This updated and expanded Business Associate Agreement (“BAA”), taking effect from the moment your account is activated with Fred Not Freud, LLC, DBA Reflective (“Effective Date”), constitutes a legally binding arrangement. The agreement involves you, herein referred to as the “Covered Entity,” and Fred Not Freud, LLC, DBA Reflective, hereafter referred to as the “Business Associate.” This document supersedes any previous agreements of similar nature between the involved entities and modifies the existing Terms of Service between the Covered Entity and the Business Associate, subject to changes from time to time (together known as the “Agreement”).
Preamble
- The Covered Entity is recognized as a “covered entity” as per the definition in 45 C.F.R. § 160.103.
- The Business Associate, in its capacity to provide services under the Agreement, may handle, produce, receive, or transmit Protected Health Information (“PHI”) for the Covered Entity.
- Both entities are committed to the protection and confidentiality of PHI, aligning with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH), along with other pertinent federal and state regulations.
- This BAA is crafted to fulfill specific HIPAA obligations and criteria, particularly those in 45 C.F.R. §§ 164.308(b), 164.314(a), 164.502(e), and 164.504(e).
- The BAA’s applicability is contingent upon the Business Associate meeting the criteria of a “business associate” as defined in 45 C.F.R. § 160.103.
Provisions of the Agreement
I. Definitions
- The term “Breach” aligns with the definition in 45 C.F.R. § 164.402, concerning Unsecured PHI managed by the Business Associate.
- Definitions of terms like “Data Aggregation,” “Designated Record Set,” “ePHI,” and others follow their respective descriptions in 45 C.F.R. §§ 164.402, 164.501, and 160.103.
- Terms not explicitly defined in this document are interpreted as per their established meanings under HIPAA.
II. Authorized Handling and Disclosure of PHI
- The Business Associate is permitted to handle and disclose PHI as needed to fulfill services under the Agreement, adhering to the Privacy Rule and relevant state laws.
- PHI utilization by the Business Associate is allowed for administrative, management, and legal obligations under certain conditions.
- Usage of PHI is also permissible for compliance with legal reporting requirements, data aggregation functions, and generation of de-identified information following applicable laws.
III. Obligations of the Business Associate
- The Business Associate is obliged to comply with the Agreement and relevant legal standards in handling and disclosing PHI.
- Obligations to maintain suitable safeguards and adhere to the Security Rule and HITECH regarding ePHI are emphasized.
- Any Reportable Event, as defined in this BAA, must be promptly reported by the Business Associate, along with efforts to mitigate any potential harm.
- The Business Associate is tasked with ensuring that its subcontractors conform to similar PHI protection standards.
- Detailed provisions for accessing, amending, and accounting for PHI disclosures are included, with specific compliance mandates.
IV. Duties of the Covered Entity
- The Covered Entity must notify the Business Associate of any alterations in its privacy practices, revocations of PHI authorizations, imposed restrictions, and any other changes impacting the Business Associate’s PHI handling.
- The Covered Entity is responsible for ensuring that its PHI disclosure requests are in compliance with HIPAA and other legal standards.
V. Duration and Conditions for Termination
- The term of the BAA coincides with the duration of the Agreement, encompassing various termination scenarios.
- Procedures for the return or destruction of PHI post-termination are explicitly outlined.
VI. Additional Clauses
- This section encompasses regulatory references, amendments, interpretative clauses, the comprehensive nature of the agreement, the relational dynamics between the parties, clauses for third-party beneficiaries, severability, assignment, governing law, dispute resolution, and notice procedures.
- Communication to the Business Associate should be directed to Fred Not Freud, LLC at 191 Presidential Boulevard, Bala Cynwyd, PA 19004 US, or via email at support@reflectiveapp.com. Notifications to the Covered Entity will be sent to the email address provided at the time of account creation.
The parties retain the right to amend the notification addresses through written notice. This BAA, in combination with the Agreement, represents the full and complete understanding between the parties on the subject matter.