HIPAA BUSINESS ASSOCIATE AGREEMENT

Table of Contents

  • 1. PREAMBLE AND DEFINITIONS.
  • 2. GENERAL OBLIGATIONS OF BUSINESS ASSOCIATE.
  • 3. PERMITTED USES AND DISCLOSURES BY BUSINESS ASSOCIATE.
  • 4. OBLIGATIONS OF COVERED ENTITY.
  • 5. COMPLIANCE WITH SECURITY RULE.
  • 6. INDEMNIFICATION.
  • 7. TERM AND TERMINATION.
  • 8. MISCELLANEOUS.
  • 9. HITECH ACT Compliance.

1. PREAMBLE AND DEFINITIONS.

1.1. Pursuant to the Health Insurance Portability and Accountability Act of 1996, as amended (“HIPAA”), Zues Software Inc. (“Covered Entity” or “MediZues”), a corporation, with a mailing address of 4015 TRAVIS DRIVE STE 211 #238, Nashville, Tennessee, 37211, and You (“Business Associate,” “Agent,” “User,” or “You”), enter into this Business Associate Agreement (“BAA”) as of the date that Business Associate signed up with MediZues by registering an account with MediZues or otherwise used our Website or our Services (the “Effective Date”) that addresses the HIPAA requirements with respect to “business associates,” as defined under the privacy, security, breach notification, and enforcement rules at 45 C.F.R. Part 160 and Part 164 (“HIPAA Rules”).

  • 1.1.1. In this BAA, Covered Entity and Business Associate are each a “Party” and, collectively, are the “Parties”. A reference in this BAA to a section in the HIPAA Rules means the section as in effect or as amended. The term “Business Associate” refers to the user who agrees to the terms and conditions of this BAA by signing up for MediZues, without the need for entering additional personal information or providing a handwritten signature.
  • 1.1.2. By signing up for the software product MediZues, using the MediZues Website, or using the MediZues Services, owned by Zues Software Inc., User automatically becomes the Business Associate as per the terms of this BAA.
  • 1.1.3. In accordance with the meaning given to those terms at 45 CFR § 164.501, the Business Associate agrees to abide by all the terms and conditions outlined in this BAA by virtue of their registration with MediZues.

1.2. Background.

  • 1.2.1. Covered Entity is either a “covered entity” or “business associate” of a covered entity as each are defined under the Health Insurance Portability and Accountability Act of 1986, Public Law 104-191, as amended by the HITECH ACT (as defined below) and the related regulations promulgated by HHS (as defined below) (collectively, “HIPAA”) and, as such, is required to comply with HIPAA’s provisions regarding the confidentiality and privacy of Protected Health Information (as defined below);
  • 1.2.2. The Parties have entered into or will enter into one or more agreements under which Business Associate provides or will provide certain specified services to Covered Entity (collectively, the “Agreement”);
  • 1.2.3. In providing services pursuant to the Agreement, Business Associate will have access to Protected Health Information;
  • 1.2.4. By providing the services pursuant to the Agreement, Business Associate will become a “business associate” of the Covered Entity as such term is defined under HIPAA;
  • 1.2.5. Both Parties are committed to complying with all federal and state laws governing confidentiality and privacy of health information, including, but not limited to, the Standards for Privacy of Individually Identifiable Health Information found at 45 CFR Part 160 and Part 164, Subparts A and E (collectively, the “Privacy Rule”); and
  • 1.2.6. Both Parties intend to protect the privacy and provide for the security of Protected Health Information disclosed to Business Associate pursuant to this Agreement, HIPAA and other applicable laws.

1.3. This BAA is intended to ensure that Business Associate will establish and implement appropriate safeguards for the Protected Health Information (“PHI”) (as defined under the HIPAA Rules) that Business Associate may receive, create, maintain, use, or disclose in connection with the functions, activities, and services that Business Associate performs for Covered Entity. The functions, activities, and services that Business Associate performs for Covered Entity are defined in our Agent Terms and Conditions of Service, available at medizues.com/terms-and-conditions-of-service, our Business Associate Policy, available at medizues.com/business_associate_policy, and our Information Security Policy, available at www.medizues.com/information-security-policy (the “Underlying Agreements”).

1.4. Pursuant to changes required under the Health Information Technology for Economic and Clinical Health Act of 2009 (the “HITECH Act”) and under the American Recovery and Reinvestment Act of 2009 (“ARRA”), this BAA also reflects federal breach notification requirements imposed on Business Associate when “Unsecured PHI” (as defined under the HIPAA Rules) is acquired by an unauthorized party, and the expanded privacy and security provisions imposed on business associates.

1.5. Unless the context clearly indicates otherwise, the following terms in this BAA shall have the same meaning as those terms in the HIPAA Rules: Breach, Data Aggregation, Designated Record Set, disclosure, Electronic Media, Protected Health Information (PHI), Electronic Protected Health Information (ePHI), Health Care Operations, individual, Minimum Necessary, Notice of Privacy Practices, Required By Law, Secretary, Security Incident, Subcontractor, Unsecured PHI, and use.

1.6. A reference in this BAA to the Privacy Rule means the Privacy Rule, in conformity with the regulations at 45 C.F.R. Parts 160-164 (the “Privacy Rule”) as interpreted under applicable regulations and guidance of general application published by HHS, including all amendments thereto for which compliance is required, as amended by the HITECH Act, ARRA, and the HIPAA Rules.

1.7. Definitions. For the purposes of this BAA, the Parties give the following meaning to each of the terms in this Section 1 below. Any capitalized term used in this BAA, but otherwise defined, has the meaning given to that term in the Privacy Rule or pertinent law.

  • “Affiliate” means a subsidiary or affiliate of Covered Entity that is, or has been, considered a covered entity, as defined by HIPAA.
  • “Breach” means the acquisition, access, use, or disclosure of PHI in a manner not permitted under the Privacy Rule which compromises the security or privacy of the PHI, as defined in 45 CFR § 164.402.
  • “Breach Notification Rule” means the portion of HIPAA set forth in Subpart D of 45 CFR Part 164.
  • “Data Aggregation” means, with respect to PHI created or received by Business Associate in its capacity as the “business associate” under HIPAA of Covered Entity, the combining of such PHI by Business Associate with the PHI received by Business Associate in its capacity as a business associate of one or more other “covered entity” under HIPAA, to permit data analyses that relate to the Health Care Operations (defined below) of the respective covered entities. The meaning of “data aggregation” in this BAA shall be consistent with the meaning given to that term in the Privacy Rule.
  • “Designated Record Set” has the meaning given to such term under the Privacy Rule including 45 CFR § 164.501.B.
  • “De-Identify” means to alter the PHI such that the resulting information meets the requirements described in 45 CFR §§164.514(a) and (b).
  • “Electronic PHI” means any PHI maintained in or transmitted by electronic media as defined in 45 CFR § 160.103.
  • “Health Care Operations” has the meaning given to that term in 45 CFR § 164.501.
  • “HHS” means the U.S. Department of Health and Human Services.
  • “HITECH Act” means the Health Information Technology for Economic and Clinical Act, enacted as part of the American Recovery and Reinvestment Act of 2009, Public Law 111-005.
  • “Individual” has the same meaning given to that term in 45 CFR §§164.501 and 160.130 and includes a person who qualifies as a personal representative in accordance with 45 CFR § 164.502(g).
  • “Privacy Rule” means that portion of HIPAA set forth in 45 CFR Part 160 and Part 164, Subparts A and E.
  • “Protected Health Information” or “PHI” has the meaning given to the term “protected health information” in 45 CFR §§164.501 and 160.103, limited to the information created or received by Business Associate from or on behalf of the Covered Entity.
  • “Security Incident” means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.
  • “Security Rule” means the Security Standards for the Protection of Electronic Health Information provided in 45 CFR Part 160 & Part 164, Subparts A and C.
  • “Unsecured Protected Health Information” or “Unsecured PHI” means any “protected health information” as defined in 45 CFR §§164.501 and 160.103 that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the HHS Secretary in the guidance issued pursuant to the HITECH Act and codified at 42 USC § 17932(h).

2. GENERAL OBLIGATIONS OF BUSINESS ASSOCIATE.

2.1. Misuse. Business Associate agrees not to use or disclose PHI, other than as permitted or required by this BAA or as Required By Law, or if such use or disclosure does not otherwise cause a Breach of Unsecured PHI.

2.2. Safeguards. Business Associate agrees to use appropriate safeguards, and comply with Subpart C of 45 C.F.R. Part 164 with respect to ePHI, to prevent use or disclosure of PHI other than as provided for by the BAA. Business Associate will use appropriate safeguards to prevent the use or disclosure of PHI other than as provided by the Agreement or this BAA and Business Associate agrees to implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of the Electronic PHI that it creates, receives, maintains or transmits on behalf of Covered Entity. Business Associate agrees to take reasonable steps, including providing adequate training to its employees to ensure compliance with this BAA and to ensure that the actions or omissions of its employees or agents do not cause Business Associate to breach the terms of this BAA.

2.3. Mitigation. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate as a result of a use or disclosure of PHI by Business Associate in violation of this BAA’s requirements or that would otherwise cause a Breach of Unsecured PHI. Business Associate will take reasonable measures to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of any use or disclosure of PHI by Business Associate or its agents or subcontractors in violation of the requirements of this BAA.

2.4. Breach Notifications. The Business Associate agrees to the following breach notification requirements:

    1. Business Associate agrees to report to Covered Entity any Breach of Unsecured PHI not provided for by the BAA of which it becomes aware within ten (10) calendar days of “discovery” within the meaning of the HITECH Act. Such notice shall include the identification of each individual whose Unsecured PHI has been, or is reasonably believed by Business Associate to have been, accessed, acquired, or disclosed in connection with such Breach. Business Associate also shall provide any additional information reasonably requested by Covered Entity for purposes of investigating the Breach and any other available information that Covered Entity is required to include to the individual under 45 C.F.R. § 164.404(c) at the time of notification or promptly thereafter as information becomes available. Business Associate’s notification of a Breach of Unsecured PHI under this Section shall comply in all respects with each applicable provision of Section 13400 of Subtitle D (Privacy) of ARRA, the HIPAA Rules, and related guidance issued by the Secretary or the delegate of the Secretary from time to time.
    2. Business Associate agrees to provide notification of any Breach of Unsecured PHI of which it becomes aware, as required under 45 C.F.R. § 164.410, and any Security Incident of which it becomes aware, in violation of this BAA to individuals, the media (as defined under the HITECH Act), the Secretary, and/or any other parties as required under HIPAA, the HITECH Act, ARRA, and the HIPAA Rules, subject to the prior review and written approval by Covered Entity of the content of such notification.
    3. In the event of Business Associate’s use or disclosure of Unsecured PHI in violation of HIPAA, the HITECH Act, or ARRA, Business Associate bears the burden of demonstrating that notice as required under this Section 2.4 was made, including evidence demonstrating the necessity of any delay, or that the use or disclosure did not constitute a Breach of Unsecured PHI.

2.5. Business Associate agrees, in accordance with 45 C.F.R. §§ 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, to require that any Subcontractors that create, receive, maintain, or transmit PHI on behalf of the Business Associate agree to the same restrictions, conditions, and requirements that apply to the Business Associate with respect to such information.

2.6. Business Associate agrees to make available PHI in a Designated Record Set to the “covered entity” or “individual or the individual’s designee” as necessary to satisfy Covered Entity’s obligations under 45 C.F.R. § 164.524.

    1. Business Associate agrees to comply with an individual’s request to restrict the disclosure of their personal PHI in a manner consistent with 45 C.F.R. § 164.522, except where such use, disclosure, or request is required or permitted under applicable law.
    2. Business Associate agrees to charge fees related to providing individuals access to their PHI in accordance with 45 C.F.R. § 164.524(c)(4).
    3. Business Associate agrees that when requesting, using, or disclosing PHI in accordance with 45 C.F.R. § 164.502(b)(1) that such request, use, or disclosure shall be to the minimum extent necessary, including the use of a “limited data set” as defined in 45 C.F.R. § 164.514(e)(2), to accomplish the intended purpose of such request, use, or disclosure, as interpreted under related guidance issued by the Secretary from time to time.

2.7. Business Associate agrees to make any amendments to PHI in a Designated Record Set as directed or agreed to by the Covered Entity pursuant to 45 C.F.R. § 164.526, or to take other measures as necessary to satisfy Covered Entity’s obligations under 45 C.F.R. § 164.526.

  • 2.7.1. Upon request and instruction from Covered Entity, Business Associate will amend PHI or a record about an Individual in a Designated Record Set that is maintained by, or otherwise within the possession of, Business Associate as directed by Covered Entity in accordance with procedures established by 45 CFR §164.526. Any request by Covered Entity to amend such information will be completed by Business Associate within 15 business days of Covered Entity’s request.
  • 2.7.2. In the event that any Individual requests that Business Associate amend such Individual’s PHI or record in a Designated Record Set, Business Associate within ten (10) business days will forward this request to Covered Entity. Any amendment of, or decision not to amend, the PHI or record as requested by an Individual and compliance with the requirements applicable to an Individual’s right to request an amendment of PHI will be the sole responsibility of Covered Entity.

2.8. Accounting of Disclosures. Business Associate agrees to maintain and make available the information required to provide an accounting of disclosures to MediZues as necessary to satisfy Covered Entity’s obligations under 45 C.F.R. § 164.528.

  • 2.8.1. Business Associate will document any disclosures of PHI made by it to account for such disclosures as required by 45 CFR §164.528(a). Business Associate also will make available information related to such disclosures as would be required for Covered Entity to respond to a request for an accounting of disclosures in accordance with 45 CFR §164.528. At a minimum, Business Associate will furnish Covered Entity the following with respect to any covered disclosures by Business Associate: (i) the date of disclosure of PHI; (ii) the name of the entity or person who received PHI, and, if known, the address of such entity or person; (iii) a brief description of the PHI disclosed; and (iv) a brief statement of the purpose of the disclosure which includes the basis for such disclosure.
  • 2.8.2. Business Associate will furnish to Covered Entity information collected in accordance with this Section, within ten (10) business days after written request by Covered Entity, to permit Covered Entity to make an accounting of disclosures as required by 45 CFR §164.528, or in the event that Covered Entity elects to provide an Individual with a list of its business associates, Business Associate will provide an accounting of its disclosures of PHI upon request of the Individual, if and to the extent that such accounting is required under the HITECH ACT or under HHS regulations adopted in connection with the HITECH ACT.
  • 2.8.3. In the event an Individual delivers the initial request for an accounting directly to Business Associate, Business Associate will within ten (10) business days forward such request to Covered Entity.

2.9. Availability of Books and Records. Business Associate agrees to make its internal practices, books, and records, including policies and procedures regarding PHI, relating to the use and disclosure of PHI and Breach of any Unsecured PHI received from Covered Entity, or created or received by the Business Associate on behalf of Covered Entity, available to Covered Entity (or the Secretary) for the purpose of Covered Entity or the Secretary determining compliance with the Privacy Rule (as defined in Section 8).

2.10. To the extent that Business Associate is to carry out one or more of Covered Entity’s obligation(s) under Subpart E of 45 C.F.R. Part 164, Business Associate agrees to comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation(s).

2.11. Business Associate agrees to account for the following disclosures:

  • 2.11.1. Business Associate agrees to maintain and document disclosures of PHI and Breaches of Unsecured PHI and any information relating to the disclosure of PHI and Breach of Unsecured PHI in a manner as would be required for Covered Entity to respond to a request by an individual or the Secretary for an accounting of PHI disclosures and Breaches of Unsecured PHI.
  • 2.11.2. Business Associate agrees to provide to Covered Entity, or to an individual at Covered Entity’s request, information collected in accordance with this Section 2.11, to permit Covered Entity to respond to a request by an individual or the Secretary for an accounting of PHI disclosures and Breaches of Unsecured PHI.
  • 2.11.3. Business Associate agrees to account for any disclosure of PHI used or maintained as an Electronic Health Record (as defined in Section 5) (“EHR”) in a manner consistent with 45 C.F.R. § 164.528 and related guidance issued by the Secretary from time to time; provided that an individual shall have the right to receive an accounting of disclosures of EHR by the Business Associate made on behalf of the Covered Entity only during the three years prior to the date on which the accounting is requested from Covered Entity.
  • 2.11.4. In the case of an EHR that the Business Associate acquired on behalf of the Covered Entity as of January 1, 2009, paragraph (c) above shall apply to disclosures with respect to PHI made by the Business Associate from such EHR on or after January 1, 2014. In the case of an EHR that the Business Associate acquires on behalf of the Covered Entity after January 1, 2009, paragraph (c) above shall apply to disclosures with respect to PHI made by the Business Associate from such EHR on or after the later of January 1, 2011, or the date that it acquires the EHR.

2.12. Business Associate agrees to comply with the “Prohibition on Sale of Electronic Health Records or Protected Health Information,” as provided in Section 13405(d) of Subtitle D (Privacy) of ARRA, and the “Conditions on Certain Contacts as Part of Health Care Operations,” as provided in Section 13406 of Subtitle D (Privacy) of ARRA and related guidance issued by the Secretary from time to time.

2.13. Business Associate acknowledges that, effective on the Effective Date of this BAA, it shall be liable under the civil and criminal enforcement provisions set forth at 42 U.S.C. § 1320d-5 and 1320d-6, as amended, for failure to comply with any of the use and disclosure requirements of this BAA and any guidance issued by the Secretary from time to time with respect to such use and disclosure requirements.

2.14. Agreements with Agents or Subcontractors. Business Associate will ensure that any of its agents or subcontractors that have access to, or to which Business Associate provides, PHI agree in writing to the restriction and conditions concerning uses and disclosures of PHI contained in this BAA and agree to implement reasonable and appropriate safeguards to protect any Electronic PHI that it creates, receives, maintains or transmits on behalf of Business Associate or, through the Business Associate, Covered Entity. Business Associate shall notify Covered Entity, or upstream Business Associate, of all subcontracts and agreements relating to the Agreement, where the subcontractor or agent received PHI as described in section 1.M of this BAA. Such notification shall occur within 30 calendar days of the execution of the subcontract by placement of such notice on the Business Associate’s primary website. Business Associate shall ensure that all subcontracts and agreements provide the same level of privacy and security as this BAA.

2.15. Audit Report. Upon request, Business Associate will provide Covered Entity, or upstream Business Associate, with a copy of its most recent independent HIPAA compliance report (AT-C 315), HITRUST certification or other mutually agreed upon independent standards based third party audit report. Covered Entity agrees not to re-disclose Business Associate’s audit report.

3. PERMITTED USES AND DISCLOSURES BY BUSINESS ASSOCIATE.

3.1. General Uses and Disclosures. Business Associate agrees to receive, create, use, or disclose PHI only in a manner that is consistent with this BAA, the Privacy Rule, or Security Rule (as defined in Section 5), and only in connection with providing services to Covered Entity; provided that the use or disclosure would not violate the Privacy Rule, including 45 C.F.R. § 164.504(e), if the use or disclosure would be done by Covered Entity. For example, the use and disclosure of PHI will be permitted for “treatment, payment, and health care operations,” in accordance with the Privacy Rule.

3.2. Business Associate may use or disclose PHI as Required By Law.

3.3. Business Associate agrees to make uses and disclosures and requests for PHI: Consistent with Covered Entity’s Minimum Necessary policies and procedures.

3.4. Business Associate may not use or disclose PHI in a manner that would violate Subpart E of 45 C.F.R. Part 164 if done by the Covered Entity.

4. OBLIGATIONS OF COVERED ENTITY.

4.1. Responsibilities of Covered Entity. Covered Entity shall:

  • 4.1.1. Provide Business Associate with the Notice of Privacy Practices that Covered Entity produces in accordance with the Privacy Rule, and any changes or limitations to such notice under 45 C.F.R. § 164.520, to the extent that such changes or limitations may affect Business Associate’s use or disclosure of PHI.
  • 4.1.2. Notify Business Associate of any restriction on the use or disclosure of PHI that Covered Entity has agreed to or is required to comply with under 45 C.F.R. § 164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of PHI under this BAA.
  • 4.1.3. Notify Business Associate of any changes in or revocation of permission by an individual to use or disclose PHI, if such change or revocation may affect Business Associate’s permitted or required uses and disclosures of PHI under this BAA.

4.2. Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under the Privacy and Security Rule if done by Covered Entity, except as provided under Section 3 of this BAA.

5. COMPLIANCE WITH SECURITY RULE.

5.1. Business Associate shall comply with the HIPAA Security Rule, which shall mean the Standards for Security of Electronic Protected Health Information at 45 C.F.R. Part 160 and Subparts A and C of Part 164, as amended by ARRA and the HITECH Act. The term “Electronic Health Record” or “EHR” as used in this BAA shall mean an electronic record of health-related information on an individual that is created, gathered, managed, and consulted by authorized health care clinicians and staff.

5.2. In accordance with the Security Rule, Business Associate agrees to:

    1. Implement the administrative safeguards set forth at 45 C.F.R. § 164.308, the physical safeguards set forth at 45 C.F.R. § 164.310, the technical safeguards set forth at 45 C.F.R. § 164.312, and the policies and procedures set forth at 45 C.F.R. § 164.316, to reasonably and appropriately protect the confidentiality, integrity, and availability of the ePHI that it creates, receives, maintains, or transmits on behalf of Covered Entity as required by the Security Rule. Business Associate acknowledges that, effective on the Effective Date of this BAA, (a) the foregoing safeguards, policies, and procedures requirements shall apply to Business Associate in the same manner that such requirements apply to Covered Entity, and (b) Business Associate shall be liable under the civil and criminal enforcement provisions set forth at 42 U.S.C. § 1320d-5 and 1320d-6, as amended from time to time, for failure to comply with the safeguards, policies, and procedures requirements and any guidance issued by the Secretary from time to time with respect to such requirements;
    2. Require that any agent, including a Subcontractor, to whom it provides such PHI agrees to implement reasonable and appropriate safeguards to protect the PHI; and
    3. Report to the Covered Entity any Security Incident of which it becomes aware.

6. INDEMNIFICATION.

Business Associate shall indemnify, defend, and hold harmless the Covered Entity, its sponsor, if different from Covered Entity, and sponsor’s and Covered Entity’s affiliates (“Indemnified Parties”), from and against any and all losses, expense, damage, or injury (including, without limitation, all costs and reasonable attorney’s fees) that the Indemnified Parties may sustain as a result of, or arising out of (a) a breach of this BAA by Business Associate or its agents or Subcontractors, including but not limited to any unauthorized use, disclosure, or breach of PHI, (b) Business Associate’s failure to notify any and all parties required to receive notification of any Breach of Unsecured PHI pursuant to Section 2.4, or (c) any negligence or wrongful acts or omissions by Business Associate or its agents or Subcontractors, including without limitations, failure to perform Business Associate’s obligations under this BAA, the Privacy Rule, or the Security Rule.

Notwithstanding the foregoing, nothing in this Section shall limit any rights that any of the Indemnified Parties may have to additional remedies under the Agent Terms and Conditions of Service or under applicable law for any acts or omissions of Business Associate or its agents or Subcontractors.

7. TERM AND TERMINATION.

7.1. This BAA shall be in effect as of the date Agent registered for an account with MediZues or otherwise first used our website or our services, and shall terminate on the earlier of the date that:

  1. Either party terminates for cause as authorized under Section 7.2.
  2. All of the PHI received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity. If it is not feasible to return or destroy PHI, protections are extended in accordance with Section 7.3.

7.2. Upon either party’s knowledge of material breach by the other party, the non-breaching party shall provide an opportunity for the breaching party to cure the breach or end the violation; or terminate the BAA. If the breaching party does not cure the breach or end the violation within a reasonable timeframe not to exceed five (5) days from the notification of the breach, or if a material term of the BAA has been breached and a cure is not possible, the non-breaching party may terminate this BAA and the Underlying Agreements, upon written notice to the other party.

7.3. Upon termination of this BAA for any reason, the parties agree that:

Upon termination of this BAA for any reason, Business Associate, with respect to PHI received from Covered Entity, or created, maintained, or received by Business Associate on behalf of Covered Entity, shall:

    1. Retain only that PHI that is necessary for Business Associate to continue its proper management and administration or to carry out its legal responsibilities.
    2. Return to Covered Entity or, if agreed to by Covered Entity, destroy the remaining PHI that the Business Associate still maintains in any form.
    3. Continue to use appropriate safeguards and comply with Subpart C of 45 C.F.R. Part 164 with respect to ePHI to prevent use or disclosure of the PHI, other than as provided for in this Section 7, for as long as Business Associate retains the PHI.
    4. Not use or disclose the PHI retained by Business Associate other than for the purposes for which such PHI was retained and subject to the same conditions set out at paragraphs (2) and (3) above under “Specific Other Uses and Disclosures” which applied prior to termination.
    5. Return to Covered Entity or, if agreed to by Covered Entity, destroy the PHI retained by Business Associate when it is no longer needed by Business Associate for its proper management and administration or to carry out its legal responsibilities.

7.4. The obligations of Business Associate under this Section 7 shall survive the termination of this BAA.

8. MISCELLANEOUS.

8.1. The parties agree to take such action as is necessary to amend this BAA to comply with the requirements of the Privacy Rule, the Security Rule, HIPAA, ARRA, the HITECH Act, the Consolidated Appropriations Act, 2021 (CAA-21), the HIPAA Rules, and any other applicable law.

8.2. The respective rights and obligations of Business Associate under Section 6 and Section 7 of this BAA shall survive the termination of this BAA.

8.3. This BAA shall be interpreted in the following manner:

    1. Any ambiguity shall be resolved in favor of a meaning that permits Covered Entity to comply with the HIPAA Rules.
    2. Any inconsistency between the BAA’s provisions and the HIPAA Rules, including all amendments, as interpreted by the HHS, a court, or another regulatory agency with authority over the Parties, shall be interpreted according to the interpretation of the HHS, the court, or the regulatory agency.
    3. Any provision of this BAA that differs from those required by the HIPAA Rules, but is nonetheless permitted by the HIPAA Rules, shall be adhered to as stated in this BAA.

8.4. This BAA constitutes the entire agreement between the parties related to the subject matter of this BAA, except to the extent that the Underlying Agreements impose more stringent requirements related to the use and protection of PHI upon Business Associate. This BAA supersedes all prior negotiations, discussions, representations, or proposals, whether oral or written. This BAA may not be modified unless done so in writing and signed by a duly authorized representative of both parties. If any provision of this BAA, or part thereof, is found to be invalid, the remaining provisions shall remain in effect.

8.5. This BAA will be binding on the successors and assigns of the Covered Entity and the Business Associate. However, this BAA may not be assigned, in whole or in part, without the written consent of the other party. Any attempted assignment in violation of this provision shall be null and void.

8.6. This BAA may be executed in two or more counterparts, each of which shall be deemed an original.

8.7. Except to the extent preempted by federal law, this BAA shall be governed by and construed in accordance with the same internal laws as that of the Agent Terms and Conditions of Service.

8.8. Data Ownership. Business Associate’s data stewardship does not confer data ownership rights on Business Associate with respect to any data shared with it under the Agreement, including any and all forms thereof.

8.8. Effect of BAA. This BAA is a part of and subject to the terms of the Agreement, except that to the extent any terms of this BAA conflict with any term of the Agreement, the terms of this BAA will govern. Except as expressly stated in this BAA or as provided by law, this BAA will not create any rights in favor of any third party.

8.9. Regulatory References. A reference in this BAA to a section in HIPAA means the section as in effect or as amended at the time.

8.10. Notices. All notices, requests and demands or other communications to be given under this BAA to a Party will be made via either first class mail, registered or certified or express courier, or electronic mail to the Party’s address given below:

  • If to Covered Entity, to the aforementioned address mentioned in this BAA. In addition, the Covered Entity may be contacted at: (775) 440-9397; admin@medizues.com
  • If to Business Associate, to the aforementioned address mentioned in this BAA. In addition, the Business Associate may be contacted at their email provided during registration for MediZues.

9. Incorporated Policies, Procedures, and Agreements

This Zues Business Associate Agreement is comprised of this Agreement and all Zues policies, procedures, and/or agreements referenced and/or linked within this Agreement, including, without limitation, the following policies, procedures, and other agreements:

10. HITECH ACT Compliance.

The Parties acknowledge that the HITECH Act includes significant changes to the Privacy Rule and the Security Rule. The privacy subtitle of the HITECH Act sets forth provisions that significantly change the requirements for business associates and the agreements between business associates and covered entities under HIPAA and these changes may be further clarified in forthcoming regulations and guidance. Each Party agrees to comply with the applicable provisions of the HITECH Act and any HHS regulations issued with respect to the HITECH Act. The Parties also agree to negotiate in good faith to modify this BAA as reasonably necessary to comply with the HITECH Act and its regulations as they become effective but, in the event that the Parties are unable to reach an agreement on such a modification, either Party will have the right to terminate this BAA upon 30 days’ prior written notice to the other Party.

In light of the mutual agreement and understanding described above, the Business Associate automatically agrees to and accepts the terms of this BAA upon signing up for MediZues, as of the date of their registration. The Covered Entity, Zues Software Inc., holds the effective date of the user’s registration as the effective date of this BAA.

IN WITNESS WHEREOF, the parties hereto have executed this BAA as of the Effective Date.