Olanah Logo

Business Associate Agreement

This Business Associate Agreement ("BAA") is made and entered into as of the dates written below, effective as of the date that the Covered Entity creates an account for services registered with the Business Associate ("Effective Date") by and between Olanah, LLC ("Business Associate"), a limited liability company organized under the laws of the State of Wisconsin and the holder of the account registered with the Business Associate ("Covered Entity") (each a "Party" and collectively the "Parties").

Background

Covered Entity is either a "covered entity" or "business associate" of a covered entity, as each are defined under the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, as amended by the HITECH Act (as defined below) and the related regulations promulgated by HHS (as defined below) (collectively, "HIPAA") and, as such, is required to comply with HIPAA's provisions regarding the confidentiality and privacy of Protected Health Information;

The Parties have entered into or will enter into one or more agreements under which Business Associate provides or will provide certain specified services to Covered Entity (collectively, the "Services Agreement");

In providing services pursuant to the Services Agreement, Business Associate will have access to Protected Health Information;

By providing the services pursuant to the Services Agreement, Business Associate will become a "business associate" of the Covered Entity, as such term is defined under HIPAA;

Both Parties are committed to complying with all federal and state laws governing the confidentiality and privacy of health information, including but not limited to the Standards for Privacy of Individually Identifiable Health Information found at 45 CFR Part 160 and Part 164, Subparts A and E (collectively, the "Privacy Rule"); and

Both Parties intend to protect the privacy and provide for the security of Protected Health Information disclosed to Business Associate pursuant to the terms of the BAA, HIPAA, and other applicable laws.

1. Definitions

As used in the BAA:

  • "Affiliate" means a subsidiary or partner of Covered Entity that is, or has been, considered a covered entity, as defined by HIPAA.
  • "Breach" means the acquisition, access, use, or disclosure of PHI in a manner not permitted under the Privacy Rule that compromises the security or privacy of the PHI, as defined in 45 CFR §164.402.
  • "Breach Notification Rule" means the portion of HIPAA set forth in Subpart D of 45 CFR Part 164.
  • "Business Associate" has the meaning given in 45 CFR § 160.103.
  • "Data Aggregation" means, with respect to PHI created or received by Business Associate in its capacity as the "business associate" under HIPAA of Covered Entity, the combining of such PHI by Business Associate with the PHI received by Business Associate in its capacity as a business associate of one or more other "covered entity" under HIPAA, to permit data analyses that relate to the Health Care Operations of the respective covered entities.
  • "Designated Record Set" has the meaning given in the Privacy Rule, including 45 CFR §164.501.B.
  • "De-Identify" means alter the PHI such that the resulting information meets the requirements described in 45 CFR §§164.514(a) and (b).
  • "Electronic PHI" means any PHI maintained in or transmitted by electronic media as defined in 45 CFR §160.103.
  • "Health Care Operations" has the meaning given in 45 CFR §164.501.
  • "HHS" means the U.S. Department of Health and Human Services.
  • "HITECH Act" means the Health Information Technology for Economic and Clinical Health Act, enacted as part of the American Recovery and Reinvestment Act of 2009, Public Law 111-005.
  • "Individual" has the same meaning given to that term in 45 CFR §§164.501 and 160.130 and includes a person who qualifies as a personal representative in accordance with 45 CFR §164.502(g).
  • "Privacy Rule" means that portion of HIPAA set forth in 45 CFR Part 160 and Part 164, Subparts A and E.
  • "Protected Health Information" or "PHI" has the meaning given to the term "protected health information" in 45 CFR §§164.501 and 160.103, limited to the information created or received by Business Associate from or on behalf of Covered Entity.
  • "Security Incident" means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.
  • "Security Rule" means the Security Standards for the Protection of Electronic Health Information provided in 45 CFR Part 160 & Part 164, Subparts A and C.
  • "Unsecured Protected Health Information" or "Unsecured PHI" means any "protected health information" as defined in 45 CFR §§164.501 and 160.103 that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the HHS Secretary in the guidance issued pursuant to the HITECH Act and codified at 42 USC §17932(h).

2. Use and Disclosure of PHI

  • Except as otherwise provided in the BAA, Business Associate may use or disclose PHI as reasonably necessary to provide the services described in the BAA to Covered Entity and to undertake other activities of Business Associate permitted or required of Business Associate by the BAA or as required by law.
  • Except as otherwise limited by the BAA or federal or state law, Covered Entity authorizes Business Associate to use the PHI in its possession for the proper management and administration of Business Associate's business and to carry out its legal responsibilities. Business Associate may disclose PHI for its proper management and administration, provided that (i) the disclosures are required by law; or (ii) Business Associate obtains, in writing, prior to making any disclosure to a third party (a) reasonable assurances from this third party that the PHI shall be held confidential as provided under the BAA and used or further disclosed only as required by law or for the purpose for which it was disclosed to this third party and (b) an agreement from this third party to notify Business Associate immediately of any breaches of the confidentiality of the PHI.

By using Olanah LLC's services, you agree to be bound by this Business Associate Agreement.

Last Updated: 2025-02-10