HIPAA Business Associate Agreement
The HIPAA Business Associate Agreement (“HIPAA BAA”) is a legal agreement made between you (“Covered Entity”, “you” or “your”) and Oto Analytics, Inc. and its affiliates (“Womply,” “Business Associate”, “we,” “our,” or “us”) for the purpose of implementing the requirements of HIPAA to support the parties’ compliance requirements under HIPAA.
The “Services Agreement” refers to the Womply Terms of Service entered into between you and Womply governing your use of Womply’s products and services (collectively, the “Services”). Together with the Services Agreement, this HIPAA BAA will govern each party’s respective obligations regarding PHI (defined below).
You represent and warrant that: (i) you have full legal authority to enter into this HIPAA BAA, (ii) you have read and understand this HIPAA BAA, and (iii) you agree to the terms of this HIPAA BAA.
- Business Associate has entered into the Services Agreement with Covered Entity to provide Services in connection with Covered Entity’s Health Care Operations.
- In connection with the Services, Business Associate may create, receive, maintain, or transmit Protected Health Information (“PHI”), including Electronic PHI.
- When disclosing, or arranging for the disclosure of, PHI to Business Associate, Covered Entity is obligated to meet the requirements of the administrative simplification section of the Health Insurance Portability and Accountability Act of 1996, its implementing regulations, and HITECH (as defined in Section 1.4) (collectively, “HIPAA”).
- Business Associate acknowledges that it is serving as a “business associate” (as defined under HIPAA) to Covered Entity when it performs the Services.
- The Parties hereto desire to enter into this HIPAA BAA to memorialize their obligations with respect to PHI in accordance with HIPAA and the Services Agreement.
Section 1.1. Effective Date. This HIPAA BAA is effective as of the effective date of the Services Agreement (the “Effective Date”). Any use or disclosure of PHI occurring prior to the Effective Date, if conducted in compliance with Section 2.1, was and is authorized by Covered Entity.
Section 1.2. Entire Agreement. This HIPAA BAA supplements, modifies, amends, or supersedes the Services Agreement between the Parties with respect to the use and/or disclosure in connection with the Services. All non-conflicting terms and conditions of this BA Agreement and the Services Agreement between the Parties remain in full force and effect.
Section 1.3. Amendment. Business Associate acknowledges and agrees that Subtitle D of the Health Information Technology for Economic Clinical Health Act and its implementing regulations (collectively, “HITECH”) impose new requirements on business associates with respect to privacy, security and breach notification applicable to business associates (collectively, the “HITECH BA Provisions”). The HITECH BA Provisions are hereby incorporated by reference into this HIPAA BAA as if set forth in this HIPAA BAA in their entirety. Notwithstanding anything to the contrary, each of the HITECH BA Provisions is effective on the later of (a) the Effective Date and (b) such subsequent compliance effective date as may be specified in HITECH.
Section 1.4. Definitions. Capitalized terms used herein without definition shall have the meanings assigned under HIPAA or the Services Agreement.
OBLIGATIONS OF THE PARTIES
Section 2.1. Use and Disclosure of Protected Health Information.
(a) Business Associate may use and disclose PHI as permitted under the Services Agreement (to the extent consistent with this HIPAA BAA and Laws) and this HIPAA BAA or as Required By Law but shall not otherwise use or disclose any PHI. Business Associate shall not, and shall assure that its directors, officers, employees, other agents and contractors do not, use or disclose PHI received from, or created or received on behalf of, Covered Entity in any manner that would constitute a violation of HIPAA if so used or disclosed by Covered Entity. To the extent Business Associate carries out any of Covered Entity’s obligations under HIPAA, Business Associate shall comply with the requirements of HIPAA that apply to Covered Entity in the performance of such obligations. Without limiting the generality of the foregoing, Business Associate may:
- (i) use PHI for Business Associate’s proper management and administration, including data analysis necessary to review, improve or validate a product, feature or service offered in connection with the Services Agreement, or to carry out Business Associate’s legal responsibilities;
- (ii) disclose PHI to a third party for Business Associate’s proper management and administration or to satisfy Business Associate’s legal responsibilities, provided that the disclosure is Required by Law or Business Associate makes the disclosure pursuant to a written confidentiality agreement under which the third party is required to (a) protect the confidentiality of the PHI, (b) only use or further disclose the PHI as Required by Law or for the purpose for which it was disclosed to the third party and (c) notify Business Associate of any acquisition, access, use, or disclosure of PHI in a manner not permitted by the confidentiality agreement;
- (iii) Business Associate may use PHI to provide Services that involve Data Aggregation services relating to the Health Care Operations of Covered Entity if required or permitted under the Services Agreement; and
- (iv) Business Associate may use PHI to create De-Identified Data. Business Associate may use and disclose De-Identified Data for any purpose permitted by applicable law.
(b) Covered Entity may only provide access to, disclose, reproduce, distribute, display or otherwise use PHI in a manner consistent with the terms of the Services Agreement and this HIPAA BAA.
Section 2.2. Safeguards Against Misuse of Information. Business Associate shall use reasonable and appropriate safeguards to prevent the use or disclosure of PHI. In addition, Business Associate shall implement Administrative Safeguards, Physical Safeguards and Technical Safeguards that reasonably and appropriately protect the Confidentiality, Integrity and Availability of Electronic PHI that Business Associate creates, receives, maintains or transmits on behalf of Covered Entity. Business Associate shall comply with Subpart C of 45 C.F.R. Part 164 with respect to Electronic PHI.
Section 2.3. Reporting of Unauthorized Disclosures, Breaches and Security Incidents.
(a) Business Associate shall after becoming aware of any acquisition, access, use or disclosure of PHI in violation of this HIPAA BAA by Business Associate, its employees, other agents or contractors or by a third party to which Business Associate disclosed PHI (each, an “Unauthorized Use or Disclosure”), report the acquisition, access, use or disclosure to Covered Entity without unreasonable delay.
(b) Business Associate shall without unreasonable delay report any Security Incident of which Business Associate becomes aware; provided, however, that the Parties acknowledge and agree that this Section 2.3 constitutes notice by Business Associate to Covered Entity of the ongoing existence and occurrence of Unsuccessful Security Incidents for which no additional notice to Covered Entity shall be required. “Unsuccessful Security Incidents” means, without limitation, pings and other broadcast attacks on Business Associate’s firewall, port scans, unsuccessful log-on attempts, denial of service attacks, and any combination of the above, so long as no such incident results in unauthorized access, use, disclosure, modification or destruction of Electronic PHI or intentional interference with system operations in an information system that contains Electronic PHI.
(c) Business Associate shall, after becoming aware of a Breach of Unsecured PHI, report such Breach to Covered Entity without unreasonable delay in accordance with 45 C.F.R. § 164.410.
Section 2.4. Subcontractors. Business Associate shall enter into a written agreement meeting the requirements of 45 C.F.R. §§ 164.504(e) and 164.314(a) with each Subcontractor of Business Associate (including, without limitation, a Subcontractor that is an agent under applicable law) that creates, receives, maintains or transmits PHI on behalf of the Business Associate. Business Associate shall ensure that the written agreement with each Subcontractor obligates the Subcontractor to comply with restrictions and conditions that are at least as restrictive as the restrictions and conditions that apply to Business Associate under this HIPAA BAA.
Section 2.5. Access to and/or Amendment of PHI. If Business Associate receives a request from an Individual to access or amend PHI, such request shall be forwarded to Covered Entity within ten (10) business days. To the extent that Business Associate maintains a Designated Record Set, Business Associate shall (i) make the PHI from such Designated Record Set available to Covered Entity, who may as it determines under its own discretion, provide such PHI to the requesting Individual, or (ii) incorporate any amendment made by Covered Entity to the PHI, if any, contained in Business Associate’s copy of such Designated Record Set, whichever is appropriate. Any denial of access or amendment to the PHI request shall be the responsibility of Covered Entity.
Section 2.6. Accounting of Disclosures and Tracking Time Periods. Within fifteen (15) business days of notice by Covered Entity to Business Associate that Covered Entity has received a request for an accounting of disclosures of PHI (other than disclosures to which an exception to the accounting requirement applies), Business Associate shall make available to Covered Entity such information as is in Business Associate’s possession and is required for Covered Entity to make the accounting required by 45 C.F.R. §164.528.
Section 2.7. Availability of Books and Records. Business Associate shall make its internal practices, books and records relating to the use and disclosure of PHI received from or created or received by Business Associate on behalf of Covered Entity available to the Secretary for purposes of determining Covered Entity’s compliance with HIPAA.
Section 2.8. Mitigation. Business Associate shall take reasonable steps to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of this HIPAA BAA or the Services Agreement.
Section 2.9. Minimum Necessary Standard. Both Parties shall only request, use or disclose the Minimum Necessary amount of PHI necessary to accomplish the purpose for which the PHI is sought. To the extent practicable, the Parties shall limit a request, use or disclosure of PHI to a Limited Data Set.
Section 2.10. Restrictions; Limitations in Notice of Privacy Practices. Upon notification by Covered Entity of any reasonable limitation included in Covered Entity’s notice of privacy practices, Business Associate shall comply with such limitation to the extent it may affect Business Associate’s use or disclosure of PHI.
Section 3.1. Term. This HIPAA BAA shall become effective on the Effective Date and shall remain effective until terminated as provided herein.
Section 3.2. Termination Upon Termination of the Services Agreement. Upon the expiration or any earlier termination of the Services Agreement, this HIPAA BAA also shall terminate.
Section 3.3. Termination Upon Breach of Provisions Applicable to Protected Health Information. Any other provision of the Services Agreement notwithstanding, the HIPAA BAA may be terminated by either Party (the “Non-Breaching Party”) upon thirty (30) calendar days’ written notice to the other Party (the “Breaching Party”) if the Breaching Party breaches any material provision contained in this HIPAA BAA and such breach is not cured to the reasonable satisfaction of the Non-Breaching Party within such thirty (30) calendar day period.
Section 3.4. Effect of Termination. Upon termination of this HIPAA BAA, Business Associate shall return or destroy all PHI received from, or created or received on behalf of, Covered Entity which Business Associate still maintains in any form. Business Associate shall not retain any copies of such PHI; provided, however, that Business Associate may maintain De-Identified Data post-termination. Notwithstanding the foregoing, to the extent that Business Associate reasonably determines that it is not feasible to return or destroy such PHI, the terms and provisions of this HIPAA BAA shall survive expiration or termination of this HIPAA BAA and such PHI shall be used or disclosed solely for such purpose or purposes which prevented the return or destruction of such PHI. Upon expiration or termination of this HIPAA BAA, the Services Agreement will terminate on the same day.
Section 4.1. No Third-Party Beneficiaries. Nothing express or implied in this HIPAA BAA is intended to confer, nor shall anything herein confer, upon any person other than Business Associate, Covered Entity and their permitted successors or assigns, any rights, remedies, obligations or liabilities whatsoever.
Section 4.2. Independent Contractor Status. The Parties acknowledge and agree that Business Associate is at all times acting as an independent contractor of Covered Entity and not as an agent or employee of Covered Entity under this HIPAA BAA.
Section 4.3. Construction. This HIPAA BAA shall be construed as broadly as necessary to implement and comply with HIPAA. Any ambiguity in this HIPAA BAA shall be resolved in favor of a meaning that complies with HIPAA.
Section 4.4. Notices. All notices required to be given to either Party under this HIPAA BAA will be in writing and either personally delivered or sent via confirmed facsimile, recognized express delivery courier or certified or registered mail, postage prepaid and return receipt requested, or at such other address as such Party may from time to time designate in a notice to the other Party. All notices, requests, consents and other communications hereunder shall be in English and shall be deemed to have been received (a) if by hand, at the time of the delivery thereof to the receiving Party at the address of such Party set forth above, (b) if made by email or facsimile transmission, at the time that receipt thereof has been acknowledged by written confirmation or otherwise, (c) if sent by overnight courier, on the next business day following the day such notice is delivered to the courier service, or (d) if sent by registered or certified mail, on the fifth (5th) business day following the day such mailing is made.