HIPAA Business Associate Agreement

HIPAA BUSINESS ASSOCIATE AGREEMENT and Privacy Policy

This HIPAA Business Associate Agreement (“Agreement”) is made effective as of January 1, 2020, by and between AITS Corp. Clients (“Covered Entity”), and AITS Corp (“Business Associate”), of 8101 Sandy Spring Rd. Suite 100-N Laurel, MD 2707 [Address] (collectively, the “Parties”). 
WHEREAS, Business Associate, in connection with its services, may maintain, transmit, create or receive data for or from Covered Entity that constitutes Protected Health Information (“PHI”);
WHEREAS, Covered Entity is or may be subject to the requirements of the Federal Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the Health Information Technology for Economic and Clinical Health Act (“HITECH”), and related regulations;
WHEREAS, with respect to the foregoing, Business Associate is or may be subject to the requirements of HIPAA, HITECH and related regulations; 
NOW, THEREFORE, in consideration of the mutual promises and covenants contained herein, the Parties hereby agree as follows:
1. Definitions.

  1. General. The following terms used in this Agreement shall have the same meaning as those terms in the HIPAA Rules: Breach, Data Aggregation, Designated Record Set, Disclosure, Electronic Protected Health Information, Health Care Operations, Individual, Minimum Necessary, Notice of Privacy Practices, Protected Health Information, Required by Law, Secretary, Security Incident, Subcontractor, Unsecured Protected Health Information, and Use.
  2. Specific. 
    1. Business Associate. “Business Associate” shall generally have the same meaning as the term “business associate” at 45 CFR 160.103, and in reference to the party to this Agreement, shall mean AITS Corp. [Business Associate].
    2. Covered Entity. “Covered Entity” shall generally have the same meaning as the term “covered entity” at 45 CFR 160.103, and in reference to the party to this Agreement, shall mean AITS Corp. Clients [Covered Entity].
    3. Electronic Health Record. “Electronic Health Record” shall have the same meaning as the term “electronic health record” in the HITECH Act, Section 13400.
    4. HIPAA. “HIPAA” collectively refers to the HIPAA Statute, including the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Part 160 and Part 164, the HITECH Act, and any associated Regulations, as such may be amended from time to time.

2. Obligations and Activities of Business Associate.

  1. Business Associate agrees not to use or disclose PHI other than as permitted or required by the Agreement or as required by law.
  2. Business Associate agrees to use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to Electronic PHI, to prevent use or disclosure of PHI other than as provided for by the Agreement.
  3. Business Associate agrees to report to Covered Entity any use or disclosure of PHI not provided for by the Agreement of which it becomes aware, including breaches of unsecured PHI as required at 45 CFR 164.410, and any security incident of which it becomes aware.
  4. In accordance with 45 CFR 164.502(e)(1) and 164.308(b)(2), if applicable, Business Associate agrees to ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of the Business Associate agree to the same restrictions, conditions, and requirements that apply to the Business Associate with respect to such information.
  5. In accordance with 45 CFR 164.524, Business Associate agrees to make available PHI in a designated record set to the Covered Entity within 60 days of a request by Covered Entity for access to PHI about an individual. In the event that any individual requests access to PHI directly from Business Associate, Business Associate shall forward such request to Covered Entity within 60 days of receiving such request.

How access requests should be handled: Send an email request to [email address protected].

  6. In accordance with 45 CFR 164.526, Business Associate agrees to make any amendment(s) to PHI in a designated record within 60 days of a request by Covered Entity. Business Associate shall provide such information to Covered Entity for amendment and incorporate any amendments in the PHI as required by 45 CFR 164.526. In the event a request for an amendment is delivered directly to Business Associate, Business Associate shall forward such request to Covered Entity within 60 days of receiving such request.

How amendments should be handled (Optional): Send an email request to [email address protected].

  7. Except for disclosures of PHI by Business Associate that are excluded from the accounting obligation as set forth in 45 CFR 164.528 or regulations issued pursuant to HITECH, Business Associate shall record for each disclosure the information required to be recorded by Covered Entities pursuant to 45 CFR 164.528. Within 90 days of notice by Covered Entity to Business Associate that it has received a request for an account of disclosures of PHI, Business Associate shall make available to Covered Entity, or if requested by Covered Entity, to the individual, the information required to be maintained pursuant to this Agreement. In the event the request for an accounting is delivered directly to Business Associate, Business Associate shall forward such request to Covered Entity within 90 days of receiving such request.

How disclosure requests should be handled (Optional): Send an email request to [email address protected].

  8. To the extent the Business Associate is to carry out one or more of Covered Entity's obligation(s) under Subpart E of 45 CFR Part 164, Business Associate agrees to comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation(s).
  9. Business Associate agrees to make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary for purposes of determining compliance with HIPAA.

3. Permitted Uses and Disclosures by Business Associate

  1. Business Associate may use or disclose PHI for the following purposes:
    1. As necessary to perform the services as agreed to between the Parties, notwithstanding the restrictions on such uses and disclosures as set forth in HIPAA and this Agreement.
  2. Business Associate may only de-identify PHI if permitted by Covered Entity and in any event may only de-identify PHI in accordance with 45 CFR 164.514(a)-(c).
  3. Business Associate may use or disclose PHI as required by law or where Business Associate obtains reasonable assurances from the person to whom the information is disclosed that the information will remain confidential and used or further disclosed only as required by law or for the purposes for which it was disclosed to the person, and the person notifies Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.
  4. Business Associate may not use or disclose PHI in a manner that would violate Subpart E of 45 CFR Part 164 if done by Covered Entity except for the specific uses and disclosures set forth herein.

4. Permissible Requests by Covered Entity

  1. Except as otherwise permitted by this Agreement, Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under Subpart E of 45 CFR Part 164 if done by Covered Entity. 

5. Term and Termination

  1. Term. The Term of this Agreement shall be effective on the first day of services and shall terminate on the date the business relationship, or any services agreements, between the Parties end or are terminated or on the date Covered Entity terminates for cause as authorized in paragraph (b) of this Section. 
  2. Termination for Cause. Business Associate authorizes termination of this Agreement by Covered Entity, if Covered Entity determines Business Associate has violated a material term of the Agreement and Business Associate has not cured the breach or ended the violation within 60 days written notice. If it is determined by Covered Entity that cure is not possible, Covered Entity may immediately terminate this Agreement. The termination of this Agreement shall automatically terminate the business relationship and any services agreements between the Parties. 
  3. Obligations of Business Associate Upon Termination. Upon termination of this Agreement, Business Associate shall either return or destroy all PHI that Business Associate still maintains in any form. Business Associate shall not retain any copies of such PHI. In the event Business Associate determines that returning or destroying the PHI is infeasible, the terms of this Agreement shall survive termination with respect to such PHI and limit further uses and disclosures of such PHI for so long as Business Associate maintains such PHI. In addition, Business Associate shall continue to use appropriate safeguards and comply with Subpart C of 45 CFR Part 164 with respect to electronic PHI to prevent use or disclosure of the PHI for as long as Business Associate retains the PHI.
  4. Survival. The obligations of Business Associate under this Section shall survive the termination of this Agreement.

6. General Provisions. 

  1. This Agreement sets forth the entire understanding of the Parties. Any amendments must be in writing and signed by both Parties. This Agreement shall be construed under the laws of the State of Maryland, without regard to conflict of law provisions. Any ambiguity in the terms of this Agreement shall be resolved to permit compliance with HIPAA. Any references in this Agreement to a section in HIPAA means the section as in effect or as may be amended. This Agreement may be modified or amended from time to time as is necessary for compliance with the requirements of HIPAA and other applicable law. Amendments must be made in writing and signed by the Parties. The failure of either Party to enforce any provision of this Agreement shall not be construed as a waiver or limitation of that Party's right to subsequently enforce and compel strict compliance with every provision of this Agreement. The terms of this Agreement are hereby incorporated into any service or business agreement that may be entered into between the Parties with the intent to form a business relationship. In the event of a conflict of terms between this Agreement and any such service or business agreement the terms of this Agreement shall prevail.

Although the internet is an incredible tool, it can also come with security risks. Modern consumers use the internet for many different facets of their daily lives, many of which require them to provide personal identifying information. It’s important to us at AITS Corp. to keep our customers safe online and ensure that personal information stays private.

We know just how important your privacy is to you, so we’ve made privacy a priority in every aspect of our online operations. To protect your privacy, AITS Corp. follows global best practices for customer privacy and data protection.

  • We won’t sell or give away your name, mail address, phone number, email address or any other personal information to third parties.
  • We use state-of-the-art security measures to protect your information from unauthorized users. We maintain and update our systems regularly to ensure the best possible privacy protection.

ONLINE PRIVACY POLICY

NOTICE

When we need information to personally identify you or contact you, we will explicitly state this upfront. You will need to consent to provide this information. Some scenarios where this may happen include creating a user ID and password, purchasing a premium subscription, signing up for a newsletter, or downloading software programs. We use and store this personal information for three primary purposes, and, for your convenience, you will only have to provide this information once to use our online services. This information will never be used for any other purpose. The three purposes are:

  • To help you find the software, services, or information you need quickly.
  • To help us create content most relevant to you.
  • To alert you to product upgrades, special offers, updated information, and other new services from AITS Corp.

CONSENT

If you choose not to register or provide personal information, you can still use most of [YOUR WEBSITE ADDRESS]. However, you will not be able to access areas that require registration. After you have completed your registration, you will be able to opt in to services like electronic newsletters and other communications from us. This allows AITS Corp. to communicate with you about our products, programs, events, and services via email, telephone, or postal mail. If you do not wish to receive this type of communication, you may select the option stating that you do not wish to receive marketing messages.

AITS Corp. occasionally allows other companies to offer our registered customers information about their products and services via postal mail only. If you do not wish to receive these offers, you may select the option stating that you do not wish to receive marketing materials from third parties. Registered users will only receive communications that they have consented to.

ACCESS

Registered users will be able to review and update any information they have provided to AITS Corp. at any time. We always make it easy for our registered users to:

  • View and edit any personal information you have already provided to us.
  • Give or revoke consent to marketing information from us as well as sale offers from third parties.
  • Sign up for electronic newsletters about our services and products.

SECURITY

AITS Corp. has taken strong measures to keep your personal information secure and honor your privacy practices. We take precautions to protect your data from unauthorized access or loss. We offer safe and secure e-commerce transactions that are encrypted using SSL technology to protect your data.

Every customer transaction is guaranteed under the Fair Credit Billing Act. This legislation states that your bank cannot hold you liable for more than $50.00 in fraudulent credit card charges. If your bank does hold you liable for this amount, we will cover the liability in situations where your credit card was used fraudulently. In the event of unauthorized use of your credit card, you must notify your credit card provider in accordance with its reporting rules and procedures.

AITS Corp. strictly protects the security of your personal information and honors your choices for its intended use. Your personal information is never shared outside the company without your permission, except under the conditions explained above. Inside the company, data is stored in password-controlled servers with limited access. Your information may be stored and processed in [YOUR COUNTRY] or any other country where AITS Corp., its subsidiaries, affiliates or agents are located.

You also have a significant role in protecting your information. Do not share your username and password with others, as this can compromise your personal security online.

NOTICE TO PARENTS

Parents or guardians: we want to help you protect your children's privacy. We encourage you to talk to your children about safe and responsible use of their personal information while using the Internet.

The AITS Corp. site does not publish content that is targeted at children. However, if you are concerned about your children providing AITS Corp. any personal information without your consent, we do offer extra security options for children 12 and under. This allows parents to consent to the collection and use of personal data on our platform.

ENFORCEMENT

If for some reason you believe AITS Corp. has not adhered to the principles outlined in this privacy policy, please notify us by email at [email address protected]. We will do our best to determine and correct the problem promptly. Add the words “Privacy Policy” to the subject line.

ELECTRONIC PRODUCT REGISTRATION

When you buy and install a new product from us, we may ask you to register your purchase electronically. When you do, we merge your registration information with any information you've already provided as part of your personal profile. If you haven't previously registered with us, we will create a personal profile for you from your product registration information.

If you ever want to review or update this information, you can do so on our website. If you haven't already created a registration ID, we will ask you to do so. This ensures that only you can access your information.

CUSTOMER PROFILES

As mentioned above, we create a personal profile for each registered customer. Each profile is assigned a unique personal identification number. This ensures that you are the only one who can access your profile. This PIN is sent back to your hard drive in the form of a cookie, which is a very small amount of code. This code allows you to travel seamlessly across our online platform without having to re-register. Even if you switch devices, you will only have to enter your registration ID and password to log in.

HOW WE USE YOUR INFORMATION

When users register with us, they provide contact information, which includes an email address. We use this information to send updates about products you have ordered, new product announcements, and product satisfaction surveys. When you purchase a product from us, we ask for your credit card number and billing address. We use this information to bill you for the products you order at that time. We do save billing information for your convenience in future orders.

We do not share personal data (phone numbers) or consent with third parties, affiliates, or partners.

AITS Corp. will disclose your personal information, without notice, only if required to do so by law or in the good faith belief that such action is necessary to: (a) conform to the edicts of the law or comply with legal process served on AITS Corp. or the site; (b) protect and defend the rights or property of AITS Corp. and its family of websites; and (c) act in urgent circumstances to protect the personal safety of users of AITS Corp., its websites, or the public.