THIS BUSINESS ASSOCIATE ADDENDUM (“Agreement”) is made and entered by and between the customer agreeing to the terms herein (“Covered Entity”), and AURANMEDIA LLC, a Georgia limited liability company d/b/a FULL MEDIA (“Business Associate”) which maintains its principal place of business at 200 Broad Street SW, Suite 206, Gainesville, GA 30501. This Agreement will be effective as of the date electronically accepted by Covered Entity as part of the ReadySites Vitals or ReadySites Catalyst program sign up.

WHEREAS, Covered Entity is an organization providing healthcare or related services, and, as such, maintains certain confidential protected health information and records in written and/or in electronic form, concerning its patients;

WHEREAS, Business Associate is a healthcare digital marketing company and has entered into an agreement to provide certain services to Covered Entity such as web design, search engine optimization, online advertising, online patient experience and analytics (collectively the “Services”);

WHEREAS, Covered Entity and Business Associate have agreed to conduct all of their business in compliance with all applicable federal, state and local statutes, regulations, rules and policies, including but not limited to, the Health Insurance Portability and Accountability Act of 1996, including all amendments to such Act by the Health Information Technology and Clinical Health Act (“HITECH”), part of the American Recovery and Reinvestment Act of 2009, and all related rules and regulations in effect from time to time during the term of this Agreement (collectively “HIPAA”);

WHEREAS, in the course of providing the Services, Business Associate will or may create, receive, maintain or transmit individually identifiable health information, including demographic and other information, which relates to the past, present or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care, which information identifies the individual or with respect to which there is a reasonable basis upon which to believe that the information can be used to identify the individual (collectively, “Protected Health Information” or “PHI”);

WHEREAS, Business Associate may also create, receive, maintain or transmit Electronic PHI (“EPHI”) in the course of performing the Services (PHI and EPHI sometimes herein referred to collectively as “PHI”);

WHEREAS, Covered Entity is willing to provide Business Associate with access to PHI and EPHI such that Business Associate can perform the Services, provided Business Associate executes and complies with this Agreement:

NOW, THEREFORE, in consideration of Covered Entity granting Business Associate access to PHI and EPHI, and for other good and valuable consideration, the receipt and sufficiency of which is hereby acknowledged, the parties hereby agree as follows:

1. Definitions. Capitalized terms herein shall have the specific meaning assigned to them within this Agreement or, if no such meaning is so assigned, the meaning set forth in HIPAA.

2. Permitted and Required Uses and Disclosures. Business Associate agrees to access, use and/or disclose PHI received from, or created, received, maintained, or transmitted on behalf of, Covered Entity only as is necessary for the purpose of adequately rendering the Services for Covered Entity and as herein otherwise permitted.

3. Obligations and Activities of Business Associate. Business Associate agrees to:

a. Not use or disclose PHI or EPHI other than as permitted herein or as required by law, including HIPAA;

b. Use appropriate safeguards to prevent the use, access or disclosure of PHI other than as provided for herein or as required by law, and to comply with Subpart C of 45 CFR Part 164 with respect to EPHI;

c. Report to Covered Entity any use or disclosure of PHI not permitted or required by this Agreement of which it becomes aware, and any Security Incident of which it becomes aware, provided, however, that the parties acknowledge and agree that this section constitutes notice by Business Associate to Covered Entity of the ongoing existence and occurrence of attempted but unsuccessful Security Incidents, such as unsuccessful phishing attempts, “pings” and other broadcast attacks on Business Associate’s firewall, port scans, unsuccessful log-on attempts, denials of service, and any combination of the above, so long as no such incident results in unauthorized access, use, or disclosure of PHI or unauthorized access to a Business Associate electronic system;

d. Notify Covered Entity as required by 45 CFR 164.410, in the event Business Associate discovers a Breach of Unsecured PHI as defined in 45 CFR 164.402;

e. Ensure, in accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, that any Subcontractors of Business Associate that create, receive, maintain or transmit PHI on behalf of Covered Entity or Business Associate agree to comply with all HIPAA requirements applicable to Business Associate by entering into a contract or other arrangement that complies with HIPAA requirements with respect to such information;

f. Make available to Covered Entity PHI in a Designated Record Set as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.524, including for electronic transmission as contemplated in HITECH where Covered Entity maintains an Electronic Health Record (“EHR”);

g. Make available to Covered Entity PHI in a Designated Record Set for amendment, and to incorporate any amendments, if appropriate and at Covered Entity’s instruction, in accordance with 45 CFR 164.526;

h. Maintain and make available to Covered Entity information in its possession required to provide an accounting of disclosures to individuals as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.528, including accountings of disclosures made through an EHR, as and if applicable, in accordance with relevant rules and regulations;

i. To the extent that Business Associate is to carry out one or more of Covered Entity’s obligations under Subpart E of 45 CFR Part 164, to comply with the requirements of Subpart E that apply to Covered Entity in the performance of such obligations;

j. Make Business Associate’s internal practices, books and records relating to the use, access, maintenance and disclosure of PHI received from, or created or received by Business Associate on behalf of, Covered Entity available to the Secretary of Health and Human Services (“HHS”) for purposes of determining Covered Entity’s or Business Associate’s compliance with HIPAA; and

k. Make uses, disclosures, and requests of PHI consistent with the minimum necessary requirements as from time to time defined by HIPAA.

4. Other Uses and Disclosures. Business Associate may not use or disclose PHI in any manner that would violate Subpart E of 45 CFR Part 164 if done by Covered Entity except for the specific uses and disclosures set forth below:

a. Use of PHI for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate;

b. Disclosure of PHI for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate, provided that such disclosures are required by law or that Business Associate obtains reasonable assurances from the person to whom the information is disclosed that the PHI will remain confidential and will be used or further disclosed only as required by law or for the purpose for which it was disclosed to that person; and that the person to which it is disclosed will notify the Business Associate of any instances of which it is aware in which the confidentiality of the PHI has been breached;

c. Use or disclosure of PHI as required by law; or

d. Use of PHI to provide Data Aggregation services to Covered Entity as permitted by 45 CFR 164.504(e)(2)(i)(B).

5. Obligations of Covered Entity.

a. Covered Entity shall notify Business Associate of its privacy practices and restrictions as follows:

(i) Notify Business Associate of any limitations in Covered Entity’s Notice of Privacy Practices that Covered Entity produces in accordance with 45 CFR 164.520;

(ii) Provide Business Associate with any changes in or revocation of permission by any individual to use or disclose their PHI if such changes may affect Business Associate’s permitted and required uses and disclosures of PHI under this Agreement; and

(iii) Notify Business Associate of any restriction on the use or disclosure of PHI that Covered Entity may agree to or is required to abide by in accordance with 45 CFR 164.522, if such agreement may affect Business Associate’s permitted or required uses and disclosures of PHI under this Agreement.

b. Covered Entity shall not request Business Associate to acquire, use, maintain or disclose PHI in any manner that would not be permissible under Subpart E of 45 CFR Part 164, if done by Covered Entity, except as set forth in Section 5 above.

c. Covered Entity shall be solely responsible for making any final decisions regarding, and for all administrative actions concerning, the exercise of any individual’s rights, under Sections 164.524 through 164.528 of HIPAA.

6. De-Identification. Notwithstanding anything herein to the contrary, Business Associate may store, analyze, access and use components of PHI that have been “De-Identified” in accordance with 45 CFR 164.514(a)-(c).

7. Breach of Agreement; Termination.

a. In the event that either party becomes aware of an act or omission of the other party that constitutes a material breach or violation of the party’s obligations under this Agreement, which breach is not cured within fifteen (15) days after notice is provided to the breaching party, this Agreement may be terminated by the non-breaching party for cause, and any other agreement between the parties related to the provision of the Services shall also be terminated upon the termination of this Agreement. Further, if in the non-breaching party’s discretion, more than one breach occurs which constitutes a pattern or practice of conduct or breach of the Agreement by the breaching party, the non-breaching party may terminate this Agreement immediately without prior notice or cure period, and all other agreements between the parties related to provision of the Services shall also terminate upon termination of this Agreement.

b. If, upon breach of this Agreement by either party, it is not feasible, in the opinion of the non-breaching party to terminate this Agreement, the non-breaching party shall notify HHS of such situation.

c. At the termination of this Agreement, for any reason whatsoever, if feasible, Business Associate shall return or destroy all PHI received from, or created or received by the Business Associate on behalf of Covered Entity that the Business Associate still maintains in any form, and shall retain no copies of such PHI; or, if such return or destruction is not feasible:

(i) Retain only that PHI which is necessary for Business Associate to continue its proper management and administration or to carry out its legal responsibilities;

(ii) Return to Covered Entity or destroy the remaining PHI that the Business Associate possesses in any form;

(iii) Continue to use appropriate safeguards and comply with Subpart C of 45 CFR Part 164 with respect to EPHI retained to prevent use or disclosure of the PHI, other than as provided for in this Section, for as long as Business Associate retains the PHI;

(iv) Not use or disclose the PHI retained by Business Associate other than for the purposes for which such PHI was retained, and subject to the same conditions set out in Sections 4 and 5 above and which applied prior to termination; and

(v) Return to Covered Entity or destroy the PHI retained by Business Associate when it is no longer needed by Business Associate for its proper management and administration or to carry out its legal responsibilities or when it is no longer infeasible to return or destroy.

8. Re-Negotiation. The parties agree to negotiate in good faith such modifications to this Agreement that may be necessary or required to ensure consistency with amendments to and changes in applicable federal and state laws and regulations, including but not limited to, statutes and regulations enacted or promulgated pursuant to or as amendments to HIPAA.

9. Miscellaneous Provisions.

a. This Agreement shall not be assignable by either party without the other’s prior written consent. Notwithstanding the foregoing, this Agreement shall be binding upon and shall inure to the benefit of the parties, and any successor to the operations and business of the parties whether by operation of law or otherwise.

b. All notices given pursuant to this Agreement shall be in writing and shall be delivered by hand or sent by registered or certified mail, return receipt requested, postage pre-paid, addressed to the party for whom it is intended at its address as first set forth above. Any address for the giving of notice may be changed by giving notice to that effect to the other party. Each such notice shall be deemed to have been given on the date of its receipt by the party for whom it was intended.

c. If any provision of this Agreement is or becomes unenforceable, the remainder of this Agreement shall nevertheless remain binding to the fullest extent possible, taking into consideration the purposes and spirit of this Agreement.

d. This Agreement contains the entire understanding of the parties hereto with regard to the subject matter hereof, and supersedes all other agreements and understandings, written and oral, relating to the subject matter hereof. This Agreement may not be amended or modified, nor may any of its provisions be waived, except by a writing executed by both of the parties hereto or, in the case of a waiver, by the party waiving compliance. The waiver of any one breach shall not be construed as a waiver of any rights or remedies with respect to any other breach or subsequent breach.

e. Any provision of this Agreement which by its terms is intended to survive the termination or expiration of this Agreement shall so survive.

f. This Agreement shall be governed by and construed in accordance with the laws of the State of Georgia, without regard to principles of conflicts of law. Any suit, action or proceeding by any Party that arises under or in any way relates to this Agreement or the transactions contemplated hereby may be brought only in the state or federal courts located in Hall County, Georgia, and shall be tried only by a court and not by a jury. Each party hereby consents to the jurisdiction of such courts to decide any and all such suits, actions and proceedings and to such venue, and they hereby expressly waive any right to a trial by jury in any and all such suits, actions and proceedings.

g. This Agreement may be executed by facsimile or electronic signature in one or more counterparts, each of which shall be deemed an original and together shall constitute one and the same Agreement.

FULL MEDIA
Contact: Lauren Pickens
Title: Chief Operations Officer
Phone: (770) 534-2515 x 205
Mailing Address: PO Box 2657, Gainesville, GA 30503

Version 1.0
Published 1/1/2025