NovoPath Laboratory Information System

NovoPath™ Business Associate Agreement

THIS BUSINESS ASSOCIATE AGREEMENT (‘Agreement’) is incorporated into the Underlying Contract (as defined below) entered into by and between Customer (‘Covered Entity’) and NovoPath LLC (‘Business Associate’) (each a ‘Party,’ and, collectively, the ‘Parties’).

RECITALS:

A. The Parties have entered into a Statement of Work or Sales Order Form for the provision of certain products and services by NovoPath LLC to Customer pursuant to the NOVOPATH™ SUBSCRIPTION TERMS OF USE or the NOVOPATH™ LICENSED SOFTWARE TERMS OF USE, as the case may be (the ‘Underlying Contract’) and pursuant to which Business Associate, as a Business Associate of Covered Entity, will perform for Covered Entity the services, including cloud-based services (the ‘Services’), as set forth in the Underlying Contract. In connection with Business Associate’s provision of Services for Covered Entity, Business Associate will receive or obtain from Covered Entity, review or create, maintain, use, disclose, or transmit certain Protected Health Information on behalf of Covered Entity (‘PHI’, as further defined in Section 1 below). This Agreement sets forth certain obligations of Business Associate with respect to such PHI to ensure Covered Entity’s compliance with health information privacy and security rules promulgated under the Health Insurance Portability and Accountability Act of 1996 (‘HIPAA’) and codified at 45 C.F.R. part 160 and part 164, subparts A, C, and E, as amended by the Health Information Technology for Economic and Clinical Health Act, Public Law 111-5 (the ‘Privacy Rule’ and ‘Security Rule’), as amended by the Health Information Technology for Economic and Clinical Health Act (‘HITECH’), as incorporated in the American Recovery and Reinvestment Act of 2009, and its implementing regulations and guidance issued by the Secretary, as applicable, during the initial term and any renewal terms of the Underlying Contract and thereafter.

B. Covered Entity desires to obtain, and Business Associate desires to provide, assurance that Business Associate will: (i) maintain the privacy/confidentiality of all PHI; and (ii) comply with the requirements of HIPAA applicable to Business Associates, all as more fully described below.

C. Business Associate desires to obtain, and Covered Entity desires to provide, assurance that Covered Entity will comply with HIPAA, to the extent that such compliance affects Business Associate’s (i) ability to perform the Services for Covered Entity and/or (ii) ability to meet its obligations to Covered Entity under this Agreement.

In consideration of the promises and mutual agreements contained herein, and other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the Parties hereby agree as follows:

1. Definitions.

a. Unless otherwise defined in this Agreement, all capitalized terms used in this Agreement have the meanings ascribed to them in HIPAA and the Privacy Rule, the Security Rule and, if not defined therein, the Underlying Contract; provided, however, that ‘PHI’ shall mean Protected Health Information limited to the information Business Associate receives or received from, or created, maintained, transmitted, or received by Business Associate on behalf of Covered Entity as Covered Entity’s Business Associate. ‘HHS’ shall mean the United States Department of Health and Human Services.

b. “Customer” means the customer of NOVO which is a party to this Agreement and identified in the Order, attached hereto as SCHEDULE A, as the Customer.

c. “Effective Date” means the date this Agreement is first executed by each of the parties hereto.

2. Obligations of Business Associate. Business Associate agrees that it will maintain the privacy/confidentiality of all PHI, and will comply with the requirements of HIPAA applicable to Business Associates, including the following obligations:

a. Use and Disclosure of PHI. Business Associate agrees that it will not use or disclose PHI, other than to perform the Services, as otherwise expressly permitted by the terms, provisions and conditions of this Agreement, as permitted under the Privacy Rule, or as required by law; provided, however, that Business Associate may use and disclose PHI: (i) to manage and administer its business; and (ii) to create de-identified information, subject to the requirements of HIPAA and this Agreement regarding the de-identification of information. Business Associate agrees to comply with any and all restrictions on the use of PHI requested by a patient of Covered Entity and agreed to by Covered Entity; provided, however, that in the event that Business Associate is unable or unwilling to comply with any such restriction, Business Associate shall notify Covered Entity of such fact, in writing, and, upon Covered Entity’s receipt of such notice, Business Associate shall be relieved of any and all further obligation to perform Services for Covered Entity in connection with such patient; and provided further, that Business Associate returns to Covered Entity or destroys any and all PHI in Business Associate’s possession or control regarding such patient. Notwithstanding anything to the contrary in this Subsection (a) or elsewhere in this Agreement, as between Business Associate and Covered Entity, Business Associate acknowledges that Covered Entity is the sole owner of any and all PHI obtained or received by Business Associate or its Workforce, as defined below, hereunder or in connection with the Underlying Contract.

b. Safeguards. Business Associate will use appropriate safeguards to prevent the use or disclosure of PHI for purposes other than as set forth in this Agreement. Business Associate will provide Covered Entity with such information concerning such safeguards as Covered Entity may from time to time request. Without limiting the generality of the foregoing, Business Associate will:

i. Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of electronic PHI (‘EPHI’), as required by the Security Rule;

ii. Ensure that any agent, including a subcontractor, that creates, maintains, transmits, uses, or receives EPHI agrees, in writing, to implement reasonable and appropriate safeguards to protect such EPHI; and

iii. Report to Covered Entity any Security Incident of which Business Associate becomes aware.

c. Accounting of Disclosures. Upon request by Covered Entity or an Individual, in fulfillment of its obligations under 45 CFR 164.528, Business Associate will provide to Covered Entity any information which is necessary for Covered Entity to meet its accounting obligations.

In the event an Individual or legal representative of an Individual requests an accounting of disclosures of that Individual’s PHI, Business Associate shall forward that request to Covered Entity.

d. Breach Notification. Business Associate agrees to notify Covered Entity upon discovery of any acquisition, access, use or disclosure of unsecured PHI, which occurs in a manner not permitted by the Privacy Rule, and which compromises the security or privacy of the affected Company PHI (hereinafter referred to as a ‘Breach’). Business Associate shall make notification of any Breach to Covered Entity without unreasonable delay, but in any event, no later than thirty (30) calendar days after discovery of the Breach. In the event Business Associate discovers an acquisition, use or disclosure of unsecured PHI that could be construed as a Breach or as a Security Incident, but concludes that no such Breach or Security Incident occurred, Business Associate shall document such conclusion and shall make such documentation available to Covered Entity upon a request by Covered Entity for such documentation.

Business Associate agrees to mitigate, to the extent commercially practicable, any harmful effects from any such use and/or disclosure of unsecured PHI that Business Associate reports to Covered Entity as provided in this Section (d) or any Security Incident reported pursuant to Section 2(b)(iii) above.
Business Associate and Covered Entity acknowledge and understand that all communications to the media, HHS and/or individuals concerning a Breach shall come from Company and not from Business Associate.

e. Minimum Necessary. Business Associate shall make reasonable efforts to limit any use of, disclosures of, or responses to requests for PHI to the minimum amount of PHI necessary for any such use, disclosure or response to such a request. Business Associate shall comply with any HHS guidance on what constitutes minimum necessary under the Privacy Rule.

f. Disclosures to Workforce and/or Third Parties. Business Associate shall ensure that its employees and agents (‘Workforce’), independent contractors or other third parties, to whom Business Associate provides PHI, agree to adhere to the restrictions and conditions regarding PHI contained in this Agreement.

g. Access to Records by Subject of Records. Business Associate agrees to notify Covered Entity immediately in the event Business Associate receives a request from a person identified in any PHI (‘Individual’), or such Individual’s legal representative (‘Legal Representative’), to review any records in Business Associate’s possession or control regarding the Individual (‘Individual’s PHI’). In fulfillment of its obligations under 45 CFR 164.524, Business Associate agrees to make available to Covered Entity, or at the request of Covered Entity, to an Individual or such Individual’s Legal Representative, for their review, any of the Individual’s PHI in Business Associate’s possession or control. In addition, upon a request by Covered Entity, Business Associate shall make available to Covered Entity within a commercially reasonable time, and in the manner and form specified by Covered Entity, an Individual’s PHI contained in a Designated Record Set as may be deemed necessary by Covered Entity (i) for it to respond to an Individual’s request for access to the Individual’s PHI pursuant to 45 CFR § 164.524 or (ii) for it to make amendments to such Individual’s PHI. For clarity, if an Individual or Covered Entity is already able to access such PHI directly via Business Associate’s platform solution, then this shall be deemed as sufficient to satisfy the requirements set forth in this section.

h. Amendment to PHI. Business Associate agrees to notify Covered Entity immediately in the event Business Associate receives a request from an Individual to amend or otherwise modify the Individual’s PHI in Business Associate’s possession or control. In fulfillment of its obligations under 45 CFR 164.526, Business Associate agrees that, at the request of Covered Entity, it will make any amendments to an Individual’s PHI that the Covered Entity directs or authorizes pursuant to 45 CFR 164.526. For clarity, if an Individual or Covered Entity is already able to amend such PHI directly via Business Associate’s platform solution, then this shall be deemed as sufficient to satisfy the requirements set forth in this section.

i. Government Access to Records. Subject to subsection (M) below, Business Associate agrees to make its internal practices, policies, books and records relating to the use and disclosure of PHI available to the Secretary of the U.S. Department of Health and Human Services or his or her designee for the purpose of determining whether Covered Entity is in compliance with HIPAA requirements.

j. De-Identification of PHI. Business Associate may, and may permit its Workforce and/or independent contractors, to, de-identify PHI received or obtained from Covered Entity or received or created by Business Associate on behalf of Covered Entity, and may use or disclose, and may permit its Workforce and/or independent contractors to use or disclose, any de-identified information derived from PHI in compliance with the de-identification procedures and requirements set forth in Section 164.514(a)-(c) of the HIPAA Privacy Rule (45 C.F.R. Section 164.514(a)-(c)).

k. Legal Proceedings. Upon receipt of a subpoena, court order, or other demand, order, or request for disclosure of PHI by a third party, Business Associate shall, unless otherwise Required by Law, inform Covered Entity of such subpoena, court order, or other demand, order, or request, and afford Covered Entity the opportunity to quash such subpoena, court order, or other demand, order or request, or take other appropriate protective steps, before Business Associate discloses such PHI.

l. Covered Entity Inspection. Business Associate shall afford Covered Entity the right and opportunity to inspect during normal business hours Business Associate’s facilities, practices, policies, books, and records to the extent necessary to determine whether Business Associate has met its obligations under this Agreement, upon Covered Entity giving Business Associate a reasonable prior written request, no less than fourteen (14) days, for such inspection, for the purpose of determining Business Associate’s compliance herewith.

m. Disposition of Records upon Termination. Business Associate agrees to return to Covered Entity or otherwise destroy all PHI in its possession or control in accordance with established medical records standards, upon termination of this Agreement or as otherwise required by Law. De-identified information obtained in compliance with Section 2.f of this Agreement may be retained by the Business Associate. If such return or destruction of records is not feasible, Business Associate shall continue to extend the protections of this Agreement to such PHI and limit any further use of PHI to those purposes that make the return or destruction of PHI infeasible.

3. Obligations of Covered Entity. Covered Entity agrees, in connection with the performance of the Services by Business Associate, that:

a. Privacy Notice. Covered Entity shall provide its patients with access to Covered Entity’s Notice of Privacy Practices (‘Privacy Notice’). The Privacy Notice shall identify the potential uses and disclosures of a patient’s PHI that Covered Entity may make, including, without limitation, the disclosure of such PHI to Business Associate or other third-party in connection with Business Associate’s performance of the Services. Covered Entity shall use its good faith efforts to have each patient acknowledge, in writing, its receipt and review of the Privacy Notice.

b. Notification of Restrictions on Use of PHI. Covered Entity shall notify Business Associate immediately of any restrictions on the use of any PHI requested by a patient of Covered Entity and agreed to by Covered Entity. Covered Entity shall provide Business Associate with sufficient information regarding any such restriction to enable Business Associate to determine whether it is able or willing to comply with such restriction. If Business Associate is unable to comply with such restriction, Business Associate shall immediately notify Covered Entity of such inability and the Parties shall determine in a commercially reasonable manner how to resolve such inability.

c. Notification of Disclosure of an Individual’s PHI to Individual. Covered Entity shall notify Business Associate immediately in the event Covered Entity desires Business Associate to disclose any Individual’s PHI in Business Associate’s possession or control to the Individual or the Individual’s Legal Representative.

d. Notification of Amendment to an Individual’s PHI. Covered Entity shall notify Business Associate immediately in the event Covered Entity desires Business Associate to amend or otherwise modify any Individual’s PHI in Business Associate’s possession or control.

4. Term. The parties’ obligations under this Agreement shall continue until such time as the Business Associate ceases to provide Services for Covered Entity or the Underlying Contract is terminated and when all of the PHI provided by Covered Entity to Business Associate or created or received by Business Associate on behalf of Covered Entity is destroyed or returned to Covered Entity, or, if it is infeasible to return or destroy such PHI, protections are extended to such information, in accordance with Section 5(c) below.

5. Termination.

a. In the event of a material default by either Party (‘Breaching Party’) of any of its obligations under this Agreement, the other Party (‘Non-Breaching Party’) may terminate its arrangement with the Breaching Party immediately, provided that the Non-Breaching Party has first notified the Breaching Party, in writing, of such default and that the Breaching Party has not cured the default within thirty (30) days after its receipt of such notice; or, provided further, the Non-Breaching Party may not terminate this Agreement when the default is of a nature that it is not curable within said thirty (30) day period, but the breaching party promptly initiates action to cure the default within said thirty (30) day period and diligently pursues such action to completion to the reasonable satisfaction of the non-breaching party. Notwithstanding anything to the contrary in this Agreement, before terminating this Agreement, the non-breaching party shall allow good faith attempts to cure the default. If the default cannot be cured and this Agreement cannot be terminated, the non-breaching party shall report the default to HHS.

NOTWITHSTANDING ANYTHING TO THE CONTRARY CONTAINED IN THIS AGREEMENT, THE RIGHT OF THE NON-BREACHING PARTY TO TERMINATE ITS ARRANGEMENT WITH THE BREACHING PARTY PURSUANT TO THIS SECTION SHALL BE THE NON-BREACHING PARTY’S SOLE AND EXCLUSIVE REMEDY IN THE EVENT OF THE BREACHING PARTY’S BREACH OF ITS OBLIGATIONS UNDER THIS AGREEMENT AND IN NO EVENT SHALL THE BREACHING PARTY BE LIABLE TO THE NON-BREACHING PARTY FOR DAMAGES OF ANY KIND, INCLUDING, WITHOUT LIMITATION, COMPENSATORY DAMAGES, INCIDENTAL DAMAGES, CONSEQUENTIAL DAMAGES OR PUNITIVE DAMAGES, ALLEGED TO HAVE RESULTED FROM SUCH BREACH.

6. Notice. Any notice required or permitted to be given under this Agreement shall be sufficient if in writing and shall be deemed given when personally delivered or four (4) days after deposited in the United States mail, certified mail, return receipt requested, and addressed to the appropriate party at the address listed below the party’s signature block hereto.

7. No Third Party Beneficiaries. There are no intended third party beneficiaries to this Agreement. Without in any way limiting the foregoing, it is the Parties’ intent that nothing contained in this Agreement give rise to any right or cause of action, contractual or otherwise, in or on behalf of any Individual whose PHI is used or disclosed pursuant to this Agreement or any person who qualifies as a Legal Representative of such Individual.

8. Choice of Law. This Agreement shall be governed in all respects whether as to validity, construction, capacity, performance, or otherwise by the law of the state whose law governs the Underlying Contract.

9. Binding Effect. This Agreement shall be binding upon and inure to the benefit of the parties hereto as well as their respective heirs, assigns, and successors in interest.

10. Interpretation. Any ambiguity in this Agreement shall be resolved in favor of a meaning that permits Covered Entity to comply with the Privacy Rule.

11. Modification. No amendments or additions to this Agreement shall be binding unless in writing and signed by authorized representatives of both Parties. The Parties agree to amend or modify this Agreement as deemed reasonably necessary by either Party’s legal counsel to comply with any applicable change in law. A waiver with respect to one event shall not be construed as continuing, or as a bar to or waiver of any right or remedy as to subsequent events. In the event that any term, provision or condition of this Agreement is held by a court of competent jurisdiction to be invalid or unenforceable, the remainder of the terms, provisions and conditions of this Agreement will remain in full force and effect.

12. Independent Contractor. Nothing contained in this Agreement shall be construed to create an agency or employment relationship between Business Associate and Covered Entity.

13. Headings. All captions and section and item headings contained in this Agreement are for convenience only and shall not affect the meaning, construction or interpretation of any term, provision or condition of this Agreement.

Counterparts. This Agreement may be executed in any number of counterparts, each of which shall be deemed an original. Facsimiles of signed copies hereof shall be

NovoPath LLC

100 Somerset Corporate Blvd
2nd Floor, Suite 111
Bridgewater, NJ 08807
