BUSINESS ASSOCIATE AGREEMENT

WHEREAS, Client has engaged Travis to provide certain software services relating to COBRA administration (“Services”) that may lead to Client’s request that Travis receive, use or disclose information that is determined to be Protected Health Information (“PHI”) of its Covered Entity clients.

WHEREAS, this Business Associate Agreement is incorporated by reference into the End User License Agreement between the parties (herein referred to as License Agreement);

NOW, THEREFORE, for valuable consideration the receipt of which is hereby acknowledged and intending to establish a business associate relationship under 45 CFR §164, the parties hereby agree as follows:

I. Definitions

  1. “Breach” means the acquisition, access, use or disclosure of PHI in a manner not permitted under this part which compromises the security or privacy of the PHI as described in 45 CFR 164.402. Notwithstanding the foregoing, the term “Breach” shall not include (i) any unintentional acquisition, access or use of PHI by an employee or individual acting under the authority of Client or Travis if (A) such acquisition, access, or use was made in good faith and within the scope of authority or other professional relationship of such employee or individual, respectively, with Client or Travis and (B) such information does not result in the further use or disclosure in a manner not permitted by the Privacy Rule; (ii) any inadvertent disclosure by an individual who is otherwise authorized to access PHI at a facility operated by a Client or Travis to another similarly situated individual at the same facility and the information received as a result of such disclosure is not further used or disclosed in a manner not permitted by the Privacy Rule; and (iii) a disclosure of PHI where Client or Travis has a good faith belief that an unauthorized person to whom disclosure is made would not reasonably have been able to retain such information.
  1. “CFR” means the Code of Federal Regulations. A reference to a CFR section means that section, as amended from time to time; provided, however, that if future amendments change the designation of a section reference, or transfer a substantive regulatory provision reference to a different section, the modified section references shall be deemed to be amended accordingly.
  1. “Covered Entity” means a Health Plan, Health Care Clearinghouse or a Health Care Provider as these terms are further defined in 45 CFR §160.103.
  1. “Data Aggregation” means the combining of PHI created or received by Travis in its capacity as a business associate of Client with the PHI received by Travis in its capacity as a business associate of another covered entity or subcontractor of another business associate to permit data analyses that relate to health care operations of the respective covered entities.
  1. “Designated Record Set” means the term “designated record set” used in 45 CFR §164.501 and shall include a group of records maintained for a Covered Entity that are: (i) the enrollment, payment, claims adjudication and case or medical management record systems maintained by or for Covered Entity by Client and/or Travis or (ii) used, in whole or in part, by or for a Covered Entity to make decisions about Individuals. For purposes of this definition, “record” means any item, collection, or grouping of information that includes PHI and is maintained, collected, used, or disseminated by or for a Covered Entity.
  1. “Disclose” or “Disclosure” means the release, transfer, or divulging in any manner of, or the provision of access to, information outside the entity holding the information.
  1. “Electronic Health Record” shall have the same meaning as the term “electronic protected health information” in ARRA, §13400(5).
  1. “Electronic PHI” or “ePHI” shall mean PHI that is transmitted by or maintained in electronic media.
  1. “HHS” means the U.S. Department of Health and Human Services.
  1. “Individual” means the person who is subject of PHI and shall include a person who qualifies as a personal representative in accordance with 45 CFR 164.502(g).
  1. “Protected Health Information” or “PHI” means information (including genetic information) that is created or received from or on behalf of Covered Entity and is information about an individual, whether oral or recorded in any form or medium: (i) that relates to the past, present, or future physical or mental condition of an Individual; the provision of health care to an Individual; or the past, present or future payment for the provision of health care to an Individual, and (ii) that identifies the Individual or with respect to which there is a reasonable basis to believe the information can be used to identify the Individual. PHI does not include individually identifiable health information in: (i) education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. §1232g; (ii) records described at 20 U.S.C. §1232g(a)(4)(B)(iv); (iii) records held by the Client in its role as employer; and (iv) regarding an Individual who has been deceased for more than 50 years.
  1. “Required By Law” shall mean a mandate contained in federal law that compels a covered entity to make a use or Disclosure of PHI and that is enforceable by a court of law. Required by Law includes, but is not limited to, court orders and court-ordered warrants; a subpoena or summons issued by a court, grand jury, governmental or tribal inspector general, or an administrative body authorized to require the production of information; a civil or an authorized investigative demand; Medicare conditions of participation with respect to health care providers participating in the program; and statutes or regulations that require the production of information, including statutes or regulations that require such information if payment is sought under a federal government program providing public benefits.
  1. “Security Incident” shall mean the attempted or successful unauthorized access, Use, or Disclosure, modification or destruction of information or interference with system operations in an information system. However, the parties acknowledge and agree that this definition shall not include the ongoing existence and occurrence of attempted but Unsuccessful Security Incidents (as defined below) for which no notice to Covered Entity or the other party shall be required. “Unsuccessful Security Incidents” shall include, but not be limited to, pings and other broadcast attacks on either party’s firewall, port scans, unsuccessful log-on attempts, denials of service and any combination of the above, so long as no such incident results in unauthorized access, Use or Disclosure of PHI.
  1. “Subcontractor” shall have the same meaning as the term “subcontractor” in 45 CFR §160.103.
  1. “Technical Safeguards” means the technology and the policy and procedures for its use that protect ePHI and control access to it.
  1. “Unsecured PHI” shall mean the PHI (including ePHI) that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Secretary of the Health and Human Services Department.
  1. “Use” shall mean the sharing, employment, application, utilization, examination or analysis of information.

Terms used but not otherwise defined herein, shall have the same meaning as those terms in the HIPAA Rules and HITECH Standards.

II. Obligations and Activities of Travis

  1. Travis agrees not to use or disclose PHI other than as permitted or required by this Agreement, or as Required By Law. Travis  will take reasonable efforts to limit requests for, Use, and Disclosure of PHI to the minimum necessary to accomplish the intended request, use or disclosure.
  1. Travis agrees to use appropriate safeguards to prevent the Use or Disclosure of PHI other than as provided for by this Agreement or otherwise permitted or Required by Law. Travis shall implement and maintain reasonable and appropriate administrative, technical and physical safeguards to protect PHI from loss, misuse and unauthorized access, Disclosure, alteration and destruction, including but not limited to maintaining written policies and procedures to detect, prevent or mitigate identity theft based on PHI or information derived from PHI.  In addition, Travis agrees to implement and maintain administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of any ePHI in compliance with the security requirements of Applicable Law.
  1. Travis agrees to mitigate, to the extent practicable, any harmful effect that is known to Travis of a Use or Disclosure of PHI by Travis in violation of the requirements of this Agreement.
  1. To the extent known by Travis, Travis agrees to report in writing or electronically to Client any Use or Disclosure of PHI other than as permitted by this Agreement promptly after Travis has actual knowledge of such Use or Disclosure and to report promptly and without unreasonable delay to Client each Security Incident of which it becomes aware as determined by Travis, including breaches of Unsecured PHI pursuant to the requirements of 45 CFR §164.410. Following the discovery of a Breach of Unsecured PHI, Travis shall notify Client of such Breach promptly after Travis has actual knowledge of such use or disclosure. All reports of Breaches of Unsecured Protected Health Information shall be made in compliance with 45 CFR 410 and will include the identification of each individual whose unsecured PHI has been, or is reasonably believed to have been accessed, acquired or disclosed during the Breach. A Breach will be treated as discovered as of the first day that such Breach is known or reasonably should have been known by Travis.
  1. Travis agrees to ensure in its agreement with any agent, including a subcontractor, to whom it provides PHI (including ePHI) received from, or created or received by Travis on behalf of the Client, any conditions with respect to such information that are at least as restrictive as those that apply through this Agreement to Travis. Travis agrees to ensure that any agents, including sub-agents, to whom it provides PHI (including ePHI) received from, or created or received by Travis on behalf of the Client, agree in writing to implement the reasonable and appropriate safeguards that are at least as restrictive as those that apply to Travis through this Agreement to protect the PHI.
  1. Travis agrees to provide access, at the request of Client, and in a reasonable time and manner, to PHI in a Designated Record Set, to Client in order to meet the requirements under 45 CFR §164.524; provided, however, that the applicability of this provision is limited to the extent the Designated Record Set is maintained by Travis for the Client.
  1. If Travis maintains PHI (including ePHI) in a Designated Record Set, Travis agrees to make available to Client such information that may be required to assist with Client’s and/or Covered Entity’s obligations to respond to a request for access to PHI as provided under 45 CFR §164.524 or to respond to a request to amend PHI pursuant to 45 CFR § 164.526 in a reasonable time and manner. Travis shall refer to Client all such requests that Travis may receive from Individuals.  If Client requests Travis to amend PHI in Travis’s possession to comply with 45 CFR §164.526, Travis shall effectuate such amendments no later than the date they are required to be made in accordance with 45 CFR §164.526; provided that if Travis receives such a request from Client less than ten (10) business days prior to such date, Travis will effectuate such amendments as soon as is reasonably practicable.
  1. Upon reasonable notice, Travis agrees to make internal practices, books, and records, including policies and procedures on PHI, relating to the use and disclosure of PHI received from, or created or received by Travis on behalf of the Client, available to the Client, or available to the Secretary of the Health and Human Services Department, at Client’s expense, for purposes of the Secretary determining Client’s or Covered Entity’s compliance with Applicable Law, including policies and procedures for PHI, relating to the use and disclosure of PHI received from, created, or received by Travis on behalf of Client will be made available to the Client, Covered Entity, or the Secretary, in a reasonable time and manner, or in a time designated by the Secretary, for purposes of the Secretary determining Client’s, Covered Entity’s and/or Travis’s compliance with Applicable Law.
  1. If applicable, Travis agrees to provide Client, within a reasonable time, such information necessary to permit Client to respond to a request by an Individual for an accounting of disclosures as provided under 45 CFR §164.528. Travis shall refer to Client all such requests that Travis may receive from Individuals.
  1. To the extent that Travis or any subcontractor is conducting all or part of an electronic (using electronic media) transaction, on behalf of Client, for which the Secretary of the Health and Human Services Department has adopted a standard that is covered and regulated under 45 CFR Part 162, Travis shall comply with all applicable requirements for use of an identifier and shall conduct any such transaction as a “standard transaction”, as such term is defined under 45 CFR Part 162. Travis shall require any agent or subcontractor to comply with all applicable requirements of 45 CFR Part 162.

III. Permitted Uses and Disclosures to Travis

Except as otherwise limited in this Agreement, Travis may use or disclose PHI to perform functions, activities, or services for, or on behalf of, Client as needed for the Services provided that such Use or Disclosure would not violate Applicable Law if done by Client or the minimum necessary policies and procedures of the Client. Without limiting the generality of the foregoing, Travis shall not sell PHI or Use or Disclose any PHI for purposes of marketing or fundraising, as provided in Applicable Law.

Specific Use and Disclosure Provisions

  1. Except as otherwise limited in this Agreement, Travis may use PHI for the proper management and administration of Travis or to carry out any present or future legal responsibilities of Travis, each as related to activities performed pursuant to the applicable software support services.
  1. Except as otherwise limited in this Agreement, Travis may Disclose PHI for the proper management and administration of Travis or to fulfill present or future legal responsibilities of Travis, provided that such Disclosure is either Required By Law or Travis obtains reasonable assurances from any person to whom the PHI is disclosed that: (i) it will remain confidential, (ii) any use or further disclosure shall be limited to the purpose for which it was disclosed to such person or as Required By Law, and (iii) Travis is notified of any instances of which it is aware in which the confidentiality of the information has been breached.
  1. Except as otherwise limited in this Agreement, Travis may use PHI to provide Data Aggregation services relating to the health care operations of the Covered Entity and Client.
  1. Notwithstanding the foregoing, Travis’s Use or Disclosure of PHI (including ePHI) shall not be deemed a breach of this Agreement to the extent the Use or Disclosure is incident to a Use or Disclosure otherwise permitted hereunder or otherwise permitted or required by 45 CFR Part 164, Subpart E, consistent with 45 CFR § 164.502.
  1. Travis may use PHI to report violations of law to appropriate federal and state authorities, consistent with §164.502(j)(1) and any regulations under ARRA.
  1. Travis may create de-identified data, provided that Travis de-identifies the information in accordance with the Privacy Rule. De-identified information does not constitute PHI and is not subject to the terms and conditions of this Agreement.

IV. Obligations of Client

  1. If Client is a subcontractor for a Covered Entity and to the extent that Travis will have access to PHI of any Covered Entity client of Client’s, Client represents and warrants that it has executed business associate agreements with said Covered Entities that set forth the Client and Covered Entities’ obligation under HIPAA and Client’s obligation to relay Covered Entity’s instructions, privacy policies and other information to Travis.
  1. Client shall: (i) provide Travis with the notice of its privacy practices or if applicable, the privacy practices maintained by its clients who are Covered Entities produced in accordance with 45 CFR § 164.520, as well as any changes to such notice; (ii) provide Travis with any changes in, or any revocation of, permission by an Individual to Use or Disclose PHI, if such changes affect Travis’s permitted or required Uses and Disclosures; (iii) notify Travis of any restriction to the Use or Disclosure of PHI that the applicable Covered Entity has agreed to in accordance with 45 CFR § 164.522, to the extent that such restrictions may affect Travis’s Use or Disclosure of PHI; and (iv) not request Travis to Use or Disclose PHI in any manner that would not be permissible under Applicable Law if done by the applicable Covered Entity, except as set forth in Article III of this Agreement.
  1. Client shall not request Travis to use or disclose PHI (including ePHI) in any manner that would not be permissible under Applicable Law or is not otherwise authorized or permitted under this Agreement.
  1. Client acknowledges and agrees that the Privacy Rules allow a Covered Entity or its business associate to Disclose or provide access to PHI, other than Summary Health Information, to the Plan Sponsor only after the Plan Sponsor has amended its plan documents to provide for the permitted and required Uses and Disclosures of PHI and to require the Plan Sponsor to provide a certification to the Plan that certain required provisions have been incorporated into the Plan documents before the Plan may Disclose, either directly or through a Business Associate, any PHI to the Plan Sponsor. Client shall not submit any such request to Travis unless Client has verified the Plan documents have been so amended and that the Plan has received such certification from the Plan Sponsor.
  1. Client agrees that it has entered into Business Associate agreements with each third party to whom Client directs and authorizes Travis to disclose PHI.

V. Term and Termination

  1. Term. This Agreement shall be effective as of the date executed by both parties, and shall terminate on the later of (i) the end of the current License Term immediately following Client’s decision not to continue the subscription to the T-COBRAWEB application, as detailed in the License Agreement or (ii) when all of the PHI provided by Client to Travis, or maintained, or created or received by Travis on behalf of Client, is destroyed or returned to Client, or, if it is infeasible to return or destroy PHI, protections are extended to such information, in accordance with the termination provisions in this Section.
  1. Material Breach.
     1. Upon the Client’s knowledge of a failure to perform Travis’s obligations under this Agreement, the Client shall provide a reasonable opportunity for Travis to cure the breach or end the violation, with a reasonable time as determined by both parties. The Client may terminate this Agreement if Travis does not cure the breach or end the violation within the time agreed to by the parties. If neither termination nor cure is feasible, the Client shall report the breach or violation to the Secretary of the Health and Human Services Department.
     1. Upon Travis’s knowledge of a failure to perform the Client’s obligations under this Agreement, Travis shall provide a reasonable opportunity for the Client to cure the breach or end the violation, with a reasonable time as determined by both parties. Travis may terminate this Agreement if the Client does not cure the breach or end the violation within the time agreed to by the parties. If neither termination nor cure is feasible, Travis shall report the breach or violation to the Secretary of the Health and Human Services Department.
  1. Obligations After Termination. Travis’s obligations under Sections II and III of this Agreement shall survive the termination of this Agreement with respect to any PHI (including ePHI) that remains in possession of Travis.

VI. Miscellaneous

  1. Amendment. The parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for Client and Travis to comply with the requirements of Applicable Law, as each further may be amended or revised.
  1. Rights and Obligations. Nothing express or implied in this Agreement shall confer upon any person other than Client, Travis, and their respective successors or assigns, any rights, remedies, obligations, or liabilities whatsoever.
  1. Counterparts. This Agreement may be executed in any number of counterparts, each of which shall be deemed an original.
  1. Modification to Services. This Agreement is intended only to change the terms and conditions of and the rights and obligations of the parties as related to the Use, security and Disclosure of PHI (including ePHI) and shall have no effect on corresponding agreements, if any, previously entered into by the parties outside of such Use, security and Disclosure of PHI (including ePHI).
  1. Interpretation of Agreement. Any uncertainty or ambiguity in this Agreement shall be resolved in favor of a meaning that permits Client and Travis to comply with the Applicable Law.
  1. Governing Law. This Agreement shall be governed by the laws of the State of Delaware without regard to its choice of laws or conflict of laws provisions, to the extent not preempted by ERISA and not inconsistent with Federal law.
  1. Waiver of Provisions. The waiver by any party of any breach of any provision of this Agreement shall not be construed as a waiver of any subsequent breach of the same or of any other provision. The failure to exercise any right hereunder shall not operate as a waiver of such right.
  1. Notices. Any required notice to be given by one party to the other shall be given in accordance with the License Agreement between the parties.
  1. Third Party Beneficiaries. Except with respect to those entities and individuals, if any, entitled to indemnification pursuant to this Agreement, no provision of this Agreement is for the benefit of any person who is not a party hereto (including without limitation any current or former employee or Plan participant) and no such party shall have any right or cause of action hereunder, nor shall this Agreement be construed or interpreted so as to confer a right of employment, continued employment, coverage, or continued coverage on any employee of the Client or Travis or any affiliates or on any Plan participant.
  1. Indemnity by Client. Client agrees to defend, indemnify and hold harmless Travis, its affiliates and each of their respective directors, officers, employees, agents or assigns from and against any and all actions, causes of action, claims, suits and demands whatsoever, and from all damages, liabilities, costs, charges, debts, fines, government investigations, proceedings, and expenses whatsoever (including reasonable attorneys’ fees and expenses related to any litigation or other defense of any claims), which may be asserted or for which they may now or hereafter become subject arising in connection with (i) any misrepresentation, breach of warranty or non-fulfillment of any undertaking on the part of the party under this Agreement; and (ii) any claims, demands, awards, judgments, actions, and proceedings made by any person or organization arising out of or in any way connected with the party’s performance under this Agreement.
  1. Indemnity by Travis. Travis agrees to pay actual costs for notification and any associated mitigation incurred by Client, including but not limited to, costs associated with providing notice, printing, mailing, credit monitoring, identity theft protection, call center services, etc., if Client and Travis determine in their reasonable and supported discretion that a Breach by Travis warrants such measures.  Travis shall also reimburse Client for all reasonable costs, expenses, damages, and other losses resulting from any Unauthorized Use or Disclosure, Security Incident, or Breach involving PHI maintained by Client or its subcontractors.

    In no event shall the aggregate liability of Travis and its licensors exceed the amounts actually paid by and/or due from the Client within the 12 months preceding such claim. In no event shall either Travis and/or its licensors be liable to anyone for any indirect, punitive, special, exemplary, incidental or consequential damages (including loss of data, revenue profits, use or other economic advantage) arising out of or in any way connected to a violation by Travis of its obligations in this Agreement, even if the party from which damages are being sought or such party’s licensors have been previously advised of the possibility of such damages. The obligations of this paragraph shall survive the expiration or earlier termination of this Agreement.

  1. Replace & Supersede. This Agreement shall replace and supersede in its entirety any prior Business Associate Agreement(s) between the parties.
  1. Independent Parties. The relationship between the Client and Travis is at all times that of independent contracting entities. Neither party is the agent or representative of the other, nor shall either party be liable for the acts or omissions of the other, its agents, or its employees.