Blue Moon Senior Counseling

Business Associate Agreement -VA


This Business Associate agreement effective June 17, 2025 (Effective Date) is entered into by and between BMSC AZ, LLC, the “Covered Entity”, and   , LCSW, the “Business Associate”, each party and collectively, the parties.

 

            The parties are obligated to comply with the requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA); The American Recovery and Reinvestment Act of 2009 and Associated Health Information Technology of Economic and Clinical Health Act (HITECH); and the Final Omnibus Rule of 2013, collectively referred to herein as HIPAA Regulations. Statutory and regulatory references herein are to the aforementioned laws as currently in effect or a subsequently updated amended or revised upon the date of such update amendment or revision. For the purposes of the agreement, all terms have the meaning set forth under the HIPAA regulations, except as expressly provided herein.

            The Covered Entity has entered into, and may in the future enter into, agreements with the Business Associate pursuant to which the Business Associate uses and/or discloses the Covered Entity's protected health information defined at 45 C.F.R. 164.103 (PHI, which, for the terms of this agreement collectively pertains to PHI in any medium, whether electronic paper or verbal). The Business Associate currently uses and/or discloses Covered Entities PHI in order to provide psychotherapy, geriatric care management, billing, accounting, coding and/or Therapist provider insurance application services as further outlined in any associated agreements or statements of work.

            This agreement supplements, modifies and amends any and all agreements whether written or otherwise between the parties. The provisions of this agreement supersede any conflicting or inconsistent terms of any agreement, including any exhibits and attachments thereto.

            This agreement sets forth the terms and conditions pursuant to which PHI that is provided, created, or received by the Business Associate from or on behalf of the Covered Entity will be handled between the Business Associate and the Covered Entity and with third parties. The parties agree as follows:

Permitted uses and Disclosures

The Business Associate may use and disclose PHI necessary to perform its obligations to the Covered Entity except as otherwise specified or restricted herein. All other uses and disclosures not authorized by this agreement are prohibited. The Business Associate may also:

  • Use PHI if necessary for its proper management and administration or to carry out its legal responsibilities;
  • Disclose PHI to third parties for the same purposes so long as the disclosure is required by law or the Business Associate obtains satisfactory assurances from said third-party that PHI will be held confidentially and used or further disclosed only as required by law or for purpose for which it was disclosed and that the third-party will notify the Business Associate of any instances of which it is aware in which the confidentiality of the PHI has been breached; and
  • Business Associate agrees to make uses and disclosures and request of PHI consistent with covered entities minimum necessary policies and procedures.

Obligations of the Business Associate

Limitation on disclosure. The Business Associate agrees not to use or further disclose PHI other than as permitted or required herein in any agreement or as required by law.

Safeguards. The Business Associate agrees to implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of the PHI that it creates, receives, stores, maintains or transmits on behalf of the Covered Entity pursuant to this agreement or any relevant agreement and shall prevent the use or disclosure of covered entities PHI other than as provided for in this agreement or as required by law.

Reporting of Uses/Disclosures not provided for in agreement. The Business Associate agrees to report to the Covered Entity any use or disclosure of PHI not provided for herein or by any written agreement of which it becomes aware.

Mitigation. The Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of the requirements of this agreement.

Use of Agents/Subcontractors. The Business Associate agrees to ensure that any agents, including a subcontractor to whom the Business Associate provides PHI received from, or created or received by, Business Associate on behalf of the Covered Entity agreed to the same restrictions and conditions that apply to the Business Associate with respect to PHI. The Business Associate, as the primary Business Associate, pursuant to its obligations under the HIPPA Regulations and this agreement, is fully responsible for ensuring that it enters into a Business Associate agreement with its subcontractors, and assumes full responsibility and liability for the acts and omissions of its subcontractors related to any PHI that it creates, receives, maintains, stores or transmits on behalf of the Covered Entity. This obligation to safeguard the covered entities PHI is one of the fundamental material representations and obligations of this agreement, the basis upon which the Covered Entity agrees to contract with a Business Associate hereunder.

Access to PHI. Within 15 days of receiving a written request from the Covered Entity for a copy of PHI, the Business Associate agrees to make the requested PHI available to Covered Entity to enable the Covered Entity to respond to an individual who seeks to inspect or copy PHI. (See 45 C.F.R 164.524). Business Associate is required to comply with the security rule with regard to electronic PHI, including but not limited to, making available upon written request, copies of PHI in electronic format, when PHI is stored electronically.

Amendment of PHI. Within 15 days of receiving a written request from the Covered Entity to make an amendment to PHI, the Business Associate will make such amendment and will inform any holder of the PHI that is known to the Business Associate that an amendment has been made. (See 45 C.F.R 164.526).

Accounting of certain disclosures. Within 30 days of receiving a written request from the Covered Entity for an accounting of disclosure of PHI about an individual, the Business Associate shall provide to the Covered Entity a listing of the persons or entitles to which the Business Associate has disclosed PHI about the individual with in the prior six years, along with the dates of, reasons for, and brief descriptions of the disclosures to enable the Covered Entity to respond to an individual seeking an accounting of the disclosures of the individuals PHI. See 45 C.F.R 164.528).

Access to books and records. The Business Associate shall make its internal practices, books, and records relating to the use and disclosure of PHI received from, created by, or received by the Business Associate on behalf of the Covered Entity available to the US Department of health and human services so that it may evaluate the Covered Entities compliance with the Privacy Rule.

Obligations of Business Associate upon termination. The Business Associate shall, at the termination of any agreement or of that uses and/or disclosures of PHI by the Business Associate, if feasible, return or destroy all PHI received from, created by, or received by the Business Associate on behalf of the Covered Entity that the Business Associates still maintains in any form in connection with this agreement and retains no copies of such information or, if such return or destruction is not feasible, extend the protections of this agreement to the PHI and limit further uses and disclosures to those purposes that make the return or destruction of the PHI infeasible.

Reporting of security incident. The Business Associate shall report to the Covered Entity and security incident of which it becomes aware. (Under 45 C.F.R 164.304 a security incident is defined as the attempt or unsuccessful unauthorized access, use, disclosure, modification, or distraction of information or interference with system operations in an information system.)

Breach Notification Procedures.

Reporting of uses/disclosures not provided for in Agreements.

Business Associate agrees to report to Covered Entity uses or disclosures of covered entities PHI not provided for in this agreement, or any security incident including, without limitation, any allegedly unauthorized, impermissible acquisition, access, uses or disclosures of PHI in any form in full compliance with the HIPAA regulations, as any of these rules, regulations and laws may be amended from time to time. Such notification of any allegedly unauthorized uses of disclosures of PHI in any form shall promptly be made to the Covered Entity in writing without unreasonable delay but in no event not later than five business days from the date that the Business Associate became aware of such alleged unauthorized usage or disclosures, or should have known or should have been aware of such alleged unauthorized usage or disclosures. Furthermore, in the event of an unauthorized use or disclosure of PHI, Business Associate shall mitigate to the extent practicable any harmful effects of said use or disclosure that are or should be known to it.

Instructions for reporting a Security Incident. If there is a potential security incident, Business Associate will notify Covered Entity and in such notification the Business Associate shall include, without limitation, the following minimum information: A brief description of what happened including the date of the incident and the date of the discovery of the incident; The identification of each individual whose PHI was compromised or potentially compromised; A description of the types of PHI that were involved in the incident; any steps individuals should take to protect themselves from potential harm resulting from the incident; and a brief description of what Business Associate is doing to investigate the incident to mitigate compromising the PHI and to protect against any further incidents.

Indemnification.

To the maximum extent permitted by law, Business Associate hereby indemnifies Covered Entity, Covered Entity affiliates, officers, directors, employees and agents, and shall defend same against and hold harmless from any and all allegations, claims, actions, suits, loss, damages, fines, penalties and costs, including, but not limited to, attorney fees relating to or arising out of breaches of this agreement and or Business Associates regulatory obligations resulting in losses to Covered Entity or third parties, including covered entities patients. If any settlement requires an affirmative obligation of, results in any ongoing liability to or prejudice or detrimentally impacts Covered Entity in anyway, then such settlement shall require covered entities prior written consent. Covered Entity may elect to have its own counsel in attendance at all proceedings and substantive negotiations relating to such claims.

To the maximum extent permitted by law, Covered Entity, Covered Entity affiliates, officers, directors, employees and agents, hereby indemnifies Business Associate, Business Associate’s affiliates, officers, directors, employees and agents, and shall defend same against and hold harmless from any and all allegations, claims, actions, suits, loss, damages, fines, penalties and costs, including, but not limited to, attorney fees relating to or arising out of breaches of this agreement and or Covered Entities regulatory obligations resulting in losses to Business Associate or third parties, including Covered Entities patients in which the Business Associate rendered services. If any settlement requires an affirmative obligation of, results in any ongoing liability to or prejudice or detrimentally impacts Business Associate in anyway, then such settlement shall require Business Associate prior written consent. Business Associate may elect to have its own counsel in attendance at all proceedings and substantive negotiations relating to such claims.

Notices and Reporting

Any notices or reporting to be given hereunder to a party shall be made via US mail or express courier to such parties address given below and or via facsimile to the facsimile telephone numbers listed below:

If to the Business Associate, to:


  , LCSW

 

 

If to the Covered Entity, to:

BMSC AZ

, LLC
10204 Bode St, Ste B
Plainfield, IL 60585
Attention privacy officer. Fax 954-324-8354

Compliance Related Changes. The parties recognize that the HIPAA regulations may change or maybe clarified from time to time and that the terms of this agreement may need to be revised, on advice of counsel in order to remain in compliance with such changes or clarifications and the parties agreed to negotiate, in good faith, revisions to the term or terms that cause the potential or actual violation or noncompliance. In the event the parties are unable to agree to new or modified terms as required to bring the entire agreement into compliance, either party may terminate this agreement on 30 days written notice to the other party, or earlier if necessary to prevent noncompliance with a deadline or effective date or to protect any PHI at issue, as well as ensure compliance with all obligations under any of these procedures, rules, regulations or laws.

Governing Law and Venue. This agreement shall be governed by the federal laws and regulations of the United States, and Nevada law, where applicable, without regard to conflicts of law's provisions, and any legal action concerning the provisions herein shall be brought in the courts sitting in the state of Nevada, USA. Business Associate agrees that it shall take no action to challenge the law and jurisdiction and shall use its best efforts to ensure that any such claim is adjudicated in Nevada, and further agrees that it has a veiled itself to Nevada courts by entering into Nevada contracts, receiving a copy of entities PHI over the Internet and emailing, negotiating and teleconferencing with Covered Entity over the subject matter of this agreement. Business Associate waives any defenses or objections to Nevada venue, jurisdiction or choice of law.

Terms and Termination.

Term. The term of this agreement shall begin as of the effective date and shall remain in effect so long as Business Associate retains or has access to any PHI created or received on behalf of Covered Entity.

Termination. Notwithstanding any other provision of any agreement, the Covered Entity made immediately terminate this agreement and or any related agreements if the Covered Entity makes the determination that the Business Associate has breached a material term of the associated agreement or this agreement. At the termination of any agreement, or of the uses and/or disclosures of the PHI by the Business Associate, if feasible, return or destroy all PHI received from, created by, or received by the Business Associate on behalf of the Covered Entity that the Business Associate still remains in any form in connection with this agreement and retain no copies of such information or, if such return or destruction is not feasible, extend the protections of this agreement to the PHI and limit further uses and disclosures to those purposes that make the return or destruction of the PHI infeasible.

Miscellaneous.

Audits. Business Associate shall provide to Covered Entity and covered entities internal and extra no auditors, inspectors, regulators and other representatives that Covered Entity may designate from time to time access at reasonable hours to Business Associates personnel, and to Business Associates records and other pertinent information, all to the extent relevant to the services and Business Associates obligations under this agreement. Business Associate shall provide any assistance reasonably requested by Covered Entity or it's designee in conducting any such audit.

No Third-Party Beneficiaries. Nothing express or implied in this agreement is intended to confer, nor shall anything here in confer, upon any person other than Covered Entity, Business Associate and their respective successors and assigns, any rights, remedies, obligations or liabilities whatsoever.

Business Associate agrees to comply with all of the requirements and to incorporate the requirements in its own agreements to the extent required by law. This agreement supersedes any previous HIPAA Business Associate agreement between the parties related to the subject matter herein.

In witness where of the parties have executed this agreement as of the day and year first above written.

Leave this empty:

Signature arrow sign here

Signed by Melanie Donohue
Signed On: August 6, 2020


Signature Certificate
Document name: Business Associate Agreement -VA
lock iconUnique Document ID: 88911c9ddc2ab107b3a3bb96d2536e496c27597f
Timestamp Audit
August 6, 2020 4:08 pm PDTBusiness Associate Agreement -VA Uploaded by Melanie Donohue - new@bluemoonseniorcounseling.com IP 47.149.96.191