Are you a Covered Entity that is subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA)?
Persona understands the importance of the confidentiality, privacy, and security of an individual’s Protected Health Information (PHI) and supports and helps its customers in being HIPAA compliant.
HIPAA requires that Covered Entities (those subject to the HIPAA regulations) identify other businesses they disclose PHI to. These other businesses are known as Business Associates and are people or organizations that are contracted to perform functions for Covered Entities.
HIPAA allows Covered Entities to disclose PHI to Business Associates if the Business Associate assures that it will use the information only for the purposes for which it was engaged by the Covered Entity, will safeguard the information from misuse, and will help the Covered Entity comply with some of the Covered Entity’s duties under HIPAA. Covered Entities are required to enter into a Business Associate Agreement with Business Associates that includes the aforementioned assurances.
In this context, Persona is a Business Associate to its customers who are Covered Entities. As such, we will enter into a Business Associate Agreement with you upon your signing up for our service, in which Persona agrees as follows:
• Persona will not use or disclose PHI other than as permitted or required by the Business Associate Agreement or as required by law.
• Persona will use appropriate safeguards to prevent the use or disclosure of the PHI other than as provided for by the Business Associate Agreement.
• Persona will mitigate, to the extent practicable, any harmful effect that is known to Persona of a use or disclosure of PHI by Persona in violation of the requirements of the Business Associate Agreement.
• Persona will report to you any use or disclosure of the PHI not provided for by the Business Associate Agreement of which it becomes aware.
• Persona will ensure that any agent, including a subcontractor, to whom it provides PHI received from you, agrees to the same restrictions and conditions that apply through the Business Associate Agreement with respect to such information.
• Persona will make internal practices, books, and records, including policies and procedures, relating to the use and disclosure of PHI received from you available to the Secretary of Health and Human Services for purposes of determining your compliance with HIPAA.
Your obligations under this agreement would be as follows:
• You will use appropriate safeguards to prevent unauthorized Use or Disclosure of PHI, consistent with this HIPAA Business Associate Agreement, and as otherwise required under the Security Rule.
• You will provide us with any changes in, or revocation of, permission by an Individual to Use or Disclose PHI if such changes affect our permitted or required Uses or Disclosures of PHI under this HIPAA Business Associate Agreement. You will not agree to any request for a restriction that limits our permitted or required Uses or Disclosures of PHI under this HIPAA Business Associate Agreement unless you are required by law. In the event that you are required by law to agree to such a restriction, you will promptly notify us of the restriction. You will not request or cause us to Use or Disclose PHI in any manner that would not be permissible under HIPAA if done by you.
• You will not include in your notice of privacy practices under HIPAA any limitation that limits our permitted or required Uses or Disclosures of PHI under this HIPAA Business Associate Agreement unless such a limit is required by law. In the event that you are required by law to include such a limitation in your notice of privacy practices, you will promptly notify us of the limitation.
This HIPAA Business Associate Agreement supersedes any pre-existing agreements between the parties relating to HIPAA covering the Services. To the extent of any conflict or inconsistency between the terms of this HIPAA Business Associate Agreement and the remainder of the Agreement, the terms of this HIPAA Business Associate Agreement will govern. Except as expressly modified or amended under this HIPAA Business Associate Agreement, the terms of the Agreement remain in full force and effect.