ZIA | Talent in Motion

Last Updated: January 28, 2025

Business Associate Agreement (BAA)

This Business Associate Agreement (“Agreement”) is entered into as of (the “Effective Date”), by and between (“CLIENT”) and Talent By Zia LLC (“ZIA”), which are collectively referred to hereinafter as the “Parties” and, individually, as the “Party”.

CLIENT is a covered entity as that term is defined under the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191 (“HIPAA”). CLIENT has engaged ZIA to perform services under the MSA and related Exhibit(s) of Work which may include the disclosure and use of protected health information (“PHI”) to ZIA, as defined below. The Parties intend to protect the privacy of PHI disclosed to ZIA, in compliance with the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191 (“HIPAA”) and regulations promulgated thereunder, the American Recovery and Reinvestment Act of 2009, Pub.L. 111-5, which includes the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”), and other applicable laws, This Agreement supplements the relationship between the Parties as outlined in the MSA and Exhibit and, where: (i) this Agreement is silent, the terms and conditions of the MSA and Exhibit shall govern; and, (ii) this Agreement is in conflict or inconsistent with the MSA and/or the Exhibit, the terms and conditions of this Agreement shall govern.

Considering the mutual promises below and the exchange of information under this Agreement and the MSA, the Parties agree as follows.

Definitions

  1. (Breach. “Breach” for this Agreement and the MSA means the acquisition, access, use, or disclosure of protected health information (PHI) in a manner not permitted under the Privacy Rule which compromises the security or privacy of PHI.
  2. Designated Record Set. “Designated Record Set” shall mean a group of records maintained by or for a covered entity that is:
    1. the medical records and billing records about individuals maintained by or for a covered health care provider;
    2. the enrolment, payment, claims adjudication, and case or medical management record system maintained by or for a health plan; or
    3. used, in whole or in part, by or for the covered entity to make decisions about individuals.

For purposes of this definition, the term “record” means any item, collection, or grouping of information that includes PHI and is maintained, collected, used, or disseminated by or for a covered entity as outlined in 45 CFR 164.501.

  1. Electronic Health Record. “Electronic Health Record” means an electronic record of health-related information on an individual that is created, gathered, managed, and consulted by authorized healthcare clinicians and staff.
  2. Electronic Protected Health Information. “Electronic Protected Health Information” or “EPHI” shall have the same meaning as the term “electronic protected health information” in 45 C.F.R. §160.103.
  3. Individual. “Individual” shall have the same meaning as the term “individual” in 45 CFR 160.103 and shall include a person who qualifies as a personal representative following 45 CFR 164.502(g).
  4. Individually Identifiable Health Information. “Individually Identifiable Health Information” is information that is a subset of health information, including demographic information collected from an individual, and:
    1. Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and
    2. Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and
      1. That identifies the individual; or
      2. Concerning this there is a reasonable basis to believe the information can be used to identify the individual.
    3. Limited Data Set. A “Limited Data Set” is Protected Health Information that excludes the following direct identifiers of the individual or relatives, employers, or household members of the individual:
      1. Names;
      2. Postal address information, other than town or city, State, and zip code;
      3. Telephone numbers;
      4. Fax numbers;
      5. Electronic mail addresses;
      6. Social Security numbers;
      7. Medical record numbers;
      8. Health plan beneficiary numbers;
      9. Account numbers;
      10. Certificate/license numbers;
      11. Vehicle identifiers and serial numbers, including license plate numbers;
      12. Device identifiers and serial numbers;
      13. Web Universal Resource Locators (URLs);
      14. Internet Protocol (IP) address numbers;
      15. Biometric identifiers, including finger and voice prints; and
      16. Full-face photographic images and any comparable images.
    4. Privacy Rule. “Privacy Rule” shall mean the Standards for Privacy of Individually Identifiable Health Information at 45 CFR part 160 and part 164, subparts A and E. Whenever a reference is made to a specific part, subpart, or section of the Privacy Rule, such reference shall be deemed to include any successor part, subpart, or section with the same or a similar purpose.
    5. Protected Health Information or PHI. “Protected Health Information” or “PHI” shall have the same meaning as the term “protected health information” in 45 CFR 160.103, limited to the information created or received by ZIA from or on behalf of the Client.
    6. Security Rule. “Security Rule” shall mean the Security Standards for the Protection of Electronic Protected Health Information at 45 C.F.R. parts 160 and 164, Subparts A and C. Whenever a reference is made to a specific part, subpart, or section of the Security Rule, such reference shall be deemed to include any successor part, subpart, or section with the same or a similar purpose.
    7. Required By Law. “Required By Law” shall have the same meaning as the term “required by law” in 45 CFR 164.103.
    8. Secretary. “Secretary” shall mean the Secretary of the Department of Health and Human Services or his designee.
    9. Unsecured Protected Health Information or Unsecured PHI. “Unsecured Protected Health Information” or “Unsecured PHI” means protected health information that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of technology or methodology specified by the Secretary of the Department of Health and Human Services (“HHS”) in the guidance issued under Section 13402(h)(2) of Public Law 111-5 on the HHS website.

Any terms used, but not otherwise defined herein shall have the same meaning as those terms in 45 CFR 160.103 and 164.501 and the HITECH Act.

Termination of Previous Business Associate Agreement

The Parties agree that any Business Associate Agreement previously entered into by CLIENT and ZIA is hereby terminated, and that this Agreement replaces and supersedes any other previous Business Associate Agreement(s) executed between the Parties.

Obligations and Activities

  1. ZIA may use or disclose PHI only if such use or disclosure is following the terms of this Agreement and 42 CFR §164.504(e) of the Privacy Rule. If ZIA violates any of these provisions, ZIA will be subject to civil and/or criminal penalties as specified in Sections 1176 and 1177 of the Social Security Act (42 U.S.C. 1320d-5, 1320d-6).
  2. ZIA agrees to not use or further disclose PHI other than as permitted or required by the Agreement or as required by law.
  3. ZIA agrees to use appropriate safeguards to prevent the use or disclosure of PHI other than as provided for by this Agreement.
  4. ZIA agrees to mitigate, to the extent practicable, any harmful effect that is known to ZIA of a use or disclosure of PHI by ZIA in violation of the requirements of this Agreement.
  5. ZIA agrees to report to CLIENT any use or disclosure of PHI not provided for by this Agreement of which it becomes aware.
  6. ZIA agrees to ensure that any agent, including a subcontractor, to whom it provides PHI received from or created or received by ZIA on behalf of CLIENT, agrees to the same restrictions and conditions that apply through this Agreement to ZIA concerning such information. To the extent that ZIA uses one or more subcontractors or agents and such subcontractors or agents receive or are intended to have access to Client’s PHI, each such subcontractor or agent shall sign an agreement containing substantially the same provisions as this Business Associate Agreement.
  7. ZIA agrees to provide access, at the request of CLIENT, and in a reasonable time and manner, to any PHI in a Designated Record Set held by ZIA, to CLIENT or, as directed by CLIENT, to an Individual to meet the requirements under 45 CFR 164.524.
  8. ZIA agrees to make, within a reasonable time and manner, any amendment(s) to any PHI in a Designated Record Set held by ZIA that the CLIENT directs or agrees to according to 45 CFR 164.526 at the request of CLIENT or an Individual.
  9. ZIA agrees to make internal practices, books, and records, including policies and procedures and PHI, relating to the use and disclosure of PHI received from, or created or received by ZIA on behalf of, CLIENT available to the CLIENT, or, to the Secretary, in a reasonable time and manner or as designated by the Secretary, for purposes of the Secretary determining the CLIENTS’ compliance with the Privacy Rule.
  10. ZIA agrees to document such disclosures of PHI and information related to such disclosures as would be required for CLIENT to respond to a request by an Individual for an accounting of disclosures of PHI following 45 CFR 164.528.
  11. ZIA agrees to provide to CLIENT, in a reasonable time and manner, information collected following Section 3(i) of this Agreement, to permit CLIENT to respond to a request by an Individual for an accounting of disclosures of PHI following 45 CFR 164.528.
  12. ZIA agrees to obtain and maintain during the term of the Agreement, technology capable of securely encrypting EPHI in a manner consistent with HIPAA encryption requirements as may be amended from time to time.

Permitted Uses and Disclosures

Except as otherwise limited in this Agreement, ZIA may use or disclose PHI to perform functions, activities, or services for, or on behalf of, CLIENT as specified in the MSA, provided that such use or disclosure would not violate HIPAA, the Privacy Rule, or the Security Rule if done by CLIENT or the minimum necessary policies and procedures of CLIENT.

Specific Use and Disclosure Provisions

  1. Except as otherwise limited in this Agreement, ZIA may use PHI for the proper management and administration of ZIA or to carry out the legal responsibilities of ZIA.
  2. Except as otherwise limited in this Agreement, ZIA may disclose PHI for the proper management and administration of ZIA, provided that disclosures are Required By Law, or ZIA obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and be used or further disclosed only as Required By Law or for the purpose for which it was disclosed to the person, and the person notifies ZIA of any instances of which it is aware in which the confidentiality of the information has been breached.
  3. Except as otherwise limited in this Agreement, ZIA may use PHI to provide Data Aggregation services to CLIENT as permitted by 42 CFR §164.504(e)(2)(i)(B) of the Privacy Rule.

Provisions for Client to Inform ZIA of Privacy Practices and Restrictions

  1. CLIENT shall notify ZIA of any limitation(s) in its notice of privacy practices following 45 CFR 164.520, to the extent that such limitation may affect ZIA’s use or disclosure of PHI.
  2. CLIENT shall notify ZIA of any changes in, or revocation of, permission by an Individual to use or disclose PHI, to the extent that such changes may affect ZIA’s use or disclosure of PHI.
  3. CLIENT shall notify ZIA of any restriction to the use or disclosure of PHI that CLIENT has agreed to follow 45 CFR 164.522, to the extent that such restriction may affect ZIA’s use or disclosure of PHI.

Term and Termination

  1. Term. The Term of this Agreement shall be effective as of the Effective Date and shall terminate when all of the PHI provided by CLIENT to ZIA or created or received by ZIA on behalf of CLIENT, is destroyed or returned to CLIENT, or, if it is infeasible to return or destroy PHI, protections are extended to such information, following the termination provisions in this Section.
  2. Termination for Cause. Upon CLIENT’s knowledge of a material breach by ZIA, CLIENT shall either:
    1. Provide an opportunity for ZIA to cure the breach or end the violation and terminate this Agreement if ZIA does not cure the breach or end the violation within the time specified by CLIENT;
    2. Immediately terminate this Agreement if ZIA has breached a material term of this Agreement and cure is not possible; or
    3. If neither termination nor cure is feasible, CLIENT shall report the violation to the Secretary.
  3. Effect of Termination.
    1. Except as provided in paragraph (2) of this Section, upon termination of this Agreement, for any reason, ZIA shall return or destroy all PHI received from CLIENT or created or received by ZIA on behalf of CLIENT. This provision shall apply to PHI that is in the possession of subcontractors or agents of ZIA. ZIA shall retain no copies of the PHI.
    2. If ZIA determines that returning or destroying the PHI is infeasible, ZIA shall provide to CLIENT notification of the conditions that make return or destruction infeasible. Upon CLIENT’s written acknowledgment that the return or destruction of PHI is infeasible, ZIA shall extend the protections of this Agreement to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as ZIA maintains such PHI.

Miscellaneous

  1. Regulatory References. A reference in this Agreement to a section in the Privacy Rule means the section is in effect or as amended.
  2. Amendment. The Parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for CLIENT to comply with the requirements of HIPAA, the Privacy Rule, and the Security Rule.
  3. Survival. The respective rights and obligations of ZIA under Section 7(c) of this Agreement shall survive the termination of this Agreement.
  4. Interpretation. Any ambiguity in this Agreement shall be resolved to permit CLIENT to comply with HIPAA, the Privacy Rule, and the Security Rule.
  5. No Third-Party Beneficiaries. Nothing expressed or implied in this Agreement is intended to confer, nor shall anything herein confer, upon any person other than the Parties and their respective successors or assigns, any rights, remedies, obligations, or liabilities whatsoever.
  6. Notices. Any notice to be given under this Agreement shall be made via U.S. Mail or express courier to the addresses given below and/or via facsimile to the facsimile telephone numbers listed below. Notice shall be deemed given when deposited in the U.S. Mail or with an express courier with postage prepaid. If sent by facsimile, notice shall be deemed given when electronically confirmed.
  7. Governing Law. This Agreement shall be governed by the laws of the State of California, exclusive of conflict of law rules.

Acknowledgment

IN WITNESS WHEREOF, the Parties hereto have executed this Agreement as of the Effective Date.

CONTACT US

If you have questions or comments about this BAA, please contact us at:

Talent By Zia, LLC
San Diego, CA 92108
Email: [email protected]