Business Associate Agreement
Terms and Conditions of Use
(Including Applicable Business Associate Contract Provisions)
This site sets forth the terms and conditions (these “Terms and Conditions”) of the business associate arrangement between The Lash Group, LLC. (“Lash Group”), to the extent that Lash Group meets the definition of a “Business Associate” under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) (Pub. L. 104-191), as amended by, among other authorities, the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”) (42 U.S.C. § 17921 et seq.) (a section of the American Recovery and Reinvestment Act of 2009), and various implementing regulations, including, as defined below, the Privacy Rule, Security Rule and Breach Notification Rule, by providing services through a pharmaceutical or biologic product manufacturer (“Product Manufacturer”) sponsored patient support program (the “Program”).
Covered Entity and Lash Group desire to enter into these Terms and Conditions to address certain requirements that are now or will become applicable to Covered Entity (and, in certain instances, Lash Group) under HIPAA, the HITECH Act, the Privacy Rule, Security Rule and the Breach Notification Rule. To the extent that Lash Group meets the definition of a “Business Associate,” as defined in 45 C.F.R. § 160.103 and the associated guidance issued by the Department of Health and Human Services (“HHS”) by providing services to or on behalf of Covered Entity in connection with the Program (the “Services”), Covered Entity and Lash Group agree to the following terms and conditions concerning PHI disclosed to Lash Group by Covered Entity.
If Covered Entity does not agree with these Terms and Conditions, Covered Entity should not access or otherwise utilize any service provided through the Program. As these Terms and Conditions may be revised from time to time, Covered Entity should review them periodically. Furthermore, by accessing or otherwise utilizing the Program, Covered Entity agrees to execute any and all documents that are necessary to access the Program, and the services offered through it, available to Covered Entity. This is a legally binding agreement that sets forth the entire agreement between Covered Entity and Lash Group, and these Terms and Conditions supersede any conflicting terms in any other agreement between the parties with respect to the use of the Program, including how information collected by Lash Group through the Program may be used or disclosed.
Limitations of Program Services
It is not the responsibility of Lash Group to provide insurance benefit or claims status information from all payers or to ensure the accuracy of the information provided. Covered Entity agrees that Lash Group, its affiliates, and their respective officers, directors, employees, agents and representatives shall not be responsible or be held liable for any delays, interruptions or other errors that may occur or arise out of any claims, reimbursement, payment or other electronic transactions between Covered Entity and a payer or other third parties. The Program does NOT promise or guarantee coverage, payment or reimbursement, in whole or in part, of a claim by a payer or other third parties. Covered Entity agrees that it accepts responsibility for all applicable claims and for its access to the Program.
User Responsibility
IN NO EVENT SHALL LASH GROUP, ITS AFFILIATES, AND ANY OF THEIR RESPECTIVE OFFICERS, DIRECTORS, EMPLOYEES, AGENTS AND REPRESENTATIVES, AND THEIR RESPECTIVE HEIRS AND ASSIGNS, BE LIABLE FOR ANY DAMAGES OF ANY KIND OR NATURE, INCLUDING, BUT NOT LIMITED TO, DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, EXEMPLARY, SPECIAL (INCLUDING LOSS OF PROFIT), PUNITIVE, OR OTHER DAMAGES ARISING FROM OR IN CONNECTION WITH THE EXISTENCE OR USE OF THE PROGRAM, REGARDLESS OF WHETHER PRODUCT MANUFACTURER, LASH GROUP OR ANY OF THE OTHER ENTITIES OR PERSONS LISTED ABOVE HAS BEEN ADVISED AS TO THE POSSIBILITY OF SUCH DAMAGES. THIS INCLUDES DAMAGES TO, OR FOR VIRUSES THAT MAY INFECT, COVERED ENTITY’S COMPUTER EQUIPMENT. WITHOUT LIMITING THE FOREGOING, EVERYTHING THROUGH THE PROGRAM IS PROVIDED TO COVERED ENTITY ON AN “AS IS” AND “AS AVAILABLE” BASIS, AND PRODUCT MANUFACTURER AND LASH GROUP MAKE NO REPRESENTATIONS OR WARRANTIES OF ANY KIND OR NATURE WITH RESPECT TO THE PROGRAM. PRODUCT MANUFACTURER AND LASH GROUP HEREBY DISCLAIM ALL REPRESENTATIONS AND WARRANTIES, WHETHER EXPRESS OR IMPLIED, CREATED BY LAW, CONTRACT OR OTHERWISE, INCLUDING, BUT NOT LIMITED TO, ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, OR NON-INFRINGEMENT. PRODUCT MANUFACTURER AND LASH GROUP MAKE NO WARRANTY THAT THE PROGRAM WILL MEET COVERED ENTITY’S REQUIREMENTS, OR THAT ANY PROGRAM SERVICES WILL BE UNINTERRUPTED, TIMELY, SECURE, CURRENT, ACCURATE, COMPLETE OR ERROR-FREE OR THAT THE RESULTS THAT MAY BE OBTAINED BY USE OF THE PROGRAM WILL BE ACCURATE OR RELIABLE. IN ADDITION, NEITHER PHARMACEUTICAL PRODUCT MANUFACTURER NOR LASH GROUP MAKE ANY WARRANTY WITH RESPECT TO THE INTEROPERABILITY OF ANY SYSTEM WITH THE PROGRAM, INCLUDING, WITHOUT LIMITATION, ANY SYSTEM USED BY COVERED ENTITY OR ANY PAYER, WHETHER PROVIDED BY A THIRD PARTY LICENSOR OR OTHERWISE.
The parties acknowledge that some jurisdictions may not allow the exclusion of implied warranties, so some of the above exclusions may not apply to Covered Entity. COVERED ENTITY UNDERSTANDS AND ACKNOWLEDGES THAT ITS SOLE AND EXCLUSIVE REMEDY WITH RESPECT TO ANY DEFECT IN OR DISSATISFACTION WITH THE PROGRAM IS TO CEASE TO USE THE PROGRAM SERVICES. COVERED ENTITY MAY HAVE OTHER RIGHTS WHICH MAY VARY FROM STATE TO STATE.
Compliance with HIPAA and the Privacy and Security Rules
To the extent Lash Group is considered a “Business Associate” under HIPAA, the following terms are applicable:
Any citations in the definitions below shall reference the provision as currently drafted or as it may be subsequently updated, amended or revised, as applicable. Capitalized terms or phrases used, but not otherwise defined, in these Terms and Conditions shall have the same meaning as those terms or phrases in the Privacy Rule, Security Rule or Breach Notification Rule, as applicable.
1.1 “Breach” shall have the meaning given to such term in 45 C.F.R. § 164.402.
1.2 “Breach Notification Rule” shall mean the interim final rule related to breach notification for Unsecured Protected Health Information at 45 C.F.R. Parts 160 and 164.
1.3 “Designated Record Set” shall have the meaning given to such phrase in 45 C.F.R. § 164.501.
1.4 “Electronic Protected Health Information” or “ePHI” shall have the meaning given to such phrase in 45 C.F.R. § 160.103, subject to the definition of PHI below.
1.5 “Individual” shall have the meaning given to such term in 45 C.F.R. § 160.103 and shall include a person who qualifies as a personal representative in accordance with 45 C.F.R. § 164.502(g).
1.6 “Privacy Officer” shall have the meaning given to such phrase in 45 C.F.R. § 164.530(a)(1).
1.7 “Privacy Rule” shall mean the Standards for Privacy of Individually Identifiable Health Information, codified at 45 C.F.R. Parts 160 and 164, Subparts A and E.
1.8 “Protected Health Information” or “PHI” shall have the meaning as given to such phrase in 45 C.F.R. § 160.103, limited to the information created or received by Business Associate from or on behalf of Covered Entity.
1.9 “Required by Law” shall have the meaning given to such phrase in 45 C.F.R. § 164.103.
1.10 “Security Rule” shall mean the Security Standards for Protection of Electronic Protected Health Information, codified at 45 C.F.R. § 164 Subparts A and C.
1.11 “Secretary” shall mean the Secretary of HHS, or his or her designee.
1.12 “Security Incident” shall have the meaning given to such phrase in 45 C.F.R. § 164.304.
1.13 “Unsecured PHI” shall have the meaning given to such phrase in the Breach Notification Rule at 45 C.F.R. § 164.402.
2. Permitted uses and disclosures of protected health information by Lash Group
2.1 Services. Except as otherwise specified herein, Lash Group may make any and all uses and disclosures of PHI necessary to perform the Services. All other uses and disclosures not authorized by these Terms and Conditions are prohibited. Moreover, Lash Group may use and disclose PHI for the purposes authorized by these Terms and Conditions only: (i) to its employees, subcontractors and agents, in accordance with Section 3.5; (ii) as directed by Covered Entity; or (iii) as otherwise permitted by the terms of these Terms and Conditions including, but not limited to, Sections 2.2 and 2.3.
2.2 Uses and Disclosures by Lash Group. Unless otherwise limited herein, Lash Group may:
2.2.1 Use, consistent with 45 C.F.R. § 164.504(e)(4), the PHI in its possession if necessary (i) for its proper management and administration and/or (ii) to carry out any present or future legal responsibilities of Lash Group provided that such uses are permitted under state and federal confidentiality laws.
2.2.2 Disclose, consistent with 45 C.F.R. § 164.504(e)(4), the PHI in its possession to third parties for the purpose of its proper management and administration and/or to carry out any present or future legal responsibilities of Lash Group, provided that (i) the disclosures are Required by Law, as provided for in 45 C.F.R. § 164.103; or (ii) Lash Group has received from the third party written assurances regarding its confidential handling of such PHI as required under 45 C.F.R. § 164.504(e)(4) and the third party notifies Lash Group of any breaches in the confidentiality of the PHI.
2.3 Additional Activities of Lash Group. In addition to using and disclosing the PHI to perform the Services and the purposes enumerated in Section 2.2, Lash Group may:
2.3.1 De-identify any and all PHI provided that the de-identification conforms to the requirements of 45 C.F.R. § 164.514(b). Pursuant to 45 C.F.R. § 164.502(d)(2), de-identified information does not constitute PHI and is not subject to the terms of these Terms and Conditions.
2.3.2 Use and/or disclose PHI to report violations of law to appropriate federal and state authorities, consistent with 45 C.F.R. § 164.502(j)(1).
3. Privacy rule and HITECH Act responsibilities of Lash Group
With regard to its use and/or disclosure of PHI, Lash Group agrees to do the following:
3.1 Use and/or disclose the PHI only as permitted or required by these Terms and Conditions, including as permitted in Section 2.2 and 2.3, or as otherwise permitted or Required by Law.
3.2 Report to Covered Entity’s designated Privacy Officer, in writing, any use and/or disclosure of the PHI that is not permitted or required by these Terms and Conditions of which Lash Group becomes aware within fifteen (15) days of Lash Group becoming aware of such unauthorized use and/or disclosure.
3.3 Establish procedures for mitigating, to the extent practicable, any deleterious effects from any improper use and/or disclosure of PHI that Lash Group reports to Covered Entity.
3.4 To the extent it agrees to carry out one or more of Covered Entity's obligation(s) under Subpart E of 45 CFR Part 164, Lash Group agrees to comply with the requirements of Subpart E that apply to Covered Entity in the performance of such obligations.
3.5 Require all of its subcontractors and agents that create, receive, maintain or transmit PHI on behalf of Lash Group under these Terms and Conditions to agree, in writing, to adhere to substantially similar restrictions and conditions (in all material respects) on the use and/or disclosure of PHI and other restrictions and requirements that relate to PHI that apply to Lash Group pursuant to Sections 2 through 5.
3.6 Make available all records, books and practices relating to the use and/or disclosure of PHI to the Secretary for purposes of determining Covered Entity’s compliance with the Privacy Rule, subject to attorney-client and other applicable legal privileges.
3.7 Upon prior written request, make available during normal business hours at Lash Group’s offices all records, books, agreements, policies and procedures relating to the use and/or disclosure of PHI to Covered Entity within fifteen (15) days for purposes of enabling Covered Entity to determine Lash Group’s compliance with the terms of these Terms and Conditions.
3.8 Within fifteen (15) days of receiving a written request from Covered Entity, provide to Covered Entity such information as is requested by Covered Entity to permit Covered Entity to respond to a request by an Individual to inspect and obtain a copy of PHI about the Individual that is maintained in a Designated Record Set, for as long as the PHI is maintained in the Designated Record Set, in accordance with 45 C.F.R. § 164.524; to amend PHI or a record about the Individual in a Designated Record Set, for as long as PHI is maintained in the Designated Record Set, in accordance with 45 C.F.R. § 164.526; and for an accounting of the disclosures of the Individual’s PHI in accordance with 45 C.F.R. § 164.528.
3.9 Disclose to its subcontractors, agents or other third parties, and request from Covered Entity, only the minimum PHI necessary to perform or fulfill a specific function required or permitted hereunder, unless the disclosure is not subject to the minimum necessary standard, as described in 45 C.F.R. § 164.502(b).
3.10 To the extent that Business Associate is to carry out one or more of Covered Entity’s obligations under Subpart E of 45 C.F.R. Part 164, comply with the requirements of Subpart E that apply to Covered Entity in the performance of such obligations.
4. Security rule and HITECH Act responsibilities of Lash Group
With regard to its use and/or disclosure of ePHI, Lash Group agrees to do the following:
4.1 Comply with 45 C.F.R. §§ 164.308, 164.310, 164.312 and 164.316, with respect to ePHI, to prevent use or disclosure of ePHI other than as provided for by these Terms and Conditions.
4.2 Require all of its subcontractors and agents that create, receive, maintain, or transmit ePHI on behalf of Lash Group to agree, in writing, to adhere to substantially similar restrictions and conditions (in all material respects) concerning ePHI that apply to Lash Group pursuant to this Section 4.
4.3 Report to Covered Entity any Security Incident of which it becomes aware that involves the Confidentiality, Integrity or Availability of the ePHI that it creates, receives, maintains or transmits for or on behalf of Covered Entity. The parties agree that this Section satisfies any reporting required by Lash Group of attempted but Unsuccessful Security Incidents (as defined below) for which the parties agree no additional report shall be required. For purposes of these Terms and Conditions, “Unsuccessful Security Incidents” include but are not limited to activity such as “pings” and other broadcast attacks on Lash Group’s firewall, port scans, unsuccessful log-on attempts, denials of service and any other attempts to penetrate such computer networks or systems that do not result in unauthorized access, use or disclosure of ePHI. Separate from the requirements related to Security Incident reporting, Lash Group shall also make the reports to Covered Entity as set forth in Section 5, related to a Breach of Unsecured PHI.
4.4 Authorize termination of these Terms and Conditions by Covered Entity if Covered Entity determines that Lash Group has violated a material term of these Terms and Conditions, in accordance with Section 6.2.
5. Breach notification rule obligations
5.1 Lash Group will notify Covered Entity within fifteen (15) days of the discovery of a Breach of Unsecured PHI.
5.2 Any notice pursuant to Section 5.1 will include, to the extent possible, the identification of each Individual whose Unsecured PHI has been, or is reasonably believed by Lash Group, to have been accessed, acquired or disclosed during such Breach. Lash Group will also provide Covered Entity other available information that Covered Entity is required to include in its notification to the Individual.
6. Term and termination
6.1 Term. These Terms and Conditions shall become effective on the Effective Date and shall continue in effect until all obligations of the Parties have been met, unless terminated as provided in this Section 6. In addition, certain provisions and requirements of these Terms and Conditions shall survive its expiration or other termination in accordance with Section 7.1 herein.
6.2 Termination by Covered Entity. As provided for under 45 C.F.R. § 164.504(e)(2)(iii) and under 45 C.F.R. § 164.314(a)(2)(D), Covered Entity may immediately terminate these Terms and Conditions if Covered Entity makes the determination, in its sole discretion, that Lash Group has breached a material term of these Terms and Conditions. Alternatively, Covered Entity may choose to: (i) provide Lash Group with written notice of the existence of an alleged breach; and (ii) afford Lash Group an opportunity to cure said alleged breach. Failure to cure in the manner set forth in this Section 6.2 is grounds for the immediate termination of these Terms and Conditions by Covered Entity.
6.3 Termination by Lash Group. Lash Group shall have the same rights and options related to termination as set forth in Section 6.2 with respect to Covered Entity.
6.4 Effect of Termination. Upon the event of termination pursuant to this Section 6, Lash Group agrees to return or destroy all PHI pursuant to 45 C.F.R. § 164.504(e)(2)(ii)(I), if it is feasible to do so. Prior to doing so, Lash Group further agrees to recover any PHI in the possession of its subcontractors or agents. If it is not feasible for Lash Group to return or destroy said PHI, Lash Group agrees to extend any and all protections, limitations and restrictions contained in these Terms and Conditions to Lash Group’s use and/or disclosure of any PHI retained after the termination of these Terms and Conditions, and to limit any further uses and/or disclosures to the purposes that make the return or destruction of the PHI infeasible. If it is infeasible for Lash Group to obtain, from a subcontractor or agent any PHI in the possession of the subcontractor or agent, Lash Group will require the subcontractors and agents to agree to extend any and all protections, limitations and restrictions contained in these Terms and Conditions to the subcontractors’ and/or agents’ use and/or disclosure of any PHI retained after the termination of these Terms and Conditions, and to limit any further uses and/or disclosures to the purposes that make the return or destruction of the PHI infeasible.
6.5 Survival. The respective rights and obligations of Lash Group and Covered Entity under the provisions of Sections 2, 3, 4, 5, 6.4, 7.1, solely with respect to PHI Lash Group retains in accordance with Section 6.3 because it is not feasible to return or destroy such PHI, shall survive termination of these Terms and Conditions for as long as Lash Group retains such PHI.