HIPAA Business Associate Agreement
This mymedicalimages.com HIPAA Business Associate Agreement (the “HIPAA BAA”) is entered into as of the date specified above (“Effective Date”) between the mymedicalimages.com, LLC entity identified above (“mymedicalimages.com”) and the partner identified above (“Partner”). This HIPAA BAA will govern each party’s respective obligations regarding Protected Health Information. If the Partner is obligated to another Business Associate Agreement with mymedicalimages.com, LLC, that Business Associate Agreement supersedes this agreement.
- Definitions. Capitalized terms used here, but not defined here, are defined in the Agreement or under HIPAA.
“HIPAA” means the Health Insurance Portability and Accountability Act of 1996 and the rules and the regulations thereunder, as amended, and including the HITECH Act.
“HITECH Act” means the Health Information Technology for Economic and Clinical Health Act, which is Title XIII of the American Recovery & Reinvestment Act, and the regulations thereunder, as amended.
“Included Functionality.” means mymedicalimages.com site and provided software therein.
“Protected Health Information” or “PHI” will have the meaning given to it under HIPAA if provided to mymedicalimages.com as Stored Data in connection with Partner’s use of the Services provided under the Agreement.
“Secretary” means the Secretary of the U.S. Department of Health and Human Services.
“Security Rule” means 45 C.F.R., Part 164, Subpart C, under HIPAA.
- Applicability.
- Scope. This HIPAA BAA applies to the extent the Partner is acting as a Covered Entity or Business Associate, to create, receive, maintain or transmit PHI and where mymedicalimages.com, as a result, is deemed under HIPAA to be acting as a Business Associate of the Partner.
- Included Functionality. As of the effective date of this Agreement, this Agreement is applicable only to the Included Functionality. mymedicalimages.com may expand the scope of the Included Functionality by providing written and/or electronic notice to the Partner, on which date this HIPAA BAA will automatically apply to the additional new functionality and features identified in that notice.
- Use and Disclosure.
- Permitted Use. mymedicalimages.com may use and disclose PHI only as permitted under HIPAA and as specified in this HIPAA BAA. mymedicalimages.com may also use and disclose PHI for the proper management and administration of mymedicalimages.com’s business and to carry out the legal responsibilities of mymedicalimages.com, provided that any disclosure of PHI for these purposes may only occur if: (a) required by applicable
law; or (b) mymedicalimages.com enters into a business associate agreement with the person or entity to whom PHI will be disclosed. - Restricted Disclosure. The Partner will not request mymedicalimages.com to use or disclose PHI in any manner that would not be permissible under HIPAA if done by a Covered Entity itself, unless otherwise expressly permitted under HIPAA for a Business Associate. In connection with the Partner’s management and administration of the Included Functionality to End Users, the Partner is responsible for using the available controls within the Included Functionality to support its HIPAA compliance requirements.
- Permitted Use. mymedicalimages.com may use and disclose PHI only as permitted under HIPAA and as specified in this HIPAA BAA. mymedicalimages.com may also use and disclose PHI for the proper management and administration of mymedicalimages.com’s business and to carry out the legal responsibilities of mymedicalimages.com, provided that any disclosure of PHI for these purposes may only occur if: (a) required by applicable
- Appropriate Safeguards. mymedicalimages.com and the Partner will use appropriate safeguards designed to prevent against unauthorized use or disclosure of PHI, consistent with this HIPAA BAA, and as otherwise required under the Security Rule, with respect to the Included Functionality.
- Notification.
- Following Discovery of a Breach. mymedicalimages.com will promptly notify the Partner following the discovery of a
Breach resulting in the unauthorized use or disclosure of PHI in violation of this HIPAA BAA: (a) in the most expedient time possible under the circumstances; (b) consistent with the legitimate needs of applicable law enforcement and applicable laws; (c) after taking any measures necessary to determine the scope of the Breach; and (d) to restore the reasonable integrity of the Included Functionality by using commercially reasonable efforts to mitigate any further harmful effects to the extent practicable. The Partner will promptly notify mymedicalimages.com following the discovery of a Breach (or suspected Breach) resulting in the unauthorized use or disclosure of PHI in violation of this HIPAA BAA in the most expedient time possible under the circumstances. - To the Notification E-mail. mymedicalimages.com will send any applicable Breach notifications to the Notification E-mail set forth above. The Partner, and not mymedicalimages.com, is responsible for determining whether it’s End Users are authorized to create, receive, maintain or transmit PHI within the Included Functionality and mymedicalimages.com is not obligated to do so. The Partner will send any applicable Breach notifications to privacy@mymedicalimages.com./li>
- Additional Notice. This serves as notice to the Partner that mymedicalimages.com periodically receives unsuccessful attempts for unauthorized access, use, disclosure, modification or destruction of information or interference with the general operation of mymedicalimages.com’s information systems and the Included Functionality. Even if the events described in the preceding sentence are defined as a Security Incident under HIPAA, mymedicalimages.com will not provide notice regarding these unsuccessful attempts.
- Following Discovery of a Breach. mymedicalimages.com will promptly notify the Partner following the discovery of a
- Agents and Subcontractors.
- Coverage. mymedicalimages.com will take appropriate measures to ensure that any agents and subcontractors used by mymedicalimages.com to perform its obligations under this agreement that require access to PHI on behalf of mymedicalimages.com are bound by written obligations that provide the same material level of protection for PHI as this HIPAA BAA.
- Responsibility. To the extent mymedicalimages.com uses agents and subcontractors in its performance of obligations hereunder, mymedicalimages.com will remain responsible for their performance as if performed by mymedicalimages.com itself under this agreement.
- Access to Records.
- To Support Individual Requests. mymedicalimages.com will make available to the Partner the PHI via the Services so the Partner may fulfill its obligation to give individuals their rights of access, amendment, and accounting in accordance with the requirements under HIPAA. The Partner is responsible for managing its use of the Included Functionality to appropriately respond to these individual requests
- By the Secretary. To the extent required by law, and subject to applicable
attorney client privileges, mymedicalimages.com will make its internal practices, books, and records concerning the use and disclosure of PHI received from the Partner, or created or received by mymedicalimages.com on behalf of the Partner, available to the Secretary for the purpose of the Secretary determining compliance with this HIPAA BAA.>
- Return or Destruction of PHI.
- Following Termination of the BAA. mymedicalimages.com agrees that within a commercially reasonable period following termination of the Agreement, not to exceed ninety days, mymedicalimages.com will return or destroy all PHI received from the Partner, or created by mymedicalimages.com on behalf of the Partner. Despite the foregoing, if this return or destruction is not feasible, mymedicalimages.com will extend the protections of this HIPAA BAA to the PHI not returned or destroyed and limit further uses and disclosures to those purposes that make the return or destruction of the PHI infeasible.
- Termination.
Partner may immediately terminate this HIPAA BAA upon ten days written notice to mymedicalimages.com if mymedicalimages.com has materially breached this HIPAA BAA and this breach is not reasonably capable of being cured. - Term. This HIPAA BAA will expire upon the earlier
of: (a) a permitted termination in accordance with this HIPAA BAA; (b) the execution of an updated HIPAA BAA that supersedes this HIPAA BAA. - Interpretation. It is the parties’ intent that any ambiguity under this HIPAA BAA
be interpreted consistently with the intent to comply with applicable laws.