Home > Business Associate Agreement

Business Associate Agreement

Parties:

Mentalyc Inc. Address: 2261 Market Street #4569, San Francisco, CA 94114 ("Mentalyc" herein)

Company The organization identified and entered into Mentalyc’s systems by its representative and set forth on the final page of this agreement ("Company" herein)

Recitals:

• Company is a HIPAA Covered Entity or Business Associate.
• Company and Mentalyc will engage in a business relationship in which Mentalyc provides certain Services to Company.
• In this relationship, Mentalyc may receive, use, maintain, disclose, or otherwise process PHI as a Business Associate for or on behalf of the Company.

1. Definitions

• Affiliate: Any entity that directly or indirectly controls, is controlled by, or is under common control with a party. Control is defined as an economic or voting interest of at least 50% or the power to direct or cause the direction of management and set policies.
• HIPAA Laws: Health Insurance Portability and Accountability Act, Health Information Technology for Economic and Clinical Health ("HITECH") Act, including Privacy Rule and Security Rule as modified, supplemented, and amended.
• PHI: As defined in 45 C.F.R. § 160.103 of HIPAA, PHI includes protected health information that is received or created by Mentalyc on behalf of Company through the use of Services.
• Security Measures: Administrative, physical, and technical safeguards, including documentation requirements specified in the Security Rule.
• Services: Unified communications or other services provided by Mentalyc to Company where Mentalyc creates, receives, maintains, or transmits PHI.

2. Permitted Uses and Disclosures of PHI

2.1. Performance of the Agreement for Mentalyc Services

• Mentalyc shall not use or disclose PHI other than as permitted by this agreement or as required by law.
• Mentalyc may use or disclose PHI to perform services for or on behalf of Company, provided such use or disclosure would not violate HIPAA Laws if done by Company.

2.2. Management, Administration, and Legal Responsibilities

• Mentalyc may use and disclose PHI for management, administration, and legal responsibilities if:
  • (a) Required by Law; or
  • (b) Mentalyc obtains reasonable assurances from the person to whom PHI is disclosed that it will be held confidentially and used or disclosed only as required by law.

3. Responsibilities with Respect to PHI

3.1. Mentalyc’s Responsibilities

3.1.1. Limitations on Use, Disclosure, and Sale

• Mentalyc will only use the minimum necessary PHI for proper management and will not engage in the sale of PHI.

3.1.2. Safeguards

• Mentalyc shall use reasonable safeguards to prevent inappropriate use and disclosure of PHI and comply with applicable requirements of the Security Rule.

3.1.3. Subcontractors

• Mentalyc may use subcontractors to fulfill obligations, provided they agree in writing to:
  • (a) Similar restrictions and conditions as Mentalyc regarding PHI.
  • (b) Appropriate safeguards.
  • (c) Compliance with Security Rule requirements.

3.1.4. Reporting to Company

• Mentalyc shall report:
  • (a) Any unauthorized use or disclosure of PHI.
  • (b) Any Security Incident (with exceptions for Unsuccessful Security Incidents).
  • (c) Any Breach of Company's PHI within ten (10) business days.

3.1.5. Unsuccessful Security Incidents

• Unsuccessful Security Incidents include pings, port scans, unsuccessful login attempts, etc., that do not result in unauthorized access.

3.1.6. Disclosures to the Secretary

• Mentalyc shall make records available to Company or the Secretary for determining compliance with HIPAA Laws.

3.1.7. Access and Amendment

• Services do not include access or maintenance of a Designated Record Set. Company shall directly perform such actions.

3.1.8. Accounting of Disclosures

• Mentalyc shall make available information about disclosures to enable Company to make requested accountings.

3.1.9. Privacy and Security Rule Compliance

• Mentalyc shall comply with the Privacy and Security Rules with respect to PHI.

3.2. Company’s Responsibilities

3.2.1. No Impermissible Requests

• Company shall not request Mentalyc to use or disclose PHI in a manner impermissible under HIPAA Laws.

3.2.2. Contact Information for Notices

• Company agrees that notices may be provided electronically and must ensure current contact information.

3.2.3. Safeguards and Appropriate Use of PHI

• Company shall implement privacy and security safeguards and is responsible for ensuring PHI is legally disclosed to recipients.

3.2.4. Communicating Changes to Mentalyc

• Company shall notify Mentalyc of changes in permission regarding the use or disclosure of PHI.

3.2.5. Communicating Restrictions to Mentalyc

• Company shall notify Mentalyc of any agreed restriction to the use or disclosure of PHI.

3.2.6. Communicating Restrictions in Notices of Privacy Practices

• Company shall notify Mentalyc of any limitations in privacy practices that may affect the use or disclosure of PHI.

4. Term and Termination

4.1. Term

• The term begins on the date of acceptance and terminates upon termination of all services requiring a business associate agreement under HIPAA Laws.

4.2. Termination for Breach

4.2.1. Termination for Breach by Company

• Company may:
  • (a) Allow Mentalyc to cure the breach.
  • (b) Immediately terminate if a material breach cannot be cured.
  • (c) Report the violation to the Secretary if termination is infeasible.

4.2.2. Termination for Breach by Mentalyc

• Mentalyc may:
  • (a) Terminate the agreement.
  • (b) Report the problem to the Secretary if termination is not feasible.

5. Post-Termination Obligations

5.1. Return, Destruction, or Retention of PHI

• Upon termination, Mentalyc shall return or destroy all PHI unless it is necessary to retain for management or legal responsibilities.

5.2. Notice When Return or Destruction is Infeasible

• Mentalyc shall notify Company if PHI cannot be returned or destroyed and extend protections to such PHI.

6. Limitation of Liability

• Mentalyc's total liability is limited to ten thousand dollars ($10,000) for all damages arising from a breach of this agreement.

7. Notices

• Notices must be delivered in writing via electronic mail to specified addresses for both Mentalyc and Company.

8. Miscellaneous

8.1. No Agency Relationship

• This agreement does not create an agency relationship; each party is an independent contractor.

8.2. No Third-Party Rights or Remedies

• This agreement does not confer enforceable rights upon any person other than Mentalyc and Company.

8.3. References

• References to Privacy or Security Rule sections mean those currently in effect.

8.4. Assignment

• No assignment is allowed without prior consent, except to an affiliate or successor by merger.

8.5. Amendments; Waiver

• Amendments must be in writing. No waiver is effective unless in writing.

8.6. Ambiguity

• Any ambiguity will be resolved to comply with HIPAA Laws.

8.7. Merger; Conflicts

• This agreement is the final and complete expression of the parties' agreement.

8.8. Severability

• If any provision is deemed invalid, the remaining provisions remain valid.

8.9. Governing Law

• The laws of the State of Delaware govern all matters arising out of or relating to this agreement.

8.10. Electronic and Digital Signatures

• This agreement may be signed electronically and is as binding as a handwritten signature.

9. Data Ownership

• Company Rights: Company retains all right, title, and interest in and to the raw Data.
• License Granted to Mentalyc: Mentalyc is granted a non-exclusive license to use such Data solely for the purpose of providing the Services, including the development of anonymized datasets for training and improving AI models, algorithms, and other technologies.
• Mentalyc Ownership:
  • Mentalyc exclusively owns all rights, titles, and interests in and to any databases created from such anonymized datasets and uses these databases to enhance our Services.
  • Mentalyc exclusively owns all rights, titles, and interests in and to any applications, technologies, products, or improvements developed using anonymized Data, whether or not provided to Company as part of the Services. This includes, but is not limited to, artificial intelligence models and algorithms derived from the anonymized use of Data.

Mentalyc Inc. Copyright © 2021-2024 Mentalyc Inc. All rights reserved.

Mentalyc Inc.

Copyright © 2021-2023 Mentalyc Inc. All rights reserved.

Company

Meet the team

Product

About our notes

Security

Team plan

Pricing

Feature Request

Legal

Privacy Policy

Terms of Use

Business Associate Agreement

Contact us

LinkedIn

Facebook

Instagram

Affiliate program

Investors

Who we serve

Psychotherapists

Group practice owners

Pre-licensed Clinicians

Join us

Careers

Become a writer

Help

Sign up

Help articles

Blog

FAQs

Client consent template

How to upload a session recording to Mentalyc

How to record sessions on Windows? (For online sessions)

How to record sessions on MacBook? (For online sessions)

Popular Blogs

Why a progress note is called a progress note

The best note-taking software for therapists

Writing therapy notes for insurance

How to keep psychotherapy notes compliant in a HIPAA-compliant manner

The best Mental health progress note generator - Mentalyc