EXTENDED BUSINESS ASSOCIATE TERMS

1. Purpose and Scope

These Extended Business Associate Terms (“Terms”) govern how the Business Associate (“Service Provider”) may use and disclose Protected Health Information (“PHI”) while performing services for LabVisits LLC (“Covered Entity”).
They are required under HIPAA (45 CFR §164.504(e)) and the HITECH Act.

2. Definitions

  • PHI: Individually identifiable health information maintained or transmitted in any form.
  • ePHI: PHI maintained or transmitted electronically.
  • Business Associate: The Service Provider and any subcontractors or agents who access PHI on its behalf.
  • Covered Entity: LabVisits LLC.
  • Subcontractor: Any third party engaged by the Service Provider who will access PHI in connection with services under this Agreement.

3. Permitted and Impermissible Uses

  • The Business Associate may use PHI only to perform contracted services, including patient identification, specimen collection, labeling, and coordination of laboratory logistics.
  • The Business Associate shall not use PHI for marketing, data aggregation, sale, or any purpose not expressly authorized by the Covered Entity or required by law.
  • Any use or disclosure of PHI inconsistent with this Agreement or HIPAA is prohibited.

4. Safeguards and HIPAA Security Compliance

The Business Associate shall:

  • Implement appropriate administrative, technical, and physical safeguards in compliance with 45 CFR §§164.308, 164.310, and 164.312.
  • Encrypt all ePHI in storage and transmission.
  • Restrict PHI access to authorized personnel only.
  • Maintain written HIPAA policies and conduct annual HIPAA training for all staff and subcontractors who access PHI.
  • Provide proof of training upon request.

5. Reporting and Breach Notification

  • Report any unauthorized use, disclosure, or breach of PHI to LabVisits LLC within three (3) business days of discovery.
  • Cooperate fully with LabVisits LLC to investigate, mitigate, and remedy the breach.
  • Maintain documentation of the incident, the number of affected individuals, and corrective actions taken.

6. Subcontractors

The Business Associate must ensure that any subcontractor with access to PHI agrees in writing to the same restrictions and safeguards that apply to the Business Associate under these Terms.

7. Access, Amendment, and Accounting of Disclosures

At the request of LabVisits LLC, the Business Associate shall:

  • Provide access to PHI for review or copying within ten (10) business days;
  • Amend PHI as directed by LabVisits LLC;
  • Maintain and provide records of disclosures to enable LabVisits LLC to meet its obligations under 45 CFR §164.528.

8. Availability of Books and Records

The Business Associate shall make its internal practices, books, and records relating to PHI available to the Secretary of Health and Human Services upon request to verify HIPAA compliance.

9. Responsibilities of Covered Entity

LabVisits LLC shall:

  • Notify the Business Associate of any limitation in its privacy practices that may affect PHI use or disclosure;
  • Inform the Business Associate of any change or revocation of authorization by an individual;
  • Refrain from requesting the Business Associate to use or disclose PHI in ways that would be impermissible under HIPAA.

10. Data Ownership

All PHI and related data remain the exclusive property of LabVisits LLC. The Business Associate obtains no rights or ownership interests in PHI.

11. Liability and Indemnification

The Business Associate is directly liable under HIPAA for impermissible use or disclosure of PHI, failure to maintain safeguards, or other violations.
The Business Associate shall indemnify and hold harmless LabVisits LLC from all claims, penalties, and costs arising from its acts or omissions under this Agreement.

12. Return or Destruction of PHI

Upon termination or at the request of LabVisits LLC, the Business Associate shall promptly return or securely destroy all PHI.

If destruction is infeasible, the Business Associate shall continue to safeguard the PHI in accordance with HIPAA indefinitely.

13. Term and Termination

  • Either Party may terminate with written notice.
  • LabVisits LLC may terminate immediately for any material breach of these Terms or non-compliance with HIPAA.
  • Upon termination, all PHI must be returned or destroyed per Section 12.

14. HITECH Compliance

The Parties agree to comply with all applicable provisions of the HITECH Act and to cooperate in amending this Agreement as needed to ensure continued compliance with evolving regulations.

15. Governing Law and Jurisdiction

This Agreement is governed by the laws of the State of Florida.
Any disputes shall be resolved through binding arbitration in Miami-Dade County, Florida.

16. Updates and Notices

  • LabVisits LLC may update these Terms by posting a new version at www.labvisits.com/ba-terms and notifying the Business Associate by email or dashboard notice.
  • Continued performance of services or handling of PHI after such notice constitutes acceptance of the updated terms.