MPOWR BUSINESS ASSOCIATE AGREEMENT
This MPOWR Business Associate Agreement (“BAA”) is provided by MPOWR Group, LLC (“MPOWR”), and is an addendum to the Terms of Service for certain applicable MPOWR software-as-a-service platforms (any of which may be referred to as an “MPOWR System”). This BAA is applicable to certain customers or licensees of an MPOWR System (each of whom is referred to herein as a “Customer”) if each of the following is true:
- Customer is a Covered Entity, Business Associate, or Subcontractor as those terms are defined in this BAA;
- Customer’s MPOWR System is included in the list of eligible MPOWR Systems as described at: mpowr.com/eligible-products; and
- Customer uses its MPOWR System to create, receive, maintain, or transmit Protected Health Information, as that term is defined in this BAA.
The purpose of this BAA is to satisfy Customer’s regulatory obligations under the HIPAA Rules (defined below). This BAA applies independently to each MPOWR System and is an addendum to the Underlying Agreement (defined below) for each applicable MPOWR System.
1. DEFINITIONS. The following terms used in this Agreement shall have the same meaning as those terms in the HIPAA Rules: Breach, Business Associate, Covered Entity, Data Aggregation, Designated Record Set, Disclosure, Health Care Operations, Individual, Minimum Necessary, Notice of Privacy Practices, Protected Health Information, Required By Law, Secretary, Security Incident, Subcontractor, Unsecured Protected Health Information, and Use.
1.1. The term “HIPAA Rules” means the privacy, security, breach notification, and enforcement rules set forth at 45 C.F.R. Part 160 and Part 164, which together form the Administrative Simplification regulations under the Health Insurance Portability and Accountability Act of 1996 (as amended from time to time, including amendments made pursuant to the Health Information Technology for Economic and Clinical Health Act of 2009 (the “HITECH Act”) and the American Recovery and Reinvestment Act of 2009). The privacy, security, and breach notification rules may be referred to individually as, respectively, the “Privacy Rule”, the “Security Rule”, and the “Breach Notification Rule”.
1.2. The term “Underlying Agreement” means the Terms of Service for each MPOWR System that is covered by this BAA.
2. OBLIGATIONS AND ACTIVITIES OF MPOWR.
2.1. MPOWR agrees to not use or disclose Protected Health Information other than as permitted or required by this BAA or as Required By Law.
2.2. MPOWR agrees to use appropriate safeguards, and to comply with the Security Rule with respect to electronic Protected Health Information (“ePHI”), to prevent use or disclosure of Protected Health Information other than as provided for by this BAA.
2.3. MPOWR agrees to report to Customer any use or disclosure of Protected Health Information not provided for by this BAA of which it becomes aware, and any Security Incident of which it becomes aware. Notwithstanding the foregoing, MPOWR shall not be required to report “Minor Security Incidents,” which are defined as pings, port scans, and other routine, minor and unsuccessful attempts to communicate with or through MPOWR’s firewall and network, so long as no such incident results in the defeat or circumvention of any security control, or in the unauthorized access, use or disclosure of PHI.
2.4. MPOWR agrees to report to Customer any Breach of Unsecured Protected Health Information no later than 60 calendar days after discovery. Such notice shall include the identification of each individual whose Unsecured Protected Health Information has been, or is reasonably believed by MPOWR to have been, accessed, acquired, or disclosed in connection with such Breach. In addition, MPOWR shall provide any additional information reasonably requested by Customer for purposes of investigating the Breach and any other available information that Customer is required to include in its notification to the individual under 45 C.F.R. § 164.404(c), at the time of notification or promptly thereafter as information becomes available.
2.5. MPOWR agrees, in accordance with 45 C.F.R. §§ 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, to require that any Subcontractors that create, receive, maintain, or transmit Protected Health Information on behalf of MPOWR agree to the same restrictions, conditions, and requirements that apply to MPOWR with respect to the Protected Health Information.
2.6. To the extent that MPOWR maintains a Designated Record Set, MPOWR agrees to make available Protected Health Information in a Designated Record Set to Customer or an individual as necessary to satisfy Customer’s obligations under 45 C.F.R. § 164.524.
2.7. To the extent that MPOWR maintains a Designated Record Set, MPOWR agrees to make any amendments to Protected Health Information in a Designated Record Set as directed or agreed to by Customer pursuant to 45 C.F.R. § 164.526, or take other measures as necessary to satisfy Customer’s obligations under 45 C.F.R. § 164.526.
2.8. MPOWR agrees to maintain and make available the information required to provide an accounting of disclosures to Customer or an individual as necessary to satisfy Customer’s obligations under 45 C.F.R. § 164.528.
2.9. To the extent that MPOWR is to carry out one or more of Customer’s obligations under the Privacy Rule, MPOWR agrees to comply with the requirements of the Privacy Rule that apply to Customer in the performance of such obligations.
2.10. MPOWR agrees to make its internal practices, books, and records, including policies and procedures regarding Protected Health Information, relating to the use and disclosure of Protected Health Information and any Breach of Unsecured Protected Health Information received from Customer, or created or received by MPOWR on behalf of Customer, available to the Secretary of the Department of Health and Human Services.
2.11. To the extent that Protected Health Information disclosed to MPOWR includes any patient records from a program as defined in 42 C.F.R. § 2.11 (“Part 2 Program”), MPOWR:
(a) acknowledges that in receiving, storing, processing, or otherwise dealing with any patient records from the Part 2 Program, it is fully bound by the regulations at 42 C.F.R. Part 2; and
(b) will, if necessary, resist in judicial proceedings any efforts to obtain access to patient identifying information related to substance use disorder diagnosis, treatment, or referral for treatment, except as permitted by 42 C.F.R. Part 2.
3. PERMITTED AND REQUIRED USES AND DISCLOSURES OF PHI BY MPOWR.
3.1. MPOWR may only use or disclose Protected Health Information as necessary to perform the services as set forth in the Underlying Agreement and as otherwise permitted by this BAA or the HIPAA Rules.
3.2. MPOWR may not use or disclose Protected Health Information in a manner that would violate the Privacy Rule if done by Customer, except that:
(a) MPOWR may use Protected Health Information for the proper management and administration of MPOWR or to carry out the legal responsibilities of MPOWR.
(b) MPOWR may disclose Protected Health Information for the proper management and administration of MPOWR or to carry out the legal responsibilities of MPOWR, provided that: (i) the disclosures are Required By Law; or (ii) MPOWR obtains reasonable assurances from the person to whom the information is disclosed that the information will remain confidential and will be used or further disclosed only as Required By Law or for the purposes for which it was disclosed to the person, and the person notifies MPOWR, in accordance with the breach notification requirements of this BAA, of any instances, of which it is aware, in which the confidentiality of the information has been breached.
(c) MPOWR may provide Data Aggregation services relating to the Health Care Operations of Customer.
(d) MPOWR may use or disclose Protected Health Information as Required By Law.
4. CUSTOMER OBLIGATIONS.
4.1. Customer may not use any MPOWR System to the extent Customer’s Notice of Privacy Practices is inconsistent with this BAA or would require any changes or limitations with respect to MPOWR’s use or disclosure of Protected Health Information as described herein.
4.2. Customer may not use an MPOWR System to create, receive, maintain, or transmit any Protected Health Information if doing so would be inconsistent with any conditions, restrictions, or limitations imposed upon Customer, including any restrictions agreed upon between Customer and any individual who may be the subject of such Protected Health Information.
4.3. Customer may not use an MPOWR System in a manner that is inconsistent with the HIPAA Rules, nor may Customer request MPOWR to use or disclose Protected Health Information in any manner that would not be permissible under the HIPAA Rules if done by Customer.
5. TERM AND TERMINATION.
5.1. Term. The term of this BAA shall begin on the date that the Underlying Agreement becomes effective. Unless it is terminated earlier as provided below, this BAA shall remain in effect as long as Customer’s MPOWR System is included in the list of eligible MPOWR Systems as described at: mpowr.com/eligible-products.
5.2. Termination for Cause. Upon either party’s knowledge of material breach of this BAA by the other party, the non-breaching party shall provide an opportunity for the breaching party to cure the breach or end the violation. If the breaching party does not cure the breach or end the violation within a reasonable timeframe not to exceed 30 calendar days from the notification of the breach, or if a material term of the BAA has been breached and a cure is not possible, the non-breaching party may terminate this BAA, upon written notice to the other party.
5.3. Obligations Upon Termination. Upon termination or expiration of this BAA for any reason, MPOWR and Customer, as applicable, shall do the following:
(a) Prior to any act or omission by Customer that would cause this BAA to terminate as provided in Sections 5.1 or 5.2 above, Customer will remove and delete all Protected Health Information that it and its authorized users have created, received, or stored in the MPOWR System.
(b) MPOWR will delete any remaining Protected Health Information (and any other Customer Data) stored within the MPOWR System in accordance with the Underlying Agreement.
(c) To the extent the Underlying Agreement permits MPOWR to retain Protected Health Information after the termination of this BAA, MPOWR will continue to use appropriate safeguards and comply with the Security Rule to prevent use or disclosure of the Protected Health Information, other than as provided for in the Underlying Agreement and this BAA, for as long as MPOWR retains the Protected Health Information.
(d) MPOWR agrees to not use or disclose the Protected Health Information retained by MPOWR other than for the purposes which such Protected Health Information was retained and subject to the same conditions set out above which applied prior to termination.
(e) MPOWR agrees to destroy the Protected Health Information retained by MPOWR when it is no longer permitted or required to retain the information in accordance with the terms of the Underlying Agreement.
5.4. Survival. The obligations of MPOWR under this Section shall survive the termination of this BAA.
6.1. Regulatory References. A reference in this BAA to a section in the HIPAA Rules means the section as in effect or as amended.
6.2. Amendment. The Parties agree to take such action as is necessary to amend this BAA from time to time as is necessary for compliance with the requirements of the HIPAA Rules and any other applicable law. Additionally, this BAA may be unilaterally amended by MPOWR upon thirty (30) days’ written notice to incorporate any revisions necessary to assure ongoing compliance with the requirements of the HIPAA Rules.
6.3. Interpretation. Any ambiguity shall be resolved in favor of a meaning that permits Customer and MPOWR to comply with the HIPAA Rules. Any inconsistency between the BAA’s provisions and the HIPAA Rules, including all amendments, as interpreted by the Secretary, a court, or another regulatory agency with authority over the parties, shall be interpreted according to the interpretation of the Secretary, the court, or the regulatory agency. Any provision of this BAA that differs from those required by the HIPAA Rules, but is nonetheless permitted by the HIPAA Rules, shall be adhered to as stated in this BAA.
6.4. Terms of Service Incorporated by Reference. This BAA applies independently to each applicable MPOWR System and is an addendum to the Terms of Service for each applicable MPOWR System. Accordingly, the Terms of Service for the MPOWR System to which this BAA is applied are incorporated herein by reference with respect to that MPOWR System.