This Business Associate Agreement (“BAA”) supplements and is made a part of any and all agreements entered into by and between Granger Genetics, LLC, a Virginia limited liability corporation (“Granger”) and any Business Associate (“BA”) submitting a Requisition.
RECITALS
- Granger is a “Covered Entity” as defined under 45 C.F.R. § 160.103.
- Granger and BA are entering into or have entered into, and may in the future enter into, one or more agreements (each an “Underlying Agreement”) under which BA performs functions or activities for or on behalf of, or provides services to Granger (“Services”) that involve receiving, creating, maintaining and/or transmitting Protected Health Information (“PHI”) of Granger as a “Business Associate” of Granger as defined under 45 C.F.R. § 160.103. This BAA shall only be operative in the event and to the extent this BAA is incorporated into an Underlying Agreement between Granger and BA.
- Granger and BA desire to protect the privacy and provide for the security of PHI used by or disclosed to BA in compliance with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the regulations promulgated thereunder by the U.S. Department of Health and Human Services (45 C.F.R. Parts 160, 162 and 164) (the “HIPAA Regulations”), and other applicable laws and regulations. The purpose of this BA Agreement is to satisfy certain standards and requirements of HIPAA, the HIPAA Regulations, including 45 CFR § 164.504(e), and similar requirements under Virginia law.
- Granger has designated all of its HIPAA health care components as a single component of its entity and therefore this BA Agreement is binding on all Granger health care components. This BA Agreement is effective on the date Granger first receives a requisition from the BA.
1. DEFINITIONS
Except for PHI, all capitalized terms in this BAA shall have the same meaning as those terms in the HIPAA Regulations.
PHI shall have the same meaning as “protected health information” in the HIPAA Regulations that is created, received, maintained, or transmitted by Business Associate or any Subcontractor on behalf of Granger and shall also include “medical information” as defined at Cal. Civ. Code § 56.05.
2. OBLIGATIONS OF BA
BA agrees to:
- Comply with the requirements of the Privacy Rule that apply to Granger in carrying out Granger’s obligations, to the extent BA carries out any obligations of Granger under the Privacy Rule. BA also agrees to comply with the requirements of Virginia state privacy laws and regulations that apply to Granger in carrying out Granger’s obligations, unless otherwise mutually agreed to by BA and Granger.
- Not Use or Disclose PHI other than as permitted or required by the Underlying Agreement or as required by law.
- Use appropriate safeguards, and comply, where applicable, with 45 C.F.R. § 164 Subpart C with respect to ePHI, to prevent the Use or Disclosure of PHI other than as provided for by the Underlying Agreement(s) and the BAA.
- Notify Granger, orally and in writing, as soon as possible, but in no event more than five (5) calendar days, after BA becomes aware of any Use or Disclosure of the PHI not permitted or required by the BAA or Underlying Agreement(s), including Breaches of unsecured PHI as required by 45 C.F.R. § 164.410 and potential compromises of Granger PHI, including potential inappropriate access, acquisition, use or disclosure of Granger PHI (each, collectively an “Incident”). BA shall be deemed to be aware of any Incident, as of the first day on which it becomes aware of it, or by exercising reasonable diligence, should have been known to its officers, employees, agents or sub-suppliers. The notification to Granger shall include, to the extent possible, each individual whose unsecured PHI has been, or is reasonably believed by BA to have been, accessed, acquired, used or disclosed during Incident. BA shall further provide Granger with any other available information that Granger is required to include in a notification to affected individuals at the time of the notification to Granger, or promptly thereafter as information becomes available. BA shall take prompt corrective action to remedy any Incident, and, as soon as possible, shall provide to Granger in writing: (i) the actions initiated by the BA to mitigate, to the extent practicable, any harmful effect of Incident; and (ii) the corrective action BA has initiated or plans to initiate to prevent future similar Incidents.
- Ensure that any Subcontractors that create, receive, maintain, or transmit PHI on behalf of the BA agree to the same restrictions, conditions, and requirements that apply to the BA with respect to Granger PHI.
- If BA maintains PHI in a Designated Record Set, BA shall make the PHI in the Designated Record Set available to Granger, or if directed by Granger to the Individual or the Individual’s designee, as necessary to satisfy Granger’s obligations under 45 C.F.R. § 164.524.
- If BA maintains PHI in a Designated Record Set, BA shall make any amendments directed or agreed to by Granger pursuant to 45 C.F.R. § 164.526 or take other measures as necessary to satisfy Granger’s obligations under 45 C.F.R. § 164.526.
- Maintain and make available the information required to provide an accounting of disclosures to Granger, or if directed by Granger to the Individual, as necessary to satisfy Granger’s obligations under 45 C.F.R. § 164.528.
- Make its internal practices, books, and records relating to the Use and Disclosure of PHI available to Granger, and to the Secretary for purposes of determining Granger’s compliance with HIPAA and their implementing regulations.
3. PERMITTED USES AND DISCLOSURES BY BA
BA may only Use or Disclose the Minimum Necessary PHI to perform the services set forth in the Underlying Agreement.
4. TERM AND TERMINATION
- Termination for Cause. Granger may terminate this BAA and any Underlying Agreement(s), if Granger determines BA has violated a material term of the BAA.
- Upon termination of this BAA for any reason, with respect to PHI received from Granger, or created, maintained, or received by BA on behalf of Granger, BA shall return to Granger, or if agreed to by Granger, destroy, all Granger PHI that BA still maintains in any form, and retain no copies of Granger PHI. To the extent return or destruction of Granger PHI is not feasible, BA shall (1) retain only that PHI which is necessary for BA to continue its proper management and administration or to carry out its legal responsibilities; and (2) continue to use appropriate safeguards for Granger PHI and comply with Subpart C of 45 C.F.R. Part 164 with respect to ePHI to prevent Use or Disclosure of the PHI, other than as provided for in this Section, for as long as BA retains the PHI.
- The obligations of BA under this Section 4.B shall survive the termination of this BAA and any Underlying Agreement(s).

