Business Associates

Oatmeal Health operates the https://oatmealhealth.com website. This website, including all content, features, functionality, programs, applications, or services provided on or through it, is referred to in this Business Associate Agreement as the “Site.” By using the Site, whether accessed via computer, mobile device, or other technology, manner, or means, you agree to the terms and conditions of this Business Associate Agreement, which is a binding legal agreement between you and OATMEAL HEALTH. In this Business Associate Agreement, “you” means the health care provider, whether an individual or entity, that conducts transactions in electronic form that are covered by the Health Insurance Portability and Accountability Act of 1996, as amended from time to time (“HIPAA”), and that has created an account on the Site. You are referred to in this Business Associate Agreement as Covered Entity.

1. Background and Purpose of Business Associate Agreement.
Through the Site, Business Associate provides electronic messaging and related technology services (the “Service”) to and on behalf of health care provider customers, including Covered Entity.
Covered Entity possesses Individually Identifiable Health Information (as hereinafter defined) that is protected under HIPAA, the HIPAA Privacy Regulations (as hereinafter defined), the HIPAA Security Regulations (as hereinafter defined) and the HITECH Standards (as hereinafter defined) and is permitted to use or disclose such information only in accordance with such laws and regulations.
Business Associate may need to receive, access, maintain, use and disclose Individually Identifiable Health Information held by Covered Entity to provide the Service to Covered Entity, and Covered Entity wishes to ensure that Business Associate will appropriately safeguard the privacy, confidentiality, integrity and availability of Individually Identifiable Health Information.

2. Definitions.
The following terms, when used in this Business Associate Agreement, shall have the following meanings, provided that the terms set forth below shall be deemed to be modified to reflect any changes made to such terms from time to time as defined in HIPAA, the HIPAA Privacy Regulations, the HIPAA Security Regulations, and the HITECH Standards.
a. “Breach” means the acquisition, access, use, or disclosure of Protected Health Information in a manner not permitted under 45 C.F.R. Part 164, Subpart E which compromises the security or privacy of the Protected Health Information. “Breach” shall not include:
1. Any unintentional acquisition, access, or use of Protected Health Information by a workforce member or person acting under the authority of the Covered Entity or Business Associate, if such acquisition, access, or use was made in good faith and within the scope of authority and does not result in further use or disclosure in a manner not permitted under the HIPAA Privacy Rule; or
2. Any inadvertent disclosure by a person who is authorized to access Protected Health Information at the Covered Entity or Business Associate to another person authorized to access Protected Health Information at the Covered Entity or Business Associate, respectively, or Organized Health Care Arrangement in which the Covered Entity participates, and the information received as a result of such disclosure is not further used or disclosed in a manner not permitted under the HIPAA Privacy Rule; or
3. A disclosure of Protected Health Information where the Covered Entity or Business Associate has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.
b. “Data Aggregation” means, with respect to PHI created or received by Business Associate in its capacity as the Business Associate of Covered Entity, the combining of such PHI by Business Associate with the PHI received by Business Associate in its capacity as a Business Associate of another Covered Entity, to permit data analyses that relate to the health care operations of the respective Covered Entities.
c. “Electronic Protected Health Information” or “Electronic PHI” means Protected Health Information that is transmitted by or maintained in electronic media as defined in the HIPAA Security Regulations.
d. “HIPAA Privacy Regulations” means the regulations promulgated under HIPAA by the United States Department of Health and Human Services to protect the privacy of Protected Health Information, including, but not limited to, 45 C.F.R. Part 160 and 45 C.F.R. Part 164, Subpart A and Subpart E.
e. “HIPAA Security Regulations” means the regulations promulgated under HIPAA by the United States Department of Health and Human Services to protect the security of Electronic Protected Health Information, including, but not limited to, 45 C.F.R. Part 160 and 45 C.F.R. Part 164, Subpart A and Subpart C.
f. “HITECH Standards” means the privacy, security and security Breach notification provisions applicable to a Business Associate under Subtitle D of the Health Information Technology for Economic and Clinical Health Act (“HITECH”), which is Title XIII of the American Recovery and Reinvestment Act of 2009 (Public Law 111-5), and any regulations promulgated thereunder.
g. “Individually Identifiable Health Information” means information that is a subset of health information, including demographic information collected from an individual, that is:
1. created or received by a health care provider, health plan, employer, or health care clearinghouse; and
2. relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and
a. that identifies the individual; or
b. with respect to which there is a reasonable basis to believe the information can be used to identify the individual.
h. “Protected Health Information” or “PHI” means Individually Identifiable Health Information transmitted or maintained in any form or medium that (i) is received by Business Associate from Covered Entity, (ii) Business Associate creates for its own purposes from Individually Identifiable Health Information that Business Associate received from Covered Entity, or (iii) is created, received, transmitted or maintained by Business Associate on behalf of Covered Entity. Protected Health Information excludes Individually Identifiable Health Information in education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. § 1232g, records described at 20 U.S.C. § 1232g(a)(4)(B)(iv), and employment records held by the Covered Entity in its role as employer.
i. “Security Incident” means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.
j. Any terms capitalized, but not otherwise defined, in this Business Associate Agreement shall have the same meaning as those terms have under HIPAA, the HIPAA Privacy Regulations, the HIPAA Security Regulations, and the HITECH Standards and shall be deemed to be modified to reflect any changes made to such terms from time to time as defined in HIPAA, the HIPAA Privacy Regulations, the HIPAA Security Regulations, and the HITECH Standards.

3. Obligations and Activities of Business Associate

a. Use or Disclosure. Business Associate agrees not to use or further disclose Protected Health Information other than as expressly permitted or required by this Business Associate Agreement or as required by law.
b. Safeguards. Business Associate agrees to use appropriate safeguards to prevent any use or disclosure of the Protected Health Information other than uses and disclosures expressly provided for by this Business Associate Agreement. Business Associate further agrees to use appropriate administrative, physical and technical safeguards to protect the confidentiality, integrity and availability of any Electronic Protected Health Information in accordance with the HIPAA Security Regulations.
c. Mitigation. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of Protected Health Information by Business Associate in violation of the requirements of this Business Associate Agreement.
d. Reporting. Business Associate agrees to report to Covered Entity any use or disclosure of Protected Health Information in violation of this Business Associate Agreement by Business Associate or by a third party to which Business Associate disclosed Protected Health Information pursuant to Section 3.e (Subcontractors and Agents), in the time and manner agreed to by the Parties. Business Associate further agrees to report promptly to Covered Entity any Security Incident of which it becomes aware.

Notwithstanding the foregoing provisions of this Section 3.d, Business Associate shall promptly report to Covered Entity any Breach consistent with the regulations promulgated under HITECH by the United States Department of Health and Human Services at 45 C.F.R. Part 164, Subpart D.
e. Subcontractors and Agents. Business Associate agrees to ensure that any agents, including subcontractors, to whom it provides Protected Health Information received from, or created or received by Business Associate on behalf of, Covered Entity agree to the same restrictions and conditions that apply through this Business Associate Agreement to Business Associate with respect to such information.
f. Access. Because Business Associate will not be maintaining Protected Health Information in a Designated Record Set, Business Associate will not be required to provide Covered Entity access to Protected Health Information. In the event any individual requests access to Protected Health Information directly from Business Associate, Business Associate shall forward such request to Covered Entity in the time and manner reasonably designated by Covered Entity such that Covered Entity can respond to such individual in accordance with 45 C.F.R. § 164.524. Any denials of access to the Protected Health Information requested shall be the responsibility of Covered Entity. To the extent that any record of communications of Protected Health Information through the Site must, under HIPAA or the HIPAA Privacy Regulations, be maintained in a Designated Record Set of Covered Entity, it is the responsibility of Covered Entity to include such record in the Designated Record Set that is made available to individuals requesting access to or seeking to amend records containing their PHI.
g. Amendment. Because Business Associate will not be maintaining Protected Health Information in a Designated Record Set, Business Associate will not be required to provide Protected Health Information to Covered Entity for amendment or incorporate any such amendments in the Protected Health Information pursuant to 45 C.F.R. §164.526.
h. Audit and Inspection. Business Associate agrees to make its internal practices, books, and records, including policies and procedures and Protected Health Information, relating to the use and disclosure of Protected Health Information and the security of Electronic Protected Health Information, available to Covered Entity, or, at the request of Covered Entity, to the Secretary of Health and Human Services (the “Secretary of HHS”) or any officer or employee of HHS to whom the Secretary of HHS has delegated such authority for the purposes of the Secretary of HHS determining Covered Entity’s compliance with the HIPAA Privacy Regulations, the HIPAA Security Regulations, and the HITECH Standards. Such information shall be made available in a time and manner designated by Covered Entity or the Secretary of HHS.
i. Documentation of Disclosures. Business Associate agrees to document such disclosures of Protected Health Information, and such information related to such disclosures, as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 C.F.R. § 164.528.
j. Accounting. Upon receipt of notice by or on behalf of Covered Entity that Covered Entity has received a request for an accounting of disclosures of Protected Health Information, Business Associate shall make available to Covered Entity, in the time and manner reasonably designated by Covered Entity, that information collected in accordance with Section 3.i (Documentation of Disclosures) of this Business Associate Agreement, to permit Covered Entity to respond to the request in accordance with 45 C.F.R. § 164.528.
k. Compliance with the HITECH Standards. Notwithstanding any other provision in this Business Associate Agreement, no later than the Effective Date, unless a separate effective date is specified by law or this Business Associate Agreement for a particular requirement (in which case the separate effective date shall be the effective date for that particular requirement), Business Associate shall comply with the HITECH Standards, including, but not limited to: (i) compliance with the requirements regarding minimum necessary under HITECH § 13405(b); (ii) requests for restrictions on use or disclosure to health plans for payment or health care operations purposes when the provider has been paid out of pocket in full consistent with HITECH § 13405(a); (iii) the prohibition of sale of PHI without authorization unless an exception under HITECH § 13405(d) applies; (iv) the prohibition on receiving remuneration for certain communications that fall within the exceptions to the definition of marketing under 45 C.F.R. § 164.501 unless permitted by this Business Associate Agreement and Section 13406 of HITECH; (v) the requirements relating to the provision of access to certain information in electronic format under HITECH § 13405(e); (vi) compliance with each of the Standards and Implementation Specifications of 45 C.F.R. §§ 164.308 (Administrative Safeguards), 164.310 (Physical Safeguards), 164.312 (Technical Safeguards) and 164.316 (Policies and Procedures and Documentation Requirements); and (vii) the requirements regarding accounting of certain disclosures of PHI maintained in an Electronic Health Record (as defined in HITECH § 13405(c)) to the extent that Business Associate discloses any PHI maintained in an Electronic Health Record on behalf of the Covered Entity pursuant to this Business Associate Agreement. Changes to this Business Associate Agreement may be required to comply with any regulations promulgated pursuant to HITECH. In such case, Covered Entity will be asked to agree to a new business associate agreement in order to continue use of the Service.
l. Minimum Necessary Use and Disclosure. In using and disclosing PHI, Business Associate shall make reasonable efforts to limit the use and/or disclosure of PHI to the minimum amount of information necessary as determined by Covered Entity to accomplish the intended purpose of the use or disclosure.
m. Electronic Transactions Regulations. If Business Associate conducts any Transaction for or on behalf of Covered Entity which is covered under the Electronic Transactions Standards from and after the Effective Date, Business Associate agrees that it will comply with, and cause its employees, agents and representatives, and subcontractors to comply with, the applicable requirements of the Electronic Transactions Standards.

4. Permitted Uses and Disclosures by Business Associate
a. General Use and Disclosure Provisions. Except as otherwise limited in this Business Associate Agreement, Business Associate may use or disclose Protected Health Information in connection with its provision of the Service, as described in part in the Privacy Policy of Business Associate, and as expressly permitted by this Business Associate Agreement, if such use or disclosure of Protected Health Information would not violate HIPAA, the HIPAA Privacy Regulations or the HITECH Standards if done by Covered Entity.
b. Specific Use and Disclosure Provisions.
1. Except as otherwise limited in this Business Associate Agreement, Business Associate may use and disclose Protected Health Information for the proper management and administration of the Business Associate or to meet its legal responsibilities; provided, however, that such Protected Health Information may be disclosed for such purposes only if the disclosures are required by law or the Business Associate obtains certain reasonable assurances from the person to whom the information is disclosed. The required reasonable assurances are that:
a. the information will remain confidential;
b. the information will be used or further disclosed only as required by law or for the purpose for which the information was disclosed to the person; and
c. the person will notify the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.
2. Business Associate may use and disclose Protected Health Information to report violations of law to appropriate Federal and State authorities, consistent with 45 C.F.R. § 164.502(j)(1).
3. Business Associate may use and disclose PHI received by Business Associate in its capacity as a Business Associate of Covered Entity to provide Data Aggregation services relating to the health care operations of Covered Entity and other covered entity customers of Business Associate.
4. Business Associate may de-identify any and all PHI, provided that Business Associate implements de-identification criteria in accordance with the HIPAA Privacy Regulations. De-identified information does not constitute PHI and is not subject to the terms of this Business Associate Agreement.

5. Obligations of Covered Entity

a. Requested Uses and Disclosures. Covered Entity shall not request Business Associate to use or disclose Protected Health Information in any manner that would not be permissible under the HIPAA Privacy Regulations or the HITECH Standards if done by Covered Entity or that is not otherwise expressly permitted under Section 4 (Permitted Uses and Disclosures by Business Associate) of this Business Associate Agreement.
b. Consents and Authorizations. Covered Entity will obtain any consent or authorization that may be required by the HIPAA Privacy Regulations, or applicable state law prior to furnishing Business Associate the Protected Health Information pertaining to any individual.
c. Revocations or Restrictions. Covered Entity shall provide Business Associate with any changes in, or revocation of, permission by an individual to use or disclose PHI, including any restrictions on use or disclosure, if such changes affect Business Associate’s permitted or required uses or disclosures.
d. Transmission of Protected Health Information. Covered Entity will not transmit to Business Associate any Protected Health Information that is subject to any arrangements permitted or required of the Covered Entity under applicable regulations that may impact in any manner the use and/or disclosure of Protected Health Information by Business Associate under this Business Associate Agreement, including, but not limited to, restrictions on use and/or disclosure of Protected Health Information as provided for in the HIPAA Privacy Regulations.

6. Term and Termination
a. Term. This Business Associate Agreement shall continue in effect until superseded by a subsequent business associate agreement between the Parties or terminated in accordance with the provisions of Section 6.b (Termination for Cause) or Section 6.c (Automatic Termination).
b. Termination for Cause. Upon Covered Entity’s knowledge of a material breach by Business Associate, Covered Entity may, in its sole discretion, either (1) provide Business Associate with written notice (by e-mail or regular mail) of and an opportunity to cure such breach and then terminate this Business Associate Agreement if Business Associate does not cure the breach within the time period specified by Covered Entity, or (2) terminate this Business Associate Agreement immediately. In the event that termination of the Business Associate Agreement is not feasible, Business Associate acknowledges and agrees that Covered Entity has the right to report the breach to the Secretary of HHS.

Upon Business Associate’s knowledge of a material breach by the Covered Entity of this Business Associate Agreement, Business Associate may, in its sole discretion, provide Covered Entity with written notice (by e-mail or regular mail) of and an opportunity to cure such breach and then terminate this Business Associate Agreement if Covered Entity does not cure the breach within the time period specified by Business Associate. In the event that termination of the Business Associate Agreement is not feasible, Covered Entity acknowledges and agrees that Business Associate has the right to report the breach to the Secretary of HHS.
c. Automatic Termination. This Business Associate Agreement will automatically terminate without any further action of the Parties when Covered Entity ceases to use the Service, which shall be deemed to have occurred when no representative of Covered Entity has logged in to the Site to use the Service in six (6) months.
d. Effect of Termination.
1. Upon termination of this Business Associate Agreement, for any reason, Business Associate shall return or destroy all Protected Health Information received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity. This provision shall also apply to Protected Health Information that is in the possession of subcontractors or agents of Business Associate. Business Associate shall retain no copies of the Protected Health Information.
2. Notwithstanding the foregoing, in the event that Business Associate determines that returning or destroying the Protected Health Information is not feasible, Business Associate shall provide to Covered Entity notification of the conditions that make return or destruction not feasible. Upon mutual agreement of the Parties that return or destruction of Protected Health Information is not feasible, Business Associate shall extend the protections of this Business Associate Agreement to such Protected Health Information and limit further uses and disclosures of such Protected Health Information to those purposes that make the return or destruction not feasible, for so long as Business Associate maintains such Protected Health Information.

7. Miscellaneous
a. Regulatory References. A reference in this Business Associate Agreement to a section in HIPAA, the HIPAA Privacy Regulations, the HIPAA Security Regulations or the HITECH Standards means the section as in effect or as amended from time to time, and for which compliance is required.
b. Survival. The respective rights and obligations of Business Associate under Section 6.d (Effect of Termination) of this Business Associate Agreement shall survive the termination of this Business Associate Agreement.
c. Interpretation. Any ambiguity in this Business Associate Agreement shall be resolved in favor of a meaning that permits Covered Entity and Business Associate to comply with applicable law protecting the privacy, security and confidentiality of Protected Health Information, including, but not limited to, HIPAA, the HIPAA Privacy Regulations, the HIPAA Security Regulations or the HITECH Standards.
d. State Law. Nothing in this Business Associate Agreement shall be construed to require Business Associate to use or disclose Protected Health Information without a written authorization from an individual who is a subject of the Protected Health Information, or written authorization from any other person, where such authorization would be required under state law for such use or disclosure.
e. No Third Party Beneficiaries. Nothing express or implied in this Business Associate Agreement is intended or shall be deemed to confer upon any person other than Covered Entity, Business Associate, and their respective successors and assigns, any rights, obligations, remedies or liabilities.
f. Primacy. To the extent that any provisions of this Business Associate Agreement conflict with the provisions of any other agreement or understanding between the Parties, this Business Associate Agreement shall control with respect to the subject matter of this Business Associate Agreement.
g. Independent Contractors. No provision of this Business Associate Agreement is intended to create, nor shall be deemed or construed to create, any employment, agency or joint venture relationship between Covered Entity and Business Associate other than that of independent entities contracting with each other hereunder solely for the purpose of effectuating the provisions of this Business Associate Agreement. None of the Parties nor any of their respective representatives shall be construed to be the agent, employer, or representative of the other.
h. Arbitration. Either Covered Entity or Business Associate may, without the other’s consent, elect mandatory, binding arbitration of any claim, dispute, or controversy raised by either Covered Entity or Business Associate against the other arising under this Business Associate Agreement (each a “Claim”). All Claims, other than injunctive relief, are subject to arbitration, no matter what theory they are based on or what remedy they seek. If Covered Entity or Business Associate elects arbitration, the arbitration will be conducted as an individual arbitration. Neither Covered Entity nor Business Associate consents or agrees to any arbitration on a class or representative basis, and the arbitrator shall have no authority to proceed with an arbitration on a class or representative basis. No arbitration will be consolidated with any other arbitration proceeding without the consent of all parties. This arbitration provision applies to and includes any Claims made and remedies sought as part of any class action, private attorney general action, or other representative action. American Arbitration Association (“AAA”) will administer the arbitration. The AAA will apply its rules, codes, or procedures in effect at the time the arbitration is filed. The arbitration shall be before a single arbitrator. In the event Covered Entity files a Claim in arbitration, Business Associate will reimburse Covered Entity for the initial arbitration filing fee paid by Covered Entity up to $500. If there is an arbitration hearing, Business Associate will pay any fees of the arbitrator and the arbitration administrator for the first two days of the hearing. If Covered Entity prevails in the arbitration of any Claim against Business Associate, then Business Associate will reimburse Covered Entity for any fees Covered Entity paid to the arbitration organization in connection with the arbitration. All other fees, including attorneys’ fees, will be allocated in accordance with the AAA rules.
i. Execution. This Business Associate Agreement has been executed electronically by a duly authorized representative of the Covered Entity. By executing this Business Associate Agreement, the Covered Entity agrees to the terms and conditions set forth herein.