Last Updated: May 2, 2023

This Business Associate Agreement (“BAA”) and the terms and conditions contained herein apply to Company’s use of those Services specified within a Subscription Order Form entered into by and between Home Care Pulse, LLC, doing business as Activated Insights (“Activated Insights”), and Company, as expressly incorporated into and made a part of the Subscription Order Form by reference therein. By way of execution of the Subscription Order Form, both Activated Insights, as a Business Associate of Company, and Company, as a Covered Entity, have agreed to be bound by this BAA, which shall be effective as of the date of Company’s signature on the Subscription Order Form (“Effective Date”). All capitalized terms used herein but not defined shall have the meanings ascribed to them in the Agreement to which this BAA applies.

Activated Insights provides Services to Company pursuant to one or more underlying Subscription Order Forms that incorporate by reference Activated Insights’ Terms of Services (each Subscription Order Form that incorporates by reference the Terms of Service is an “Agreement”), pursuant to which Activated Insights may create, receive, maintain, or transmit Protected Health Information (“PHI”) of Company in order to enable Activated Insights to perform one or more Services for Company related Company’s Treatment, Payment or Health Care Operations.

Activated Insights and Company desire to comply with the Health Insurance Portability Activated Insights and Accountability Act of 1996 (“HIPAA”) and the Final Rule for Standards for Privacy of Individually Identifiable Health Information adopted by the United States Department of Health and Human Services and codified at 45 C.F.R. Part 160 and Part 164, Subparts A, C (“Security Rule”), and E (“Privacy Rule”) as well as Subtitle D of the Health Information Technology for Economic and Clinical Health Act (“HITECH”).

Capitalized terms within this BAA shall have the same meaning as those terms are defined at 45 C.F.R. §§ 160.103, 164.103, 164.304, 164.402, and 164.501. This BAA applies to uses and disclosures of all PHI that Activated Insights creates for or on behalf of, or receives from or on behalf of, Company.

Activated Insights and Company hereby agree as follows:

1. Permitted Uses and Disclosures. Activated Insights may use and disclose PHI:

  1. in the course of performing Services for or on behalf of Company;
  2. as required or permitted by law, regulation, regulatory agency, or by any accrediting body to whom Company or Activated Insights may be required to disclose such PHI;
  3. as set forth in an authorization that complies with HIPAA and HITECH; or
  4. to provide Data Aggregation services, as permitted by 45 C.F.R. § 164.504(e)(2)(i)(B).

Except as otherwise limited in this BAA, Activated Insights may use PHI for the proper management and administration of Activated Insights or to carry out the legal responsibilities of Activated Insights.

2 . Activated Insights’ Obligations

  • Ensure, through a written contractual agreement that complies with 45 C.F.R. § 164.314, that its agents and Subcontractors to whom it may provide PHI agree to the same terms and conditions as are applicable to Activated Insights.
  • Implement appropriate and reasonable safeguards to prevent use or disclosure of PHI other than as permitted herein, including those safeguards required pursuant to 45 C.F.R. § 164.308, 164.310, 164.312, 164.314, and 164.316, and comply, as applicable, with the requirements of 45 C.F.R. Part 164, Subpart C.
  • Make available to the Secretary of Health and Human Services, Activated Insights’ internal practices, books and records relating to the use or disclosure of PHI for purposes of determining Company’s compliance with HIPAA.
  • Report to Company and mitigate, to the extent practicable, any harmful effect that is known to Activated Insights of uses or disclosures of PHI of which Activated Insights becomes aware that do not comply with the terms herein, including Breaches of Unsecured PHI as required by 45 C.F.R. § 164.410, and any Security Incident of which it becomes aware.
  • Make uses and disclosures and requests for PHI consistent with Activated Insights’ minimum necessary policies and procedures.

3. Company’s Obligations

  • Notify Activated Insights of any limitation(s) in its notice of privacy practices in accordance with 45 C.F.R. § 164.520, to the extent that such limitation may affect Activated Insights’ use or disclosure of PHI.
  • Notify Activated Insights of any changes in, or revocation of, permission by an individual to use or disclose PHI to the extent that such changes may affect Activated Insights’ use or disclosure of PHI.
  • Notify Activated Insights of any restriction to the use or disclosure of PHI that Company has agreed to in accordance with 45 C.F.R. §164.522, to the extent that such restriction may affect Activated Insights’ use or disclosure of PHI.
  • Request Activated Insights to use or disclose PHI only in a manner permissible under HIPAA and HITECH if done by the Company.

4. Term and Termination

The term of this BAA shall commence as of the Effective Date and shall terminate when all of the PHI provided by Company to Activated Insights, or created or received by Activated Insights on behalf of Company, is destroyed or, if it is infeasible to destroy the PHI, when protections are extended to such information, as provided herein. Company may terminate this BAA if Activated Insights fails to cure or take substantial steps to cure a material breach of this BAA within thirty (30) days after receiving written notice of such material breach from Company. If the underlying agreement terminates or expires, Activated Insights will maintain Company’s PHI for sixty (60) days in order for Company to resubmit claims as necessary. Company’s PHI will then be destroyed by Activated Insights. If such destruction of PHI is not feasible, Activated Insights will continue to abide by the terms set forth herein with respect to such PHI, and further uses and disclosures of such PHI will be limited to those purposes that make destruction infeasible. This Section 4 shall survive the termination of this BAA.

5. Agreement

This BAA, as part of the applicable Agreement, constitutes the entire agreement between the Parties concerning its subject matter. This BAA may be amended only in writing signed by Company and Activated Insights. The Parties agree to take such action to amend this BAA as is necessary to comply with the requirements of HIPAA and HITECH. This BAA and the rights and obligations of the Parties hereunder shall in all respects be governed by, and construed in accordance with, the laws of the State of Idaho, including all matters of construction, validity, and performance. Any ambiguity in this BAA shall be resolved in favor of a meaning that permits the Parties to comply with HIPAA and HITECH, as applicable.

6. Liability

All liability of Activated Insights under this BAA is subject to the limitation of liability provisions set forth in the Agreement. In any event, Activated Insights’ aggregate liability arising from or relating to this BAA, HIPAA or the transactions contemplated under this BAA shall not, in the aggregate, exceed the amounts paid by Company to Activated Insights under the Agreement during the 12-month period immediately preceding the event that caused the damage relating to the first claim made under the Agreement.