EMDR Tappers BAA
Last Updated: 20 August 2023
Business Associate Agreement (BAA)
THIS Business Associate Agreement (this “Agreement”) dated as of the date agreed to on the application (the “Effective Date”) is by and between EMDR Tappers LLC, a corporation with offices at 300 COLONIAL CENTER PKWY, STE 100N, ROSWELL, GA 30076, United States (“Business Associate”), and signing entity (“Covered Entity”).
A. Covered Entity is a covered entity under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).
B. Covered Entity is interested in Business Associate furnishing digital bilateral stimulation tools, internet platform for providing bilateral stimulation at a distance and related services to Covered Entity and Business Associate has the expertise necessary to provide such services. The provision of the Business Associates online bilateral stimulation tools, history log of bilateral stimulation sessions and related services to the Covered Entity shall be governed by the Business Associates standard terms and conditions, other than as modified by this agreement.
C. In the course of Business Associate’s furnishing services to Covered Entity in accordance with the Agreement, Covered Entity may disclose certain Protected Health Information held by Covered Entity (“PHI”) to Business Associate.
NOW, THEREFORE, the parties, in consideration of the mutual agreements herein contained and for other good and valuable consideration, the receipt and adequacy of which are acknowledged, do hereby agree as follows:
Terms used, but not otherwise defined, in this Agreement shall have the same meaning as those terms in the Privacy Rule.
a. Business Associate. “Business Associate” shall mean Hush Communications Canada Inc.
b. Covered Entity. “Covered Entity” shall mean the entity signing the agreement that will utilize EMDR Tappers web or mobile application to create EMDR sessions with clients online.
c. Designated Record Set. “Designated Record Set” shall have the same meaning as the term “designated record set” at 45 CFR 164.501.
d. HIPAA Rules “HIPAA Rules” shall mean the Privacy, Security, Breach Notification and Enforcement Rules at 45 CFR Part 160 and Part 164.
e. Individual. “Individual” shall have the same meaning as the term “individual” in 45 CFR 160.103 and shall include a person who qualifies as a personal representative in accordance with 45 CFR 164.502(g).
f. Protected Health Information. “Protected Health Information” shall have the same meaning as the term “protected health information” in 45 CFR 160.103, limited to the information created or received by Business Associate from or on behalf of Covered Entity.
g. Required By Law. “Required By Law” shall have the same meaning as the term “required by law” in 45 CFR 164.103.
h. Secretary. “Secretary” shall mean the Secretary of the Department of Health and Human Services or his designate.
1. Obligations and Activities of Business Associate
To the extent Business Associate receives PHI on behalf of Covered Entity, Business Associate agrees to maintain the privacy and security of such PHI as set out herein and as required by the
HIPAA Rules. Further
a. Business Associate agrees not to use or disclose PHI other than as permitted or required by the Agreement or as Required By Law.
b. Business Associate agrees to use appropriate safeguards and comply with subpart C of 45 CFR part 164 with respect to electronic protected health information, to prevent use or disclosure of the PHI other than as provided for by this Agreement.
c. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of the requirements of this Agreement.
d. Business Associate agrees to report to Covered Entity any use or disclosure of the PHI not provided for by this Agreement of which it becomes aware, including breaches of unsecured PHI as required at 45 CFR 169.410 and any security incident of which it becomes aware.
e. Business Associate agrees to ensure that any agent, including a subcontractor, to whom it provides PHI received from, or created or received by Business Associate on behalf of Covered Entity agrees to the same restrictions and conditions that apply through this Agreement to Business Associate with respect to such information.
f. Business Associate agrees to make internal practices, books, and records, including policies and procedures, relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of, Covered Entity available to the Covered Entity, or to the Secretary, in a time and manner (within30 calendar days following written request from Covered Entity) or designated by the Secretary, for purposes of the Secretary determining Covered Entity’s compliance with the HIPAA Rules.
g. Business Associate agrees to document such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 CFR 164.528.
h. Business Associate agrees to provide to Covered Entity or an Individual, within 30 calendar days after written request, information collected in accordance with Section 1.
g., of this Agreement, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 CFR 164.528.
i. Business Associate agrees to provide to Covered Entity, within 30 days of a written request, any PHI in a Designated Record Set (if and to the extent one is maintained by Business Associate) as necessary to satisfy Covered Entity’s obligations under 45 CFR
164.524. If an Individual makes a request for access to PHI directly to Business Associate, Business Associate shall notify Covered Entity of the request within 5 days of such request and will co-operate with Covered Entity and Covered Entity shall prepare and send the response to the Individual.
j. Within 30 days of a written request from Covered Entity, Business Associate agrees to make any amendments to any PHI in a Designated Record Set (if and to the extent one is maintained by Business Associate) as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.526. If an Individual makes a request for an amendment to PHI directly to Business Associate, Business Associate shall notify Covered Entity of the request within 5 business days of such request and will co-operate with Covered Entity and Covered Entity shall prepare and send the response to the Individual.
2. Permitted Uses and Disclosures by Business Associate
Except as otherwise limited in this Agreement, Business Associate may only use or disclose PHI to perform functions, activities, or services for, or on behalf of, Covered Entity as specified in this Business Associate Agreement, provided that such use or disclosure would not violate the HIPAA Rules if done by Covered Entity or the minimum necessary policies and procedures of the Covered Entity.
3. Specific Use and Disclosure Provisions
Business Associate may use PHI to report violations of law to appropriate Federal and State authorities, consistent with 164.502(j)(1).
4. Obligations of Covered Entity
Covered Entity shall notify Business Associate of any limitation(s) in its notice of privacy practices of Covered Entity in accordance with 45 CFR 164.520, to the extent that such limitation may affect Business Associate’s use or disclosure of PHI.
Covered Entity shall notify Business Associate of any changes in, or revocation of, permission by an Individual to use or disclose PHI, to the extent that such changes may affect Business Associate’s use or disclosure of PHI.
Covered Entity shall notify Business Associate of any restriction to the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 CFR 164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of PHI.
5. Permissible Requests by Covered Entity
Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under the HIPAA Rules if done by Covered Entity.
6. Term and Termination
a. Term. The Term of this Agreement shall be effective as of the date of this agreement, and shall terminate when all of the PHI provided by Covered Entity to Business Associate, or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity, or, if it is infeasible to return or destroy PHI, protections are extended to such information, in accordance with the termination provisions in this Section.
b. Termination by Business Associate. Should the Business Associate terminate its secure online bilateral stimulation tools account and related services to the Covered Entity in accordance with its standard terms and conditions, this agreement will be terminated as at the same date.
c. Termination for Cause. Upon Covered Entity’s knowledge of a material breach by Business Associate, Covered Entity shall either:
1. Provide an opportunity for Business Associate to cure the breach or end the violation within 10 calendar days. If Business Associate does not cure the breach or end the violation within 10 days, this agreement may be terminated.
2. Covered Entity shall immediately terminate this Agreement if Business Associate has breached a material term of this Agreement and cure is not possible; or
3. If neither termination nor cure are feasible, Covered Entity shall report the violation to the Secretary.
d. Effect of Termination.
1. Upon termination of this Agreement, for any reason, Business Associate shall return or destroy all PHI received from Covered Entity, or created, maintained, or received by Business Associate on behalf of Covered Entity. This provision shall apply to PHI that is in the possession of subcontractors or agents of Business Associate. Business Associate shall retain no copies of the PHI;
2. Retain only that PHI which is necessary for Business Associate to continue its proper management and administration or to carry out its legal responsibilities;
3. Continue to use appropriate safeguards and comply with Subpart C of 45 CFR part 164 with respect to electronic PHI to prevent use or disclosure of the PHI, other than as provided for in this Section, for as long as Business Associate retains the PHI;
4. Not use or disclose the PHI retained by Business Associate other than for the purposes for which such PHI was retained and subject to the same conditions set out in Section 2 above under “Permitted Uses and Disclosures By Business Associate” which applied prior to termination; and
5. Return to Covered Entity, or if agreed to by Covered Entity destroy, the PHI retained by Business Associate when it is no longer needed by Business Associate
for its proper management and administration or to carry out its legal responsibilities.
a. Regulatory References. A reference in this Agreement to the HIPAA Rules means the HIPAA Rules as in effect or as amended.
b. Amendment. The Parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for Covered Entity to comply with the requirements of the HIPAA Rules and the Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191.
c. Survival. The respective rights and obligations of Business Associate under Section 6, of this Agreement shall survive the termination of this Agreement.
d. Interpretation. Any ambiguity in this Agreement shall be resolved to permit Covered Entity to comply with the Privacy Rule.
This document is only valid after agreeing and digitally signing the agreement on behalf of the Covered Entity using the digital app EMDR Tappers.