Business Associate Agreement

This Business Associate Agreement ("BAA") is made and entered into by and between any customer that has purchased the ChatDash HIPAA Add-On ("you" or "your") and ChatDash, LLC ("we," "our," or "us") for the purpose of implementing the requirements of HIPAA to support the parties' compliance requirements under HIPAA. In this BAA, Covered Entity and Business Associate are each a "Party" and, collectively, are the "Parties".

PHI USAGE RESTRICTION

Covered Entity shall not enter, submit, or transmit any Protected Health Information ("PHI") through or into the Services unless and until Covered Entity has purchased and activated the ChatDash HIPAA Add-On plan under the Agreement.

BACKGROUND

I. Covered Entity is either a "covered entity" or "business associate" of a covered entity, as each is defined under HIPAA and the related regulations promulgated by HHS (collectively, "HIPAA") and, as such, is required to comply with HIPAA provisions regarding the confidentiality and privacy of Protected Health Information;

II. The Parties have entered into a "Terms of Service" agreement under which Business Associate provides or will provide certain specified services (the "Services") to Covered Entity (the "Agreement");

III. In providing Services pursuant to the Agreement, Business Associate may have access to Protected Health Information;

IV. By providing the Services pursuant to the Agreement, ChatDash will become a "business associate" of the Covered Entity as such term is defined under HIPAA;

V. Both Parties are committed to complying with all federal and state laws governing the confidentiality and privacy of health information, including, but not limited to, the Standards for Privacy of Individually Identifiable Health Information found at 45 CFR Part 160 and Part 164, Subparts A and E (collectively, the "Privacy Rule"); and

VI. Both Parties intend to protect the privacy and provide for the security of Protected Health Information disclosed to Business Associate pursuant to the terms of this Agreement, HIPAA and other applicable laws.

AGREEMENT

NOW, THEREFORE, in consideration of the mutual covenants and conditions contained herein and the continued provision of PHI by Covered Entity to Business Associate under the Agreement in reliance on this BAA, the Parties agree as follows:

1. Definitions

All terms used but not otherwise defined in this BAA will have the same meaning as in HIPAA.

"Breach" means the acquisition, access, use, or disclosure of PHI in a manner not permitted under the Privacy Rule which compromises the security or privacy of the PHI, as defined in 45 CFR §164.402.

"HIPAA" means the Administrative Simplification subtitle of the Health Insurance Portability and Accountability Act of 1996 and the rules and regulations thereunder, as amended, including with respect to the HITECH Act.

"Protected Health Information" or "PHI" will have the same meaning as the term "protected health information" in HIPAA, 45 C.F.R. § 160.103, except limited to information: (a) that is created, received, maintained, or transmitted by us on your behalf; and (b) will not include information to the extent that it is exempt from HIPAA under Section 1179 of the Social Security Act, 42 U.S.C. § 1320d-8.

"Individual" will have the same meaning as the term "individual" in HIPAA, 45 C.F.R. § 160.103, and will include a person who qualifies as a personal representative in accordance with the HIPAA "Privacy Rule" as described in 45 C.F.R. § 164.502(g).

"Unsecured PHI" means any PHI as defined in 45 CFR §§164.501 and 160.103 that is not rendered unusable, unreadable or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the HHS Secretary.

2. Our Permitted Uses and Disclosures

Except as otherwise limited in this BAA, we may:

Use or disclose PHI in our possession to perform the Services, provided that such use or disclosure would not violate HIPAA if done by you;

Use PHI for our proper management and administration and to carry out any of our legal responsibilities;

Use PHI to create de-identified health information in accordance with the HIPAA "Privacy Rule" as described in 45 C.F.R. § 164.514(b);

Disclose PHI in our possession to a third party for our proper management and administration or to fulfill any of our legal responsibilities, provided that: (i) the disclosure is required by law; or (ii) we have received reasonable written assurances from the person to whom PHI will be disclosed that: (a) the information will remain confidential and will be used or further disclosed only as required by law or for the purpose for which it was disclosed; and (b) we will be notified of any instances of which the person becomes aware that the confidentiality of the information has been breached.

3. Our Obligations

We will not use or disclose PHI other than as permitted or required by this BAA or as required by law. We agree to use appropriate safeguards and to comply, where applicable, with the security standards for protection of electronic PHI.

Reporting

We will report to you in writing any use or disclosure of PHI not provided for by this BAA of which we become aware, and we agree to report to you any security incident affecting electronic PHI of which we become aware. We agree to report any such event within five business days of becoming aware of the event.

We will notify you in writing promptly upon the discovery of any Breach of Unsecured PHI in accordance with the requirements set forth in 45 CFR §164.410, but in no case later than 30 calendar days after discovery of a Breach. We will not reimburse you for any costs incurred by you in complying with the requirements of Subpart D of 45 CFR §164 that are imposed on you as a result of a Breach committed by us.

Mitigation of Disclosures

We will take reasonable measures to mitigate, to the extent practicable, any harmful effect that is known to us of any use or disclosure of PHI by us or our agents or subcontractors in violation of the requirements of this BAA.

Agents or Subcontractors

We will ensure that any agents or subcontractors that create, receive, maintain, or transmit PHI on our behalf agree in writing to the same or similar restrictions and conditions that apply through this BAA to us with respect to such PHI, including complying with the applicable requirements of the Security Rule.

Access to PHI by Individuals

In the event any Individual or personal representative requests access to the Individual's PHI directly from us, we will forward that request to you within ten business days.

Accounting of Disclosures

We will maintain and, upon your request, provide you with the information necessary for you to provide an Individual with an accounting of disclosures as required by 45 C.F.R. § 164.528.

Availability of Books and Records

We will make available our internal practices, books, agreements, records, and policies and procedures relating to the use and disclosure of PHI, upon request, to the Secretary of HHS for purposes of determining your and our compliance with HIPAA, and this BAA.

4. Your Obligations

You will use appropriate safeguards to prevent unauthorized use or disclosure of PHI, consistent with this BAA, and as otherwise required under the Security Rule. With regard to the use, storage, or disclosure of PHI by us, you agree to:

Designated Record Set Restriction

You will not use our Services to store PHI considered to be a Designated Record Set.

"Designated Record Set" means a group of records maintained by or for a covered entity that is: (i) The medical records and billing records about individuals maintained by or for a covered health care provider; (ii) The enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or (iii) Used, in whole or in part, by or for the covered entity to make decisions about individuals.

Individual Permissions

You will report to us any changes in, or revocation of, permission by an individual to use or disclose PHI, if such changes affect our permitted or required uses or disclosures of PHI under this BAA. You will not agree to any request for a restriction that limits our permitted or required uses or disclosures of PHI under this BAA unless you are required by law. In the event that you are required by law to agree to such a restriction, you will promptly notify us of the restriction. You will not request or cause us to use or disclose PHI in any manner that would not be permissible under HIPAA if done by you.

Access to PHI by Individuals

Any disclosure of, or decision not to disclose, the PHI requested by an Individual or a personal representative and compliance with the requirements applicable to an Individual's right to obtain access to PHI shall be your sole responsibility.

Notice of Privacy Practices Limits

You will not include in your HIPAA notice of privacy practices any limitation that limits our permitted or required uses or disclosures of PHI under this BAA unless such a limit is required by law. In the event that you are required by law to include such a limitation in your notice of privacy practices, you will promptly notify us of the limitation.

Excluded Services

You acknowledge that the services covered by this BAA are limited to the ChatDash core platform. This BAA explicitly excludes certain optional features, including the "Visual Workflow Builder" (powered by Albato). You agree not to use these excluded services for any purpose involving the creation, reception, maintenance, or transmission of Protected Health Information (PHI).

5. Data Ownership

Our data stewardship does not confer data ownership rights on us with respect to any data entered by you under the Agreement.

6. Term and Termination

This BAA will become effective on the date of your acceptance of the Agreement and this BAA, and will continue in effect until the Agreement is terminated by either party.

You may immediately terminate the Agreement and this BAA at any time.

If we determine that you have breached a material term of the Agreement or this BAA, then we will provide you with written notice of the existence of the breach and shall provide you with 7 days to cure the breach. Your failure to cure the breach within the 7-day period will be grounds for immediate termination of the Agreement and this BAA by us.

Your Responsibilities Prior to Termination

You are solely responsible for printing all PHI that is being maintained by us and you must store this information elsewhere (not with us) prior to termination of the Agreement or this BAA.

Our Responsibilities Upon Termination

Upon termination of the Agreement or this BAA for any reason, all PHI maintained by us will be destroyed, except that we will retain backup copies of such information for a limited period of time, after which the backup copies will be destroyed. This provision will apply to PHI in the possession of our agents and subcontractors and will survive termination of this BAA.

7. Effect of BAA

This BAA is a part of and subject to the terms of the Agreement, except that to the extent any terms of this BAA conflict with any term of the Agreement, the terms of this BAA will govern.

Except as expressly stated in this BAA or as provided by law, this BAA will not create any rights in favor of any third party.

8. Notices

All notices, requests and demands or other communications to be given under this BAA to a Party will be made to the Party's email address given below:

If to you:

[Account owner's info]

If to us:

Habeen Jun
(732) 522-8052
support@chat-dash.com