Members of the medical community, please note that Legal Solutions 2 U, APC, a California licensed law firm, evaluated BrandRep’s manual touch marketing (MTM) solutions for Review Generation and determined that it provided “the medical industry with a balance of functionality for marketing within HIPAA regulations”. In other words, as a health care provider you are protected when using BrandRep’s MTM tools for marketing. With our system you retain the confidential health information of your client, as detailed further below. We act almost like your telephone or internet service provider in that all you disclose to us is a telephone number or email address of your client and their name, to be populated to a particular customer service survey that you manually select. At no time do we ask you to provide any actual medical information of any of your clients, nor does our system request the source of your list. You are merely sending a text message or email message to a self-generated list using our system. Just as your telephone carrier would retain and track the date and time of incoming or outgoing calls or messages, so do we for the benefit of tracking your campaigns. At any time you can delete your list from our system. The list is manually uploaded by you into our system, the emails or text messages requesting a survey of your performance are selected by you, and messages are only sent to your manually uploaded list. The list could be people who came into your office just to sell you something, and your request is strictly customer service driven with no pecuniary interest on your side. In other words, you are in complete control all the way through this process, with some facilitation or help from our MTM systems.
By definition, the Review Generation marketing plan is not selling or soliciting any products or service, but instead facilitating an opportunity for you to reach out to your list for the sole purpose of requesting a public posting of your customer service activities. We are merely your facilitation tool, and we do not want, nor can you disclose, any medical information of your clients to us. For more details on this subject, see below. BrandRep is a mere conduit for the temporary storage of transmitted data incident to the review generation transmission. BrandRep transports information but does not access it other than on a random or infrequent basis as necessary to perform the transportation service or as required by law within the meaning of 78 Federal Register 5571-5572.
What Is HIPAA.
The Standards for Privacy of Individually Identifiable Health Information (“Privacy Rule”) establishes, for the first time, a set of national standards for the protection of certain health information. The U.S. Department of Health and Human Services (“HHS”) issued the Privacy Rule to implement the requirement of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) (see Pub. L. 104-191). The Privacy Rule standards address the use and disclosure of individuals’ health information—called “protected health information” by organizations subject to the Privacy Rule — called “covered entities,” as well as standards for individuals’ privacy rights to understand and control how their health information is used. Within HHS, the Office for Civil Rights (“OCR”) has responsibility for implementing and enforcing the Privacy Rule with respect to voluntary compliance activities and civil money penalties.
A major goal of the Privacy Rule is to assure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public’s health and well-being. The Rule strikes a balance that permits important uses of information, while protecting the privacy of people who seek care and healing. Given that the health care marketplace is diverse, the Rule is designed to be flexible and comprehensive to cover the variety of uses and disclosures that need to be addressed.
Protected Health Information.
The Privacy Rule protects all “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information “protected health information (PHI)” (45 CFR 160.103). “Individually identifiable health information” is information, including demographic data, that relates to:
- the individual’s past, present or future physical or mental health or condition,
- the provision of health care to the individual, or
- the past, present, or future payment for the provision of health care to the individual,
and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual. Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number).
What is “Marketing”?
The Privacy Rule defines “marketing” as making “a communication about a product or service that encourages recipients of the communication to purchase or use the product or service.” Generally, if the communication is “marketing,” then the communication can occur only if the covered entity first obtains an individual’s “authorization.” This definition of marketing has certain exceptions, as discussed below. Examples of “marketing” communications requiring prior authorization are:
- A communication from a hospital informing former patients about a cardiac facility, that is not part of the hospital, that can provide a baseline EKG for $39, when the communication is not for the purpose of providing treatment advice.
- A communication from a health insurer promoting a home and casualty insurance product offered by the same company.
What Is a “Business Associate?”
A “business associate” is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity. A member of the covered entity’s workforce is not a business associate. A covered health care provider, health plan, or health care clearinghouse can be a business associate of another covered entity. The Privacy Rule lists some of the functions or activities, as well as the particular services, that make a person or entity a business associate, if the activity or service involves the use or disclosure of protected health information. The types of functions or activities that may make a person or entity a business associate include payment or health care operations activities, as well as other functions or activities regulated by the Administrative Simplification Rules.
Business associate functions and activities include: claims processing or administration; data analysis, processing or administration; utilization review; quality assurance; billing; benefit management; practice management; and repricing. Business associate services are: legal; actuarial; accounting; consulting; data aggregation; management; administrative; accreditation; and financial. See the definition of “business associate” at 45 CFR 160.103.
Examples of Business Associates.
- A third party administrator that assists a health plan with claims processing.
- A CPA firm whose accounting services to a health care provider involve access to protected health information.
- An attorney whose legal services to a health plan involve access to protected health information.
- A consultant that performs utilization reviews for a hospital.
- A health care clearinghouse that translates a claim from a non-standard format into a standard transaction on behalf of a health care provider and forwards the processed transaction to a payer.
- An independent medical transcriptionist that provides transcription services to a physician.
- A pharmacy benefits manager that manages a health plan’s pharmacist network.
About Business Associates
If a covered entity engages a business associate to help carry out its health care activities and functions, the covered entity must have a written business associate contract or other arrangement with the business associate that:
- Establishes specifically what the business associate has been engaged to do
- Requires the business associate to comply with HIPAA
General Provision.
The Privacy Rule requires that a covered entity obtain satisfactory assurances from its business associate that the business associate will appropriately safeguard the protected health information it receives or creates on behalf of the covered entity. The satisfactory assurances must be in writing, whether in the form of a contract or other agreement between the covered entity and the business associate.
Privacy Provision.
The business associate will not use or further disclose the protected health information other than as permitted or required by the contract or as required by law; appropriate safeguards are used to prevent a use or disclosure of the protected health information other than as provided for by the contract.
Situations in Which a Business Associate Contract Is NOT Required.
- With persons or organizations (e.g., janitorial service or electrician) whose functions or services do not involve the use or disclosure of protected health information, and where any access to protected health information by such persons would be incidental, if at all.
- With a person or organization that acts merely as a conduit for protected health information, for example, the US Postal Service, certain private couriers, and their electronic equivalents.
For those professionals who feel more comfortable having a HIPAA Business Associate Agreement in place, we have included one just for you.
BUSINESS ASSOCIATE AGREEMENT
BrandRep LLC (hereinafter Business Associate) operates the http://brandrep.com website. This website, including all content, features, functionality, programs, applications, or services provided on or through the websites are referred to, collectively, in this Business Associate Agreement, as the “Site.” By using the Site, whether accessed via computer, mobile device, or other technology, manner, or means, you agree to the terms and conditions of this Business Associate Agreement, which is a binding legal agreement between you and BrandRep. In this Business Associate Agreement, “you” means the health care provider, whether an individual or entity, that conducts transactions in electronic form that are covered by the Health Insurance Portability and Accountability Act of 1996, as amended from time to time (“HIPAA”), and that has created an account on the Site. You are referred to in this Business Associate Agreement as Covered Entity.
1. Background and Purpose of Business Associate Agreement.
Through the Site, Business Associate provides electronic messaging and related technology services (the “Service”) to and on behalf of health care provider customers, including Covered Entity. Covered Entity possesses Individually Identifiable Health Information (as hereinafter defined) that is protected under HIPAA, the HIPAA Privacy Regulations (as hereinafter defined), the HIPAA Security Regulations (as hereinafter defined) and the HITECH Standards (as hereinafter defined) and is permitted to use or disclose such information only in accordance with such laws and regulations. Business Associate may need to receive, access, maintain, use and disclose Individually Identifiable Health Information held by Covered Entity to provide the Review Generation Service to Covered Entity, and Covered Entity wishes to ensure that Business Associate will appropriately safeguard the privacy, confidentiality, integrity and availability of Individually Identifiable Health Information.
2. Definitions.
The following terms, when used in this Business Associate Agreement, shall have the following meanings, provided that the terms set forth below shall be deemed to be modified to reflect any changes made to such terms from time to time as defined in HIPAA, the HIPAA Privacy Regulations, the HIPAA Security Regulations, and the HITECH Standards.
- “Breach” means the acquisition, access, use, or disclosure of Protected Health Information in a manner not permitted under 45 C.F.R. Part 164, Subpart E which compromises the security or privacy of the Protected Health Information. “Breach” shall not include:
- Any unintentional acquisition, access, or use of Protected Health Information by a workforce member or person acting under the authority of the Covered Entity or Business Associate, if such acquisition, access, or use was made in good faith and within the scope of authority and does not result in further use or disclosure in a manner not permitted under the HIPAA Privacy Rule; or
- Any inadvertent disclosure by a person who is authorized to access Protected Health Information at the Covered Entity or Business Associate to another person authorized to access Protected Health Information at the Covered Entity or Business Associate, respectively, or Organized Health Care Arrangement in which the Covered Entity participates, and the information received as a result of such disclosure is not further used or disclosed in a manner not permitted under the HIPAA Privacy Rule; or
- A disclosure of Protected Health Information where the Covered Entity or Business Associate has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.
- “Data Aggregation” means, with respect to PHI created or received by Business Associate in its capacity as the Business Associate of Covered Entity, the combining of such PHI by Business Associate with the PHI received by Business Associate in its capacity as a Business Associate of another Covered Entity, to permit data analyses that relate to the health care operations of the respective Covered Entities.
- “Electronic Protected Health Information” or “Electronic PHI” means Protected Health Information that is transmitted by or maintained in electronic media as defined in the HIPAA Security Regulations.
- “HIPAA Privacy Regulations” means the regulations promulgated under HIPAA by the United States Department of Health and Human Services to protect the privacy of Protected Health Information, including, but not limited to, 45 C.F.R. Part 160 and 45 C.F.R. Part 164, Subpart A and Subpart E.
- “HIPAA Security Regulations” means the regulations promulgated under HIPAA by the United States Department of Health and Human Services to protect the security of Electronic Protected Health Information, including, but not limited to, 45 C.F.R. Part 160 and 45 C.F.R. Part 164, Subpart A and Subpart C.
- “HITECH Standards” means the privacy, security and security Breach notification provisions applicable to a Business Associate under Subtitle D of the Health Information Technology for Economic and Clinical Health Act (“HITECH”), which is Title XIII of the American Recovery and Reinvestment Act of 2009 (Public Law 111-5), and any regulations promulgated thereunder.
- “Individually Identifiable Health Information” means information that is a subset of health information, including demographic information collected from an individual, that is:
- created or received by a health care provider, health plan, employer, or health care clearinghouse; and
- relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and
- that identifies the individual; or
- with respect to which there is a reasonable basis to believe the information can be used to identify the individual.
- “Protected Health Information” or “PHI” means Individually Identifiable Health Information transmitted or maintained in any form or medium that (i) is received by Business Associate from Covered Entity, (ii) Business Associate creates for its own purposes from Individually Identifiable Health Information that Business Associate received from Covered Entity, or (iii) is created, received, transmitted or maintained by Business Associate on behalf of Covered Entity. Protected Health Information excludes Individually Identifiable Health Information in education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. § 1232g, records described at 20 U.S.C. § 1232g(a)(4)(B)(iv), and employment records held by the Covered Entity in its role as employer.
- “Security Incident” means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.
- Any terms capitalized, but not otherwise defined, in this Business Associate Agreement shall have the same meaning as those terms have under HIPAA, the HIPAA Privacy Regulations, the HIPAA Security Regulations, and the HITECH Standards and shall be deemed to be modified to reflect any changes made to such terms from time to time as defined in HIPAA, the HIPAA Privacy Regulations, the HIPAA Security Regulations, and the HITECH Standards.
3. Obligations and Activities of Business Associate
- Use or Disclosure. Business Associate agrees to not use or further disclose Protected Health Information other than as expressly permitted or required by this Business Associate Agreement or as required by law.
- Safeguards. Business Associate agrees to use appropriate safeguards to prevent any use or disclosure of the Protected Health Information other than uses and disclosures expressly provided for by this Business Associate Agreement. Business Associate further agrees to use appropriate administrative, physical and technical safeguards to protect the confidentiality, integrity and availability of any Electronic Protected Health Information in accordance with the HIPAA Security Regulations.
- Mitigation. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of Protected Health Information by Business Associate in violation of the requirements of this Business Associate Agreement.
- Reporting. Business Associate agrees to report to Covered Entity any use or disclosure of Protected Health Information in violation of this Business Associate Agreement by Business Associate or by a third party to which Business Associate disclosed Protected Health Information pursuant to Section 3.e (Subcontractors and Agents), in the time and manner agreed to by the Parties. Business Associate further agrees to report promptly to Covered Entity any Security Incident of which it becomes aware. Notwithstanding the foregoing provisions of this Section 3.d., Business Associate shall promptly report to Covered Entity any Breach consistent with the regulations promulgated under HITECH by the United States Department of Health and Human Services at 45 C.F.R. Part 164, Subpart D.
- Subcontractors and Agents. Business Associate agrees to ensure that any agents, including subcontractors, to whom it provides Protected Health Information received from, or created or received by Business Associate on behalf of, Covered Entity agree to the same restrictions and conditions that apply through this Business Associate Agreement to Business Associate with respect to such information.
- Access. Because Business Associate will not be maintaining Protected Health Information in a Designated Record Set, Business Associate will not be required to provide Covered Entity access to Protected Health Information. In the event any individual requests access to Protected Health Information directly from Business Associate, Business Associate shall forward such request to Covered Entity in the time and manner reasonably designated by Covered Entity such that Covered Entity can respond to such individual in accordance with 45 C.F.R. § 164.524. Any denials of access to the Protected Health Information requested shall be the responsibility of Covered Entity. To the extent that any record of communications of Protected Health Information through the Site must, under HIPAA or the HIPAA Privacy Regulations, be maintained in a Designated Record Set of Covered Entity, it is the responsibility of Covered Entity to include such record in the Designated Record Set that is made available to individuals requesting access to or seeking to amend records containing their PHI.
- Amendment. Because Business Associate will not be maintaining Protected Health Information in a Designated Record Set, Business Associate will not be required to provide Protected Health Information to Covered Entity for amendment or incorporate any such amendments in the Protected Health Information pursuant to 45 C.F.R. §164.526.
- Audit and Inspection. Business Associate agrees to make its internal practices, books, and records, including policies and procedures and Protected Health Information, relating to the use and disclosure of Protected Health Information and the security of Electronic Protected Health Information, available to Covered Entity, or, at the request of Covered Entity, to the Secretary of Health and Human Services (the “Secretary of HHS”) or any officer or employee of HHS to whom the Secretary of HHS has delegated such authority for the purposes of the Secretary of HHS determining Covered Entity’s compliance with the HIPAA Privacy Regulations, the HIPAA Security Regulations, and the HITECH Standards. Such information shall be made available in a time and manner designated by Covered Entity or the Secretary of HHS.
- Documentation of Disclosures. Business Associate agrees to document such disclosures of Protected Health Information, and such information related to such disclosures, as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 C.F.R. § 164.528.
- Accounting. Upon receipt of notice by or on behalf of Covered Entity that Covered Entity has received a request for an accounting of disclosures of Protected Health Information, Business Associate shall make available to Covered Entity, in the time and manner reasonably designated by Covered Entity, that information collected in accordance with Section 3.i (Documentation of Disclosures) of this Business Associate Agreement, to permit Covered Entity to respond to the request in accordance with 45 C.F.R. § 164.528.
- Compliance with the HITECH Standards. Notwithstanding any other provision in this Business Associate Agreement, no later than the Effective Date, unless a separate effective date is specified by law or this Business Associate Agreement for a particular requirement (in which case the separate effective date shall be the effective date for that particular requirement), Business Associate shall comply with the HITECH Standards, including, but not limited to: (i) compliance with the requirements regarding minimum necessary under HITECH § 13405(b); (ii) requests for restrictions on use or disclosure to health plans for payment or health care operations purposes when the provider has been paid out of pocket in full consistent with HITECH § 13405(a); (iii) the prohibition of sale of PHI without authorization unless an exception under HITECH § 13405(d) applies; (iv) the prohibition on receiving remuneration for certain communications that fall within the exceptions to the definition of marketing under 45 C.F.R. § 164.501 unless permitted by this Business Associate Agreement and Section 13406 of HITECH; (v) the requirements relating to the provision of access to certain information in electronic access under HITECH § 13405(e); (vi) compliance with each of the Standards and Implementation Specifications of 45 C.F.R. §§ 164.308 (Administrative Safeguards), 164.310 (Physical Safeguards), 164.312 (Technical Safeguards) and 164.316 (Policies and Procedures and Documentation Requirements); and (vii) the requirements regarding accounting of certain disclosures of PHI maintained in an Electronic Health Record (as defined in HITECH § 13405(c)) to the extent that Business Associate discloses any PHI maintained in an Electronic Health Record on behalf of the Covered Entity pursuant to this Business Associate Agreement. Changes to this Business Associate Agreement may be required to comply with any regulations promulgated pursuant to HITECH. 
In such case, Covered Entity will be asked to agree to a new business associate agreement in order to continue use of the Review Generation Service.
- Minimum Necessary Use and Disclosure. In using and disclosing PHI, Business Associate shall make reasonable efforts to limit the use and/or disclosure of PHI to the minimum amount of information necessary as determined by Covered Entity to accomplish the intended purpose of the use or disclosure.
- Electronic Transactions Regulations. If Business Associate conducts any Transaction for or on behalf of Covered Entity which is covered under the Electronic Transactions Standards from and after the Effective Date, Business Associate agrees that it will comply with, and cause its employees, agents and representatives, and subcontractors to comply with, the applicable requirements of the Electronic Transactions Standards.
4. Permitted Uses and Disclosures by Business Associate
- General Use and Disclosure Provisions. Except as otherwise limited in this Business Associate Agreement, Business Associate may use or disclose Protected Health Information in connection with its provision of the Review Generation Service, as described in part in the Privacy Policy of Business Associate, and as expressly permitted by this Business Associate Agreement, if such use or disclosure of Protected Health Information would not violate HIPAA, the HIPAA Privacy Regulations or the HITECH Standards if done by Covered Entity.
- Specific Use and Disclosure Provisions.
- Except as otherwise limited in this Business Associate Agreement, Business Associate may use and disclose Protected Health Information for the proper management and administration of the Business Associate or to meet its legal responsibilities; provided, however, that such Protected Health Information may be disclosed for such purposes only if the disclosures are required by law or the Business Associate obtains certain reasonable assurances from the person to whom the information is disclosed. The required reasonable assurances are that:
- the information will remain confidential;
- the information will be used or further disclosed only as required by law or for the purpose for which the information was disclosed to the person; and
- the person will notify the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.
- Business Associate may use and disclose Protected Health Information to report violations of law to appropriate Federal and State authorities, consistent with 45 C.F.R. § 164.502(j)(1).
- Business Associate may use and disclose PHI received by Business Associate in its capacity as a Business Associate of Covered Entity to provide Review Generation Services and/or Data Aggregation services, if any, relating to the health care operations of Covered Entity and other covered entity customers of Business Associate.
- Business Associate may de-identify any and all PHI, provided that Business Associate implements de-identification criteria in accordance with the HIPAA Privacy Regulations. De-identified information does not constitute PHI and is not subject to the terms of this Business Associate Agreement.
5. Obligations of Covered Entity
- Requested Uses and Disclosures. Covered Entity shall not request Business Associate to use or disclose Protected Health Information in any manner that would not be permissible under the HIPAA Privacy Regulations or the HITECH Standards if done by Covered Entity or that is not otherwise expressly permitted under Section 4 (Permitted Uses and Disclosures by Business Associate) of this Business Associate Agreement.
- Consents and Authorizations. Covered Entity will obtain any consent or authorization that may be required by the HIPAA Privacy Regulations, or applicable state law prior to furnishing Business Associate the Protected Health Information pertaining to any individual.
- Revocations or Restrictions. Covered Entity shall provide Business Associate with any changes in, or revocation of, permission by an individual to use or disclose PHI, including any restrictions on use or disclosure, if such changes affect Business Associate’s permitted or required uses or disclosures.
- Transmission of Protected Health Information. Covered Entity will not transmit to Business Associate any Protected Health Information that is subject to any arrangements permitted or required of the Covered Entity under applicable regulations that may impact in any manner the use and/or disclosure of Protected Health Information by Business Associate under this Business Associate Agreement, including, but not limited to, restrictions on use and/or disclosure of Protected Health Information as provided for in the HIPAA Privacy Regulations.
6. Term and Termination
- Term. This Business Associate Agreement shall continue in effect until superseded by a subsequent business associate agreement between the Parties or terminated in accordance with the provisions of Section 6.b (Termination for Cause) or Section 6.c (Automatic Termination).
- Termination for Cause. Upon Covered Entity’s knowledge of a material breach by Business Associate, Covered Entity may, in its sole discretion, either (1) provide Business Associate with written notice (by e-mail or regular mail) of and an opportunity to cure such breach and then terminate this Business Associate Agreement if Business Associate does not cure the breach within the time period specified by Covered Entity, or (2) terminate this Business Associate Agreement immediately. In the event that termination of the Business Associate Agreement is not feasible, Business Associate acknowledges and agrees that Covered Entity has the right to report the breach to the Secretary of HHS. Upon Business Associate’s knowledge of a material breach by the Covered Entity of this Business Associate Agreement, Business Associate may, in its sole discretion, provide Covered Entity with written notice (by e-mail or regular mail) of and an opportunity to cure such breach and then terminate this Business Associate Agreement if Covered Entity does not cure the breach within the time period specified by Business Associate. In the event that termination of the Business Associate Agreement is not feasible, Covered Entity acknowledges and agrees that Business Associate has the right to report the breach to the Secretary of HHS.
- Automatic Termination. This Business Associate Agreement will automatically terminate without any further action of the Parties when Covered Entity ceases to use the Review Generation Service, which shall be deemed to have occurred when no representative of Covered Entity has logged in to the Site to use the Review Generation Service in six (6) months, or at such time that Covered Entity has stopped paying Business Associate for the Review Generation Services.
- Effect of Termination.
- Upon termination of this Business Associate Agreement, for any reason, Business Associate shall return or destroy all Protected Health Information received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity. This provision shall also apply to Protected Health Information that is in the possession of subcontractors or agents of Business Associate. Business Associate shall retain no copies of the Protected Health Information.
- Notwithstanding the foregoing, in the event that Business Associate determines that returning or destroying the Protected Health Information is not feasible, Business Associate shall provide to Covered Entity notification of the conditions that make return or destruction not feasible. Upon mutual agreement of the Parties that return or destruction of Protected Health Information is not feasible, Business Associate shall extend the protections of this Business Associate Agreement to such Protected Health Information and limit further uses and disclosures of such Protected Health Information to those purposes that make the return or destruction not feasible, for so long as Business Associate maintains such Protected Health Information.
7. Miscellaneous
- Regulatory References. A reference in this Business Associate Agreement to a section in HIPAA, the HIPAA Privacy Regulations, the HIPAA Security Regulations or the HITECH Standards means the section as in effect or as amended from time to time, and for which compliance is required.
- Survival. The respective rights and obligations of Business Associate under Section 6.d (Effect of Termination) of this Business Associate Agreement shall survive the termination of this Business Associate Agreement.
- Interpretation. Any ambiguity in this Business Associate Agreement shall be resolved in favor of a meaning that permits Covered Entity and Business Associate to comply with applicable law protecting the privacy, security and confidentiality of Protected Health Information, including, but not limited to, HIPAA, the HIPAA Privacy Regulations, the HIPAA Security Regulations or the HITECH Standards.
- State Law. Nothing in this Business Associate Agreement shall be construed to require Business Associate to use or disclose Protected Health Information without a written authorization from an individual who is a subject of the Protected Health Information, or written authorization from any other person, where such authorization would be required under state law for such use or disclosure.
- No Third Party Beneficiaries. Nothing express or implied in this Business Associate Agreement is intended or shall be deemed to confer upon any person other than Covered Entity, Business Associate, and their respective successors and assigns, any rights, obligations, remedies or liabilities.
- Primacy. To the extent that any provisions of this Business Associate Agreement conflict with the provisions of any other Business Associate Agreement or understanding between the Parties, this Business Associate Agreement shall control with respect to the subject matter of this Business Associate Agreement.
- Independent Contractors. No provision of this Business Associate Agreement is intended to create, nor shall be deemed or construed to create, any employment, agency or joint venture relationship between Covered Entity and Business Associate other than that of independent entities contracting with each other hereunder solely for the purpose of effectuating the provisions of this Business Associate Agreement. None of the Parties nor any of their respective representatives shall be construed to be the agent, employer, or representative of the other.
- Arbitration. Either Covered Entity or Business Associate may, without the other’s consent, elect mandatory, binding arbitration of any claim, dispute, or controversy raised by either Covered Entity or Business Associate against the other arising under this Business Associate Agreement (each a “Claim”). All Claims, other than injunctive relief, are subject to arbitration, no matter what theory they are based on or what remedy they seek. If Covered Entity or Business Associate elects arbitration, the arbitration will be conducted as an individual arbitration. Neither Covered Entity nor Business Associate consents or agrees to any arbitration on a class or representative basis, and the arbitrator shall have no authority to proceed with an arbitration on a class or representative basis. No arbitration will be consolidated with any other arbitration proceeding without the consent of all parties. This arbitration provision applies to and includes any Claims made and remedies sought as part of any class action, private attorney general action, or other representative action. American Arbitration Association (“AAA”) will administer the arbitration. The AAA will apply its rules, codes, or procedures in effect at the time the arbitration is filed. The arbitration shall be before a single arbitrator. In the event Covered Entity files a Claim in arbitration, Business Associate will reimburse Covered Entity for the initial arbitration filing fee paid by Covered Entity up to $500. If there is an arbitration hearing, Business Associate will pay any fees of the arbitrator and the arbitration administrator for the first two days of the hearing. If Covered Entity prevails in the arbitration of any Claim against Business Associate, then Business Associate will reimburse Covered Entity for any fees Covered Entity paid to the arbitration organization in connection with the arbitration. All other fees, including attorneys’ fees, will be allocated in accordance with the AAA rules.
- Execution. This Business Associate Agreement has been executed electronically by a duly authorized representative of Covered Entity. By executing this Business Associate Agreement, Covered Entity agrees to the terms and conditions set forth herein.