HIPAA Business Associate Agreement (BAA)
Except as otherwise defined in this BAA, capitalized terms shall have the definitions set forth in HIPAA, and if not defined by HIPAA, such terms shall have the definitions set forth in the Agreement.
“Breach Notification Rule” means the Breach Notification for Unsecured Protected Health Information Final Rule.
“Business Associate” shall have the same meaning as the term “business associate” in 45 CFR § 160.103 of HIPAA.
“Covered Entity” shall have the same meaning as the term “covered entity” in 45 CFR § 160.103 of HIPAA.
“HIPAA” collectively means the administrative simplification provision of the Health Insurance Portability and Accountability Act enacted by the United States Congress, and its implementing regulations, including the Privacy Rule, the Breach Notification Rule, and the Security Rule, as amended from time to time, including by the Health Information Technology for Economic and Clinical Health (“HITECH”) Act and by the Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules; Final Rule.
“Privacy Rule” means the Standards for Privacy of Individually Identifiable Health Information.
“Protected Health Information” shall have the same meaning as the term “protected health information” in 45 CFR § 160.103 of HIPAA, provided that it is limited to such protected health information that is received by Raven Health from, or created, received, maintained, or transmitted by Raven Health on behalf of, you through the use of the Raven Health Services.
“Security Rule” means the Security Standards for the Protection of Electronic Protected Health Information.
2. Permitted Uses and Disclosures of Protected Health Information.
a. Performance of the Agreement. Except as otherwise limited in this BAA, Raven Health may Use and Disclose Protected Health Information for, or on behalf of, you to provide you with the Raven Health Services as specified in the Agreement; provided that any such Use or Disclosure would not violate HIPAA if done by you, unless expressly permitted under paragraph b. of this Section.
b. Management, Administration, and Legal Responsibilities. Except as otherwise limited in this BAA, Raven Health may Use and Disclose Protected Health Information for the proper management and administration of Raven Health and/or to carry out the legal responsibilities of Raven Health, provided that any Disclosure may occur only if: (1) Required by Law; or (2) Raven Health obtains written reasonable assurances from the person to whom the Protected Health Information is Disclosed that it will be held confidentially and Used or further Disclosed only as Required by Law or for the purpose for which it was Disclosed to the person, and the person notifies Raven Health of any instances of which it becomes aware in which the confidentiality of the Protected Health Information has been breached.
3. Responsibilities of the Parties with Respect to Protected Health Information.
a. Raven Health’s Responsibilities. To the extent Raven Health is acting as a Business Associate, Raven Health agrees to the following:
i. Limitations on Use and Disclosure. Raven Health shall not Use and/or Disclose the Protected Health Information other than as permitted or required by the Agreement and/or this BAA or as otherwise Required by Law. Raven Health shall not disclose, capture, maintain, scan, index, transmit, share or Use Protected Health Information for any activity not authorized under the Agreement and/or this BAA. Raven Health Services shall not use Protected Health Information for any advertising, Marketing or similar commercial purpose of Raven Health or any third party. Raven Health shall not violate the HIPAA prohibition on the sale of Protected Health Information. Raven Health shall make reasonable efforts to Use, Disclose, and/or request the minimum necessary Protected Health Information to accomplish the intended purpose of such Use, Disclosure, or request.
ii. Safeguards. Raven Health shall: (1) use reasonable and appropriate safeguards to prevent Use and Disclosure of Protected Health Information other than as permitted in Section 2 herein; and (2) comply with the applicable requirements of 45 CFR Part 164 Subpart C of the Security Rule.
iii. Reporting. Raven Health shall report to you: (1) any Use and/or Disclosure of Protected Health Information that is not permitted or required by this BAA of which Raven Health becomes aware; (2) any Security Incident of which it becomes aware, provided that notice is hereby deemed given for Unsuccessful Security Incidents and no further notice of such Unsuccessful Security Incidents shall be given; and/or (3) any Breach of your Unsecured Protected Health Information that Raven Health may discover (in accordance with 45 CFR § 164.410 of the Breach Notification Rule). Notification of a Breach will be made without unreasonable delay, but in no event more than ninety-six (96) hours after Raven Health’s discovery of a Breach. Taking into account the level of risk reasonably likely to be presented by the Use, Disclosure, Security Incident, or Breach, the timing of other reporting will be made consistent with Raven Health’s and your legal obligations. For purposes of this Section, “Unsuccessful Security Incidents” mean, without limitation, pings and other broadcast attacks on Raven Health’s or its Subcontractors’ firewall, port scans, unsuccessful log-on attempts, denial of service attacks, and any combination of the above, as long as no such incident results in unauthorized access, acquisition, Use, or Disclosure of Protected Health Information. Notification(s) under this Section, if any, will be by any means Raven Health selects, including through e-mail. Raven Health’s obligation to report under this Section is not and will not be construed as an acknowledgement by Raven Health of any fault or liability with respect to any Use, Disclosure, Security Incident, or Breach.
iv. Subcontractors. In accordance with 45 CFR §§ 164.502(e)(1)(ii) and 164.308(b)(2) of HIPAA, Raven Health shall require its Subcontractors who create, receive, maintain, or transmit Protected Health Information on behalf of Raven Health to agree in writing to: (1) the same or more stringent restrictions and conditions that apply to Raven Health with respect to such Protected Health Information; (2) appropriately safeguard the Protected Health Information; and (3) comply with the applicable requirements of 45 CFR Part 164 Subpart C of the Security Rule. Raven Health remains responsible for its Subcontractors’ compliance with obligations in this BAA.
v. Disclosure to the Secretary. Raven Health shall make available its internal practices, records, and books relating to the Use and/or Disclosure of Protected Health Information received from you to the Secretary of the Department of Health and Human Services for purposes of determining your compliance with HIPAA, subject to attorney-client and other applicable legal privileges.
vi. Access. If Raven Health maintains Protected Health Information in a Designated Record Set for you, then Raven Health, at the request of you, shall within twenty (20) days make access to such Protected Health Information available to you in accordance with 45 CFR § 164.524 of the Privacy Rule.
vii. Amendment. If Raven Health maintains Protected Health Information in a Designated Record Set for you, then Raven Health, at your request, shall within twenty (20) days make available such Protected Health Information to you for amendment and incorporate any reasonably requested amendment in the Protected Health Information in accordance with 45 CFR § 164.526 of the Privacy Rule.
viii. Accounting of Disclosure. Raven Health, at your request, shall within forty-five (45) days make available to you such information relating to Disclosures made by Raven Health as required for you to make any requested accounting of Disclosures in accordance with 45 CFR § 164.528 of the Privacy Rule.
ix. Performance of a Covered Entity’s Obligations. To the extent Raven Health is to carry out a Covered Entity obligation under the Privacy Rule, Raven Health shall comply with the requirements of the Privacy Rule that apply to you in the performance of such obligation.
b. Your Responsibilities.
i. No Impermissible Requests. You shall not request Raven Health to Use or Disclose Protected Health Information in any manner that would not be permissible under HIPAA if done by a Covered Entity (unless permitted by HIPAA for a Business Associate).
ii. Safeguards and Appropriate Use of Protected Health Information. You are responsible for implementing appropriate privacy and security safeguards to protect your Protected Health Information in compliance with HIPAA. Without limitation, it is your obligation to:
1. Not include Protected Health Information in information you submit to technical support personnel through a technical support request or within the subject or body of a support case management or support ticket. In addition, Raven Health does not act as, or have the obligations of, a Business Associate under HIPAA with respect to your data once it is sent from you outside of the Raven Health Services over the public Internet.
2. During use of the Raven Health Services, implement privacy and security safeguards in the systems, applications, and software that you control, configure, and upload.
4. Term and Termination.
a. Term. This BAA shall continue in effect until the earlier of (1) termination by a party for breach as set forth in Section 4.b, below, or (2) expiration of your Agreement.
b. Termination for Breach. Upon written notice, either party immediately may terminate the Agreement and this BAA if the other party is in material breach or default of any obligation in this BAA. Either party may provide the other a thirty (30) calendar day period to cure a material breach or default within such written notice.
c. Return, Destruction, or Retention of Protected Health Information Upon Termination. Upon expiration or termination of the Agreement and this BAA, Raven Health shall return or destroy all Protected Health Information in its possession, if it is feasible to do so. If it is not feasible to return or destroy any portions of the Protected Health Information upon termination of the Agreement and this BAA, then Raven Health shall extend the protections of this BAA, without limitation, to such Protected Health Information and limit any further Use or Disclosure of the Protected Health Information to those purposes that make the return or destruction infeasible for the duration of the retention of the Protected Health Information.
a. Interpretation. The parties intend that this BAA be interpreted consistently with their intent to comply with HIPAA and other applicable federal and state law. Except where this BAA conflicts with the Agreement, all other terms and conditions of the Agreement remain unchanged. Any captions or headings in this BAA are for the convenience of the parties and shall not affect the interpretation of this BAA.
b. Amendments; Waiver. This BAA may not be modified or amended except in a writing duly signed by authorized representatives of the parties. A waiver with respect to one event shall not be construed as continuing, as a bar to, or as a waiver of any right or remedy as to subsequent events.
c. No Third-Party Beneficiaries. Nothing express or implied in this BAA is intended to confer, nor shall anything in this BAA confer, upon any person other than the parties, and the respective successors or assigns of the parties, any rights, remedies, obligations, or liabilities whatsoever.
d. Severability. In the event that any provision of this BAA is found to be invalid or unenforceable, the remainder of this BAA shall not be affected thereby, but rather the remainder of this BAA shall be enforced to the greatest extent permitted by law.
e. No Agency Relationship. It is not intended that an agency relationship (as defined under the Federal common law of agency) be established hereby expressly or by implication between you and Raven Health under HIPAA or the Privacy Rule, Security Rule, or Breach Notification Rule. No terms or conditions contained in this BAA shall be construed to make or render Raven Health your agent.
THIS BETA TEST AGREEMENT (“Beta Agreement”) is made by and between Raven Health, LLC, a Delaware limited liability company (“Raven Health”), and the user (“Beta Tester”).
WHEREAS, Raven Health has developed and has the right to license a proprietary electronic health record and practice management software-as-a-service system targeted for use by health care providers engaged in applied behavioral analysis treatment (the “Raven Health Services”);
WHEREAS, Currently the Raven Health Services are not generally available for commercial distribution; and
WHEREAS, The parties desire to enter a mutually beneficial agreement whereby the Beta Tester will obtain early access to the Raven Health Services and Raven Health will obtain information about Beta Tester’s experience with the Raven Health Services.
NOW, THEREFORE, The parties agree as follows.
2. Evaluation and Reports
2.1 Acknowledgment of Beta Testing. The parties acknowledge and agree that the Raven Health Services is a beta version that may contain bugs, defects, and errors. The parties further agree that use of the Raven Health Services is being provided to Beta Tester [free of charge] in exchange for Beta Tester’s evaluation of the Raven Health Services, as well as the additional undertakings of Beta Tester below.
2.2 Beta Tester Reports. During the term of this Beta Agreement, Beta Tester shall test and evaluate the Raven Health Services and document its experience and report on the operational status of the Raven Health Services. As requested by Raven Health from time to time, Beta Tester agrees to provide Raven Health with one or more written reports (“Evaluation Reports”), in a mutually agreeable format, documenting Beta Tester’s experience with the Raven Health Services. The Evaluation Report will contain, without limitation, (i) the results of Beta Tester’s use and evaluation of the Raven Health Services, including any defects, failures, errors, and bugs found and any information necessary, and in sufficient detail, for Raven Health to evaluate the Raven Health Services, and (ii) any recommendations for additions, changes and modifications to the Raven Health Services.
2.3 Ownership of Reports. Beta Tester hereby assigns and grants to Raven Health all right, title and interest to any reports, evaluations, recommendations, and suggestions relating to the Raven Health Services and any inventions relating to any improvement, modification or enhancement of the Raven Health Services conceived in, or made as a result of, Beta Tester’s performance of this Beta Agreement, including, without limitation, the Evaluation Reports. Without limiting the generality of the foregoing, all such information shall be the exclusive property of Raven Health and Raven Health may disclose and use such information for any purposes whatsoever without obligation of any kind to Beta Tester subject only to the limitation set forth in Section 2.4.
2.4 Publicity. Raven Health shall have the continuous right during the term of this Beta Agreement and thereafter to disclose to the public or any third party that Beta Tester has used the Raven Health Services and identify Beta Tester as a reference (“Identification and Reference Right”). Raven Health shall also have the right to issue any press release or other public statement regarding Beta Tester’s testing and use of the Raven Health Services that contains content beyond that permitted by the Identification and Reference Right, subject to Beta Tester’s approval of any such press release or other statement, which approval shall not be unreasonably withheld and which shall be deemed given if not denied within ten (10) days after Raven Health shall have provided such content to Beta Tester.
3. Testing Period
3.1 Term. The term of this Beta Agreement shall commence on the Effective Date and shall continue until the later of (i) 12 months following the Effective Date, or (ii) 30 days following the first commercial release of the Raven Health Services. Upon expiration or the earlier termination of this Beta Agreement, the parties shall have no further obligations to one another except for those obligations related to the provisions that survive the expiration or termination of this Beta Agreement as set forth in Section 6.9.
3.2 Termination. Raven Health may terminate this Beta Agreement at any time without cause upon 15 days prior written notice to Beta Tester.
3.3 Effect of Expiration or Termination. Unless otherwise agreed upon in writing, upon the expiration or the earlier termination of this Beta Agreement, Beta Tester shall: (A) return to Raven Health all documentation related to the Raven Health Services and all other documents and tangible items in Beta Tester’s possession that are proprietary to Raven Health or contain Confidential Information (as such term is defined in Section 5 below); and (B) immediately cease using the Raven Health Services and permanently delete the Raven Health Services.
4. Commercial Release. Notwithstanding anything in this Beta Agreement to the contrary, Raven Health is under no obligation to develop, maintain or market the Raven Health Services or to release production or general availability versions. If Raven Health releases an updated version of the Raven Health Services during the term of this Beta Agreement, Raven Health will provide such version to Beta Tester upon Beta Tester’s prior written request; provided, however, that the terms and conditions of this Beta Agreement shall apply to all updated versions of the Raven Health Services.
5. Confidential Information
5.1 Obligations. During the term of this Beta Agreement and thereafter, Beta Tester shall regard as confidential and will retain in strict confidence all knowledge of Raven Health’s business and business activities (past, present and future), software products, including the Raven Health Services, all related documentation, application development plans, programs, documentation, techniques and know how, whether in tangible or intangible form and whether or not marked as “confidential” that may be obtained from any source as a result of this Beta Agreement, together with all such other information designated by Raven Health as confidential (collectively, “Confidential Information”). Beta Tester agrees that during the term of this Beta Agreement and thereafter, except as permitted in this Beta Agreement or expressly by Raven Health, Beta Tester shall not use, disclose or distribute to any person, firm or entity any Confidential Information, and neither Beta Tester nor its officers, directors, employees, consultants, representatives or agents shall make known, divulge or communicate any Confidential Information to any person, firm or enterprise. Beta Tester agrees to use no less than reasonable efforts to ensure that the provisions of this Section 5.1 are observed. Without limiting the generality of the foregoing, Confidential Information shall include the terms of this Beta Agreement and Beta Tester’s conclusions and findings with regard to the operation and function of the Raven Health Services, whether in writing or otherwise, developed pursuant to Section 2.2.
5.2 Exceptions. As used in this Beta Agreement, the term “Confidential Information” shall not include any information which Beta Tester can demonstrate (i) is in the public domain, (ii) was known by Beta Tester prior to its disclosure by Raven Health and was not obtained in such circumstances subject to a requirement of confidentiality, (iii) was received lawfully from a third party without an obligation of confidentiality, (iv) was developed independently and without the use of any Confidential Information provided pursuant to this Beta Agreement, based upon written records, or (v) is required to be disclosed by Beta Tester by law or pursuant to an order of any court or administrative body; provided, however, that Beta Tester shall provide Raven Health with prompt notice of such request or order, including copies of subpoenas or orders requesting such Confidential Information, cooperate reasonably with Raven Health in resisting the disclosure of such Confidential Information via a protective order or other appropriate legal action, and shall not make disclosure pursuant thereto until Raven Health has had a reasonable opportunity to resist such disclosure, unless Beta Tester is ordered otherwise.
5.3 Injunctive Relief. Beta Tester acknowledges that the restrictions contained in this Section 5 are reasonable and necessary to protect Raven Health’s legitimate interests. Beta Tester understands and agrees that the remedies at law for the violation of any of the covenants or provisions of this Section 5 will be inadequate, that such violations will cause irreparable injury within a short period of time, and that the disclosing party shall be entitled to preliminary injunctive relief and other injunctive relief against such violation without the necessity of proving actual damages. Such injunctive relief shall be in addition to, and in no way in limitation of, any and all other remedies Raven Health shall have at law and in equity for the enforcement of those covenants and provisions.
6.1 Relationship of the Parties. The parties hereto shall each be independent contractors in the performance of their obligations under this Beta Agreement, and nothing contained herein shall be deemed to constitute either party as the agent or representative of the other party, or both parties as joint venturers or partners for any purpose.
6.2 Notices. Any and all notices necessary or desirable to be served hereunder shall be in writing and shall be personally delivered, sent by certified mail or overnight delivery service to the intended recipient. Any notice sent by mail shall be deemed delivered on the second business day following the postmark date which it bears. Any notice sent by hand delivery shall be deemed received when delivered. Any notice sent by a nationally recognized overnight carrier shall be deemed received when delivered, as reflected in the records of the delivery service.
6.3 Assignment. This Beta Agreement may not be assigned or transferred by Beta Tester without the prior written consent of Raven Health and any attempt to do so will be void. This Beta Agreement will be binding upon and inure to the benefit of the parties and their respective successors and permitted assigns.
6.4 Governing Law and Venue. This Beta Agreement shall be governed by and construed under the laws of the State of Michigan without regard to conflicts of laws provisions. The parties agree that any suit to enforce any provision of this Beta Agreement or arising out of or based on this Beta Agreement or the business relationship between the parties shall be brought in the United States District Court for the Eastern District of Michigan or in the appropriate state court of law located in Detroit, Michigan.
6.5 Severability. If any provision of this Beta Agreement is held to be invalid, illegal or unenforceable in any respect, that provision shall be limited or eliminated to the minimum extent necessary so that this Beta Agreement shall otherwise remain in full force and effect and enforceable.
6.6 Entire Beta Agreement. This Beta Agreement, and all documents incorporated by reference, constitutes the entire Beta Agreement between the parties pertaining to the subject matter hereof, and any and all written or oral agreements previously existing between the parties are expressly canceled.
6.7 Waiver. No waiver of any breach of any provision of this Beta Agreement will constitute a waiver of any prior, concurrent or subsequent breach of the same or any other provisions hereof, and no waiver will be effective unless made in writing and signed by an authorized representative of the waiving party.
6.8 Amendments. Unless otherwise provided in this Beta Agreement, any amendments to this Beta Agreement must be in writing and signed by authorized representatives of both parties.
6.9 Survival. The following Sections shall survive the termination or expiration of this Beta Agreement: Sections 2.3, 2.4, 3.3, 4, 5 and 6.
6.10 Counterparts. This Beta Agreement may be executed in one or more counterparts, each of which shall be deemed an original, but all of which taken together shall constitute one and the same instrument.