This Business Associate Agreement is entered into as of the effective date (“Effective Date”) listed on the Order Forms by and between Innovu, LLC, a Delaware limited liability corporation (“Business Associate” or “Innovu”) and the customer who is named in and who has signed the Order Form ("Contracting Entity").
1.1 The parties desire to comply with federal and Pennsylvania laws regarding the use and disclosure of individually identifiable health information, in particular with the provisions of the federal Health Insurance Portability and Accountability Act (HIPAA), and the Health Information Technology for Economic and Clinical Health Act (HITECH), and regulations promulgated under these laws.
1.2 In order for Innovu to allow Contracting Entity, its designated agents, contractors and subcontractors access to Contracting Entity Data (as defined below), the parties agree that they must enter into this Business Associate Agreement (“Agreement”).
1.3 The parties have accordingly agreed to enter into the following terms and conditions.
Now therefore, in consideration of the promises set forth herein, the parties agree as follows:
2.1 Definitions. The parties agree that any capitalized terms shall have the same definition as given to them under HIPAA and HITECH and regulations promulgated under these laws.
2.2 Protected Health Information and Customer Data. Business Associate may use or disclose Protected Health Information (“PHI”) to perform functions, activities, or services for or on behalf of, the Contracting Entity subject to the limitations in this Business Associate Agreement. Except as otherwise limited by this Agreement, Business Associate may use PHI to provide data aggregation services to Contracting Entity as permitted by 45 CFR §164.504(e)(2)(i)(B). Data that are entered into Innovu Solutions and/or otherwise provided to Innovu (“Contracting Entity Data”) shall continue to be Contracting Entity’s, subject to the limited rights granted to Innovu in the Agreement, and except to the extent such Contracting Entity Data is transformed into Aggregated Data as described below. At Contracting Entity’s request, Innovu shall delete or return any source data provided to Innovu from Contracting Entity. Innovu will only return source data to Contracting Entity in a secure manner and with a HIPAA compliant method. However, Innovu may retain a reasonable number of archival copies to perform services under this Agreement.
2.3 Obligations of Business Associate. Business Associate shall limit its use and disclosure of PHI: (i) as necessary and appropriate to fulfill its obligations to Contracting Entity, and, (ii) as set forth in Section 2.3.1 below. Business Associate agrees to the following, without limiting the foregoing:
2.3.1 Use of PHI: Business Associate and its agents, employees and subcontractors:
(a) Shall not use or disclose PHI in a manner that would violate applicable law regarding the confidentiality of PHI;
(b) To the extent feasible, shall minimize any Access, Use or Disclosure of PHI while performing obligations under this Agreement;
(c) May use PHI to create a Limited Data Set to perform certain health care operations for any of Business Associate’s customers who are covered entities under HIPAA, or the business associates of covered entities, during and/or subsequent to the term of this Agreement;
(d) May de-identify PHI in accordance with the requirements of 45 C.F.R. §164.514 for use by Business Associate to carry out any of the permissible uses or disclosures under this Agreement and/or to provide services to any of Business Associate’s customers during and/or subsequent to the term of this Agreement.
2.3.2 Safeguards: Business Associate shall implement and use Administrative Safeguards as required by 45 C.F.R. Section 164.308, Physical Safeguards as required by 45 C.F.R. Section 164.310, and Technical Safeguards as required by 45 C.F.R. Section 164.312 that reasonably and appropriately protect the Confidentiality, Integrity and Availability of PHI, including Electronic PHI that Business Associate creates, receives, maintains or transmits on behalf of Contracting Entity. Business Associate shall also comply with the policies and procedures and documentation requirements of the HIPAA Security Rule, including, but not limited to, 45 C.F.R. Section 164.316.
2.3.3 Reporting: Business Associate shall report to the President of Contracting Entity any Breach of PHI by Business Associate, its agents or subcontractors within 5 calendar days of discovery. Reports shall include, to the extent possible: a description of what happened, including the date of the Breach and the date of the discovery of the Breach, if known; a description of the types of Unsecured PHI that were involved in the Breach; any steps individuals should take to protect themselves from potential harm resulting from the Breach; and a description of what Business Associate is doing to investigate the Breach, to mitigate harm to individuals, and to protect against any further Breaches. Business Associate shall also promptly report in electronic form to the Security Officer of Contracting Entity any Security Incident relating to Electronic PHI of which Business Associate becomes aware.
2.3.4 Workforce and Agents: Business Associate represents and warrants that it shall not disclose PHI to any member of its workforce, or to any of its agents or subcontractors, unless such person has a need to know the PHI. Business Associate shall also ensure that the requirements of this Agreement are incorporated into each agreement with any agent or subcontractor to whom Business Associate discloses PHI, and that each such agent and/or subcontractor shall agree in writing to be bound to the same terms and conditions that apply to Business Associate with respect to PHI. In addition, Business Associate shall ensure that any agent or subcontractor to whom Business Associate discloses PHI shall implement reasonable and appropriate safeguards to protect the PHI. Business Associate shall not disclose any PHI to any agent or subcontractor that is located outside of the United States of America without the express written consent of Contracting Entity.
2.3.5 Access to PHI: Upon the request by Contracting Entity, Business Associate shall promptly provide PHI to Contracting Entity to permit any individual whose PHI is maintained by Business Associate to have access to and to copy his/her PHI in accordance with 45 C.F.R. §164.524, the HITECH Act and applicable Pennsylvania law. Such PHI shall be produced in the format requested by Contracting Entity, unless it is not readily producible in such format, in which case it shall be produced in hard copy format. If Business Associate maintains an Electronic Health Record, Business Associate shall provide such information in electronic format to enable Contracting Entity to fulfill its obligations under the HITECH Act. If an individual contacts Business Associate directly for such access, Business Associate shall direct the individual to contact the Contracting Entity. This requirement to provide access to the PHI shall only apply if the PHI in Business Associate’s possession is part of the Contracting Entity’s Designated Record Set.
2.3.6 Amendment of PHI: Upon the request of Contracting Entity, Business Associate shall amend PHI and/or make PHI available to Contracting Entity for amendment, in such manner as Contracting Entity may from time to time request, in accordance with 45 C.F.R. §164.526 and applicable Pennsylvania law. If an individual contacts Business Associate directly to amend PHI, Business Associate shall direct the individual to contact the Contracting Entity. This requirement to amend the PHI shall only apply if the PHI in Business Associate’s possession is part of the Contracting Entity’s Designated Record Set.
2.3.7 Accounting of Disclosures of PHI: Upon the request of Contracting Entity, Business Associate shall provide to Contracting Entity an accounting of all disclosures of PHI in order for Contracting Entity to comply with 45 C.F.R. §164.528, the HITECH Act and regulations promulgated thereunder. Business Associate shall provide the date of the disclosure, the name and, if known, the address of the recipient of the PHI, a brief description of the PHI disclosed, and the purpose of the disclosure. If an individual contacts Business Associate directly for such an accounting, Business Associate shall direct the individual to contact the Contracting Entity.
2.3.8 Audits and Inspections: Business Associate shall make its internal practices, books, and records relating to the use and disclosure of PHI, as defined under this Agreement, available to the Secretary of the United States Department of Health and Human Services (“Secretary”), or the Secretary’s designee, for purposes of determining the Contracting Entity’s and Business Associate’s compliance with the applicable laws and regulations. Business Associate shall make its internal practices, books, and records relating to the Use and Disclosure of PHI available to Contracting Entity for purposes of determining Business Associate’s compliance with this Agreement.
2.3.9 Identity Theft Red Flags: To the extent Business Associate performs a service or activity on behalf of Contracting Entity in connection with a covered account (as defined by 16 C.F.R. Part 681.1(b)(3)), Business Associate will perform the service or activity in accordance with reasonable policies and procedures designed to detect, prevent, and mitigate the risk of identity theft (as defined in 16 CFR 681.1).
2.3.10 Mitigation Procedures: Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI in violation of this Agreement.
2.3.11 Insurance: Business Associate shall obtain and maintain all proper and necessary insurance to protect the PHI pursuant to this Agreement in the minimum amounts necessary.
2.4 Legal Process: In the event that Business Associate is served with legal process (e.g. a subpoena) or request from a government agency (e.g. the Secretary) that potentially could require the disclosure of PHI, Business Associate shall provide prompt notice of such legal process to the President of Contracting Entity. In addition, Business Associate shall not disclose the PHI without the express written consent of Contracting Entity unless pursuant to a valid and specific court order or to comply with a request by a governmental regulatory agency under its statutory or regulatory authority.
2.5 Management and Administration. Business Associate and its respective agents, employees and subcontractors are authorized to use or disclose PHI for Business Associate’s own proper management and administration, and to fulfill any of Business Associate’s legal responsibilities; provided, however, that the disclosures are required by law or Business Associate has received from any third party recipient of PHI written assurances that (i) the PHI will be held confidentially and used or further disclosed only as required by law or for the purposes for which it was disclosed to the third party, and (ii) the third party will notify Business Associate of any instances of which the third party becomes aware that the confidentiality of the PHI has been breached.
2.6 Obligations of Contracting Entity.
2.6.1 Authorizations: Contracting Entity shall obtain from organizations any applicable consents, authorizations and other permissions necessary or required by law for Contracting Entity and Business Associate to fulfill their obligations under this Agreement. Contracting Entity shall not require Business Associate to use or disclose PHI in any manner that would not be permissible under HIPAA.
2.6.2 Restrictions: Contracting Entity shall promptly notify Business Associate in writing of any restrictions in the use or disclosure of PHI about individuals that Contracting Entity has agreed to that may affect Business Associate’s ability to perform its obligations under this Agreement, such as in a change of its privacy policy.
2.6.3 Revocations: Contracting Entity shall promptly notify Business Associate in writing of any changes in, or revocation of, permission by an Individual or organization relating to the use or disclosure of PHI, if such changes or revocation may affect Business Associate’s ability to perform its obligations under this Agreement.
2.6.4 Auxiliary Vendor Data Access: Contracting Entity gives Business Associate permission to disclose confidential and/or proprietary information, including PHI, (“Confidential Information”) to additional vendors that Contracting Entity has engaged (“Auxiliary Vendor(s)”) by reviewing and executing Appendix I to this Agreement (“Appendix I”). Appendix I and its terms shall hereby be incorporated into this Agreement upon its execution by Contracting Entity.
2.6.5 Existing Data Transfer: Contracting Entity gives Business Associate permission to receive Contracting Entity’s existing Confidential Information from any vendor that may be in possession of any such Confidential Information.
2.7 Termination.
2.7.1 Breach: Without limiting the rights of the parties under this Agreement, if either party breaches its obligations under this Agreement, the non-breaching party may provide the breaching party an opportunity to cure the breach within thirty (30) days. If such cure is not possible within thirty (30) days, the non-breaching party may terminate this Agreement immediately thereafter. If such termination is not feasible, the non-breaching party shall report this breach to the Secretary.
2.7.2 Automatic Termination: This Agreement shall automatically terminate upon the mutual agreement of the parties.
2.7.3 Procedure upon Termination: At the termination of this Agreement, Innovu shall destroy (and/or return upon request) any PHI provided to Business Associate from Contracting Entity. Business Associate will only return PHI to Contracting Entity in a secure manner and with a HIPAA compliant method. However, Business Associate may retain a reasonable number of archival copies. This section shall survive any expiration of this Agreement.
2.8 Amendment. The parties agree to take such action as is necessary to amend this Agreement for Contracting Entity to comply with HIPAA or other applicable law. The parties agree that this Agreement may only be modified by mutual written amendment, signed by both parties, effective on the date set forth in the amendment.
2.9 Third Party Claims. Each party (“Defending Party”) will defend, at its sole expense, the other party and its officers, directors, members, attorneys, agents and employees (collectively the “Protected Party”) against claims by third parties (including claims by law enforcement entities) arising from or related to any breach by the Defending Party of its obligations under this Agreement with respect to PHI (“PHI Claim(s)”). The Defending Party will pay damages finally awarded against the Protected Party (or the amount of any settlement entered into by the Defending Party), any governmental fines and penalties, and reasonable attorney’s fees, and expenses in connection with such defense, up to an aggregate maximum of two million U.S. dollars. The obligations of the Defending Party described in this section are conditioned on: (a) Protected Party providing timely notice to the Defending Party of any PHI Claim; (b) Defending Party having all necessary rights to fully control the defense of the PHI Claim; and, (c) the Protected Party providing reasonable cooperation to the Defending Party in the defense of such PHI Claim. The Defending Party may enter into any settlement of a PHI Claim provided that such settlement does not: (i) contain any admission of liability on the part of the Protected Party; (ii) require any specific performance by the Protected Party (other than compliance with applicable law and this Agreement); and, (iii) require any payment obligation on the part of the Protected Party. This section states the sole, exclusive, and entire liability of each party in relation to a PHI Claim. This provision shall survive the termination or expiration of this Agreement.
2.10 Limitation of Liability. Except for any damages or costs due to a party for a cause in the Third Party Claims Section 2.9 in this Business Associate Agreement up to the maximum set forth therein, neither party shall be liable for any damages arising from or in connection with a breach of a party’s other obligations in this Business Associate Agreement in excess of a maximum aggregate of fifty thousand ($50,000) dollars.
NEITHER CONTRACTING ENTITY NOR INNOVU SHALL BE LIABLE TO THE OTHER FOR SPECIAL, PUNITIVE, INDIRECT OR CONSEQUENTIAL DAMAGES ARISING OUT OF OR IN ANY WAY CONNECTED WITH THIS AGREEMENT, IRRESPECTIVE OF THE CAUSE OR CAUSES, INCLUDING STRICT LIABILITY, BREACH OF WARRANTY OR NEGLIGENCE OF ANY PARTY.
2.11 No Third Party Beneficiaries. Unless otherwise set forth herein, nothing contained herein is intended nor shall be construed to create rights running to the benefit of third parties.
2.12 Waiver. Any failure of a party to insist upon strict compliance with any term, undertaking or condition of this Agreement shall not be deemed to be a waiver of such term, undertaking or condition. To be effective, a waiver must be in writing, signed and dated by the parties to this Agreement.
2.13 Counterparts. This Agreement may be executed in multiple counterparts, each of which shall be deemed an original and all of which together shall be deemed one and the same instrument. Any photocopy of this executed Agreement may be used as if it were the original.
2.14 Governing Law. This Agreement has been executed in the Commonwealth of Pennsylvania and shall be governed by and interpreted in accordance with the laws of the Commonwealth of Pennsylvania without giving effect to any conflict of the law’s provisions.
This Appendix I is an acknowledgement that Contracting Entity would like Business Associate to disclose Confidential Information to one or more Auxiliary Vendors that Contracting Entity has engaged.
Contracting Entity hereby represents the following in regards to such Auxiliary Vendors: that Contracting Entity has entered into a Business Associate Agreement and any other agreements that are necessary to access Confidential Information; that the Confidential Information is the minimum amount of information necessary for the Auxiliary Vendor to perform services on Contracting Entity’s behalf; and, that Auxiliary Entity’s services support Contracting Entity’s group health plan’s treatment, payment, and/or healthcare operations as permitted under HIPAA, HITECH and any other applicable laws and/or regulations. In addition, Contracting Entity represents that as directed by Contracting Entity, the Auxiliary Vendor(s)’ use of any data or information disclosed in accordance with this Appendix I complies with the Americans with Disabilities Act, HITECH, HIPAA, and any other applicable laws and/or regulations.