BAA
Augment Therapy, Inc.
Last Updated: January 8, 2025
BY CLICKING THE "I ACCEPT" OR “ACCEPT[EB1] ” BUTTON, OR BY ACCESSING AND USING THE PORTAL, YOU AGREE TO BE BOUND BY THIS BUSINESS ASSOCIATE AGREEMENT AND REPRESENT THAT YOU ARE DULY AUTHORIZED TO ACCEPT THIS BUSINESS ASSOCIATE AGREEMENT ON BEHALF OF YOUR ORGANIZATION. IF YOU DO NOT AGREE TO THIS BUSINESS ASSOCIATE AGREEMENT, DO NOT CLICK THE "ACCEPT" BUTTON OR OTHERWISE USE THE PORTAL.
This BUSINESS ASSOCIATE AGREEMENT (this “BAA”) is made by and between Augment Therapy, Inc., a Delaware corporation with offices located at 8584 East Washington St. #128, Chagrin Falls, OH, 44023 (“Business Associate”), and the organization (corporation, limited liability company, limited partnership, etc.) entering into this BAA with Business Associate (“Covered Entity”), and is effective as of the date accepted (the “Effective Date”). Business Associate and Covered Entity are referred to herein collectively as the “Parties”, and individually, as a “Party.” Capitalized terms used in this BAA without definition shall have the respective meanings assigned to such terms in the Administrative Simplification section of the Health Insurance Portability and Accountability Act of 1996, the Health Information Technology for Economic and Clinical Health Act and their implementing regulations as amended from time to time (collectively, “HIPAA”).
RECITALS
A. WHEREAS, Business Associate provides an augmented reality solution for pediatric therapeutic exercise both in the home and in the clinical setting as further described in the Terms of Use or other services agreement entered into between the Parties (the “Underlying Agreement”) (the “Services”), which may involve the creation, receipt, maintenance, access, transmission, Use, or Disclosure of PHI (as defined below) by Business Associate.
B. WHEREAS, Covered Entity and Business Associate agree to protect the privacy and provide for the security of PHI disclosed to Business Associate pursuant to the Underlying Agreement in accordance with federal and state laws, to the extent that state laws are more restrictive, including, the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), as amended by the Health Information Technology for Economic and Clinical Health Act (“HITECH”) provisions of the American Recovery and Reinvestment Act of 2009, and Title I of the Genetic Information Nondiscrimination Act of 2008, and any regulations promulgated thereunder, including the Privacy Rule, Security Rule, and Breach Notification Rule, as such laws and regulations may be amended from time to time (collectively, the “HIPAA Rules”, together with HIPAA and HITECH as the “Privacy Laws”).
C. WHEREAS, to comply with the Privacy Laws, the Parties must enter into an agreement that governs the creation, receipt, maintenance, access, transmission, Use, and Disclosure of the PHI by Business Associate in the course of performing the Services in connection with the Underlying Agreement.
AGREEMENT
Covered Entity and Business Associate agree as follows:
SECTION 1: DEFINITIONS
1.1 General Statement. The following terms used in this BAA will have the same meaning as those terms in the HIPAA Rules: Administrative Safeguards, Availability, Breach, Business Associate, Confidentiality, Covered Entity, Data Aggregation, Designated Record Set, Disclosure, Electronic Protected Health Information (“EPHI”), Health Care Operations, Individual, Individually Identifiable Health Information, Integrity, Minimum Necessary, Physical Safeguards, Protected Health Information (“PHI”), Required by Law, Secretary, Security Incident, Subcontractor, Technical Safeguards, Unsecured PHI, Uses and Disclosures, and Workforce. A change to the Privacy Laws which modifies any defined term, or which alters the regulatory citation for the definition will be deemed incorporated into this BAA.
1.2 “Breach Notification Rule” means Part 2, Subtitle D of HITECH and Notification in the Case of Breach of Unsecured Protected Health Information at 45 C.F.R. Part 164 Subpart D.
1.3 “Privacy Rule” means the standards for Privacy of Individually Identifiable Health Information at 45 C.F.R. Part 160 and Subparts A and E of Part 164.
1.4 “Security Rule” means the Security Standards for the Protection of Electronic Protected Health Information at 45 C.F.R. Part 160 and Subparts A and C of Part 164.
SECTION 2: PERMITTED USES AND DISCLOSURES OF PHI
2.1 Uses and Disclosures of PHI Pursuant to the Underlying Agreement. Except as otherwise limited in this BAA, Business Associate may use or disclose PHI to perform functions, activities or services for, or on behalf of, Covered Entity, as specified in the Underlying Agreement, provided that such use or disclosure would not violate the Privacy Rule if done by Covered Entity.
2.2 Permitted Uses of PHI by Business Associate. Except as otherwise limited in this BAA, Business Associate may use PHI for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate. Business Associates’ management and administrative services includes performing big data analyses on Covered Entity PHI, including aggregated data that includes Covered Entity PHI.
2.3 Permitted Disclosures of PHI by Business Associate. Except as otherwise limited in this BAA, Business Associate may disclose PHI for the proper management and administration of Business Associate, provided that the disclosures are Required by Law, or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and will be used or further disclosed only as Required by Law or for the purpose for which it was disclosed to the person (which purpose must be consistent with the limitations imposed upon Business Associate pursuant to this BAA), and that the person agrees to notify Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached. Business Associate may disclose PHI to report violations of law to appropriate federal and state authorities, consistent with 45 C.F.R. § 164.502(j)(l).
2.4 Data Aggregation. Except as otherwise limited in this BAA, Business Associate may use PHI to provide Data Aggregation services for the Health Care Operation of the Covered Entity as permitted by 45 C.F.R. § 164.504(e)(2)(i)(B).
2.5 De-identified Data. Business Associate may de-identify PHI in accordance with the standards set forth in 45 C.F.R. § 164.514(b) and may use or disclose such de-identified data for any reason not prohibited by applicable law. Business Associate shall use a HIPAA-secure vendor who applies tokenization to de-identify data and shall not obtain or otherwise have access to the codes or tokens that could re-identify such PHI.
2.6 Authorizations. Notwithstanding anything in this BAA to the contrary, Business Associate may use and disclose any PHI received from Covered Entity or created by Business Associate on behalf of Covered Entity pursuant to the terms of, and for the purposes described in, an authorization signed by an Individual or the Individual’s personal representative in accordance with the requirements of 45 C.F.R. §164.508 (“Authorizations). The parties acknowledge and agree that uses and disclosures of PHI covered by such Authorizations shall not be subject to the terms of this BAA.
SECTION 3: OBLIGATIONS OF BUSINESS ASSOCIATE
3.1 Appropriate Safeguards. Business Associate will use appropriate safeguards and will comply with the Security Rule with respect to Electronic PHI, to prevent use or disclosure of such information other than as provided for by the Underlying Agreement and this BAA. Except as expressly provided in the Underlying Agreement or this BAA, Business Associate will not assume any obligations of Covered Entity under the Privacy Rule. To the extent that Business Associate is to carry out any of Covered Entity’s obligations under the Privacy Rule as expressly provided in the Underlying Agreement or this BAA, Business Associate will comply with the requirements of the Privacy Rule that apply to Covered Entity in the performance of such obligations.
3.2 Reporting of Improper Use or Disclosure, Security Incident or Breach. Business Associate will report to Covered Entity any use or disclosure of PHI not permitted under this BAA, Breach of Unsecured PHI or any Security Incident, without unreasonable delay, and in any event no more than thirty (30) days following discovery; provided, however, that the Parties acknowledge and agree that this Section constitutes notice by Business Associate to Covered Entity of the ongoing existence and occurrence of attempted but Unsuccessful Security Incidents (as defined below). “Unsuccessful Security Incidents” will include, but not be limited to, pings and other broadcast attacks on Business Associate’s firewall, port scans, unsuccessful log-on attempts, denials of service and any combination of the above, so long as no such incident results in unauthorized access, use or disclosure of PHI. Business Associate’s notification to Covered Entity of a Breach will include: (i) the identification of each individual whose Unsecured PHI has been, or is reasonably believed by Business Associate to have been, accessed, acquired or disclosed during the Breach; and (ii) any particulars regarding the Breach that Covered Entity would need to include in its notification, as such particulars are identified in 45 C.F.R. § 164.404. A Security Incident, for the purpose of this Section 3.2, does not include attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with Business Associate’s Corporate Information System (“non-PHI Information System”), as defined by Business Associate’s internal policies and procedures.
3.3 Subcontractors. In accordance with 45 C.F.R. § 164.502(e)(1)(ii) and 45 C.F.R. § 164.308(b)(2), as applicable, Business Associate will enter into a written agreement with any Subcontractor that creates, receives, maintains or transmits PHI on behalf of Business Associate for services provided to Covered Entity, providing that the Subcontractor agrees to restrictions and conditions that are substantially similar to those that apply through this BAA to Business Associate with respect to such PHI.
3.4 Access to PHI. The Parties do not intend for Business Associate to maintain any PHI in a Designated Record Set for Covered Entity. To the extent Business Associate possesses PHI in a Designated Record Set, Business Associate agrees to make such information available to Covered Entity pursuant to 45 C.F.R. § 164.524 and 42 U.S.C. § 17935(e) within ten (10) business days of Business Associate’s receipt of a written request from Covered Entity; provided, however, that Business Associate is not required to provide such access where the PHI contained in a Designated Record Set is duplicative of the PHI contained in a Designated Record Set possessed by Covered Entity. If an Individual makes a request for access pursuant to 45 C.F.R. § 164.524 directly to Business Associate, or inquiries about his or her right to access, Business Associate will either forward such request to Covered Entity or direct the Individual to Covered Entity.
3.5 Amendment of PHI. The Parties do not intend for Business Associate to maintain any PHI in a Designated Record Set for Covered Entity. To the extent Business Associate possesses PHI in a Designated Record Set, Business Associate agrees to make such information available to Covered Entity for amendment pursuant to 45 C.F.R. § 164.526 within twenty (20) business days of Business Associate’s receipt of a written request from Covered Entity. If an Individual submits a written request for amendment pursuant to 45 C.F.R. § 164.526 directly to Business Associate, or inquiries about his or her right to amendment, Business Associate will either forward such request to Covered Entity or direct the Individual to Covered Entity.
3.6 Documentation of Disclosures. Business Associate agrees to document such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528. Business Associate will document, at a minimum, the following information (“Disclosure Information”): (a) the date of the disclosure; (b) the name and, if known, the address of the recipient of the PHI; (c) a brief description of the PHI disclosed; (d) the purpose of the disclosure that includes an explanation of the basis for such disclosure; and (e) any additional information required under the HITECH Act and any implementing regulations
3.7 Accounting of Disclosures. Business Associate agrees to provide to Covered Entity, within twenty (20) business days of Business Associate’s receipt of a written request from Covered Entity, information collected in accordance with Section 3.6 of this BAA, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528 and 42 U.S.C. § 17935(c). If the Individual submits a written request for an accounting of disclosures of PHI pursuant to 45 C.F.R. § 164.528 directly to Business Associate, or inquiries about his or her right to an accounting, Business Associate will direct the Individual to Covered Entity.
3.8 Government Access to Records. Business Associate will make its internal practices, books and records relating to the use and disclosure of PHI received from or created or received by Business Associate on behalf of, Covered Entity available to the Secretary for purposes of the Secretary determining Covered Entity’s compliance with the Privacy Rule and the Security Rule.
3.9 Mitigation. To the extent reasonable and practicable, Business Associate will cooperate with Covered Entity’s efforts, at Business Associate’s expense, to mitigate a harmful effect that is known to Business Associate of a use of disclosure of PHI by Business Associate that is not permitted by this BAA. Business Associate shall reasonably cooperate with Covered Entity’s investigation, analysis, notification and mitigation activities, at Covered Entity’s expense, if it is determined that the source of the Breach or Security Incident is Covered Entity.
3.10 Minimum Necessary. Business Associate will request, use and disclose the minimum amount of PHI necessary to accomplish the purpose of the request, use or disclosure, in accordance with 45 C.F.R § 164.514(d), and any amendments thereto.
SECTION 4: OBLIGATIONS OF COVERED ENTITY
4.1 Notice of Privacy Practices. Covered Entity will notify Business Associate of any limitation(s) in its notice of privacy practices in accordance with 45 C.F.R § 164.520, to the extent that such limitation may affect Business Associate’s use or disclosure of PHI. Covered Entity will provide such notice no later than fifteen (15) days prior to the effective date of the limitation.
4.2 Notification of Changes Regarding Individual Permission. Covered Entity will obtain any consent or authorization that may be required by the Privacy Rule, or applicable state law, prior to furnishing Business Associate with PHI. Covered Entity will notify Business Associate of any changes in, or revocation of, permission by an Individual to use or disclose PHI, to the extent that such changes may affect Business Associate’s use or disclosure of PHI. Covered Entity will provide such notice no later than fifteen (15) days prior to the effective date of the change.
4.3 Notification of Restrictions to Use or Disclosure of PHI. Covered Entity will notify Business Associate of any restriction to the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 C.F.R § 164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of PHI. Covered Entity will provide such notice no later than (15) days prior to the effective date of the restriction. If Business Associate reasonably believes that any restriction agreed to by Covered Entity pursuant to this Section may materially impair Business Associate’s ability to perform its obligations under the Underlying Agreement of this BAA, the Parties will mutually agree upon any necessary modification of Business Associate’s obligations under such agreements.
4.4 Permissible Requests by Covered Entity. Covered Entity will not request Business Associate to use or disclose PHI in any manner that would not be permissible under the Privacy Rule, the Security Rule or the HITECH Act if done by Covered Entity, except as permitted pursuant to the provisions of Sections 2.2, 2.3, 2.4 and 2.5 of this BAA.
4.5 Minimum Necessary Disclosure. The Covered Entity shall provide to Business Associate only the “minimum necessary” PHI (as described in 45 C.F.R. 164.502(b)) required for Business Associate to perform its obligations under the Underlying Agreement(s).
SECTION 5: TERM AND TERMINATION
5.1 Term. The term of this BAA will commence as of the Effective Date and will terminate when all of the PHI provided by Covered Entity to Business Associate or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity. If it is infeasible to return or destroy PHI, Business Associate will extend the protections to such information, in accordance with Section 5.3.
5.2 Termination for Cause. Upon either Party’s knowledge of a material breach by the other Party of this BAA, such Party may terminate this BAA immediately if cure is not possible. Otherwise, the non-breaching party will provide written notice to the breaching Party detailing the nature of the breach and providing an opportunity to cure the breach with thirty (30) business days. Upon the expiration of such thirty (30) day cure period, the non-breaching Party may terminate this BAA if the breaching party does not cure the breach or if cure is not possible. If termination is not feasible, the non-breaching party may report the breach or violation to the Secretary.
5.3 Effect of Termination
5.3.1 Except as provided in Section 5.3.2, upon termination of the Underlying Agreement or this BAA for any reason, Business Associate will return or destroy all PHI received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity, at Covered Entity’s expense, and will retain no copies of the PHI. This provision will apply to PHI that is in the possession of subcontractors or agents of Business Associate.
5.3.2 If it is infeasible for Business Associate to return or destroy the PHI upon termination of the Underlying Agreement or this BAA (e.g., because Electronic PHI has been integrated into a database maintained by Business Associate and removal from the database is burdensome or impossible, or PHI has been aggregated with other PHI in a manner that makes it infeasible to extract PHI received from Covered Entity), Business Associate will: (a) extend the protections of this BAA to such PHI and (b) limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such PHI.
SECTION 6: BREACH REIMBURSEMENT
6.1 Breach Reimbursement. In the event of a Breach caused by Covered Entity, Covered Entity will reimburse Business Associate for its reasonable and substantiated costs related to such Breach, including (a) any sums reasonably required to conduct an independent security assessment to identify the source of the breach and/or to determine whether a Breach has occurred, (b) any related attorney’s fees, costs and expenses, including those incurred to defend Business Associate in any class action or other criminal or civil suit, (c) notification of individuals whose information has been compromised, and (d) any fines and assessments levied or collected by federal or state government agencies. This section shall survive termination of this Business Associate Agreement.
SECTION 7: COOPERATION IN INVESTIGATIONS
The Parties acknowledge that certain breaches or violations of this BAA may result in litigation or investigations pursued by federal or state governmental authorities of the United States resulting in civil liability or criminal penalties. Each Party will cooperate in good faith in all respects with the other Party in connection with any request by a federal or state governmental authority for additional information and documents or any governmental investigation, complaint, action or other inquiry.
SECTION 8: SURVIVAL
The respective rights and obligation of Business Associate that should survive termination of the BAA will survive the termination of this BAA and the Underlying Agreement.
SECTION 9: AMENDMENT
This BAA may be modified, or any rights under it waived, only by a written document executed by the authorized representatives of both Parties. In addition, if any relevant provision of the Privacy Rule, the Security Rule or the HIPAA Final Rule is amended in a manner that changes the obligation of Business Associate or Covered Entity that are embodied in terms of this BAA, then the Parties agree to negotiate in good faith appropriate non-financial terms or amendments to this BAA to give effect to such revised obligations.
SECTION 10: EFFECT OF BAA
In the event of any inconsistency between the provisions of this BAA and the Underlying Agreement, the provisions of this BAA will control. If a court or regulatory agency with authority over Business Associate or Covered Entity interprets the mandatory provisions of the Privacy Rule, the Security Rule or the HIPAA Final Rule, in a way that is inconsistent with the provisions of this BAA, such interpretation will control. Where provisions of this BAA are different from those mandated in the Privacy Rule, the Security Rule, or the HIPAA Final Rule, but are nonetheless permitted by such rules as interpreted by courts or agencies, the provisions of this BAA will control.
SECTION 11: GENERAL
This BAA is governed by, and will be construed in accordance with, the laws of the State that govern the Underlying Agreement. Any action relating to this BAA must be commenced within one year after the date upon which the cause of action accrued. Neither Party will assign this BAA without the prior written consent of the other Party, which will not be unreasonably withheld. If any part of a provision of this BAA is found illegal or unenforceable, it will be enforced to the maximum extent permissible, and the legality and enforceability of the remainder of that provision and all other provision of this BAA will not be affected. All notices relating to the Parties’ legal rights and remedies under this BAA will be provided in writing to a Party, will be sent to its address set forth in the Underlying Agreement, or to such other address as may be designated by that Party by notice to the sending Party, and will reference this BAA. Nothing in this BAA will confer any right, remedy, or obligation upon anyone other than Covered Entity and Business Associate. This BAA is the complete and exclusive agreement between the Parties with respect to the subject matter hereof, superseding and replacing all prior agreements, communications, and understandings (written and oral) regarding its subject matter. The parties have not created and do not intend to create by this BAA any third-party rights, including, but not limited to, third party rights for Covered Entity’s patients.
END OF BAA