PUBLIC EMPLOYEE RETIREMENT ADMINISTRATION COMMISSION

FIVE MIDDLESEX AVENUE, SUITE 304 | SOMERVILLE, MA 02145

PROSPER Business Associate Agreement

This Business Associate Agreement ("Agreement") is entered into as of _______________________________ (date) between and PERAC ("Covered Entity (CE)").

Business Associate:

Authorized Representative:

In witness whereof, the parties have executed this agreement by their duly authorized representatives as of the date first written above. The parties agree with the terms and conditions of this agreement.

Business Associate Authorized Representative: Signature: Date:

PERAC (Covered Entity): John Parsons, PERAC General Counsel 5 Middlesex Avenue, Suite 304, Somerville, MA 02145 Signature: Date:

ENTER BUSINESS NAME

PRINT NAME

GENERAL

1. provides services to various entities in the healthcare industry. During the course of such relationships, may receive, use and provide certain Protected Health Information or "PHI" (as defined at 45 CFR Section 164.501, as amended) to comply with the Standards for Privacy of Individually Identifiable Health Information (the "Privacy Regulation") 45 C.F.R. Parts 160 & 164 under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), and the requirements of Subtitle D of the American Recovery and Reinvestment Act of 2009 that relate to security or privacy that are made applicable to business associates (the "HITECH Act"). As those laws and regulations are amended from time to time, and its customers are required to enter into Business Associate Agreements in which is a "Business Associate (BA)" (as defined in 45 CFR Section 160.103, as amended).
2. is required to report to covered entity any use or disclosure of PHI not provided for by the Agreement of which it becomes aware, including breaches of unsecured PHI as required at 45 CFR 164.410, and any security incident of which it becomes aware.
3. Pursuant to the Agreement, BA will perform responsibilities that may be expected to involve receiving, using and providing PHI of customers to whom is responsible as a BA under Section 160.103.
4. And in accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), is required to enter into an agreement with all of its subcontractors and agents that may receive, use and disclose PHI of customers.
5. is committed to complying with the Privacy Regulation. Accordingly, and in consideration of providing rights to receive, use and provide PHI in connection with the Agreement, will:

Make available PHI in a designated record set to the CE or "individual or the individual's designee" as necessary to satisfy CE's obligations under 45 CFR 164.524.

Make any amendment(s) to PHI in a designated record set as directed or agreed to by the CE pursuant to 45 CFR 164.526, or take other measures as necessary to satisfy CE's obligations under 45 CFR 164.526.

Maintain and make available the information required to provide an accounting of disclosures to the CE as necessary to satisfy CE's obligations under 45 CFR 164.528.

To the extent the BA is to carry out one or more of CE's obligation(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to the CE in the performance of such obligation(s).

Make its internal practices, books, and records available to the Secretary of Health and Human Services for purposes of determining compliance with the HIPAA Rules.

This agreement applies to any PHI that creates, receives or has access to from or on behalf of CE.

HIPAA

1. may use and disclose PHI to provide CE with the services contemplated by the Principal Agreements. Except as expressly provided below, this agreement does not authorize to make any use or disclosure of the information that CE would not be permitted to make.
2. will:

Not use or further disclose PHI except as permitted or required by the Principal Agreements or this Agreement, or as required by law.

Use appropriate safeguards to prevent use or disclosure of PHI other than as provided for by the Principal Agreements or this Agreement, including administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of PHI.

Report to CE any use or disclosure of PHI not provided for by the Principal Agreements or this Agreement, and any security incident affecting a CE's electronic PHI, of which becomes aware. The report shall be made as soon as practical, and in any event within the limitations of the specific regulations for individual states.

is acutely aware of the sensitivity in timescales and will undertake all reasonable efforts to expedite these reports. The report shall be made initially by telephone, or another number of which CE may from time to time notify , with written confirmation addressed to CE at the address below.
3. Take appropriate measures, as directed by CE and at expense, to mitigate the harmful effects of any security incident or any unauthorized use or disclosure of PHI, and provide such reports as CE may reasonably request concerning such measures.
4. Not disclose PHI to any person (other than its employed workforce) without the prior written consent of CE, and ensure that agents and subcontractors to whom provides PHI with CE's consent agree in writing to the same restrictions and conditions that apply to .
5. Make any PHI that stores or maintains for CE in a designated record set available so CE can meet its obligation to provide access to the information, and provide a copy of such information to Covered Entity on request (including an electronic copy if maintains the information in electronic form).
6. Make any PHI that maintains for CE in a designated record set available for amendment, and incorporate any amendments CE requests.
7. Maintain and provide CE, as requested, with information concerning disclosures that makes of PHI to enable CE to comply with its obligation to account for disclosures.
8. Make 's internal practices, books, and records relating to use and disclosure of PHI available to CE and the Secretary of the United States Department of Health and Human Services, for purposes of determining the CE's and 's compliance with their legal obligations.
9. Upon termination of the Principal Agreements, return or destroy all PHI that maintains in any form and retain no copies of such information or, if return or destruction is not feasible (as determined by CE), extend the protections of this agreement to that information and limit further use and disclosure to those purposes that make the return or destruction of the information infeasible.

HITECH

1. will comply with the provisions of the HIPAA Security Rule that are made applicable to business associates by section 13401(a) of the HITECH Act, with the additional provisions of the HITECH Act relating to security that are made applicable to business associates and incorporated into business associate contracts by section 13401(a) of the HITECH Act, and with the additional provisions of the HITECH Act relating to privacy that are made applicable to business associates and incorporated into business associate contracts by section 13404(a) of the HITECH Act.
2. will report to Covered Entity the discovery of any breach of unsecured PHI that accesses, maintains, retains, modifies, records, stores, destroys or otherwise holds, uses or discloses on Covered Entity's behalf, in compliance with the requirements of Section 13402 of the HITECH Act and the regulations promulgated thereunder (45 CFR Parts 160 and 164, Subpart D). All such reports shall be made as provided in paragraph 2(c) above.

COVERED ENTITIES

1. If Covered Entity determines that has violated a material term of this agreement, Covered Entity may immediately terminate the Principal Agreements.
2. shall defend, indemnify and hold harmless Covered Entity against any claim, liability, cost or expense arising out of the acts or omissions of or its agents, employees and subcontractors, including any breach of the security or confidentiality of Protected Health Information in the possession of or its employees or agents.

TERMS

1. Term. The Term of this Agreement shall be effective as of date of this agreement, and shall terminate after 36 months or on the date covered entity terminates for cause as authorized in this Agreement, whichever is sooner.
2. Termination for Cause. This Agreement can be terminated by the covered entity, if the covered entity determines business associate has violated a material term of the Agreement and the business associate has not cured the breach or ended the violation within the time specified by covered entity.
3. Obligations of Business Associate Upon Termination. Upon termination of this Agreement for any reason, business associate shall destroy all PHI received from covered entity, or created, maintained, or received by business associate on behalf of covered entity, that the business associate still maintains in any form within a period of 90 days. Business associate shall retain no copies of the PHI.
4. Survival. The obligations of business associate under this Section shall survive the termination of this Agreement.

INDEMNIFICATION

1. Each party shall indemnify and hold harmless the other party and its respective affiliates, partners, members, shareholders, directors, officers, employees, contractors or agents, from and against any and all claims, causes of action, liabilities, losses, damages, lost profits, penalties, assessments, judgments, awards or costs (including cost of notification or remediation relating to notification for individuals whose PHI or personal information is inappropriately accessed, used or disclosed), including reasonable attorneys' fees and costs (collectively, "Liabilities"), arising out of, resulting from, or relating to (i) the breach of this Agreement by either party or its Authorized Users, or (ii) the negligent acts or omissions of either party or its employees, agents, subcontractors or Authorized Users.
2. Indemnification by Covered Entity shall include, without limitation, indemnification of Liabilities arising out of, or resulting from, or relating to (i) Breaches of Protected Health Information or personal information resulting from the loss or theft of, or other unauthorized access to PHI communicated by Business Associate as requested by Covered Entity and/or its Authorized Users outside Business Associate's communications platform as permitted by this Agreement; (ii) loss, theft or other unauthorized access to Protected Health Information stored unencrypted on mobile devices used by Covered Entity and/or its Authorized Users; (iii) compliance by Business Associate with Covered Entity's directives hereunder; or (iv) use by Covered Entity or any Authorized User of Third Party Services.
3. This Section shall survive the expiration or termination of this Agreement or the Arrangement.