Clio Business Associate Agreement

This Business Associate Agreement (the “BAA”) between Client and Themis Solutions Inc. also known as “Clio” (“Business Associate”) is effective as of the date this BAA is electronically accepted by Client. In this BAA, Client and Business Associate are each a “Party” and, collectively, are the “Parties”.

BACKGROUND

  1. Client is either a “covered entity” or “business associate” of a covered entity as each are defined under the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, as amended by the Health Information Technology for Economic and Clinical Health Act, enacted as part of the American Recovery and Reinvestment Act of 2009, Public Law 111-005, and the related regulations promulgated by the U.S. Department of Health and Human Services (collectively, “HIPAA”) and, as such, is required to comply with HIPAA’s provisions regarding the confidentiality and privacy of Protected Health Information (as defined by the Standards for Privacy of Individually Identifiable Health Information found at 45 CFR Part 160 and Part 164, Subparts A and E (collectively, the “Privacy Rule”));
  2. The Parties have entered into or will enter into one or more agreements under which Business Associate provides or will provide certain specified services to Client (collectively, the “Agreement”).
  3. Client offers two optional features for lawyers practicing in areas of law involving access to Protected Health Information and that require HIPAA compliant services. The first optional feature is designed specifically for lawyers in the personal injury practice area (“Personal Injury Feature”). The second optional feature is designed for lawyers practicing in any area of law that requires access to Protected Health Information (“HIPAA Feature”).
  4. Client must be an active user of either the Personal Injury Feature or the HIPAA Feature for this BAA to be valid and effective.
  5. In providing services pursuant to the Agreement, Business Associate will have access to Protected Health Information;
  6. By providing the services pursuant to the Agreement, Business Associate will become a “business associate” of the Client as such term is defined under HIPAA;
  7. Both Parties are committed to complying with all federal and state laws governing the confidentiality and privacy of health information, including, but not limited to, the Privacy Rule; and
  8. Both Parties intend to protect the privacy and provide for the security of Protected Health Information disclosed to Business Associate pursuant to the terms of this Agreement, HIPAA and other applicable laws.

AGREEMENT

NOW, THEREFORE, in consideration of the mutual covenants and conditions contained herein and the continued provision of Protected Health Information by Client to Business Associate under the Agreement in reliance on this BAA, the Parties agree as follows:

Definitions. Any capitalized term used in this BAA, but not otherwise defined, has the meaning given to that term in HIPAA or the pertinent law.

1. Use and Disclosure of Protected Health Information.

  1. Except as otherwise provided in this BAA, Business Associate may use or disclose Protected Health Information as reasonably necessary to provide the services described in the Agreement to Client on behalf of its Covered Entity clients, and to undertake other activities of Business Associate permitted or required of Business Associate by this BAA or as required by law.
  2. Except as otherwise limited by this BAA or federal or state law, Client, on behalf of its Covered Entity clients, authorizes Business Associate to use the Protected Health Information in its possession for the proper management and administration of Business Associate’s business and to carry out its legal responsibilities. Business Associate may disclose Protected Health Information for its proper management and administration, provided that (i) the disclosures are required by law; or (ii) Business Associate obtains, in writing, prior to making any disclosure to a third party (a) reasonable assurances from this third party that the Protected Health Information will be held confidential as provided under this BAA and used or further disclosed only as required by law or for the purpose for which it was disclosed to this third party and (b) an agreement from this third party to notify Business Associate immediately of any Breaches of the confidentiality of the Protected Health Information, to the extent it has knowledge of the Breach.
  3. Business Associate will not use or disclose Protected Health Information in a manner other than as provided in this BAA, as permitted under the Privacy Rule, or as required by law. Business Associate will use or disclose Protected Health Information, to the extent practicable, as a limited data set or limited to the minimum necessary amount of Protected Health Information to carry out the intended purpose of the use or disclosure, in accordance with Section 13405(b) of the HITECH Act (codified at 42 USC §17935(b)) and any of the act’s implementing regulations adopted by HHS, for each use or disclosure of Protected Health Information.
  4. Upon request, Business Associate will make available to Client any of the Protected Health Information provided by Client to Business Associate that Business Associate or any of its agents or subcontractors have in their possession.
  5. Business Associate may use Protected Health Information to report violations of law to appropriate Federal and State authorities, consistent with 45 CFR §164.502(j)(1).

2. Safeguards Against Misuse of Protected Health Information. Business Associate will use appropriate safeguards to prevent the use or disclosure of Protected Health Information other than as provided by the Agreement or this BAA and Business Associate agrees to implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of the Electronic Protected Health Information that it creates, receives, maintains or transmits on behalf of Client and its Covered Entity clients. Business Associate agrees to take reasonable steps, including providing adequate training to its employees to ensure compliance with this BAA and to ensure that the actions or omissions of its employees or agents do not cause Business Associate to breach the terms of this BAA.

3. Reporting Disclosures of Protected Health Information and Security Incidents. Business Associate will report to Client in writing any use or disclosure of Client’s Protected Health Information not provided for by this BAA of which it becomes aware, as well as any Security Incident affecting Electronic Protected Health Information of Client of which it becomes aware, within 72 hours.

4. Reporting Breaches of Unsecured Protected Health Information. Business Associate will notify Client in writing within 72 hours of confirming the discovery of any Breach of Unsecured Protected Health Information in accordance with the requirements set forth in 45 CFR §164.410.

5. Mitigation of Disclosures of Protected Health Information. Business Associate will take reasonable measures to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of any use or disclosure of Protected Health Information by Business Associate or its agents or subcontractors in violation of the requirements of this BAA.

6. Agreements with Agents or Subcontractors. Business Associate will, in accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, ensure that any subcontractors that create, receive, maintain, or transmit Protected Health Information on behalf of the business associate agree to the same restrictions, conditions, and requirements that apply to the business associate with respect to such information.

7. Access to Protected Health Information by Individuals.

  1. Upon request, Business Associate agrees to furnish Client, on behalf of its Covered Entity clients, with copies of the Protected Health Information maintained by Business Associate in a Designated Record Set to enable Client’s Covered Entity clients to respond to an Individual’s request for access to Protected Health Information under 45 CFR §164.524.
  2. In the event any Individual or personal representative requests access to the Individual’s Protected Health Information directly from Business Associate, Business Associate will forward that request to Client. Any disclosure of, or decision not to disclose, the Protected Health Information requested by an Individual or a personal representative and compliance with the requirements applicable to an Individual’s right to obtain access to Protected Health Information shall be the sole responsibility of Client’s Covered Entity clients.

8. Amendment of Protected Health Information.

  1. Upon request and instruction from Client, Business Associate will amend Protected Health Information or a record about an Individual in a Designated Record Set that is maintained by, or otherwise within the possession of, Business Associate as directed by Client in accordance with procedures established by 45 CFR §164.526.
  2. In the event that any Individual requests that Business Associate amend such Individual’s Protected Health Information or record in a Designated Record Set, Business Associate within ten business days will forward this request to Client. Any amendment of, or decision not to amend, the Protected Health Information or record as requested by an Individual and compliance with the requirements applicable to an Individual’s right to request an amendment of Protected Health Information will be the sole responsibility of Client.

9. Accounting of Disclosures.

  1. Business Associate will document any disclosures of Protected Health Information made by it to account for such disclosures as required by 45 CFR §164.528(a). Business Associate also will without unreasonable delay make available information related to such disclosures as would be required for Client’s Covered Entity clients to respond to a request for an accounting of disclosures in accordance with 45 CFR §164.528. At a minimum, Business Associate will furnish Client the following with respect to any covered disclosures by Business Associate: (i) the date of disclosure of Protected Health Information; (ii) the name of the entity or person who received Protected Health Information, and, if known, the address of such entity or person; (iii) a brief description of the Protected Health Information disclosed; and (iv) a brief statement of the purpose of the disclosure which includes the basis for such disclosure.
  2. Business Associate will furnish to Client information collected in accordance with this Section 10 after written request by Client to permit Client’s Covered Entity clients to make an accounting of disclosures as required by 45 CFR §164.528.
  3. In the event an Individual delivers the initial request for an accounting directly to Business Associate, Business Associate will forward such request to Client without unreasonable delay.

10. Availability of Books and Records. Business Associate will make available its internal practices, books, and records relating to the use and disclosure of Protected Health Information, upon request, to the Secretary of HHS for purposes of determining Client’s and Business Associate’s compliance with HIPAA, and this BAA.

11. Responsibilities of Client. With regard to the use and/or disclosure of Protected Health Information by Business Associate, Client agrees to:

  1. Notify Business Associate of any changes in, or revocation of, permission by an Individual to use or disclose Protected Health Information, to the extent that such changes may affect Business Associate’s use or disclosure of Protected Health Information.
  2. Notify Business Associate of any restriction to the use or disclosure of Protected Health Information that Client has agreed to in accordance with 45 CFR §164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of Protected Health Information.
  3. Except for Data Aggregation or management and administrative activities of Business Associate, Client shall not request Business Associate to use or disclose Protected Health Information in any manner that would not be permissible under HIPAA if done by Client or a Covered Entity.

12. Term and Termination.

  1. This BAA will continue until the Client no longer has a subscription for either the Personal Injury Feature or the HIPAA Feature pursuant to the Agreement. If this BAA expires or is terminated earlier than the Agreement, Client may continue to use the services in accordance with the Agreement, but must delete any PHI it maintains in connection therewith and cease to further create, receive, maintain, or transmit such PHI to Business Associate.
  2. Client may terminate immediately this BAA, the Agreement, and any other related agreements if Client makes a determination that Business Associate has breached a material term of this BAA and Business Associate has failed to cure that material breach, to Client’s reasonable satisfaction, within 30 days after written notice from Client.
  3. If Business Associate determines that Client has breached a material term of this BAA, then Business Associate will provide Client with written notice of the existence of the breach and shall provide Client with 30 days to cure the breach. Client’s failure to cure the breach within the 30-day period will be grounds for immediate termination of the Agreement and this BAA by Business Associate.
  4. Upon termination of this Agreement for any reason, Business Associate, with respect to Protected Health Information received from Client, or created, maintained, or received by Business Associate on behalf of Client, shall:
  • Retain only that Protected Health Information which is necessary for Business Associate to continue its proper management and administration or to carry out its legal responsibilities;
  • Return to Client or, if agreed to by Client, destroy the remaining Protected Health Information that the Business Associate still maintains in any form to the extent feasible;
  • Continue to use appropriate safeguards and comply with Subpart C of 45 CFR Part 164 with respect to electronic Protected Health Information to prevent use or disclosure of the Protected Health Information, other than as provided for in this Section, for as long as business associate retains the Protected Health Information;
  • Not use or disclose the Protected Health Information retained by Business Associate other than for the purposes for which such Protected Health Information was retained and subject to the same conditions which applied prior to termination; and
  • Return to Client or, if agreed to by Client, destroy the Protected Health Information retained by Business Associate when it is no longer needed by Business Associate for its proper management and administration or to carry out its legal responsibilities.

13. Indemnification. Business Associate shall defend, indemnify and hold Client harmless against any loss, damage or costs (including reasonable attorneys’ fees) in connection with claims, demands, suits or proceedings made or brought against Client by a third party which results solely from a direct breach by Business Associate of the terms and conditions of this BAA. Business Associate’s indemnification obligations hereunder shall not be subject to any limitations of liability in the Agreement except that Business Associate’s aggregate liability hereunder shall not exceed US$1,000,000.

14. Effect of BAA.

  1. This BAA is a part of and subject to the terms of the Agreement, except that to the extent any terms of this BAA conflict with any term of the Agreement, the terms of this BAA will govern.
  2. Except as expressly stated in this BAA or as provided by law, this BAA will not create any rights in favor of any third party.

15. Regulatory References. A reference in this BAA to a section in HIPAA means the section as in effect or as amended at the time.

16. Notices. All notices, requests and demands or other communications to be given under this BAA to a Party will be made via either first class mail, registered or certified or express courier, or electronic mail to the Party’s address given below:

  1. If to Client, to the address on the signature line at page 6 below.
  2. If to Business Associate, to: Attn: Legal Dept.

T: 1 888 858 2546
E: [email protected]

17. Amendments and Waiver. This BAA may not be modified, nor will any provision be waived or amended, except in writing duly signed by authorized representatives of the Parties. A waiver with respect to one event shall not be construed as continuing, or as a bar to or waiver of any right or remedy as to subsequent events.

18. Survival. Sections 12 (a) and (d) will survive termination or expiration of this BAA.