Business Associates Agreement

Please scroll through the Business Associate Agreement for Privacy and Security. Select "Agree" or "Decline" at the bottom of the scroll.

BeneMedical, LLC & Business Associate Agreement for Privacy and Security

This Business Associates Agreement ("Agreement") is entered into between the Acknowledged User via Section 10. of this agreement (hereafter "Covered Entity") and BeneMedical, LLC (hereafter "Business Associate") and shall be effective as of the Acknowledgement via Section 10. of this agreement ("Effective Date"). The purpose of this Agreement is to comply with the requirements the Privacy and Security Standards under the Health Insurance Portability and Accountability Act (HIPAA) of 1996 as published by the Secretary of the U. S. Department of Health and Human Services (DHHS). This Agreement defines the parties' rights and responsibilities under HIPAA for the exchange of PHI (Protected Health Information) and EPHI (Electronic Protected Health Information) as defined in this Agreement and establishes that the Business Associate desires to provide satisfactory assurances required by the Privacy Standards. This Agreement sets forth the terms and conditions that govern the use and disclosure of Protected Health Information which is provided to the Business Associate by the Covered Entity.

1. Business Associate Services

The Business Associate provides services for the Covered Entity that involve the use and disclosure of Protected Health Information. The specific services provided by the Business Associate are those activities associated with the normal use of as defined by the Business Associate.

2. Definitions

PHI - Protected Health Information (PHI) is defined, under the Privacy Standards, as any information that identifies an individual and describes their health status, sex, age, ethnicity, or other demographic characteristics, whether or not that information is stored or transmitted electronically. PHI includes oral, written, and electronic information. EPHI - Electronic Protected health Information (EPHI) is defined as PHI that is stored or transmitted electronically. Security Incident - A security incident is defined as an attempted or successful unauthorized access, use, disclosure, modification or destruction of EPHI.

3. Description of Permitted Uses and Disclosures

In order for Business Associate to provide its services to Covered Entity in accordance with this Agreement, Covered Entity intends to disclose Protected Health Information to Business Associate and expects Business Associate to use the Protected Health Information to perform its services under this Agreement such as: (a) Use of the Protected Health Information in its possession for its proper management and administration and to fulfill any present or future legal responsibilities of Business Associate provided that such uses are permitted under state and federal confidentiality laws; and (b) Disclosure of the Protected Health Information in its possession to third parties for the purposes of proper management and administration or to fulfill any present or future legal responsibilities of Business Associate provided that (i) such uses are permitted under state and federal confidentiality laws or; (ii) Business Associate has received third party written assurances regarding its confidential handling of such Protected Health Information as required by Privacy Standards, and (c) Aggregation of the Protected Health Information with the protected health information of other covered entities that Business Associate has in its possession through its capacity to provide its services to other covered entities, provided that the purpose of such aggregation is to provide covered entities with data analyses relating to their healthcare operations. Under no circumstances may Business Associate disclose Protected Health Information of Covered Entity to another covered entity absent the explicit authorization of Covered Entity, and (d) De-identification of Protected Health Information provided that the de-identification conforms to the requirements of Privacy Standards and further provided that Covered Entity is sent the documentation required by Privacy Standards that shall be in the form of a written assurance from Business Associate. Pursuant to Privacy Standards, de-identified information does not constitute Protected Health Information and is not subject to the terms of this Agreement.

4. Responsibilities of Business Associates

With regard to its use and disclosure of Protected Health Information, the Business Associate agrees to do the following: (a) Use and/or disclose the Protected Health Information only as permitted or required by this Agreement or as otherwise required by law; (b) Report to the designated privacy officer of the Covered Entity, by fax or electronic mail, any use or disclosure or security incident with PHI (electronic or other format) that is not permitted or required by the Privacy Rule or this agreement. Notification by the business associate to the covered entity must be made as soon as possible but not more than 60 calendar days from the discovery of a breach by the business associate. Information regarding a breach shall include (if available): - A brief description of what happened, including the date of the breach (if known) and the date of discovery of the breach; - A description of the types of unsecured PHI that were involved in the breach (i.e., full name, social security number, date of birth, home address, account number, diagnosis, disability code, and other types of PHI). Note - only the types of PHI will be listed, not the actual individual's information; - Any steps an individual should take to protect themselves from potential harm resulting from the breach (i.e., recommendations for an individual to contact credit bureaus, and how to make contact if credit card information was involved); - A brief description of what the business associate is doing to investigate the breach, to mitigate harm to individuals, and to protect against any further breaches, including the imposition of employee sanctions, if appropriate; and - Contact information for the business associate for the practices Compliance Officer to ask questions or learn additional information. - Plain Language - Breach notification requirements specify that the notice must be in plain language that the affected individual(s) can easily understand. (c) Use commercially reasonable efforts to maintain the security of PHI and to prevent unauthorized use and/or disclosure of such information, including the implementation of administrative, physical and technical safeguards to protect EPHI, and must require subcontractors to implement reasonable and appropriate safeguards to protect EPHI; (d) Require all of its employees, representatives, subcontractors or agents that receive or use or have access to PHI under this Agreement to agree in writing to adhere to the same terms and conditions on the use and/or disclosure of PHI that apply herein, including the obligation to return or destroy the Protected Health Information as provided under (h) of this section. (e) Make available all records, books, agreements, policies and procedures relating to the use and/or disclosure of PHI to the Secretary of DHHS for purposes of determining the Covered Entity's compliance with the Privacy and Security Standards, subject to attorney-client and other applicable legal privileges. (f) Upon written request, make available during normal business hours at Business Associate's offices all records, books, agreements, policies and procedures relating to the use and/or disclosure of PHI to the Covered Entity within ten (10) days, for purposes of enabling the Covered Entity to determine the Business Associate's compliance with the terms of this Agreement; (g) Upon written request, provide PHI in accordance with the individual's right to access, inspect, and copy their health information. This means the Covered Entity's patients shall continue to have the right to inspect and/or obtain copies of their PHI maintained by the Business Associate. (h) Within forty five (45) days of receiving a written request from the Covered Entity, provide to the Covered Entity such information, as is requested by the Covered Entity, to permit the Covered Entity to respond to a request by the subject individual for amendment and accounting purposes of the disclosures of the individual's PHI; (i) Return to the Covered Entity or destroy, as requested by the Covered Entity, within fifteen (15) days of the termination of this Agreement, the PHI in Business Associate's possession and retain no copies or back-up tapes. If this isn't possible, then the Business Associate must agree to limit disclosures of protected information beyond the termination of the contract.

5. Responsibilities of Covered Entity

With regard to the use and/or disclosure of PHI by the Business Associate, the Covered Entity hereby agrees: (a) To inform the Business Associate of any changes in the form of notice of privacy practices that the Covered Entity provides to individuals and provide the Business Associate a copy of the notice currently in use; and (b) To notify the Business Associate, in writing and in a timely manner, of any restrictions on the use and/or disclosure of Protected Health Information agreed to by the Covered Entity.

6. Mutual Representation and Warranty

Each party represents and warrants to the other party that all of its employees, agents, representatives and members of its work force, whose services may be used to fulfill obligations under this Agreement, are or shall be appropriately informed of the terms of this Agreement and are under legal obligation to fully comply with all provisions of this Agreement.

7. Term and Termination

(a) This Agreement shall become effective on the Effective Date and shall continue in effect until all obligations of the parties have been met, unless terminated as provided herein or by mutual agreement of the parties. (b) As provided for under the Privacy and Security Standards, the Covered Entity may immediately terminate this Agreement and any related agreement if it determines that the Business Associate has breached a material provision of this Agreement, including, without limitation, the confidentiality and privacy provisions of the contract. Alternatively, the Covered Entity may choose to: (i) provide the Business Associate with ten (10) days written notice of the existence of an alleged material breach; and (ii) afford the Business Associate an opportunity to cure said alleged material breach upon mutually agreeable terms. Failure to cure the alleged material breach in the manner set forth in this paragraph is grounds for the immediate termination of the Agreement. If termination is not feasible, the Covered Entity shall report the breach to the Secretary of DHHS. This Agreement will automatically terminate without any further action of the parties upon the termination or expiration of the Service Agreement. (c) This Agreement shall have an automatic renewal on the anniversary of the Effective Date with both parties having the option to terminate the Agreement without reason by providing the other party with a written notice of such termination at least thirty (30) days prior to the anniversary of the Effective Date. The respective rights and obligations of Business Associate and Covered Entity under the provisions of sections 4(i) and 8 shall survive the termination of this Agreement indefinitely.

8. Modification and Amendment

This Agreement may be modified or amended by the Business Associate, with or without agreement of the Covered Entity. The Covered Entity may not modify or amend this Agreement without the express written consent of the Business Associate. If modification or amendment is made by the Business Associate, the Covered Entity must be notified within 30 days.

9. Contact Information

Except as explicitly noted on this site, the services available through this site are offered by BeneMedical, LLC, a Limited Liability Company, located at 509 Central Avenue, Suite 228, Laurel, MS 39440. Our telephone number is (855)747-3444. If you notice that any user is violating these Business Associate Agreement for Privacy and Security, please contact us at

10. Acknowledgement

By selecting "Agree" below I acknowledge I understand and accept the Business Associate Agreement for Privacy and Security as presented herein. I also acknowledge I may, if I choose, to print and save a copy of this Agreement.

© 2019 BeneMedical, LLC