AlpineForm BAA

The following contract is mandatory for HIPAA and HITECH compliance.

AlpineForm is known as a “business associate” under HIPAA Rules. This means that we are an entity that provides services that involve access to protected health information to covered entities. The HIPAA Rules require that covered entities enter into contracts with their business associates to ensure that protected health information is safeguarded. The business associate contract also serves to clarify and limit, as appropriate, the permissible uses and disclosures of protected health information by the business associate based on the relationship between the parties and the services being performed.

Contents:

• Definitions
• Introduction
• Our Obligations and Activities
• Our Permitted Uses and Disclosures
• Provisions for You to Inform Us of Privacy Practices and Restrictions
• Permissible Requests by You
• Term and Termination
• Miscellaneous
• About Subcontractors
• Governing Law and Jurisdiction

Definitions:

“HIPAA Rules” shall mean the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Part 160 and Part 164.

The following terms used in this Agreement shall have the same meaning as those terms in the HIPAA Rules: Breach, Data Aggregation, Designated Record Set, Disclosure, Health Care Operations, Individual, Minimum Necessary, Notice of Privacy Practices, Protected Health Information, Required By Law, Secretary, Security Incident, Subcontractor, Unsecured Protected Health Information, and Use.

“We”, “us”, “our”, “ours”, and “AlpineForm” shall generally have the same meaning as the term “business associate” at 45 CFR 160.103, and in reference to the party to this agreement, shall mean Pruett & Co., LLC, DBA AlpineForm.

“You” and “yours” shall generally have the same meaning as the term “covered entity” at 45 CFR 160.103, and in reference to the party to this agreement, shall mean “your business.”

“PHI” and “ePHI” shall generally have the same meaning as the terms “protected health information” and “electronic protected health information,” respectively.

Introduction:

As a business associate, AlpineForm may use or disclose protected health information only as permitted or required by this business associate contract or as required by law. We are directly liable under HIPAA Rules and subject to civil and criminal penalties for using and disclosing protected health information not authorized by this contract or required by law. We are also directly liable and subject to civil penalties for failing to safeguard protected health information under the HIPAA Security Rule.

We help support HIPAA and HITECH compliance for your business, but our services do not address every compliance requirement. Your business is responsible for an adequate compliance program and having internal processes in place.

Our Obligations and Activities:

As a business associate, we agree to:

1. Not use or disclose protected health information other than as permitted or required by the Agreement or as required by law.
2. Use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to electronic protected health information, to prevent use or disclosure of protected health information other than as provided for by this Agreement.
3. Report to you any use or disclosure of protected health information not provided for by the Agreement of which we become aware, including breaches of unsecured protected health information as required at 45 CFR 164.410, and any security incident of which we become aware. We will not send breach notifications on your behalf to individuals, the HHS Office for Civil Rights (OCR), or the media.
4. In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), ensure that our subcontractors that create, receive, maintain, or transmit protected health information on our behalf agree to the same restrictions, conditions, and requirements that apply to us.
5. Make available protected health information in a designated record set to you as necessary to satisfy your obligations under 45 CFR 164.524. In the event that we receive a request for protected health information from an individual, we will forward that request to you to fulfill.
6. Make any amendment(s) to protected health information in a designated record set as directed or agreed to by you, pursuant to 45 CFR 164.526, or take other measures as necessary to satisfy your obligations under 45 CFR 164.526. In the event that we receive a request to amend or modify protected health information from an individual, we will forward that request to you and only fulfill it with your permission.
7. Maintain and make available the information required to provide an accounting of disclosures to you as necessary to satisfy your obligations under 45 CFR 164.528. In the event that we receive a request for an accounting of disclosures from an individual, we will forward that request to you to fulfill.
8. To the extent that we are to carry out one or more of your obligation(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to you in the performance of such obligation(s); and
9. Make our internal practices, books, and records available to the Secretary for purposes of determining compliance with the HIPAA Rules.

Our Permitted Uses and Disclosures:

1. We may use or disclose protected health information for activities directly related to our services. This includes:
   1. Creating, receiving, maintaining, and transmitting ePHI.
   2. Creating & storing documents that may include ePHI.
   3. Sending email messages that may include ePHI.
   4. Storing backup files that may include ePHI.
   5. Transmitting data to & from websites that may include ePHI.
2. We may use or disclose protected health information as required by law.
3. We agree to make uses and disclosures and requests for protected health information consistent with your minimum necessary policies and procedures.
4. We may not use or disclose protected health information in a manner that would violate Subpart E of 45 CFR Part 164 if done by you, except for the specific uses and disclosures set forth below.
   1. We may use protected health information for the proper management and administration of our business or to carry out our legal responsibilities.
   2. We may disclose protected health information for the proper management and administration of our business or to carry out our legal responsibilities, provided the disclosures are required by law, or if we obtain reasonable assurances from the person to whom the information is disclosed that the information will remain confidential and used or further disclosed only as required by law or for the purposes for which it was disclosed to the person, and the person notifies us of any instances of which it is aware in which the confidentiality of the information has been breached.
   3. We may provide data aggregation services relating to the health care operations of the covered entity.
   4. We may use or disclose protected health information for related business purposes only after de-identifying the information in accordance with 45 CFR 164.514(a)-(c).

Provisions for You to Inform Us of Privacy Practices and Restrictions:

1. You shall notify us of any limitation(s) in the notice of your privacy practices under 45 CFR 164.520, to the extent that such limitation may affect our use or disclosure of protected health information.
2. You shall notify us of any changes in, or revocation of, the permission by an individual to use or disclose his or her protected health information, to the extent that such changes may affect our use or disclosure of protected health information.
3. You shall notify us of any restriction on the use or disclosure of protected health information that you have agreed to or are required to abide by under 45 CFR 164.522, to the extent that such restriction may affect our use or disclosure of protected health information.

Permissible Requests by You:

1. You may request copies of any data containing protected health information for your business that we collect or store for you, at any time.
2. You shall not request us to use or disclose protected health information in any manner that would not be permissible under Subpart E of 45 CFR Part 164 if done by you, unless the request is for us to use or disclose protected health information for data aggregation or management and administration and legal responsibilities.

Term and Termination:

1. The Term of this Agreement shall be effective as of the date this agreement is signed and shall terminate on the date you cancel your service with Alpineform or terminate for cause as authorized below.
2. Termination for Cause. We authorize termination of this Agreement by you if you determine that we have violated a material term of the Agreement and we have not cured the breach or ended the violation.
3. Our Obligations. Upon termination of this Agreement for any reason, we, with respect to protected health information received from you, or created, maintained, or received by us on your behalf, shall:
   1. Retain only that protected health information which is necessary for us to continue its proper management and administration or to carry out our legal responsibilities;
   2. Return to you the remaining protected health information that we still maintain in any form;
   3. Continue to use appropriate safeguards and comply with Subpart C of 45 CFR Part 164 with respect to electronic protected health information to prevent use or disclosure of the protected health information, other than as provided for in this Section, for as long as we retain the protected health information;
   4. Not use or disclose the protected health information that we retain other than for the purposes for which such protected health information was retained and subject to the same conditions set above under “Our Permitted Uses and Disclosures” which applied prior to termination; and
   5. Return to you the protected health information retained by us when it is no longer needed by us for proper management and administration or to carry out legal responsibilities.
4. Survival. Our obligations shall survive the termination of this Agreement.

Miscellaneous:

1. Regulatory References. A reference in this Agreement to a section in the HIPAA Rules means the section as in effect or as amended.
2. Amendment. The Parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for compliance with the requirements of the HIPAA Rules and any other applicable law.
3. Interpretation. Any ambiguity in this Agreement shall be interpreted to permit compliance with the HIPAA Rules.

About Subcontractors:

The HIPAA Rules allow business associates to also be subcontractors that create, receive, maintain, or transmit protected health information on behalf of another business associate. Business associates are also required to enter into contracts with their business associates to ensure that protected health information is safeguarded.

AlpineForm utilizes subcontractors and has signed business associate agreements (BAAs) with each. These companies provide technical infrastructure for our services.

Governing Law and Jurisdiction:

The laws of the Commonwealth of Virginia shall govern the interpretation and enforcement of this agreement and any dispute. The parties irrevocably submit to the exclusive jurisdiction of the state and federal courts located in Harrisonburg, Virginia, concerning any dispute arising from or relating to this contract.

Any claim brought by a covered entity against AlpineForm shall proceed solely on an individual basis without the right for any claim to be pursued on a class action basis on or involving claims brought in a representative capacity on behalf of others.