Updated: October 1, 2021
These HIPAA Business Associate Terms apply in the event or to the extent that the Plan Sponsor, on behalf of the Plan Sponsor’s Infertility Health Reimbursement Arrangement (HRA) Plan (“the Plan”), intends to treat certain services provided by Carrot Fertility, Inc. (“the Business Associate”) pursuant to the parties’ separate services agreement (the “Master Services Agreement”), as provided under a group health plan within the meaning of the Employee Retirement Income Security Act of 1974. The Plan Sponsor intends to treat the Plan as a “covered entity” within the meaning of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the Health Information Technology for Economic and Clinical Health ("HITECH") Act, and implementing regulations, including the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Part 160 and Part 164 (collectively, the “HIPAA Rules”). Accordingly, these Business Associate Terms are necessary in the event or to the extent that, in providing services to the Plan Sponsor pursuant to the Master Services Agreement, the Business Associate creates, receives, uses or discloses Protected Health Information, including Electronic Protected Health Information, regarding any participant in the Plan. The Plan Sponsor and the Business Associate hereby agree as follows:
Capitalized terms used herein without definition shall have the respective meanings assigned to such terms under the HIPAA Rules.
Business Associate agrees to:
(a) Not use or disclose Protected Health Information other than as permitted or required by these Business Associate Terms or as Required By Law;
(b) Use appropriate safeguards and comply, where applicable, with subpart C of 45 CFR Part 164 with respect to Electronic Protected Health Information, to prevent use or disclosure of Protected Health Information other than as provided for by these Business Associate Terms;
(c) Report to the Plan any Use or Disclosure of Protected Health Information not provided for by these Business Associate Terms of which it becomes aware, including any Breach of Unsecured Protected Health Information as required at 45 CFR 164.410, and any Security Incident of which it becomes aware as soon as reasonably possible, but in no case later than within ten (10) business days. Notice is hereby deemed provided, and no further notice will be provided, of unsuccessful attempts at such unauthorized access, use or disclosure, such as pings and other broadcast attacks on a firewall, denial of service attacks, port scans, unsuccessful login attempts, or interception of encrypted information where the key is not compromised, or any combination of the above, so long as no such incident results in unauthorized access to, or use or disclosure of, the Plan's electronic PHI;
(d) In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, ensure that any subcontractors that create, receive, maintain, or transmit Protected Health Information, including Electronic Protected Health Information, on behalf of the Business Associate agree to the same restrictions, conditions, and requirements that apply to the Business Associate with respect to such information;
(e) Make available Protected Health Information in a Designated Record Set to the Plan as necessary to satisfy the Plan’s obligations under 45 CFR 164.524;
(f) Make any amendment(s) to Protected Health Information in a Designated Record Set as directed or agreed to by the Plan pursuant to 45 CFR 164.526, or take other measures as necessary to satisfy the Plan’s obligations under 45 CFR 164.526;
(g) Maintain and make available the information required to provide an accounting of Disclosures to the Plan as necessary to satisfy the Plan’s obligations under 45 CFR 164.528;
(h) To the extent the Business Associate is to carry out one or more of the Plan’s obligation(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to the Plan in the performance of such obligation(s); and
(i) Make its internal practices, books, and records relating to the Use and Disclosure of Protected Health Information received from, or created or received by Business Associate on behalf of, the Plan available to the Secretary for purposes of determining the Plan’s compliance with the HIPAA Rules.
(a) General Use and Disclosure Provisions
Business Associate may use or disclose Protected Health Information to perform functions, activities, or services for, or on behalf of, the Plan, as specified in the Master Services Agreement, as amended or renewed from time to time, provided that such Use or Disclosure would not violate the HIPAA Rules.
(b) Specific Use and Disclosure Provisions
(a) The Plan shall notify Business Associate of any limitation(s) in its Notice of Privacy Practices under 45 CFR 164.520, to the extent that such limitation may affect Business Associate's Use or Disclosure of Protected Health Information.
(b) The Plan shall notify Business Associate of any changes in, or revocation of, the permission by an Individual to use or disclose his or her Protected Health Information, to the extent that such changes may affect Business Associate's Use or Disclosure of Protected Health Information.
(c) The Plan shall notify Business Associate of any restriction on the Use or Disclosure of Protected Health Information that the Plan has agreed to or is required to abide by under 45 CFR 164.522, to the extent that such restriction may affect Business Associate's Use or Disclosure of Protected Health Information.
(d) The Plan shall not request Business Associate to use or disclose Protected Health Information in any manner that would not be permissible under Subpart E of 45 CFR Part 164 if done by the Plan, except for any Use or Disclosure for data aggregation or management and administration and legal responsibilities of the Business Associate.
(a) Term
The Term of these Business Associate Terms shall terminate upon termination of the Master Services Agreement (including any amendment or renewal thereof), or on the date the Plan terminates for cause as authorized in paragraph (b) of this Section, whichever is sooner.
(b) Termination for Cause
Business Associate authorizes termination of these Business Associate Terms by the Plan, if the Plan determines Business Associate has violated a material term of these Business Associate Terms and Business Associate has not cured the breach or ended the violation within the time specified by the Plan.
(c) Obligations of Business Associate Upon Termination
Upon termination of these Business Associate Terms, for any reason, Business Associate, with respect to Protected Health Information received from the Plan, or created, maintained or received by Business Associate on behalf of the Plan, shall:
(d) Survival. The obligations of Business Associate under this Section shall survive the termination of these Business Associate Terms.
(a) Regulatory References
A reference in these Business Associate Terms to a section in the HIPAA Rules means the section as in effect or as amended.
(b) Amendment
Business Associate will use best efforts to take such action as is necessary to amend these Business Associate Terms from time to time as is necessary for compliance with the requirements of the HIPAA Rules and any other applicable law. Accordingly, these Business Associate Terms may be amended by Business Associate from time to time, in compliance with the requirements of the HIPAA Rules and any other applicable law.
(c) Interpretation
Any ambiguity in this Agreement shall be interpreted to permit compliance with the HIPAA Rules.
(d) Integration
These Business Associate Terms represent the entire agreement of the parties with respect to the subject matter hereof. If Business Associate and Plan Sponsor have entered into a separate Business Associate Agreement, the terms of that Business Associate Agreement will supersede these Business Associate Terms.
(e) Assignment
These Business Associate Terms are binding on, and shall inure to the benefit of, the Plan and Business Associate and their respective legal representatives, successors and permitted assigns.
(f) Conflicts
To the extent required under the HIPAA Rules, the terms and conditions of these Business Associate Terms shall prevail in the event these Business Associate Terms conflict with any provision of the Master Services Agreement.