1. Definitions.
Terms used in this Pharmacy Terms and Conditions but not otherwise defined in this BAA or the Agreement shall have the meaning ascribed to them by HIPAA. For purposes of this BAA only, when August is receiving, maintaining, or transmitting PHI from, via or on behalf of Pharmacy in connection with the August Platform, August shall be referred to as “Business Associate,” and Pharmacy shall be referred to as “Pharmacy.”
2. Use and Disclosure.
Business Associate agrees not to use or disclose PHI other than as permitted or required by this Pharmacy Terms and Conditions, the Agreement or as Required by Law. Business Associate shall comply with the provisions of this Pharmacy Terms and Conditions relating to privacy and security of PHI and that are applicable to Business Associates, and Business Associate shall not Use or Disclose PHI in any manner that would constitute a violation of HIPAA.
3. Appropriate Safeguards.
Business Associate agrees to use appropriate safeguards designed to prevent the use or disclosure of PHI other than as provided for by this Pharmacy Terms and Conditions, the Agreement or as Required by Law. Without limiting the generality of the foregoing sentence, Business Associate will:
- Implement administrative, organizational, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of Electronic Protected Health Information contained within PHI (“Electronic PHI”) as required by the Security Rule; and comply with the applicable requirements, policies, procedures and documentation requirements of the Security Rule.
- Report to Pharmacy any Security Incident involving Electronic PHI or involving systems in which Electronic PHI is stored, maintained, or over which it is transmitted, of which Business Associate becomes aware. Any actual, successful Security Incident will be reported to Pharmacy in writing without unreasonable delay.
- Notify Pharmacy following the discovery of a Breach of Unsecured PHI involving Pharmacy in accordance with 45 C.F.R. § 164.410 without unreasonable delay and in no event later than sixty (60) days (or within any shorter deadline imposed by applicable state law) after discovery of the Breach. The notice shall include the following information if known (or can be reasonably obtained) by Business Associate: (i) contact information for the Individuals who were or who may have been impacted by the Breach (e.g., first and last name, mailing address, street address, phone number, email address); (ii) a brief description of the circumstances of the Breach, including the date of the Breach and date of discovery; (iii) a description of the types of Unsecured PHI involved in the Breach (e.g., names, social security numbers, dates of birth, addresses, account numbers of any type, and similar information); and (iv) a brief description of what the Business Associate has done or is doing to investigate the Breach and mitigate harm to the Individuals impacted by the Breach. A Breach is considered “discovered” as of the first day on which the Breach is known, or reasonably should have been known, to Business Associate or any employee, officer or agent of Business Associate, other than the individual committing the Breach.
- Report, without unreasonable delay but in all cases within ten (10) business days, to Pharmacy any access, Use or Disclosure of PHI by Business Associate or a third party to which Business Associate disclosed PHI which is not permitted by this Agreement and of which Business Associate becomes aware.
- Comply with the requirements of Subpart E that apply to the Pharmacy in the performance of such obligations, to the extent that Business Associate carries out one or more of Pharmacy's obligations under Subpart E of 45 C.F.R. Part 164.
4. Mitigation.
- Business Associate agrees to take reasonable steps to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of the requirements of this Pharmacy Terms and Conditions (including, without limitation, any Security Incident or Breach of Unsecured PHI). Business Associate agrees to reasonably cooperate and coordinate with Pharmacy in the investigation of any violation of the requirements of this Pharmacy Terms and Conditions and/or any Security Incident or Breach. Business Associate shall also reasonably cooperate and coordinate with Pharmacy in the preparation of any reports or notices to the Individual, a regulatory body or any third party required to be made under HIPAA or any other federal or state laws, rules or regulations, provided that any such reports or notices shall be subject to the prior written approval of Pharmacy.
- If Business Associate becomes aware of a Use or Disclosure of PHI in violation of this Pharmacy Terms and Conditions by Business Associate or by a third party to which Business Associate disclosed PHI, Business Associate shall report any such Use or Disclosure to Pharmacy within forty-eight hours.
- Any notice delivered under this Section 4 of the Pharmacy Terms and Conditions shall include the identification of each individual whose PHI has been, or is reasonably believed by Business Associate to have been, accessed, acquired, or Disclosed as well as any other relevant information regarding the improper Use or Disclosure.
5. Minimum Necessary.
To the extent required by the “minimum necessary” requirements of HIPAA, Business Associate shall only request, use and disclose the minimum amount of PHI necessary to accomplish the purpose of the request, use or disclosure. Business Associate agrees to follow guidance issued by the Secretary regarding what constitutes “minimum necessary” with respect to the Use or Disclosure of PHI and Electronic Protected Health Information. Until such time that such guidance is issued, Business Associate shall limit its Use or Disclosure of PHI, to the extent practicable, to the limited data set (as defined in 45 C.F.R. § 164.514(e)(2)), or to the minimum necessary to accomplish the intended purpose of such Use, Disclosure or request, respectively. See corresponding Pharmacy obligation in Section 12.b of this Pharmacy Terms and Conditions.
6. Subcontractors.
Business Associate shall enter into a written agreement meeting the requirements of 45 C.F.R. §§ 164.504(e) and 164.314(a)(2) with each Subcontractor (including, without limitation, a Subcontractor that is an agent under applicable law) that creates, receives, maintains or transmits PHI on behalf of Business Associate; provided that Business Associate obtains Pharmacy’s consent and approval before arranging such agreement with any Subcontractor, and provided further that the foregoing consent shall not apply to service providers, vendors, and agents that provide non-material services in the ordinary course of business consistent with past practice that are not solely engaged for the purpose of this Pharmacy Terms and Conditions. Business Associate shall ensure that the written agreement with each Subcontractor obligates the Subcontractor to comply with restrictions and conditions that are at least as restrictive as the restrictions or conditions that apply to Business Associate through this Pharmacy Terms and Conditions with respect to such information.
7. Access to Designated Record Sets.
To the extent that Business Associate possesses or maintains PHI in a Designated Record Set, Business Associate agrees to provide access, within ten (10) days of a request by Pharmacy, and in the manner designated by the Pharmacy, to PHI in a Designated Record Set created or received by Business Associate solely on behalf of Pharmacy only, to Pharmacy or, as directed by Pharmacy, to an Individual in order to meet the requirements of the HIPAA Regulations. If an Individual makes a request for access to PHI directly to Business Associate, Business Associate shall notify Pharmacy of the request within three (3) business days of such request. Pharmacy shall have the sole responsibility to make decisions regarding whether to approve a request for access to PHI.
8. Amendments to Designated Record Sets.
To the extent that Business Associate possesses or maintains PHI in a Designated Record Set, Business Associate agrees to provide information to Pharmacy for amendment and to incorporate any such amendment(s) to PHI in a Designated Record Set that the Pharmacy directs or agrees to pursuant to the HIPAA Regulations within ten (10) days of a request by Pharmacy, and in the manner designated by the Pharmacy. If an Individual makes a request for an amendment to PHI directly to Business Associate, Business Associate shall notify Pharmacy of the request within three (3) business days of such request. Pharmacy will have the sole responsibility to make decisions regarding whether to approve a request for an amendment to PHI.
9. Access to Books and Records.
Business Associate agrees to make its internal practices, books, and records relating to the use and disclosure of Pharmacy’s PHI received from, or created or received by Business Associate on behalf of, Pharmacy available to the Secretary for purposes of the Secretary determining Pharmacy’s and Business Associate’s compliance with the Privacy Rule.
10. Accountings.
Business Associate agrees to document disclosures of PHI and information related to such disclosures as would be required for Pharmacy to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with HIPAA. Business Associate agrees to, within ten (10) days of request from Pharmacy, make available to Pharmacy such information as is in Business Associate’s possession and as would be required for Pharmacy to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with HIPAA. If Business Associate receives a request for an accounting for PHI directly from an Individual, Business Associate shall forward such request to Pharmacy within ten (10) business days. Pharmacy shall have the sole responsibility to provide an accounting of such disclosures to an Individual.
11. Permitted Uses and Disclosures by Business Associate.
- Services. Except as otherwise limited in this Pharmacy Terms and Conditions, Business Associate may use or disclose PHI to perform the Services, functions, activities or other services for, or on behalf of, Pharmacy for Application as specified in the Agreement, provided that such use or disclosure would not violate HIPAA if done by Pharmacy.
- Use for Administration of Business Associate. Except as otherwise limited in this Pharmacy Terms and Conditions, Business Associate may use Pharmacy’s PHI for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate. Pharmacy acknowledges and agrees that proper management and administration of Business Associate includes, without limitation, modifications of, upgrades to, and the development and/or addition of additional features and functionality for, the Services and the Pharmacy Site.
- Disclosure for Administration of Business Associate. Except as otherwise limited in this Pharmacy Terms and Conditions, Business Associate may disclose PHI for the proper management and administration of the Business Associate, provided that (i) disclosures are Required By Law, or (ii) Business Associate obtains reasonable written assurances from the third party to whom the information is disclosed that the third party will (1) protect the confidentiality of PHI, (2) use or further disclose the PHI only as Required By Law or for the purpose for which it was disclosed to the third party, and (3) notify the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.
- Data Aggregation. Business Associate may use PHI to provide Data Aggregation services relating to the Health Care Operations of Pharmacy if required or permitted under this Pharmacy Terms and Conditions or the Agreement. For clarity, all such Data Aggregation must be de-identified.
- De-Identified Information. Business Associate may use PHI to create de-identified health information in accordance with the HIPAA de-identification requirements. Business Associate may use or disclose such de-identified health information for any purpose permitted by law.
12. Obligations of Pharmacy.
- Pharmacy shall not request Business Associate to use or disclose Pharmacy’s PHI in any manner that would not be permissible under the Privacy Rule if done by Pharmacy. Pharmacy shall notify Business Associate of restriction(s) in the Use or Disclosure of PHI to which Pharmacy has agreed to the extent such restriction affects Business Associate’s permitted Uses or Disclosures.
- Minimum Necessary PHI. Consistent with Business Associate’s mutual obligation in Section 5 of this Pharmacy Terms and Conditions, when Pharmacy discloses PHI to Business Associate, Pharmacy shall provide the minimum amount of PHI necessary for the accomplishment of Business Associate’s purpose consistent with obligations as set forth in 45 C.F.R. § 164.502(b).
- Permissions; Restrictions. Pharmacy represents and warrants that it has appropriate business associate agreements with any of its Clients that allow it to share PHI with Business Associate as described in this Pharmacy Terms and Conditions. Pharmacy shall notify Business Associate of any changes in, or revocation of, the permission by an Individual to use or disclose his or her Pharmacy’s PHI, to the extent that such changes may affect Business Associate’s use or disclosure of PHI.
13. Compliance with HIPAA Transaction Standards.
When providing Services, and to the extent applicable, Business Associate shall comply with all applicable HIPAA standards and requirements (including, without limitation, those specified in 45 C.F.R. Part 162) with respect to the transmission of health information in electronic form in connection with any transaction for which the Secretary has adopted a standard under HIPAA (“Covered Transactions”). Business Associate will make its Services and/or products compliant with HIPAA’s standards and requirements no less than thirty (30) days prior to the applicable compliance dates under HIPAA. Business Associate represents that it is aware of all current HIPAA standards and requirements regarding Covered Transactions, and Business Associate shall comply with any modifications to HIPAA standards and requirements which become effective from time to time. Business Associate shall require all of its agents and subcontractors (if any) who assist Business Associate in providing its Services and/or products to comply with the terms of this Section 13.
14. Effect of Termination.
- Return of PHI. Upon termination of the Agreement for any reason, Business Associate shall return or destroy, without unreasonable delay, all PHI received from Pharmacy, or created or received by Business Associate on behalf of Pharmacy. This provision shall apply to PHI that is in the possession of subcontractors or agents of Business Associate.
- Infeasibility. In the event that Business Associate determines in its sole reasonable discretion that returning or destroying the PHI is infeasible, Business Associate shall extend the protections of this Pharmacy Terms and Conditions to such PHI and limit further uses and disclosures of PHI to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains PHI. Without limiting the generality of the foregoing, Pharmacy acknowledges and agrees that: (i) it is infeasible for Business Associate to delete PHI from its backup tapes or other backup systems; and (ii) it is infeasible for Business Associate to delete all PHI during an ongoing investigation in connection with a Security Incident or Breach of Unsecured PHI, and that temporarily retaining certain PHI may be necessary for such investigation.