Pursuant to 45 C.F.R. Parts 160 and 164
This Business Associate Agreement ("Agreement") is entered into as of the Effective Date set forth in the signature block below, by and between the undersigned covered entity ("Covered Entity") and UMET Labs, LLC ("Business Associate"), a provider of AI-assisted clinical documentation services.
This Agreement is entered into pursuant to the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), as amended by the Health Information Technology for Economic and Clinical Health Act ("HITECH Act"), and their implementing regulations at 45 C.F.R. Parts 160 and 164 (collectively, "HIPAA Rules"). The parties intend for this Agreement to satisfy the applicable requirements of the HIPAA Rules and to govern Business Associate's use, disclosure, and safeguarding of Protected Health Information received from or created on behalf of Covered Entity.
Unless otherwise defined herein, all capitalized terms shall have the meanings set forth in the HIPAA Rules. For purposes of this Agreement:
| Business Associate | UMET Labs, LLC, which performs services for or on behalf of Covered Entity that require access to PHI. |
| Covered Entity | A HIPAA-covered health care provider, health plan, or health care clearinghouse that has engaged SnapNotes for services. |
| PHI | Protected Health Information as defined at 45 C.F.R. § 160.103, including Electronic PHI (ePHI). |
| Breach | The acquisition, access, use, or disclosure of PHI in a manner not permitted under the HIPAA Rules that compromises the security or privacy of such information, as defined at 45 C.F.R. § 164.402. |
| Security Incident | The attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system, per 45 C.F.R. § 164.304. |
| Subcontractor | Any person or entity to whom Business Associate delegates a function, activity, or service involving PHI. |
Business Associate shall not use or disclose PHI other than as permitted or required by this Agreement, the underlying services agreement, or as required by law. Permitted uses include:
Business Associate shall implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of ePHI that it creates, receives, maintains, or transmits on behalf of Covered Entity, in accordance with 45 C.F.R. Part 164, Subpart C (Security Rule).
Business Associate shall ensure that any Subcontractor that creates, receives, maintains, or transmits PHI on behalf of Business Associate agrees to the same restrictions, conditions, and requirements that apply to Business Associate with respect to such PHI, in accordance with 45 C.F.R. § 164.504(e)(2)(ii)(D) and § 164.308(b)(2).
The parties acknowledge that Business Associate does not maintain Protected Health Information in a Designated Record Set, as defined at 45 C.F.R. § 164.501, on behalf of Covered Entity. SnapNotes functions solely as a documentation workflow tool; Covered Entity remains solely responsible for maintaining the official medical record in its electronic health record system or equivalent.
Accordingly, the individual rights obligations set forth at 45 C.F.R. §§ 164.524 (right of access) and 164.526 (right of amendment) do not apply to Business Associate, as Business Associate does not maintain PHI in a form that constitutes a Designated Record Set. Any request by an Individual for access to or amendment of records shall be directed to and handled exclusively by Covered Entity.
Business Associate shall maintain and make available to Covered Entity the information required to provide an accounting of disclosures in accordance with 45 C.F.R. § 164.528. Such records shall be maintained for a minimum of six (6) years from the date of the disclosure.
Business Associate shall make reasonable efforts to use, disclose, and request only the minimum necessary PHI to accomplish the intended purpose of the use, disclosure, or request, in accordance with 45 C.F.R. § 164.514(d).
Business Associate shall make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of HHS for purposes of determining Covered Entity's compliance with the HIPAA Rules.
Covered Entity shall:
This Agreement shall be effective as of the Effective Date and shall remain in effect until terminated as set forth herein or until the underlying services agreement expires or is terminated.
Either party may terminate this Agreement immediately upon written notice if the other party has materially breached any provision of this Agreement and failed to cure such breach within thirty (30) days of receiving written notice specifying the breach in reasonable detail. Where cure is not possible, the non-breaching party may terminate immediately.
Upon termination for any reason, Business Associate shall, at Covered Entity's election, return or destroy all PHI in its possession. If return or destruction is not feasible, Business Associate shall provide written notice of the reasons and shall extend the protections of this Agreement to such PHI, limiting further uses and disclosures to those purposes that make return or destruction infeasible, for so long as Business Associate retains the PHI.
All PHI received from, or created or received by Business Associate on behalf of, Covered Entity remains the sole property of Covered Entity. Nothing in this Agreement shall be construed to grant Business Associate any ownership interest in, or intellectual property rights to, any PHI. Business Associate's stewardship of PHI does not confer any proprietary rights to such information.
Business Associate shall indemnify, defend, and hold harmless Covered Entity and its officers, directors, employees, and agents from and against any claims, losses, damages, fines, penalties, costs, and expenses (including reasonable attorneys' fees) arising out of or relating to Business Associate's breach of this Agreement or its obligations under the HIPAA Rules, to the extent such claims result from the negligent or wrongful acts or omissions of Business Associate.
Covered Entity shall indemnify, defend, and hold harmless Business Associate and its officers, directors, employees, and agents from and against any claims, losses, damages, fines, penalties, costs, and expenses (including reasonable attorneys' fees) arising out of or relating to Covered Entity's breach of this Agreement or its obligations under the HIPAA Rules, to the extent such claims result from the negligent or wrongful acts or omissions of Covered Entity.
The indemnified party shall: (a) promptly notify the indemnifying party in writing of any claim; (b) grant the indemnifying party sole control of the defense and settlement of the claim; and (c) provide reasonable cooperation and assistance. The indemnifying party shall not settle any claim in a manner that imposes obligations or liability on the indemnified party without prior written consent.
Except as set forth in Section 7.2, in no event shall either party's total aggregate liability to the other party under or in connection with this Agreement exceed the total fees paid or payable by Covered Entity to Business Associate in the twelve (12) months immediately preceding the event giving rise to the claim.
The limitation in Section 7.1 shall not apply to: (a) a party's indemnification obligations for third-party claims; (b) damages arising from a party's gross negligence or willful misconduct; or (c) a party's obligations to return or destroy PHI upon termination.
In the event of any dispute, claim, or controversy arising out of or relating to this Agreement (a "Dispute"), the parties shall first attempt to resolve the matter informally. Either party may initiate informal resolution by providing written notice of the Dispute to the other party. The parties shall negotiate in good faith for a period of thirty (30) days from the date of such notice (the "Negotiation Period") before initiating arbitration.
If the parties are unable to resolve a Dispute during the Negotiation Period, the Dispute shall be submitted to and resolved exclusively by binding arbitration administered by the American Arbitration Association ("AAA") in accordance with its Commercial Arbitration Rules then in effect. The arbitration shall be conducted by a single arbitrator mutually agreed upon by the parties, or if the parties cannot agree, appointed by the AAA.
Notwithstanding the foregoing, either party may seek emergency injunctive or other equitable relief from a court of competent jurisdiction to prevent irreparable harm, including unauthorized use or disclosure of PHI, without first engaging in the informal dispute resolution process or arbitration. Such an application shall not be deemed a waiver of the right to arbitrate the underlying Dispute.
Each party waives any right to assert any claims against the other party as a plaintiff or class member in any class action or representative proceeding. The arbitrator shall have no authority to consolidate claims or to fashion a proceeding as a class or representative action.
The parties acknowledge their obligations under the HITECH Act, including without limitation the provisions of Subtitle D relating to privacy and security of PHI. Business Associate shall comply with all applicable provisions of the HITECH Act and any regulations promulgated thereunder by the U.S. Department of Health and Human Services. The parties agree to amend this Agreement as necessary to comply with any changes in applicable law or regulation, without further consideration required.
This Agreement shall be governed by and construed in accordance with the laws of the State of North Carolina, without regard to its conflict of law provisions, except to the extent preempted by federal law.
This Agreement constitutes the complete agreement between the parties with respect to the subject matter hereof and supersedes all prior negotiations, representations, warranties, and understandings with respect to such subject matter.
If any provision of this Agreement is held to be invalid or unenforceable, the remaining provisions shall continue in full force and effect.
This Agreement may be amended only by a written instrument signed by authorized representatives of both parties, or as required by changes in applicable law.
Nothing in this Agreement is intended to create, nor shall it be construed to create, any rights in any third party, including any patient or Individual whose PHI may be subject to this Agreement.
All notices under this Agreement shall be in writing and delivered to the address set forth in the underlying services agreement, or to such other address as a party may designate in writing. Notice by email shall be deemed effective upon confirmation of receipt.
This Agreement may be executed in counterparts, each of which shall be deemed an original and all of which together shall constitute one and the same instrument. Electronic signatures shall be deemed valid and binding to the same extent as original signatures.
No waiver of any right under this Agreement shall be deemed effective unless set forth in a written instrument signed by the waiving party. No waiver of any past breach shall constitute a waiver of any future breach.
IN WITNESS WHEREOF, the parties have executed this Business Associate Agreement as of the Effective Date written below.