Business Associate Agreement (BAA)

Business Associate Agreement (BAA)

This BUSINESS ASSOCIATE AGREEMENT (the “BAA”) is made and entered into by and between Hoop Care Inc., a company incorporated under the laws of Delaware (the “Business Associate”) and a client who has entered a Terms of Service Agreement (the “Agreement”) with the Business Associate (the “Covered Entity”), in accordance with the meaning given to those terms at 45 CFR §164.501. This BAA applies to the processing carried out by the Business Associate on behalf of the Covered Entity. In this BAA, the Covered Entity and Business Associate are each a “Party” and, collectively, are the “Parties”.

‍

BACKGROUND

I. The Covered Entity is either a “covered entity” or a “business associate” of a covered entity as each are defined under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended by the HITECH Act (as defined below), and the related regulations promulgated by HHS (collectively, “HIPAA”).

II. The Parties have entered into one or more agreements under which the Business Associate provides or will provide certain specified services to the Covered Entity (collectively, the “Agreement”).

III. In providing services pursuant to the Agreement, the Business Associate will have access to Protected Health Information (PHI).

IV. By providing services pursuant to the Agreement, the Business Associate will become a “business associate” of the Covered Entity under HIPAA.

V. Both Parties are committed to complying with all applicable laws governing the confidentiality and privacy of health information, including the HIPAA Privacy Rule.

VI. Both Parties intend to protect the privacy and provide for the security of Protected Health Information (PHI) disclosed to the Business Associate pursuant to this BAA, HIPAA, and other applicable laws.

AGREEMENT

In consideration of the mutual covenants and continued provision of PHI by the Covered Entity to the Business Associate under this BAA, the Parties agree as follows:

1. Definitions

For purposes of this BAA, the Parties define the following:

• “Breach”: As defined in 45 CFR §164.402.

• “Protected Health Information (PHI)”: Information as defined in 45 CFR §§164.501 and 160.103.

• “Security Rule”: Security standards as per 45 CFR Part 160 and Part 164, Subparts A and C.

Other definitions follow the meaning provided in HIPAA, HITECH, and applicable federal regulations.

2. Use and Disclosure of PHI

A. The Business Associate may use or disclose PHI as reasonably necessary to provide services to the Covered Entity under the Agreement.

B. The Business Associate will not use or disclose PHI other than as permitted by this BAA, HIPAA, or required by law.

3. Safeguards Against Misuse of PHI

The Business Associate will use appropriate safeguards to protect PHI and will implement administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of electronic PHI.

4. Reporting of Disclosures and Breaches

The Business Associate will report to the Covered Entity any unauthorized use or disclosure of PHI, or any Breach of Unsecured PHI within five (5) business days of discovery.

5. Mitigation of Harm

The Business Associate will take reasonable steps to mitigate any harmful effects from a breach or unauthorized disclosure of PHI.

6. Agents and Subcontractors

The Business Associate will ensure that any agents or subcontractors who have access to PHI agree to the same restrictions and conditions that apply to the Business Associate under this BAA.

7. Access to PHI

The Business Associate will provide access to PHI within a Designated Record Set to enable the Covered Entity to meet its obligations under 45 CFR §164.524.

8. Termination

Upon termination of this BAA, the Business Associate will return or destroy all PHI. If returning or destroying PHI is not feasible, the Business Associate will continue to protect the PHI in accordance with this BAA.

9. Miscellaneous Provisions

A. Regulatory References: A reference in this BAA to HIPAA regulations means the regulations as currently in effect or as amended.

B. Amendments: This BAA may only be amended by written agreement between the Parties.

Contact Information for Notices:

• If to the Business Associate:

Hoop Care Inc.

Email: dpo@hoopcare.com

• If to the Covered Entity:

Email: [Provide Client’s Email Address]

This BAA is effective upon the execution of the associated Terms of Service Agreement and will remain in effect until all PHI is returned, destroyed, or secured as required by this BAA.