**Please save or print this form as confirmation that you entered into this agreement with AnswerFirst Communications Inc.**

BUSINESS ASSOCIATE AGREEMENT

This Business Associate Agreement (“BAC”) is effective upon its execution with AnswerFirst Communications, Inc. (the “Business Associate”) and the undersigned health care provider or other service provider (the “Covered Entity” or “You” or “Your”).

Pursuant to the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), and Standards for the Privacy and Security of Individually Identifiable Health Information, found at 45 C.F.R. Parts 160, 162 and 164, Covered Entity is required to protect certain individually identifiable health information (“Protected Health Information”, or “PHI”);

Covered Entity is also required to protect PHI that is in an electronic format (“Electronic Protected Health Information” or “EPHI”);

Pursuant to the provisions of the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”), Covered Entity is required to comply with additional privacy and security obligations, as well as obligations related to the breach of unsecured PHI or EPHI;

In order to protect the privacy and security of PHI, including EPHI, created or maintained by or on behalf of Covered Entity, HIPAA requires Covered Entity to enter into “business associate agreements” with certain individuals and entities providing services for or on behalf of the Covered Entity if such services require the use or disclosure of PHI or EPHI (“Business Associates”);

Covered Entity and Business Associate have entered into, or are entering into, or may subsequently enter into, agreements or other documented arrangements (collectively, the “Business Arrangements”) which require or may require Business Associate to access, create, receive, use, disclose, or maintain PHI and/or EPHI on behalf of Covered Entity;

Covered Entity and Business Associate desire to enter into this Business Associate Agreement to enable both parties to comply with HIPAA, the HITECH Act and other applicable law.

The Parties for good and valuable consideration agree as follows:

1. Definitions

  • Covered Entity – Shall mean the provider, together with all of its divisions and subsidiaries entering into this agreement with the Business Associate.
  • Business Associate – Shall mean AnswerFirst Communications, Inc.
  • Business Arrangements – Shall mean documented arrangements by and between Covered Entity and Business Associate whereby Business Associate will access, create, receive, use, disclose, or maintain PHI and/or EPHI on behalf of Covered Entity.
  • HIPAA – Shall mean the Health Insurance Portability and Accountability Act of 1996 and those regulations found at 45 C.F.R. Parts 160, 162, and 164.
  • HITECH Act – Shall mean the Health Information Technology for Economic and Clinical Health Act.
  • HHS – Shall mean the United States Department of Health and Human Services.
  • Successful Security Incident – Shall mean the unauthorized access, use, disclosure, modification, or destruction of information or interference with systems operations in an information system which impacts any PHI or EPHI that is subject to this Agreement.
  • Unsuccessful Security Incident – Shall mean the attempted, but unsuccessful, unauthorized access, use, disclosure, modification, or destruction of information or interference with systems operations in an information system and does not impact any PHI or EPHI that is subject to this Agreement.
  • Any terms used, but not otherwise defined, in this Agreement shall have the same meaning as those terms have under HIPAA and the HITECH Act.

2. Purpose. Covered Entity and Business Associate have entered into certain Business Arrangements whereby Business Associate may access, create, receive, use, disclose, or maintain PHI and/or EPHI on behalf of Covered Entity. Such Business Arrangements shall be conducted in a manner that ensures the privacy and security of PHI and EPHI in accordance with HIPAA, the HITECH Act and with all applicable federal and state laws and regulations.

3. Term and Termination.

3.1 The term of this Agreement shall commence the earlier of today or the date upon which Business Associate first accessed, created, received, used, disclosed, or maintained PHI on behalf of Covered Entity.

3.2 Covered Entity, at its sole discretion, may immediately terminate this Agreement upon the occurrence of any of the following:

  • Business Associate’s breach of any material obligation under this Agreement for five (5) days after written notice of such breach; or
  • A violation of any provision of HIPAA, the HITECH Act, or applicable federal and/or state law or regulation relating to the privacy and security of PHI.

3.3 Upon the termination of all Business Arrangements, either party may terminate this Agreement by providing written notice to the other party.

3.4 Upon termination of this Agreement for any reason, Business Associate agrees either to return to Covered Entity or to destroy all PHI received from Covered Entity or otherwise through the performance of services for Covered Entity, that is in the possession or control of Business Associate or its agents. In the case of PHI which is not feasible to “return or destroy,” Business Associate shall extend the protections of this Agreement to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such PHI. Business Associate further agrees to comply with HIPAA, the HITECH Act and other applicable state or federal law, which may require a specific period of retention, redaction, or other treatment of such PHI.

4. Use or Disclosure of Protected Health Information. Except as otherwise required by law, Business Associate shall use or disclose PHI in compliance with 45 C.F.R. § 164.504(e). Furthermore, Business Associate shall use or disclose PHI (i) solely for the benefit of Covered Entity and only for the purpose of performing services, including data aggregation services, for Covered Entity as such services are defined in the Business Arrangements between Covered Entity and Business Associate, (ii) as necessary for the proper management and administration of Business Associate to carry out its legal responsibilities, provided that such uses are permitted under federal and state law. Business Associate agrees that all disclosures of PHI shall be the minimum necessary to accomplish the intended purpose of the disclosure. Except to the extent necessary to perform its obligations under the Business Arrangements, Business Associate may not de-identify PHI received from, or created on behalf of Covered Entity without the express written authorization of Covered Entity.

5. Appropriate Safeguards. Business Associate will use appropriate safeguards to prevent use or disclosure of PHI other than as expressly provided by this Agreement. Business Associate will implement administrative, physical and technical safeguards that reasonably protect the confidentiality, integrity and availability of the PHI that it creates, receives, maintains or transmits on behalf of Covered Entity. Business Associate acknowledges and agrees that the HITECH Act requires Business Associate to comply with 45 C.F.R. §§ 164.308, 164.310, 164.312 and 164.316 to the same extent as if it were a Covered Entity. To the extent feasible, Business Associate will use commercially reasonable efforts to ensure that the technology safeguards used by Business Associate to secure PHI will render such PHI unusable, unreadable and indecipherable to individuals that are not authorized to acquire or have access to such PHI. Such technology safeguards should meet or exceed security guidance issued by HHS.

6. ePHI Transmissions and Release of Liability. Business Associate provides its Covered Entity clients with the ability to receive and view ePHI notifications via a secure message platform and/or secure message portal. Should you choose to have ePHI notices sent via secure email, web hook, API connection or other secure electronic means, the Business Associate agrees to transmit ePHI using encryption. You agree to and acknowledge that:

  1. You have opted not to solely utilize our secure messaging platform and/or our secure messaging portal for receiving or retrieving PHI.
  2. You understand that AnswerFirst is not able to independently verify the end-point security of Covered Entity or its providers, vendors or partners.
  3. You understand the risks associated with sending and/or receiving insecure email or other types of electronic transmissions.
  4. You have established and will maintain appropriate electronic transmission security to allow you to receive and/or send secure transmissions.

6.1 Indemnification. You agree to indemnify and hold harmless AnswerFirst, its employees and agents, from and against any and all manner of claims, demands, causes of action, liabilities, damages, costs and expenses (including reasonable attorney’s fees) arising from the unauthorized use or disclosure of ePHI resulting from Your failure to have appropriate endpoint security in place for electronic transmissions.

7. Reporting of Improper Use or Disclosure. Business Associate agrees that it shall report to the Covered Entity any use or disclosure of protected health information not provided for by this Agreement. Such report shall be made within ten (10) business days of discovery. Further, Business Associate shall report any successful “security incident” of which it becomes aware within five (5) business days of discovery. The parties agree and acknowledge that “unsuccessful security incidents” occur on a daily basis and this section shall serve as ongoing notice of unsuccessful security incidents. In addition to Business Associate’s obligations under Section 7, Business Associate agrees to mitigate to the extent practical any harmful effect that is known to Business Associate and is a result of a use or disclosure of PHI by Business Associate in violation of this Agreement.

8. Data Breach Notification and Mitigation. Business Associate agrees to implement reasonable systems for the discovery and prompt reporting of any “breach” of “unsecured PHI” as those terms are defined by 45 C.F.R. § 164.402 (“HIPAA Breach”). Business Associate will, following the discovery of a HIPAA Breach, notify Covered Entity immediately and in no event later than five (5) business days after Business Associate discovers such HIPAA Breach, unless Business Associate is prevented from doing so by 45 C.F.R. § 164.412 concerning law enforcement investigations. For purposes of reporting a HIPAA Breach to Covered Entity, the discovery of a HIPAA Breach shall occur as of the first day on which such HIPAA Breach is known to the Business Associate or, by exercising reasonable diligence, would have been known to the Business Associate. No later than seven (7) business days following a HIPAA Breach, Business Associate shall provide Covered Entity with sufficient information to permit Covered Entity to comply with the HIPAA Breach Notification requirements set forth at 45 C.F.R. § 164.400 et seq. Business Associate may assume the HIPAA Breach notification obligations absent an objection from Covered Entity. Following a HIPAA Breach, Business Associate will have a continuing duty to inform Covered Entity of new information learned by Business Associate regarding the HIPAA Breach. Business Associate agrees to mitigate to the extent practicable, any harmful effect that is known to Business Associate that is directly related to a HIPAA Breach under this Agreement.

9. Sub-Contractors and Agents. Business Associate may disclose PHI to its sub-contractors and agents only as necessary for Business Associate to perform its obligations under the Business Arrangements with Covered Entity. Business Associate agrees that anytime PHI is provided or made available to any sub-contractors or agents, Business Associate must obtain satisfactory written assurances from the sub-contractor or agent that contains the same terms, conditions and restrictions on the use and disclosure of Protected Health Information as contained in this Agreement.

10. Right of Access to Designated Record Sets. If the Business Associate maintains any PHI that is part of the “Designated Record Set” as that term is defined under HIPAA, the Business Associate shall make such PHI available, for inspection and copying, to an individual as required under 45 C.F.R. 164.524. Prior to providing access, but within the time frame specified in 45 C.F.R. 164.524, the Business Associate shall notify the Covered Entity of the request for access and ascertain if there are any legitimate reasons that access should not be granted.

11. Amendment and Incorporation of Amendments. If the Business Associate maintains any PHI that is part of the “Designated Record Set” as that term is defined under HIPAA, the Business Associate shall make such PHI available for amendment as required under 45 C.F.R. 164.526 and shall, within ten (10) days, provide Covered Entity with a copy of the Amendment. Prior to allowing the amendment, Business Associate shall notify the Covered Entity of the request to amend and ascertain if there are any legitimate objections to the amendment. In the event that Covered Entity accepts an amendment to the Designated Record Set, Business Associate agrees to incorporate any amendments to PHI in accordance with 45 C.F.R. 164.526.

12. Accounting of Disclosures. At the request of Covered Entity, Business Associate shall make available all information required for Covered Entity to provide an accounting of disclosures of PHI with respect to an individual requesting such accounting in accordance with 45 C.F.R. § 164.528, as amended by Section 13405(c) of the HITECH Act and any related regulations or guidance in accordance with such provision. Business Associate shall provide the Covered Entity such information necessary to provide an accounting within thirty (30) days of the Covered Entity’s request or such shorter time as may be required by state or federal law. Such accounting obligations shall survive termination of this Agreement and shall continue as long as Business Associate maintains PHI. In the event that Business Associate receives a request for an accounting it shall notify Covered Entity within five (5) days of receipt of such request.

13. Records and Audit. If Business Associate receives a request, made by or on behalf of HHS, requiring Business Associate to make available its internal practices, books, and records relating to the use and disclosure of the PHI to HHS for the purpose of determining the compliance of Covered Entity with HIPAA, then Business Associate shall promptly notify Covered Entity that Business Associate has received such a request. Business Associate shall make its books and records relating to the use and disclosure of PHI by Covered Entity available to HHS and its authorized representatives for purposes of determining the compliance of Covered Entity with HIPAA.

14. Interpretation. An ambiguity in this Agreement shall be resolved in favor of a meaning that permits Covered Entity and Business Associate to comply with HIPAA, the HITECH Act and other applicable law.

15. Regulatory References. A reference in this Agreement to a section of HIPAA or the HITECH Act shall mean the section as currently in effect or as amended.

16. Amendment. Covered Entity and Business Associate agree that amendment of this Agreement may be required to ensure that both parties are in compliance with HIPAA, the HITECH Act and/or other applicable federal or state law.

17. Governing Law. This Agreement shall be governed by the laws of Florida.

18. Binding Nature and Assignment. This Agreement shall be binding on the Parties hereto and their successors and assigns, but neither Party may assign this Agreement without the prior written consent of the other, which consent shall not be unreasonably withheld.

19. Notices. Whenever under this Agreement one party is required to give notice to the other, such notice shall be deemed to have been given if in writing and sent by (i) personal delivery; (ii) certified or registered mail, return receipt requested; (iii) overnight delivery service with proof of delivery or facsimile with return facsimile acknowledging receipt to the address listed below:

COVERED ENTITY:
The address previously entered in the request for establishing services.

BUSINESS ASSOCIATE:
AnswerFirst Communications, Inc
1602 N. 21st Street.
Tampa, FL. 33606

Either Party may at any time change its address for notification purposes by providing the other party written notice stating the change and setting forth the new address.

20. Entire Agreement. This Agreement consists of this document, and constitutes the entire agreement between the Parties. There are no understandings or agreements relating to this Agreement which are not fully expressed in this Agreement and no change, waiver or discharge of obligations arising under this Agreement shall be valid unless in writing and executed by the Party against whom such change, waiver or discharge is sought to be enforced.

21. Third Party Beneficiaries. Nothing in this Agreement shall be considered or construed as conferring any right or benefit on a person not a party to this Agreement nor imposing any obligations on either Party hereto to persons not a party to this Agreement.

22. Attorney’s Fees. In the event an arbitration, suit or action is brought by any party under this Agreement to enforce any of its terms, or in any appeal therefrom, it is agreed that the prevailing party shall be entitled to reasonable attorneys’ fees to be fixed by the arbitrator, trial court, and/or appellate court.


I attest that I have read, understand, agree to and am legally authorized to immediately enter into and be bound by this executed Business Associate Agreement.