BUSINESS ASSOCIATE AGREEMENT
This Business Associate Agreement (“Agreement”) is made by and between the referenced covered entity party identified in the signature section herein (hereinafter “Covered Entity”) and Mental Health Solutions, Inc. d/b/a Nirvana Health (“Business Associate”) and will be in effect during any such time period that Covered Entity has subscribed to and is using services provided by Business Associate and upon termination as set forth in Section 5 of this Agreement. Covered Entity and Business Associate are sometimes individually referred to herein as a “Party” or collectively as the “Parties.”
RECITALS
WHEREAS, Business Associate has been engaged to provide certain services to Covered Entity pursuant to a separate agreement (“Services Agreement”), and, in connection with those services, Covered Entity may need to disclose to Business Associate, or Business Associate may need to create on Covered Entity’s behalf, certain Protected Health Information (as defined below) that is subject to protection under the Health Insurance Portability and Accountability Act of 1996, as codified at 42 U.S.C. §1320d, et seq. (“HIPAA”), the Health Information Technology for Economic and Clinical Health Act of 2009, as codified at 42 U.S.C. §17901, et seq. (“HITECH Act”), and any current and future regulations promulgated under either HIPAA or HITECH, including the privacy, security, breach notification, and enforcement rules at 45 CFR Part 160 and Part 164 (collectively referred to herein as the “HIPAA Regulations”);
WHEREAS, pursuant to the HIPAA Regulations, all business associates (as defined at 45 C.F.R. § 160.103) of Covered Entity, including Business Associate, as a condition of doing business with Covered Entity, must agree in writing to certain mandatory provisions regarding the privacy and security of PHI; and
WHEREAS, the Parties desire to comply with the requirements of HIPAA, the HIPAA Regulations, and the HITECH Act.
NOW THEREFORE, IN CONSIDERATION OF THE FOREGOING, and the mutual promises and covenants contained herein, the Parties hereby agree as follows:
AGREEMENT
1. Definitions. Capitalized terms used, but not otherwise defined, in this Agreement shall have the meanings set forth in HIPAA, the HIPAA Regulations, and the HITECH Act.
- “Breach” shall have the meaning given to such term in 45 C.F.R. § 164.402, and shall include the unauthorized acquisition, access, use, or disclosure of PHI which compromises the security or privacy of such information.
- “Data Aggregation” shall have the meaning given to such phrase under the Privacy Rule, including, but not limited to, 45 C.F.R. § 164.501.
- “Designated Record Set” means a group of records maintained by or for Covered Entity that may include (i) medical records and billing records about Individuals maintained by or for a covered health care provider; (ii) the enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or (iii) records used, in whole or in part, by or for Covered Entity to make decisions about Individuals.
- “Electronic Health Record” shall have the meaning given to such phrase in the HITECH Act, including, but not limited to, 42 U.S.C. § 17921(5).
- “Electronic Protected Health Information” (or “ePHI”) means individually identifiable health information that is transmitted by, or maintained in, electronic media.
- “Health Care Operations” shall have the meaning given to such phrase under the Privacy Rule, including, but not limited to, 45 C.F.R. § 164.501.
- “Individual” shall have the meaning given to such term in 45 C.F.R. § 160.103 and shall include a person who qualifies as a personal representative in accordance with 45 C.F.R. § 164.502(g).
- “Privacy Rule” shall mean the Standards for Privacy of Individually Identifiable Health Information codified at 45 C.F.R. Part 160 and Part 164, Subparts A and E, as amended by the HITECH Act and as may otherwise be amended from time to time.
- “Protected Health Information” (or “PHI”) means any information, whether oral or recorded in any form or medium: (i) that relates to the past, present or future physical or mental condition of an Individual; the provision of health care to an Individual; or the past, present or future payment for the provision of health care to an Individual; and (ii) that identifies the Individual or with respect to which there is a reasonable basis to believe the information can be used to identify that Individual; and (iii) shall include the definition as set forth in the Privacy Rule including, but not limited to, 45 C.F.R. § 160.103. PHI excludes individually identifiable health information regarding a person who has been deceased for more than fifty (50) years. For purposes of this Agreement, the term PHI shall include ePHI.
- “Required By Law” shall have the meaning given to such phrase in 45 C.F.R. § 164.103.
- “Secretary” means the Secretary of the U.S. Department of Health and Human Services or his/her designee.
- “Security Incident” means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.
- “Security Rule” shall mean the HIPAA Regulations that are codified at 45 C.F.R. Part 160 and Part 164, Subparts A and C, as amended by the HITECH Act and as may otherwise be amended from time to time.
- “Unsecured PHI” shall mean PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary in guidance or as otherwise defined in 45 C.F.R. § 164.402.
- “Unsuccessful Security Incidents” shall include, but not be limited to, pings and other broadcast attacks on Business Associate’s firewall, port scans, unsuccessful log-on attempts, and any combination of the above, so long as no such incident results in unauthorized access, use or disclosure of PHI.
2. Scope of Agreement. This Agreement applies to the PHI received from, or created on behalf of, Covered Entity, as may be required by Business Associate to perform the obligations and functions set forth under the Services Agreement. Business Associate shall abide by HIPAA, the HIPAA Regulations and the HITECH Act with respect to the PHI of Covered Entity, as outlined below.
3. Obligations and Activities of Business Associate.
- Permitted Uses and Disclosures. Business Associate shall use or disclose PHI received, accessed, maintained, or created for or on behalf of Covered Entity only as permitted by this Agreement, or as Required By Law. Except as otherwise limited in this Agreement, Business Associate may use and/or disclose PHI: (i) to perform its obligations and functions under the Services Agreement; (ii) for the management and administration of Business Associate, including product improvement purposes; (iii) to provide data aggregation services as are set forth in the Agreement; or (iv) to otherwise carry out the legal responsibilities of Business Associate. Business Associate shall not use/disclose PHI in any manner that would constitute a violation of the Privacy Rule or the HITECH Act if so used/disclosed by Covered Entity. Business Associate agrees to limit its use/disclosure of PHI to the minimum amount necessary to accomplish the intended purpose of the use. In addition, if Business Associate discloses PHI to a third party, Business Associate must obtain, prior to making any such disclosure, (A) satisfactory written assurances from such third party that the PHI will be held as confidential as provided pursuant to this Agreement and only disclosed as Required By Law or for the purposes for which it was disclosed to such third party; and (B) a written agreement (including but not limited to a Subcontractor Business Associate Agreement) from such third party to immediately notify Business Associate of any breaches of confidentiality of the PHI, to the extent such third party has obtained knowledge of such breach. Business Associate agrees to limit its disclosure of PHI to the minimum amount necessary to accomplish the intended purpose of the disclosure.
- Prohibited Uses and Disclosures. Business Associate shall not use or disclose PHI for fundraising or marketing purposes. In accordance with 45 C.F.R. § 164.522(a)(1)(vi), Business Associate shall not disclose PHI to a health plan for payment or Health Care Operations purposes if an Individual has requested this special restriction, and has paid out of pocket in full for the health care item or service to which the PHI solely relates. Business Associate shall not sell PHI as provided in 45 C.F.R. § 164.502.
- Other Business Associates. As part of its providing functions, activities, and/or services to Covered Entity, Business Associate may disclose information, including PHI, to other business associates of Covered Entity, and Business Associate may use and disclose information, including PHI, received from other business associates of Covered Entity as if this information was received from, or originated with, Covered Entity.
- Safeguards. Business Associate agrees to use appropriate safeguards to prevent use or disclosure of PHI other than as provided for by this Agreement and to implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the ePHI that it creates, receives, maintains, or transmits on behalf of Covered Entity. In accordance with 42 U.S.C. § 17931 of the HITECH Act, Business Associate shall be directly responsible for full compliance with the policies and procedures and documentation requirements of the HIPAA Security Rule, including, but not limited to, 45 C.F.R. §§ 164.308, 164.310, 164.312, 164.314 and 164.316.
- Reporting of Unauthorized Uses or Disclosures. Business Associate agrees to report to Covered Entity in writing any access, use or disclosure of PHI not provided for or permitted by this Agreement of which Business Associate (or Business Associate’s employee, officer or agent) becomes aware. Business Associate shall so notify Covered Entity pursuant to this Section 3(e) within fifteen (15) days after Business Associate becomes aware of such unauthorized use or disclosure.
- Reporting of Breach of Unsecured PHI. Business Associate agrees to report to Covered Entity any Breach of Unsecured PHI of which Business Associate (or Business Associate’s employee, officer or agent) becomes aware without unreasonable delay and in no case later than fifteen (15) days after Business Associate knows of such Breach, except where a law enforcement official determines that a notification would impede a criminal investigation or cause damage to national security.
- Security Incidents. Business Associate agrees to report to Covered Entity its discovery of any unauthorized use or disclosure of PHI not permitted or required by this Agreement or of any Security Incident relating to PHI, of which it becomes aware, including (as applicable) Breaches of Unsecured PHI as required under 45 C.F.R. § 164.410, without unreasonable delay and in no event later than fifteen (15) days after discovery of the Security Incident. The Parties acknowledge and agree that this Section constitutes notice by Business Associate of the ongoing existence and occurrence of attempted but Unsuccessful Security Incidents, for which no additional notice shall be required.
- Agents and Subcontractors. Business Associate agrees to ensure that any agent, including a subcontractor, to whom Business Associate provides PHI, agrees in writing to the same restrictions and conditions that apply through this Agreement to Business Associate with respect to such PHI, and implement the safeguards required by Section 3(d) above with respect to ePHI. If Business Associate knows of a pattern of activity or practice of an agent that constitutes a violation of the agent’s obligations to Business Associate, Business Associate shall take reasonable steps to end the violation, and if such steps are unsuccessful, Business Associate must terminate the arrangement if feasible.
- Mitigation of Unauthorized Uses or Disclosures. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate that is the direct and proximate result of a use or disclosure of PHI by Business Associate or one of its agents or subcontractors in violation of the requirements of this Agreement.
- Authorized Access to PHI.
- Individual Requests for Access. Business Associate shall cooperate with Covered Entity to fulfill all requests by Individuals for access to the Individual’s PHI. Business Associate shall cooperate with Covered Entity in all respects necessary for Covered Entity to comply with 45 C.F.R. § 164.524. Business Associate agrees to forward any copies requested by Covered Entity within fifteen (15) business days of such request. If Business Associate receives a request from an Individual for access to PHI, Business Associate shall immediately forward such request to Covered Entity.
- Scope of Disclosure. Covered Entity shall be solely responsible for determining the scope of PHI and/or Designated Record Set with respect to each request by an Individual for access to PHI. In the event that Covered Entity decides to charge a reasonable cost-based fee for the reproduction and delivery of PHI to an Individual, Covered Entity shall deliver a portion of this fee to Business Associate in the event any such reproduction or delivery is made by Business Associate, and in proportion to the amount of work done by Business Associate in producing and delivering the PHI.
- Designated Record Set. To the extent that Business Associate maintains PHI in a Designated Record Set, and at the request of Covered Entity, Business Associate agrees to provide access to PHI in such Designated Record Set to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements under 45 C.F.R. § 164.524. If Business Associate maintains PHI in a Designated Record Set, and maintains an Electronic Health Record, then Business Associate shall provide such Designated Record Set in electronic format.
- Individual Right to Amend PHI. An Individual has the right to have Covered Entity amend his/her PHI, or a record in a Designated Record Set for as long as the PHI is maintained in the Designated Record Set, in accordance with 45 C.F.R. § 164.526. To the extent that Business Associate maintains PHI in a Designated Record Set, Business Associate agrees to make any amendment(s) to PHI in a Designated Record Set at the request of Covered Entity in accordance with 45 C.F.R. § 164.526. Within fifteen (15) business days following Business Associate’s amendment of PHI as directed by Covered Entity, Business Associate shall provide written notice to Covered Entity confirming that Business Associate has made the amendments or addenda to PHI as directed by Covered Entity and containing any other information as may be necessary for Covered Entity to provide adequate notice to the Individual in accordance with 45 C.F.R. § 164.526.
- Accounting of Disclosures. In the event that Business Associate makes any disclosures of PHI that are subject to the accounting requirements of the Privacy Rule, Business Associate shall maintain and make available to Covered Entity the information required for an accounting of disclosures. Business Associate shall maintain a record of each such disclosure that shall include: (i) the date of the disclosure; (ii) the name and, if available, the address of the recipient of the PHI; (iii) a brief description of the PHI disclosed; and (iv) a brief description of the purpose of the disclosure. Business Associate shall maintain this record for a period of six (6) years and make it available to Covered Entity upon request in an electronic format so that Covered Entity may meet its disclosure accounting obligations under 45 C.F.R. § 164.528.
- Secretary’s Right to Audit. Business Associate agrees to keep records, submit compliance reports, and make its internal practices, books, and records relating to the use and disclosure of PHI received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity, available to the Secretary for purposes of the Secretary determining Covered Entity’s and/or Business Associate’s compliance with HIPAA, the HIPAA Regulations and the HITECH Act. Business Associate agrees to cooperate with the Secretary if the Secretary undertakes an investigation or compliance review of Covered Entity. Business Associate shall permit the Secretary access to its facilities, books, records, accounts, and other sources of information, including PHI, during normal business hours. No attorney-client, or other legal privilege will be deemed to have been waived by Business Associate by virtue of this provision of the Agreement.
4. Obligations of Covered Entity.
- Notice of Privacy Practices. Upon written request by Business Associate, Covered Entity shall provide Business Associate with Covered Entity’s then current Notice of Privacy Practices.
- Revocation of Permitted Use or Disclosure of PHI. Covered Entity shall notify Business Associate of any changes in, or revocation of, permission by an Individual to use or disclose PHI of Covered Entity, to the extent that such changes may affect Business Associate’s use or disclosure of PHI.
- Restrictions on Use or Disclosure of PHI. Covered Entity shall notify Business Associate of any restriction to the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 C.F.R. § 164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of PHI.
- Requested Uses or Disclosures of PHI. Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under the HIPAA Regulations if done by Covered Entity.
5. Term and Termination.
- Term. The term of this Agreement shall be coterminous with the Services Agreement. However, Business Associate shall have a continuing obligation to safeguard the confidentiality of PHI received from Covered Entity after the termination of the Services Agreement.
- Termination for Cause. A breach of any provision of this Agreement by Business Associate shall constitute a material breach of this Agreement and shall provide grounds for immediate termination of this Agreement and/or the Services Agreement, any provision in this Agreement or the Services Agreement to the contrary notwithstanding.
- Judicial or Administrative Proceedings. Either Party may terminate the Services Agreement, effective immediately, if (i) the other Party is named as a defendant in a criminal proceeding for a violation of HIPAA, the HIPAA Regulations, the HITECH Act, or other security or privacy laws; or (ii) a finding or stipulation that the other Party has violated any standard or requirement of HIPAA, the HIPAA Regulations, the HITECH Act or other security or privacy laws is made in any administrative or civil proceeding in which the Party has been joined.
- Effect of Termination.
- Except as provided in paragraph (d)(2) of this Section, upon termination of this Agreement for any reason, Business Associate shall return or destroy all PHI received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity. Business Associate shall certify in writing to Covered Entity that such PHI has been destroyed.
- In the event that Business Associate determines that returning or destroying the PHI is not feasible, Business Associate shall extend the protections of this Agreement to such PHI and limit further uses and disclosures to those purposes that make the return or destruction of the PHI unfeasible, for so long as Business Associate maintains such PHI.
6. Breach Pattern or Practice. If either Party (the “Non-Breaching Party”) knows of a pattern of activity or practice of the other Party (the “Breaching Party”) that constitutes a material breach or violation of the Breaching Party’s obligations under this Agreement, the Non-Breaching Party shall either (i) terminate this Agreement in accordance with Section 5(b) above; or (ii) take reasonable steps to cure the breach or end the violation. If the steps are unsuccessful, the Non-Breaching Party must terminate the Agreement if feasible. The Non-Breaching Party shall provide written notice to the Breaching Party of any pattern of activity or practice of the Breaching Party that the Non-Breaching Party believes constitutes a material breach or violation of the Breaching Party’s obligations under this Agreement within three (3) days of discovery and shall meet with the Breaching Party’s Privacy Coordinator to discuss and attempt to resolve the problem as one of the reasonable steps to cure the breach or end the violation.
7. Compliance With State Law. Business Associate acknowledges that Business Associate and Covered Entity may have confidentiality and privacy obligations under state law. If any provisions of this Agreement or HIPAA, the HIPAA Regulations, or the HITECH Act conflict with applicable state law regarding the degree of protection provided for PHI and patient medical records, then Business Associate shall comply with the more restrictive requirements.
8. Miscellaneous.
- Amendment. Business Associate and Covered Entity agree to take such action as is necessary to amend this Agreement from time to time to enable the Parties to comply with the requirements of HIPAA, the HIPAA Regulations and the HITECH Act. This Agreement may not be modified, nor shall any provision hereof be waived or amended, except in a writing duly signed and agreed to by Business Associate and Covered Entity.
- Interpretation. The provisions of this Agreement shall be interpreted as broadly as necessary to implement and comply with HIPAA, the HIPAA Regulations, the HITECH Act, the Privacy Rule and the Security Rule. The Parties agree that any ambiguity in this Agreement shall be resolved in favor of a meaning that complies and is consistent with HIPAA, the HIPAA Regulations, the HITECH Act, the Privacy Rule and the Security Rule.
- Entire Agreement. This Agreement contains the agreement of the Parties hereto and supersedes all prior agreements, contracts and understandings, whether written or otherwise, between the Parties relating to the subject matter hereof. This Agreement may be executed in one or more counterparts, each of which shall be deemed an original, but all of which together shall constitute one and the same instrument.
- No Third Party Beneficiaries. Nothing express or implied in this Agreement is intended to confer, nor shall anything herein confer, upon any person other than Business Associate and Covered Entity, and their respective successors or assigns, any rights, remedies, obligations, or liabilities whatsoever.
- Notices. All notices or other communications required or permitted hereunder shall be in writing and shall be deemed given or delivered (i) when delivered personally, against written receipt; (ii) if sent by registered or certified mail, return receipt requested, postage prepaid, when received; (iii) when received by facsimile or electronic transmission; and (iv) when delivered by a nationally recognized overnight courier service, prepaid, and shall be sent to the addresses set forth on the signature page of this Agreement or at such other address as each Party may designate by written notice to the other by following this notice procedure.
- Regulatory References. A reference in this Agreement to a section in the HIPAA Regulations or the HITECH Act means the section as in effect or as amended, and for which compliance is required.
- Survival. The respective rights and obligations of Business Associate under Section 3 of this Agreement shall survive the termination of this Agreement. In addition, Section 5(d) (Effect of Termination), Section 7 (Compliance with State Law), Section 8(d) (Notices), Section 8(g) (Governing Law), and Section 8(i) (Relationship to Services Agreement) shall survive the termination of this Agreement.
- Governing Law. This Agreement shall be governed by and construed in accordance with the laws of the State of New York to the extent that the provisions of HIPAA, the HIPAA Regulations or the HITECH Act do not preempt the laws of the State of New York.
- Relationship to Services Agreement. In the event that a provision of this Agreement is contrary to a provision of any agreement with Covered Entity pertaining to Business Associate’s services, including but not limited to the Services Agreement, the provisions of this Agreement shall control.
- Counterparts. This Agreement may be executed in one or more counterparts, each of which shall be deemed an original, but all of which together shall constitute one and the same document. In making proof of this Agreement, it shall not be necessary to produce or account for more than one such counterpart executed by the Party against whom enforcement of this Agreement is sought. Signatures to this Agreement transmitted by facsimile transmission, by electronic mail in portable document format (“.pdf”) form, or by any other electronic means intended to preserve the original graphic and pictorial appearance of a document, will have the same force and effect as physical execution and delivery of the paper document bearing the original signature.
IN WITNESS WHEREOF, the authorized representatives of the Parties set forth their signatures below.
[COVERED ENTITY]
By: ________________________
Name: _____________________
Title: _______________________
Date: _______________________
NIRVANA HEALTH
By: __________________________
Name: _______________________
Title: _________________________
Date: _________________________