
Business Associate Agreement

Template  ·  Effective: January 1, 2026
For Business Associates & Vendors

This page contains a template Business Associate Agreement ("BAA") that Golden Life (GLC) Wellness Center requires from any third-party vendor, contractor, or service provider ("Business Associate") that creates, receives, maintains, or transmits Protected Health Information ("PHI") on our behalf. This is not a contract between GLC and our clients. A fully executed BAA is required before any PHI is shared. To request an executable copy, contact our Privacy Officer at privacy@glcwellness.com.

Business Associate Agreement

This Business Associate Agreement ("Agreement") is entered into by and between Golden Life (GLC) Wellness Center, LLC, a mental and behavioral health organization with operations in Illinois, Nevada, Texas, and Florida ("Covered Entity" or "GLC"), and the undersigned organization ("Business Associate"), effective as of the date last signed below ("Effective Date").

1. Purpose

The parties enter into this Agreement to comply with the requirements of the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), the Health Information Technology for Economic and Clinical Health Act ("HITECH"), and their implementing regulations (45 C.F.R. Parts 160 and 164), collectively the "HIPAA Rules." This Agreement governs the use and disclosure of Protected Health Information ("PHI") that Business Associate may create, receive, maintain, or transmit on behalf of GLC in connection with services described in an underlying Services Agreement.

2. Definitions

Capitalized terms used but not defined in this Agreement have the meanings assigned to them in the HIPAA Rules. The following terms have the meanings below:

  • Breach has the meaning set forth in 45 C.F.R. § 164.402.
  • Business Associate has the meaning set forth in 45 C.F.R. § 160.103 and refers to the party signing this Agreement other than GLC.
  • Covered Entity refers to GLC Wellness Center.
  • Protected Health Information (PHI) has the meaning set forth in 45 C.F.R. § 160.103, limited to PHI created, received, maintained, or transmitted by Business Associate on behalf of GLC.
  • Required by Law has the meaning set forth in 45 C.F.R. § 164.103.
  • Security Incident has the meaning set forth in 45 C.F.R. § 164.304.
  • Unsecured PHI has the meaning set forth in 45 C.F.R. § 164.402.

3. Permitted Uses and Disclosures by Business Associate

Business Associate may use or disclose PHI:

  • To perform the services set forth in the underlying Services Agreement with GLC.
  • As Required by Law.
  • For the proper management and administration of Business Associate, or to carry out its legal responsibilities, provided that any disclosure is Required by Law or Business Associate obtains reasonable written assurances that the information will remain confidential and be used or disclosed only as Required by Law or for the purpose for which it was disclosed, and that the recipient will notify Business Associate of any breach.
  • To provide data aggregation services to GLC as permitted by 45 C.F.R. § 164.504(e)(2)(i)(B).
  • To de-identify PHI in accordance with 45 C.F.R. § 164.514(a)–(c), provided such use is permitted under the Services Agreement.

Business Associate shall not use or further disclose PHI other than as permitted or required by this Agreement or as Required by Law.

4. Obligations of Business Associate

Business Associate agrees to:

  1. Limit use and disclosure. Use or disclose PHI only as permitted by this Agreement, the Services Agreement, or as Required by Law.
  2. Implement safeguards. Implement administrative, physical, and technical safeguards (including, as applicable, those required by Subpart C of 45 C.F.R. Part 164) that reasonably and appropriately protect the confidentiality, integrity, and availability of PHI, including electronic PHI ("ePHI").
  3. Report breaches and security incidents. Report to GLC any use or disclosure of PHI not provided for by this Agreement of which Business Associate becomes aware, any Security Incident, and any Breach of Unsecured PHI, without unreasonable delay and in no event later than ten (10) business days after discovery. Reports shall include, to the extent known, the information required by 45 C.F.R. § 164.410.
  4. Mitigate. Mitigate, to the extent practicable, any harmful effect known to Business Associate of a use or disclosure of PHI in violation of this Agreement.
  5. Bind subcontractors. Ensure that any subcontractor that creates, receives, maintains, or transmits PHI on Business Associate's behalf agrees in writing to the same restrictions, conditions, and requirements that apply to Business Associate under this Agreement.
  6. Provide access. Provide access to PHI in a Designated Record Set, at the request of GLC or the Individual, within ten (10) business days, as required by 45 C.F.R. § 164.524.
  7. Make amendments. Make amendments to PHI in a Designated Record Set as directed by GLC, in accordance with 45 C.F.R. § 164.526.
  8. Maintain accountings. Maintain and provide an accounting of disclosures of PHI as required by 45 C.F.R. § 164.528. Provide such accountings to GLC or the Individual within thirty (30) days of request.
  9. Make books and records available. Make its internal practices, books, and records available to the U.S. Department of Health and Human Services for purposes of determining GLC's compliance with the HIPAA Rules.
  10. Comply with applicable HIPAA Rules. To the extent Business Associate carries out one or more of GLC's obligations under the HIPAA Privacy Rule, comply with the requirements that apply to GLC in performing such obligations.
  11. Return or destroy PHI. Upon termination of this Agreement, return or destroy all PHI received from or created on behalf of GLC that Business Associate still maintains, and retain no copies. If return or destruction is infeasible, extend the protections of this Agreement to the PHI and limit further uses and disclosures to those purposes that make return or destruction infeasible.

5. Obligations of GLC (Covered Entity)

GLC shall:

  • Notify Business Associate of any limitation in GLC's Notice of Privacy Practices that may affect Business Associate's use or disclosure of PHI.
  • Notify Business Associate of any changes in, or revocation of, an Individual's authorization to use or disclose PHI.
  • Notify Business Associate of any restriction on the use or disclosure of PHI that GLC has agreed to or is required to abide by under 45 C.F.R. § 164.522.
  • Not request Business Associate to use or disclose PHI in any manner that would not be permissible under the HIPAA Rules if done by GLC, except as permitted by 45 C.F.R. § 164.504(e).

6. Term and Termination

Term. This Agreement is effective as of the Effective Date and shall remain in effect until terminated as provided herein, or until all PHI in Business Associate's possession has been returned or destroyed.

Termination for Breach. GLC may terminate this Agreement and the underlying Services Agreement, without penalty, if GLC determines that Business Associate has materially breached this Agreement and Business Associate fails to cure the breach within thirty (30) days of written notice. If cure is not feasible, GLC may terminate immediately and report the breach to the U.S. Department of Health and Human Services.

Effect of Termination. Upon termination, Business Associate shall return or destroy all PHI as provided in Section 4(11). The obligations of Business Associate under this Agreement that by their nature continue after termination shall survive.

7. Miscellaneous

Regulatory References. A reference in this Agreement to a section in the HIPAA Rules means the section as in effect or as amended.

Amendment. The parties agree to take such action as is necessary to amend this Agreement from time to time as necessary for GLC to comply with the HIPAA Rules and other applicable law.

Survival. The obligations of Business Associate under Sections 4(4), 4(11), and 6 survive the termination of this Agreement.

Interpretation. Any ambiguity in this Agreement shall be resolved in favor of a meaning that permits GLC to comply with the HIPAA Rules.

Severability. If any provision of this Agreement is held to be invalid or unenforceable, the remaining provisions shall remain in full force and effect.

No Third-Party Beneficiaries. Nothing in this Agreement is intended to create, nor shall be construed to create, any rights in any third party.

Governing Law. This Agreement is governed by the federal HIPAA Rules and, to the extent not preempted, the laws of the State of Illinois.

Notices. Notices under this Agreement shall be in writing and delivered to the addresses set forth in the underlying Services Agreement, or to GLC's Privacy Officer at privacy@glcwellness.com.

8. Signatures

By signing below, the parties acknowledge and agree to be bound by the terms of this Business Associate Agreement.

Covered Entity
Golden Life (GLC) Wellness Center, LLC
By: ____________________________
Name: __________________________
Title: __________________________
Date: __________________________

Business Associate
[Business Associate Legal Name]
By: ____________________________
Name: __________________________
Title: __________________________
Date: __________________________

Locations Covered

This Agreement covers PHI created, received, maintained, or transmitted in connection with services provided to GLC across all of its locations:

  • Chicago, IL — 7118 S. Jeffery Blvd., Chicago, IL 60649
  • Las Vegas, NV — 1530 E Charleston Blvd., Las Vegas, NV 89104
  • Houston, TX — 708 Main St., Houston, TX 77002
  • Fort Lauderdale, FL

Request an Executable Copy

To request a signature-ready PDF copy of this Agreement for execution, or to update an existing BAA, contact:

GLC Wellness Center — Privacy Officer
Phone: 877.767.1692
Email: privacy@glcwellness.com

© Golden Life (GLC) Wellness Center, LLC. All Rights Reserved.