This Orchestra Health Business Associate Agreement (this “Agreement”) is entered into between you and the health care entity by which you are authorized (“you”, “Healthcare Entity”, the “Covered Entity”) and Orchestra One Inc. ("us", “we”, the “Business Associate”), as of the date of your consent to these terms (the “Agreement Effective Date”). You represent, warrant and agree that you are authorized to enter into this Agreement on behalf of yourself and the Healthcare Entity and to bind yourself and the Healthcare Entity to the terms and conditions herein. This Agreement is being entered into to govern the Covered Entity's use of our online servicing for direct-pay medical care providers (the “Orchestra Health Service”) under the terms and conditions of service consented to by the parties in a separate agreement (“TOS Agreement”).
Any term capitalized but not defined herein or within the TOS Agreement shall have the same meaning as within the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Part 160 and Part 164 (“HIPAA Rules”).
Our Obligations and Activities
We agree to:
Not use or disclose protected health information other than as permitted or required by this Agreement or as required by law;
Use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to electronic protected health information (“ePHI”), to prevent use or disclosure of protected health information other than as provided for by this Agreement or the TOS;
Report to you any use or disclosure of protected health information not provided for by this Agreement of which we become aware, including breaches of unsecured protected health information as required at 45 CFR 164.410, and any security incident of which we become aware;
In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, ensure that any subcontractors that create, receive, maintain, or transmit protected health information on our behalf agree to the same restrictions, conditions, and requirements that apply to us with respect to such information;
Make available to you protected health information in a designated record set as necessary to satisfy your obligations under 45 CFR 164.524;
Make any amendments to protected health information in a designated record set as directed or agreed to by you pursuant to 45 CFR 164.526, or take other measures as necessary to satisfy your obligations under 45 CFR 164.526;
Maintain and make available the information required to provide an accounting of disclosures to you as necessary to satisfy your obligations under 45 CFR 164.528;
Comply with the requirements of Subpart E that apply to you in the performance of your obligations under Subpart E of 45 CFR Part 164, to the extent we are to carry out one or more of such obligations; and
Make our internal practices, books, and records available to the Secretary for purposes of determining compliance with the HIPAA Rules.
Business Associates Permitted Uses and Disclosures
We shall only use or disclose protected health information as necessary to perform the services set forth in the TOS Agreement between the parties. We may use or disclose protected health information as required by law. We agree to make uses and disclosures and requests for protected health information consistent with your minimum necessary policies and procedures provided to us in writing in advance. We shall not use or disclose protected health information in a manner that would violate Subpart E of 45 CFR Part 164 if done by you, except for the specific uses and disclosures set forth below. We may use protected health information for our own proper managerial and administrative duties, or to carry out our legal responsibilities. We may disclose protected health information for our own proper managerial and administrative functions, or to carry out our legal responsibilities, provided the disclosures are required by law, or that we obtain reasonable assurances from the person to whom the information is disclosed that the information will remain confidential and used or further disclosed only as required by law or for the purposes for which it was disclosed to the person, and the person notifies us of any instances of which it is aware in which the confidentiality of the information has been breached. We may provide data aggregation services relating to your health care operations.
Covered Entity Duty to Inform Business Associate of Privacy Practices and Restrictions
You hereby agree to notify us of any and all of the following:
Any limitations in your notice of privacy practices under 45 CFR 164.520 if such limitation affects or may affect our use and/or disclosure of protected health information.
Any changes in, alterations to or revocation of an individual's permissions to use or disclose his/her protected health information, if such changes affect or may affect our use and/or disclosure of protected health information.
Any restriction on the use and/or disclosure of protected health information that you have agreed to or are bound by under 45 CFR 164.522, to the extent that such restriction affects or may affect our use and/or disclosure of protected health information.
Permissible Requests by Covered Entity
The Covered Entity shall not request Orchestra's use and/or disclosure of protected health information in any manner impermissible under Subpart E of 45 CFR Part 164 if undertaken by the Covered Entity, except as specified in Section 3 of this Agreement.
This Agreement is effective as of the Effective Date, and shall remain in effect until either party terminates the Agreement. This Agreement may be terminated by either party for any reason upon the provision of sixty (60) days written notice to the non-terminating party. All obligations of the parties under this Section shall survive the termination of this Agreement.
Obligations of Business Associate Upon Termination
Upon termination of this Agreement for any reason, with respect to protected health information received from you, or created, maintained, or received by us on your behalf, we shall:
Retain only that protected health information which is necessary for us to continue to properly perform our own managerial and administrative duties, or to carry out our legal responsibilities;
Only retain and/or utilize any protected health information to the extent that it is fully anonymized and incapable of being traced, in any way or by any means, to the individual from which this information has originated;
Destroy the remaining protected health information that we still maintain in any form;
Continue to use appropriate safeguards and comply with Subpart C of 45 CFR Part 164 with respect to electronic protected health information to prevent use or disclosure of the protected health information, other than as provided for in this Section, for as long as we retain the protected health information;
Not use or disclose the protected health information we retain other than for the purposes for which such protected health information was originally retained, and subject to the conditions in Section 3 of this Agreement which applied prior to termination; and
Destroy the protected health information we retain when it is no longer needed to properly perform our own managerial and administrative duties, or to carry out our legal responsibilities.
By signing up, you are the signatory acting on authorized behalf of the entity or institution being provided the Orchestra Health Service as described herein and are agreeing to be bound by and become a party to this Agreement. If you do not agree to the terms and conditions of this Agreement or you are not authorized to bind your respective Healthcare Entity to this Agreement, do not sign up for an account and instead contact us directly for further assistance at firstname.lastname@example.org.