Subcontractor Business Associate Agreement

Updated July 14, 2025

This Subcontractor Business Associate Agreement (“Agreement”), effective as of the Effective Date of the underlying services agreement between the Parties (the “Services Agreement”), is entered into by and between Customer (“Subcontractor”) and ImageMoverMD, Inc. (“Business Associate”) (each a “Party” and, collectively, the “Parties”).

RECITALS

WHEREAS, Business Associate and Subcontractor have entered into the Services Agreement, pursuant to which Subcontractor is providing certain services (“Services”) for the benefit of Business Associate’s customers under one or more written agreements, and Business Associate wishes to disclose certain information to Subcontractor pursuant to the terms of such Services Agreement, some of which may constitute Protected Health Information (“PHI”) (defined below).

WHEREAS, Business Associate provides services for, and in that capacity, is a business associate (as per 45 C.F.R. § 160.103) of, one or more customers that are covered entities (as defined at 45 C.F.R. § 160.103) (collectively referred to herein as the “Covered Entity”). As a business associate, Business Associate is obligated to protect the privacy and provide for the security of the PHI disclosed to Business Associate by the Covered Entity for which Business Associate provides services. The PHI that Business Associate may disclose to Subcontractor will have been disclosed to Business Associate by the Covered Entity or by a business associate of the Covered Entity.

WHEREAS, Business Associate and Subcontractor intend to protect the privacy and provide for the security of PHI disclosed to Subcontractor pursuant to the Agreement in compliance with (i) the Health Insurance Portability and Accountability Act of 1996, Public Law No. 104-191 (“HIPAA”); (ii) Subtitle D of the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”), also known as Title XIII of Division A and Title IV of Division B of the American Recovery and Reinvestment Act of 2009, Public Law No. 111-005; and (iii) regulations promulgated thereunder by the U.S. Department of Health and Human Services (“HHS”), including the HIPAA Omnibus Final Rule, which amended the HIPAA Privacy and Security Rules (as those terms are defined below) and implemented a number of provisions of the HITECH Act (the “HIPAA Final Rule”), extending certain HIPAA obligations to subcontractors and their subcontractors.

WHEREAS, the HIPAA Rules require that Business Associate receive assurances that Subcontractor will comply with applicable obligations under the HIPAA Rules with respect to any PHI created, received, transmitted, or maintained from or on behalf of Covered Entity in the course of providing the Services; and

WHEREAS the purpose of this Agreement is to comply with the requirements of the HIPAA Rules.

NOW, THEREFORE, in consideration of the mutual promises and covenants herein, and for other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the Parties agree as follows:

A. Definitions. Capitalized terms used in this Agreement that are not otherwise defined shall have the meanings ascribed by the HIPAA Rules.

1. “Breach” means the acquisition, access, use or disclosure of PHI in a manner not permitted under the Privacy Rule that compromises the security or privacy of the PHI, subject to the exceptions set forth at 45 C.F.R. 164.402.

2. “Designated Record Set” means a group of records maintained by or for Covered Entity that are: (i) the medical records and billing records about individuals maintained by or for Covered Entity; (ii) the enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or (iii) used, in whole or in part, by or for Covered Entity to make decisions about individuals. For purposes of this definition, the term “record” means any item, collection, or grouping of information that includes PHI and is maintained, collected, used, or disseminated by or for Covered Entity.

3. “Individual” means the person who is the subject of the PHI.

4. “Protected Health Information” or PHI means Individually Identifiable Health Information created, received, transmitted or maintained by or on behalf of a Covered Entity that is transmitted or maintained in any form or medium. For purposes of this Agreement, “Protected Health Information” or “PHI” is limited to such information that Subcontractor creates, receives, maintains, or transmits as a subcontractor of Business Associate.

5. “Required by Law” means a mandate contained in law that compels a use or disclosure of PHI and as otherwise defined in 45 C.F.R. 164.103.

6. “Security Incident” means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system. 

7. “Secretary” means the Secretary of the U.S. Department of Health and Human Services or his or her designee.

8. “Unsecured Protected Health Information” or “Unsecured PHI” means PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary.

B. Obligations of Subcontractor. Subcontractor shall comply with applicable provisions of the HIPAA Rules, including, without limitation:

1. Use and Disclosure of PHI. Except as otherwise permitted by this Agreement or the HIPAA Rules, Subcontractor shall use or disclose PHI only as necessary to provide the Services to or on behalf of Covered Entity under the Services Agreement or as Required by Law. Subcontractor’s use and disclosure of PHI must comply with applicable requirements of 45 C.F.R. § 164.504(e), and Subcontractor may not use or disclose PHI in a manner that would violate the Privacy Rule. Subcontractor may use PHI for its proper management and administration or to carry out its legal responsibilities. Subcontractor also may disclose PHI for its proper management and administration or to carry out its legal obligations if:

(a) the disclosure is Required by Law; or

(b) Subcontractor obtains reasonable assurances from the person or entity to whom the PHI is disclosed that: (i) the PHI will be held confidentially and further used and further disclosed only as Required by Law or for the purpose for which it was disclosed to the person or entity; and (ii) the person or entity will notify Subcontractor of any instances of which it is aware in which confidentiality of the PHI has been Breached.

2. Data Aggregation. Except as otherwise limited in this Agreement, Subcontractor may use PHI to provide Data Aggregation services for the Health Care Operations of the Covered Entity as permitted by 45 C.F.R. § 164.504(e)(2)(i)(B) provided that such activities are limited to those necessary to meet the Subcontractor’s obligations under the Agreement.

3. Notice to Business Associate of Unauthorized Use or Disclosure or of a Security Incident. Subcontractor shall notify Business Associate promptly, and in no case later than one (1) day after becoming aware of any use or disclosure of PHI that is not provided for or permitted by this Agreement. Subcontractor also shall notify Business Associate promptly, and in no case later than one (1) day after becoming aware of any Security Incident; provided, however, that this Section constitutes notice by Subcontractor to Business Associate of the ongoing existence and occurrence of attempted but unsuccessful Security Incidents, for which no additional notice to Business Associate shall be required, including but not limited to pings and other broadcast attacks on Subcontractor’s firewall, port scans, unsuccessful log-on attempts, denials of service and any combination of the above, so long as no such incident results in unauthorized access to, or use or disclosure of, PHI.

4. Notice to Business Associate of Breach of Unsecured Protected Health Information. Subcontractor shall notify Business Associate promptly and in no case later than one (1) day after Subcontractor’s Discovery of a Breach of Unsecured PHI. In its notice to Business Associate, Subcontractor shall provide, to the extent possible, the identification of each Individual whose Unsecured PHI has been, or is reasonably believed by Subcontractor to have been, accessed, acquired, used, or disclosed during the Breach. Subcontractor shall provide any other available information that Business Associate is required to include in its notification to the Individual, the Secretary, and the media under the Breach Notification Rule and applicable state data breach laws at the time of the notice or promptly thereafter as information becomes available, including but not limited to: (i) a brief description of what happened, including the date of the Breach and the date of Discovery of the Breach; (ii) a description of the types of Unsecured PHI that were involved in the Breach; and (iii) identification of the individuals whose PHI was affected. Notwithstanding the foregoing, in Business Associate’s sole discretion and in accordance with its directions, and without limiting in any way any other remedy available to Business Associate at law, equity, or contract, Subcontractor (i) shall conduct, or pay the costs of conducting, an investigation of any incident required to be reported under this Section B.4 or Section B.3 of this Agreement, (ii) shall reimburse and pay Business Associate for all expenses and costs incurred by Business Associate that arise from an investigation of any incident required to be reported under this Section B.4 or Section B.3, and (iii) shall provide, and/or pay the costs of providing, the required notices set forth in this Section.

5. Marketing/Fundraising. Subcontractor shall not perform marketing as per the definition of marketing established under 45 C.F.R. § 164.501.

6. No Sale of Protected Health Information. Subcontractor shall not directly or indirectly receive remuneration in exchange for an Individual’s PHI as provided in 45 C.F.R. § 164.502(a)(5)(ii).

7. Implementation of Safeguards. Subcontractor shall comply with the Security Rule with respect to Electronic PHI and maintain appropriate safeguards to ensure that PHI is not used or disclosed other than as provided by this Agreement or as Required by Law. In accordance with the Security Rule, Subcontractor shall implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of any Electronic PHI and shall comply with the Security Rule with respect to Electronic PHI. 

8. Minimum Necessary. When using, requesting, or disclosing PHI, Subcontractor shall comply with the “minimum necessary” requirements of the Privacy Rule found at 45 C.F.R. §§ 164.502(b) and 164.514(d).

9. Disclosure to Subcontractors. If Subcontractor discloses PHI to a subcontractor, Subcontractor shall enter into a written agreement meeting the requirements of 45 C.F.R. §§ 164.504(e) and 164.308(b)(2) with each subcontractor that creates, receives, maintains, or transmits PHI. Subcontractor shall require that the subcontractor agree to the same restrictions and conditions as apply to Subcontractor under this Agreement including complying with the applicable Security Rule requirements with respect to Electronic PHI and, further, that such subcontractors report any unauthorized uses or disclosures of PHI, Security Incidents, or Breaches to Subcontractor within not more than forty-eight (48) hours of such occurrence.

10. Individual Rights Regarding Designated Record Sets. If Subcontractor maintains a Designated Record Set on behalf of Covered Entity: 

(a) Right to Copy or Inspection. Subcontractor shall promptly, and in no case later than five (5) business days after receipt of a request from Business Associate, make available to Business Associate for inspection and duplication all PHI about an Individual in a Designated Record Set that is in Subcontractor’s custody or control, so that Covered Entity may meet its access obligations under 45 C.F.R. § 164.524. If an Individual submits a request for access to Subcontractor, Subcontractor shall promptly forward the request to Business Associate. 

(b) Right to Amendment. Subcontractor shall promptly, and in no case later than five (5) business days after receipt of a request from Business Associate, amend PHI or a record about an Individual in a Designated Record Set that is in the custody or control of Subcontractor, so that Covered Entity may meet its amendment obligations under 45 C.F.R. § 164.526. If an Individual submits a request for amendment to Subcontractor, Subcontractor shall promptly forward the request to Business Associate.

11. Accounting of Disclosures.

(a) Subcontractor shall keep records of all disclosures of PHI made by Subcontractor necessary for Subcontractor to provide to Business Associate the disclosure accounting described below (“Disclosure Accounting”) on an ongoing basis for a period of at least six (6) years, except for disclosures that are not subject to the accounting obligation as set forth in 45 C.F.R. § 164.528(a)(1) (“Excepted Disclosures”), including the following Excepted Disclosures:

(i) to carry out Treatment, Payment or Health Care Operations; and

(ii) to an Individual of PHI about the Individual, as provided by the Privacy Rule.

(b) If an Individual submits a request for a Disclosure Accounting to Subcontractor, Subcontractor shall promptly forward a copy of the request to Business Associate.

(c) Subcontractor shall provide the Disclosure Accounting to Business Associate within five (5) business days of receiving a written request therefor. The Disclosure Accounting shall contain the following (or such other information as may be required consistent with 45 C.F.R. § 164.528):

(i) the date of the disclosure;

(ii) the name of the entity or person to whom or which the PHI was provided and, if known, the address of such entity or person;

(iii) a brief description of the PHI disclosed; and

(iv) a brief statement of the purpose of the disclosure that reasonably informs the Individual of the basis for the disclosure or, in lieu of such statement, a copy of the applicable written request for information to which the disclosure was responsive.

12. Right to Request Restrictions. If Subcontractor has knowledge that an Individual who is the subject of PHI has requested restrictions on the disclosure of PHI, Subcontractor must comply with the requested restriction if (a) the Covered Entity agrees to abide by the restriction; or (b) the disclosure is to a Health Plan for purposes of carrying out Payment or Health Care Operations and the PHI pertains solely to a health care item or service for which Covered Entity has been paid out of pocket in full.

13. Internal Practices, Policies and Procedures. Subcontractor shall make its internal practices, books and records related to use and disclosure of PHI available to the Secretary and Covered Entity, upon request, for the purpose of the Secretary determining Covered Entity’s compliance with the HIPAA Rules or Covered Entity determining Subcontractor’s compliance with this Agreement. Records requested shall be made available in the time and manner specified by the Secretary or Covered Entity, as applicable.

14. Carrying out Covered Entity Obligations. To the extent the Services require Subcontractor to carry out one or more of Covered Entity’s obligations under the Privacy Rule, Subcontractor shall comply with the requirements of the Privacy Rule that apply to Covered Entity in the performance of such obligations. 

C. Term and Termination.

1. Term. This Agreement shall be effective as of the Effective Date and shall be terminated when all PHI is destroyed or returned to Business Associate.

2. Termination for Breach. Business Associate may terminate the Services Agreement and/or this Agreement if it determines that there has been a material breach of Subcontractor’s obligations under this Agreement. At its option, Business Associate may take reasonable steps to cure the breach or end the violation. If the breach or violation continues and termination of the Services Agreement or this Agreement is not feasible, Business Associate may report the problem to the Secretary.

3. Effect of Termination. Upon termination of this Agreement for any reason, Subcontractor shall return or destroy all PHI received from Business Associate, or created or received by Subcontractor or its Subcontractors on behalf of Business Associate, or maintained by Subcontractor or its Subcontractors in any form. If Subcontractor determines that the return or destruction of PHI is not feasible, Subcontractor shall inform Business Associate in writing of the reason therefor, and shall extend the protections of this Agreement to such PHI and limit further uses and disclosures of the PHI to those purposes that make the return or destruction of the PHI not feasible for so long as Subcontractor retains the PHI. 

4. Mitigation. If Subcontractor violates this Agreement or the HIPAA Rules with respect to PHI governed by this Agreement, Subcontractor shall mitigate any damage caused by such violation.

5. Survival. The respective rights and obligations of Subcontractor under Sections B.3, B.4, C.3, C.4 and this Section C.5 of this Agreement shall survive the termination of this Agreement.

D. Miscellaneous.

1. Notices. All notices pertaining to this Agreement shall be given in writing and shall be deemed duly given when personally delivered to a Party or a Party's authorized representative as listed below or sent by means of a reputable overnight carrier, or sent by means of certified mail, return receipt requested, postage prepaid. A notice sent by certified mail shall be deemed given on the date of receipt or refusal of receipt. All notices shall be addressed to the appropriate Party as follows: 

If to Business Associate:

ImageMoverMD, Inc.

2858 University Ave #265

Madison, WI 53705

Regulatory@imagemovermd.com

If to Subcontractor:

Customer Entity Name:

Customer Address 1:

Customer Address 2:

Customer Email:

2. Amendments. This Agreement may not be changed or modified in any manner except by an instrument in writing signed by a duly authorized officer of each of the Parties hereto. Notwithstanding the foregoing, to the extent that any relevant provision of HIPAA or the HIPAA Rules is amended in a manner that changes the obligations of Subcontractor or Business Associate provided for in this Agreement, Subcontractor and Business Associate agree to take such action as is necessary to amend this Agreement to enable the Parties to comply with the requirements of HIPAA as it may be amended from time to time. If the Parties are unable to agree to necessary amendments in such event to comply with changes in applicable law in the reasonable time period designated by Business Associate, Business Associate may terminate this Agreement.

3. Severability. The provisions of this Agreement shall be severable, and if any provision of this Agreement shall be held or declared to be illegal, invalid or unenforceable, the remainder of this Agreement shall continue in full force and effect as though such illegal, invalid or unenforceable provision had not been contained herein.

4. No Third-Party Beneficiaries. Nothing in this Agreement shall be considered or construed as conferring any right or benefit on a person not a party to this Agreement nor imposing any obligations on either Party hereto with respect to persons not a party to this Agreement.

5. Entire Agreement. This Agreement, together with all exhibits, riders and amendments, if applicable, that are fully completed and signed by authorized persons on behalf of both Parties from time to time while this Agreement is in effect, constitutes the entire agreement between the Parties with respect to the subject matter hereof and supersedes all previous written or oral understandings, agreements, negotiations, commitments, and any other writing or communication by or between the Parties with respect to the subject matter hereof.

6. Interpretation. Any ambiguity in this Agreement shall be resolved in favor of a meaning that permits Business Associate and Subcontractor to comply with the HIPAA Rules. The provisions of this Agreement shall prevail over the provisions of any other agreement that exists between the Parties that may conflict with, or appear inconsistent with, any provision of this Agreement or the HIPAA Rules.

7. No Agency. Subcontractor shall not be deemed to be the common law agent of Business Associate.