Skip to main content
Digital EMS Solutions
Subscription AgreementBusiness AssociatePrivacy Policy← Back to home
Legal · HIPAA

Business Associate Agreement

The obligations governing Digital EMS Solutions' handling of Protected Health Information (PHI) on behalf of a Covered Entity, in compliance with HIPAA and the HITECH Act.

Business Associate: Digital EMS Solutions, Inc.45 C.F.R. Parts 160 & 164California corporation

Contents

Preamble & Recitals1 · Definitions2 · Obligations of Business Associate3 · Permitted Uses & Disclosures4 · Obligations of Covered Entity5 · Term & Termination6 · Miscellaneous
Mockup notice. This page reproduces the structure and substance of the published Business Associate Agreement for design-review purposes. The controlling document is the executed agreement between the parties. View the live version at digitalemsinc.com/business-associate-agreement.

Preamble & Recitals

This Business Associate Agreement ("Agreement") is entered into as of the Effective Date (as set forth in the Underlying Agreement) by and between the covered entity ("Covered Entity") and Digital EMS Solutions Inc., a California corporation ("Business Associate").

A.Business Associate performs certain functions, activities, or services for, or on behalf of, Covered Entity (the "Services") pursuant to one or more underlying agreements (the "Underlying Agreement(s)"), and in the course of performing the Services, Business Associate creates, receives, maintains, or transmits Protected Health Information ("PHI").

B.The parties are entering into this Agreement to comply with the requirements of the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), the Health Information Technology for Economic and Clinical Health Act ("HITECH Act"), and their implementing regulations, including the Privacy, Security, Breach Notification, and Enforcement Rules (45 C.F.R. Parts 160 and 164).

1Definitions

Terms used but not otherwise defined in this Agreement have the same meaning as those terms in the HIPAA Rules.

  • Breach — as defined in 45 C.F.R. § 164.402.
  • Electronic Protected Health Information (EPHI) — as defined in 45 C.F.R. § 160.103.
  • HITECH Act — the Health Information Technology for Economic and Clinical Health Act, Title XIII of the American Recovery and Reinvestment Act of 2009.
  • Protected Health Information (PHI) — as defined in 45 C.F.R. § 160.103, limited to information created, received, maintained, or transmitted by Business Associate from or on behalf of Covered Entity.
  • Unsecured Protected Health Information — as defined in 45 C.F.R. § 164.402.

2Obligations of Business Associate

2.1 Use and Disclosure of PHI

Business Associate shall not use or disclose PHI other than as permitted or required by this Agreement, the Underlying Agreement, or as Required by Law, and shall not use or disclose PHI in a manner that would violate Subpart E of 45 C.F.R. Part 164 if done by Covered Entity.

2.2 Safeguards

Business Associate shall implement and use appropriate administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of PHI, and shall comply with the applicable HIPAA Security Rule requirements (45 C.F.R. Part 164, Subpart C) with respect to EPHI.

2.3 Reporting Obligations

  • Non-Permitted Uses or Disclosures. Any use or disclosure of PHI not provided for by this Agreement of which it becomes aware, including Breaches of Unsecured PHI.
  • Breaches of Unsecured PHI. Business Associate shall notify Covered Entity following discovery of any Breach of Unsecured PHI without unreasonable delay, and in no event later than five (5) calendar days after discovery. The notice shall include, to the extent possible, identification of each affected individual and other information Covered Entity is required to include in its notification.
  • Security Incidents. Business Associate shall report any successful Security Incident. Unsuccessful attempts (pings, port scans, unsuccessful log-on attempts) are excluded.

2.4 Subcontractors

Business Associate shall ensure that any subcontractor that creates, receives, maintains, or transmits PHI on its behalf agrees in writing to the same restrictions, conditions, and requirements that apply to Business Associate under this Agreement.

2.5 Access to Designated Record Set

To the extent Business Associate maintains PHI in a Designated Record Set, it shall, upon request, provide access to Covered Entity to meet the requirements of 45 C.F.R. § 164.524.

2.6 Amendment of PHI

To the extent Business Associate maintains PHI in a Designated Record Set, it shall make any amendments to PHI as directed by Covered Entity pursuant to 45 C.F.R. § 164.526.

2.7 Accounting of Disclosures

Business Associate shall document disclosures of PHI and related information as would be required for Covered Entity to respond to a request for an accounting under 45 C.F.R. § 164.528.

2.8 Direct HIPAA Compliance

Business Associate acknowledges that it is directly subject to certain provisions of the HIPAA Rules and is liable for any violations thereof.

2.9 Records and Audits

Business Associate shall make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of Health and Human Services for purposes of determining compliance with the HIPAA Rules.

2.10 Mitigation

Business Associate shall take reasonable steps to mitigate, to the extent practicable, any harmful effect known to it of a use or disclosure of PHI in violation of this Agreement.

3Permitted Uses and Disclosures by Business Associate

3.1 General Use and Disclosure

Business Associate may use or disclose PHI as necessary to perform the Services, provided that such use or disclosure complies with the Minimum Necessary principle and would not violate the HIPAA Rules if done by Covered Entity.

3.2 Specific Uses

Business Associate may use PHI for the proper management and administration of the Business Associate or to carry out its legal responsibilities, and may use PHI to create de-identified health information in accordance with 45 C.F.R. § 164.514(b).

4Obligations of Covered Entity

4.1 Notice of Privacy Practices

Covered Entity shall notify Business Associate of any limitation(s) in its notice of privacy practices that may affect Business Associate's use or disclosure of PHI.

4.2 Notice of Changes

Covered Entity shall notify Business Associate of any changes in, or revocation of, permission by an Individual to use or disclose PHI, to the extent such changes may affect Business Associate's duties.

4.3 Permissible Requests

Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under the HIPAA Rules if done by Covered Entity.

5Term and Termination

5.1 Term

This Agreement is effective as of the Effective Date and terminates when all PHI is returned to Covered Entity or destroyed.

5.2 Termination for Cause

Upon Covered Entity's knowledge of a material breach by Business Associate, Covered Entity shall provide an opportunity to cure within thirty (30) business days. If Business Associate does not cure within the specified timeframe, Covered Entity may terminate this Agreement and the Underlying Agreement(s).

5.3 Return or Destruction of PHI

Upon termination, Business Associate shall return or destroy all PHI. If return or destruction is not feasible, Business Associate shall extend the protections of this Agreement to such PHI and limit further uses and disclosures to those purposes that make return or destruction infeasible. Destruction must render the PHI unusable, unreadable, or indecipherable.

6Miscellaneous

  • 6.1 Indemnification.Business Associate agrees to indemnify, defend, and hold harmless Covered Entity and its officers, directors, employees, and agents from and against any claims, losses, liabilities, costs, and other expenses (including reasonable attorneys' fees) resulting from or arising out of any material breach of this Agreement or violation of the HIPAA Rules by Business Associate or its subcontractors.
  • 6.2 Insurance. Business Associate shall maintain, at its sole expense, professional liability (errors and omissions) and/or cyber liability insurance in an amount not less than $1,000,000 per occurrence and $2,000,000 in the aggregate.
  • 6.3 Regulatory References. A reference to a section in the HIPAA Rules means the section as in effect or as amended.
  • 6.4 Amendment. The Parties agree to amend this Agreement as necessary for compliance with the HIPAA Rules.
  • 6.5 Survival. The respective rights and obligations of Business Associate under Section 5.3 survive termination of this Agreement.
  • 6.6 Governing Law. This Agreement is governed by the laws of the State of California.

Note: The document references an "Effective Date (as set forth in the Underlying Agreement)" rather than stating an explicit date within its text.

Digital EMS Solutions

The ePCR you already know how to use. Built for fire-based EMS, offline-first, NEMSIS 3.5 compliant.

HIPAA compliant

Legal

Master Subscription AgreementBusiness Associate AgreementPrivacy Policy

Contact

Long Beach, California, USA

Main: (866) 620-5521

Fax: (909) 992-3096

info@digitalEMSinc.com
© Digital EMS Inc. All rights reserved.Long Beach, California