1. Definitions
For purposes of this Business Associate Agreement ("Agreement"):
- Covered Entity means the healthcare provider using Varick's services
- Business Associate means Varick, Inc.
- Protected Health Information (PHI) has the meaning given such term in 45 C.F.R. § 160.103
- HIPAA Rules means the Privacy, Security, Breach Notification, and Enforcement Rules at 45 C.F.R. Part 160 and Part 164
2. Permitted Uses and Disclosures
Business Associate may use or disclose PHI only:
- As necessary to perform services specified in the underlying service agreement
- For Business Associate's proper management and administration
- To carry out legal responsibilities of Business Associate
- As required by law
- For data aggregation services relating to health care operations of Covered Entity
3. Prohibited Uses and Disclosures
Business Associate shall not:
- Use or disclose PHI except as permitted by this Agreement or required by law
- Use or disclose PHI in a manner that would violate HIPAA Rules if done by Covered Entity
- Use or disclose PHI for marketing purposes
- Sell PHI except as permitted by 45 C.F.R. § 164.502(a)(5)(ii)
4. Safeguards
Business Associate shall implement appropriate safeguards to prevent unauthorized use or disclosure of PHI, including:
- Administrative safeguards including workforce training and access management
- Physical safeguards including facility access controls and workstation security
- Technical safeguards including access control, audit controls, integrity controls, and transmission security
- Encryption of PHI at rest and in transit
5. Reporting Obligations
Business Associate shall:
- Report any use or disclosure of PHI not provided for by this Agreement within 24 hours of discovery
- Report any security incident affecting PHI immediately upon discovery
- Provide Covered Entity with information necessary to assess breach notification requirements
6. Individual Rights
Business Associate shall:
- Provide access to PHI in a designated record set upon request
- Make amendments to PHI as directed by Covered Entity
- Provide an accounting of disclosures of PHI as requested
- Make available PHI in electronic format when requested
7. Subcontractors
Business Associate shall obtain satisfactory assurances in the form of a written contract that any subcontractors will safeguard PHI in accordance with HIPAA Rules and the terms of this Agreement.
8. Termination
Upon termination of this Agreement, Business Associate shall return or destroy all PHI received from Covered Entity, except as required by law. If return or destruction is not feasible, Business Associate shall extend protections of this Agreement to such PHI and limit further uses and disclosures.
9. Compliance with HIPAA Security Rule
Business Associate shall comply with the applicable requirements of the HIPAA Security Rule with respect to electronic PHI that it creates, receives, maintains, or transmits on behalf of Covered Entity.
10. Minimum Necessary
Business Associate shall make reasonable efforts to limit use, disclosure, and requests for PHI to the minimum necessary to accomplish the intended purpose, except for disclosures to or requests by a health care provider for treatment purposes.
11. Contact Information
For questions about this Business Associate Agreement or to report HIPAA-related incidents, contact: hipaa@varick.health