Business Associate Agreement (BAA)

This Business Associate Agreement (the "Agreement"), effective as of the (the "Effective Date"), is made by and between the Parties named in Section 1 for the good, valuable and mutual consideration described herein, the sufficiency and receipt of which both Parties acknowledge.

1.    THE PARTIES

The Parties to this Agreement are:

1.A     Wound Reference, Inc, a California corporation

Business Address

1662 Chestnut Street, San Francisco, CA 94123

Wound Reference, Inc is defined as a "Business Associate" by The HIPAA Rules and referred to in this Agreement as "Business Associate".

And

1.B      Guest Account, a CA

26 Williams Drive

Guest Account is defined as a "Covered Entity" by The HIPAA Rules and is referred to in this Agreement as "Covered Entity".

Business Associate and Covered Entity are sometimes referred to in this Agreement individually as a "Party" and collectively as the "Parties".

2.    HIPAA AND THE HIPAA RULES

2.A     HIPAA

The Parties must comply with United States statutory law known as the Health Insurance Portability and Accountability Act of 1996 as amended and any amendments and modifications to the law that become effective during the term of this Agreement.[1] The statutory law is referred to in this Agreement as "HIPAA".

2.B      THE HIPAA RULES

The Parties must comply with Federal administrative law consisting of regulations authorized by HIPAA called the Privacy Rule, Security Rule, Breach Notification Rule and Enforcement Rule and any amendments, additions and modifications to the regulations that become effective during the term of this Agreement. [2] The regulations are referred to in this Agreement as "The HIPAA Rules".

3.    THIS AGREEMENT

This Agreement is a Business Associate Contract between the Parties in compliance with The HIPAA Rules to accomplish the following purposes:

3.A     To enable Covered Entity to obtain satisfactory assurances from Business Associate that it will appropriately safeguard all Protected Health Information (PHI) including Electronic Protected Health Information (EPHI) that Covered Entity Discloses to Business Associate and that Business Associate creates, receives, maintains or transmits on behalf of Covered Entity;

3.B      To document the satisfactory assurances described in Sub-section 3.A in writing;

3.C      To establish the permitted and required Uses and Disclosures of PHI including EPHI by Business Associate; and

3.D     To confirm and document the exchange and receipt of mutual promises made by the Parties that during the Term of this Agreement each Party will perform its obligations in compliance with HIPAA and The HIPAA Rules and establish and document the performance required of each Party by this Agreement.

4.    DEFINED TERMS USED IN THIS AGREEMENT

The following terms are defined in The HIPAA Rules and are capitalized for clarity and ready reference in this Agreement. Any change to HIPAA or The HIPAA Rules modifying a defined term or the citation of a defined term in this Agreement shall be deemed incorporated into this Agreement on the effective date of such change.

4.A     "Access of Individuals to Protected Health Information" shall mean the procedures described in 45 CFR §164.524 of The HIPAA Rules and is referred to in this Agreement as "Access of an Individual to PHI."

4.B      "Accounting of Disclosures of Protected Health Information" shall mean the procedures described in 45 CFR §164.528 of The HIPAA Rules and is referred to in this Agreement as "Accounting of Disclosures of PHI."

4.C      "Amendment of Protected Health Information" shall mean the procedure described in 45 CFR §164.526 of The HIPAA Rules and is referred to in this Agreement as "Amendment of PHI."

4.D     "Availability" shall have the same meaning as the term "availability" defined in 45 CFR §164.304 of The HIPAA Rules.

4.E.     "Breach" means the acquisition, access, use, or disclosure of Protected Health Information in a manner not permitted under the Privacy Rule which compromises the security or privacy of the Protected Health Information as defined in 45 CFR §164.402 of The HIPAA Rules.

4.F      "Breach Notification Rule" shall mean the regulations set forth in The HIPAA Rules at 45 CFR § 164.400-414.

4.G     "Business Associate" shall have the same meaning as the term "business associate" defined in 45 CFR §160.103 of The HIPAA Rules. Business Associate identified in this Agreement as a Party is a "business associate" as defined by the HIPAA Rules.

4.H     "Business Associate Contract" shall mean written contract required by The HIPAA Rules and described at 45 CFR §§ 164.308(b), 164.314(a), 164.502(e) and 164.504(e). This Agreement is a Business Associate Contract as defined by The HIPAA Rules.

4.I       "Confidentiality" shall have the same meaning as the term "confidentiality" defined in 45 CFR §164.304 of The HIPAA Rules.

4.J       "Covered Entity" shall have the same meaning as the term "covered entity" defined in 45 CFR §160.103 of The HIPAA Rules. Covered Entity identified in this Agreement as a Party is a "covered entity" as defined by The HIPAA Rules.

4.K      "Data Aggregation" shall have the same meaning as the term "data aggregation" defined in 45 CFR §164.501 of The HIPAA Rules.

4.L      "Date of Discovery" means the first day on which a Breach is known or, by exercising Reasonable Diligence would have been known to any person, other than the person committing the breach, who is a workforce member or agent of the Covered Entity or Business Associate as defined by 45 CFR §164.404(a)(2) and 45 CFR §164.410(a)(2) of The HIPAA Rules.

4.M    "Designated Record Set" shall have the same meaning as the term "designated record set" defined in 45 CFR §164.501 of The HIPAA Rules.

4.N.    "Disclosure" shall have the same meaning as the term "disclosure" defined in 45 CFR §160.103 of The HIPAA Rules and Disclose means to make a Disclosure.

4.O     "Electronic Protected Health Information" shall have the same meaning as the term "electronic protected health information" defined in 45 CFR § 160.103 of The HIPAA Rules. Electronic Protected Health Information is referred to in this Agreement as "EPHI". All EPHI is also "Protected Health Information" (PHI) – see definition in Sub-section 4.W.

4.P      "Enforcement Rule" shall mean the regulations set forth in The HIPAA Rules at 45 CFR Part 160, Subparts C, D and E.

4.Q     "Individual" shall have the same meaning as the term "individual" defined in 45 CFR §160.103 of The HIPAA Rules.

4.R      "Integrity" shall have the same meaning as the term "integrity" defined in 45 CFR §164.304 of The HIPAA Rules.

4.S      "Marketing" shall have the same meaning as the term "marketing" defined in 45 CFR §164.501 of The HIPAA Rules.

4.T      "Minimum Necessary" shall have the same meaning as "minimum necessary" defined in 45 CFR §164.502(b) and 45 CFR §164.514(d) of The HIPAA Rules.

4.U     "Organized Health Care Arrangement" shall have the same meaning as "organized health care arrangement" as defined in 45 CFR §160.103.501 of The HIPAA Rules.

4.V     "Privacy Rules" shall mean the regulations set forth in The HIPAA Rules at 45 CFR Part 160 and Subparts A and E of Part 164.

4.W    "Protected Health Information" shall have the same meaning as the term "protected health information" defined in 45 CFR §160.103 of The HIPAA Rules. Protected Health Information is referred to in this Agreement as "PHI".

4.X      "Reasonable Diligence" shall have the same meaning as the term "reasonable diligence" defined in 45 CFR §160.401 of The HIPAA Rules.

4.Y      "Remuneration" shall have the same meaning as "financial remuneration" defined in section (3) of the definition of Marketing in 45 CFR §164.501 of The HIPAA Rules including direct or indirect remuneration for the Sale of Protected Health Information in accordance with 45 CFR §164.502(a)(5)(ii)(B)(1) of The HIPAA Rules.

4.Z      "Required by Law" shall have the same meaning as the term "required by law" defined in 45 CFR §164.103 of The HIPAA Rules.

4.AA  "Restriction" shall mean a restriction of Uses and Disclosures of Protected Health Information in accordance with 45 CFR §164.522(a), a restriction to accommodate an Individual’s request for confidential communications in accordance with 45 CFR §164.522(b) or a restriction of unencrypted electronic transmission of an Individual’s PHI to the Individual in accordance with The HIPAA Rules explained at 78 FR 5634, Jan. 25, 2013 and 79 FR 7302, Feb. 6, 2014.

4.BB   "Sale of Protected Health Information" shall have the same meaning as the term "sale of protected health information" defined in 45 CFR §164.502(a)(5)(ii)(b) of The HIPAA Rules. Sale of Protected Health Information sometimes is referred to in this Agreement as "Sale of PHI."

4.CC   "Secretary" shall mean the Secretary of U.S. Department of Health and Human Services (HHS) or any other officer or employee of HHS to whom the authority involved has been delegated as defined in 45 CFR § 160.103 of The HIPAA Rules.

4.DD  "Security Incident" shall have the same meaning as the term "security incident" defined in 45 CFR § 164.304 of The HIPAA Rules.

4.EE    "Security Rule" shall mean the regulations set forth in The HIPAA Rules at 45 CFR Part 160 and Subparts A and C of Part 164.

4.FF    "State Law" shall have the same meaning as the term "state law" defined in 45 CFR §164.202 of The HIPAA Rules.

4.GG  "Subcontractor" means a Business Associate that creates, receives, maintains, or transmits Protected Health Information on behalf of a Business Associate as defined in 45 CFR § 160.103 of The HIPAA Rules and is referred to in this Agreement as a "Subcontractor Business Associate".

4.HH  "Unsecured Protected Health Information" shall have the same meaning as the term "unsecured protected health information" defined in 45 CFR §164.402 of The HIPAA Rules and means Protected Health Information that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary in guidance issued under HIPAA (section 13402(h)(2) of Public Law 111-5). Unsecured Protected Health Information is referred to in this Agreement as "Unsecured PHI."

4.II      "Use" shall have the same meaning as the term "use" defined in 45 CFR §160.103 of The HIPAA Rules.

5.    THE SPECIFIC PROTECTED HEALTH INFORMATION (PHI) AND ELECTRONIC PROTECTED HEALTH INFORMATION (EPHI) THAT ARE THE SUBJECT OF THIS AGREEMENT

In this Agreement the defined terms Protected Health Information – PHI and Electronic Protected Health Information – EPHI refer exclusively and only to:

5.A     PHI and EPHI Business Associate creates, receives, maintains or transmits on behalf of Covered Entity to perform a function or activity regulated by The HIPAA Rules;

5.B      PHI and EPHI Disclosed to Business Associate by or on behalf of Covered Entity so that Business Associate may provide legal, actuarial, accounting, consulting, Data Aggregation, management, administrative, accreditation, or financial services to or for Covered Entity; and

5.C      PHI and EPHI that a Subcontractor Business Associate creates, receives, maintains, or transmits on behalf of Business Associate related to a function or activity described in Sub-section 5.A or provision of a service described in Sub-section 5.B.

6.    UNDERLYING BUSINESS AGREEMENT

Business Associate and Covered Entity have a business relationship established by one or more written or oral contracts or agreements made before, on or after the Effective Date involving Use, Disclosure, creation, receipt, maintenance or transmission of PHI and/or EPHI described in Section 5 that are referred to in this Agreement collectively as the "Underlying Business Agreement".

6.A     THE UNDERLYING BUSINESS AGREEMENT – HIPAA AND THE HIPAA RULES

The Underlying Business Agreement requires Business Associate to perform a function or activity or provide a service involving the PHI and/or EPHI described in Section 5 that is subject to compliance with HIPAA and The HIPAA Rules. Accordingly, Business Associate and Covered Entity must enter into a Business Associate Contract.

6.B      EFFECT OF THIS AGREEMENT – CONSIDERATION

This Agreement is a Business Associate Contract. The Parties agree that the terms, conditions, promises and performance described in this Agreement are required by HIPAA and The HIPAA Rules to perform their respective obligations established by the Underlying Business Agreement. Accordingly, the mutual promises and obligations of the Parties set forth in this Agreement are good, valuable, sufficient and mutual consideration given, received, and accepted by each Party for this Agreement and elements of the good, valuable, sufficient and mutual consideration given, received, and accepted by each Party for the Underlying Business Agreement that permit the Parties to continue their established business relationship or establish a new business relationship.

6.C      THIS AGREEMENT INCORPORATED IN UNDERLYING BUSINESS AGREEMENT

The Parties agree that this Agreement is incorporated by reference in the Underlying Business Agreement and by execution of this Agreement, do hereby amend the Underlying Business Agreement to include this Agreement. This Agreement supersedes and renders null and void any provision in the Underlying Business Agreement, whether made before or after the Effective Date, that conflicts with HIPAA or The HIPAA Rules.

7.    OBLIGATIONS OF BUSINESS ASSOCIATE UNDER THIS AGREEMENT

7.A     Business Associate shall not Use or further Disclose PHI other than as permitted or required by this Agreement, the Underlying Business Agreement or as Required by Law.

7.B      Business Associate shall appropriately safeguard all PHI including EPHI that Covered Entity Discloses to Business Associate and that Business Associate creates, receives, maintains or transmits on behalf of Covered Entity.

7.C      Business Associate shall comply with the applicable requirements of the Security Rule during the Term of the Agreement and, if necessary, comply with the Security Rule and The HIPAA Rules that are applicable to fulfill any obligations that survive the Agreement’s termination in accordance with Section 12 and Sub-section 10.C of this Agreement.

7.D     Business Associate shall enter into a written Business Associate Contract with any Subcontractor Business Associate to which it Discloses PHI including EPHI or that creates, receives, maintains, or transmits EPHI on its behalf by which it shall obtain satisfactory assurances that the Subcontractor Business Associate agrees to comply with the same restrictions and conditions that apply to Business Associate with respect to all PHI including EPHI, comply with applicable requirements of the Security Rule and appropriately safeguard all such PHI including EPHI.

7.E      Business Associate shall not engage the services of a Subcontractor Business Associate, enter into a Business Associate Contract with a Subcontractor Business Associate described in Sub-section 7.D, Disclose PHI including EPHI or permit a Subcontractor Business Associate to create, receive, maintain, or transmit PHI and EPHI on its behalf unless the Subcontractor Business Associate is at all relevant times subject to the laws of the United States including the Secretary’s Enforcement of HIPAA and The HIPAA Rules and civil enforcement by Business Associate of the Business Associate Contract with a Subcontractor Business Associate.

7.F      If Business Associate knows of a pattern of activity or practice of a Subcontractor Business Associate that constitutes a material breach or violation of the Subcontractor Business Associate’s obligations under the Business Associate Contract described in Sub-section 7.D, Business Associate shall take reasonable steps to cure the breach or end the violation, as applicable, and, if such steps are unsuccessful, terminate the Business Associate Contract with the Subcontractor Business Associate.

7.G     Business Associate shall not Disclose PHI for Marketing for which it receives Remuneration unless the Individual has executed a valid authorization stating Remuneration is involved in accordance with 45 C.F.R. §164.508(a)(3) of the HIPAA Rules and shall not Disclose PHI which is a Sale of PHI unless the Individual has executed a valid authorization stating Remuneration is involved in accordance with 45 C.F.R. §164.508(a)(4) of The HIPAA Rules.

7.H     Business Associate, when Using, Disclosing or requesting PHI, shall make reasonable efforts to limit the PHI to the Minimum Necessary to accomplish the intended purpose of the Use, Disclosure or request.

7.I       Business Associate shall comply with applicable requirements of the Breach Notification Rule and shall notify Covered Entity of any Breach of Unsecured PHI it discovers not later than ten (10) business days after Business Associate's Date of Discovery of the Breach of Unsecured PHI.

7.J       Business Associate shall report to Covered Entity any Use or Disclosure of information not provided for by this Agreement or the Underlying Business Agreement of which it becomes aware not later than ten (10) business days after it becomes aware of such Use or Disclosure.

7.K      Business Associate shall report any Security Incident of which it becomes aware to Covered Entity not later than thirty (30) calendar days after it becomes aware of such Security Incident. The Parties agree that this Sub-section 7.K constitutes ongoing notice by Business Associate to Covered Entity of "unsuccessful" Security Incidents that do not represent substantial risks to PHI, such as Pings and other broadcast attacks on Business Associate’s firewall, port scans, unsuccessful log-on attempts, denial of service and any combination of the above and no additional notice to Covered Entity shall be required provided that no such unsuccessful Security Incident results in Unauthorized Acquisition, Access, Use, Disclosure, modification or destruction of EPHI or interference with Business Associate's Information System operations related to EPHI.

7.L      If Business Associate maintains PHI of an Individual in a Designated Record Set, Business Associate shall make the PHI available to Covered Entity within five (5) business days after receiving a request for the PHI from Covered Entity as provided in Sub-section 9.B in order for Covered Entity to satisfy Covered Entity’s obligations regarding Access of an Individual to PHI in accordance with 45 CFR § 164.524 of The HIPAA Rules.

7.M    If Business Associate maintains PHI of an Individual in a Designated Record Set, Business Associate shall make the PHI available to Covered Entity within five (5) business days after receiving notice from Covered Entity as provided in Sub-section 9.C. that the PHI is subject to an Individual's request for Amendment in accordance with 45 CFR § 164.526 of The HIPAA Rules. Covered Entity shall be solely responsible for determining the appropriate response to a request for Amendment and Business Associate shall incorporate any such amendments in the Individual's Designated Record Set maintained by Business Associate.

7.N     Business Associate will maintain and make available to Covered Entity the information required to provide an Accounting of Disclosures of PHI in accordance with 45 CFR § 164.528 of The HIPAA Rules within five (5) business days of receipt of notice requesting such information from Covered Entity as provided in Sub-section 9.D.

7.O     Business Associate, to the extent it is required to carry out an obligation of Covered Entity under the Privacy Rule, shall comply with the requirements of the Privacy Rule that apply to Covered Entity in the performance of the obligation.

7.P      Business Associate, if required by the Underlying Business Agreement to make Uses or Disclosures of PHI subject to Restrictions, shall comply with each such Restriction immediately upon receipt of notification of the Restriction from Covered Entity as provided in Sub-section 9.E and shall comply with the Restriction during the Term of this Agreement or until Covered Entity notifies Business Associate that the Restriction has been terminated.

7.Q     Business Associate will Disclose PHI to the Secretary in accordance with 45 CFR § 164.502(a)(4)(i) of The HIPAA Rules when required by the Secretary under the Enforcement Rule to investigate or determine Business Associate’s compliance with The HIPAA Rules.

7.R      Business Associate will make its internal practices, books and records relating to the Use and Disclosure of PHI received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity, available to the Secretary in accordance with 45 CFR § 164.504(e)(2)(ii)(I) of The HIPAA Rules for purposes of determining Covered Entity’s compliance with The Privacy Rule.

8.    PERMITTED USES AND DISCLOSURES OF PHI BY BUSINESS ASSOCIATE

8.A     Business Associate may Use or Disclose PHI for its proper management and administration or carry out its legal responsibilities if the Disclosure is Required by Law or Business Associate obtains reasonable assurances from the person to whom the information is Disclosed that it will be held confidentially and used or further Disclosed only as Required by Law or for the purposes for which it was Disclosed to the person and that person notifies Business Associate of any instances of which it is aware in which the Confidentiality of the information has been Breached.

8.B      Business Associate may provide Data Aggregation services if performance of such services is provided for in the Underlying Business Agreement.

9.    OBLIGATIONS OF COVERED ENTITY

9.A     Covered Entity shall make reasonable efforts to limit any Use, Disclosure or request of PHI made to Business Associate to the Minimum Necessary to accomplish the intended purpose of the Use, Disclosure, or request.

9.B      Covered Entity shall notify Business Associate in a timely manner in accordance with 45 CFR § 164.524 and 45 CFR § 164.502(a)(4)(ii) of The HIPAA Rules, so that Business Associate may make the PHI available to Covered Entity as necessary to satisfy Covered Entity's obligations regarding a request for Access of Individuals to PHI as provided in Sub-section 7.L.

9.C      Covered Entity shall notify Business Associate in a timely manner in accordance with 45 CFR § 164.526 of The HIPAA Rules, as necessary, so Business Associate may make available PHI for Amendment of PHI and incorporate any Amendment of PHI in a Designated Record Set as provided in Sub-section 7.M.

9.D     Covered Entity shall notify Business Associate in a timely manner in accordance with 45 CFR § 164.528 of The HIPAA Rules, as necessary, to enable Business Associate to fulfill any obligation regarding an Accounting of Disclosures of PHI as provided in Sub-section 7.N.

9.E      Covered Entity shall notify Business Associate of any Restriction of the Use or Disclosure of an Individual's PHI that is applicable to Business Associate's performance of its obligations required by the Underlying Business Agreement when and if such Restriction becomes effective during the Term of this Agreement and shall notify Business Associate when and if such Restriction is terminated.

10.  TERM AND TERMINATION

10.A   TERM

The Term of this Agreement shall commence on the Effective Date and shall continue in full force and effect until such time as the Parties terminate the business relationship referred to in Sub-section 5.A or terminate this Agreement pursuant to a provision of this Section 10, provided, however, that any termination is subject to the provisions of Sub-section 10.C and Section 12 concerning survival of certain obligations and provisions of this Agreement.

10.B   TERMINATION

The Parties may terminate this Agreement by mutual consent in writing executed by the Parties and on terms that are agreeable to the Parties provided the Agreement is no longer required under HIPAA or The HIPAA Rules.

10.B.1    If Business Associate knows of a pattern of activity or practice of Covered Entity that constitutes a material breach or violation of Covered Entity’s obligations under this Agreement, Business Associate shall take reasonable steps to cure the breach or end the violation, as applicable. If such steps are unsuccessful, Business Associate, if feasible, shall terminate this Agreement and the Underlying Business Agreement with Covered Entity by providing notice in accordance with Section 13.

10.B.2    Either Party, upon learning or having reasonable cause to believe that the other Party has committed a material breach or violation of this Agreement, shall give written notice to the other Party describing the material breach or violation and granting the other Party a period of thirty (30) days to cure the material breach or violation or submit proof that it has not committed such material breach or violation. If such material breach or violation was committed and is not cured within thirty (30) days, this Agreement and the Underlying Business Agreement shall be terminated by written notice to the Party that committed the material breach or violation, provided, however, that if substantial cure is in progress the Parties may extend the period to cure the material breach or violation by mutual agreement in writing by providing notice in accordance with Section 13.

10.B.3    Business Associate may terminate this Agreement and the Underlying Business Agreement immediately if Covered Entity is determined to have violated HIPAA or The HIPAA Rules in any administrative, judicial or other legal proceeding regardless of whether the violation involves this Agreement or the Underlying Business Agreement by giving written notice to Covered Entity.

10.B.4    If either Party believes in good faith that any provision of this Agreement fails to comply with modifications or administrative or judicial interpretations of HIPAA or The HIPAA Rules, such Party shall give written notice to the other Party stating its specific concerns. For a period of thirty (30) days following provision of notice, the Parties shall address in good faith such concerns and amend this Agreement, if necessary. If, after such thirty-day period, a Party believes in good faith that the Agreement fails to comply with HIPAA or The HIPAA Rules, that Party has the right to terminate this Agreement and the Underlying Business Agreement by written notice to the other Party.

10.C   EFFECT OF TERMINATION

When this Agreement is terminated, if feasible, Business Associate shall return to Covered Entity or destroy all PHI (including EPHI) received from, or created or received by Business Associate on behalf of, Covered Entity that Business Associate still maintains in any form and retain no copies of such PHI or, if such return or destruction is not feasible, extend the protections of this Agreement to PHI and EPHI and limit further Uses and Disclosures to those purposes that make the return or destruction of the information infeasible. When it becomes feasible, Business Associate shall return to Covered Entity or, if agreed to by Covered Entity, destroy PHI and EPHI retained by Business Associate. Business Associate’s obligations under this Agreement regarding PHI and EPHI that is not returned or destroyed at termination of this Agreement shall remain in full force and effect and survive termination of this Agreement in accordance with Section 12 and Sub-section 7.C.

11.  SEVERABILITY CLAUSE

If an Arbitrator or Court of competent jurisdiction shall declare any provision of this Agreement to be invalid, illegal or unenforceable, that provision shall be severed from this Agreement and all the remaining provisions of this Agreement shall continue in full force and effect. The invalidity, illegality or unenforceability of any term of this Agreement shall not affect the validity, legality or enforceability of the remaining terms of this Agreement. However, if permitted by applicable law, any invalid, illegal or unenforceable provision may be considered in determining the intent of the Parties with respect to other provisions of this Agreement.

12.  SURVIVAL OF COVENANTS

Any provision in this Agreement that is specifically stated to survive the termination of this Agreement and any provision which, by its terms, cannot be performed prior to the termination of this Agreement or which, by its terms, continues beyond the Term of this Agreement shall be deemed to survive the termination of this Agreement and shall be enforceable by the Parties including but not limited to Business Associate’s obligation to extend all protections described in this Agreement to PHI and EPHI that is not returned or destroyed upon termination in accordance with Sub-section 10.C.

13.  NOTICE

Any notice or other communication required or permitted under this Agreement shall be in writing and shall be deemed sufficiently given to a Party if (a) delivered personally; (b) sent by certified U.S. Mail, return receipt requested; or (c) sent by a national overnight delivery service (such as Federal Express or UPS with delivery verification) addressed to the Party at the address of its principal place of business set forth in this Agreement or to such other address furnished by written notice to the other Party by means of the procedures set forth in this Section.

14.  ASSIGNABILITY

No Party may assign its respective rights and obligations under this Agreement without the prior written consent of the other Party and such consent shall not be withheld unreasonably.

15.  ENTIRE BUSINESS ASSOCIATE AGREEMENT – AMENDMENT MUST BE IN WRITING

This is the entire Business Associate Agreement between the Parties. This Agreement shall not be altered, amended or modified except in writing executed by the Parties.

15.A   Amendments to the Underlying Business Agreement or the making of an Underlying Business Agreement between the Parties after the Effective Date shall not be construed as an amendment of this Agreement.

15.B   The Parties agree to take such action as is necessary to amend this Agreement to the extent necessary to allow either Party to comply with HIPAA and The HIPAA Rules during the Term of this Agreement.

15.C   Regardless of whether this Agreement is amended in writing to conform to an amendment of HIPAA or The HIPAA Rules it shall be construed to comply with HIPAA, The HIPAA Rules and applicable State Law in accordance with Sub-sections 20.A and 20.B.

16.  WAIVER

Failure of either Party at any time to require strict performance of any provision of this Agreement shall not be considered to be an implied waiver of any breach, or of any succeeding breach, of such provision or an implied waiver of any right of the Party to take any action or obtain any relief permitted under this Agreement. A waiver of any right, duty or obligation established by this Agreement must be an express written waiver executed by the Party making the waiver.

17.  FORCE MAJEURE – SECURITY RULE EXCEPTION

17.A   FORCE MAJEURE

If either Party is delayed or prevented from fulfilling its obligations under this Agreement by Force Majeure, the Party shall not be liable under this Agreement for the delay or failure. Force Majeure means any cause beyond the reasonable control of a Party, including but not limited to acts of God, civil or military disruption, terrorism, fire, strike, flood, riot, war, or inability, due to the aforementioned causes, to obtain necessary labor, materials or facilities.

17.B   HIPAA SECURITY RULE EXCEPTION TO FORCE MAJEURE

The provisions of Sub-section 17.A concerning Force Majeure shall not relieve either Party of its responsibility under the Security Rule to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to ensure the Confidentiality, Integrity and Availability of all EPHI the Party creates, receives, maintains, or transmits; protect against any reasonably anticipated threats or hazards to the security or Integrity of such information and protect against any reasonably anticipated Uses or Disclosures of such information that are not permitted or required under the Privacy Rule.

18.  RELATIONSHIP BETWEEN THE PARTIES

The Parties to this Agreement are independent contractors.

18.A   This Agreement does not create a joint venture, partnership, merger, employer-employee relationship or Organized Health Care Arrangement between the Parties nor does it make either Party an agent of the other.

18.B   No provision of this Agreement is intended to create, nor may be deemed to create, any relationship between the Parties other than that of independent parties contracting with each other for the purpose of complying with HIPAA and The HIPAA Rules.

18.C   Nothing in this Agreement is intended to confer on Covered Entity the authority or right to provide interim instructions in order to control Business Associate's conduct in the course of performing Business Associate's obligations under this Agreement.

19.  EXECUTION, COUNTERPARTS AND FACSIMILE DELIVERY

The Parties may execute this Agreement in any number of counterparts, and each counterpart shall, for all purposes, be deemed an original instrument. All such counterparts together shall constitute but one and the same Agreement. The Parties may sign and deliver this Agreement by facsimile or electronic transmission and may execute this Agreement in compliance with applicable e-signature law. At the request of either Party, the Parties shall also provide signed counterparts to each other.

20.  MISCELLANEOUS

20.A   COMPLIANCE WITH HIPAA AND THE HIPAA RULES

Any ambiguity in this Agreement shall be construed and resolved to permit the Parties to comply with HIPAA and The HIPAA Rules.

20.B   STATE LAW

In accordance with 45 CFR § 160.203 of The HIPAA Rules, the Parties shall comply with applicable State Law that is not preempted by The HIPAA Rules.

20.C   GOVERNING LAW

This Agreement and the rights and obligations of the Parties shall be governed and construed by HIPAA, The HIPAA Rules and the law of the State of California without regard to applicable conflict of laws principles.

20.D   VENUE

Any dispute relating to this Agreement shall be resolved by alternative dispute resolution or in a state or federal court located in California and Covered Entity consents to such venue.

20.E    SUCCESSORS AND ASSIGNS

This Agreement is binding upon all successors and assigns of the Parties.

20.F    NO THIRD PARTY BENEFICIARY

Nothing in this Agreement, whether expressed or implied, shall be considered or construed to confer any rights, remedies, obligations, or liabilities or to impose any obligation whatsoever on any person other than the Parties and the respective successors or assigns of the Parties.

20.G   CAPTIONS

Each Section and Sub-section in this Agreement is identified by a caption for convenience only. No caption is substantive or may be used to construe the meaning of any Section, Sub-section or provision of this Agreement.

20.H   EQUITABLE RELIEF

The Parties recognize that a breach of this Agreement by one Party may result in irreparable or immediate harm to the other Party. Accordingly, either Party shall have the right to seek equitable relief to enjoin, restrain, redress, mitigate or prevent irreparable harm in a court of competent jurisdiction to enforce the terms of this Agreement while reserving its rights to pursue all other available remedies from the other Party under this Agreement or the Underlying Business Agreement. In the event a Party seeks equitable relief from a court of competent jurisdiction under this section, the prevailing Party shall be entitled to receive its costs from the other Party including actual attorneys’ fees that are reasonably incurred.

IN WITNESS WHEREOF:

The Parties hereby execute this Business Associate Agreement and confirm it is in full force and effect as of the Effective Date written above.

 

COVERED ENTITY
By: Guest Account
Name: Guest User
Title:
Date:
BUSINESS ASSOCIATE
By: Wound Reference, Inc.
Name: Elaine Song
Title: Co-founder
Date:


[1]   United States statutes that, as of the Effective Date, consist of sections 1171-1180 of the Social Security Act (Administrative Simplification), sections 262 and 264 of Public Law 104-191 (Health Insurance Portability and Accountability Act of 1996), section 105 of Public Law 110-233 (Genetic Information Nondiscrimination Act of 2008), sections 13400-13424 of Public Law 111-5 (Health Information Technology for Economic and Clinical Health Act or "HITECH Act") and section 1104 of Public Law 111-148 (Patient Protection and Affordable Care Act).

[2]   45 CFR Part 160 and Subparts A, C, D and E of Part 164