any Breach of Unsecured PHI to Individuals, the Secretary, the HHS Office for Civil Rights and/or the media as Required by Law.
(g) In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), Business Associate agrees to ensure that any agent, including a Subcontractor, to whom it provides Covered Entity’s PHI, or whom it allows to create, receive, maintain or transmit Covered Entity’s PHI (including electronic PHI) on its behalf, agrees, in writing, to the same restrictions that apply to Business Associate with respect to such PHI.
(h) To the extent (if any) that Business Associate maintains a Designated Record Set for Covered Entity, Business Associate agrees to provide access, to the Covered Entity at its request, to PHI in a Designated Record Set, so that Covered Entity may respond to an Individual in order to meet the requirements under 45 CFR 164.524. Any request from an Individual directly to Business Associate shall promptly be forwarded to Covered Entity for a response.
(i) To the extent (if any) that Business Associate maintains a Designated Record Set for Covered Entity, and is notified by Covered Entity that an amendment to PHI in a Designated Record Set is required, then Covered Entity shall instruct Business Associate to retrieve the record or any other such document identified by Covered Entity in a Designated Record Set so that Covered Entity may make any such amendment to the PHI as may be required by either the Covered Entity or an Individual.
(j) Business Associate agrees to make its internal practices, books and records relating to the Use and Disclosure of PHI, available to the Secretary, upon request of the Secretary or Covered Entity, upon receiving not less than five (5) days’ advance written notification by Covered Entity, for the purpose of determining compliance with HIPAA Rules.
(k) Where requested by Covered Entity in connection with a specific request from an Individual and consistent with this paragraph, Business Associate agrees to document as set forth below such Disclosures of PHI (but only to the extent that Covered Entity has provided Business Associate with sufficient information to know that PHI may reside in the records or other such documents delivered by Covered Entity to Business Associate). Subject to Covered Entity providing Business Associate with sufficient information upon which to make a determination as to the existence of PHI in records or such other documents delivered by Covered Entity to Business Associate, the documentation of such Disclosures shall contain such information related to such Disclosures as would be required for Covered Entity to respond to the request by an Individual for an accounting of Disclosures of PHI in accordance with 45 CFR § 164.528.
(l) Business Associate agrees to provide to Covered Entity, upon receiving not less than five (5) days advance written notification by Covered Entity, information or a record about an Individual contained in a Designated Record Set to permit Covered Entity to respond to a specific request by an Individual for an accounting of Disclosures of PHI in accordance with 45 CFR § 164.528.
(m) Covered Entity shall pay Business Associate’s reasonable charges for performing its obligations under this Section 2, provided such fees shall comply with HIPAA Rules.
3. Obligations of Covered Entity.
Covered Entity shall not request Business Associate to Use or disclose PHI in any manner that would not be permissible under Subpart E of 45 CFR Part 164 if done by Covered Entity (except to the extent Business Associate performs Data Aggregation or for the management and administration and legal responsibilities of the Business Associate). Notwithstanding anything to the contrary herein, Covered Entity acknowledges that any Use or Disclosure of PHI made by Business Associate at the request of Covered Entity is made in reliance that such request is permissible and Covered Entity is requesting the Minimum Necessary to accomplish the intended purpose of the Use or Disclosure or request. Covered Entity shall indemnify Business Associate for any damages, costs, fines or penalties incurred by reason of actions taken by Business Associate pursuant to Covered Entity instructions or requests that are in breach of this provision or applicable law.
(a) Covered Entity shall notify Business Associate of any limitation(s) in its notice of privacy practices in accordance with 45 CFR § 164.520, to the extent that such limitation may affect Business Associate’s Use or Disclosure of PHI.
(b) Covered Entity shall notify Business Associate of any changes in, or revocation of, permission by an Individual to Use or disclose his or her PHI, to the extent that such changes may affect Business Associate’s Use or Disclosure of PHI.
(c) Covered Entity shall notify Business Associate of any restriction on the Use or Disclosure of PHI that Covered Entity has agreed to or is required to abide by under 45 CFR §164.522, to the extent that such restriction may affect Business Associate’s Use or Disclosure of PHI.
4. Term and Termination.
(a) Term. The Term, Termination and Effects of Termination of this BAA shall be the same as the terms and conditions identified in the Agreement. The obligations of Business Associate shall terminate when all of the PHI provided by Covered Entity to Business Associate, or created, received or maintained by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity, or, if it is infeasible to return or destroy PHI, protections are extended to such information in accordance with the termination provisions in the Agreement.
(b) Termination for Cause. Upon Covered Entity’s knowledge of a material breach of this BAA by Business Associate, Covered Entity shall provide at least sixty (60) days’ notice and opportunity for Business Associate to cure the breach or provide reasonable measures to prevent another like breach. If Business Associate does not cure the breach, provide reasonable measures to prevent another like breach, or end the violation within the time specified by this Section, Covered Entity may immediately terminate this BAA. If Business Associate has breached a material term of this BAA and cure is not possible, or if neither cure nor termination is feasible, Covered Entity shall report the violation to the Secretary.
(c) Effect of Termination.
1. Except as provided in the Agreement and paragraph 2 of this Section, upon termination of this BAA in accordance with the provisions of this BAA and the Agreement, Business Associate shall return or destroy all PHI received from Covered Entity, or created, maintained or received by Business Associate on behalf of Covered Entity, that the Business Associate still maintains in any form. This provision shall apply to PHI that is in the possession of Subcontractors or agents of Business Associate. Business Associate shall retain no copies of the PHI.
2. In the event that Business Associate determines that returning or destroying the PHI is infeasible, Business Associate shall provide to Covered Entity notification of the conditions that make return or destruction infeasible. Upon the Covered Entity’s acceptance that return or destruction of PHI is infeasible, Business Associate shall extend the protections of this BAA to such PHI and limit further Uses and Disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such PHI. Business Associate shall be entitled to compensation for continued maintenance of PHI as provided for in the Agreement and price schedules.
(d) Covered Entity shall pay the charges of Business Associate for the return and/or destruction of PHI as set forth in the Agreement. The obligations of Business Associate under this Section 4 shall survive termination of this BAA.
5. Miscellaneous.
(a) Interpretation. Any ambiguity in this BAA shall be interpreted to permit compliance with the HIPAA Rules.
(b) No Third Party Beneficiaries. Nothing express or implied in this BAA is intended to confer, nor shall anything herein confer, upon any person other than Covered Entity, Business Associate and their respective successors or assigns, any rights, remedies, obligations or liabilities whatsoever.
(c) ACCESS may amend this BAA from time to time. When ACCESS makes material changes to this BAA, ACCESS will notify you. You can tell when this BAA was last updated by looking at the revision date. Any changes to this BAA will become effective upon posting on the site. Continued use of the services provided by ACCESS constitutes CLIENT’s acceptance of the revised BAA then in effect.
Where any of the terms and conditions in this BAA are in conflict with the Agreement and cannot be read in any way to be compatible, those in the Agreement shall prevail, except to the extent said interpretation would violate the HIPAA Rules.
Revised August 31, 2016
No material changes from original version
Revised December 1, 2016
Material changes from August 31, 2016 version:
1. Update paragraph 1 to clarify and confirm that this BAA applies to Access Service Terms and Conditions located in Access’ website.
2. Update Section 5 to describe amendment process of BAA.
Access Business Associate Subcontractor Agreement
This Business Associate Subcontractor Agreement (“BASA”) is made between the CLIENT (“Business Associate”) and the Access company set forth in- the underlying agreement between Access and Client (“ACCESS”) and supplements the Master Agreement for Records Storage and Management Services and/or Service Agreement for Secure Destruction Services and/or Access Service Terms and Conditions found at https://www.accesscorp.com/access-service-terms-and-conditions/ and/or other agreement (the applicable agreement hereinafter referred to as the “Underlying Agreement”) entered into between ACCESS and Business Associate pursuant to which ACCESS is providing services for information/records storage and/or confidential destruction of records (“Services”). Capitalized terms used but not otherwise defined in this BASA shall have the same meaning as ascribed to those terms in the HIPAA Rules and the HITECH Act (as those terms are defined in Section 1 below).
WHEREAS, Business Associate provides services for certain of its clients (each individually a “Covered Entity”) that involve Business Associate creating, receiving, maintaining, transmitting or otherwise Using or Disclosing PHI; and
WHEREAS, ACCESS is a Business Associate Subcontractor of Business Associate under the HIPAA Rules; and
WHEREAS, pursuant to its agreements with one or more Covered Entities and HIPAA, Business Associate is required to ensure that ACCESS will appropriately safeguard, Use and Disclose PHI in accordance with HIPAA; and
WHEREAS, the parties are committed to complying with HIPAA and the HITECH Act and the standards for privacy and security of PHI as set forth therein;
NOW THEREFORE, for good and valuable consideration and the mutual covenants and promises contained herein, the parties hereto, intending to be legally bound, hereby agree as follows:
1. Definitions.
“HIPAA” shall mean the Health Insurance Portability and Accountability Act of 1996, and accompanying regulations, as may be amended from time to time.
“HIPAA Rules” shall mean the HIPAA Privacy, Security, Breach Notification and Enforcement Rules at 45 CFR Part 160 and Part 164. Any reference in this BASA to a section in the HIPAA Rules means the section in effect or as amended.
“HITECH Act” shall mean the applicable provisions of the Health Information Technology for Economic and Clinical Health Act, as incorporated in the American Recovery and Reinvestment Act of 2009 and any accompanying regulations.
“Privacy Rule” shall mean the Standards for Privacy of Individually Identifiable Health Information at 45 CFR, Parts 160 and 164.
“Security Rule” shall mean the HIPAA Security Standards codified at 45 CFR Parts 160, 162, and 164.
The following terms used in this BASA shall have the same meaning as those terms in the HIPAA Rules: Breach, Data Aggregation, Designated Record Set, Disclosure, Individual, Minimum Necessary, Protected Health Information (or “PHI”), Required By Law, Secretary, Security Incident, Subcontractor, Unsecured Protected Health Information, and Use.
2. Obligations and Activities of ACCESS under the HIPAA Rules.
(a) ACCESS may only Use or Disclose PHI as necessary to perform the services set forth in the Underlying Agreement, as permitted or required by this BASA, or as Required by Additionally, ACCESS may Use or Disclose PHI for the purposes authorized by this BASA only (i) to its employees, its Subcontractors and agents, in accordance with this BASA, or (ii) as directed by Business Associate, if such Use or Disclosure of PHI would not violate the HIPAA Rules. Except as otherwise limited in this BASA, ACCESS may Use PHI for the proper management and administration of the ACCESS or to carry out the legal responsibilities of the ACCESS.
(b) Except as otherwise limited in this BASA, ACCESS may, if and as requested by Business Associate, use PHI to provide Data Aggregation services relating to the health care operations of a Covered Entity.
(c) ACCESS’ Use, Disclosure or request of PHI shall utilize a limited data set if practicable or otherwise the Minimum Necessary PHI to accomplish the intended results of the Use, Disclosure or request.
(d) ACCESS agrees to implement appropriate safeguards to prevent Use or Disclosure of the PHI other than as permitted by this BASA or the Underlying Agreement or as Required by Such safeguards shall include implementing requirements of the Security Rule with regard to electronic PHI.
(e) ACCESS agrees to mitigate, to the extent practicable and within the limits of liability established in the Underlying Agreement or to a maximum of six (6) months of charges paid by Business Associate to ACCESS, whichever is more, (or a maximum of six (6) months of charges if there is no limit of liability in the Underlying Agreement), any harmful effect to Business Associate that is known to ACCESS of a Breach of Unsecured PHI or unauthorized Use or Disclosure of PHI by ACCESS as a result of ACCESS’ breach of this BASA. This is ACCESS’ maximum liability for any and all claims, causes of action, fines, penalties, damages, costs or expenses arising hereunder.
(f) ACCESS agrees to report to Business Associate (i) any Use or Disclosure of PHI not provided for by this BASA or the Underlying Agreement of which it becomes aware, (ii) any Breach of Unsecured Protected Health Information, and/or (iii) any Security Incident affecting the PHI of the applicable Covered Such notice shall be given promptly and in any event within the timeframe required by 45 CFR § 164.410. Any such report shall include (i) the identification (if known) of each individual whose Unsecured Protected Health Information has been, or is reasonably believed by ACCESS to have been, accessed, acquired, used or disclosed during such Breach, and (ii) any other available information (to the extent known) Business Associate is required to include in notification to a Covered Entity or an Individual under 45 CFR § 164.404(c) such as a brief description of the incident and the nature of the information disclosed. Business Associate shall report any Breach of Unsecured PHI to any applicable Covered Entity, Individuals, the Secretary, the HHS Office for Civil Rights and/or the media as Required by Law.
(g) In accordance with 45 CFR 502(e)(1)(ii) and 164.308(b)(2) if applicable, ACCESS agrees to ensure that any agent, including its Subcontractor if any, to whom it provides PHI, or PHI created, received, maintained or transmitted by ACCESS on behalf of Business Associate, agrees in writing to the same restrictions that apply to ACCESS with respect to such PHI.
(h) To the extent (if any) that ACCESS maintains a Designated Record Set for Business Associate on behalf of any Covered Entity, ACCESS agrees to provide access, to the Business Associate at its request, to PHI in a Designated Record Set, so that Business Associate may respond to a Covered Entity or an Individual in order to meet the requirements under 45 CFR 524. Any request from an Individual directly to ACCESS shall promptly be forwarded to Business Associate for a response.
(i) To the extent (if any) that ACCESS maintains a Designated Record Set for Business Associate and is notified by Business Associate that an amendment to PHI in a Designated Record Set is required, then Business Associate shall instruct ACCESS to retrieve the record or any other such document identified by Business Associate in a Designated Record Set so that Business Associate may make any such amendment to the PHI as may be required.
(j) ACCESS agrees to make its internal practices, books and records relating to the Use and Disclosure of PHI, available to the Secretary, upon request of the Secretary or Business Associate, upon receiving not less than five (5) days’ advance written notification by Business Associate, for the purpose of determining compliance with HIPAA Rules.
(k) Where requested by Business Associate in connection with a specific request from an Individual and consistent with this paragraph, ACCESS agrees to document as set forth below such Disclosures of PHI (but only to the extent that Business Associate has provided ACCESS with sufficient information to know that PHI may reside in the records or other such documents delivered by Business Associate to ACCESS). Subject to Business Associate providing ACCESS with sufficient information upon which to make a determination as to the existence of PHI in records or such other documents delivered by Business Associate to ACCESS, the documentation of such Disclosures shall contain such information related to such Disclosures as would be required for Business Associate to respond to the request by an Individual for an accounting of Disclosures of PHI in accordance with 45 CFR § 164.528.
(l) ACCESS agrees to provide to Business Associate, upon receiving not less than five (5) days’ advance written notification by Business Associate, information or a record about an Individual contained in a Designated Record Set to permit Business Associate to respond to a specific request by an Individual for an accounting of Disclosures of PHI in accordance with 45 CFR 164.528.
(m) Business Associate shall pay ACCESS’ reasonable charges for performing its obligations under this Section 2, provided such fees shall comply with HIPAA Rules.
3. Obligations of Business Associate.
(a) Business Associate shall not request ACCESS to Use or Disclose PHI in any manner that would not be permissible under Subpart E of 45 CFR Part 164 if done by Business Associate (except to the extent ACCESS performs Data Aggregation or for the management and administration and legal responsibilities of the ACCESS). Notwithstanding anything to the contrary herein, Business Associate acknowledges that any Use or Disclosure of PHI made by ACCESS at the request of Business Associate is made in reliance that such request is permissible and Business Associate is requesting the Minimum Necessary to accomplish the intended purpose of the Use or Disclosure or request.
(b) Business Associate shall notify ACCESS of any limitation(s) in its notice of privacy practices or the applicable Covered Entity’s practices in accordance with 45 CFR 164.520, to the extent that such limitation may affect ACCESS’ Use or Disclosure of PHI.
(c) Business Associate shall notify ACCESS of any changes in, or revocation of, permission by an Individual to Use or Disclose his or her PHI, to the extent that such changes may affect ACCESS’ Use or Disclosure of PHI.
(d) Business Associate shall notify ACCESS of any restriction on the Use or Disclosure of PHI that Business Associate or the applicable Covered Entity has agreed to or is required to abide by under 45 CFR §164.522, to the extent that such restriction may affect ACCESS’ Use or Disclosure of PHI.
4. Term and Termination.
(a) Term. The Term, Termination and Effects of Termination of this BASA shall be the same as the terms and conditions identified in the Underlying Agreement. The obligations of ACCESS shall terminate when all of the PHI provided by Business Associate to ACCESS, or created, received or maintained by ACCESS on behalf of Business Associate, is destroyed or returned to Business Associate. If it is infeasible to return or destroy PHI, protections will be extended to such information in accordance with 4(c) below.
(b) Termination for Cause. Upon Business Associate’s knowledge of a material breach of this BASA by ACCESS, Business Associate shall provide at least sixty (60) days’ notice and opportunity for ACCESS to cure the breach or provide reasonable measures to prevent another like breach. If ACCESS does not cure the breach, provide reasonable measures to prevent another like breach or end the violation within the time specified by this Section, Business Associate may immediately terminate this BASA. If ACCESS has breached a material term of this BASA, and neither cure, nor reasonable measures to prevent another like kind breach is possible, and termination is not feasible, Business Associate shall report the violation to the Secretary.
(c) Effect of Termination.
1. Upon termination of this BASA in accordance with the provisions of this BASA and the Underlying Agreement, ACCESS shall return or destroy all PHI received from Business Associate, or created, maintained or received by ACCESS on behalf of Business Associate, that ACCESS still maintains in any form. This provision shall apply to PHI that is in the possession of Subcontractors or agents of ACCESS. ACCESS shall retain no copies of the PHI.
2. In the event that ACCESS determines that returning or destroying the PHI is infeasible, ACCESS shall provide to Business Associate notification of the conditions that make return or destruction infeasible Upon the Business Associate’s acceptance that return or destruction of PHI is infeasible, ACCESS shall extend the protections of this BASA to such PHI and limit further Uses and Disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as ACCESS maintains such PHI. ACCESS shall be entitled to compensation for continued maintenance of PHI as provided for in the Underlying Agreement or price schedules.
(d) Business Associate shall pay the charges of ACCESS for the return and/or destruction of PHI as set forth in the Underlying Agreement. The obligations of ACCESS under this Section 4 shall survive termination of this BASA.
5. Miscellaneous.
(a) Interpretation. Any ambiguity in this BASA shall be interpreted to permit compliance with the HIPAA Rules.
(b) No Third Party Beneficiaries. Nothing express or implied in this BASA is intended to confer, nor shall anything herein confer, upon any person other than Business Associate, ACCESS and their respective successors or assigns, any rights, remedies, obligations or liabilities whatsoever.
(c) ACCESS may amend this BASA from time to time. When ACCESS makes material changes to this BASA, ACCESS will notify you. You can tell when this BASA was last updated by looking at the revision date. Any changes to this BASA will become effective upon posting on the site. Continued use of the services provided by ACCESS constitutes CLIENT’s acceptance of the revised BASA then in effect.
Where any of the terms and conditions in this BASA are in conflict with the Underlying Agreement and cannot be read in any way to be compatible, those in the Underlying Agreement shall prevail, except to the extent said interpretation would violate the HIPAA Rules.
Originally posted August 31, 2016
Revised December 1, 2016
Material changes from August 31, 2016 version:
1. Update paragraph 1 to clarify and confirm that this BASA applies to Access Service Terms and Conditions located in Access’ website.
2. Update Section 5 to describe amendment process of BASA.