Business Associates Agreement
Business Associate Agreement for customers enrolled in the Cytracom Business Associates Program.
Business Associates Agreement
Last Modified: February 12, 2025
Last Reviewed: February 12, 2025
Cytracom LLC (“Cytracom”) provides enterprise-grade business communications and security services (“Services”) through a network of third party resellers (“Resellers”), and operates online websites at http://www.cytracom.com, https://controlone.cytracom.net and https://secure.cytracom.net as well as mobile and web applications, integrations, and plugins (collectively, the “Sites”) to provide information about the Services and to identify purchasers of the Services (“Customers”) as well as potential purchasers of the Services and to introduce them to Resellers. Cytracom respects the privacy of others.
This Business Associate Agreement (“Agreement”) applies to customers enrolled in the Cytracom Business Associates Program.
WITNESSETH
WHEREAS, Covered Entity is a “covered entity” as defined in the Health Insurance Portability and Accountability Act of 1996 and the regulations promulgated thereunder (“HIPAA”), and as described in the Health Information Technology for Economic and Clinical Health Act (“HITECH”) provisions of the American Recovery and Reinvestment Act of 2009 (“ARRA”); and
WHEREAS, Business Associate provides certain telephone and business communications services (the “Non-Voicemail Services”) for Covered Entity pursuant to an agreement (the “Services Agreement”), which services are conduit services and therefore do not make Business Associate a “business associate” of Covered Entity under HIPAA; and
WHEREAS, Business Associate also provides certain voicemail and voice storage services (the “Voicemail Services”) for Covered Entity pursuant to the Services Agreement, the performance of which involves the creation, receipt, maintenance, or transmission of certain Protected Health Information, as defined in 45 CFR 160.103 and limited to the information created or received by Business Associate from or on behalf of Covered Entity in connection with the Voicemail Services (“PHI”); and
WHEREAS, HIPAA requires that Covered Entity enter into written agreements with its business associates in order to regulate the use and disclosure of certain protected health information of Covered Entity related to the Voicemail Services; and
WHEREAS, Covered Entity and Business Associate agree to enter into this Agreement under the terms and conditions set forth herein to meet the applicable requirements for such business relationships under HIPAA, as related to the Voicemail Services.
NOW THEREFORE, for and in consideration of these premises, the Parties’ other mutual covenants contained herein, and other good and valuable consideration, the receipt and adequacy of which are forever acknowledged and confessed, the Parties hereto acknowledge, covenant, and agree as follows:
1. Obligations of Business Associate
1.1. Permitted Uses and Disclosures of PHI. Business Associate shall use and disclose any PHI it may receive from Covered Entity to perform the Services and carry out the obligations of Business Associate under the Agreement, and in accordance with applicable federal and state laws, including but not limited to HIPAA, and the terms of this Agreement. Unless otherwise limited by this Agreement, Business Associate may also: (i) use the PHI in its possession for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate, (ii) disclose the PHI in its possession to a third party for the purpose of Business Associate’s proper management and administration or to carry out the legal responsibilities of Business Associate, provided that such disclosures are Required by Law or that Business Associate has obtained reasonable written assurances (similar in form to this Agreement) from the third party to whom PHI is disclosed that the PHI will be held confidentially and the third party has agreed to notify Business Associate any instances of which it becomes aware in which the confidentiality of the information has been breached; and (iii) provide data aggregation services relating to the Health Care Operations of Covered Entity. Business Associate may de-identify any PHI covered by this Agreement without authorization from Covered Entity, provided that such de-identification is in strict accordance with the requirements of HIPAA, including without limitation 45 CFR § 164.514(b). Business Associate shall not use or further disclose PHI other than permitted or required by this Agreement or as otherwise required by law. To the extent Business Associate is to carry out any obligation of Covered Entity under Subpart E of 45 CFR Part 164, Business Associate shall comply with the requirements of Subpart E that apply to Covered Entity the performance of such obligation. Any such de-identified data will not be considered PHI covered by this Agreement. When using or disclosing PHI, Business Associate will make reasonable efforts to limit PHI to the minimum necessary for the use, disclosure, or request.
1.2 Safeguards. Business Associate will use all appropriate safeguards to prevent use or disclosure of PHI other than as provided for by this Agreement or as required by law. Without limiting the foregoing, Business Associate shall implement and use appropriate administrative, physical and technical safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to electronic protected health information, to reasonably and appropriately protect the confidentiality, integrity, and availability of the PHI and prevent the use or disclosure of PHI other than as set forth in this Agreement or as permitted or required by law.
1.3 Reporting Disclosures of PHI. In the event Business Associate, its agents, employees or contractors use or disclose PHI in violation of this Agreement, Business Associate shall report such use or disclosure to Covered Entity promptly after Business Associate becomes aware of such violation, including the circumstances surrounding the use or disclosure and a description of the PHI inappropriately used or disclosed. Business Associate shall report to Covered Entity any Security Incident of which it becomes aware, provided that Business Associate shall only be required to report unsuccessful Security Incidents upon request by Covered Entity, and any such report may be in summary form generally describing the types and frequency of such unsuccessful Security Incidents. Business Associate agrees to notify Covered Entity in the event of any breach of unsecured PHI held by or under the control of Business Associate, including the identity of the affected individual(s) and all other relevant information, within three (3) business days of the first day the “breach of unsecured PHI” is known, or reasonably should have been known, to Business Associate. Unless the context of the relationship specifically requires otherwise, the parties disclaim any agency relationship between Covered Entity and Business Associate.
1.4 Mitigation of Harmful Effects. Business Associate shall establish procedures for mitigating harmful effects of any improper use or disclosure of PHI that Business Associate reports to Covered Entity.
1.5 Third Party Agreements. In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), Business Associate shall require all of its subcontractors and agents that receive, use or have access to PHI to: (i) agree in writing to adhere to the same or substantially similar restrictions and conditions applicable to the use or disclosure of such PHI as required herein, that is, the restrictions and conditions applicable to Business Associate with respect to PHI under the terms of this Agreement, and (ii) implement reasonable and appropriate safeguards to protect PHI.
1.6 Access to Information. Within ten (10) business days of a request by Covered Entity for access to PHI about an individual contained in a Designated Record Set (as defined in 45 C.F.R. 164.501) in Business Associate’s possession, Business Associate shall make available to Covered Entity such PHI for so long as such information is maintained in the Designated Record Set by Business Associate. In the event any individual requests access to his or her own PHI directly from Business Associate, Business Associate shall forward such request to Covered Entity upon receipt of same. Business Associate shall reasonably cooperate with Covered Entity to provide an individual, at Covered Entity’s written direction, with access to the individual’s PHI in Business Associate’s possession within ten (10) business days of Business Associate’s receipt of written instructions for same from Covered Entity. Any denials of access to PHI requested shall be the responsibility of Covered Entity.
1.7 Amendment of PHI. Business Associate agrees to make PHI in a Designated Record Set available for amendment and to incorporate any appropriate amendments at the direction of and in the time and manner designated by Covered Entity. Business Associate further agrees to forward to Covered Entity any request for amendment of PHI made directly by an individual to Business Associate upon receipt of such request, and take no action on such request until directed by Covered Entity.
1.8 Accounting of Disclosures. Business Associate agrees to document disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an individual for an accounting of disclosures of PHI in accordance with 45 CFR 164.528 and to provide Covered Entity with an accounting of such disclosures in the time and manner designated by Covered Entity. Business Associate further agrees to forward to Covered Entity any request for an accounting of disclosures of PHI made directly by an individual to Business Associate upon receipt of such request. To the extent Business Associate maintains PHI in an electronic health record, Business Associate agrees to account for all disclosures of such PHI upon the request of an individual for a period of at least three (3) years prior to such request (but no earlier than the effective date of this Agreement), as required by HITECH; such accounting shall be directly to the individual if requested by Covered Entity.
1.9 Access to Books and Records. Business Associate agrees to make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of the Department of Health and Human Services for purposes of determining compliance with the requirements of HIPAA.
1.10 Obligations under HITECH. Business Associate acknowledges that it is subject to the security and data breach provisions of HIPAA and agrees to abide thereby. Business Associate also agrees to abide by all of the privacy provisions set forth in HITECH, including, without limitation, all restrictions on marketing, all restrictions on receipt of remuneration in exchange for PHI, and all requirements relating to limited data sets and minimum necessary disclosures.
2. Obligations of Covered Entity
2.1 Notice of Privacy Practices. Covered Entity agrees to provide Business Associate with a copy of Covered Entity’s “Notice of Privacy Practices,” required to be provided to individuals in accordance with 45 CFR 164.520, as well as any subsequent changes to such notice.
2.2 Changes to or Restrictions on Use or Disclosure of PHI. Covered Entity will provide Business Associate with any changes to, or revocation of, permission to use or disclose PHI if such changes affect Business Associate’s permitted or required uses or disclosures. Covered Entity will further notify Business Associate of any restriction to the use or disclosure of PHI agreed to by Covered Entity in accordance with the provisions of 45 CFR 164.522, and any restriction requested by an individual which Covered Entity is required to comply with in accordance with the provisions of HITECH.
2.3 Requested Uses or Disclosures of PHI. Covered Entity shall not request Business Associate to use or disclose PHI in any manner inconsistent with state or federal law.
2.4 PHI. Covered Entity shall use commercially reasonable efforts not to disclose PHI to Business Associate unless such PHI is necessary for Business Associate to perform the Services.
3. Term and Termination
3.1 Term. This Agreement shall be deemed effective on the Effective Date and shall continue in effect until all obligations of the Parties have been met, unless otherwise terminated under the terms and conditions set forth herein.
3.2 Termination for Cause. If a Party breaches a provision of this Agreement, the non-breaching Party shall immediately notify the breaching Party of the nature of the breach. With respect to such breach or violation: (i) the breaching Party shall take reasonable steps to cure such breach or end such violation within thirty (30) days of receiving notice; or (ii) if such steps are unsuccessful or if cure is not possible, promptly, upon written notice, the non-breaching Party may, if feasible, terminate this Agreement and all of the provisions of the Services Agreement that involve the use or disclosure of PHI; or (iii) if such termination is not feasible, the non-breaching Party shall report the Party’s breach or violation to the Secretary of the Department of Health and Human Services. The non-breaching Party shall notify the breaching Party prior to reporting the breach or violation to the Secretary of the Department of Health and Human Services.
3.3 Effect of Termination and Obligations of Business Associate Upon Termination. Upon termination of this Agreement, Business Associate shall return or destroy all PHI created or received by Business Associate, its agents and subcontractors to the extent feasible, without retaining any copies of such PHI. If Business Associate and Covered Entity mutually agree that return or destruction of the PHI is not reasonably feasible, Business Associate agrees to extend the protections of PHI under this Agreement and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible.
The obligations of Business Associate under this Section 3.3 shall survive the termination of this Agreement.
4. Miscellaneous Provisions
4.1 Definitions and Interpretation; Indemnification. All words used herein but not defined herein shall have the meanings set out in HIPAA, and this Agreement shall be interpreted in such a fashion as to cause the parties to be in compliance with HIPAA.
4.2 Assignment. Neither party shall have the right to assign its rights or obligations under this Agreement without the prior written consent of the other party, and any such attempted assignment shall be void.
4.3 Amendment. This Agreement shall not be modified or amended except by a written document executed by each of the parties to this Agreement, and such written modification or amendment shall be attached hereto.
4.4 Waiver of Provisions. Any waiver of any terms and conditions of this Agreement must be in writing, and signed by both Business Associate and Covered Entity. The waiver of any of the terms and conditions of this Agreement shall not be construed as a waiver of any other terms and conditions of the Agreement.
4.5 Parties In Interest; No Third-Party Beneficiaries. Except as otherwise provided in this Agreement, the terms and conditions of this Agreement shall inure to the benefit of and be binding upon the respective heirs, legal representatives, successors and permitted assigns of the parties to this Agreement. Neither this Agreement nor any other agreement contemplated in this Agreement shall be deemed to confer upon any person not a party to this Agreement any rights or remedies contained in this Agreement.
4.6 Governing Law. This Agreement, the rights and obligations of the parties hereto, and the entire relationship between the parties relating hereto shall be governed by and construed and enforced in accordance with the substantive laws (but not the rules governing conflicts of laws) of the state of Texas and with HIPAA.
4.7 Notice. Whenever this Agreement requires or permits any notice, request, or demand from one party to another, the notice, request, or demand must be in writing to be effective and shall be deemed to be delivered and received (i) if personally delivered or if delivered by telex, telegram, facsimile or courier service, when actually received by the party to whom notice is sent or (ii) if delivered by mail (whether actually received or not), at the close of business on the third business day next following the day when placed in the mail, postage prepaid, certified or registered, addressed to the appropriate party, at the address of such party set forth below (or at such other address as such party may designate by written notice to all other parties in accordance herewith):
If to Covered Entity:
Attn: Privacy Officer
If to Business Associate:
Cytracom, LLC
ATTN: Privacy Officer
7300 State Highway 121, Suite 800
McKinney, TX 75070
4.8 Authorization. The Parties executing this Agreement hereby warrant that they have the authority to execute this Agreement and that their execution of this Agreement does not violate any bylaws, rules, or regulations applicable to them.
4.9 Counterparts. This Agreement may be executed in multiple counterparts, each of which shall be deemed an original, and all of which together shall constitute one and the same instrument.
IN WITNESS WHEREOF, the Parties hereto have executed this Agreement as of the date the customer is enrolled in the Business Associates Program.