Skin Medicinals
Business Associate Agreement

This Business Associate Agreement (“Agreement”) by and between Skin Medicinals, LLC (“Business Associate”) and the undersigned physician or physician practice (“Covered Entity”) is entered into as of ___________ (“Effective Date”) for the purposes of complying with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), Public Law 104-191, as amended by the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”), Public Law 111-5, and the regulations promulgated thereunder, 45 C.F.R. Part 160 and Part 164, Subparts A, C, D and E. Subpart E, together with the definitions in Subpart A, is known as the “Standards for Privacy of Individually Identifiable Health Information” (the “Privacy Rule”); Subpart C, together with the definitions in Subpart A, is known as the “Security Standards for the Protection of Electronic Protected Health Information” (the “Security Rule”); and Subpart D, together with the definitions in Subpart A, is known as the “Breach Notification Rule.” The Privacy Rule, the Security Rule and the Breach Notification Rule are collectively called the “HIPAA Rules.” Business Associate and Covered Entity are collectively referred to as the “Parties.”
WHEREAS, the undersigned physician or physician practice is a “Covered Entity” as that term is defined under HIPAA, which requires Covered Entities and certain of their service providers to enter into confidentiality agreements;

WHEREAS, in connection with certain services agreement(s) between Covered Entity and Business Associate for Business Associate to provide services for and on behalf of Covered Entity (collectively, the “Services Agreement”), Business Associate may create on behalf of, or receive from, the Covered Entity or the Covered Entity’s other service providers protected health information (“PHI”); and

WHEREAS, upon creation or receipt of such PHI, Business Associate would be a “Business Associate” in relation to the Covered Entity, as that term is defined under HIPAA.

NOW, THEREFORE, in consideration of the premises and the mutual promises contained herein, Covered Entity and Business Associate hereby agree as follows:
1. Capitalized Terms. All capitalized terms herein not otherwise defined shall have the meaning ascribed to such terms under HIPAA, the HITECH Act and the HIPAA Rules, as may be amended from time to time.

2. Business Associate’s Responsibilities with Respect to Use and Disclosure of PHI. Business Associate hereby agrees, with regard to its Use and/or Disclosure of the PHI, to do the following:
  - to Use and/or Disclose the PHI only:
    - to perform functions, activities or services for, or on behalf of, Covered Entity, as specified in the Services Agreement;
    - for Business Associate’s proper management and administration or to carry out any present or future legal responsibilities, provided (1) the disclosure is Required by Law, or (2) Business Associate obtains reasonable assurances from the person to whom the PHI is disclosed (“Person”) that it will be held confidentially and will be used or further disclosed only as Required by Law or for the purpose for which it was disclosed to the Person, and that the Person agrees to immediately notify Business Associate in writing of any instances of which it becomes aware in which the confidentiality of the information has been breached or is suspected to have been breached;
    - to provide Data Aggregation services to Covered Entity as permitted by 45 C.F.R. § 164.504(e)(2)(i)(B);
    - to de-identify PHI in accordance with 45 C.F.R. § 164.514(b) and use de-identified information for any purpose;
    - to report violations of law to appropriate Federal and State authorities, consistent with 45 C.F.R. § 164.502(j)(1);
    - as otherwise permitted or required by this Agreement; or
    - as otherwise permitted or Required by Law.
  - to not use or disclose PHI other than as permitted or required by this Agreement, the Services Agreement, or as Required by Law;
  - to not use or disclose PHI in a manner that would violate the Privacy Rule if done by Covered Entity, unless expressly permitted to do so pursuant to the Privacy Rule;
  - consistent with the size and complexity of Business Associate’s operations, to use appropriate safeguards, and comply with the applicable provisions of the Security Rule with respect to the Electronic PHI that it creates, receives, maintains, or transmits on behalf of Covered Entity, to prevent the use or disclosure of PHI other than as provided by this Agreement or the Services Agreement;
  - to report to Covered Entity any material Use and/or Disclosure of PHI by Business Associate that is not permitted or required by this Agreement of which Business Associate becomes aware;
  - to report to Covered Entity any successful Security Incident of which Business Associate becomes aware. For purposes of this Agreement, an “unsuccessful” Security Incident is an unsuccessful attempt to breach the security of Business Associate’s systems that Business Associate determines was targeted at Business Associate’s systems storing Covered Entity’s Electronic PHI, and includes general “pinging” or “denial of service” attacks that are not determined to have been directed at such Electronic PHI; such unsuccessful Security Incidents shall be deemed as having been reported;
  - to report to Covered Entity any Breach of Unsecured PHI in accordance with 45 C.F.R. § 164.410;
  - to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of the requirements of HIPAA, this Agreement, or the Services Agreement;
  - to require all of Business Associate’s subcontractors utilized in providing the Services which Use and/or Disclose the PHI to agree, in writing, to adhere to equivalent restrictions and conditions on the Use and/or Disclosure of the PHI that apply to Business Associate pursuant to this Agreement and to comply with the applicable provisions of the Security Rule; and
  - to the extent Business Associate carries out an obligation for which Covered Entity is responsible under the Privacy Rule, to comply with the requirements of the Privacy Rule that apply to Covered Entity in the performance of such obligation.
3. Access Requests. Business Associate shall, upon Covered Entity’s written request, provide Covered Entity with access to PHI in the Designated Record Set so that Covered Entity can comply with 45 C.F.R. § 164.524.

4. Amendment Requests. Business Associate shall, upon Covered Entity’s written request, make any PHI contained in a Designated Record Set available to Covered Entity for purposes of amendment pursuant to 45 C.F.R. § 164.526.

5. Accounting of Disclosures. To the extent applicable, Business Associate shall track and keep a record of all Disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with the Privacy Rule at 45 C.F.R. § 164.528. Business Associate shall provide Covered Entity with such documentation upon the written request of Covered Entity.

6. Requests from Secretary of Health and Human Services. If Business Associate receives a request, made by or on behalf of the Secretary of the United States Department of Health and Human Services (the “Secretary”), requiring Business Associate to make its internal practices, books, and records relating to the Use and Disclosure of the PHI created or received by Business Associate on behalf of Covered Entity available to the Secretary for the purpose of determining Covered Entity’s and/or Business Associate’s compliance with HIPAA, then Business Associate shall make its internal practices, books and records available to the Secretary or the Secretary’s authorized representative.

7. Minimum Necessary. Covered Entity shall provide, and Business Associate shall request, Use and Disclose, only the minimum amount of PHI necessary to accomplish the purpose of the request, Use or Disclosure.

8. Responsibilities of Covered Entity. With regard to the Use and/or Disclosure of the PHI by Business Associate, Covered Entity hereby agrees:
  - that the Uses and Disclosures of the PHI by Business Associate pursuant to this Agreement are, at the time of execution, and throughout the term of this Agreement will be, consistent with the form of notice of privacy practices that Covered Entity provides to individuals pursuant to 45 C.F.R. § 164.520;
  - to notify Business Associate, in writing and in a timely manner, of any arrangements permitted or required of Covered Entity under the Privacy Rule that may impact in any manner the Use and/or Disclosure of the PHI by Business Associate under this Agreement, including, but not limited to, restrictions on Use and/or Disclosure of the PHI as provided for in 45 C.F.R. § 164.522 agreed to by Covered Entity, and to hold Business Associate harmless from the financial impact of any such agreement by Covered Entity;
  - to obtain any consent or authorization that may be required under HIPAA or state law prior to furnishing the PHI to Business Associate; and
  - not to request that Business Associate use or disclose PHI in any manner that would violate the Privacy Rule.

9. Term. The term of this Agreement shall commence as of the Effective Date, and shall automatically terminate (a) upon the later of (i) termination of the Services Agreement or (ii) discontinuation of Business Associate’s provision of services to Covered Entity involving the use, disclosure or receipt of Covered Entity’s PHI, and (b) when all of the PHI provided by Covered Entity to Business Associate, or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity or, if it is infeasible to return or destroy PHI, protections are extended to such information, in accordance with the provisions of Section 11.
10. Termination.
  - If either Party determines that the other Party has engaged in a pattern of activity that constitutes a material breach of the other Party’s obligations under this Agreement, the non-breaching Party shall notify the breaching Party, and the breaching Party shall have thirty (30) days from receipt of that notice to cure the breach or end the violation. If the breaching Party fails to take reasonable steps to effect such a cure within such time period, the non-breaching Party may terminate all or part of the service relationship. In no event shall such termination have any effect on sums due from Covered Entity for any services provided by Business Associate under the engagement.
  - Where either Party has knowledge of a material breach by the other Party, and cure is not possible, the non-breaching Party shall terminate the portion of the arrangement for Services affected by the breach.

11. Effect of Termination. Upon termination of this Agreement, Business Associate agrees, where feasible, to return or destroy the PHI which Business Associate still maintains in any form. Prior to doing so, Business Associate further agrees, to the extent feasible, to request the return or destruction of the PHI that is in the possession of its subcontractors or agents. If, in Business Associate’s opinion, it is not feasible for Business Associate or any subcontractors to return or destroy portions of the PHI, Business Associate shall, upon Covered Entity’s written request, inform Covered Entity as to the specific reasons that make such return or destruction infeasible. Business Associate shall limit any further use or disclosures to the purposes that make the return or destruction of those portions of the PHI infeasible and provide the protections described herein to that PHI.
12. Independent Contractors. Covered Entity and Business Associate shall be independent contractors, and nothing in this Agreement is intended nor shall be construed to create an agency, partnership, employer-employee, or joint venture relationship between them.

13. Third Party Beneficiaries. Nothing in this Agreement shall be construed to create any third party beneficiary rights in any person.

14. Counterparts. This Agreement may be executed in any number of counterparts, each of which shall be deemed an original. Facsimile copies thereof shall be deemed to be originals.

15. Informal Resolution. If any controversy, dispute or claim arises between the Parties with respect to this Agreement, the Parties shall make good faith efforts to resolve such matters informally.

16. Limitation on Liability. Neither Party shall be liable to the other Party for any incidental, consequential or punitive damages of any kind or nature, whether such liability is asserted on the basis of contract, tort (including negligence or strict liability), or otherwise, even if the other Party has been advised of the possibility of such loss or damages.

17. Notices. All notices, requests, approvals, demands and other communications required or permitted to be given under this Agreement shall be in writing and delivered either personally, by certified mail with postage prepaid and return receipt requested, or by overnight courier to the party to be notified. All communications will be deemed given when received.

18. Interpretation. The provisions of this Agreement shall prevail over any provisions in any other agreements between Business Associate and Covered Entity that may conflict with or appear inconsistent with any provision of this Agreement. This Agreement shall be interpreted as broadly as necessary to implement and comply with HIPAA and the HITECH Act. The Parties agree that any ambiguity in this Agreement shall be resolved in favor of a meaning that complies with and is consistent with HIPAA and the HITECH Act.

19. Entire Agreement; Amendment. This Agreement constitutes the entire agreement between the parties hereto relating to the subject matter hereof and supersedes any prior or contemporaneous verbal or written agreements, communications and representations relating to the subject matter hereof. This Agreement may be modified or amended only upon mutual written consent of the parties.

20. Governing Law. This Agreement shall be governed by and construed in accordance with the same internal laws that govern the Services Agreement.

21. Scope. This Agreement applies to all present and future agreements and relationships, whether written, oral or implied, between Covered Entity and Business Associate, pursuant to which Covered Entity provides PHI to Business Associate in any form or medium whatsoever. This Agreement shall automatically be incorporated into all subsequent agreements between Covered Entity and Business Associate involving access to or Use or Disclosure of PHI, whether or not expressly referenced therein. This Agreement shall not apply to the extent that the services provided by Business Associate relate to a function of Covered Entity that is not subject to HIPAA. For example, if Covered Entity is a hybrid entity under HIPAA and Business Associate provides services for the non-covered part of the Covered Entity, this Agreement shall not apply.

22. Survival. Sections 11, 16, 21 and 22 shall survive the termination of this Agreement.