DATAMOTION, INC.

Business Associate Agreement

Contractor

This HIPAA Business Associate Agreement (this “BAA”) defines the rights and responsibilities of DataMotion, Inc. (“Contractor”) and “Customer” (“Business Associate”) with respect to protected health information (“PHI”) and electronic PHI (“EPHI”) in compliance with the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), Public Law 104-191, and the federal HIPAA privacy, security, and transactions and code set regulations promulgated pursuant thereto and codified at 45 C.F.R. parts 160 and 164, (the “Privacy Rule,” “Security Rule,” and “Transactions Rule”) and the Health Information Technology for Economic and Clinical Health Act provisions of the American Recovery and Reinvestment Act of 2009 and its implementing regulations, (“HITECH Act”), and the Omnibus Rule, all as may be amended from time to time, (collectively referred to herein as the “HIPAA Regulations”).

This BAA is intended to ensure that Contractor and Business Associate will establish and implement appropriate safeguards where Contractor may receive, maintain, use or disclose PHI or EPHI in connection with the functions, activities and services that Contractor performs on behalf of Business Associate solely to perform its duties and responsibilities under the Underlying Agreement.

1. Applicability. This BAA applies only:

1.1. In the event and to the extent Contractor meets, with respect to Business Associate, the definition of a business associate set forth at 45 C.F.R. § 160.103, or applicable successor provisions.

1.2. To Services that Business Associate purchases directly from Contractor and only to the extent that Business Associate selects “PHI Account” in the Master Service Agreement, Terms and Conditions, located at https://datamotion.com/master-service-agreement-terms-and-conditions/ (the “Underlying Agreement”) between the parties, which will incorporate the terms of this BAA into that Underlying Agreement.

1.3. Where Business Associate uses the Services to store or transmit any PHI as defined below.

2. Definitions. Capitalized terms used in this BAA and not otherwise defined herein shall have the meanings set forth in the HIPAA Regulations, which definitions are incorporated in this BAA by reference.

2.1. “Business Associate” shall mean “business associate” as defined in 45 C.F.R. § 160.103.

2.2. “Electronic Protected Health Information” or “EPHI” shall mean “electronic protected health information” as defined in 45 C.F.R. § 160.103, limited to the information received by Contractor from or on behalf of Business Associate, in connection with the Underlying Agreement.

2.3. “Individual” shall have the same meaning as the term “individual” in 45 C.F.R. § 160.103 and shall include a person who qualifies as a personal representative in accordance with 45 C.F.R. § 164.502(g).

2.4. “Protected Health Information” or “PHI” shall have the same meaning as the term “protected health information” as defined in 45 C.F.R. § 160.103, limited to the information received by Contractor from or on behalf of Business Associate, in connection with the Underlying Agreement. For purposes of this BAA, references to the term PHI shall also include EPHI.

2.5. “Required By Law” shall have the same meaning as the term “required by law” in 45 C.F.R. § 164.103.

3. Permitted Uses and Disclosures

3.1. Uses and Disclosures of PHI. Except as otherwise limited in this BAA, Contractor may use or disclose PHI to perform functions, activities, or services for, or on behalf of, Business Associate as specified in the Underlying Agreement, this BAA, or as may be Required By Law; provided, however, Contractor may not use or further disclose PHI in a manner that would not be permissible if done by Business Associate.

3.2. Permitted Uses of PHI by Contractor. Except as otherwise limited in this BAA, Contractor may use PHI for the proper management and administration of Contractor or to carry out the legal responsibilities of Contractor.

3.3. Permitted Disclosures of PHI by Contractor. Except as otherwise limited in this BAA, Contractor may disclose PHI for the proper management and administration of Contractor, or to carry out the legal responsibilities of Contractor if (i) the disclosures are Required by Law; or (ii) Contractor obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and will be used or further disclosed only as Required by Law or for the purpose for which it was disclosed to the person, and that the person agrees to notify Contractor of any instances of which it is aware in which the confidentiality of the information has been breached. Contractor may use and disclose PHI to report violations of law to appropriate federal and state authorities, consistent with 45 C.F.R. § 164.502(j)(1).

4. Obligations of Business Associate

4.1. Subcontractors and Agents. Contractor will ensure that any agents, subcontractors and representatives that create, receive, maintain, or transmit PHI on behalf of Contractor agree to restrictions and conditions that are substantially the same as those found in this BAA, and agree to implement reasonable and appropriate safeguards to protect PHI. If Contractor uses its affiliates to provide any of the Services, Contractor is not required to obtain written assurances from such affiliates or its employees.

4.2. Information Safeguards. Contractor will use reasonable and appropriate safeguards to prevent Use or Disclosure of PHI other than as provided for by this BAA. When Contractor has possession of PHI, is accessing PHI, or is transmitting EPHI, it shall have in place Administrative, Physical and Technical Safeguards that reasonably and appropriately (i) protect the confidentiality, integrity and availability of EPHI that it receives, maintains or transmits on behalf of Business Associate, in accordance with the HIPAA Security Rule and (ii) prevent the use or disclosure of Business Associate’s PHI other than as provided for in the Underlying Agreement, this BAA, or as Required by Law. Contractor also shall comply with any applicable State data security laws and regulations.

4.3. Reporting. For all reporting obligations under this BAA, the parties acknowledge that, because Contractor does not know the details of PHI contained in any Services, there will be no obligation on Contractor to provide information about the identities of the Individuals who may have been affected, or a description of the type of information that may have been subject to a Security Incident, Impermissible Use or Disclosure, or Breach of Unsecured PHI. Contractor will ensure Business Associate access to audit logging to assist Business Associate in addressing Business Associate’s obligations for reporting under the HIPAA Regulations. Business Associate acknowledges that Contractor is under no obligation to provide additional support for Business Associate’s reporting obligations but may choose to provide such additional services at its sole discretion or at Business Associate’s expense.

4.4. Reporting of Impermissible Uses and Disclosures. Contractor will report to Business Associate within thirty (30) calendar days of discovery of any Use or Disclosure of PHI not permitted or required by this BAA of which Contractor becomes aware.

4.5. Reporting of Security Incidents. Contractor will report to Business Associate within ten (10) calendar days of discovery of any Security Incidents involving PHI of which Contractor becomes aware in which there is a successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an Information System in a manner that risks the confidentiality, integrity, or availability of such information. Business Associate and Contractor agree that this provision constitutes notice to Business Associate of the ongoing existence and occurrence of attempted but Unsuccessful Security Incidents (as defined herein), whether occurring now or in the future for which no additional notice to Business Associate shall be required. “Unsuccessful Security Incidents” shall include, but not be limited to, pings and other broadcast attacks on Contractor’s firewall, port scans, unsuccessful log-on attempts, denials of service, interception of encrypted information where the key is not compromised, or any combination of the above, so long as no such incident results in unauthorized access, use or disclosure of Business Associate’s EPHI.

4.6. Reporting of Breaches. Contractor will report to Business Associate any Breach of Business Associate’s Unsecured PHI that Contractor may discover to the extent required by 45 C.F.R. § 164.410. Contractor will make such report without unreasonable delay, and in no case later than sixty (60) calendar days after discovery of such Breach.

4.7. Access to PHI. If Contractor has PHI contained in a Designated Record Set, it agrees to make such information available to Business Associate pursuant to 45 C.F.R. § 164.524 within fifteen (15) business days of Contractor’s receipt of a written request from Business Associate; provided, however, that Contractor is not required to provide such access where the PHI contained in a Designated Record Set is duplicative of the PHI contained in a Designated Record Set possessed by Business Associate. If an Individual makes a request for access pursuant to 45 C.F.R. § 164.524 directly to Contractor, or inquires about his or her right to access, Contractor shall direct the Individual to Business Associate.

4.8. Amendment of PHI. If Contractor has PHI contained in a Designated Record Set, it agrees to make such information available to Business Associate for amendment pursuant to 45 C.F.R. § 164.526 within fifteen (15) business days of Contractor’s receipt of a written request from Business Associate. If an Individual submits a written request for amendment pursuant to 45 C.F.R. § 164.526 directly to Contractor, or inquires about his or her right to amendment, Contractor shall direct the Individual to Business Associate.

4.9. Accounting of Disclosures. Business Associate acknowledges that Contractor is not required by this BAA to make disclosures of PHI to Individuals or any person other than Business Associate, and that Business Associate does not, therefore, expect Contractor to maintain documentation of such disclosures as described in 45 C.F.R. § 164.528. In the event that Contractor does make such a disclosure, it shall document the disclosure as would be required for Business Associate to respond to a request by an Individual for an accounting of disclosures in accordance with 45 C.F.R. § 164.528, and shall provide such documentation to Business Associate within fifteen (15) business days of Business Associate’s request. If an Individual makes a request for an accounting directly to Contractor, or inquires about his or her right to an accounting, Contractor shall direct the Individual to Business Associate.

4.10. Individual Rights. As between Business Associate and Contractor, Business Associate, not Contractor, is responsible for responding to requests for access to or amendment of PHI from individuals pursuant to the HIPAA Privacy Rule, including, but not limited to, 45 C.F.R. §§ 164.524, 164.526, and 164.528, as the same may be amended from time to time.

4.11. Compliance Audits. Contractor shall make its internal practices, books and records relating to the use and disclosure of PHI available to the Secretary of the U.S. Department of Health and Human Services, in a time and manner designated by the Secretary, for purposes of the Secretary determining Business Associate’s compliance with HIPAA.

4.12. Mitigation. To the extent practicable, Contractor will cooperate with Business Associate’s efforts to mitigate a harmful effect that is known to Contractor of a use or disclosure of PHI that is not permitted by this BAA.

5. Business Associate’s Obligations.

5.1. Appropriate Use of PHI Accounts. Business Associate is responsible for implementing appropriate privacy and security safeguards in order to protect PHI in compliance with the HIPAA Regulations and this BAA. Without limitation, Business Associate shall: (i) not include unsecured PHI in any Services that are not or cannot be HIPAA compliant, (ii) utilize the highest level of audit logging in connection with its use of all Business Associate applications in the Services, and (iii) maintain the maximum retention of logs in connection with its use of all Services.

5.2. Consent, Authorization, and Permission. Business Associate shall obtain and maintain such consents, authorizations and/or permissions, if any, as may be necessary or required under the HIPAA Regulations, or other local, state or federal laws or regulations prior to using the Services in connection with Business Associate content, including without limitation PHI.

5.3. Restrictions on Disclosures. Business Associate shall not agree to any restriction requests or place any restrictions in any notice of privacy practices that would cause Contractor to violate this BAA or any applicable law.

5.4. Compliance with HIPAA Regulations. Business Associate shall not request or cause Contractor to make a Use or Disclosure of PHI in a manner that does not comply with the HIPAA Regulations or this BAA.

6. Term and Termination

6.1. Term. The term of this BAA will commence on the Underlying Agreement Effective Date and will remain in effect until the earlier of the termination of the Underlying Agreement or notification by Business Associate that an account is no longer subject to this BAA.

6.2. Effect of Termination. At termination of this BAA, Contractor, if feasible, will return or destroy all PHI that Contractor still maintains, if any. If return or destruction is not feasible, Contractor will extend the protections of this BAA to the PHI, limit further uses and disclosures to those purposes that make the return of the PHI infeasible, and not make any further uses or disclosures of the PHI.

7. Miscellaneous

7.1. No Agency Relationship. As set forth in the Underlying Agreement, nothing in this BAA is intended to make either party an agent of the other. Nothing in this BAA is intended to confer upon Business Associate the right or authority to control Contractor’s conduct in the course of Contractor complying with the Underlying Agreement and/or the BAA.

7.2. Entire Agreement; Conflict. Except as amended by this BAA, the Underlying Agreement will remain in full force and effect. This BAA, together with the Underlying Agreement as amended by this BAA: (a) is intended by the parties as a final, complete, and exclusive expression of the terms of their agreement; and (b) supersedes all prior agreements and understandings (whether oral or written) between the parties with respect to the subject matter hereof. If there is any conflict between a provision of this BAA and a provision in the Underlying Agreement, this BAA will control.

7.3. Survival. Business Associate and Contractor’s respective rights and obligations under this BAA shall survive the termination of the Underlying Agreement.

7.4. No Third-Party Beneficiaries. Nothing express or implied in this BAA is intended to confer, nor shall anything herein confer, upon any person other than Contractor and Business Associate, and their respective successors and assigns, any rights, remedies, obligations, or liabilities whatsoever.

Copyright ©2020 DataMotion, Inc. All rights reserved.