Business Associate Agreement

Effective Date: 

This BUSINESS ASSOCIATE AGREEMENT (“Agreement”) by and Between:

Reneu Wellness Club, LLC, a New York limited liability company with its principal office at 18 Hidden Meadow Crossing, Lancaster, NY 14086 ("Business Associate") AND

, a 

 .

with its principal place of business at 

(“Covered Entity”)

WHEREAS, Business Associate is a Management Services Organization and is providing services to Covered Entity under one or more managed services agreements (each an "Underlying Agreement");

WHEREAS, the parties wish to execute this Agreement in compliance with the HIPAA Rules (as herein defined);

NOW, THEREFORE, the parties agree as follows:

1. Definitions

1.1. Catch-all definition. The following terms used in this Agreement shall have the same meaning as those terms in the HIPAA Rules: Breach, Data Aggregation, Designated Record Set, Disclosure, Health Care Operations, Individual, Minimum Necessary, Notice of Privacy Practices, Protected Health Information, Required By Law, Secretary, Security Incident, Subcontractor, Unsecured Protected Health Information, and Use.

1.2. Business Associate. "Business Associate" shall generally have the same meaning as the term "business associate" at 45 CFR 160.103, and in reference to the party to this agreement, shall mean Reneu Wellness Club LLC.

1.3. Covered Entity. "Covered Entity" shall generally have the same meaning as the term "covered entity" at 45 CFR 160.103, and in reference to the party to this agreement, shall mean the healthcare provider identified above.

1.4. HIPAA Rules. "HIPAA Rules" shall mean the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Part 160 and Part 164.

2. Obligations and Activities of Business Associate

Business Associate agrees to:

2.1. Not use or disclose protected health information other than as permitted or required by the Agreement, the Underlying Agreement, or as required by law;

2.2. Use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to electronic protected health information, to prevent use or disclosure of protected health information other than as provided for by the Agreement;

2.3. Report to Covered Entity any use or disclosure of protected health information not provided for by the Agreement of which it becomes aware. For breaches of unsecured protected health information:

(a) Business Associate shall conduct an investigation without unreasonable delay and in no case later than five (5) business days after discovery of the breach;

(b) Business Associate shall notify Covered Entity in writing of the breach within five (5) business days of discovery, or sooner if required by applicable law;

(c) Such notification shall include, to the extent available at the time of notification:

(i) A brief description of the breach, including the date of the breach and the date of discovery;

(ii) The types of unsecured protected health information involved in the breach;

(iii) The identification of each individual whose unsecured protected health information has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed during the breach;

(iv) A brief description of what Business Associate is doing to investigate the breach, mitigate harm to individuals, and protect against further breaches;

(v) Contact information for individuals to ask questions or obtain additional information;

(d) Business Associate shall cooperate with Covered Entity in meeting Covered Entity's obligations under 45 CFR 164.410, including providing additional information as it becomes available and assisting with breach notifications to affected individuals and the Secretary as required by law;

(e) For security incidents that do not constitute breaches of unsecured protected health information, Business Associate shall report such incidents to Covered Entity within three (3) business days of discovery and provide written documentation within ten (10) business days.

2.4. In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, ensure that any subcontractors that create, receive, maintain, or transmit protected health information on behalf of the business associate agree to the same restrictions, conditions, and requirements that apply to the Business Associate with respect to such information;

2.5. Make available protected health information in a designated record set to the Covered Entity as necessary to satisfy covered entity's obligations under 45 CFR 164.524;

2.6. Make any amendment(s) to protected health information in a designated record set as directed or agreed to by the Covered Entity pursuant to 45 CFR 164.526, or take other measures as necessary to satisfy covered entity's obligations under 45 CFR 164.526;

2.7. Maintain and make available the information required to provide an accounting of disclosures to the Covered Entity as necessary to satisfy Covered Entity's obligations under 45 CFR 164.528;

2.8. To the extent the Business Associate is to carry out one or more of Covered Entity's obligation(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to the covered entity in the performance of such obligation(s); and

2.9. Make its internal practices, books, and records available to the Secretary for purposes of determining compliance with the HIPAA Rules.

3. Permitted Uses and Disclosures by Business Associate

3.1. Business Associate may only use or disclose protected health information as necessary to perform the services set forth in an Underlying Agreement.

3.2. Business Associate may use and disclose De‑identified Data for any lawful purpose, including but not limited to: data analytics, product development, research, business operations, benchmarking, marketing, monetization, and commercial resale, provided such uses do not result in Re‑identification, all in accordance with 45 CFR 164.514(a)-(c).

3.3. Business Associate may use or disclose protected health information as required by law.

3.4. Business Associate agrees to make uses and disclosures and requests for protected health information consistent with Covered Entity's minimum necessary policies and procedures.

3.5. Business Associate may not use or disclose protected health information in a manner that would violate Subpart E of 45 CFR Part 164 if done by Covered Entity, except for the specific uses and disclosures set forth below.

3.6. Business Associate may use protected health information for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate.

3.7. Business Associate may provide data aggregation services relating to the health care operations of the covered entity.

4. Provisions for Covered Entity to Inform Business Associate of Privacy Practices and Restrictions

4.1. Covered Entity shall notify Business Associate of any limitation(s) in the notice of privacy practices of Covered Entity under 45 CFR 164.520, to the extent that such limitation may affect Business Associate's use or disclosure of protected health information.

4.2. Covered Entity shall notify Business Associate of any changes in, or revocation of, the permission by an individual to use or disclose his or her protected health information, to the extent that such changes may affect Business Associate's use or disclosure of protected health information.

4.3. Covered Entity shall notify Business Associate of any restriction on the use or disclosure of protected health information that Covered Entity has agreed to or is required to abide by under 45 CFR 164.522, to the extent that such restriction may affect Business Associate's use or disclosure of protected health information.

5. Permissible Requests by Covered Entity

Covered Entity shall not request Business Associate to use or disclose protected health information in any manner that would not be permissible under Subpart E of 45 CFR Part 164 if done by Covered Entity.

6. Term and Termination

6.1Term. The Term of this Agreement shall be effective as of the Effective Date, and shall terminate concurrent with the termination of all Underlying Agreements then in effect.

6.2. Termination for Cause. Covered Entity may terminate this Agreement if Covered Entity determines Business Associate has violated a material term of the Agreement and Business Associate has not cured the breach or ended the violation within thirty (30) days.

6.3. Obligations of Business Associate Upon Termination. Upon termination of this Agreement for any reason, Business Associate, with respect to protected health information received from Covered Entity, or created, maintained, or received by Business Associate on behalf of Covered Entity, shall:

Retain only that protected health information which is necessary for Business Associate to continue its proper management and administration or to carry out its legal responsibilities;

Return to Covered Entity the remaining protected health information that the Business Associate still maintains in any form;

Continue to use appropriate safeguards and comply with Subpart C of 45 CFR Part 164 with respect to electronic protected health information to prevent use or disclosure of the protected health information, other than as provided for in this Section, for as long as Business Associate retains the protected health information;

Not use or disclose the protected health information retained by Business Associate other than for the purposes for which such protected health information was retained and subject to the same conditions set out at Section 3 which applied prior to termination; and

Return to Covered Entity or destroy the protected health information retained by Business Associate when it is no longer needed by Business Associate for its proper management and administration or to carry out its legal responsibilities.

6.4Survival. The obligations of Business Associate under this Section shall survive the termination of this Agreement.

7.Miscellaneous

7.1. This Agreement may be amended or modified only in a writing signed by the Parties.

7.2. No party may assign its respective rights and obligations under this Agreement without the prior written consent of the other party.

7.3. None of the provisions of this Agreement are intended to create, nor will they be deemed to create any relationship between the parties other than that of independent parties contracting with each other solely for the purposes of effective the provisions of this Agreement and any other agreements between the parties evidencing their business relationship.

7.4. This Agreement shall be governed by the laws of the State of New York and venue for any claims brought in connection with the Agreement or an Underlying Agreement shall be Erie County, New York.

7.5. No change, waiver or discharge of any liability or obligation hereunder on any one or more occasions shall be deemed a waiver of performance of any continuing or other obligation, or shall prohibit enforcement of any obligation, on any other occasion.

7.6. The provisions of this Agreement are intended to establish the minimum requirements regarding Business Associate's use and disclosure of protected health information. This Agreement, together with the Underlying Agreement(s), constitutes the entire agreement of the parties relating to Business Associate's use or disclosure of protected health information.

7.7. To the extent the terms of this Agreement are unclear, this Agreement shall be construed to allow for compliance by the parties with the HIPAA Rules.

7.8. In the event that any provision of this Agreement is held by a court of competent jurisdiction to be invalid or unenforceable, the remainder of the provisions of this Agreement will remain in full force and effect.

IN WITNESS WHEREOF

the undersigned have executed this Agreement as of the Effective Date.

IN WITNESS WHEREOF, the undersigned have executed this Agreement as of the Effective Date.