HIPAA

HIPAA Business Associate Agreement

Curato Health Team Business Associate Agreement for “Covered Entity” Customers

The following Standard HIPAA Business Associate Agreement Terms and Conditions (“HIPAA Addendum”) shall be incorporated into the Master Service Agreement for Customers that are Covered Entities (see ‘definitions’) which provide Protected Health Information (“PHI”)(see ‘definitions’) to Curato Health Team in connection with the Curato Health Team For Local Business and Enterprise services they have purchased. These terms supplement the purchase agreement between Curato Health Team and Customers (“Underlying Agreement”) in order to comply with the federal Standards for Privacy of Individually Identifiable Health Information, located at 45 C.F.R. Part 160 and Part 164, Subparts A through E (“Privacy Rule”) and the Health Information Technology for Economic and Clinical Health Act, Public Law 111-005 (the “HITECH Act”).

The following terms used in this Agreement shall have the same meaning as the terms in the HIPAA Rules: PHI (Protected Health Information), Breach, Data Aggregation, Designated Record Set, Disclosure, Health Care Operations, Individual, Minimum Necessary, Notice of Privacy PrActices, Required By Law, Secretary, Security Incident, SubcontrActor, Unsecured Protected Health Information, and Use.

1. SPECIFIC DEFINITIONS: All terms used and not defined in this HIPAA Addendum shall have the same meaning as those in the Privacy Rule or the HITECH Act.

1.1 “Breach” shall have the same meaning given to such term under 42 U.S.0 § 17921.

1.2 “Business Associate” shall generally have the same meaning as the term “business associate” at 45 CFR 160.103, and in reference to the party to this agreement, shall mean Curato Health Team.

1.3 “Covered Entity” shall generally have the same meaning as the term “covered entity” at 45 CFR 160.103, and in reference to the party to this agreement, shall mean [Insert Name of Covered Entity].

1.4 “HIPAA Rules” shall mean the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Part 160 and Part 164.

1.5 “Individual” shall have the same meaning as the term “individual” in 45 C.F.R. §160.103 and shall include a person(s) designated as a personal representative in accordance with 45 C.F.R. § 164.502(g).

1.6 “Protected Health Information” or “PHI” shall have the same meaning as the term “protected health information” in 45 C.F.R. § 160.103, limited to the information created or received by Business Associate from or on behalf of the Covered Entity.

1.7 “Required by Law” shall have the same meaning as the term “required by law” in 45 C.F.R. §160.103.

1.8 “Unsecured PHI” shall have the same meaning given to such term under the HITECH Act and any guidance issued pursuant to said HITECH Act.

Independent Contractor: The Business Associate’s status shall hereto be that of an Independent Contractor

Obligations And Activities Of Business Associate

Curato Health Team agrees to the following:

Use and Disclosure of PHI: Curato Health Team shall not use or disclose PHI other than as permitted or required by this HIPAA Addendum or as Required by Law. Curato Health Team shall not use or disclose PHI for fundraising or marketing purposes. Curato Health Team shall not directly or indirectly receive remuneration in exchange for PHI, except with the prior written consent of Covered Entity and as permitted by the HITECH Act; however, this prohibition shall not affect payment by Covered Entity to Curato Health Team for services provided pursuant to the Underlying Agreement.

Safeguards: Curato Health Team shall use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to electronic PHI, to prevent use or disclosure of PHI other than as provided for by the Agreement.

Mitigation: Curato Health Team shall mitigate, to the extent practicable, any harmful effect that is known to Curato Health Team of a use or disclosure of PHI by Curato Health Team in violation of the requirements of this HIPAA Addendum.

Reporting: Curato Health Team shall report to Covered Entity any use or disclosure of PHI not provided for by the Agreement of which it becomes aware, including breaches of unsecured PHI as required at 45 CFR 164.410, and any security incident of which it becomes aware:

Business Associate will notify Covered Entity of the breach within a previously agreed upon timeline, not to exceed 30 calendar days
Business Associate will notify patient of the breach
Business Associate will notify HHS Office for Civil Rights of breach

Disclosure to Agents and Subcontractors: In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of Curato Health Team agree to the same restrictions, conditions, and requirements that apply to the Curato Health Team with respect to such information

Designated Record Set: Curato Health Team shall provide access, at the request of Covered Entity, to PHI in a Designated Record Set to meet the requirements under 45 C.F.R. § 164.524. Business Associate will forward request for access of the designated record set to Covered Entity within 30 days OR Business associate will respond to request for access of the designated record set within 30 days. If Business Associate is unable to respond to request for access, the Business Associate will notify the requesting party.

Internal Policy and Procedure: Curato Health Team shall make available its internal practices, books, and records, including policies and procedures and PHI, relating to the use and disclosure of PHI received from, or created or received by Curato Health Team on behalf of, Covered Entity available to the Covered Entity and to the Secretary of Health and Human Services (“Secretary”) for purposes of the Secretary determining Covered Entity’s compliance with the Privacy Rule and the HITECH Act.

Disclosures: Curato Health Team agrees to maintain the information required to provide an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528 and to make this information available to the Covered Entity upon the Covered Entity’s request in order to allow the Covered Entity to respond to an Individual’s request for accounting of disclosures.

Security Obligations: Curato Health Team shall implement appropriate safeguards as are necessary to prevent the use or disclosure of PHI otherwise than as permitted by the Underlying Agreement or this HIPAA Addendum including, but not limited to, administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the Covered Entity’s electronic PHI as required by 45 C.F.R. Sections 164.308, 164.310, and 164.312, as amended from time to time. Curato Health Team shall ensure that any agent, including a subcontractor, to whom it provides such electronic PHI, agrees to implement reasonable and appropriate safeguards to protect it. Curato Health Team shall comply with the policies and procedures and document requirements of the Privacy Rule including, but not limited to, 45 C.F.R. Section 164.316. Curato Health Team agrees to report promptly to the Covered Entity any security incident of which it becomes aware.

Breach Pattern or Practice by Covered Entity: If Curato Health Team knows of a pattern of Activity or practice of the Covered Entity that constitutes a material breach or violation of the Covered Entity’s obligations under the HIPAA policy set forth here, Curato Health Team shall take reasonable steps to cure the breach or end the violation. If the steps are unsuccessful, Curato Health Team must terminate the Underlying Agreement, if feasible, or if termination is not feasible, report the problem to the Secretary.

Permitted Uses And Disclosures By Curato Health Team

Permitted Uses and Disclosures: Except as otherwise limited in this HIPAA Addendum, Curato Health Team may use or disclose PHI to perform functions, activities, or services for or on behalf of the Covered Entity as specified in the Underlying Agreement provided. Such use or disclosure would not violate the Privacy Rule including, but not limited to, each applicable requirement of 45 C.F.R. § 164.504(e) and the HITECH Act if done by the Covered Entity.

Use for Management and Administration: Except as otherwise limited in this HIPAA Addendum, Curato Health Team may use PHI for the proper management and administration of Curato Health Team or to carry out the legal responsibilities of Curato Health Team.
Disclosure for Management and Administration: Except as otherwise limited in this HIPAA Addendum, Curato Health Team may disclose PHI for the proper management and administration of the Curato Health Team, provided that disclosures are Required by Law or Curato Health Team obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential, and used or further disclosed only as Required by Law or for the purpose for which it was disclosed to the person, and the person notifies Curato Health Team of any instances of which it is aware in which the confidentiality of the information has been breached.
Minimum Necessary: Curato Health Team (and its agents or subcontractors) shall request, use, and disclose only the minimum amount of PHI necessary to accomplish the purpose of the request, use, or disclosure. Curato Health Team understands and agrees that the definition of “minimum necessary” is subject to change from time to time and shall keep itself informed of guidance issued by the Secretary with respect to what constitutes “minimum necessary.”
Data Aggregation: Except as otherwise limited in this HIPAA Addendum, Curato Health Team may use PHI to provide Data Aggregation services related to health care operations to the Covered Entity as permitted by 45 C.F.R. §164.504(e)(2)(i)(B).
Report Violations of Law: Curato Health Team may use PHI to report violations of law to appropriate Federal and State authorities consistent with 45 C.F.R. §164.502(j)(1).

Provisions For Covered Entity To Inform Business Associate Of Privacy Practices And Restrictions

The Covered Entity shall notify Curato Health Team of any limitation(s) in the notice of privacy practices of the Covered Entity under 45 C.F.R. § 164.520, to the extent that such limitations may affect Curato Health Team’s use or disclosure of PHI.

Changes in Permission: The Covered Entity shall notify Curato Health Team of any changes in, or revocation of, permission by an Individual to use or disclose his or her PHI, to the extent that such changes may affect Curato Health Team’s use or disclosure of PHI.

Notification of Restrictions: The Covered Entity shall notify Curato Health Team of any restriction to the use or disclosure of PHI that Covered Entity has agreed to or is required to abide by under 45 C.F.R. § 164.522, to the extent that such restriction may affect Curato Health Team’s use or disclosure of PHI.

Permissible Requests by Covered Entity: The Covered Entity shall not request Curato Health Team to use or disclose PHI in any manner that would not be permissible under the Privacy Rule and the HITECH Act if done by Covered Entity. Exceptions if certain provisions are made; Data aggregation, Management and administration and Legal responsibilities of Curato Health Team (one or more may apply).

Term And Termination

Term: The Term of this HIPAA Addendum shall be effective as of the first day that the Covered Entity provides PHI to Curato Health Team and shall terminate when all of the PHI provided by the Covered Entity to Curato Health Team, or created or received by Curato Health Team on behalf of the Covered Entity, is destroyed or returned to the Covered Entity, or if it is infeasible to return or destroy PHI, protections are extended to such information in accordance with the termination provisions set forth here.

Termination with Cause: Curato Health Team authorizes termination of this Agreement by the Covered Entity, if the Covered Entity determines Curato Health Team has violated a material term of the Agreement:

Provide 30 days advance written notice specifying the nature of the breach or violation to Curato Health Team. Curato Health Team shall have 60 days from the date of the notice in which to remedy the breach or violation. If such corrective Action is not taken within the time specified, this HIPAA Addendum and the Underlying Agreement shall terminate at the end of the 30 days.
Immediately terminate this HIPAA Addendum and the Underlying Agreement if Curato Health Team has breached a material term of this HIPAA Addendum and cure is not possible.
Report the violation to the Secretary if neither cure of the breach nor termination of this HIPAA Addendum and the Underlying Agreement are feasible.

Obligation of Curato Health Team Upon Termination:

Upon termination of this HIPAA Addendum or the Underlying Agreement, for any reason, Curato Health Team shall return or destroy all PHI received from Covered Entity, or created,maintains or received by Curato Health Team on behalf of Covered Entity. This provision shall apply to PHI that is in the possession of subcontractors or agents of Curato Health Team. Curato Health Team shall retain zero copies of the PHI
Upon termination of this Agreement for any reason, Curato Health Team, with respect to PHI received from Covered Entity, or created, maintained, or received by Curato Health Team on behalf of the Covered Entity, shall:
- Retain only that PHI which is necessary for Curato Health Team to continue its proper management and administration or to carry out its legal responsibilities;
- Return to the Covered Entity (or destroy at request of the covered entity) the remaining PHI that the Curato Health Team still maintains in any form
- Continue to use appropriate safeguards and comply with Subpart C of 45 CFR Part 164 with respect to electronic PHI in order to prevent use or disclosure of PHI, other than as provided for in this Section, for as long as Curato Health Team retains the PHI
- Not use or disclose the PHI retained by Curato Health Team other than for the purposes for which such PHI was retained and subject to the same conditions set out at which applied prior to termination
- Return to Covered Entity (or destroy at request of the covered entity) the PHI which is kept by Curato Health Team when it is no longer needed by Curato Health Team for its proper management and administration or to carry out its legal responsibilities
In the event that Curato Health Team determines that returning or destroying PHI is not feasible, Curato Health Team shall notify Covered Entity in writing of the conditions that make return or destruction infeasible. If return or destruction of the PHI is not possible, Curato Health Team shall extend the protections of this HIPAA Addendum to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Curato Health Team maintains such PHI

Regulatory References: A reference in this HIPAA Addendum to a section in the Privacy Rule or the HITECH Act means the section as in effect or as amended.

Amendments: Curato Health Team reserves the right to change the terms and conditions of this HIPAA Addendum at any time. Curato Health Team will notify the Covered Entity of any material changes to this HIPAA Addendum by sending the Covered Entity an e-mail to the last e-mail address the Covered Entity provided to Curato Health Team or by prominently posting notice of the changes on Curato Health Team’s website. Any material changes to this HIPAA Addendum will be effective upon the earlier of thirty (30) calendar days following Curato Health Team’s dispatch of an e-mail notice to the Covered Entity or thirty (30) calendar days following Curato Health Team’s posting of notice of the changes on its website. These changes will be effective immediately for new Curato Health Team Clients. Please note that at all times the Covered Entity is responsible for providing Curato Health Team with its most current e-mail address. In the event that the last e-mail address that the Covered Entity has provided Curato Health Team is not valid, or for any reason is not capable of delivering to the Covered Entity the notice described above, Curato Health Team’s dispatch of the e-mail containing such notice will nonetheless constitute effective notice of the changes described in the notice. If the Covered Entity does not agree with the changes to this HIPAA Addendum, the Covered Entity must notify Curato Health Team prior to the effective date of the changes that the Covered Entity wishes to terminate its subscription to the applicable Curato Health Team services. Continued use of the Curato Health Team services following notice of such changes shall indicate the Covered Entity’s acknowledgement of such changes and agreement to be bound by the terms and conditions of such changes.

Interpretation: The provisions of this HIPAA Addendum shall prevail over the provisions of any other agreement that exists between the Parties that may conflict with, or appear inconsistent with, any provision of this HIPAA Addendum, the Privacy Rule or the HITECH Act.

Curato Health helped us scale our ENT practice into a multi-site, multi-disciplinary medical center. We were initially skeptical about the need for digital marketing since we were already busy, but we decided to take a chance with Curato... best ROI decision! These guys know medical practices inside-and-out! And they know exactly how to get you more patients that book appointments online and ACTUALLY SHOW UP FOR THEIR VISIT!

Tremendous work! We had no website, no online presence, and just relied on our decades of good community work. This worked great for us until a competitor opened a few miles away with nearly the same name as our practice! And they had a very powerful online presence and got busy very quickly. My practice became stagnant, especially my sleep study centers, and I realized that I had to make a change... I hired Curato and BOOM! We're busier than ever!

The guys at Curato seriously know what they're doing. We had a digital marketing company before that made us a lackluster website, minimal communication, and their 'social media posting' was just cookie-cutter holiday messages. We got rid of them, and we decided to partner with Curato Health. Totally different experience! We were already busy, but now thanks to Curato, we scaled up the practice to hire more docs and PAs, multiplying ROI!

We couldn't be happier! My partner and I dove into starting an independent internal medicine practice. We sought vendors that could help us get off the ground. Hands-down, our best decision was partnering with Curato. They understand all the challenges private practices face and launched digital marketing strategies tailored for our needs. As a startup, we needed to grow our brand, and Curato Health did an amazing job helping us!

I've been running my pain practice for 8 years now with an average website, no social media, no SEO, no asking for reviews, no ads, and no medical blogs. And I was doing just fine! But seeing my peers boost growth with digital marketing led me to explore. I found Curato Health and they've been amazing. I signed-up, and all my marketing is set with zero burden on me or my staff! I'm getting noticeably more appointment requests! Highly recommend!