This HIPAA Business Associate Agreement (this “BAA”) defines the rights and responsibilities of DataMotion, Inc. (“Business Associate”) and “Customer” with respect to protected health information (“PHI”) and electronic PHI (“EPHI”) in compliance with the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), Public Law 104-191, and the federal HIPAA privacy, security, and transactions and code set regulations promulgated pursuant thereto and codified at 45 C.F.R. parts 160 and 164 (the “Privacy Rule,” “Security Rule,” and “Transactions Rule”), and the Health Information Technology for Economic and Clinical Health Act provisions of the American Recovery and Reinvestment Act of 2009 and its implementing regulations (“HITECH Act”), and the Omnibus Rule, all as may be amended from time to time (collectively referred to herein as the “HIPAA Regulations”).
This BAA is intended to ensure that Business Associate and Customer will establish and implement appropriate safeguards where Business Associate may receive, maintain, use or disclose PHI or EPHI in connection with the functions, activities and services that Business Associate performs on behalf of Customer solely to perform its duties and responsibilities under the Underlying Agreement.
1. Applicability. This BAA applies only:
1.1. In the event and to the extent Business Associate meets, with respect to Customer, the definition of a Business Associate set forth at 45 C.F.R. §160.103, or applicable successor provisions.
1.2. To Services that Customer purchases directly from Business Associate and only to the extent that Customer selects “PHI Account” in the Master Service Agreement, Terms and Conditions, located at https://www.datamotion.com/master-service-agreement-terms-and-conditions/ (the “Underlying Agreement”) between the parties, which will incorporate the terms of this BAA into that Underlying Agreement.
1.3. Where Customer uses the Services to store or transmit any PHI as defined below.
2. Definitions. Capitalized terms used in this BAA and not otherwise defined herein shall have the meanings set forth in the HIPAA Regulations, which definitions are incorporated in this BAA by reference.
2.1. “Business Associate” shall mean “business associate” as defined in 45 C.F.R. § 160.103.
2.2. “Electronic Protected Health Information” or “EPHI” shall mean “electronic protected health information” as defined in 45 C.F.R. § 160.103, limited to the information received by Business Associate from or on behalf of Customer, in connection with the Underlying Agreement.
2.3. “Individual” shall have the same meaning as the term “individual” in 45 C.F.R. § 160.103 and shall include a person who qualifies as a personal representative in accordance with 45 C.F.R. § 164.502(g).
2.4. “Protected Health Information” or “PHI” shall have the same meaning as the term “protected health information” as defined in 45 C.F.R. § 160.103, limited to the information received by Business Associate from or on behalf of Customer, in connection with the Underlying Agreement. For purposes of this BAA, references to the term PHI shall also include EPHI.
2.5. “Required By Law” shall have the same meaning as the term “required by law” in 45 C.F.R. § 164.103.
3. Permitted Uses and Disclosures
3.1. Uses and Disclosures of PHI. Except as otherwise limited in this BAA, Business Associate may use or disclose PHI to perform functions, activities, or services for, or on behalf of, Customer as specified in the Underlying Agreement, this BAA, or as may be Required By Law; provided, however, Business Associate may not use or further disclose PHI in a manner that would not be permissible if done by Customer.
3.2. Permitted Uses of PHI by Business Associate. Except as otherwise limited in this BAA, Business Associate may use PHI for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate.
3.3. Permitted Disclosures of PHI by Business Associate. Except as otherwise limited in this BAA, Business Associate may disclose PHI for the proper management and administration of Business Associate, or to carry out the legal responsibilities of Business Associate if (i) the disclosures are Required by Law; or (ii) Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and will be used or further disclosed only as Required by Law or for the purpose for which it was disclosed to the person, and that the person agrees to notify Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached. Business Associate may use and disclose PHI to report violations of law to appropriate federal and state authorities, consistent with 45 C.F.R. § 164.502(j)(1).
4. Obligations of Business Associate
4.1. Subcontractors and Agents. Business Associate will ensure that any agents, subcontractors and representatives that create, receive, maintain, or transmit PHI on behalf of Business Associate agree to restrictions and conditions that are substantially the same as those found in this BAA, and agree to implement reasonable and appropriate safeguards to protect PHI. If Business Associate uses its affiliates to provide any of the Services, Business Associate is not required to obtain written assurances from such affiliates or its employees.
4.2. Information Safeguards. Business Associate will use reasonable and appropriate safeguards to prevent Use or Disclosure of PHI other than as provided for by this BAA. When Business Associate has possession of PHI, is accessing PHI, or is transmitting EPHI, it shall have in place Administrative, Physical and Technical Safeguards that reasonably and appropriately (i) protect the confidentiality, integrity and availability of EPHI that it receives, maintains or transmits on behalf of Customer, in accordance with the HIPAA Security Rule and (ii) prevent the use or disclosure of Customer’s PHI other than as provided for in the Underlying Agreement, this BAA, or as Required by Law. Business Associate also shall comply with any applicable State data security laws and regulations.
4.3. Reporting. For all reporting obligations under this BAA, the parties acknowledge that, because Business Associate does not know the details of PHI contained in any Services, there will be no obligation on Business Associate to provide information about the identities of the Individuals who may have been affected, or a description of the type of information that may have been subject to a Security Incident, Impermissible Use or Disclosure, or Breach of Unsecured PHI. Business Associate will ensure Customer access to audit logging to assist Customer in addressing Customer’s obligations for reporting under the HIPAA Regulations. Customer acknowledges that Business Associate is under no obligation to provide additional support for Customer’s reporting obligations but may choose to provide such additional services at its sole discretion or at Customer’s expense.
4.4. Reporting of Impermissible Uses and Disclosures. Business Associate will report to Customer within thirty (30) calendar days of discovery of any Use or Disclosure of PHI not permitted or required by this BAA of which Business Associate becomes aware.
4.5. Reporting of Security Incidents. Business Associate will report to Customer within ten (10) calendar days of discovery of any Security Incidents involving PHI of which Business Associate becomes aware in which there is a successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an Information System in a manner that risks the confidentiality, integrity, or availability of such information. Customer and Business Associate agree that this provision constitutes notice to Customer of the ongoing existence and occurrence of attempted but Unsuccessful Security Incidents (as defined herein), whether occurring now or in the future for which no additional notice to Customer shall be required. “Unsuccessful Security Incidents” shall include, but not be limited to, pings and other broadcast attacks on Business Associate’s firewall, port scans, unsuccessful log-on attempts, denials of service, interception of encrypted information where the key is not compromised, or any combination of the above, so long as no such incident results in unauthorized access, use or disclosure of Customer’s EPHI.
4.6. Reporting of Breaches. Business Associate will report to Customer any Breach of Customer’s Unsecured PHI that Business Associate may discover to the extent required by 45 C.F.R. § 164.410. Business Associate will make such report without unreasonable delay, and in no case later than sixty (60) calendar days after discovery of such Breach.
4.7. Access to PHI. If Business Associate has PHI contained in a Designated Record Set, it agrees to make such information available to Customer pursuant to 45 C.F.R. § 164.524 within fifteen (15) business days of Business Associate’s receipt of a written request from Customer; provided, however, that Business Associate is not required to provide such access where the PHI contained in a Designated Record Set is duplicative of the PHI contained in a Designated Record Set possessed by Customer. If an Individual makes a request for access pursuant to 45 C.F.R. § 164.524 directly to Business Associate, or inquires about his or her right to access, Business Associate shall direct the Individual to Customer.
4.8. Amendment of PHI. If Business Associate has PHI contained in a Designated Record Set, it agrees to make such information available to Customer for amendment pursuant to 45 C.F.R. § 164.526 within fifteen (15) business days of Business Associate’s receipt of a written request from Customer. If an Individual submits a written request for amendment pursuant to 45 C.F.R. § 164.526 directly to Business Associate, or inquires about his or her right to amendment, Business Associate shall direct the Individual to Customer.
4.9. Accounting of Disclosures. Customer acknowledges that Business Associate is not required by this BAA to make disclosures of PHI to Individuals or any person other than Customer, and that Customer does not, therefore, expect Business Associate to maintain documentation of such disclosures as described in 45 C.F.R. § 164.528. In the event that Business Associate does make such a disclosure, it shall document the disclosure as would be required for Customer to respond to a request by an Individual for an accounting of disclosures in accordance with 45 C.F.R. § 164.528, and shall provide such documentation to Customer within fifteen (15) business days of Customer’s request. If an Individual makes a request for an accounting directly to Business Associate, or inquires about his or her right to an accounting, Business Associate shall direct the Individual to Customer.
4.10. Individual Rights. As between Customer and Business Associate, Customer, not Business Associate, is responsible for responding to requests for access to or amendment of PHI from Individuals pursuant to the HIPAA Privacy Rule, including, but not limited to, 45 C.F.R. §§ 164.524, 164.526, and 164.528, as the same may be amended from time to time.
4.11. Compliance Audits. Business Associate shall make its internal practices, books and records relating to the use and disclosure of PHI available to the Secretary of the U.S. Department of Health and Human Services, in a time and manner designated by the Secretary, for purposes of the Secretary determining Customer’s compliance with HIPAA.
4.12. Mitigation. To the extent practicable, Business Associate will cooperate with Customer’s efforts to mitigate a harmful effect that is known to Business Associate of a use or disclosure of PHI that is not permitted by this BAA.
5. Customer’s Obligations
5.1. Appropriate Use of PHI Accounts. Customer is responsible for implementing appropriate privacy and security safeguards in order to protect PHI in compliance with the HIPAA Regulations and this BAA. Without limitation, Customer shall: (i) not include unsecured PHI in any Services that are not or cannot be HIPAA compliant, (ii) utilize the highest level of audit logging in connection with its use of all Customer applications in the Services, and (iii) maintain the maximum retention of logs in connection with its use of all Services.
5.2. Consent, Authorization, and Permission. Customer shall obtain and maintain such consents, authorizations and/or permissions, if any, as may be necessary or required under the HIPAA Regulations, or other local, state or federal laws or regulations prior to using the Services in connection with Customer content, including without limitation PHI.
5.3. Restrictions on Disclosures. Customer shall not agree to any restriction requests or place any restrictions in any notice of privacy practices that would cause Business Associate to violate this BAA or any applicable law.
5.4. Compliance with HIPAA Regulations. Customer shall not request or cause Business Associate to make a Use or Disclosure of PHI in a manner that does not comply with the HIPAA Regulations or this BAA.
6. Term and Termination
6.1. Term. The term of this BAA will commence on the Underlying Agreement Effective Date and will remain in effect until the earlier of the termination of the Underlying Agreement or notification by Customer that an account is no longer subject to this BAA.
6.2. Effect of Termination. At termination of this BAA, Business Associate, if feasible, will return or destroy all PHI that Business Associate still maintains, if any. If return or destruction is not feasible, Business Associate will extend the protections of this BAA to the PHI, limit further uses and disclosures to those purposes that make the return of the PHI infeasible, and not make any further uses or disclosures of the PHI.
7.1. No Agency Relationship. As set forth in the Underlying Agreement, nothing in this BAA is intended to make either party an agent of the other. Nothing in this BAA is intended to confer upon Customer the right or authority to control Business Associate’s conduct in the course of Business Associate complying with the Underlying Agreement and/or the BAA.
7.2. Entire Agreement; Conflict. Except as amended by this BAA, the Underlying Agreement will remain in full force and effect. This BAA, together with the Underlying Agreement as amended by this BAA: (a) is intended by the parties as a final, complete, and exclusive expression of the terms of their agreement; and (b) supersedes all prior agreements and understandings (whether oral or written) between the parties with respect to the subject matter hereof. If there is any conflict between a provision of this BAA and a provision in the Underlying Agreement, this BAA will control.
7.3. Survival. Customer and Business Associate’s respective rights and obligations under this BAA shall survive the termination of the Underlying Agreement.
7.4. No Third-Party Beneficiaries. Nothing express or implied in this BAA is intended to confer, nor shall anything herein confer, upon any person other than Business Associate and Customer, and their respective successors and assigns, any rights, remedies, obligations, or liabilities whatsoever.
Copyright ©2020 DataMotion, Inc. All rights reserved.