Business Associate Agreement

(Last updated 7/6/2017)

At Arctrieval, Inc., we respect the rules and regulations regarding creation, receipt, maintenance, and transmittal of Protected Health Information (as defined herein) that may be provided to us by Covered Entities (as defined in 45 C.F.R. 160.103). This Business Associate Agreement describes how we will use and protect such Protected Health Information and is meant to be a contract between the Covered Entity and Arctrieval. This Business Associate Agreement is a part of our Privacy Policy and Terms of Use, which Covered Entities and other parties are required to accept in order to use the Site.

BY USING THE SITE, COVERED ENTITIES AGREE TO BE BOUND BY THE TERMS OF THIS BUSINESS ASSOCIATE AGREEMENT. USE OF THE SITE AND THE SERVICES SHALL CONSTITUTE AN AGREEMENT TO BE BOUND BY THE TERMS OF THIS BUSINESS ASSOCIATE AGREEMENT. ANY COVERED ENTITIES WHO DO NOT AGREE WITH THIS AGREEMENT SHOULD NOT USE THIS SITE!

I. GENERAL

Pursuant to the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191 and any amendments thereto (hereinafter “HIPAA”); and the HIPAA Security and Privacy rule, 45 CFR Parts 160 and 164, and any amendments thereto (hereinafter the “HIPAA Security and Privacy Rule”) as well as other applicable federal and state privacy and confidentiality rules, health care providers who use Arctrieval’s Web site to facilitate the exchange of Protected Health Information and any other services or products that Arctrieval may offer from time-to-time, (each a “Covered Entity”) and Arctrieval, Inc., (“Business Associate”) (jointly “the Parties”) wish to enter into this agreement (“Agreement”) to address the requirements of the HIPAA Security and Privacy Rule with respect to “business associates,” as that term is defined in the HIPAA Security and Privacy Rule.

Business Associate acknowledges that it is required to establish and implement appropriate safeguards (including certain administrative requirements) for “Protected Health Information” (“PHI”) as defined by HIPAA in any form or medium, including electronic, the Business Associate may create, receive, maintain, transmit, use, or disclose in connection with certain functions, activities, or services (collectively “services”) to be provided by Business Associate to or on behalf of Covered Entity.

The services to be provided by Business Associate are identified in a separate agreement (“Terms of Use”) between Covered Entity and Business Associate and include, but are not limited to, the exchange of Protected Health Information and any other services or products that Arctrieval may offer from time-to-time.

The Parties acknowledge and agree that Business Associate may create, receive, maintain, transmit, use or disclose PHI if within the scope of, and necessary to achieve, the obligations and responsibilities of the Business Associate in performing on behalf of, or providing services to, the Covered Entity pursuant to the Terms of Use.

II. TERMS AND CONDITIONS

2.1 Definitions. All terms used in this Agreement shall have the meanings set forth in the HIPAA Security and Privacy Rule, unless otherwise defined herein.

2.2 Existing Terms of Use, Privacy Policy. All existing Arctrieval Terms of Use and Arctrieval Privacy Policy are subject to this Agreement and are hereby amended by this Agreement. In the event of conflict between the terms of any Terms of Use, Privacy Policy, and this Agreement, the terms and conditions of this Agreement shall govern. Where provisions of this Agreement are different from those mandated by the HIPAA Security and Privacy Rule, but are nonetheless permitted by the Rule, the provisions of this Agreement shall control. Nothing express or implied in this Agreement is intended to confer, nor shall anything herein confer, upon any person other than the Business Associate and the respective successors or assigns of the Business Associate, any rights, remedies, obligations, or liabilities whatsoever.

III. USE AND DISCLOSURE OF PHI

3.1 Use of PHI. Business Associate agrees to create, receive, maintain, transmit, use, or disclose PHI only in a manner that is consistent with this Agreement and the HIPAA Security and Privacy Rule and only in connection with providing the services identified in the Terms of Use to or on behalf of Covered Entity. Accordingly, in providing services to or on behalf of the Covered Entity, the Business Associate, for example, will be permitted to arrange, create, receive, maintain, and/or transmit PHI consistent with the HIPAA Security and Privacy Rule, without obtaining authorization from Covered Entity. PHI does not include summary health information or information that has been de-identified in accordance with the standards for de-identification provided for in the HIPAA Security and Privacy Rule.

3.2 Other Permissible Use and Disclosures. As permitted by 42 CFR §164.504(e)(4) Business Associate also may use or disclose PHI it receives in its capacity as a Business Associate to the Covered Entity if:

3.2.1. The use relates to: (1) the proper management and administration of the Business Associate or to carry out legal responsibilities of the Business Associate, or (2) data aggregation services relating to the health care operations of the Covered Entity; or

3.2.2. The disclosure of PHI received in such capacity may be made in connection with a function, responsibility, or service identified above in 3.2.1. and such disclosure is (1) required by law, or (2) the Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will be held confidential, and the person agrees to notify the Business Associate of any breaches of confidentiality; or

3.2.3. The disclosure of PHI is made, if applicable, pursuant to 42 CFR §423.884(b), notwithstanding any provisions to the contrary, Covered Entity agrees that the Business Associate (on behalf of the Covered Entity) may disclose PHI to the Center for Medicare and Medicaid Services (“CMS”) to the extent necessary to comply with Subpart R of 42 CFR §423 relating to applications for drug subsidy payments.

IV. OBLIGATIONS AND ACTIVITIES OF BUSINESS ASSOCIATE

4.1. General Obligations. Business Associate acknowledges that Business Associate is required by law to comply with sections 164.308, 164.310, 164.312 and 164.316 of the HIPAA Security Rule, and all additional security requirements of the Health Information Technology for Economic and Clinical Health ("HITECH") Act, Title XIII of the American Recovery and Reinvestment Act of 2009 (ARRA), that are applicable to Covered Entities. Business Associate further acknowledges that Business Associate is required by law to comply with the use and disclosure requirements of section 162.504(e) of the HIPAA Privacy Rule and all other privacy requirements of Subtitle D of the HITECH Act that are applicable to Covered Entities. HIPAA compliance requirements include, but are not limited to:

4.1.1. Subcontractors. Business Associate represents to Covered Entity that (i) any disclosure it makes will be permitted or required under applicable laws, (ii) that Business Associate will obtain reasonable written assurances from any person or entity to whom Business Associate discloses the PHI that the PHI will be held confidentially and used or further disclosed only as required and permitted under the HIPAA Security and Privacy Rule and other applicable laws, and (iii) any such person or entity agrees to be governed by the same restrictions and conditions contained in this Agreement, and will notify Business Associate of any breaches of confidentiality of the PHI.

4.1.2. Permissible Disclosures. Except as otherwise limited in this Agreement, Business Associate may disclose PHI to other Business Associates of the Covered Entity (i) as directed by the Covered Entity, or (ii) to perform its duties under the Terms of Use. Notwithstanding any provision hereof, or any other prior agreement by the Parties, it shall be the Covered Entity’s sole responsibility (and not the responsibility of Business Associate) to ensure that the Covered Entity has entered into the appropriate Business Associate agreements with its Business Associates.

4.1.3. Safeguards. (i) Business Associate shall maintain safeguards as reasonably necessary to ensure that PHI is not used or disclosed except as provided for by this Agreement; notwithstanding the foregoing, Covered Entity agrees and acknowledges that Business Associate is not the author of PHI and maintains no control over the PHI that may be provided via the services of Arctrieval, including but not limited to incomplete or inaccurate PHI and production mistakes caused by the negligence of Covered Entity. (ii) Business Associate shall implement administrative, physical, and technical safeguards that reasonably protect the confidentiality, integrity, and availability of PHI that it creates, receives, maintains or transmits on behalf of Covered Entity as required by the HIPAA Security and Privacy Rule. (iii) Business Associate shall implement administrative, physical, and technical safeguards that reasonably protect the confidentiality, integrity, and availability of electronic PHI (“ePHI”) that it creates, maintains, or transmits on behalf of Covered Entity as required by 45 CFR §164.314. (iv) Business Associate shall ensure that any agent, including a subcontractor, to whom it provides such information agrees to implement reasonable and appropriate safeguards to protect it.

4.1.4. Impermissible Use and Disclosure. Business Associate shall report to Covered Entity within ten (10) calendar days of knowledge of any use or disclosure of PHI that is in violation of this Agreement and not permitted under the HIPAA Security and Privacy Rule. Notwithstanding the foregoing, it is Covered Entity’s sole responsibility to monitor and ensure the proper, lawful use of its account with Arctrieval, regardless of whether Covered Entity authorized such access or use. In no event shall Business Associate be liable for the disclosure of PHI that was caused by Covered Entity’s failure to maintain the security of its account.

4.1.5. Accounting of Disclosures. Business Associate shall respond to Covered Entity’s request for the information it has which would be appropriate for an accounting of disclosures of PHI as provided for in CFR §164.528 of the HIPAA Security and Privacy Rule within ten calendar days of receipt of request. Business Associate shall not be required to maintain a record of disclosures of PHI: (a) made to an individual who is the subject of the PHI, or (b) made pursuant to an authorization that is valid under HIPAA.

4.1.6. Access to PHI. Business Associate shall report to Covered Entity a request from an individual for PHI as provided for in 45 CFR § 164.524 as soon as reasonable after receiving said request. In the event Covered Entity fails to object to such a request and deny the same within thirty (30) calendar days, and where said denial is made pursuant to CFR §164.524 of the HIPAA Privacy Rule, Business Associate shall respond to the individual requesting access to PHI. Notwithstanding the foregoing, in the event Covered Entity has retained the professional services of Business Associate for the complete facilitation of record production, Covered Entity agrees and acknowledges that Business Associate may respond to requests for PHI without further notice to Covered Entity.

4.1.7. Disclosures Required by Law. Business Associate may disclose PHI to report violations of law to appropriate Federal or State authorities, consistent with CFR §164.502.

4.1.8. Access to Secretary of Health and Human Services (“HHS”). Business Associate shall make available to the Covered Entity, HHS, or its agents, the Business Associate’s internal practices, books, and records relating to the use and disclosure of PHI as required in CFR §164.504 of the HIPAA Security and Privacy Rule.

4.1.9. Cooperation. Business Associate shall cooperate with Covered Entity to comply with the HIPAA Security and Privacy Rule. Notwithstanding the foregoing, in the event such undertakings for cooperation are outside the scope of the Terms of Use, Covered Entity agrees and acknowledges that said undertakings shall be subject to Business Associate’s then-current time and materials rate.

4.1.10. Electronic Transactions. Business Associate, its agents, and subcontractors shall comply with applicable requirements of Standards for Electronic Transactions (45 CFR §§160 and 162).

4.1.11. Security Incidents. Business Associate shall report to Covered Entity any security incident, as defined in 45 CFR § 164.304, of which it becomes aware within ten (10) calendar days of knowledge of such incident.

4.1.12. Breaches. Pursuant to 45 CFR § 164.410, in the event of a breach by Business Associate of unsecured PHI, as the terms “breach” and “unsecured PHI” are defined in 45 CFR § 164.402, Business Associate shall report such breach to Covered Entity within ten calendar days of knowledge of such breach. Business Associate’s report shall include all information available to allow Covered Entity to provide a notification of breach consistent with 45 CFR § 164.404.

V. OBLIGATIONS OF COVERED ENTITY

5.1. Receipt of PHI. If Covered Entity wishes to receive PHI, it shall create and maintain a user account for such persons authorized to represent Covered Entity who can receive and disclose PHI for set forth in Section 4.1 above the same. By creating and maintaining such a user account, Covered Entity represents to Business Associate that all individuals with access to said account are authorized to represent Covered Entity and can receive and disclose PHI for set forth in Section 4.1 above.

5.2. Right to Use. Covered Entity shall provide Business Associate with any changes in, or revocation of, or authorization by an individual who is the subject of PHI to disclose such PHI, if such changes affect Business Associate's performance under this Agreement or the Terms of Use.

5.3. Restrictions of Use. Covered Entity is solely responsible for ensuring that any PHI made available via the Arctrieval services complies with any restriction to the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 CFR §164.522. Business Associate shall not be held liable for disclosures of PHI that violate this provision.

5.4. Accounting of Disclosures. Covered Entity shall cooperate with Business Associate to provide Accounting of Disclosures when requested.

VI. TERMINATION

6.1. Term. The term of this Agreement shall be effective as of the date Covered Entity registers to use the Services. Unless otherwise terminated, this Agreement shall end when all of the PHI provided by Covered Entity to Business Associate is destroyed, returned to the Covered Entity, or protected as described in (c) below.

6.2. Termination for Cause. Upon Covered Entity’s knowledge of a material breach of Business Associate’s obligation under this Agreement or of HIPAA, or upon Business Associate’s knowledge of a material breach of Covered Entity’s obligation under this Agreement or of HIPAA, and subject to (6.3) below, Covered Entity or Business Associate may commence termination of this Agreement by providing written Notice of Termination to the other Party.

6.3. Termination not feasible. If termination would cause irreparable business interruption or harm to a patient, or is otherwise not feasible, Parties shall make all efforts reasonable to cure breach or mitigate harm to individuals caused by such breach. If this occurs and this Agreement is not terminated, Covered Entity or Business Associate shall report the situation to the Secretary of Health and Human Services.

6.4. Return or Destruction of PHI. It is Business Associate’s privacy practice to delete all electronic copies of PHI on its systems within a reasonable time after a confirmed delivery to the entity that the requesting party designates (i.e. a covered entity, attorney, insurance company, the individual who is the subject of the PHI, or another designated third party) or as requested by the providing party. Any PHI contained in a medical record release authorization consent form is part of such form and is retained indefinitely, as described in Arctrieval’s Privacy Policy.

VII. MISCELLANEOUS

7.1. Indemnification. Covered Entity shall, to the fullest extent permitted by law, protect, defend, indemnify, and hold harmless Business Associate as well as its respective directors, officers, employees, contractors, parents, subsidiaries, agents, third-party content providers, and (“Indemnitees”) from and against any and all losses, costs, claims, penalties, fines, demands, liabilities, legal actions, judgments, and expenses of every kind (including reasonable attorneys’ fees, including at trial and on appeal) asserted or imposed against any Indemnitees arising out of or related to the acts or omissions of the Covered Entity and any individual or entity using its account to access the Arctrieval services as well as its respective directors, officers, employees, contractors, parents, subsidiaries, agents, third-party content providers related to material breach of this Agreement; use of the services; the unauthorized use of the services by any entity or individual using Covered Entity’s account; and/or the failure to comply with HIPAA.

7.2. Severability. If any provision of this Agreement is held invalid or unenforceable, such invalidity or non-enforceability shall not invalidate or render unenforceable any other portion of this Agreement. The entire Agreement will be construed as if it did not contain the particular invalid or unenforceable provision(s), and the rights and obligations of Business Associate and Covered Entity will be construed and enforced accordingly.

7.3. Waiver. The failure by one Party to require performance of any provision of this Agreement shall not affect that Party’s right to require performance at any time thereafter, nor shall a waiver of any breach or default of this Agreement constitute a waiver of any subsequent breach or default or a waiver of the provision itself.

7.4. Amendment. Business Associate may amend this Agreement at any time in its sole discretion where the same shall become effective following the posting of a notice to the Website and notification of Covered Entity via email.

7.5. Entire Agreement. This Agreement supersedes and replaces any and all prior Business Associate Agreements between the Parties. To the extent that the Terms of Use and/or Privacy Policy address the rights and obligations contained in this Agreement, this Agreement supersedes and replaces all provisions in the Terms of Use and Privacy Policy related to the subject matter of this Agreement.