Benefit Administration Platform Employer Agreement
This Benefit Administration Platform Employer Agreement is effective as of the effective date on the Purchase between THEbenefitsHUB, LLC, d/b/a allsynx, a Texas Limited Liability Company (“allsynx”), and Client (the “Employer”).
This Agreement provides for the implementation and administration of benefits for employees on the Benefit Administration Platform administered by allsynx. The parties agree as follows:
- Definitions and Defined Terms
- Defined Terms. Terms defined in the preamble have their assigned meanings and each of the following terms has the meaning assigned to it.
“Agreement” means this Benefit Administration Platform Employer Agreement and Exhibit A, as may be amended from time to time.
“Benefit Administration Platform” means THEbenefitsHUB benefit administration platform, hosted and maintained by allsynx, which includes but is not limited to, enabling users to enroll in benefits, review benefits, change coverage and beneficiary designations, as well as additional functions to facilitate enrollment of employees on the benefit administration platform.
“Business Day” means any day allsynx is open for business.
“Carrier” means insurance carrier offering Products for employee benefit plans.
“Confidential Information” means any and all proprietary, including Intellectual Property, technical, financial, or operational information, trade secrets, software code and algorithms, and any other data or material of a Party that is of a non-public or confidential nature, either marked or unmarked and would reasonably be considered confidential, which has been disclosed by a Party to the other Party in tangible or intangible form, including oral communications, or otherwise has come into the possession of the other Party, except for information that: (i) is or becomes publicly known, other than through any act or omission of the receiving Party; (ii) was in the other Party’s lawful possession before the disclosure, and such evidence can be shown by tangible evidence; (iii) is lawfully disclosed to the receiving Party by a third party without restriction on disclosure, which receipt can be shown through tangible evidence; (iv) is independently developed by the receiving Party, which independent development can be demonstrated by written evidence; or (v) is required to be disclosed by law, by any court of competent jurisdiction or by any regulatory or administrative body.
“Documentation” means all documents, demonstration materials, webinars, system user guides or other documentation and manuals made available to the Employer by allsynx from time to time, which sets out a description of the Services and the user instructions for the Services.
“Effective Date” means the date first listed in the preamble.
“Employer Information” means information supplied by the Employer to allsynx during the Employer’s use of the Services.
“Exhibit A” means the Business Associate Agreement between Employer and allsynx, attached to this Benefit Administration Platform Employer Agreement.
“HIPAA” means the Health Insurance Portability and Accountability Act of 1996.
“Intellectual Property Rights” means, without limitation, all right, title, and interest to any inventions, technological innovations, discoveries, designs, formulas, know-how, processes, business methods, patents, trademarks, service marks, copyrights, computer software, algorithms, domains, web presence, advertising and promotional material, ideas, creations, writings, lectures, illustrations, photographs, motion pictures, scientific and mathematical models, improvements to all such property, and all recorded material defining, describing, or illustrating such property, whether in tangible or intangible manifestations of such intellectual property.
“Login Credentials” means the unique username and encrypted password provided to employees for accessing the Benefit Administration Platform.
“Loss” means any demand, claim, proceeding, suit, judgment, loss, liability, costs, expense, fee, penalty, or fine.
“Normal Business Hours” means the hours allsynx is normally open for business, Monday – Thursday 8:00 am – 5:30 pm CST, Friday 8:00 am – 2:00 pm CST, which are subject to change in allsynx’s sole discretion.
“Personnel” means employees, representatives, agents, subcontractors, and other persons whom allsynx or Employer have authority or oversight of.
“PHI” means protected health information as defined under HIPAA.
“Products” means products offered by a Carrier and administered on the Benefit Administration Platform.
“Routine Maintenance Window” means 10:00pm – 2:00am Central Time each day and all day on holidays.
“Services” means the implementation and administration of the Benefit Administration Platform on behalf of the Employer.
“Software” means the software applications provided by allsynx as part of the Services.
“Term” has the meaning assigned to it in Section 3.
“Termination Date” means the date the Agreement is terminated pursuant to Section 10, of this Agreement.
- Applicability. This Agreement shall apply to the Services provided by allsynx to Employer. If Employer would like allsynx to provide additional services, allsynx shall enter into a separate agreement with Employer regarding the additional services and the fees associated with the additional services.
- Effective Date
- Effective Date. This Agreement is effective on the Effective Date.
- Term. Except as provided in Section 10, this Agreement will begin on the Effective Date and continue through August 31, 2023. The Agreement will then automatically renew for successive one-year terms, beginning September 1st of the year and ending August 31st the following year until terminated as provided in Section 10.
- allsynx Representations and Warranties.
- Hosting and Operation. allsynx will host, operate, and maintain the Benefit Administration Platform in a commercially reasonable manner.
- Implementation and Administration. allsynx will implement and maintain the Employer’s plan information on the Benefit Administration Platform in compliance with applicable state and federal laws and regulations.
- Support Services. allsynx will provide Employer with allsynx’s standard customer support services during Normal Business Hours. In addition, as part of Employer’s initial implementation, allsynx shall provide Employer access to training on the Benefit Administration Platform through allsynx’s HUB University.
- Maintenance of Benefit Administration Platform. allsynx routinely maintains the Benefit Administration Platform during the Routine Maintenance Window. However, there are times when the Benefit Administration Platform requires non-routine maintenance. If non-routine maintenance is required, allsynx shall provide Employer as much notice in advance as reasonably possible, but no such notice is guaranteed. Employer should expect intermittent disruption of services during maintenance of the Benefit Administration Platform.
- Additional Fees. Any additional services not specifically provided for in this Agreement or the agreement between Employer and Employer’s broker may incur additional costs and require execution of a new agreement.
- allsynx shall be entitled to make changes to the Services, Documentation, Software, and Benefit Administration Platform in its sole discretion.
- Notwithstanding the foregoing, allsynx:
- does not warrant that the Employer’s use of the Services will be uninterrupted or error free; or that the Service, Documentation and/or the information obtained by the Employer through the Services will meet the Employer’s requirements; and
- is not responsible for any delays, delivery failures, or any other loss or damage resulting from the transfer of data over communications networks and facilities, including the internet, and the Employer acknowledges that the Services and Documentation may be subject to limitations, delays and other problems inherent in the use of such communications facilities.
- The Employer’s Representations and Warranties.
- The Employer undertakes that it shall:
- provide allsynx with all necessary cooperation and assistance to enable allsynx to meet its obligations under this Agreement;
- provide all requested and necessary information for employee enrollment;
- maintain employee eligibility data within the Benefit Administration Platform, including managing and maintaining terminations and new hires in a timely manner;
- carry out Employer responsibilities set out in this Agreement in a timely and efficient manner. In the event of any delays in the Employer’s provision of such assistance as agreed by the Parties, allsynx may adjust any agreed timetable or delivery schedule as reasonably necessary;
- ensure that all Employer’s Personnel use the Services and Documentation in accordance with the terms and conditions of this Agreement and shall be responsible for any Personnel’s breach of this Agreement;
- obtain and maintain all necessary licenses, consents, and permissions necessary for allsynx and its Personnel to perform their obligations under this Agreement, including without limitation the Services;
- keep a full back-up copy of all its data, including but not limited to Employer Information; and
- be solely responsible for ensuring that appropriate environmental conditions are maintained, per relevant specifications provided by allsynx from time to time, for its receipt and use of the Services; and
- be solely responsible for all problems, conditions, delays, delivery failures and all other loss or damage arising from or relating to the Employer’s network connections or telecommunications links or caused by the internet.
- Electronic Data Interchange. Employer authorizes allsynx to exchange Employer data with its insurance carriers, third party administrators, employer’s payroll company, and other service providers.
- Employee Accounts. Each employee of Employer will be given an account with unique Login Credentials. Login Credentials shall not be shared with anyone. Employer and employee are solely responsible for maintaining the confidentiality of their Login Credentials. If an employee experiences trouble with their Login Credentials, the employee should contact their respective allsynx representative.
- Authorization for Broker Access. If Employer is a customer of a broker, then Employer grants their broker access to Employer Data, Employer Confidential Information, and access to Employer’s Benefit Administration Platform page to allow broker to perform its duties in assisting Employer.
- Use of Employer Trademarks. Employer hereby grants allsynx the limited, non-exclusive license, worldwide, to use during the Term of this Agreement, Employer’s trademarks on the Benefit Administration Platform and on any Documentation created by allsynx for Employer’s use.
- Third Party Software. Employer’s use of third-party vendors, software, services, and other products is governed by the terms of any license or other agreement between Employer and the third party. ALLSYNX SHALL HAVE NO LIABILITY OR RESPONSIBILITIES RELATED TO AND MAKES NO REPRESENTATIONS OR WARRANTY WHATSOEVER REGARDING THIRD-PARTY PRODUCTS AND RELATED SOFTWARE SERVICES. allsynx is not responsible for any services or products provided by a third party.
- Intellectual Property Rights. Employer acknowledges and agrees that allsynx and/or its licensors own all the Intellectual Property Rights in the Intellectual Property of allsynx. This Agreement does not grant the Employer any rights or licenses to, or in, the Intellectual Property of allsynx. The Employer shall notify allsynx if it becomes aware of any unauthorized use by Personnel of the whole or any part of allsynx’s Intellectual Property.
- Confidential Information
- Non-disclosure. In order to perform its obligations under this Agreement, each Party may be given access to Confidential Information and shall hold the other Party’s Confidential Information in strict confidence, using at least the same degree of care as it employs to safeguard its own Confidential Information, but no less than reasonable care. Each Party shall not, unless required by law, make the other’s Confidential Information available to any third party, or use the other’s Confidential Information for any purpose other than to fulfill obligations under this Agreement.
- Restrictions on Use. Each Party may disclose Confidential Information to:
- Personnel that have a need to know such information, provided that each person is under a duty of non-disclosure that is at least as protective of the Confidential Information as the confidentiality and non-disclosure provisions herein; and
- persons or entities to whom a Party is legally compelled to disclose such Confidential Information, provided that the non-disclosing Party is given advance notice of such compelled disclosure, if legally permitted to do so, and shall cooperate with the other Party in connection with any efforts to prevent or limit the scope of such disclosure or use of the Confidential Information.
- Each Party to this Agreement shall promptly notify the other Party if it becomes aware of any breach of confidence by any person to whom it divulges all or any part of the Confidential Information and shall give the other Party all reasonable assistance in connection with any proceedings which the other Party may institute against such person for breach of confidence.
- Remedies. allsynx and the Employer recognize that Confidential Information is of a special, unique, extraordinary value, which may not be reasonably or adequately compensated in damages in any action at law and that a breach by either Party of this Section 7 may cause the owner of the Confidential Information irreparable injury and damage. Both Parties agree that, in addition to any other remedies in equity or at law, both Parties will be entitled to seek the remedies of injunction, specific performance and other equitable relief without the necessity of proving damages.
- Data Security.
- If either Party receives PHI, non-public personal information within the meaning of the Gramm-Leach Bliley Act, or any data subject to state privacy laws from any Personnel or other Party under this Agreement, receiving Party agrees to protect such information or data in compliance with all applicable law.
- Security Requirements. Each Party agrees to establish and maintain:
- administrative, technical, and physical safeguards against the destruction, loss, or alteration of PHI; and
- appropriate security measures to protect PHI, consistent with applicable state and Federal laws and regulations relating to personal information security.
- Remediation. If either Party becomes aware of any circumstance that may constitute or result in a breach of security, including threats and perceived threats to security, that Party will immediately notify the other Party, who will promptly investigate and take all commercially reasonable steps to remedy the breach. Each Party will be responsible for all security breaches and the costs of remediation, including credit monitoring and notification services, except to the extent a breach is caused by the other Party. If a Party becomes aware of a deficiency in the other Party’s security practices, that Party shall notify the other Party of the deficiency. The deficient Party shall have 30 days to remedy the deficiency to the other Party’s satisfaction.
- Business Associate Agreement. Employer and allsynx shall execute a business associate agreement, attached hereto as Exhibit A, prior to transmission of PHI to allsynx.
- Limitation of Liability.
- Except as expressly and specifically provided in this Agreement:
- Employer assumes sole responsibility for results obtained from the use of the Services, Software, and/or Documentation, and for conclusions drawn from such use. allsynx shall have no liability for any damage caused by errors or omissions in any information, instructions, or scripts provided to allsynx by the Employer, or any actions taken by allsynx at the Employer’s direction; and
- to the fullest extent permitted by applicable law the Services, Software and/or the Documentation are provided to the Employer on an “as-is” basis and allsynx makes no warranties, representations, conditions, either express or implied, about the Services, Software, and/or the Documentation, whether imposed by statute or by operation of law or otherwise, and all other terms of any kind whatsoever implied by statute or common law are, to the fullest extent permitted by applicable law, excluded from this Agreement.
- ALLSYNX’S TOTAL AGGREGATE LIABILITY IN CONTRACT, TORT (INCLUDING NEGLIGENCE OR BREACH OF STATUTORY DUTY), MISREPRESENTATION, RESTITUTION OR OTHERWISE, ARISING IN CONNECTION WITH THE PERFORMANCE OR CONTEMPLATED PERFORMANCE OF THIS AGREEMENT SHALL BE LIMITED TO THE TOTAL FEES PAID BY THE EMPLOYER TO ALLSYNX IN THE 2 MONTHS IMMEDIATELY PRECEDING THE DATE ON WHICH THE CLAIM AROSE, PROVIDED ALWAYS THAT ALLSYNX SHALL NOT IN ANY CIRCUMSTANCES BE LIABLE FOR ANY LOSS OF PROFITS, LOSS OF BUSINESS, DEPLETION OF GOODWILL AND/OR SIMILAR LOSSES, OR LOSS OF ANTICIPATED SAVINGS, OR LOSS OF USE OR LOSS OR CORRUPTION OF DATA OR INFORMATION, OR PURE ECONOMIC LOSS, OR FOR ANY SPECIAL, INDIRECT, OR CONSEQUENTIAL LOSS, COSTS, DAMAGES, CHARGES OR EXPENSES, HOWEVER ARISING UNDER THIS AGREEMENT. THIS PROVISION APPLIES REGARDLESS OF CAUSE, AND EVEN IF CAUSED BY THE NEGLIGENCE OF CONSULTANT AND/OR CONSULTANT’S AFFILIATES, SUBCONTRACTORS AND PERSONNEL.
- Termination without Cause. Either allsynx or the Employer may terminate this Agreement without cause upon 90 days’ prior written notice.
- Termination with Cause.
- By Law. This Agreement will be terminated immediately upon:
- a determination by a court of law that an essential term of this Agreement violates any federal, state, or local law or regulation; or a change in law or regulation that renders this Agreement unlawful;
- the institution by or against either Party for insolvency, receivership, or bankruptcy proceedings or any other proceedings for the settlement of the Party’s debts;
- either Party making an assignment for the benefit of creditors; or
- either Party’s election to dissolve and liquidate.
- For Breach. This Agreement may be terminated immediately by either Party in the event the other Party to this Agreement:
- materially breaches the Agreement;
- the non-breaching Party provides written notice of the breach, demanding the breach be cured; and
- after 30 days of notice of the breach, the breach continues.
- Termination upon Intellectual Property Claim by Employer. allsynx shall have the right, without prejudice to any other rights or remedies to which it may be entitled, to terminate this Agreement immediately upon written notice to Employer where Employer disputes the ownership or validity of allsynx’s Intellectual Property Rights.
- On termination of this Agreement for any reason:
- all rights granted under this Agreement shall terminate with effect from the Termination Date;
- each Party shall return and make no further use of any equipment, property, documentation, and other items (and all copies of them), which includes but is not limited to Confidential Information, belonging to the other Party;
- the Employer’s right to receive the Services shall cease automatically and no refunds (whether pro-rata or otherwise) of any amount will be payable to the Employer and the Employer agrees that it and any of its Personnel shall make no further use of the Services and/or Documentation;
- allsynx is entitled to destroy or otherwise dispose of any of the Employer Information in its possession after the 10th Business Day following the termination date, so long as the destruction or disposal of any PHI is in compliance with applicable state and federal laws and regulations; and
- Employer shall pay all amounts due allsynx under this Agreement immediately.
- Return of Confidential Information. Subject to each Party’s obligation to maintain records in accordance with this Agreement, by law, or by the Party’s record retention policy, upon termination of this Agreement each Party will promptly:
- return the other Party’s confidential information, if feasible;
- destroy all confidential information of the other Party that cannot feasibly be returned to the other Party;
- ensure any Personnel of the Party also return or destroy all confidential information of the other Party in accordance with this Agreement; and
- upon request, provide an attestation to the other Party verifying the return or destruction of the other Party’s confidential information.
Failure to return or destroy Confidential Information in compliance with this Section 11.5 shall result in termination of this Agreement “for cause” as defined in Section 10.2.
- Comingled Data. In the event that the Confidential Information of a Party has been comingled with the other Party’s Confidential Information such that it cannot feasibly be separated for return or destruction, the other Party shall keep all comingled data confidential according to the terms of this Agreement.
- The provisions of this Section 10 and Sections 1 (Definitions), 7 (Confidentiality), 8 (Data Security), 9 (Limitation of Liability), and to the extent applicable, 12 (General Provisions), shall survive the termination of this Agreement, however it arises, and shall continue to bind the Parties or the relevant Party (as applicable) without limit in time.
- Termination of this Agreement shall not affect any rights of the Parties accrued up to the Termination Date.
- Force Majeure. Neither Party shall have liability to the other under this Agreement if it is prevented from or delayed in performing its obligations under this Agreement, or from carrying on its business, by acts, events, omissions or accidents beyond its reasonable control, including, without limitation, failure of telecommunications networks, acts of God, war, riot, civil commotion, malicious damage, or compliance with any law or governmental order, provided that the other Party is notified of such an event and its expected duration.
- General Provisions.
- Governing Law. The laws of Texas govern all matters arising under or relating to this Agreement, including torts. Venue, in the event of suit, shall be the court of appropriate jurisdiction in Dallas County, Texas.
- Notices and other communications under or in connection with this Agreement shall be given in writing by hand, by airmail, registered courier or by e-mail, save that service of any notice of any claim, dispute, termination, breach, or legal proceedings in connection with this Agreement shall not be made by e-mail. Any such notice, if so given, shall be deemed to have been served:
- after 1 Business Day, if it is sent by a nationally recognized courier with package tracking capabilities;
- after 3 Business Days, if it is sent by certified or registered mail with prepaid postage, and a return receipt was requested;
- if sent by hand, when delivered; or
- if sent by e-mail, 6 hours after sending, provided the sender has not received a notice of failed or delayed delivery.
- All notices to allsynx should be sent to the following addresses:
THEbenefitsHUB, LLC, d/b/a allsynx
Attn: Kymberlie Welp
2121 N. Glenville Drive
Richardson, TX 75082
- Interpretative Provision. If any ambiguity or question of intent or interpretation arises, this Agreement shall be construed as if drafted jointly by the parties and no presumption or burden of proof shall arise favoring or disfavoring any party by virtue of the authorship of any of the provisions of this Agreement.
- This Agreement shall not prevent allsynx from entering into similar agreements with third Parties, or from independently developing, using, selling, or licensing documentation, products, and/or services which are similar to those provided under this Agreement.
- Further Assurance. Each Party shall, at its own cost, do and execute, or arrange for the doing and executing of, each necessary act, document, and thing as may be reasonably necessary and requested of it by the other Party to implement this Agreement, including Exhibit A.
- Assignment and Delegation. Neither Party may assign nor delegate, in whole or in part, by operation of law or otherwise, any of its rights or obligations under this Agreement without the other Party’s prior written consent, except for any delegation by allsynx to an affiliate or subcontractor to fulfill its obligations under this Agreement.
- Authority to Bind. Each Party represents and warrants that it is fully qualified to enter into this Agreement, to perform the obligations hereunder, and has full legal power and authority to do so.
- Successors and Assigns. This Agreement binds and benefits the Parties and their respective permitted successors and assigns.
- No Third-Party Beneficiary Rights. No provision in this Agreement is intended nor shall this Agreement create any rights with respect to the subject of this Agreement in any third party.
- Independent Parties. This Agreement shall not be construed as constituting or creating a partnership, joint venture, agency or other association or relationship between allsynx and Employer. To the extent that either Party undertakes or performs any duty for itself or for the other Party as required by this Agreement, the Party will be construed as acting as an independent contractor and not as a partner, joint venture, or agent of the other Party.
- Compliance with Laws. Each Party shall comply with all applicable federal or state laws, rules, and regulations in performing services under this Agreement.
- Amendments. The Parties may amend this Agreement only by an agreement in writing that both Parties execute.
- Sole and Entire Agreement. The express terms of this Agreement constitute the sole and entire agreement between the Parties and supersede all prior written and oral agreements or understandings. Each Party acknowledges that it is not relying, and will not seek to rely, on any term or condition which is not expressly set out in this Agreement.
- Waiver, Rights Cumulative. Each of the rights of each Party under this Agreement may be exercised as often as is necessary, is cumulative and not exclusive of any other rights which that Party may have under this Agreement, law, or otherwise, and may be waived only in writing and specifically. Delay by a Party in exercising, or the non-exercise of a Party, of any such right shall not constitute a waiver of that right.
- Severability. If any term or other provision of this Agreement is determined by a court of competent jurisdiction to be invalid, illegal, or incapable of being enforced by any rule of Law or public policy, all other terms, provisions, and conditions of this Agreement shall nevertheless remain in full force and effect.
Exhibit A – Business Associate Agreement
This Business Associate Agreement is between allsynx and Employer. This Agreement provides for the terms related to the use and disclosure of PHI between allsynx and Employer in accordance with the Benefit Administration Platform Employer Agreement, preceding this Business Associate Agreement. The parties agree as follows:
- Defined Terms. Terms defined in the preamble and the Benefit Administration Platform Employer Agreement have their assigned meanings and each of the following terms has the meaning assigned to it.
“BAA” means this Business Associate Agreement.
“Business Associate” has the meaning assigned to it under HIPAA, 45 CFR § 160.103, and in reference to the party to this BAA, shall mean allsynx.
“Covered Entity” has the meaning assigned to it under HIPAA 45 CFR § 160.103, and TX Health and Safety Code § 181.001, and in reference to the party to this BAA, shall mean Employer.
“PHI” means protected health information, as defined under HIPAA.
- Interpretive Provisions.
- This BAA includes the interpretive provisions of the Benefit Administration Platform Employer Agreement.
- A reference in this BAA to any HIPAA regulation is a reference to the HIPAA regulation in effect and as amended, as may be applicable. Any ambiguity in this BAA shall be interpreted to permit compliance with the HIPAA rules.
- If any term of Section 6 conflicts with another term of this BAA, the term contained in Section 6 shall be controlling. Any ambiguity in Section 6 shall be resolved to permit Covered Entity to comply with the HIPAA Rules.
- Effective Date. This BAA is effective on the Effective Date.
- Term. The term for this BAA shall be the term defined in Section 3.2 of the Benefit Administration Platform Employer Agreement.
- Acknowledgement of HIPAA Duties. The parties acknowledge that US federal regulations relating to the confidentiality of individually identifiable health information require covered entities to comply with the privacy standards adopted by the U.S. Department of Health and Human Services as they may be amended from time to time, including Subparts A and E of 45 C.F.R. §§ 160 and 164 (“the Privacy Rule”), the “Standards for Electronic Transactions,” Subpart A of 45 CFR §160, and Subparts A, and I – R of 45 CFR § 162 (the “Electronic Transaction Rule”), the security standards, Subpart C of 45 C.F.R. §§ 160, 162 and 164 (“the Security Rule”), and the “Standards for Breach Notification for Unsecured Protected Health Information,” Subpart D of 45 CFR § 164 (the “Breach Notification Rule”), adopted by the U.S. Department of Health and Human Services as they may be amended from time to time, collectively, referred to herein as “HIPAA Rules.” The HIPAA Rules, as well as any applicable state confidentiality laws, require Covered Entity to ensure that business associates who receive confidential information in the course of providing services on behalf of the Covered Entity comply with certain obligations regarding the confidentiality of health information.
- Purposes for which Protected Health Information May Be Used or Disclosed to Business Associate. In connection with the Services provided by Business Associate on behalf of Covered Entity pursuant to this BAA, Covered Entity may use and disclose PHI, as defined in the HIPAA Rules, to Business Associate for the purposes of fulfilling both Covered Entity’s and Business Associate’s obligations under the Benefit Administration Platform Employer Agreement, provided that Business Associate shall not use or disclose PHI, in any manner that would constitute a violation of HIPAA Regulations if done by Covered Entity.
- Business Associate Obligations. Notwithstanding any other obligations contained in this BAA, Business Associate agrees to comply with applicable federal and state confidentiality and security laws, including, but not limited to the Privacy Rule and Security Rule, including without limitation:
- Use of PHI. Business Associate shall not use or disclose PHI except as necessary to fulfil the purposes of this BAA. Business Associate is permitted to use and disclose PHI as necessary for the proper management and administration of Business Associate or to carry out its legal responsibilities and its responsibilities under this BAA. However, Business Associate shall in such case:
(i) provide training to members of its workforce regarding the confidentiality requirements in the HIPAA Rules and this BAA;
(ii) obtain reasonable assurances from the person to whom the information is disclosed that it will be held confidential and further used and disclosed only as required by law or for the purpose for which it was disclosed to the person or entity; and
(iv) ensure that all disclosures of PHI are subject to the principle of “minimum necessary use and disclosure,” i.e., only PHI that is the minimum necessary to accomplish the intended purpose of the use, disclosure, or request may be disclosed.
- Disclosure to Third Parties. If the Business Associate discloses PHI received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity, to agents, including a subcontractor, Business Associate shall require the agent to agree to the same restrictions and conditions that apply to Business Associate under this BAA. Business Associate shall ensure that any agent, including a subcontractor, agrees to implement reasonable and appropriate safeguards to protect the confidentiality, integrity, and availability of the electronic PHI that it creates, receives, maintains, or transmits on behalf of the Covered Entity. Business Associate shall be liable to Covered Entity for any intentional acts, failures, or omissions of the Agent in providing the services as if they were Business Associate’s own acts, failures, or omissions, to the extent permitted by law. Business Associate further expressly warrants that its Agents will be specifically advised of the terms of this BAA.
- Amendment. Business Associate and Covered Entity agree to take such action as is necessary to amend this Section 6 from time to time as is necessary for compliance with the requirements of the HIPAA Regulations and any other applicable law.
- Limitation on Disclosure. Business Associate may not use or disclose PHI in a manner that would violate Subpart E of 45 CFR Part 164 if done by Covered Entity, except for the specific uses and disclosures set forth in this BAA.
- Notice of Privacy Practices. Business Associate shall abide by the limitations of any Notice of Privacy Practices (“Notice”) published by the Covered Entity of which it has knowledge. Covered Entity shall provide to Business Associate such Notice when it is adopted. Any use or disclosure permitted by this BAA may be amended by such Notice. However, the amended Notice shall not affect permitted uses and disclosures on which Business Associate relied prior to such notice.
- Safeguards. Business Associate shall maintain appropriate safeguards to ensure that PHI is not used or disclosed other than as provided by this BAA or as required by law, in accordance with Subpart C of 45 CFR Part 164. Business Associate shall implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of any electronic PHI it creates, receives, maintains, or transmits on behalf of Covered Entity.
- Covered Entity Obligations.
- Covered Entity shall notify Business Associate of any limitations in the notice of privacy practices of Covered Entity under 45 CFR 164.520, to the extent that such limitation may affect Business Associate’s use or disclosure of PHI.
- Covered Entity shall notify Business Associate of any changes in, or revocation of, the permission by an individual to use or disclose his or her protected health information, to the extent that such changes may affect Business Associate’s use or disclosure of protected health information.
- Covered Entity shall notify Business Associate of any restriction on the use or disclosure of PHI that Covered Entity has agreed to or is required to abide by under 45 CFR 164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of PHI.
- Permissible Requests. Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under Subpart E of 45 CFR Part 164 if done by Covered Entity, except for any provision in this BAA for data aggregation, management and administration, and legal responsibilities of Business Associate.
- Disclaimer of Obligations to Third Parties of Covered Entity. Business Associate shall not be responsible for PHI safeguards in relation to any transfers of PHI made directly between the Covered Entity and a third party. It is the Covered Entity’s sole responsibility to ensure compliance of a third party with HIPAA guidelines.
- Data Aggregation. In the event that Business Associate works for more than one Covered Entity, Business Associate is permitted to use and disclose PHI, but only in order to analyze data for permitted health care operations, and only to the extent that such use is permitted under the HIPAA Rules.
- De-identified Information. Use and disclosure of de-identified health information is permitted, but only if:
- the de-identification complies with 45 CFR §164.502(d); and
- any such de-identified health information meets the standard and implementation specifications for de-identification under 45 CFR §164.514(a) and (b).
- Requests by Individuals to Business Associate. If Business Associate receives a request from an individual to the Business Associate regarding PHI, Business Associate agrees to forward all such requests to the Covered Entity within 10 days of such request. Business Associate further agrees to assist the Covered Entity in meeting all deadlines for responding to such requests to the extent the Business Associate maintains the required information.
- Individual Rights Regarding Designated Record Sets. If Business Associate maintains a designated record set (as defined in the HIPAA Rules) on behalf of Covered Entity, Business Associate agrees as follows:
- Withdrawal of Consent or Authorization. If the use or disclosure of PHI in this BAA is based upon an individual’s specific consent or authorization for the use of his or her PHI, and the individual revokes such consent or authorization in writing, or the effective date of such authorization has expired, or the consent or authorization is found to be defective in any manner that renders it invalid, Business Associate shall, if it has notice of such revocation, expiration or invalidity, cease the use and disclosure of any such individual’s PHI except to the extent it has relied on such use or disclosure, or where an exception under the Privacy Rule expressly applies.
- Correction of PHI. Business Associate agrees that it will amend PHI maintained by Business Associate in a designated record set as requested by Covered Entity. Business Associate must incorporate the amendment within 15 days of the request by the Covered Entity.
- Individual Right to Copy or Inspection. Business Associate agrees that, if it maintains PHI in a designated record set for the Covered Entity, it will permit an individual to inspect or copy PHI about the individual in that set under conditions and limitations required under 45 CFR §164.524. The Covered Entity is required to act on such requests as soon as possible but not later than 30 days following receipt of the request. Business Associate agrees to assist Covered Entity in meeting this deadline, to the extent the requested information is maintained by Business Associate and not the Covered Entity, by providing the requested information to the Covered Entity within 25 days of such request, in the form requested by Covered Entity. The information shall be provided in the form or format requested, if it is readily producible in such form or format; or in summary, if the individual has agreed in advance to accept the information in summary form.
- Individual Right to Amendment. If Business Associate maintains PHI in a designated record set, Business Associate agrees to make amendments to PHI at the request and direction of Covered Entity pursuant to 45 CFR §164.526, within 15 days of such a request. If Business Associate maintains a record in a designated record set that is not also maintained by Covered Entity, Business Associate agrees that it will accommodate an individual’s right to have access to and amend PHI about the individual in a designated record set in accordance with the Privacy Rule set forth at 45 CFR §164.526, unless the regulation provides for a denial or exception that applies.
- To the extent Business Associate is to carry out one or more of Covered Entity’s obligations under Subpart E of 45 CFR Part 164, Business Associate shall comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligations.
- Improper Use or Disclosure.
- Reports of Improper Use or Disclosure. Business Associate agrees to report to Covered Entity any use or disclosure of PHI not provided for by this BAA of which it becomes aware, in accordance with the Breach Notification Rule codified at 45 CFR 410, and any security incident of which it becomes aware.
- Accounting of Disclosures. Business Associate agrees to make available to the individual and/or the Covered Entity from whom the PHI originated, information required for an accounting of disclosures of PHI with respect to the individual, in accordance with 45 CFR §164.528, and incorporating exceptions to such accounting designated under the regulation. Within 20 days of notice by Covered Entity to Business Associate that it has received a request for an accounting of disclosures of PHI, Business Associate shall make available to Covered Entity, or if requested by Covered Entity, to the individual, the information required to be maintained pursuant to this Paragraph 14. In the event the request for accounting is delivered directly to Business Associate, Business Associate shall within 10 days forward such request to Covered Entity. Such accounting is limited to disclosures that were made in the six (6) years prior to the request (not including any disclosures prior to the compliance date of the Privacy Rule).
- Covered Entity is required to act on such requests as soon as possible but not later than 60 days following receipt of the request. Business Associate agrees to use its best efforts to assist Covered Entity in meeting this deadline.
- Such accounting must be provided without cost to the individual or Covered Entity if it is the first accounting requested by an individual within any 12-month period.
- Such accounting shall be provided so long as Business Associate maintains the PHI.
- Internal Practices, Books, and Records. Business Associate shall make available its internal practices, books, and records relating to the use and disclosure of PHI received from, created, or received by Business Associate on behalf of the Covered Entity to the U.S. Department of Health and Human Services or its agents for the purpose of determining compliance with the HIPAA Rules, or any other health oversight agency, or to the Covered Entity.
- Miscellaneous. This BAA shall also be subject to the terms in Sections 9 – 12 of the Benefit Administration Platform Employer Agreement.