Business Associate Agreement
Updated August 23, 2024
If Customer is a Covered Entity or a business associate and includes Protected Health Information in Customer Data or Voice Recordings provided to Alta Voice, Inc. as a business associate or sub-business associate, the Customer Terms of Service between the parties (the “Terms”) will automatically incorporate the terms of this Business Associate Agreement (“BAA”) as part of the overall agreement between the parties. If there is any conflict between a provision in this BAA and a provision in the Terms, this BAA will control. In this BAA, Customer is referred to as “Covered Entity” and Alta Voice, Inc. or Alta is referred to as “Business Associate.”
Unless otherwise defined in this BAA, all capitalized words, like PHI, have the meanings set forth in the HIPAA Privacy and Security Rules, 45 C.F.R. Parts 160, 162 and 164, as modified from time to time.
WHEREAS
- Business Associate has been engaged by Covered Entity to perform certain services under a Software Subscription Agreement between the parties (the “Software Agreement”), wherein Business Associate may need to access, use and/or disclose PHI received from Covered Entity as a business associate; and
- The parties desire to ensure that their respective rights and responsibilities under the Agreement are in accordance with applicable federal statutory and regulatory requirements relating to the access, use and disclosure of Protected Health Information (or “PHI”), including, without limitation, the Standards for Privacy of Individually Identifiable Health Information, and the Security Standards, collectively codified at 45 C.F.R. Parts 160, 162 and 164 (respectively the “Privacy Standards” and “Security Standards”) under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the Health Information Technology for Economic and Clinical Health Act, as set forth in Subtitle D of the American Recovery and Reinvestment Act of 2009 (“HITECH”); and
- The purpose of this BAA is to satisfy certain standards and requirements of HIPAA, HITECH, the Privacy Standards, and the Security Standards, and regulations thereunder.
NOW, THEREFORE
In consideration of the foregoing recitals and the mutual covenants and agreements set forth herein, Business Associate and Covered Entity agree as follows:
1. Definitions
- “Electronic Health Record” shall have the same meaning as the term “electronic health record” in the American Recovery and Reinvestment Act of 2009, § 13400(5).
- “HIPAA Rules” shall mean the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Part 160 and Part 164 and regulations issued thereunder, as may be expanded by HITECH.
- “Protected Health Information” or “PHI” has the meaning given to Protected Health Information in the HIPAA Rules. For purposes of this BAA, “PHI” is limited to PHI that is provided, created, exchanged or received by or between Business Associate and Covered Entity.
- Other Terms. The following terms used in this BAA shall have the same meaning as those terms in the HIPAA Rules: Breach, Data Aggregation, Designated Record Set, Disclosure, Electronic Protected Health Information (or “Electronic PHI”), Electronic Transactions Rule, Health Care Operations, Individual, Minimum Necessary, Notice of Privacy Practices, Required by Law, Secretary, Security Incident, Subcontractor, Transaction, Unsecured Protected Health Information, and Use.
- Regulatory References. A reference in this BAA to a section in the HIPAA Rules means the section as then in effect or as amended.
2. Scope
This BAA sets forth the terms and conditions pursuant to which any and all PHI will be handled. Business Associate and Covered Entity will comply with all applicable laws, including those governing the creation, use, disclosure, access, storage, and maintenance of PHI.
3. Duties and Responsibilities of Business Associate
- Use and Disclosure of PHI. Not Use or Disclose PHI other than as permitted or required by this BAA, as set forth in Section 4.a below, or as required by applicable law.
- Safeguards. Use reasonable and appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 and HITECH with respect to electronic PHI, to protect the security of all PHI against Security Incidents, prohibited Uses or Disclosures of PHI or other misuse of PHI, as required by the HIPAA Rules.
- Required Reporting. Report to Covered Entity, within thirty (30) days, any prohibited Use or Disclosure of PHI of which Business Associate becomes aware, by Business Associate, any of its employees, Subcontractors or agents, or any third party receiving or obtaining such PHI from or through Business Associate, including Breaches of Unsecured Protected Health Information, in addition to any other reporting obligations of Business Associate under the HIPAA Rules, as well as any Security Incident of which it becomes aware.
- Subcontractors. In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, ensure that any Subcontractors that create, receive, maintain, or transmit PHI or Electronic PHI on behalf of Business Associate agree to the same restrictions, conditions, and requirements that apply to Business Associate with respect to such PHI or Electronic PHI.
- Individual and Third-Party Requests. If Business Associate receives a request from an Individual or any third party to inspect, obtain a copy of, or amend PHI, Business Associate will forward such request in writing to Covered Entity within five (5) business days of receiving the request.
- Designated Record Sets. If Business Associate’s services under the Software Agreement require it to maintain a Designated Record Set, then:
- Within ten (10) business days of Covered Entity’s request to Business Associate for a copy of PHI, Business Associate will provide the requested PHI to Covered Entity, as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.524.
- Business Associate will make any amendment(s) to PHI in a Designated Record Set as directed or agreed to by Covered Entity pursuant to 45 CFR 164.526, or take other measures as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.526.
- Accounting of Disclosures. Maintain and, within thirty (30) days of receiving a request, or sooner if Required by Law, make available the information required to provide an accounting of disclosures.
- Comply with Applicable Obligations of Covered Entity. To the extent Business Associate is to carry out one or more of Covered Entity’s obligations under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to Covered Entity in the performance of such obligation(s).
- Books and Records. Make its internal practices, books, and records relating to the Use and Disclosure of PHI available to the Secretary for purposes of determining compliance with the HIPAA Rules.
- Training. Business Associate will train its employees who may have access to PHI regarding the terms and conditions of this BAA and their obligations under the HIPAA Rules.
- Electronic PHI. Business Associate will comply with the Security Standards and use appropriate administrative, technical, and physical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of Electronic PHI that Business Associate creates.
4. Permitted Uses and Disclosures by Business Associate
- Permitted Uses and Disclosures. Business Associate may Use or Disclose PHI:
- As required to perform services for Covered Entity as specified under the Software Agreement or other agreement between the parties.
- For Business Associate’s proper management and administration, or to carry out the legal responsibilities of Business Associate.
- Required Uses and Disclosures. Business Associate shall disclose PHI when required by the Secretary of HHS under 45 C.F.R. Part 160, Subpart C to investigate or determine Business Associate’s compliance with Subchapter C of 45 C.F.R.
- Access. Business Associate will make available PHI in accordance with 45 C.F.R. § 164.524, upon request from Covered Entity.
- Minimum Necessary. Business Associate will make reasonable efforts to use, disclose, and request only the minimum amount of the PHI necessary to accomplish the intended purpose of the use, disclosure, or request.
5. Obligations of Covered Entity
- Notice of Privacy Practices. Covered Entity shall notify Business Associate of any limitation(s) in the Notice of Privacy Practices of Covered Entity under 45 CFR 164.520.
- Notice of Changes in Consent. Covered Entity shall notify Business Associate of any changes in, or revocation of, the permission by an Individual to Use or Disclose his or her PHI.
6. Term and Termination
- Term. The term of this BAA shall begin upon the effective date of the Software Agreement and shall continue in effect until terminated as provided herein and until Business Associate returns or destroys all PHI of Covered Entity.
- Termination at End of Business Association. This BAA will automatically terminate without further action of the parties upon the termination or expiration of the business association between Business Associate and Covered Entity.
- Termination for Cause. If either party materially breaches this BAA, the other party may terminate this BAA and the underlying Software Agreement.
- Effect of Termination. Within thirty (30) days of the termination of this BAA, Business Associate will either return to Covered Entity or destroy all PHI that Business Associate still maintains in any form.
7. Ownership
As between the parties, all PHI is and will remain the property of Covered Entity.
8. Limitation of Liability
NOTWITHSTANDING ANY OTHER PROVISION IN THIS BAA, UNDER NO CIRCUMSTANCES WILL BUSINESS ASSOCIATE HAVE ANY OBLIGATION OR LIABILITY HEREUNDER FOR ANY INCIDENTAL, INDIRECT, CONSEQUENTIAL, COLLATERAL, EXEMPLARY, PUNITIVE OR SPECIAL DAMAGES INCURRED BY COVERED ENTITY…
9. Miscellaneous
- Assignment; Binding Effect. This BAA is personal to Business Associate and Covered Entity and may not be assigned or delegated by either party without the prior written consent of the other party in each instance.
- Entire Agreement; Amendment. This BAA contains the entire agreement between the parties and supersedes all prior or contemporaneous agreements with respect to the subject matter hereof.
- Severability. If any term or provision of this BAA shall to any extent be invalid or unenforceable, the remainder of this BAA shall not be affected thereby and each term shall be enforced to the fullest extent permitted by law.
- Conflict. The terms of this BAA shall supersede any other conflicting or inconsistent terms in the Software Agreement.
- Choice of Law and Venue. This BAA shall be construed in accordance with the laws of the State of Utah.
- Notices. Any notice or report hereunder shall be deemed given if delivered or sent by first-class mail, postage prepaid, or by commercial delivery service.
- Interpretation. Any ambiguity in this BAA shall be interpreted to permit compliance with the HIPAA Rules.
support@altavoice.com