Business Associate Addendum
Last Updated Date: November 18, 2019
“Agreement” means the Master Solutions Agreement and accompanying Order Form(s) entered into between Business Associate and Customer for the provision of Solutions, which Agreement(s) may be in the form of online terms of service.
This BAA will be effective as of the date Customer accepts the Agreement. Customer must have an existing Agreement in place for this BAA to be valid and effective. Together with the Agreement, this BAA will govern each party’s respective obligations relating to PHI.
The purpose of this BAA is to ensure the Parties satisfy the requirements of the final regulations issued by the U.S. Department of Health and Human Services (“DHHS”) pursuant to the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191 (“HIPAA”) and the Health Information Technology for Economic and Clinical Health Act, enacted as Title XIII, Subtitle D of the American Recovery and Reinvestment Act of 2009, and implementing Regulations and Guidance (“HITECH”), governing the Standards for Privacy of Individually Identifiable Health Information at 45 CFR part 160 and part 164, subparts A and E, as amended by HITECH (the “Privacy Rules”), and the security of electronic Protected Health Information collected, maintained, used, or transmitted by certain entities, including health care providers (the “Security Standards”). Business Associate and Covered Entity may be referred to individually herein as a “Party” and, collectively, the “Parties”.
WHEREAS, Business Associate and Covered Entity are Parties to the Agreement pursuant to which Business Associate provides Solutions to Covered Entity; and
WHEREAS, Covered Entity’s data, including Protected Health Information (“PHI”), may be used or disclosed to the Business Associate during Business Associate’s performance of the Solutions under the terms of the Agreement; and
WHEREAS, the purpose of this BAA is to satisfy the requirements of HIPAA, as may be amended from time to time;
NOW, THEREFORE, if Business Associate receives PHI from Covered Entity and is considered a “business associate” as that term is defined in HIPAA and regulations promulgated by DHHS to implement certain provisions of HIPAA, the Parties do hereby agree to the terms as set forth below as to such PHI.
All capitalized terms not otherwise defined herein have the meanings ascribed to them under HIPAA, the Privacy Rules and Security Standards, as amended by HITECH.
2. Obligations and Activities of Business Associate
(a) Business Associate agrees to not use or further disclose PHI other than as required by law, the Agreement, or as permitted or required by this BAA.
(b) Business Associate agrees to use appropriate safeguards and comply with Subpart C of 45 C.F.R. Part 164 with respect to electronic PHI, to prevent use or disclosure of the PHI other than as provided for by this BAA.
(c) Business Associate agrees to report to Covered Entity any use or disclosure of PHI not provided for by this BAA of which it becomes aware, including Breaches of Unsecured PHI as required at 45 C.F.R. § 164.410, and any Security Incident of which it becomes aware. The Parties agree this section constitutes notice by Business Associate to Covered Entity of the ongoing existence and occurrence of attempted but Unsuccessful Security Incidents (as defined below) for which no additional notice to Covered Entity shall be required. “Unsuccessful Security Incidents” shall include, but not be limited to, pings and other broadcast attacks on Business Associate’s firewall, port scans, unsuccessful log-on attempts, denials of service and any combination of the above, so long as no such incident results in unauthorized access, use or disclosure of PHI.
(d) In the event of a Breach of any Unsecured PHI that Business Associate accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds or uses on behalf of Covered Entity, Business Associate shall provide notice of such Breach to Covered Entity immediately, but in any event not more than 7 business days after the date on which it discovers the Breach or, by exercising reasonable diligence, would have discovered the Breach.
Notice of a Breach shall include, to the extent known to Business Associate: (i) the identification of each individual whose PHI has been, or is reasonably believed to have been, accessed, acquired, or disclosed during the Breach, (ii) the date of the Breach, if known, (iii) a description of the types of unsecured PHI that were involved in the Breach, (iv) the scope of the Breach, (v) a description of the Business Associate’s response to the Breach, and (vi) the steps Business Associate is taking to protect against any further breaches.
In the event of a Breach, Business Associate shall, in consultation with Covered Entity, mitigate, to the extent practicable, any harmful effect of such Breach that is known to Business Associate.
(e) Business Associate agrees to ensure that any agents and subcontractors that create, receive, maintain, or transmit PHI on behalf of Business Associate agree to substantially similar restrictions, conditions, and requirements that apply to Business Associate with respect to such information.
(f) Business Associate agrees to make its internal practices, books, and records available to the Secretary for purposes of determining compliance with the HIPAA Regulations.
(g) Business Associate agrees to maintain and make available to Covered Entity, within ten (10) business days following a written request, information necessary to permit Covered Entity to respond to a request by an individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528.
(h) If Business Associate maintains information in a Designated Record Set, it agrees to make available to Covered Entity, within ten (10) business days following a written request, PHI in such Designated Record Set, in order for Covered Entity to respond to individuals’ requests for access to information about them in accordance with 45 C.F.R. § 164.524. If Business Associate maintains, on behalf of Covered Entity, information in an electronic Designated Record Set, Business Associate shall provide such information in the electronic format to Covered Entity upon request, or, if directed by the Covered Entity, directly to a requesting individual.
(i) If Business Associate maintains information in a Designated Record Set, it agrees to make any amendments or corrections to PHI in such Designated Record Set within ten (10) business days following a written request by the Covered Entity in accordance with 45 C.F.R. § 164.526.
3. Permitted Uses and Disclosures by Business Associate
(a) Business Associate may use and disclose PHI as necessary to perform the Solutions set forth in the Agreement only if such use or disclosure is in compliance with each applicable requirement of Section 164.504(e) of the Privacy Rules, relating to business associate contracts.
(b) Business Associate may use or disclose PHI as required by law.
(c) Business Associate agrees to make uses and disclosures and requests for PHI consistent with Covered Entity’s minimum necessary policies and procedures.
(d) Business Associate may not use or disclose PHI in a manner that would violate Subpart E of 45 C.F.R. Part 164 if done by Covered Entity.
(e) Except as otherwise limited in this BAA, Business Associate may use or disclose PHI for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate, provided that disclosures are required by law, or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as required by law or for the purpose for which it was disclosed to the person, and the person notifies Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.
4. Obligations of Covered Entity
(a) Covered Entity shall provide Business Associate notice of any limitation(s) in the notice of privacy practices of Covered Entity in accordance with 45 C.F.R. § 164.520, to the extent that such limitation may affect Business Associate’s use or disclosure of PHI.
(b) Covered Entity shall notify Business Associate of any changes in, or revocation of, permission by an Individual to use or disclose PHI, to the extent that such changes may affect Business Associate’s uses and disclosures of PHI.
(c) Covered Entity shall notify Business Associate of any restriction to the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 C.F.R. § 164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of PHI.
(d) Covered Entity shall use appropriate administrative, technical and physical safeguards to prevent use or disclosure of PHI other than as provided for by this BAA.
5. Term and Termination
(a) Term. The Term of this BAA shall be effective as of the Effective Date and shall terminate when all of the PHI provided by Covered Entity to Business Associate, or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity, or, if it is infeasible to return or destroy PHI, protections are extended to such information, in accordance with the termination provisions in this Section.
(b) Termination for Cause. Business Associate authorizes termination of the Agreement by Covered Entity, if Covered Entity determines Business Associate has violated a material term of this BAA and Business Associate has not cured the breach or ended the violation within the time specified by Covered Entity. In the event that Business Associate becomes aware of a pattern of activity or a practice of Covered Entity that constitutes a material violation of the obligations of Covered Entity under this BAA, Business Associate will have the same termination rights and obligations specified as to Covered Entity in this Section 5.
(c) Effect of Termination. Upon termination of this BAA for any reason, Business Associate, with respect to PHI received from Covered Entity, or created, maintained, or received by Business Associate on behalf of Covered Entity, in unencrypted form, shall:
(i) Retain only that PHI which is necessary for Business Associate to continue its proper management and administration or to carry out its legal responsibilities or which it is not reasonably feasible for Business Associate to return or destroy.
(ii) Return to Covered Entity or destroy the remaining PHI that Business Associate still maintains in any form.
(iii) Continue to use appropriate safeguards and comply with Subpart C of 45 C.F.R. Part 164 with respect to electronic PHI to prevent use or disclosure of the PHI, other than as provided for in this Section, for as long as Business Associate retains the PHI.
(iv) Not use or disclose the PHI retained by Business Associate other than for the purposes for which such PHI was retained and subject to the same conditions set out at Section 2 of this BAA, which applied prior to termination.
(v) Return to Covered Entity or destroy the PHI retained by Business Associate when it is no longer needed by Business Associate for its proper management and administration or to carry out its legal responsibilities or when such return or destruction is reasonably feasible.
(a) Regulatory References. A reference in this BAA to a section in the HIPAA Regulations means the section as in effect or as amended, and for which compliance is required.
(b) Amendment. The Parties agree to take such action as is necessary to amend this BAA from time to time as is necessary for Business Associate and Covered Entity to comply with the requirements of the HIPAA Regulations and any other applicable law.
(c) Survival. The obligations of the Parties shall survive the termination of this BAA.
(d) Interpretation. Any ambiguity in this BAA shall be interpreted to permit compliance with the HIPAA Regulations and any other applicable law.
(e) Order of Precedence. In the event of possible conflict or inconsistency between documents, the conflict or inconsistency shall be resolved by giving precedence in the following order: 1) this BAA and 2) the Agreement.
(f) Governing Law. This BAA is subject to the “Governing Law” section in the Agreement. Except as expressly modified or amended under this BAA, the terms of the Agreement remain in full force and effect.