Business Associate Agreement

Introduction

This Business Associate Agreement ("BAA") is entered into between:

Business Associate:
Leah Wellness, Inc. ("Leah," "we," "us," or "Provider")
A Delaware corporation providing healthcare intake and assessment services

Covered Entity:
The healthcare provider, practice, or clinic ("you," "your," or "Company") that has registered to use Leah's services

Purpose of This Agreement

This BAA establishes the obligations and responsibilities of Leah Wellness, Inc. when handling Protected Health Information (PHI) on behalf of healthcare providers using our platform. This agreement complies with the requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended.

When This Agreement Applies

  1. This BAA automatically becomes effective when you register for Leah's services

  2. It remains in effect as long as you use our platform

  3. It applies to all PHI we receive, maintain, or transmit on your behalf

Key Points

  • We handle PHI only for permitted purposes

  • We maintain appropriate security safeguards

  • We report any security incidents or breaches

  • We ensure our subcontractors protect PHI

  • We assist with patient rights requests

Agreement Structure

This BAA consists of:

  1. These introductory provisions

  2. The detailed terms below

  3. Any applicable state-specific requirement

    Business Associate Obligations

    • Obligations and Restrictions. Provider may not use or disclose PHI other than as described in this BAA, as permitted under the Privacy Rule, or as otherwise required by applicable law.

    • Permitted Uses and Disclosures. Except as otherwise permitted or required in this BAA, Provider may only use or disclose PHI as reasonably necessary to provide the Services or as otherwise required by applicable law.

    • Privacy and Information Security Program. Provider will maintain a privacy and information security program that takes steps to ensure that employees or agents of Provider comply with this BAA. This includes giving training to Provider’s workforce to ensure compliance with this BAA, implementing policies and practices that meet the current standards for the protection of PHI, and appointing Privacy and Security Officials as required under HIPAA.

    • Safeguards. Provider will implement appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of PHI that it receives, creates, maintains, or transmits on behalf of Company. Provider will maintain appropriate technical and organizational safeguards to reduce the risk of misuse or disclosure of PHI except as permitted under this BAA. In addition, Provider will comply with its obligations under the Security Rule.

    • Assessments. Provider agrees to conduct regular assessments of its compliance with its obligations under the Privacy Rule and Security Rule. Provider will make available a summary of such assessments to Company upon Company’s reasonable request.

    • Mitigation of Risks. Provider agrees to mitigate, to the extent practicable, any harmful effect that is known to Provider of a use or disclosure of PHI by Provider and to promptly communicate to Company any actions taken pursuant to this paragraph.

    • Subcontractors. Except as restricted by applicable Limitations, (a) Provider may disclose PHI to a Subcontractor; and (b) may allow the Subcontractor to create, receive, maintain, or transmit PHI on its behalf. However, Provider must first ensure that each Subcontractor executes a binding, written agreement requiring the Subcontractor to protect PHI under terms substantially similar to and no less stringent than this BAA. Provider will not be in compliance with this BAA if Provider knew of a pattern of activity or practice of a Subcontractor that constituted a material breach or violation of the Subcontractor’s obligations under any agreement between Provider and the Subcontractor. Provider will conduct appropriate due diligence on all Subcontractors.

    • Books and Records to HHS. Upon request, Provider will make its books, records, and internal policies and procedures relating to the use and disclosure of PHI available to the Secretary of HHS for the purpose of determining Company’s and Provider’s compliance with HIPAA.

    • Audit of Books and Records. Upon reasonable request, Provider will make its books, records, and internal policies and procedures relating to its compliance with this BAA available to Company. However, Provider is not required to provide any information or records that interfere with Provider’s confidentiality or proprietary rights or that would otherwise impact Provider’s compliance with its legal obligations.

    • Individual Requests. Provider will take reasonable efforts to support Company in completing requests related to individuals’ rights under HIPAA as related to the Services in a timely manner, but in no event will Provider’s response take more than ten business days. Examples of individual rights under HIPAA include the right to access PHI pursuant to 45 CFR §164.524, amend PHI pursuant to 45 CFR §164.526, and receive accounting of disclosures pursuant to 45 CFR §164.528. If relevant to the Services, Provider will maintain an accounting of disclosures it makes on Company’s behalf as required under 45 CFR §164.528(a). Except as directed by Company or required by law, Provider will not respond directly to any individual requests regarding their rights under HIPAA.

    • Compliance with Covered Entity’s Obligations. To the extent that Provider carries out Company’s obligations under the Privacy Rule, Provider will comply with the requirements of the relevant Privacy Rule regulations that apply to Company in the performance of such obligations.

  4. Company Obligations

    • Notice of Privacy Practices. Upon request, Company will provide Provider with its current notice of privacy practices adopted as required by the Privacy Rule. Company will notify Provider if any limitations in its notice of privacy practices impact Provider’s use or disclosure of PHI under the BAA.

    • Notice of Changes. Company will notify Provider in a timely manner of any changes to how Company uses or discloses PHI to the extent that the changes impact how Provider uses or discloses PHI under the BAA.

    • Notice of Restrictions. Company will notify Provider in a timely manner of any restrictions agreed upon with an individual or their legal representative to the extent that the restrictions may impact Provider’s use or disclosure of PHI under the BAA.

    • Compliance with Laws. Company will only use and disclose PHI to Provider in accordance with its obligations under HIPAA and with applicable law.

  5. Data Rights & Restrictions

    • Offshoring PHI. Except as restricted by applicable Limitations, Provider is permitted to use and disclose PHI outside of the United States to provide the Services.

    • De-Identification. Except as restricted by applicable Limitations, Provider may de-identify PHI.

    • Aggregation. Except as restricted by applicable Limitations, Provider may aggregate PHI for its own purposes.

  6. Breach Notification

    • Breach Reporting. Provider will report to Company within the Breach Notification Period each use or disclosure of PHI not permitted under this BAA of which Provider becomes aware, including breaches of unsecured PHI as required by §164.410 of HIPAA and any Security Incident involving PHI. In addition, each party will comply with its notification obligations under HIPAA regarding a Security Incident involving PHI.

    • Unsuccessful Attempts. Company agrees that this section will be deemed as sufficient notice under Section 4.1 if Provider periodically receives unsuccessful attempts for unauthorized access to, use of, or disclosure of PHI, or for general interference with the general operation of Provider’s products and services.

    • Security Incident Reimbursement. Provider will reimburse Company for costs reasonably associated with a Security Incident caused by Provider or one of its Subcontractors.

    • Confidentiality. Provider will not disclose information related to a Security Incident except as required by applicable law.

  7. Term & Termination

    • Term. This BAA will start on the BAA Effective Date and will continue in effect until the later of when all obligations of the parties have been met under this BAA or when the Agreement ends or expires.

    • Termination. Either party may terminate this BAA if the other party fails to cure a material breach of the BAA within 30 days after receiving notice of the breach. A material breach of the BAA will be deemed a material breach of the Agreement.

    • Effect of Termination.

      1. Upon any expiration or termination of this BAA, or earlier if directed by Company, Provider will either return or destroy, at Company’s discretion and according to Company’s instructions, all PHI maintained in any form by Provider, its agents, or its Subcontractors.

      2. Provider may not retain any copies of PHI unless directed to do so by Company. However, if neither return nor destruction are feasible, Provider may retain PHI as long as Provider continues to comply with all provisions of this BAA for the time it retains PHI and limits the use or disclosure of retained PHI to those purposes that made the return or destruction of PHI infeasible.

  8. Definitions

    • Defining Variables. Variables have the meanings or descriptions given on the Cover Page. However, if the Cover Page omits or does not define a Variable, the default meaning will be “none” or “not applicable” and the correlating clause, sentence, or section does not apply to the BAA.

    • “BAA” means the Cover Page between Provider and Company that incorporates these BAA Standard Terms and any policies and documents referenced in or attached to the Cover Page.

    • “BAA Standard Terms” means these Common Paper BAA Standard Terms Version 1.0, which are posted at https://commonpaper.com/standards/business-associate-agreement/1.0.

    • “Breach” has the meaning given to it under HIPAA.

    • “Business Associate” has the meaning given to it under HIPAA.

    • “Covered Entity” has the meaning given to it under HIPAA.

    • “Cover Page” means a document that is signed by the parties, identifies Provider and Company, incorporates these BAA Standard Terms, and includes definitions or descriptions for Variables.

    • “Designated Record Set” has the meaning given to it under HIPAA.

    • “HHS” means the U.S. Department of Health and Human Services.

    • “HIPAA” means the Health Insurance Portability and Accountability Act of 1996 and the rules and regulations thereunder, as amended from time to time.

    • “Privacy and Security Officials” has the meaning given to it under HIPAA.

    • “Privacy Rule” means the federal privacy regulations issued pursuant to HIPAA, codified at 45 CFR Parts 160 and 164 (Subparts A & E).

    • “Protected Health Information” or “PHI” has the meaning given to it under HIPAA.

    • “Security Incident” has the meaning given to it under HIPAA.

    • “Security Rule” means the federal security regulations issued pursuant to HIPAA, codified at 45 CFR Parts 160 and 164 (Subparts A & C).

    • “Services” means the products and services provided by Provider under the Agreement.

    • “Subcontractor” means a third party to whom Provider provides PHI under this BAA.

    • “Variable” means a word or phrase in the BAA Standard Terms that is highlighted and capitalized, such as Limitations.