HIPAA Business Associate Agreement - Dental Office & Service Provider

 If a dental care practice (“Covered Entity”) retains a service provider (“Business Associate”) to provide remote dental business services through the outsourced dental service platform (“platform”) provided by Caron Admin Services, LLC. (“Caron Admin Services”), then this HIPAA Business Associate Agreement (“HIPAA Agreement”) applies to enable Covered Entity and Business Associate to comply with privacy standards adopted by the U.S. Department of Health and Human Services and related standards, rules and regulations. 

     WHEREAS, Covered Entity has engaged or will engage Business Associate to provide Covered Entity with certain services related to the management and operation of dental practices utilizing the Caron Admin Services platform; 

     WHEREAS, Business Associate is willing to perform such services for Covered Entity subject and pursuant to the terms and conditions set forth in all written service agreements between Covered Entity and Business Associate (collectively, “Service Agreement”); and

     WHEREAS, the HIPAA Rules (defined below) require that Covered Entities receive adequate assurances that Business Associates will comply with certain obligations with respect to PHI (defined below) received in the course of providing services to or on behalf of a Covered Entity.

     NOW, THEREFORE, for good and valuable consideration, the receipt and adequacy of which are hereby acknowledged, the parties agree as follows:

 

A. Definitions

     The following terms used in this HIPAA Agreement shall have the same meaning as those terms in the HIPAA Rules: Breach, Data Aggregation, Designated Record Set, Disclosure, Health Care Operations, Individual, Minimum Necessary, Notice of Privacy Practices, Protected Health Information, Required By Law, Secretary, Security Incident, Subcontractor, Unsecured Protected Health Information, and Use.

HIPAA Rules. “HIPAA Rules” means the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Part 160 and Part 164.

PHI. “PHI” means Protected Health Information. 

Business Associate.  “Business Associate” shall generally have the same meaning as the term “business associate” at 45 CFR 160.103, and in reference to the party to this HIPAA Agreement, shall mean the party so identified above.

Covered Entity.  “Covered Entity” shall generally have the same meaning as the term “covered entity” at 45 CFR 160.103, and in reference to the party to this HIPAA Agreement, shall mean the party so identified above.

Any ambiguity in this HIPAA Agreement shall be interpreted to permit compliance with the HIPAA Rules.

B. Obligations and Activities of Business Associate

Business Associate agrees to:

  1. Not use or disclose PHI other than as permitted or required by this HIPAA Agreement or as required by law;

  2. Use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to electronic PHI, to prevent use or disclosure of PHI other than as provided for by the HIPAA Agreement;

  3. Report to Covered Entity any use or disclosure of PHI not provided for by the HIPAA Agreement of which it becomes aware, including breaches of unsecured PHI as required at 45 CFR 164.410, and any security incident of which it becomes aware;

  4. In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of the Business Associate agree to the same restrictions, conditions, and requirements that apply to the Business Associate with respect to such information;

  5. Make available PHI in a designated record set to the Covered Entity as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.524;

  6. Make any amendment(s) to PHI in a designated record set as directed or agreed to by the Covered Entity pursuant to 45 CFR 164.526, or take other measures as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.526;

  7. Maintain and make available the information required to provide an accounting of disclosures to the Covered Entity as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.528;

  8. To the extent the Business Associate is to carry out one or more of Covered Entity's obligation(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation(s); and

  9. Make its internal practices, books, and records available to the Secretary for purposes of determining compliance with the HIPAA Rules.

C. Permitted Uses and Disclosures by Business Associate

  1. Business Associate may only use or disclose PHI as necessary to perform the services set forth in the Service Agreement.

  2. Business Associate may use or disclose PHI as required by law.

  3. Business Associate agrees to make uses and disclosures and requests for PHI consistent with Covered Entity’s minimum necessary policies and procedures.

  4. Business Associate may not use or disclose PHI in a manner that would violate Subpart E of 45 CFR Part 164 if done by Covered Entity except for any specific uses and disclosures set forth below.

  5. Business Associate may use PHI for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate.

  6. Business Associate may disclose PHI for the proper management and administration of Business Associate or to carry out the legal responsibilities of the Business Associate, provided the disclosures are required by law, or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that the information will remain confidential and used or further disclosed only as required by law or for the purposes for which it was disclosed to the person, and the person notifies Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.

  7. Business Associate may provide data aggregation services relating to the health care operations of the Covered Entity.

D. Obligations and Activities of Covered Entity 

  1. Covered Entity must notify Business Associate of any limitation(s) in the notice of privacy practices of Covered Entity under 45 CFR 164.520, to the extent that such limitation may affect Business Associate’s use or disclosure of PHI.

  2. Covered Entity must notify Business Associate of any changes in, or revocation of, the permission by an individual to use or disclose his or her PHI, to the extent that such changes may affect Business Associate’s use or disclosure of PHI.

  3. Covered Entity must notify Business Associate of any restriction on the use or disclosure of PHI that Covered Entity has agreed to or is required to abide by under 45 CFR 164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of PHI.

  4. Covered Entity understands that by accepting this HIPAA Agreement and requesting the services provided, Business Associate does not guarantee payment for applicable claims. Covered Entity will indemnify and hold Business Associate and its employees and contractors harmless from and against any and all claims, actions, damages, liabilities, costs or expenses, including without limitation, reasonable attorney’s fees, arising out of any act or omission of Covered Entity, its employees, contractors or agents.

  5. Covered Entity represents and warrants that, at all times during the term of this HIPAA Agreement, and in compliance with all HIPAA Rules and applicable laws, Covered Entity’s patients have given written permission for Business Associate to communicate PHI, scheduling, treatment and other information to such patients via phone, email, text, and Covered Entity so authorizes Business Associate to do so.

E. Term and Termination

  1. Term. The Term of this HIPAA Agreement will begin as described herein and will terminate on the date as authorized in paragraphs 2 and 3 below in this Section E.

  2. Termination for Cause. Business Associate authorizes termination of this HIPAA Agreement by Covered Entity, if Covered Entity determines Business Associate has violated a material term of the HIPAA Agreement and Business Associate has not cured the breach or ended the violation within thirty (30) days after receiving notice from Covered Entity.

  3. Automatic Termination.  This HIPAA Agreement will automatically terminate without any further action of the parties upon the termination or expiration of the Service Agreement between the parties.

  4. Obligations of Business Associate Upon Termination. 
    Upon termination of this HIPAA Agreement for any reason, Business Associate, with respect to PHI received from Covered Entity, or created, maintained, or received by Business Associate on behalf of Covered Entity, shall:

    • Retain only that PHI which is necessary for Business Associate to continue its proper management and administration or to carry out its legal responsibilities;

    • Destroy the remaining PHI that the Business Associate still maintains in any form;

    • Continue to use appropriate safeguards and comply with Subpart C of 45 CFR Part 164 with respect to electronic PHI to prevent use or disclosure of the PHI, other than as provided for in this Section, for as long as Business Associate retains the PHI;

    • Not use or disclose the PHI retained by Business Associate other than for the purposes for which such PHI was retained and subject to the same conditions set out at paragraphs 5 and 6 above under “Permitted Uses and Disclosures By Business Associate” which applied prior to termination; and

    • Destroy the PHI retained by Business Associate when it is no longer needed by Business Associate for its proper management and administration or to carry out its legal responsibilities.

  5.  Survival. The obligations of Business Associate under this Section shall survive the termination of this HIPAA Agreement.

F. Miscellaneous

  1. Entire Agreement.  This HIPAA Agreement, together with the Service Agreement, constitute the entire agreement between the parties, superseding any and all other agreements, either oral or in writing, between the parties hereto regarding the subject matter hereof, and contain all of the covenants and agreements between the parties with respect thereto.   Each party to this HIPAA Agreement acknowledges that no representations, inducements, promises, or agreements, orally or otherwise, regarding the subject matter hereof, have been made by any party or anyone acting on behalf of any party hereto, which are not embodied herein or in the Service Agreement.   All words used in this HIPAA Agreement shall be construed to be of such number and gender (including neuter) as the context requires or permits.

  2. Amendments; Modification. To the maximum extent permitted by applicable law, Business Associate may amend, modify and/or restate this HIPAA Agreement at any time and from time to time, as determined in its sole discretion, by posting such amendment or revised version of this HIPAA Agreement on the Caron Admin Services website or platform, or otherwise emailing Covered Entity a copy or notice of the same, and such will become effective and binding on Covered Entity as of the effective date stated therein.  Except as permitted in the prior sentence, any modification or waiver of any portion of this HIPAA Agreement will be effective only if it is in writing and signed by the party to be charged (not including email for purposes of this sentence).  Notwithstanding the foregoing sentence, while the parties are free to amend or modify this HIPAA Agreement, they may not agree to terms that violate, conflict with, expand or narrow Caron Admin Services rights and obligations under any agreements any party has with Caron Admin Services.

  3. Effective Waiver. The failure of either party to insist on strict compliance with any of the terms, covenants, or conditions of this HIPAA Agreement by the other party will not be deemed a waiver of that term, covenant, or condition, nor will any waiver or relinquishment of any right or power at any one time or times be deemed a waiver or relinquishment of that right or power for all or any other times.

  4. Governing Law; Mediation; Venue.  This HIPAA Agreement will be governed and construed in accordance with the federal laws of the United States of America and the laws of the State where the Business Associate operates Business Associate’s business, without giving effect to any choice of law provisions thereof. Any and all disputes arising from, or relating to, this HIPAA Agreement shall first be attempted to be resolved through good faith, non-binding mediation pursuant to the following terms: within ten (10) business days after notice of demand for mediation has been made by a party, the parties, or their counsel, shall in good faith discuss the issues involved, discuss a suitable mediator and mediation procedure, and agree on mediation rules particularly tailored to the matter in dispute, with a view to the dispute’s prompt, efficient, and just resolution, and the parties hereto shall conduct not less than four (4) hours of non-binding mediation on each such dispute, with such mediation to occur, unless otherwise required by applicable law, in the State where the Business Associate operates Business Associate’s business within such 10-business-day period. The parties shall timely invite, and permit, Caron Admin Services to participate in such mediation in an effort to help the parties hereto resolve their dispute. Unless otherwise required by applicable law, the mediator’s fees shall be borne equally by Covered Entity and Business Associate. Each of the parties hereto hereby expressly agrees that the mediation of any said dispute is an express precondition for proceeding with further legal action of each such dispute. 
After such mediation of any dispute, or in the case of a failure by any party to so mediate, any action on any dispute arising from, or relating to, this HIPAA Agreement, shall be brought, and shall be located, only in the State where the Business Associate operates Business Associate’s business, and the applicable state and federal courts located therein shall have exclusive jurisdiction over any such action between the parties and its enforcement. The parties hereto hereby consent to the exclusive jurisdiction of such courts, as applicable.

  5. Severability.  Whenever possible, each provision of this HIPAA Agreement shall be interpreted in such a manner as to be effective and valid under applicable law, but if any provision of this HIPAA Agreement shall be invalid or unenforceable in any jurisdiction, such provision shall be modified to achieve the objective of the parties to the fullest extent permitted and such invalidity or unenforceability shall not affect the validity or enforceability of the remainder of this HIPAA Agreement or the validity or enforceability of this HIPAA Agreement in any other jurisdiction.

  6. Notices.  Any notice required or permitted to be given hereunder shall be in writing and will be effective (a) three (3) business days after deposit in the U.S. Mail, certified, return receipt requested, postage prepaid, (b) one (1) business day after deposit with a reputable express next day courier providing written receipt of delivery, or (c) the business day immediately after receipt via email, in each case addressed to the parties as follows:

If to Covered Entity, to:

At the address or email previously provided to Business Associate by Covered Entity

If to Business Associate, to:

At the address or email previously provided to Covered Entity by Business Associate

Either party may change its mailing address or email address from time to time by giving notice thereof to the other party, such notice to be given as provided in this Section.

  7. Benefit. The terms and conditions of this HIPAA Agreement will inure to the benefit of, and be binding upon, Covered Entity and Business Associate, and each such party’s respective permitted successors and assigns.  Caron Admin Services will be deemed an intended third-party beneficiary of this HIPAA Agreement with authority to enforce all provisions of this HIPAA Agreement that benefit Caron Admin Services.  Other than as stated in this Section, nothing in this Agreement is intended to confer upon any other third party any rights, remedies, obligations, or liabilities.

  8. Counterparts/Facsimiles. This HIPAA Agreement may be executed in one or more counterparts; all of the counterparts shall constitute one and the same agreement; and a facsimile, email or other electronic signature shall be considered as an original.

  9. Authorization to Sign.  The individual agreeing to this HIPAA Agreement for Covered Entity (the “Individual”) represents, warrants and agrees that he or she has authority to bind Covered Entity to the terms and conditions contained in this HIPAA Agreement.  By agreeing to this HIPAA Agreement, the Individual is binding Covered Entity to this HIPAA Agreement, and is also agreeing to personally ensure and guarantee Covered Entity’s timely and complete performance of all provisions of this HIPAA Agreement.

  10. Electronic Signatures and Acceptance. By clicking to accept or otherwise agreeing to a platform user agreement, Business Associate, Covered Entity and the Individual acknowledge and agree to all of the terms and conditions of the foregoing HIPAA Agreement, and will be deemed to have accepted, agreed to and signed this HIPAA Agreement electronically, effective as set forth below, pursuant to the federal Electronic Signatures in Global and National Commerce Act, 15 U.S.C. Sec. 7001, et seq., and all applicable state statutes.  Doing so constitutes an acknowledgement that the Business Associate, Covered Entity and the Individual agree to conduct the transaction electronically, and are able to electronically receive, download and print this HIPAA Agreement and related agreements.  The effective date of this HIPAA Agreement between a Covered Entity and a Business Associate will be the date such Business Associate begins providing services for such Covered Entity, at which point this HIPAA Agreement will be the legally binding HIPAA Business Associate Agreement between each such Covered Entity and Business Associate.
