This Business Associate Amendment (this “BAA”) is made and entered into by and between medQue, Inc. and User if and for so long as applicable under the medQue User Terms of Service (the “Terms”), and is effective as of the date the Terms are initially accepted by the User or the date on which this BAA becomes applicable. This BAA is intended to implement the requirements of HIPAA as they relate to the use of the Service by the User, and support the parties’ compliance requirements thereunder.
The User must have a valid and existing registration to use the Service in order for this BAA to be effective, and this BAA shall govern each party’s respective obligations regarding Protected Health Information (as defined below) during the term of the User’s use of the Service.
The parties agree as follows:
For purposes of this BAA, any capitalized term not otherwise defined herein will have the meaning given to it in the Terms and/or under HIPAA.
“HITECH Act” means the Health Information Technology for Economic and Clinical Health Act enacted in the United States Congress, which is Title XIII of the American Recovery & Reinvestment Act, and the regulations thereunder, as amended.
“Protected Health Information” or “PHI” will have the meaning given to it under HIPAA if provided to medQue as the User Content in connection with the User’s permitted use of the Service.
“Security Rule” means 45 C.F.R., Part 164, Subpart C, under HIPAA.
This BAA applies to the extent the User is acting as a Covered Entity or Business Associate, to create, receive, maintain or transmit PHI via the Service and where medQue, as a result, is deemed under HIPAA to be acting as a Business Associate of the User.
This BAA is applicable only to the Service. medQue may expand the scope of the Service. If medQue expands the scope of the Service then this BAA will automatically apply to such additional new functionality and features as of the date the Service is updated, or the date medQue has otherwise provided written communication regarding an update to the scope of the Service to the User (whichever date is earlier).
Permitted Use and Disclosure
medQue may use and disclose PHI only as permitted under HIPAA as specified in the Terms and under this BAA. medQue may also use and disclose PHI for the proper management and administration of medQue’s business and to carry out the legal responsibilities of medQue, provided that any disclosure of PHI for such purpose may only occur if (i) required by applicable law; or (ii) medQue obtains written reasonable assurances from the person to whom PHI will be disclosed that it will be held in confidence, used only for the purpose for which it was disclosed, and that medQue will be notified of any Breach.
By the User
The User is responsible for determining if he or she is a Covered Entity and/or a Business Associate and, if they are, ensuring that they use the Service in compliance with HIPAA. The User is responsible for fulfilling an individual's right of access, amendment, and accounting in accordance with the requirements under HIPAA.
The User will not request medQue or the Service to use or disclose PHI in any manner that would not be permissible under HIPAA if done by a Covered Entity itself (unless otherwise expressly permitted under HIPAA for a Business Associate). The User will not use the Service to create, receive, maintain or transmit PHI in violation of HIPAA requirements. If the User uses the Service in connection with PHI, the User will take appropriate measures to limit use of PHI in the Service to the minimum extent necessary for the User to carry out such authorized use of such PHI. The User agrees that medQue has no obligation to protect PHI under this BAA to the extent the User creates, receives, maintains, or transmits such PHI outside of the Service (including the User’s use of offline or on-premise storage tools or third-party services or applications).
medQue and the User will use appropriate safeguards designed to prevent unauthorized use or disclosure of PHI, consistent with this BAA, and as otherwise required under the Security Rule, with respect to the Service.
medQue will promptly notify the User following the discovery of a Breach resulting in the unauthorized use or disclosure of PHI in violation of this BAA in the most expedient time possible under the circumstances, consistent with the legitimate needs of applicable law enforcement and applicable laws, and after taking any measures necessary to determine the scope of the Breach and to restore the reasonable integrity of the Service by using commercially reasonable efforts to mitigate any further harmful effects to the extent practicable. medQue will send any applicable Breach notice to the email address for the User’s account (as indicated in the Service by the User) or via direct communication with the User. For clarity, the User, and not medQue, is responsible for complying with any Organizational Policies within the Service and medQue will have no obligations relating thereto. The User is hereby advised that medQue may periodically receive unsuccessful attempts for unauthorized access, use, disclosure, modification or destruction of information or interference from third parties, as part of the general operation of the Service and, even if such events are defined as a Security Incident under HIPAA, medQue will not provide the User any additional notice regarding such unsuccessful attempts.
Agents and Subcontractors
medQue will take appropriate measures to ensure that any Service Providers used by medQue to perform its obligations under the Terms that require access to PHI on behalf of medQue are bound by written obligations that provide the same material level of protection for PHI as this BAA. To the extent medQue uses agents and subcontractors in its performance of obligations hereunder, medQue will remain responsible for their performance as if performed by medQue itself under the Terms.
The User shall not use the Service in any manner that would interfere with its obligation to give individuals their rights of access, amendment, and accounting in accordance with the requirements under HIPAA. The User is responsible for managing their use of the Service to appropriately respond to such individual requests. medQue will reasonably cooperate with the User to enable the User to respond to individual requests with respect to any PHI stored within the Service.
Access to Records
To the extent required by law, and subject to applicable attorney client privileges, medQue will make its internal practices, books, and records concerning the use and disclosure of PHI received from the User, or created or received by medQue on behalf of the User, available to the Secretary of the U.S. Department of Health and Human Services (the “Secretary”) for the purpose of the Secretary determining compliance with this BAA.
Return/Destruction of Information
The User may immediately terminate this BAA and account to use the Service upon 10 days’ written notice to medQue if medQue has materially breached this BAA and such breach is not reasonably capable of being cured.
This BAA will expire upon the earlier of: (i) the expiration or termination of the User’s account to use the Service; or (ii) the execution of an updated BAA that supersedes this BAA.
It is the parties’ intent that any ambiguity under this BAA be interpreted consistently with the intent to comply with applicable laws.
Effect of Amendment
The User and medQue agree that the User’s acceptance of this BAA, pursuant to the provisions of the Terms, constitutes a written agreement between the parties.