This Business Associate Agreement (“BAA”) is entered into by and between noonshade LLC (DBA Practice Gadgets) (“Business Associate”) and the entity accessing the Services (“Covered Entity”).
1. PURPOSE AND APPLICABILITY
1.1 Applicability. This BAA applies only if, and to the extent that, Covered Entity provides Business Associate with Protected Health Information (“PHI”) as defined by 45 CFR § 160.103. 1.2 Administrative Intent. Covered Entity acknowledges that the Services are administrative in nature and that Business Associate has instructed Covered Entity not to upload PHI to the Services. This BAA is executed as a precautionary measure to ensure HIPAA compliance in the event of unauthorized data entry by Covered Entity.
2. OBLIGATIONS OF BUSINESS ASSOCIATE
2.1 Limited Use and Disclosure. Business Associate shall not use or disclose PHI other than as permitted by the Terms of Service or as Required by Law. 2.2 Safeguards. Business Associate shall use commercially reasonable administrative, physical, and technical safeguards to prevent the unauthorized use or disclosure of PHI, consistent with the HIPAA Security Rule. 2.3 Breach Reporting. Business Associate shall notify Covered Entity of any Breach of Unsecured PHI of which it becomes aware within five (5) business days of discovery. 2.4 Subcontractors. Business Associate shall ensure that any subcontractors (e.g., cloud infrastructure providers) that create, receive, maintain, or transmit PHI on behalf of Business Associate agree to the same restrictions and conditions that apply to Business Associate.
3. OBLIGATIONS OF COVERED ENTITY
3.1 Minimum Necessary. Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under HIPAA if done by the Covered Entity. 3.2 Prohibited Data. Covered Entity remains responsible for its breach of the "No PHI" mandate in the Terms of Service. In the event of such a breach, Covered Entity shall cooperate with Business Associate to identify and purge said data.
4. TERM AND TERMINATION
4.1 Term. This BAA terminates when the Covered Entity’s subscription to the Services expires or is cancelled. 4.2 Return or Destruction. Upon termination, Business Associate shall, if feasible, return or destroy all PHI maintained in any form. Due to the nature of cloud-based database storage, "destruction" may consist of purging the data from the active database and allowing backup cycles to overwrite the data in the ordinary course of business.
5. INDEMNIFICATION
Covered Entity shall indemnify and hold Business Associate harmless against any and all claims, losses, or government fines resulting from Covered Entity’s provision of PHI to the Services in violation of the Terms of Service.