Mendly LLC
This Business Associate Agreement (this “Agreement”) is entered into by and between the therapist or practice that accepts it (“Covered Entity”) and Mendly LLC, a Pennsylvania limited liability company (“Business Associate”), and is effective as of the date of acceptance (the “Effective Date”). Covered Entity and Business Associate may each be referred to as a “Party” and collectively as the “Parties.”
A. Business Associate provides a software platform and related services (the “Services”) that enable Covered Entity to manage patients, collect daily check-in responses, and review summaries and insights derived from those responses. In providing the Services, Business Associate creates, receives, maintains, or transmits Protected Health Information on behalf of Covered Entity.
B. The Parties are committed to complying with the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations, as amended by the HITECH Act, including the Privacy, Security, Breach Notification, and Enforcement Rules at 45 C.F.R. Parts 160 and 164 (collectively, the “HIPAA Rules”).
C. This Agreement sets forth the terms under which Business Associate may use and disclose Protected Health Information received from, created on behalf of, or maintained for Covered Entity, and is intended to satisfy the business associate contract requirements of 45 C.F.R. § 164.504(e) and § 164.314(a).
Capitalized terms used but not otherwise defined in this Agreement have the meanings ascribed to them in the HIPAA Rules, including “Breach,” “Designated Record Set,” “Electronic Protected Health Information” (“ePHI”), “Individual,” “Protected Health Information” (“PHI”), “Required by Law,” “Secretary,” “Security Incident,” “Subcontractor,” and “Unsecured PHI.” PHI is limited to information created, received, maintained, or transmitted by Business Associate from or on behalf of Covered Entity.
2.1 Business Associate may use or disclose PHI only as necessary to perform the Services, as permitted or required by this Agreement, or as Required by Law, and shall not use or disclose PHI in any manner that would violate Subpart E of 45 C.F.R. Part 164 if done by Covered Entity, except as set forth below.
2.2 Business Associate may use PHI for its proper management and administration or to carry out its legal responsibilities.
2.3 Business Associate may disclose PHI for its proper management and administration or to carry out its legal responsibilities, provided the disclosure is Required by Law or Business Associate obtains reasonable assurances that the PHI will remain confidential and be used or further disclosed only as Required by Law or for the purpose for which it was disclosed, and that the recipient will notify Business Associate of any breach of confidentiality.
2.4 Business Associate may provide data aggregation services relating to the health care operations of Covered Entity and may de-identify PHI in accordance with 45 C.F.R. § 164.514(a)–(c).
2.5 Business Associate shall make uses, disclosures, and requests for PHI consistent with the minimum necessary standard.
Business Associate agrees to:
4.1–4.3 Covered Entity shall notify Business Associate of any limitation in its notice of privacy practices, any change in or revocation of an Individual’s permission, and any restriction on the use or disclosure of PHI, to the extent any of these may affect Business Associate’s use or disclosure of PHI.
4.4 Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under Subpart E of 45 C.F.R. Part 164 if done by Covered Entity, except as permitted under Sections 2.2 through 2.4.
4.5 Covered Entity is solely responsible for obtaining any consents or authorizations required from Individuals and for providing each Individual with a notice of privacy practices as required by 45 C.F.R. § 164.520.
5.1 This Agreement is effective as of the Effective Date and remains in effect until all PHI is destroyed or returned to Covered Entity, or protections are extended in accordance with Section 5.3.
5.2 Upon knowledge of a material breach by Business Associate, Covered Entity may provide thirty (30) days to cure; if the breach is not cured, or if cure is not feasible, Covered Entity may terminate this Agreement and the Services.
5.3 Upon termination, Business Associate shall return or destroy all PHI it still maintains and retain no copies. Where return or destruction is infeasible, Business Associate shall extend the protections of this Agreement to such PHI and limit further uses and disclosures to those purposes that make return or destruction infeasible, for so long as it maintains such PHI. This Section survives termination.
6.1 A reference to a section in the HIPAA Rules means the section as in effect or as amended and for which compliance is required.
6.2 The Parties agree to amend this Agreement as necessary for compliance with the HIPAA Rules and applicable law.
6.3 The obligations of Business Associate under Section 5.3 survive termination.
6.4 Any ambiguity shall be resolved to permit compliance with the HIPAA Rules. In the event of any inconsistency between this Agreement and any other agreement between the Parties regarding the Services, this Agreement controls with respect to its subject matter.
6.5 Nothing in this Agreement confers any rights upon any person other than the Parties and their successors and permitted assigns.
6.6 This Agreement is governed by the laws of the Commonwealth of Pennsylvania, without regard to its conflict-of-laws principles, except to the extent preempted by federal law.
6.7 Acceptance of this Agreement through the electronic process made available by Business Associate, including by clicking a box or button indicating agreement, constitutes a valid and binding execution of this Agreement, and the electronic record of such acceptance, including its date and time and the identity of the accepting individual, is admissible evidence of the Parties’ agreement.