Business Associate Agreement

Mendly LLC

This Business Associate Agreement (this “Agreement”) is entered into by and between the therapist or practice that accepts it (“Covered Entity”) and Mendly LLC, a Pennsylvania limited liability company (“Business Associate”), and is effective as of the date of acceptance (the “Effective Date”). Covered Entity and Business Associate may each be referred to as a “Party” and collectively as the “Parties.”

Recitals

A. Business Associate provides a software platform and related services (the “Services”) that enable Covered Entity to manage patients, collect daily check-in responses, and review summaries and insights derived from those responses. In providing the Services, Business Associate creates, receives, maintains, or transmits Protected Health Information on behalf of Covered Entity.

B. The Parties are committed to complying with the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations, as amended by the HITECH Act, including the Privacy, Security, Breach Notification, and Enforcement Rules at 45 C.F.R. Parts 160 and 164 (collectively, the “HIPAA Rules”).

C. This Agreement sets forth the terms under which Business Associate may use and disclose Protected Health Information received from, created on behalf of, or maintained for Covered Entity, and is intended to satisfy the business associate contract requirements of 45 C.F.R. § 164.504(e) and § 164.314(a).

1. Definitions

Capitalized terms used but not otherwise defined in this Agreement have the meanings ascribed to them in the HIPAA Rules, including “Breach,” “Designated Record Set,” “Electronic Protected Health Information” (“ePHI”), “Individual,” “Protected Health Information” (“PHI”), “Required by Law,” “Secretary,” “Security Incident,” “Subcontractor,” and “Unsecured PHI.” PHI is limited to information created, received, maintained, or transmitted by Business Associate from or on behalf of Covered Entity.

2. Permitted Uses and Disclosures of PHI

2.1 Business Associate may use or disclose PHI only as necessary to perform the Services, as permitted or required by this Agreement, or as Required by Law, and shall not use or disclose PHI in any manner that would violate Subpart E of 45 C.F.R. Part 164 if done by Covered Entity, except as set forth below.

2.2 Business Associate may use PHI for its proper management and administration or to carry out its legal responsibilities.

2.3 Business Associate may disclose PHI for its proper management and administration or to carry out its legal responsibilities, provided the disclosure is Required by Law or Business Associate obtains reasonable assurances that the PHI will remain confidential and be used or further disclosed only as Required by Law or for the purpose for which it was disclosed, and that the recipient will notify Business Associate of any breach of confidentiality.

2.4 Business Associate may provide data aggregation services relating to the health care operations of Covered Entity and may de-identify PHI in accordance with 45 C.F.R. § 164.514(a)–(c).

2.5 Business Associate shall make uses, disclosures, and requests for PHI consistent with the minimum necessary standard.

3. Obligations of Business Associate

Business Associate agrees to:

  • not use or disclose PHI other than as permitted or required by this Agreement or as Required by Law;
  • use appropriate administrative, physical, and technical safeguards, and comply with Subpart C of 45 C.F.R. Part 164 with respect to ePHI;
  • report to Covered Entity any use or disclosure of PHI not provided for by this Agreement of which it becomes aware, including Breaches of Unsecured PHI and any Security Incident, without unreasonable delay and no later than thirty (30) days after discovery;
  • ensure that any Subcontractor that creates, receives, maintains, or transmits PHI on its behalf agrees in writing to restrictions at least as stringent as those that apply to Business Associate;
  • make PHI in a Designated Record Set available to satisfy Covered Entity’s access obligations under 45 C.F.R. § 164.524;
  • make amendments to PHI as directed by Covered Entity under 45 C.F.R. § 164.526;
  • maintain and make available the information required to provide an accounting of disclosures under 45 C.F.R. § 164.528;
  • make its internal practices, books, and records available to the Secretary for determining compliance with the HIPAA Rules; and
  • mitigate, to the extent practicable, any harmful effect known to it of a use or disclosure of PHI in violation of this Agreement.

4. Obligations of Covered Entity

4.1–4.3 Covered Entity shall notify Business Associate of any limitation in its notice of privacy practices, any change in or revocation of an Individual’s permission, and any restriction on the use or disclosure of PHI, to the extent any of these may affect Business Associate’s use or disclosure of PHI.

4.4 Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under Subpart E of 45 C.F.R. Part 164 if done by Covered Entity, except as permitted under Sections 2.2 through 2.4.

4.5 Covered Entity is solely responsible for obtaining any consents or authorizations required from Individuals and for providing each Individual with a notice of privacy practices as required by 45 C.F.R. § 164.520.

5. Term and Termination

5.1 This Agreement is effective as of the Effective Date and remains in effect until all PHI is destroyed or returned to Covered Entity, or protections are extended in accordance with Section 5.3.

5.2 Upon knowledge of a material breach by Business Associate, Covered Entity may provide thirty (30) days to cure; if the breach is not cured, or if cure is not feasible, Covered Entity may terminate this Agreement and the Services.

5.3 Upon termination, Business Associate shall return or destroy all PHI it still maintains and retain no copies. Where return or destruction is infeasible, Business Associate shall extend the protections of this Agreement to such PHI and limit further uses and disclosures to those purposes that make return or destruction infeasible, for so long as it maintains such PHI. This Section survives termination.

6. Miscellaneous

6.1 A reference to a section in the HIPAA Rules means the section as in effect or as amended and for which compliance is required.

6.2 The Parties agree to amend this Agreement as necessary for compliance with the HIPAA Rules and applicable law.

6.3 The obligations of Business Associate under Section 5.3 survive termination.

6.4 Any ambiguity shall be resolved to permit compliance with the HIPAA Rules. In the event of any inconsistency between this Agreement and any other agreement between the Parties regarding the Services, this Agreement controls with respect to its subject matter.

6.5 Nothing in this Agreement confers any rights upon any person other than the Parties and their successors and permitted assigns.

6.6 This Agreement is governed by the laws of the Commonwealth of Pennsylvania, without regard to its conflict-of-laws principles, except to the extent preempted by federal law.

6.7 Acceptance of this Agreement through the electronic process made available by Business Associate, including by clicking a box or button indicating agreement, constitutes a valid and binding execution of this Agreement, and the electronic record of such acceptance, including its date and time and the identity of the accepting individual, is admissible evidence of the Parties’ agreement.