Business Associate Agreement

Home > Business Associate Agreement

Business Associate Agreement

This Business Associate Agreement ("Agreement") is effective as of the date of acceptance set forth on the final page of this agreement and is made between Mentalyc Inc., located at 2261 Market Street #4569, San Francisco, CA 94114 (“Mentalyc”), and the organization identified and entered into Mentalyc’s systems by its representative and set forth on the final page of this agreement (“Company”).

RECITALS

Company is a HIPAA Covered Entity or Business Associate. Company and Mentalyc will engage in a business relationship in which Mentalyc provides certain services to Company. In this relationship, Mentalyc may receive, use, maintain, disclose, or otherwise process PHI as a Business Associate for or on behalf of company in the course of performing such services.

The parties to this Agreement hereby agree as follows:

1. Definitions

Affiliate: With respect to a party, any entity that directly or indirectly controls, is controlled by, or is under common control with that party. For purposes of this agreement, “control” means an economic or voting interest of at least fifty percent (50%).

HIPAA Laws: Refers collectively to the Health Insurance Portability and Accountability Act, and the Health Information Technology for Economic and Clinical Health (HITECH) Act, including all regulations under 45 C.F.R. Parts 160 and 164, as modified, supplemented, and amended.

PHI: Protected Health Information as defined in 45 C.F.R. § 160.103, limited to PHI received by Mentalyc from or created, received, maintained, or transmitted by Mentalyc on behalf of Company through Company’s use of the Services.

Security Measures: The administrative, physical, and technical safeguards required under the HIPAA Security Rule.

Services: The AI scribe services provided by Mentalyc to Company, whereby Mentalyc processes PHI on behalf of Company.

2. Permitted Uses and Disclosures of PHI

2.1 Performance of the Agreement for Mentalyc Services

Mentalyc shall not use or disclose PHI other than as permitted or required by this Agreement or as Required by Law.

2.2 Management, Administration, and Legal Responsibilities

Mentalyc may use and disclose PHI for proper management and administration or to carry out legal responsibilities, provided disclosure occurs only if required by law or if Mentalyc obtains reasonable assurances of confidentiality from the recipient.

3. Responsibilities with Respect to PHI

3.1 Mentalyc’s Responsibilities

a. Limitations on Use, Disclosure, and Sale: Mentalyc shall only use the minimum necessary PHI for proper business purposes and shall not sell PHI.

b. Safeguards: Mentalyc shall implement appropriate safeguards to prevent improper use or disclosure of PHI.

c. Subcontractors: Mentalyc shall ensure subcontractors agree in writing to the same or more stringent restrictions on PHI.

d. Reporting to Company: Mentalyc shall report to Company any unauthorized use, disclosure, or security incidents concerning PHI.

e. Unsuccessful Security Incidents: Mentalyc is not required to report unsuccessful security incidents unless they result in unauthorized access.

f. Disclosures to the Secretary: Mentalyc shall make its practices, books, and records available for compliance review by the Secretary.

g. Access and Amendment: Company shall be responsible for access and amendment requests for the Designated Record Set.

h. Accounting of Disclosures: Mentalyc shall provide information on disclosures for Company’s compliance with accounting requirements.

i. Privacy and Security Rule Compliance: Mentalyc shall comply with applicable Privacy and Security Rule provisions.

3.2 Company’s Responsibilities

a. No Impermissible Requests: Company shall not request Mentalyc to use or disclose PHI in violation of HIPAA Laws.

b. Contact Information for Notices: Company shall maintain accurate contact information for receiving notifications.

c. Safeguards and Appropriate Use of PHI: Company is responsible for safeguarding its PHI and for excluding PHI from technical support requests.

d. Communicating Changes to Mentalyc: Company shall notify Mentalyc of any changes that may affect Mentalyc’s use of PHI.

4. Term and Termination

4.1 Term

The term of this Agreement begins upon acceptance and terminates upon termination of all services requiring a BAA, unless terminated sooner.

4.2 Termination for Breach

If either party is aware of a material breach, they may terminate this Agreement or report violations to the Secretary if cure is not feasible.

5. Post-Termination Obligations

5.1 Return, Destruction, or Retention of PHI Upon Termination

Upon termination, Mentalyc shall return or destroy all PHI received from Company. If return or destruction is infeasible, Mentalyc will continue to protect such PHI.

6. Limitation of Liability

Mentalyc’s total and aggregate liability to customer for all damages arising out of or in connection with a breach of this agreement caused by Mentalyc will not exceed ten thousand dollars. This limitation applies to all causes of action in the aggregate, including, without limitation, breach of contract, misrepresentations, negligence, strict liability and other torts. These limitations apply notwithstanding any failure of essential purpose of any remedy.

7. Notices

All legal notices under this Agreement shall be delivered via electronic mail to the specified addresses for both Mentalyc and Company.

8. Miscellaneous

a. No Agency Relationship: The parties are independent contractors.

b. No Third-Party Rights: This Agreement does not confer rights to third parties.

c. Amendments and Waivers: Any amendments must be in writing and duly executed.

d. Governing Law: This Agreement is governed by the laws of the State of Delaware.