
Business Associate Agreement
 

This Business Associate Agreement (the "BAA" or "Agreement") is made and entered into by and between Berries Health Inc., a corporation incorporated under the laws of Delaware ("Business Associate"), and a Customer who has entered into a Terms of Use Agreement with the Business Associate ("Covered Entity"). Business Associate and Covered Entity are each a "Party" and together the "Parties".

 

WHEREAS, the Covered Entity is involved in activities within the healthcare sector that necessitate the handling and protection of Protected Health Information ("PHI"), and is recognized as a Covered Entity as defined under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), as amended by the Health Information Technology for Economic and Clinical Health Act ("HITECH Act") and the regulations promulgated thereunder by the U.S. Department of Health and Human Services, including but not limited to 45 CFR Parts 160 and 164 (collectively referred to as "HIPAA Regulations");

 

WHEREAS, the Business Associate provides services on behalf of the Covered Entity that require the use or disclosure of PHI, as that term is defined at 45 CFR § 160.103. In the course of providing these services, the Business Associate will receive, create, maintain, or transmit PHI on behalf of the Covered Entity, necessitating compliance with applicable provisions of HIPAA Regulations to ensure the confidentiality, integrity, and security of PHI;

 

WHEREAS, HIPAA Regulations mandate that the Covered Entity obtain satisfactory assurances from the Business Associate that the Business Associate will appropriately safeguard the PHI received or created on behalf of the Covered Entity, in accordance with the standards and requirements set forth in 45 CFR Part 160 and Part 164;

 

NOW, THEREFORE, in consideration of the mutual promises below and the exchange of information pursuant to this Agreement, the Parties agree to the terms and conditions set forth herein to address the protection and disclosure of PHI in compliance with HIPAA Regulations, the HITECH Act, and other applicable laws, including the specific regulatory requirements set forth at 45 CFR Parts 160 and 164.

 

1. Definitions:

 

Terms used herein but not explicitly defined shall have the same meaning as given to them in the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH Act), including any regulations promulgated thereunder.

 

2. Obligations and Activities of Business Associate:

 

a. Use and Disclosure of PHI:
 

i. Business Associate shall not use or disclose Protected Health Information (PHI) other than as permitted or required by this Agreement or as required by law.


ii. Business Associate shall only use or disclose PHI in accordance with the terms of this Agreement and as necessary to perform its obligations under any associated agreements with the Covered Entity.

 

b. Safeguards and Compliance:

 

i. Business Associate agrees to implement appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of PHI, in accordance with the Security Rule of HIPAA, as outlined in Subpart C of 45 CFR Part 164.


ii. Business Associate shall comply with all requirements of the Security Rule in relation to electronic PHI (ePHI) and shall ensure that any subcontractors or agents to whom it provides PHI also comply with such requirements.


iii. Business Associate shall report to the Covered Entity any security incident or breach of unsecured PHI as required by the Breach Notification Rule under HIPAA and within the time frame set out in Section 2(f) of this Agreement.


iv. Business Associate shall maintain documentation of its security measures and provide such documentation to the Covered Entity upon request or as required by the Secretary of the U.S. Department of Health and Human Services.


v. Business Associate shall adhere to specific privacy and security practices, including but not limited to the use of encryption for ePHI transmitted over the internet or stored on portable devices, consistent with the guidelines provided by the National Institute of Standards and Technology (NIST) and other recognized standards. Business Associate shall ensure that all employees, subcontractors, and agents are trained in these practices and comply with them.

 

c. Minimum Necessary:

 

i. Business Associate agrees to only request, use, and disclose the minimum necessary amount of PHI to accomplish the intended purpose of the request, use, or disclosure, in accordance with the Minimum Necessary Rule under HIPAA.

 

d. Subcontractors:

 

i. Prior to disclosing PHI to any subcontractor or agent, Business Associate shall obtain satisfactory assurances in writing that the subcontractor or agent will appropriately safeguard the PHI in accordance with the terms of this Agreement and HIPAA Regulations.

 

ii. Business Associate shall ensure that any subcontractor or agent to whom it provides PHI agrees to the same restrictions and conditions that apply to Business Associate with respect to such PHI.

 

e. Access to PHI:

 

i. Business Associate shall provide access to PHI in a timely manner to the Covered Entity or an individual, as required by the Privacy Rule under HIPAA.


ii. Business Associate shall make any amendments to PHI as directed by the Covered Entity in accordance with the requirements of the Privacy Rule.

 

f. Breach Notification:

 

i. Business Associate shall report to Covered Entity any use or disclosure of PHI not permitted by this Agreement, any breach of unsecured PHI as required by 45 CFR § 164.410, and any security incident involving electronic PHI, in each case no later than 30 calendar days after discovery. Each report shall include the details Covered Entity needs to fulfill its HIPAA and other legal reporting obligations, including, to the extent known, the identity of each individual whose PHI was involved, the nature of the PHI involved, and the date of the incident and of its discovery.


g. Data Retention and Disposal:

 

i. Business Associate shall retain PHI only for the period necessary to fulfill the purposes for which it was collected and in accordance with applicable legal requirements.


ii. Upon termination of this Agreement, Business Associate shall return or destroy all PHI received from or created or received on behalf of the Covered Entity that Business Associate still maintains in any form and retain no copies of such information. If such return or destruction is not feasible, the Business Associate shall extend the protections of this Agreement to the information and limit further uses and disclosures to those purposes that make the return or destruction of the information infeasible.

 

h. Training:

 

i. Business Associate shall provide training to its workforce regarding the requirements of this Agreement and HIPAA Regulations as necessary to perform their duties effectively and in compliance with applicable laws and regulations.

 

3. Permitted Uses and Disclosures by Business Associate:

 

a. Providing Services:

 

Business Associate is permitted to use or disclose PHI to the extent necessary to provide the services, and the related management and administration, that form part of the Business Associate's obligations under this Agreement and any associated agreements with the Covered Entity.

 

b. Data Aggregation Services:

 

Business Associate may use or disclose PHI to provide data aggregation services as it relates to the health care operations of the Covered Entity.

 

c. Required by Law:

 

Business Associate may use or disclose PHI when required by law.

 

d. Management and Administration of Business Associate:

 

Business Associate is permitted to use PHI for the proper management and administration of the Business Associate and to carry out the legal responsibilities of the Business Associate. Business Associate may disclose PHI for those purposes only if the disclosure is required by law, or if Business Associate obtains reasonable assurances from the recipient that the PHI will be held confidentially and used or further disclosed only as required by law or for the purpose for which it was disclosed, and that the recipient will notify Business Associate of any instance of which it becomes aware in which the confidentiality of the PHI has been breached.

 

e. Minimum Necessary Use and Disclosure:

 

Business Associate shall make uses and disclosures under this section consistent with its obligation to apply the minimum necessary standard to PHI.

 

4. Use of De-Identified Information:

 

The Business Associate is permitted to use and disclose de-identified health information created by de-identifying PHI received from, or created or received by the Business Associate on behalf of, the Covered Entity, provided that such de-identification conforms to the requirements of 45 CFR § 164.514(b). The Business Associate must implement methods and processes that meet the standards for de-identification of PHI under HIPAA. The Business Associate agrees not to re-identify de-identified information or to use de-identified information in a way that violates applicable law or could allow the information to be attributed to an individual.

 

5. Obligations of Covered Entity:

 

a. Notice of Privacy Practices:

 

Covered Entity shall notify Business Associate of any limitation in its Notice of Privacy Practices (NPP), issued under 45 CFR § 164.520, and of any changes to that notice, to the extent that such limitation or change may affect Business Associate's use or disclosure of PHI.

 

b. Restrictions and Changes:

 

Covered Entity shall notify Business Associate of any restriction to the use or disclosure of Protected Health Information (PHI) that Covered Entity has agreed to in accordance with 45 CFR § 164.522, or any changes in, or revocation of, permission by an individual to use or disclose his or her PHI, to the extent that such changes affect Business Associate’s use or disclosure of PHI.

 

c. Permissions and Authorizations:

 

Covered Entity shall obtain any consent, authorization, or permission that may be required by the Privacy Rule or any other applicable law or regulation before it submits PHI to Business Associate for processing or handling.

 

d. Compliance and Cooperation:

 

Covered Entity shall comply with its obligations under HIPAA, the HITECH Act, and applicable state laws concerning the privacy and security of PHI. It shall also cooperate with Business Associate in the event of an investigation, audit, or inquiry by a governmental regulatory body related to the use or disclosure of PHI under this Agreement.

 

e. Informing of Policies and Procedures:

 

Covered Entity shall inform Business Associate of any changes in its policies and procedures that may affect Business Associate's handling of PHI.

 

f. Safeguards:

 

Covered Entity shall implement appropriate safeguards to prevent unauthorized use or disclosure of PHI prior to the disclosure of PHI to Business Associate, including ensuring that its workforce members' access to PHI is limited to the minimum necessary information required to perform their job functions.

 

6. Term and Termination:

 

a. Term:

 

This Agreement shall commence as of the Effective Date and shall remain in effect until terminated by either party or upon the termination of the underlying service agreement, whichever comes first.

 

b. Termination for Cause:

 

Either party may terminate this Agreement if the other party has breached a material term of the Agreement and fails to cure such breach within thirty (30) days of written notice. Upon termination for cause, Business Associate shall return or destroy all PHI received from, or created or received on behalf of, the Covered Entity in accordance with Section 6(c).

 

c. Effect of Termination:

 

Upon termination of this Agreement, the Business Associate shall, if feasible, return or destroy all Protected Health Information (PHI) received from, or created on behalf of, the Covered Entity that it still maintains in any format, ensuring no copies are retained. If such return or destruction is infeasible, the Business Associate must continue to protect the PHI and limit further uses and disclosures to those purposes that make the return or destruction infeasible. This obligation survives the termination of the Agreement.

 

7. Indemnification:

 

The Business Associate agrees to indemnify, defend, and hold harmless the Covered Entity and its officers, directors, employees, and agents from and against any claims, actions, penalties, fines, damages, or costs (including reasonable attorneys' fees) arising out of the Business Associate's breach of this Agreement, misuse of PHI, or violation of HIPAA, the HITECH Act, or applicable state laws protecting the privacy and security of PHI.

 

8. No Third-Party Beneficiaries:

 

This Agreement is for the sole benefit of the Covered Entity and the Business Associate and does not create any rights or remedies in any third party, including but not limited to the clients or patients of the Covered Entity, or agents, officers, or employees of either party. No third party shall be considered a beneficiary of this Agreement, nor shall any third party have any rights to enforce the terms or conditions of this Agreement.

 

9. Governing Law:

 

This Agreement shall be governed by and construed in accordance with the laws of the State of Delaware, without giving effect to any choice or conflict of law provision or rule. Any legal suit, action, or proceeding arising out of or related to this Agreement or the transactions contemplated hereby shall be instituted exclusively in the federal courts of the United States or the courts of the State of Delaware, in each case located in the city of Wilmington and County of New Castle, and each party irrevocably submits to the exclusive jurisdiction of such courts in any such suit, action, or proceeding.

 

10. Effect on Prior Business Associate Agreement:

 

This Agreement supersedes any prior agreements, understandings, or negotiations, whether written or oral, relating to the subject matter hereof. This Agreement constitutes the entire agreement between the parties regarding the handling of Protected Health Information (PHI) and the obligations of the Business Associate and the Covered Entity under HIPAA and the HITECH Act. No amendment, change, or modification of any of the terms, provisions, or conditions of this Agreement shall be effective unless made in writing and signed by both parties.

 

11. Amendment:

 

This Agreement may be amended or modified only in writing signed by both parties. The parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for compliance with the requirements of HIPAA, the HITECH Act, and other applicable laws.
