This Business Associate Agreement ("Agreement") is made and entered into by and between [Covered Entity Name], a HIPAA-covered entity ("Covered Entity"), and Verisight Analytics, LLC, an Illinois limited liability company with a principal office at 342 N Water St Suite 600, Milwaukee, WI 53202 ("Business Associate"), effective as of the date of last signature below ("Effective Date").
WHEREAS, Covered Entity is a "covered entity" as defined by the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), as amended by the Health Information Technology for Economic and Clinical Health Act ("HITECH"), and the regulations promulgated thereunder at 45 C.F.R. Parts 160, 162, and 164 (the "HIPAA Rules");
WHEREAS, Business Associate provides MDS Genie, a Software-as-a-Service platform that serves as a clinical decision support tool to assist healthcare professionals in analyzing clinical documentation and generating suggested Minimum Data Set (MDS) assessment codes using artificial intelligence;
WHEREAS, in connection with the provision of services, Business Associate may create, receive, maintain, transmit, use, or disclose Protected Health Information ("PHI") on behalf of Covered Entity;
WHEREAS, the parties intend to comply with HIPAA, HITECH, and applicable state privacy laws governing the use and disclosure of PHI;
NOW, THEREFORE, in consideration of the mutual covenants contained herein, the parties agree as follows:
1.1 Terms used but not otherwise defined in this Agreement shall have the same meaning as those terms in the HIPAA Rules.
1.2 "Breach" shall have the meaning given to such term under HIPAA, HITECH, and the HIPAA Rules.
1.3 "Business Associate" shall have the meaning given to such term under HIPAA, HITECH, and the HIPAA Rules.
1.4 "Covered Entity" shall have the meaning given to such term under HIPAA, HITECH, and the HIPAA Rules.
1.5 "Data Aggregation" shall have the meaning given to such term under the HIPAA Rules.
1.6 "Designated Record Set" shall have the meaning given to such term under the HIPAA Rules.
1.7 "Electronic Protected Health Information" or "ePHI" means PHI transmitted by or maintained in electronic media.
1.8 "Individual" shall have the meaning given to such term under the HIPAA Rules.
1.9 "Minimum Necessary" means the minimum necessary standard as set forth in 45 C.F.R. § 164.502(b).
1.10 "Protected Health Information" or "PHI" shall have the meaning given to such term under HIPAA, HITECH, and the HIPAA Rules.
1.11 "Required by Law" shall have the meaning given to such term under the HIPAA Rules, including but not limited to: (i) court orders and court-ordered warrants; (ii) subpoenas or summons issued by a court, grand jury, governmental or tribal inspector general, or administrative body authorized to require production; (iii) civil or authorized investigative demands; (iv) Medicare conditions of participation; (v) statutes or regulations requiring production of information.
1.12 "Secretary" means the Secretary of the United States Department of Health and Human Services or the Secretary's designee.
1.13 "Security Incident" means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.
1.14 "Unsecured PHI" shall have the meaning given to such term under HITECH and the HIPAA Rules.
2.1.1 Business Associate may use or disclose PHI only as necessary to perform services for Covered Entity as specified in the underlying services agreement, or as Required by Law.
2.1.2 Business Associate may use PHI for its proper management and administration or to carry out its legal responsibilities.
2.1.3 Business Associate may disclose PHI for its proper management and administration or to carry out its legal responsibilities only if: (i) the disclosure is Required by Law; or (ii) Business Associate obtains reasonable assurances from the recipient that the information will remain confidential and used or further disclosed only as Required by Law or for the purposes for which it was disclosed, and the recipient notifies Business Associate of any instances of which it is aware that the confidentiality has been breached.
2.1.4 Business Associate may use PHI to provide Data Aggregation services to Covered Entity as permitted by the HIPAA Rules.
2.1.5 Business Associate may de-identify PHI in accordance with 45 C.F.R. § 164.514(a)-(c).
2.2.1 Business Associate agrees to use, disclose, or request only the minimum amount of PHI necessary to accomplish the intended purpose of the use, disclosure, or request.
2.2.2 Business Associate shall implement role-based access controls ensuring workforce members access only the minimum PHI necessary for their job functions.
2.2.3 Business Associate shall maintain and enforce policies defining authorized access levels for different workforce roles.
2.3.1 Business Associate shall use appropriate administrative, physical, and technical safeguards to prevent use or disclosure of PHI other than as provided by this Agreement.
2.3.2 Business Associate shall comply with Subpart C of 45 C.F.R. Part 164 (Security Rule) with respect to ePHI.
2.3.3 Business Associate shall implement the following specific safeguards:
Administrative Safeguards:
- Designation of a Security Officer and Privacy Officer
- Workforce training on HIPAA requirements (initial and annual)
- Workforce clearance procedures including background checks
- Access authorization and modification procedures
- Sanction policies for violations
- Information system activity review procedures
- Risk assessment and management processes (annual)
- Contingency planning including data backup, disaster recovery, and emergency mode operations
- Business Associate Agreements with subcontractors
Physical Safeguards:
- Facility access controls with visitor logs
- Workstation use policies requiring locking when unattended
- Device and media controls including encryption and disposal procedures
- Hardware and electronic media movement tracking
Technical Safeguards:
- Unique user identification for each workforce member
- Automatic logoff after 15 minutes of inactivity
- Encryption of PHI at rest (AES-256) and in transit (TLS 1.3 minimum)
- Audit logs capturing all PHI access, retained for seven (7) years
- Integrity controls to ensure PHI is not improperly altered
- Person or entity authentication including multi-factor authentication
- Transmission security for all PHI communications
2.4.1 Business Associate shall report to Covered Entity any use or disclosure of PHI not provided for by this Agreement of which it becomes aware within ten (10) business days of discovery.
2.4.2 Business Associate shall report to Covered Entity any Security Incident of which it becomes aware within ten (10) business days of discovery. Routine unsuccessful attempts that do not result in unauthorized access (such as pings, port scans, or unsuccessful log-on attempts) need not be reported individually but shall be documented and made available upon request.
2.4.3 Business Associate shall report any Breach of Unsecured PHI to Covered Entity without unreasonable delay and in no case later than ten (10) business days after discovery of the Breach.
2.5.1 Business Associate's notification shall include:
- Date and time of the Breach
- Date of discovery of the Breach
- Description of the types of Unsecured PHI involved (e.g., names, social security numbers, dates of birth, home addresses, account numbers, diagnoses, disability codes)
- Identity of each Individual whose Unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed
- Description of what Business Associate is doing to investigate, mitigate harm, and prevent future Breaches
- Contact procedures for Individuals to ask questions or obtain additional information
2.5.2 Business Associate shall conduct a risk assessment applying the following factors:
1. Nature and extent of PHI involved, including types of identifiers and likelihood of re-identification
2. Unauthorized person who used the PHI or to whom disclosure was made
3. Whether PHI was actually acquired or viewed
4. Extent to which risk to PHI has been mitigated
2.5.3 Business Associate shall maintain documentation of all Breaches and risk assessments for a minimum of six (6) years.
2.5.4 If delegated by Covered Entity in writing, Business Associate shall:
- Notify affected Individuals within sixty (60) days of discovery
- Notify HHS within sixty (60) days for Breaches affecting 500+ Individuals
- Notify media outlets within sixty (60) days for Breaches affecting 500+ residents of a state
- Maintain a log of Breaches affecting fewer than 500 Individuals and submit annually to HHS
2.6.1 To the extent Business Associate maintains PHI in a Designated Record Set, Business Associate shall:
- Make PHI available for access by Individuals within thirty (30) days of request
- Make PHI available for amendment and incorporate amendments as directed
- Document disclosures of PHI and make accounting available within sixty (60) days
2.6.2 As MDS Genie processes PHI ephemerally without retention, these obligations apply only to any PHI that may be incidentally retained in system logs or backups.
Business Associate shall make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary for purposes of determining compliance with HIPAA Rules.
2.8.1 Business Associate shall ensure that any subcontractor that creates, receives, maintains, or transmits PHI on behalf of Business Associate agrees in writing to the same restrictions and conditions that apply to Business Associate.
2.8.2 Business Associate shall obtain satisfactory assurance that subcontractors will appropriately safeguard PHI.
2.8.3 Current authorized subprocessors:
- Microsoft Azure (Cloud Infrastructure/AI): BAA executed
- Stripe (Payment Processing): No PHI access
- Google Analytics (Marketing website only): No PHI access
2.8.4 Business Associate shall provide thirty (30) days advance written notice before engaging new subprocessors with PHI access.
3.1 Covered Entity shall notify Business Associate of any limitations in its Notice of Privacy Practices that may affect Business Associate's use or disclosure of PHI.
3.2 Covered Entity shall notify Business Associate of any changes in, or revocation of, permission by an Individual to use or disclose PHI.
3.3 Covered Entity shall notify Business Associate of any restriction to the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 C.F.R. § 164.522.
3.4 Covered Entity represents that its use of MDS Genie and provision of PHI to Business Associate complies with Minimum Necessary standards.
This Agreement shall be effective as of the Effective Date and shall terminate when all PHI provided by Covered Entity to Business Associate is destroyed or returned, unless earlier terminated as provided below.
4.2.1 Either party may terminate this Agreement upon thirty (30) days written notice for any reason.
4.2.2 Covered Entity may terminate this Agreement immediately if Business Associate has breached a material term and fails to cure within thirty (30) days of written notice.
4.2.3 Either party may terminate immediately if the other party is subject to bankruptcy proceedings, receivership, or dissolution.
4.3.1 Upon termination, Business Associate shall, if feasible, return or destroy all PHI and retain no copies. Given MDS Genie's ephemeral processing model, no PHI should exist for return or destruction.
4.3.2 If return or destruction is not feasible, Business Associate shall extend protections of this Agreement and limit further uses and disclosures to those purposes that make return or destruction infeasible, for so long as Business Associate maintains such PHI.
4.3.3 Business Associate shall certify in writing that all PHI has been returned or destroyed, or if not feasible, the conditions that make return or destruction infeasible.
IMPORTANT NOTICE: MDS Genie is intended exclusively as a clinical decision support tool for use by qualified healthcare professionals. It is NOT intended to:
- Replace professional clinical judgment
- Diagnose, treat, cure, or prevent any disease or condition
- Serve as the sole basis for clinical decisions
All suggestions generated by MDS Genie must be independently reviewed, verified, and validated by licensed healthcare professionals before use. The system provides recommendations that healthcare professionals can independently review, with the ability to accept, modify, or reject any suggestions based on their professional judgment and patient-specific factors.
Business Associate implements and maintains:
- Encryption: AES-256 at rest, TLS 1.3 in transit
- Authentication: Multi-factor authentication required
- Session Management: 15-minute automatic timeout
- Password Policy: Minimum 12 characters, complexity requirements, 90-day expiration
- Account Lockout: After 5 failed attempts
- Audit Logs: All PHI access logged, 7-year retention
- Access Reviews: Quarterly review of user access rights
- Vulnerability Scanning: Monthly automated scans
- Penetration Testing: Annual third-party testing
- Backup: Daily automated backups, 30-day retention
- Disaster Recovery: RPO 24 hours, RTO 4 hours
- Incident Response: 2-hour containment, 4-hour escalation
Business Associate maintains logical separation of each Covered Entity's data through:
- Unique tenant identifiers
- Role-based access controls
- Encrypted data partitions
- Separate access credentials per Covered Entity
If Covered Entity is located in Illinois:
- Breach notification to Illinois Attorney General if 500+ residents affected
- Compliance with Illinois Personal Information Protection Act
- If biometric data is collected, compliance with Biometric Information Privacy Act (BIPA)
If Covered Entity is located in Wisconsin:
- Compliance with Wisconsin medical records retention requirements
  - Adult records: Minimum 5 years after discharge
  - Minor records: Age of majority plus 5 years
Business Associate shall comply with applicable state laws that are more stringent than HIPAA, including breach notification, medical records retention, and patient rights provisions.
Business Associate maintains:
- Cyber Liability Insurance: Minimum $5,000,000 per occurrence
- Professional Liability Insurance: Minimum $1,000,000 per occurrence
- General Liability Insurance: Minimum $2,000,000 per occurrence
8.2.1 Business Associate shall indemnify, defend, and hold harmless Covered Entity from and against any claims, losses, liabilities, costs, and expenses (including reasonable attorneys' fees) arising from:
- Business Associate's breach of this Agreement
- Business Associate's non-compliance with HIPAA Rules
- Negligent or wrongful acts or omissions of Business Associate
8.2.2 This indemnification excludes claims arising solely from Covered Entity's negligence or wrongful acts.
Any reference to the HIPAA Rules in this Agreement means the regulations at 45 C.F.R. Parts 160, 162, and 164, as may be amended from time to time.
This Agreement shall be amended automatically to incorporate any changes required by amendments to HIPAA Rules. Other amendments must be in writing and signed by both parties.
Obligations of Business Associate under Sections 2.4, 2.5, 4.3, and 8.2 shall survive termination of this Agreement.
Any ambiguity shall be resolved in favor of a meaning that permits Covered Entity to comply with HIPAA Rules.
This Agreement shall be governed by the laws of the state where Covered Entity is located, without regard to conflict of law principles.
Nothing in this Agreement shall confer upon any person other than the parties any rights or remedies.
All notices shall be in writing and deemed given when delivered personally, sent by certified mail return receipt requested, or sent by confirmed email to the addresses below:
If to Covered Entity:
[Name]
[Address]
[Email]
If to Business Associate:
Verisight Analytics, LLC
Attn: Privacy Officer
342 N Water St Suite 600
Milwaukee, WI 53202
Email: hipaa@mdsgenie.ai
This Agreement may be executed electronically in compliance with the E-SIGN Act and UETA. Electronic signatures shall be deemed original signatures.
Covered Entity may audit Business Associate's compliance with this Agreement upon thirty (30) days written notice, not more than once annually unless a Breach has occurred.
Neither party shall be liable for delays or failures due to causes beyond its reasonable control, including acts of God, natural disasters, pandemics, war, terrorism, labor disputes, or infrastructure failures.
10.1 Service Fee: $299 per facility per month
10.2 Payment Processing: Via Stripe, PCI-DSS compliant
10.3 Late Payment: Access suspension after 15 days overdue
10.4 No PHI in payment processing
IN WITNESS WHEREOF, the parties have executed this Business Associate Agreement as of the date last written below.
COVERED ENTITY:
Signature: _________
Print Name: _________
Title: _________
Date: _________
Email: _________
Organization: _________
Address: _________
BUSINESS ASSOCIATE:
Verisight Analytics, LLC
Signature: _________
Print Name: _________
Title: _________
Date: _________
Email: hipaa@mdsgenie.ai
Standard | Implementation | Status |
---|---|---|
Security Officer | Designated Privacy/Security Officer | ✓ Implemented |
Workforce Training | Initial + Annual HIPAA training | ✓ Implemented |
Access Management | Role-based access controls | ✓ Implemented |
Workforce Clearance | Background checks required | ✓ Implemented |
Access Authorization | Documented approval process | ✓ Implemented |
Access Modification | Quarterly access reviews | ✓ Implemented |
Sanctions | Progressive discipline policy | ✓ Implemented |
Information System Review | Daily log review, monthly audits | ✓ Implemented |
Risk Assessment | Annual assessment + continuous monitoring | ✓ Implemented |
Risk Management | Risk mitigation plan with tracking | ✓ Implemented |
Contingency Plan | Documented BCP/DRP | ✓ Implemented |
Data Backup | Daily automated backups | ✓ Implemented |
Disaster Recovery | 24-hour RPO, 4-hour RTO | ✓ Implemented |
Emergency Mode | Documented procedures | ✓ Implemented |
Testing | Annual DR testing | ✓ Implemented |
Business Associate Agreements | Executed with all subcontractors | ✓ Implemented |
Standard | Implementation | Status |
---|---|---|
Facility Access | Badge access, visitor logs | ✓ Implemented |
Contingency Operations | Alternate processing site | ✓ Implemented |
Facility Security Plan | Documented security procedures | ✓ Implemented |
Access Control & Validation | Photo ID verification | ✓ Implemented |
Maintenance Records | Documented repairs/modifications | ✓ Implemented |
Workstation Use | Clean desk policy, screen locks | ✓ Implemented |
Workstation Security | Cable locks, encrypted drives | ✓ Implemented |
Device & Media Controls | Inventory tracking system | ✓ Implemented |
Disposal | NIST 800-88 compliant | ✓ Implemented |
Media Re-use | Secure wiping procedures | ✓ Implemented |
Accountability | Chain of custody logs | ✓ Implemented |
Data Backup & Storage | Encrypted offsite backups | ✓ Implemented |
Standard | Implementation | Status |
---|---|---|
Unique User ID | Individual accounts, no sharing | ✓ Implemented |
Automatic Logoff | 15-minute timeout | ✓ Implemented |
Encryption/Decryption | AES-256 at rest, TLS 1.3 transit | ✓ Implemented |
Audit Logs | Comprehensive logging, 7-year retention | ✓ Implemented |
Hardware/Software | Change control procedures | ✓ Implemented |
Log-in Monitoring | Failed attempt tracking | ✓ Implemented |
Audit Review | Daily automated + monthly manual | ✓ Implemented |
Integrity Controls | Hash verification, version control | ✓ Implemented |
Error Detection | Checksums, parity checks | ✓ Implemented |
Electronic Signatures | DocuSign integration | ✓ Implemented |
Person Authentication | MFA required | ✓ Implemented |
Transmission Security | End-to-end encryption | ✓ Implemented |
Integrity Controls | Message authentication | ✓ Implemented |
Date of Assessment: _______
Breach Description: _______
1. Nature and Extent of PHI
- [ ] Demographics
- [ ] Financial information
- [ ] Clinical information
- [ ] Contact information
- Sensitivity Level: [ ] Low [ ] Medium [ ] High
2. Unauthorized Person
- Identity: ___
- Relationship to CE/BA: _____
- Obligation to protect PHI: [ ] Yes [ ] No
3. PHI Acquired or Viewed
- Evidence of access: [ ] Yes [ ] No [ ] Unknown
- Evidence of acquisition: [ ] Yes [ ] No [ ] Unknown
- Evidence of viewing: [ ] Yes [ ] No [ ] Unknown
4. Mitigation Efforts
- Actions taken: _______
- Effectiveness: [ ] Complete [ ] Partial [ ] None
Risk Level: [ ] Low [ ] Medium [ ] High
Breach Determination: [ ] Breach [ ] No Breach
Notification Required: [ ] Yes [ ] No
Assessor: _______
Date: _______
END OF BUSINESS ASSOCIATE AGREEMENT