This Level Employer Business Associate Agreement (the “Business Associate Agreement”) is entered into by Level Benefits, Inc., a Delaware corporation doing business as Level and Level Administrators (together with its affiliates, “Level”) and the organization agreeing to these terms (“Covered Entity”). This Business Associate Agreement governs the Use and Disclosure of Protected Health Information pursuant to the agreement between the parties (the “Underlying Agreement”) pursuant to which Level performs certain services (“Services”) on behalf of Covered Entity. The parties desire to enter into this Business Associate Agreement in order to comply with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and its implementing regulations, as amended and in effect.
Capitalized terms not otherwise defined in this Business Associate Agreement will have the same meaning as those terms in the Privacy Rule and the Security Rule.
“Breach” when capitalized, “Breach” will have the meaning set forth in 45 CFR § 164.402 (including all of its subsections); with respect to all other uses of the word “breach” in this Business Associate Agreement, the word will have its ordinary contract meaning.
“Electronic Protected Health Information” or “EPHI” will have the same meaning as the term “electronic protected health information” in 45 CFR § 160.103, limited to information that Level creates, accesses or receives on behalf of Covered Entity.
“Protected Health Information” or “PHI” will have the meaning set forth in the Privacy Rule, limited to information that Level creates, accesses or receives on behalf of Covered Entity. PHI includes EPHI.
“Privacy Rule” means the Standards for Privacy of Individually Identifiable Health Information, codified at 45 CFR parts 160 and 164, Subparts A, D, and E, as currently in effect.
“Security Rule” means the Standards for Security for the Protection of Electronic Protected Health Information, codified at 45 CFR parts 160 and 164, Subpart C.
“Unsecured Protected Health Information” will have the same meaning as the term “unsecured protected health information” in 45 CFR § 164.402, limited to the information created or received by Level from or on behalf of Covered Entity.
Uses and Disclosures. Level will not Use or further disclose PHI other than as permitted or required by this Business Associate Agreement, to perform Services under the Underlying Agreement or as Required By Law, provided that:
Uses and Disclosures Permitted By Law. As permitted by the Privacy Rule, Level may Use or Disclose PHI: (a) as is necessary for the proper management and administration of Level’s organization, (b) to provide data aggregation services relating to the services of the Covered Entity; and (c) to carry out the legal responsibilities of Level; provided, however, any permitted Disclosure of PHI to a third party must be either Required By Law or subject to reasonable assurances obtained by Level from the third party that PHI will be held confidentially, securely, and Used or Disclosed only as Required By Law or for the purposes for which it was disclosed to such third party, and any breaches of confidentiality of PHI which become known to such third party will be immediately reported to Level.
Privacy Rule. To the extent Level carries out one or more of Covered Entity’s obligations under the Privacy Rule, Level will comply with the requirements of HIPAA that apply to Covered Entity in the performance of such obligation(s).
Safeguards. Level will use appropriate and sufficient safeguards to prevent Use or Disclosure of PHI other than the Uses and Disclosures permitted or required by this Business Associate Agreement. Level will comply with the Security Rule with respect to EPHI, including implementing Administrative Safeguards, Physical Safeguards, and Technical Safeguards that reasonably and appropriately protect the Confidentiality, Integrity and Availability of EPHI.
Reporting. Level will report to Covered Entity any Use or Disclosure of PHI not permitted or required by this Business Associate Agreement and any successful Security Incident of which it becomes aware in accordance with HIPAA.
Agents and Subcontractors. Level will ensure that any and all subcontractors that create, receive, maintain or transmit PHI on behalf of Level agree, in writing prior to the subcontractors’ receipt of such PHI, to the same terms and conditions of this Business Associate Agreement with respect to PHI. Each subcontract agreement must contain the same restrictions and conditions applying to Level with respect to PHI, including without limitation the provisions of this Business Associate Agreement. Level will make such agreements with its subcontractors available to Covered Entity upon Covered Entity’s request. In the course of providing the Services, it may be necessary for Level to disclose PHI to other Business Associates of Covered Entity. Level shall have the right and authority to disclose such PHI to such Business Associates based on Covered Entity's representation that such other party is a Business Associate of Covered Entity.
Patient Right to Access. Level will make PHI in a Designated Records Set it maintains available to Covered Entity within ten (10) days or, as directed by Covered Entity, to the subject of the PHI, in compliance with the requirements of 45 C.F.R. §164.524. If any Individual requests access to his or her own PHI from Level, Level will, within two (2) business days, notify Covered Entity of the details of such request.
Patient Right to Amend. Level will incorporate amendment(s) to PHI in a Designated Records Set it maintains within ten (10) days of receipt of Covered Entity’s request and in compliance with 45 C.F.R. §164.526. If any Individual submits to Level a request to amend his or her own PHI, Level will, within two (2) business days, notify Covered Entity of the details of such request.
Patient Right to Request Accounting. Level will document and make available to Covered Entity the information required to provide an accounting of disclosures within ten (10) days of receipt of Covered Entity’s request or, as directed by Covered Entity, to the subject of the PHI, in compliance with the requirements of 45 C.F.R. §164.528. If any Individual requests an accounting from Level, Level will, within two (2) business days, notify Covered Entity of the details of such request.
Audit. Level will make its internal practices, books, and records relating to the Use and Disclosure of PHI received from, or created or received by Level on behalf of Covered Entity available to the Secretary of Health and Human Services, upon request, for purposes of determining and facilitating Covered Entity’s compliance with HIPAA.
Mitigation. Level will mitigate promptly, to the extent practicable, any harmful effect that is known to Level of a Use or Disclosure of PHI by Level in violation of this Business Associate Agreement, the Privacy Rule, the Security Rule, or other applicable federal or state law.
Breach. If Level has knowledge or a reasonable belief a Breach of Unsecured Protected Health Information has occurred, Level will notify the Covered Entity in accordance with the requirements of 45 CFR § 164.410. Such notification will include, to the extent possible, the identification of each Individual whose PHI has been or is reasonably believed to have been accessed, acquired, Used or Disclosed during the Breach, along with any other information that the Covered Entity will be required to include in its notification to the Individual, the media and/or the Secretary and a description of the Level’s investigation, mitigation, and prevention efforts.
Notice of Privacy Practices. Covered Entity will notify Level of limitation(s) in its notice of privacy practices, to the extent such limitation affects Level’s permitted Uses or Disclosures.
Individual Permission. Covered Entity will notify Level of changes in, or revocation of, permission by an Individual to Use or Disclose PHI, to the extent such changes affects Level’s permitted Uses or Disclosures.
Restrictions. Covered Entity will notify Level of restriction(s) in the Use or Disclosure of PHI that Covered Entity has agreed to, to the extent such restriction affects Level’s permitted Uses or Disclosures.
Term. The Term of this Business Associate Agreement will begin on the Effective Date, and will continue until all PHI provided by Covered Entity to Level is destroyed or returned to Covered Entity. If it is infeasible to return or destroy all PHI, this Business Associate Agreement will continue for so long as PHI is maintained by Level, which maintenance will be in accordance with Section 4.c. herein.
Return on Termination. At termination of this Business Associate Agreement or the Underlying Agreement, to the extent feasible, Level will return or destroy all PHI Level maintains in any form and will retain no copies of PHI. Notwithstanding anything herein to the contrary, if Level determines, in its reasonable discretion, the return or destruction of such PHI is not feasible, Level will extend the protections of this Business Associate Agreement to the remaining information and limit further Uses and Disclosures of PHI to those purposes that make the return or destruction of PHI infeasible.
Survival. The terms of this Section will survive the termination or expiration of this Business Associate Agreement.
Each party’s liability will be limited by the limitation on liability in the Underlying Agreement.
If Level is confronted with legal action to disclose any PHI, Level will, to the extent permitted, promptly notify Covered Entity of such action. Thereafter, upon request by Covered Entity, Level will use reasonable efforts to assist Covered Entity in obtaining a protective order or other similar order, and will disclose only the minimum amount of PHI that is required to be disclosed in order to comply with the legal action, whether or not a protective order or other order has been obtained.
The parties will comply with all applicable federal, state and local laws, rules and regulations.
Except as specifically required to implement the purposes of this Business Associate Agreement, and except to the extent inconsistent with this Business Associate Agreement, all terms of the Underlying Agreement will remain in full force and effect. In the event of a conflict between the terms of the Underlying Agreement and this Business Associate Agreement, this Business Associate Agreement will control. This Business Associate Agreement supersedes any and all other agreements between the parties related to this subject matter.
The parties may amend this Business Associate Agreement from time to time by mutual written agreement in order to keep this Business Associate Agreement consistent with any changes made to the HIPAA laws or regulations in effect as of the Effective Date and with any new regulations promulgated under HIPAA.
Last updated: December 14, 2021