Business Associate Agreement


This Business Associate Agreement ("Business Associate Agreement") is entered into by and between All-Star Dental Academy™ (the “Company”) and...

Your Full Name (required):

WHEREAS, Covered Entity and Business Associate are parties to a services agreement or other formal business relationship, the terms of which are incorporated herein by reference (“Underlying Agreement”) that may involve the receipt, creation, transmission, or maintenance of protected health information of Business Associate’s customers (“PHI”); and

WHEREAS, Covered Entity and Business Associate are subject to the Privacy and Security Regulations promulgated by the United States Department of Health and Human Services (“HHS”) at 45 CFR Parts 160, 162 and 164 that were issued pursuant to the Health Insurance Portability and Accountability Act of 1996, as amended, and the rules and regulations promulgated thereunder (“HIPAA”) and pursuant to the provisions of the Health Information Technology for Economic and Clinical Health Act of 2009, as amended, and the rules and regulations promulgated thereunder (“HITECH” and, together with HIPAA, the “Regulations”).

NOW, THEREFORE, for and in consideration of the mutual covenants and conditions herein, the consideration set forth in the Underlying Agreement, and other good and valuable consideration, receipt and adequacy of which are hereby acknowledged, the parties agree as follows:

1. Definitions. Unless otherwise defined herein, capitalized terms shall have the same meaning as set forth in the Regulations.

2. Restrictions on Use of PHI. Business Associate may use PHI only to perform the permitted and required uses and disclosures as provided by the Underlying Agreement and this Business Associate Agreement (collectively, the “Agreements”) or as required by law. Business Associate shall not use or disclose PHI received from Covered Entity in any manner that would constitute a violation of the Regulations if Covered Entity made the same use or disclosure, except that Business Associate: (a) may use or disclose such PHI to comply with Business Associate’s proper management and administration, and (b) may use or disclose such PHI for Business Associate’s legal responsibilities. Business Associate may disclose PHI for the purposes described in this Section 2 only if Business Associate obtains reasonable written assurances from the person or entity to whom the PHI is disclosed that it will be held confidentially and used or further disclosed only as required by law or for the purpose for which it was disclosed to the person or entity, and such person or entity notifies Business Associate of any instances of which it is aware in which the confidentiality of the PHI has been breached, or such disclosure is required by law. Without limiting the foregoing, Business Associate may not de-identify or aggregate PHI for any reason, except as otherwise provided in the Agreements and then solely on behalf of Covered Entity. Business Associate agrees to make its uses, disclosures and requests for protected health information consistent with Covered Entity’ minimum necessary policies and procedures.

3. Application of the Regulations to Business Associate. Business Associate understands and acknowledges that all applicable provisions of the Regulations apply directly to Business Associate and to each of its subcontractors and agents (and their subcontractors and agents) who receive or have access to the PHI and that Business Associate and each such subcontractor or agent is subject to compliance with all applicable provisions of the Regulations, including without limitation, all applicable security and privacy laws, rules and regulations contained in or promulgated under the Regulations. Without limiting the foregoing, Business Associate shall ensure that any agent or subcontractor of Business Associate that creates, receives, maintains, or transmits PHI on behalf of Business Associate (“Subcontractor”) agrees in writing to the same restrictions, conditions, and requirements that apply to Business Associate with respect to such information (“Sub-BA Agreement”); each Sub-BA Agreement shall require the applicable Subcontractor to enter into a similar written agreement with each of its subcontractors and agents who receive, create, transmit or maintain PHI or otherwise have access to the PHI. If Covered Entity is itself a business associate (or subcontractor of a business associate) with respect to the PHI, Business Associate agrees that it shall comply with all provisions of the business associate agreement between Covered Entity and the applicable covered entity or business associate with respect to the PHI.

4. Safeguards for Protection and Security of PHI; Report of Unauthorized Use or Disclosure. Business Associate agrees that it will implement reasonable and appropriate safeguards to prevent any use or disclosure of PHI in violation of the Agreements or the Regulations. Business Associate agrees that it will report to Covered Entity any unauthorized use or disclosure of PHI promptly (but in no event more than five (5) business days) after Business Associate becomes aware of any such violation. Business Associate’s notification to Covered Entity shall be in the content and form required by HITECH. In addition and without limiting the foregoing, Business Associate shall: (a) implement administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of Protected Health Information that Business Associate creates, receives, maintains, or transmits on behalf of Covered Entity as required by the Regulations; (b) ensure that any agent, including a Subcontractor, to whom Business Associate provides PHI agrees in writing to implement reasonable and appropriate safeguards to protect such information; (c) promptly report any security incident that Business Associate becomes aware of to Covered Entity in accordance with the Regulations but in no event more than five (5) days after Business Associate becomes aware of such security incident.

5. Cooperation by Business Associate. Business Associate agrees to cooperate with Covered Entity in promptly: (a) making PHI available for access to the individual to whom it relates; (b) making appropriate amendments to PHI as directed by an individual to whom it relates; (c) if applicable, make available PHI in a designated record set to Covered Entity; and (d) providing an accounting of disclosures of PHI received under the Agreements as requested by an individual to whom it relates, except to the extent the Regulations provide otherwise. Such cooperation shall include the notification to Covered Entity by Business Associate within ten (10) business days after receiving any such request for access, amendment or accounting.

6. HHS. Business Associate agrees to make its internal practices, books and records relating to the use and disclosure of PHI received from or created or received by Business Associate on behalf of Covered Entity available to the Secretary of HHS for purposes of determining Covered Entity’s compliance with the Regulations.

7. Limitations on Use or Disclosure. Covered Entity agrees to notify Business Associate promptly after becoming aware of any arrangements permitted or required of Covered Entity by the Regulations that may impact in any manner the use or disclosure of PHI by Business Associate under the Agreements, including: (a) restrictions on use or disclosure of PHI agreed to by Covered Entity upon request of an individual; and (b) changes in, or withdrawal of, an individual’s consent or authorization with respect to the disclosure of his/her PHI.

8. Termination. Business Associate agrees that any material violation of this Agreement or any material violation of that portion of the Underlying Agreement relating specifically to the permitted and required uses and disclosures of PHI by Business Associate shall constitute a material default under the Agreements. Covered Entity shall be entitled to immediately terminate this Agreement and the Underlying Agreement upon written notice to Business Associate. Upon termination of the Agreements, Business Associate shall promptly return or destroy all PHI or, if the parties mutually determine that such return or destruction is not feasible, Business Associate agrees that the provisions of this Agreement shall continue to apply to such PHI, and further uses and disclosures of such PHI shall be restricted to only those purposes which make the return or destruction of the information infeasible.

9. HITECH. Business Associate acknowledges and understands that HITECH (including the rules and regulations promulgated thereunder) imposes direct responsibility on Business Associate for its conduct as a business associate and that Business Associate is subject to direct liability for both civil and criminal penalties for its violations of the Regulations and may be subject to direct liability for both civil and criminal penalties for the violations of its Subcontractors. Any limitation of liability in the Underlying Agreement shall not apply to damages hereunder. Each party agrees to indemnify and hold harmless the other party and the other party’s directors, officers, agents and employees, from and against any and all penalties, claims, actions, liability, loss, damages or expense (including court costs and reasonable attorneys’ fees) arising out of the indemnifying party’s act or failure to act resulting in damages relating to the unauthorized access to, or the disclosure, loss, destruction or use of PHI, or other violation of this Agreement.

10. Miscellaneous. The term of this Agreement shall co-terminus with the term of Underlying Agreement. All title to the PHI shall remain the sole property of Covered Entity. Any notice or other communication by either party to the other shall be in writing and shall be given in accordance with the notice provisions of the Underlying Agreement. If any portion of this Agreement is inconsistent with the terms of the Underlying Agreement, the terms of this Agreement shall prevail. This Agreement may be executed in two or more counterparts, each of which shall be deemed an original, but which together shall constitute one and the same instrument. Nothing express or implied in this Agreement is intended to confer, nor shall anything herein or therein confer, upon any person other than Covered Entity and Business Associate and their respective successors or assigns in interest, any rights, remedies, obligations, or liabilities whatsoever. The Agreements set forth the entire, final and exclusive agreement between the parties as to the subject matter hereof and thereof, and supersedes all prior and contemporaneous agreements, understandings, negotiations and discussions, whether oral or written, between the parties. Except as provided in the following sentence, any amendment or modification to this Agreement must be in writing and signed by both parties. Upon the occurrence of changes or amendments to the Regulations or other law that affect the legality of the Agreements or any provision in the Agreements, Covered Entity and Business Associate agree to modify the Agreements to the extent necessary to permit Covered Entity to comply with any changes in the Regulations. Any ambiguity in this Business Associate Agreement shall be interpreted to permit compliance with the Regulations.

IN WITNESS WHEREOF the parties have caused this Business Associate Agreement to be executed in by their duly authorized representatives.

Your Full Name (Electronic Signature - Type Name):

Your Email (required)

Your Company (required)

Date (required)