Business Associate Agreement (BAA)
Effective date: September 5, 2025
Parties
This Business Associate Agreement (the “Agreement”) is entered into by and between (a) the Customer that has accepted PsyFi’s Terms of Service for the Services (the “Covered Entity” or, if applicable, a “Business Associate” acting on behalf of a Covered Entity) and (b) Oaken Cloud Technologies, LLC d/b/a PsyFi Technologies (the “Business Associate”).
This Agreement is incorporated into the Terms of Service by reference where applicable.
Definitions
Capitalized terms not defined herein have the meaning ascribed by HIPAA, including 45 C.F.R. Parts 160 and 164.
Obligations of Business Associate
- Use or disclose PHI only as permitted by this Agreement, as required by law, or as otherwise authorized in writing by Covered Entity.
- Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of ePHI as required by the Security Rule.
- Mitigate, to the extent practicable, any harmful effect known to Business Associate of a use or disclosure of PHI in violation of this Agreement.
- Ensure that any Subcontractor to whom Business Associate provides PHI agrees in writing to substantially the same restrictions and conditions.
- Make PHI available to Covered Entity as necessary for individuals to access and amend their PHI, and to provide an accounting of disclosures, as required by 45 C.F.R. §§ 164.524, 164.526, and 164.528.
- Make internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of HHS for purposes of determining compliance.
Obligations of Covered Entity
- Notify Business Associate of any limitation in Covered Entity’s notice of privacy practices, changes in permissions by individuals, or restrictions agreed to that affect Business Associate’s use or disclosure of PHI.
- Not request or require Business Associate to use or disclose PHI in a manner not permitted by law.
Permitted Uses & Disclosures
Business Associate may use and disclose PHI to provide Services to Covered Entity; for the proper management and administration of Business Associate; and to carry out legal responsibilities, provided that disclosures are required by law or Business Associate obtains reasonable assurances from the recipient regarding confidentiality and permitted further use.
Safeguards
Business Associate shall maintain policies and procedures, workforce training, access controls, encryption, logging, and other safeguards proportionate to risk. For additional detail, see PsyFi’s Security & Compliance documentation referenced in the master agreement.
Breach Notification
Business Associate will report to Covered Entity any use or disclosure of PHI not provided for by this Agreement, including breaches of unsecured PHI as defined by 45 C.F.R. § 164.402, without unreasonable delay and in no case later than 30 calendar days after discovery. Notice will include, to the extent available, the identification of affected individuals and information sufficient to support Covered Entity’s notification obligations.
Subcontractors
Business Associate will ensure that Subcontractors agree in writing to restrictions and conditions that are substantially similar to those applicable to Business Associate with respect to PHI.
Term & Termination
- Term. This Agreement becomes effective when Customer accepts the Terms of Service (or other written agreement that incorporates this Agreement) and remains in effect until terminated in accordance with this Section.
- Termination for Cause. Covered Entity may terminate this Agreement if it determines that Business Associate has materially breached it and Business Associate has not cured the breach within a reasonable time after receiving written notice.
- Effect of Termination. Upon termination, Business Associate will return or destroy PHI, if feasible. If return or destruction is infeasible, Business Associate will extend protections and limit further uses to those purposes that make the return or destruction infeasible.
Miscellaneous
- This Agreement is governed by the laws applicable to the master agreement between the parties.
- This Agreement may be amended to comply with changes in HIPAA and related laws.
- Any ambiguity shall be resolved to permit compliance with HIPAA.
- This Agreement may be executed electronically. Customer’s acceptance of the Terms of Service (including by clicking “I agree” or creating an account) constitutes execution of this Agreement where applicable.