This Business Associate Agreement (this “Agreement”) is made on the date and time your PsyPack account is created, by and between the Business Associate (defined hereinafter), and the Covered Entity (defined hereinafter) in order to comply with the Health Insurance Portability and Accountability Act of 1996 and its related regulations (“HIPAA”) in connection with the use of the Psypack™ platform as per the "Terms and Conditions".
Each of the Business Associate and the Covered Entity is referred to as Party or Parties, collectively.
- Definitions
- “Business Associate” has the same meaning as the term “Business Associate” at 45 CFR 160.103, and in reference to the party to this Agreement, shall refer to shall refer to XequalsZero Pvt. Ltd., having regd. office at 289, Model Gram, Ludhiana, PB 141002, IN and CIN: U72900PB2018PTC048066.
- “Covered Entity” has the same meaning as the term “Covered Entity” at 45 CFR 160.103, and in reference to this Agreement, shall mean you.
- “HIPAA Rules” shall mean the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Part 160 and Part 164.
- Obligations and Activities of Business Associate
The Business Associate agrees to:
- Not use or disclose Protected Health Information other than as permitted or required by the Agreement or as required by law;
- Use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to Electronic Protected Health Information, to prevent use or disclosure of Protected Health Information other than as provided for by the Agreement;
- Notwithstanding that the Business Associate has encrypted and reasonably secured all Protected Health Information, report to Covered Entity any use or disclosure of Protected Health Information not provided for by the Agreement of which it becomes aware, including breaches of unsecured Protected Health Information as required at 45 CFR 164.410, and any security incident of which it becomes aware. In particular, in case of breach of any unsecured Protected Health Information, the Business Associate shall notify the Covered Entity of such event without undue delay, and in any event, no later than five (5) Business days after discovery of the same;
- Notwithstanding that no Protected Health Information is made available by the Business Associate to any subcontractors, in accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, ensure that any subcontractors that create, receive, maintain, or transmit Protected Health Information on behalf of the Business Associate agree to the same restrictions, conditions, and requirements that apply to the Business Associate with respect to such information;
- Provide access, at the request of Covered Entity in a reasonable time and manner, to Protected Health Information in a Designated Record Set to Covered Entity in order to meet the requirements under 45 CFR 164.524;
- Make any amendment(s) to Protected Health Information in a designated record set as directed or agreed to by the Covered Entity pursuant to 45 CFR 164.526, or take other measures necessary to satisfy Covered Entity’s obligations under 45 CFR 164.526. In the event an individual requests an amendment to Protected Health Information, directly to the Business Associate, Business Associate shall promptly forward such request to the Covered Entity.;
- Maintain and make available the information required to provide an accounting of disclosures to the Covered Entity as necessary to satisfy the Covered Entity’s obligations under 45 CFR 164.528. If the Business Associate receives a direct request from an individual for an accounting of disclosures of Protected Health Information made by Business Associate, Business Associate agrees to promptly forward such request to Covered Entity;
- To the extent the Business Associate is to carry out one or more of Covered Entity’s obligation(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation(s); and
- Make its internal practices, books, and records available to the Secretary for purposes of determining compliance with the HIPAA Rules, as may be required under law.
- Permitted Uses and Disclosures by Business Associate
Subject to any other limitations in this Agreement:
- The Business associate may only use or disclose Protected Health Information as necessary to perform the services outlined in the Terms and Conditions.
- The Business associate may use or disclose Protected Health Information as required by law.
- The Business Associate may use Protected Health Information for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate.
The Business Associate may disclose Protected Health Information for the proper management and administration of the Business Associate;
Provided, however, that if disclosures are required by law or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and only be used or further disclosed as required by law or for the purpose for which it was disclosed to the person, and the person shall notify the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.
- The Business Associate may use Protected Health Information to provide Data Aggregation services to Covered Entity as permitted by 45 CFR 164.504(e)(2)(i)(B).
- The Business Associate may de-identify any and all Protected Health Information in accordance with 45 CFR. § 164.514(b). Covered Entity acknowledges and agrees that de-identified information is not Protected Health Information and that Business Associate may use such de-identified information for any lawful purpose.
- Provisions for Covered Entity to Inform Business Associate of Privacy Practices and Restrictions
- The Covered Entity shall notify Business Associate of any limitation(s) in the notice of privacy practices of Covered Entity under 45 CFR 164.520, to the extent that such limitation may affect Business Associate’s use or disclosure of Protected Health Information.
- The Covered Entity shall notify Business Associate of any changes in, or revocation of, the permission by an individual to use or disclose his or her Protected Health Information, to the extent that such changes may affect Business Associate’s use or disclosure of Protected Health Information.
- The Covered Entity shall notify Business Associate of any restriction on the use or disclosure of Protected Health Information that Covered Entity has agreed to or is required to abide by under 45 CFR 164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of Protected Health Information.
- Permissible Requests by Covered Entity
Subject to any other provisions of this Agreement, the Covered Entity shall not request Business Associate to use or disclose Protected Health Information in any manner that would not be permissible under Subpart E of 45 CFR Part 164 if done by Covered Entity.
- Term and Termination
- Term: The Term of this Agreement shall be effective as of the date mentioned above in this Agreement and shall terminate upon the termination of the subscription to Psypack™ or on the date when the Covered Entity is authorized to terminate for cause under paragraph (b) hereunder, whichever is earlier.
- Termination for Cause: The Covered Entity may terminate this Agreement if the Covered Entity determines the Business Associate to have violated a material term of the Agreement and the Business Associate has not cured the breach or ended the violation within the time specified by Covered Entity.
- Effect of Termination: Upon termination of this Agreement, the Business Associate, with respect to Protected Health Information received from Covered Entity, or created, maintained, or received by Business Associate on behalf of Covered Entity, shall:
- Only retain that Protected Health Information which is necessary for the Business Associate to continue its proper management and administration or to carry out its legal responsibilities;
- Return to Covered Entity or, if agreed to by Covered Entity, destroy the remaining Protected Health Information that the Business Associate still maintains in any form;
- Continue to use appropriate safeguards and comply with Subpart C of 45 CFR Part 164 with respect to Electronic Protected Health Information to prevent use or disclosure of the Protected Health Information, other than as provided for in this Section, for as long as Business Associate retains the Protected Health Information;
- Not use or disclose the Protected Health Information retained by Business Associate other than for the purposes for which such Protected Health Information was retained and subject to the same conditions set out at clause 3(e)-(f) above under “Permitted Uses and Disclosures By Business Associate”, which applied prior to termination; and
- The obligations of the Business Associate under this Section shall survive the termination of this Agreement.
- The Parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for compliance with the requirements of the HIPAA Rules and any other applicable law.
- Any ambiguity in this Agreement shall be interpreted to permit compliance with the HIPAA Rules.