
HIPAA Business Associate Agreement

Last Updated: January 2025

"Protecting healthcare data requires strict legal and technical safeguards"

This Business Associate Agreement ("Agreement") supplements and is made a part of the service agreement between Mainstream Technology Group ("Business Associate") and [Healthcare Organization] ("Covered Entity").

This Agreement is required by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended by the Health Information Technology for Economic and Clinical Health Act (HITECH Act), and their implementing regulations at 45 CFR Parts 160 and 164 (collectively, the "HIPAA Rules").

1. Definitions

1.1 General Definitions

Terms used but not otherwise defined in this Agreement have the meanings given to them in the HIPAA Rules.

1.2 Key Terms

Business Associate
Mainstream Technology Group and its employees, agents, and subcontractors providing managed security services to Covered Entity.
Covered Entity
The healthcare organization (healthcare provider, health plan, or healthcare clearinghouse) that has engaged Business Associate for services.
Protected Health Information (PHI)
Any information about health status, provision of healthcare, or payment for healthcare that can be linked to an individual and is created, received, maintained, or transmitted by Business Associate on behalf of Covered Entity.
Electronic Protected Health Information (ePHI)
PHI that is transmitted by or maintained in electronic media.
Security Incident
The attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.
Breach
The acquisition, access, use, or disclosure of PHI in a manner not permitted under HIPAA that compromises the security or privacy of the PHI.

2. Obligations & Activities of Business Associate

2.1 Permitted Activities

Business Associate shall perform the following services on behalf of Covered Entity:

  • Configuration, management, and monitoring of security systems that may process ePHI
  • Management of network infrastructure that transmits ePHI
  • Security monitoring and incident response for systems containing ePHI
  • Technical support for systems and applications that process ePHI
  • Backup and disaster recovery services for systems containing ePHI
  • Compliance documentation and reporting as required by HIPAA

2.2 Compliance with HIPAA Rules

Business Associate agrees to:

  • Not use or disclose PHI except as permitted by this Agreement or required by law
  • Use appropriate safeguards to prevent unauthorized use or disclosure of PHI
  • Comply with the Security Rule (45 CFR Part 164, Subpart C) with respect to ePHI
  • Report to Covered Entity any use or disclosure of PHI not permitted by this Agreement
  • Report to Covered Entity any security incident involving ePHI
  • Ensure that any subcontractors that create, receive, maintain, or transmit PHI agree to the same restrictions and conditions

2.3 Minimum Necessary

Business Associate shall limit its use, disclosure, or request of PHI to the minimum necessary to accomplish the intended purpose, in accordance with 45 CFR § 164.502(b) and § 164.514(d).

3. Permitted Uses & Disclosures of PHI

3.1 Services to Covered Entity

Business Associate may use or disclose PHI only to perform the services specified in the underlying service agreement and only as permitted by this Agreement or required by law.

3.2 Business Associate's Management & Administration

Business Associate may use PHI for its proper management and administration, provided that:

  • Such use is necessary for Business Associate's management and administration
  • Business Associate obtains reasonable assurances from the recipient that the information will be held confidentially
  • The recipient agrees to notify Business Associate of any breaches of which it becomes aware

3.3 Data Aggregation Services

Business Associate may use PHI to provide data aggregation services relating to the healthcare operations of Covered Entity, if such use is permitted by the underlying service agreement.

3.4 Required by Law

Business Associate may use or disclose PHI as required by law, provided that Business Associate provides notice to Covered Entity when feasible before such use or disclosure.

4. Prohibited Uses & Disclosures of PHI

4.1 No Sale of PHI

Business Associate shall not receive remuneration in exchange for PHI, except with the prior written consent of Covered Entity and as permitted by 45 CFR § 164.502(a)(5)(ii).

4.2 No Marketing Use

Business Associate shall not use or disclose PHI for marketing purposes without the prior written consent of Covered Entity and written authorization from the individual, as required by 45 CFR § 164.508.

4.3 Limitations on Fundraising

Business Associate shall not use or disclose PHI for fundraising purposes without the prior written consent of Covered Entity.

5. Safeguards & Security

5.1 Administrative Safeguards

Business Associate implements administrative safeguards including:

  • Security Management Process - Policies to prevent, detect, contain, and correct security violations
  • Security Personnel - Designated security official responsible for HIPAA compliance
  • Information Access Management - Policies limiting access to ePHI to authorized personnel
  • Workforce Training - Regular HIPAA security and privacy training for all personnel
  • Security Incident Procedures - Documented incident response and reporting procedures
  • Contingency Planning - Disaster recovery and business continuity plans
  • Business Associate Contracts - Subcontractor agreements meeting HIPAA requirements

5.2 Physical Safeguards

Business Associate implements physical safeguards including:

  • Facility Access Controls - Policies limiting physical access to systems containing ePHI
  • Workstation Security - Policies governing proper use of workstations accessing ePHI
  • Device & Media Controls - Policies for disposal, reuse, and removal of devices containing ePHI

5.3 Technical Safeguards

Business Associate implements technical safeguards including:

  • Access Controls - Unique user identification, emergency access procedures, automatic logoff, encryption and decryption
  • Audit Controls - Hardware, software, and procedural mechanisms to record and examine access to ePHI
  • Integrity Controls - Mechanisms to ensure ePHI is not improperly altered or destroyed
  • Transmission Security - Technical security measures guarding against unauthorized access to ePHI transmitted over networks

5.4 Encryption

Business Associate shall encrypt all ePHI at rest and in transit using encryption standards that meet or exceed those required by NIST (National Institute of Standards and Technology) and HIPAA Security Rule guidelines.

5.5 Security Risk Analysis

Business Associate conducts periodic security risk analyses to identify potential risks and vulnerabilities to ePHI and implements security measures to reduce risks and vulnerabilities to a reasonable and appropriate level.

6. Reporting & Breach Notification

6.1 Security Incident Reporting

Business Associate shall report to Covered Entity any security incident involving ePHI of which it becomes aware within 24 hours of discovery.

Note: The parties acknowledge that unsuccessful security incidents (such as pings, port scans, unsuccessful login attempts, denials of service, and malware blocked at the perimeter) occur frequently and are not required to be reported under this Agreement.

6.2 Breach Discovery & Investigation

Business Associate shall investigate any suspected breach and determine whether a breach has occurred under the HIPAA Breach Notification Rule (45 CFR § 164.400 et seq.). Business Associate shall document its investigation and determination.

6.3 Breach Notification to Covered Entity

Business Associate shall notify Covered Entity without unreasonable delay and in no case later than 10 business days after discovery of any breach of unsecured PHI.

Notification shall include, to the extent available:

  • Identification of each individual whose PHI has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed
  • A brief description of what happened, including the date of the breach and date of discovery
  • A description of the types of PHI involved (e.g., full name, Social Security number, date of birth, medical record number, diagnosis, etc.)
  • The investigation undertaken and any mitigation steps taken
  • Procedures individuals should follow to protect themselves from potential harm
  • Business Associate's contact information for individuals to learn more

6.4 Cooperation with Breach Notification

Business Associate shall cooperate with Covered Entity in meeting Covered Entity's obligations under the HIPAA Breach Notification Rule, including assisting with any required notifications to affected individuals, the media, or the Secretary of Health and Human Services.

6.5 Mitigation

Business Associate shall take reasonable steps to mitigate any harmful effects of a use or disclosure of PHI in violation of this Agreement.

7. Individual Rights

7.1 Access to PHI

Business Associate shall provide access to PHI in its possession or control to Covered Entity or, as directed by Covered Entity, to an individual, within 10 business days of a request to enable Covered Entity to fulfill its obligations under 45 CFR § 164.524.

7.2 Amendment of PHI

Business Associate shall make PHI available to Covered Entity for amendment and incorporate any amendments to PHI within 10 business days when notified by Covered Entity, in accordance with 45 CFR § 164.526.

7.3 Accounting of Disclosures

Business Associate shall document all disclosures of PHI and information related to such disclosures as required to provide an accounting of disclosures to Covered Entity or individuals, in accordance with 45 CFR § 164.528.

Business Associate shall provide such accounting to Covered Entity or, as directed by Covered Entity, to an individual within 30 days of a request.

7.4 Restriction Requests

Business Associate shall comply with any restrictions on the use or disclosure of PHI that Covered Entity has agreed to under 45 CFR § 164.522, provided that Covered Entity has notified Business Associate of such restrictions.

8. Subcontractors & Agents

8.1 Subcontractor Requirements

Business Associate shall ensure that any subcontractors or agents to whom it provides PHI received from, or created or received by Business Associate on behalf of, Covered Entity agree to the same restrictions and conditions that apply to Business Associate under this Agreement, including compliance with the HIPAA Rules.

8.2 Subcontractor Agreements

Business Associate shall enter into written agreements with all subcontractors that create, receive, maintain, or transmit PHI on behalf of Business Associate that contain terms substantially similar to this Agreement.

8.3 Liability for Subcontractors

Business Associate shall be liable for any acts or omissions of its subcontractors that violate this Agreement or the HIPAA Rules to the same extent as if such acts or omissions were committed by Business Associate itself.

8.4 Current Subcontractors

Business Associate currently uses the following types of subcontractors that may access PHI:

  • Cloud infrastructure providers (for backup and disaster recovery services)
  • Security software vendors (for monitoring and threat detection)
  • Specialized security consultants (for incident response when required)

A complete list of active subcontractors is available upon request. Business Associate shall notify Covered Entity of any new subcontractors before they are granted access to PHI.

9. Term & Termination

9.1 Term

This Agreement shall be effective as of the date of the underlying service agreement and shall continue in effect until all PHI provided by Covered Entity to Business Associate, or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity.

9.2 Termination for Cause

Covered Entity may terminate this Agreement and the underlying service agreement immediately if:

  • Business Associate breaches any material term of this Agreement
  • Business Associate is unable to cure the breach within 30 days of written notice
  • Termination is required by law or regulation

9.3 Effect of Termination

Upon termination of this Agreement for any reason:

  • Business Associate shall return or destroy all PHI received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity
  • This provision shall apply to PHI in the possession of subcontractors or agents of Business Associate
  • Business Associate shall retain no copies of the PHI

9.4 Infeasibility of Return or Destruction

If Business Associate determines that return or destruction of PHI is infeasible, Business Associate shall:

  • Notify Covered Entity of the conditions making return or destruction infeasible
  • Extend the protections of this Agreement to such PHI
  • Limit further uses and disclosures to those purposes that make return or destruction infeasible
  • Continue to use appropriate safeguards and comply with Subpart C of 45 CFR Part 164

9.5 Survival

The obligations of Business Associate under this Section 9 shall survive the termination of this Agreement.

10. Miscellaneous

10.1 Regulatory Compliance

The parties agree that this Agreement shall be interpreted in a manner consistent with the HIPAA Rules. Any ambiguity in this Agreement shall be resolved in favor of a meaning that complies with the HIPAA Rules.

10.2 Amendment

The parties agree to amend this Agreement from time to time as necessary to comply with changes to the HIPAA Rules and other applicable laws and regulations. Covered Entity may terminate this Agreement upon 30 days' written notice if Business Associate does not agree to proposed amendments that Covered Entity reasonably determines are necessary to comply with the HIPAA Rules.

10.3 Interpretation

Any ambiguity in this Agreement shall be resolved in favor of a meaning that permits Covered Entity to comply with the HIPAA Rules. This Agreement shall be interpreted to permit Business Associate to comply with the HIPAA Rules as they apply to business associates.

10.4 Regulatory References

A reference in this Agreement to a section in the HIPAA Rules means the section as in effect or as amended, and for which compliance is required.

10.5 No Third-Party Beneficiaries

Nothing express or implied in this Agreement is intended to confer, nor shall anything herein confer, upon any person other than the parties and their respective successors or assigns, any rights, remedies, obligations, or liabilities whatsoever.

10.6 Indemnification

Business Associate shall indemnify, defend, and hold harmless Covered Entity from and against any claims, losses, liabilities, costs, and expenses (including reasonable attorneys' fees) arising out of or relating to Business Associate's breach of this Agreement or violation of the HIPAA Rules.

10.7 Assistance with Compliance

Business Associate shall provide reasonable assistance to Covered Entity in responding to:

  • Individual requests for access, amendment, or accounting of disclosures
  • Investigations or compliance reviews by the Office for Civil Rights (OCR)
  • Other regulatory inquiries related to PHI in Business Associate's possession

10.8 Notice

All notices required or permitted under this Agreement shall be in writing and delivered to:

For Business Associate:

Mainstream Technology Group
Security & Compliance Department
(603) 285-9680 x5050

Acknowledgment & Execution

By entering into a service agreement with Mainstream Technology Group for services involving access to Protected Health Information, Covered Entity acknowledges and agrees to the terms of this HIPAA Business Associate Agreement.

This Agreement is incorporated into and made part of the underlying service agreement between the parties.

Questions about this BAA? Contact us at (603) 285-9680 x5050

Important Legal Notice

This Business Associate Agreement is a legally binding contract required under HIPAA. Healthcare organizations (covered entities) must have a signed BAA with any vendor that creates, receives, maintains, or transmits protected health information on their behalf.

Failure to have a proper BAA in place can result in:

  • HIPAA violations and potential penalties ($100 to $50,000 per violation)
  • Increased liability in the event of a data breach
  • Loss of safe harbor protections
  • Enforcement actions by the Office for Civil Rights (OCR)

HIPAA Compliance Support

Mainstream Technology Group has over 10 years of experience helping healthcare organizations maintain HIPAA compliance. We provide:

  • Complete technical safeguards implementation
  • Security risk analysis and remediation
  • Incident response planning and execution
  • Employee training and awareness programs
  • Compliance documentation and audit support

Contact our HIPAA Compliance Team: (603) 285-9680 x5050
