01
Definitions
Terms used but not otherwise defined in this Agreement have the meaning given to them by the HIPAA Rules (the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Parts 160 and 164).
- Covered Entity means the agency or organization that has enabled Cardon Health for its use.
- Business Associate means Agentic Labs Inc., operating Cardon Health.
- Protected Health Information (PHI) has the meaning at 45 CFR 160.103, limited to information Business Associate creates, receives, maintains, or transmits for or on behalf of Covered Entity.
- Electronic PHI (ePHI) means PHI transmitted or maintained in electronic media.
02
Permitted uses and disclosures
Business Associate may use or disclose PHI only as necessary to perform the services described in the underlying customer agreement, as required by law, or as otherwise permitted by this Agreement.
- Business Associate may use PHI for the proper management and administration of Business Associate and to carry out its legal responsibilities.
- Business Associate may disclose PHI for such purposes only if the disclosure is required by law, or Business Associate obtains reasonable assurances that the information will remain confidential and that the recipient will notify Business Associate of any breach.
- Business Associate may provide data aggregation services relating to the health care operations of Covered Entity, and may de-identify PHI in accordance with 45 CFR 164.514(a)-(c).
- Business Associate will not use or disclose PHI in a manner that would violate the HIPAA Rules if done by Covered Entity, except as expressly permitted above.
03
Safeguards
Business Associate will use appropriate administrative, physical, and technical safeguards, and comply with the Security Rule with respect to ePHI, to prevent use or disclosure of PHI other than as provided for by this Agreement.
Business Associate will implement reasonable and appropriate safeguards including encryption of PHI in transit and at rest, access controls, audit logging, and workforce access limited to the minimum necessary to perform the services.
04
Reporting of use, disclosure, and breach
Business Associate will report to Covered Entity any use or disclosure of PHI not provided for by this Agreement of which it becomes aware, any Security Incident with respect to ePHI, and any Breach of Unsecured PHI as required by 45 CFR 164.410.
- Breach notification to Covered Entity will be made without unreasonable delay and in no case later than the period required by applicable law, and will include the information reasonably available to Business Associate about the incident.
- Business Associate will mitigate, to the extent practicable, any harmful effect that is known to it of a use or disclosure of PHI in violation of this Agreement.
05
Subcontractors
In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), Business Associate will ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of Business Associate agree in writing to the same restrictions, conditions, and requirements that apply to Business Associate with respect to that PHI.
06
Access, amendment, and accounting
Business Associate will, to the extent it maintains PHI in a Designated Record Set:
- Make PHI available to Covered Entity as necessary to satisfy Covered Entity's obligations under 45 CFR 164.524 (access).
- Make PHI available for amendment and incorporate any amendments as necessary to satisfy 45 CFR 164.526.
- Maintain and make available the information required to provide an accounting of disclosures as necessary to satisfy 45 CFR 164.528.
To the extent Business Associate carries out an obligation of Covered Entity under the Privacy Rule, it will comply with the requirements of the Privacy Rule that apply to Covered Entity in the performance of that obligation. Business Associate will make its internal practices, books, and records available to the Secretary of Health and Human Services for purposes of determining compliance with the HIPAA Rules.
07
Term and termination
This Agreement is effective as of the effective date above and remains in effect until the underlying customer agreement terminates and all PHI is returned or destroyed as described below.
Upon Covered Entity's knowledge of a material breach by Business Associate, Covered Entity may provide an opportunity to cure, and may terminate the underlying agreement if the breach is not cured within a reasonable time. On termination, Business Associate will, if feasible, return or destroy all PHI received from, or created or received on behalf of, Covered Entity, and retain no copies. Where return or destruction is not feasible, Business Associate will extend the protections of this Agreement to the retained PHI and limit further uses and disclosures to those purposes that make return or destruction infeasible.
08
Survival, amendment, and interpretation
The obligations of Business Associate under the termination provisions survive termination of this Agreement. The parties agree to amend this Agreement as necessary for compliance with the HIPAA Rules and other applicable law. Any ambiguity in this Agreement will be resolved to permit compliance with the HIPAA Rules.
Where a separately signed customer BAA is in place, that signed agreement controls for that customer relationship.