Business Associate Addendum
Effective Date: August 29, 2024
1. Definitions.
Capitalized terms used, but not otherwise defined, in this BAA or the Agreement shall have the same meaning as is set forth in 45 C.F.R. Parts 160 and 164, where applicable.
1.1 “Electronic Protected Health Information” or “ePHI” shall have the same meaning given to such term in 45 C.F.R. § 160.103, limited to the information created, received, maintained or transmitted by or on behalf of Customer.
1.2 “Individual” shall have the same meaning as the term “individual” in 45 C.F.R. § 160.103 and shall include a person who qualifies as a personal representative in accordance with 45 C.F.R. § 164.502(g).
1.3 “Protected Health Information” or “PHI” shall have the same meaning given to such term in 45 C.F.R. § 160.103, limited to the protected health information created or received by or on behalf of Customer that is a Covered Entity or business associate (as defined under HIPAA). For avoidance of doubt, PHI shall include ePHI.
1.4 “Unsecured Protected Health Information” shall mean PHI that is not secured through the use of a technology or methodology specified by the Secretary in regulations or as otherwise defined in 45 C.F.R. § 164.402.
1.5 The terms “use,” “disclose” and “discovery,” or derivations thereof, although not capitalized, shall also have the same meanings set forth in HIPAA.
2. Obligations and Activities of Business Associate
2.1 Business Associate shall Use and Disclose PHI only as permitted or required by this Agreement, the Underlying Agreement, or as Required By Law.
2.2 Business Associate shall use appropriate safeguards to prevent the Use or Disclosure of PHI other than as contemplated by the Underlying Agreement and this Agreement. Business Associate shall implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of electronic PHI that it creates, receives, maintains or transmits on behalf of Customer, and shall comply with Subpart C of 45 C.F.R. Part 164 with respect to electronic PHI.
2.3 Except to the extent prevented by law enforcement, Business Associate shall notify the Customer in writing of any Security Incident or access, acquisition, Use or Disclosure that is not provided for by this Agreement without unreasonable delay and within ten days of Business Associate’s discovery of the Security Incident or non-permitted access, acquisition, Use or Disclosure. The Parties acknowledge and agree that this Section 2.3 constitutes notice by Business Associate to Customer of the ongoing existence and occurrence of attempted but unsuccessful Security Incidents for which no additional notice to Customer shall be required. Unsuccessful Security Incidents shall include, but not be limited to, pings and other broadcast attacks on Business Associate’s firewall, port scans, unsuccessful log-on attempts, denials of service and any combination of the above, so long as such incidents do not result, to the extent Business Associate is aware, in unauthorized access, use or disclosure of Electronic Protected Health Information.
2.4 Business Associate shall require each agent and subcontractor that creates, maintains, receives, or transmits PHI on behalf of Business Associate to execute a Business Associate Agreement that imposes on such agents and subcontractors the same restrictions, conditions, and requirements that apply through this Agreement to Business Associate with respect to such information.
2.5 Each party acknowledges that the Business Associate does not create or maintain any Designated Record Set and Business Associate shall not be required to retain any PHI in a Designated Record Set. Business Associate shall provide Customer with information reasonably necessary to satisfy Customer’s obligations under 45 C.F.R. § 164.524 to provide PHI: (a) pursuant to an Individual’s right to obtain a copy of his or her PHI under 45 C.F.R. § 164.524(a); (b) that may be related to an Individual’s right to amend his or her PHI under 45 C.F.R. § 164.526; and (c) that may be required to provide an accounting of disclosures pursuant to 45 C.F.R. § 164.528. If any Individual requests an accounting directly from Business Associate or inquires about his or her right to an accounting, to the extent Business Associate is able to associate such request with Customer, Business Associate shall forward such request to Customer. Business Associate shall also, as directed by Customer, incorporate any amendments to PHI into copies of such PHI maintained by Business Associate.
2.6 Business Associate agrees to make its internal practices, books, and records available to the Secretary as necessary for the purposes of the Secretary determining Customer’s or Customer’s clients’ compliance with the Privacy Rule. Except to the extent prohibited by law or prevented by the Secretary, Business Associate shall notify Customer of any such request served upon Business Associate for information or documentation by or on behalf of the Secretary.
3. Permitted Uses and Disclosures by Business Associate
3.1 Business Associate agrees to Use and Disclose PHI only for the purpose of performing Business Associate’s obligations under the applicable Underlying Agreement and as permitted by this Agreement or as Required by Law.
3.2 Business Associate may not Use or Disclose PHI in a manner that would violate the Privacy Rule, except that Business Associate may Use or Disclose PHI: (i) for the proper management and administration of Business Associate; (ii) to carry out the legal responsibilities of Business Associate, provided that with respect to any Disclosure by the Business Associate for such purposes, either: (a) the Disclosure is Required by Law or (b) Business Associate obtains a written agreement from the person to whom the PHI is to be Disclosed that such person shall hold the PHI in confidence and shall not Use and further Disclose such PHI except as Required by Law or for the purpose(s) for which it was Disclosed by Business Associate to such person, and that such person shall notify Business Associate of any instances of which it is aware in which the confidentiality of the PHI has been breached.
3.3 Business Associate shall limit its Use, Disclosure or request for PHI to the Limited Data Set or, if needed, to the minimum necessary to accomplish the intended Use, Disclosure or request, in accordance with 45 C.F.R. § 164.502(b)(1) or any other guidance issued thereunder.
3.4 Business Associate may use PHI in its possession to provide Data Aggregation services relating to the Health Care Operations of Customer.
3.5 Business Associate is authorized to use PHI to de-identify the PHI in accordance with 45 C.F.R. 164.502(d) and 164.514(a)-(c). For the avoidance of doubt, such de-identified data will no longer be considered PHI.
3.6 Business Associate agrees that it shall not, directly or indirectly, receive remuneration in exchange for any PHI, consistent with 42 U.S.C. § 17935(d)(2) and 45 C.F.R. § 164.502(a)(5)(ii), except with the prior written consent of the individual in accordance with 45 C.F.R. § 164.508(a)(4).
4. Obligations of Customer:
Customer covenants and agrees that it shall:
4.1 Notify Business Associate of any limitation(s) in the notice of privacy practices of Customer under 45 C.F.R. § 164.520, to the extent that such limitation may affect Business Associate’s use or disclosure of PHI.
4.2 Notify Business Associate of any changes in, or revocation of, the permission by an Individual to use or disclose his or her PHI, to the extent that such changes may affect Business Associate’s use or disclosure of PHI.
4.3 Notify Business Associate of any restriction on the use or disclosure of PHI that Customer has agreed to or is required to abide by under 45 C.F.R. § 164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of PHI.
4.4 Except with respect to uses and disclosures by Business Associate of PHI under Sections 3(e), 3(f) and 3(g), above, Customer shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under Subpart E of 45 C.F.R. Part 164 if done by Customer.
5. Term & Termination
5.1 Term. This BAA shall become effective as of the date of execution of the Underlying Agreement by Business Associate and Customer and shall terminate as of the termination date of the Underlying Agreement or on the date described in Section 5.2, whichever is sooner.
5.2 Termination. Either party may terminate the Underlying Agreement if the other party breaches in any material respect any term or condition of this BAA and fails to cure such breach within 30 days of receiving written notice from the non-breaching party specifying the breach in detail or, if such a breach is incurable, immediately upon written notice.
5.3 Effect of Termination. Upon termination of this Agreement, Business Associate shall either return or destroy, at its election, all PHI received from, or created or received by the Business Associate on behalf of the Customer that the Business Associate still maintains in any form; provided however that Customer acknowledges that Business Associate may be required to retain portions of PHI to meet its legal obligations or to comply with applicable law. If Business Associate is required to retain portions of PHI for any reason, or if such return or destruction is infeasible for any reason, Business Associate shall (a) retain only that PHI which is necessary for Business Associate to continue its proper management and administration or to carry out its legal responsibilities; (b) continue to extend the protections of this Agreement to the PHI for as long as Business Associate retains the PHI; (c) limit any further Uses and Disclosures of such PHI to those purposes that make the return or destruction of the information infeasible and subject to the same conditions set out in Section 3 above, which applied prior to termination; and (d) return to Customer or destroy the PHI retained by Business Associate when it is no longer needed by Business Associate for its proper management and administration or to carry out its legal responsibilities.
6. Miscellaneous
6.1 Regulatory References. A reference in this Agreement to a section in the Privacy, Breach Notification, or Security Rules means the section as in effect or as amended, and for which compliance is required.
6.2 Amendment. The Parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for the Parties to comply with the requirements of HIPAA.
6.3 Interpretation. Any ambiguity in this Agreement shall be resolved in favor of a meaning that permits Business Associate to comply with HIPAA.
6.4 Conflicts. In the event that any terms of this Agreement conflict with any terms of the Underlying Agreement, the terms of this Agreement shall govern and control, except to the extent that the Underlying Agreement imposes more stringent requirements related to the use and protection of PHI upon Business Associate or the Underlying Agreements specify additional permitted uses of PHI.
6.5 Survival. The respective rights and obligations of Business Associate shall survive the termination of this Agreement as long as Business Associate and its subcontractors or agents are in possession of any PHI.
6.6 Assignment. This Agreement will be binding on the successors and assigns of Customer and Business Associate. However, this Agreement may not be assigned by either Party except to the extent the Underlying Agreement is capable of assignment.
6.7 No Third-Party Beneficiaries. Nothing express or implied in this Agreement is intended to confer, nor shall anything herein confer, upon any person other than the Parties and their respective successors or assigns, any rights, remedies, obligations, or liabilities whatsoever.
6.8 Notices. Any notice, consent, request or other communication required or permitted under this Agreement shall be delivered in the manner as set forth in the Underlying Agreement.
6.9 Governing Law, Venue, and Disputes. The governing law, venue, and dispute resolution provisions in the Underlying Agreement shall apply to this Agreement.