Business Associate Agreement
This Business Associate Agreement (the “Agreement”) is an addendum to the Cloud Computing Services Agreement that includes a reference to the web page where it is posted (the “CCSA”) and is effective as of the effective date of the CCSA. This Agreement is between ClearDATA Networks, Inc., having its principal office at 101 W. 6th Street, Suite 310, Austin, Texas 78701 (“ClearDATA” or “Business Associate”) and the ClearDATA customer that is the other party to the CCSA and is a Covered Entity, as that term is defined in HIPAA (“Covered Entity”) (each a “Party” and collectively the “Parties”) to comply with the federal Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), as amended by the Health Information Technology for Economic and Clinical Health Act of 2009 (“HITECH”), and their respective implementing regulations, including the Privacy Standards adopted by the U.S. Department of Health and Human Services as they may be amended from time to time, 45 C.F.R. parts 160 and 164, subparts A and E (the “Privacy Rule”), the Security Standards adopted by the U.S. Department of Health and Human Services as they may be amended from time to time, 45 C.F.R. parts 160, 162 and 164, subpart C (the “Security Rule”), the Breach Notification Standards adopted by the U.S. Department of Health and Human Services, as they may be amended from time to time, at 45 C.F.R. part 164, subpart D (the “Breach Notification Rule”), as well as related state laws and/or regulations (collectively, the “HIPAA Rules”).
WHEREAS, Business Associate provides certain services to Covered Entity, including the services set forth in the CCSA; any accompanying schedules, exhibits, attachments and addenda (including any applicable Service Description(s), as defined in the CCSA); and the applicable Service Level Agreement (“Services”);
WHEREAS, in connection with these Services, Covered Entity may disclose to Business Associate certain Protected Health Information in electronic format (“PHI”) (as defined below) that is subject to protection under the HIPAA Rules;
WHEREAS, if Business Associate performs or assists in performing certain functions or activities for or on behalf of Covered Entity that involve the use or disclosure of PHI, the HIPAA Rules require that Covered Entity receive adequate assurances that Business Associate will comply with certain obligations with respect to the PHI received in the course of providing services to or on behalf of Covered Entity; and
WHEREAS, the Parties agree that the terms of this Agreement will have no effect unless and until Business Associate performs or assists in performing certain functions or activities for or on behalf of Covered Entity that involve the use or disclosure of PHI.
NOW THEREFORE, in consideration of the mutual promises and covenants herein, and for other good and valuable consideration, the receipt and sufficiency of which is hereby acknowledged, the Parties agree as follows:
- Unless otherwise provided, all capitalized terms in the Agreement will have the same meaning as provided under the HIPAA Rules.
- Protected Health Information or PHI: Protected Health Information or PHI, as defined by the Privacy Rule, for this Agreement means PHI that is created, received, maintained, or transmitted on behalf of Covered Entity by Business Associate pursuant to the Agreement.
- Purposes for which PHI May Be Disclosed to Business Associate.
In connection with the Services provided by Business Associate to or on behalf of Covered Entity, Covered Entity may disclose PHI to Business Associate during the performance of service and support activities in compliance with HIPAA.
- Obligations of Business Associate.
- Compliance with Laws. Business Associate agrees to comply with the provisions of the HIPAA Rules that are applicable to Business Associate.
- Use and Disclosure of PHI. Business Associate may use or disclose PHI as Required by Law. Business Associate shall not use or further disclose PHI other than as permitted or required by this Agreement or as Required by Law. Business Associate shall not use or disclose PHI in a manner that would violate the HIPAA Rules if used or disclosed by Covered Entity, provided, however, that Business Associate may use and disclose PHI as necessary for the proper management and administration of Business Associate, for the specific uses and disclosures set forth herein, and to carry out its legal responsibilities. Business Associate agrees, to the extent that Business Associate is to carry out one or more of Covered Entity’s obligation(s) under Subpart E of 45 C.F.R. Part 164, to comply with the requirements of Subpart E of 45 C.F.R. Part 164 that apply to Covered Entity in the performance of such obligation(s).
- Safeguards. Business Associate shall maintain appropriate safeguards, as detailed in the Security Safeguards in the CCSA, to ensure that PHI is not used or disclosed in violation of this Agreement or applicable law. Business Associate shall implement administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of any electronic PHI it creates, receives, maintains, or transmits on behalf of Covered Entity and shall comply, where applicable, with Subpart C of 45 C.F.R. Part 164 with respect to such electronic PHI to prevent use or disclosure of such electronic PHI other than as provided for by this Agreement.
- Disclosure to Agents and Subcontractors. If Business Associate discloses PHI received from Covered Entity, or created, received, maintained, or transmitted by Business Associate on behalf of Covered Entity, to agents, including a subcontractor, Business Associate shall, in accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, ensure that any agents or subcontractors that create, receive, maintain, or transmit PHI on behalf of Business Associate agree to the same restrictions, conditions, and requirements that apply to Business Associate under this Agreement with respect to such information. Business Associate shall ensure that any such agent, including a subcontractor, agrees to implement reasonable and appropriate safeguards to protect the confidentiality, integrity, and availability of the electronic PHI that it creates, receives, maintains, or transmits on behalf of Business Associate or Covered Entity.
- Minimum Necessary. Business Associate agrees to make reasonable efforts to limit use and disclosure of PHI to the minimum necessary to accomplish the intended purposes, consistent with Business Associate’s policies and procedures.
- Individual Rights. Business Associate agrees as follows:
- Individual Right to Copy or Inspection. To the extent Business Associate or its agents or subcontractors maintains PHI in a Designated Record Set, if an Individual makes a request for access directly to Business Associate, Business Associate will within fifteen (15) business days forward such request in writing to Covered Entity. Covered Entity will be responsible for making all determinations regarding the grant or denial of an Individual’s request for PHI and Business Associate will make no such determinations. Except as Required by Law, only Covered Entity will release and be responsible for releasing PHI to an Individual pursuant to such a request.
- Amendment of an Individual’s PHI or Record. To the extent Business Associate or its agents or subcontractors maintains PHI in a Designated Record Set, if an Individual makes a request for an amendment of his or her PHI or record directly to Business Associate, Business Associate will within fifteen (15) business days forward such request in writing to Covered Entity, and Business Associate will incorporate any such amendment upon written request from Covered Entity. As between the parties, Covered Entity will be responsible for making all determinations regarding the grant or denial of an Individual’s request for an amendment, and except as Required by Law Business Associate will not make or be responsible for making any such determinations.
- Accounting of Disclosures. Business Associate agrees to maintain documentation of the information required to provide an Accounting of Disclosures of PHI in accordance with 45 C.F.R. § 164.528, and to make this information available to Covered Entity upon Covered Entity’s request, in order to allow Covered Entity to respond to an Individual’s request for Accounting of Disclosures. Such accounting is limited to disclosures that were made in the six (6) years prior to the request (not including disclosures prior to the compliance date of the Privacy Rule). Such accounting is further limited to disclosures that were made in the three (3) years prior to the request (not including disclosures prior to the compliance date of the Privacy Rule) to the extent that the purpose of such accounting is to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI through an Electronic Health Record, as the term is defined in section 13400 of HITECH, made to carry out Treatment, Payment and Health Care Operations as provided in 45 C.F.R. §164.506. Notwithstanding the above, any such accounting shall be provided only for as long as Business Associate maintains the PHI. If an Individual requests an Accounting of Disclosures directly from Business Associate, Business Associate will forward the request and its Disclosure record to Covered Entity within fifteen (15) business days of Business Associate’s receipt of the Individual’s request. As between the parties, Covered Entity will be responsible for preparing and delivering the Accounting to the Individual. Except as required by law, Business Associate will not provide or be responsible for providing an Accounting of its Disclosures directly to any Individual.
- Internal Practices, Policies and Procedures. Except as otherwise specified herein, Business Associate shall make available its internal practices, books, and records relating to the use and disclosure of PHI received from, or created or received on behalf of, Covered Entity to the Secretary or his or her agents or authorized designees for the purpose of determining Covered Entity’s compliance with the HIPAA Rules.
- Withdrawal of Authorization. If the use or disclosure of PHI in this Agreement is based upon an Individual’s specific authorization for the use or disclosure of his or her PHI, and the Individual revokes such authorization, the effective date of such authorization has expired, or such authorization is found to be defective in any manner that renders it invalid, Business Associate shall, if it has received notice from Covered Entity pursuant to Section E.1. herein of such revocation, expiration, or invalidity, cease the use and disclosure of the Individual’s PHI except to the extent it has relied on such use or disclosure, or if an exception under the HIPAA Rules expressly applies.
- Security Incident. Business Associate agrees to report to Covered Entity any Security Incident of which Business Associate becomes aware.
- Use or Disclosure of PHI Not Provided for by this Agreement. Business Associate agrees to report to Covered Entity any use or disclosure of PHI not provided for by this Agreement of which Business Associate becomes aware.
- Breaches of Unsecured PHI. Business Associate will report in writing to Covered Entity any Breach of Unsecured Protected Health Information, as required at 45 C.F.R. § 164.410 of which it becomes aware, within fifteen (15) business days of the date Business Associate learns of the incident giving rise to the Breach.
- Unsuccessful Security Incidents. Unsuccessful Security Incidents mean a Security Incident or Breach that does not result in unauthorized access, use, disclosure, modification, or destruction of PHI (including, for example, and not for limitation, pings on Business Associate’s firewall, port scans, attempts to log onto a system or enter a database with an invalid password or username, denial-of-service attacks that do not result in the system being taken off-line, or malware such as worms or viruses). The parties acknowledge and agree that this Agreement constitutes notice by Business Associate to Covered Entity of the ongoing existence and occurrence of Unsuccessful Security Incidents.
- Non-Breaches. The following shall not be considered to be a Breach: (a) any unintentional acquisition, access, or use of PHI by a workforce member or person acting under the authority of Business Associate, if such acquisition, access, or use was made in good faith and within the scope of authority and does not result in further use or disclosure in a manner not permitted under the Privacy Rule; or (b) any inadvertent disclosure by a person who is authorized to access PHI at Business Associate to another person authorized to access PHI at Business Associate, and the information received as a result of such disclosure is not further used or disclosed in a manner not permitted under the Privacy Rule.
- Rights of Business Associate.
- Management and Administration. Except as otherwise limited in this Agreement, Business Associate may use and disclose PHI for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate.
- Data Aggregation. Business Associate is permitted, for Data Aggregation purposes to the extent permitted under the HIPAA Rules, to use, disclose, and combine PHI created or received on behalf of Covered Entity by Business Associate pursuant to this Agreement with Protected Health Information, as defined by 45 C.F.R. 160.103, received by Business Associate in its capacity as a business associate of other covered entities, to permit data analyses that relate to the Health Care Operations of the respective covered entities and/or Covered Entity, where “business associate” and “covered entities” have the meanings given to them in 45 C.F.R. 160.103.
- De-identified Information. Business Associate may de-identify any and all PHI created or received by Business Associate under this Agreement at any location and use all such de-identified data in accordance with the de-identification requirements of the HIPAA Rules.
- Subcontractors and Agents. In accordance with 45 C.F.R. 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, Business Associate agrees to ensure that any of its agents or subcontractors that create, receive, maintain, or transmit PHI on behalf of Business Associate agree, in writing, to materially the same restrictions, conditions, and requirements that apply through this Agreement to Business Associate with respect to such information.
- Reporting Violations of Law. Business Associate may use PHI to report violations of law to appropriate Federal and State authorities, consistent with 45 C.F.R. 164.502(j)(1).
- Limited Data Set. Business Associate may create a Limited Data Set and use such Limited Data Set pursuant to a Data Use Agreement that meets the requirements of the Privacy Rule.
- Obligations of Covered Entity.
- Changes in Authorization. Covered Entity shall inform Business Associate, in writing and in a timely manner, of any changes in, or withdrawal of, any authorization provided to Covered Entity by any Individual pursuant to 45 CFR § 164.508, to the extent that such changes or withdrawal may affect Business Associate’s use or disclosure of PHI. In addition, Covered Entity shall notify Business Associate, in writing and in a timely manner, of any restriction to the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 CFR § 164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of PHI. Covered Entity shall promptly notify Business Associate of any breach by Covered Entity of any obligation under the HIPAA Rules as such breach relates to PHI as defined herein. Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under the HIPAA Rules if done by Covered Entity, and Business Associate is not required to use or disclose PHI in any manner that would not be permissible under the HIPAA Rules if done by Covered Entity.
- Minimum Necessary. Covered Entity shall disclose to Business Associate only the “Minimum Necessary” amount of PHI for Business Associate to perform the Services and its rights and obligations under this Agreement, and only in compliance with the HIPAA Rules.
- Necessary Consents. Covered Entity warrants that it has obtained any necessary authorizations, consents, and other permissions that may be required under applicable law prior to placing PHI on the ClearDATA Network.
- Disclosure Restrictions. Covered Entity will not agree to any restriction requests or place any notice of privacy practices that would cause ClearDATA to violate this Agreement or any applicable law.
- Term and Termination.
- Term. The term of this Agreement shall be effective as of the date last executed below and shall continue until all PHI provided by Covered Entity to Business Associate, or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity, or this Agreement is terminated pursuant to this Article F.
- Termination for Breach. Either party may terminate this Agreement upon written notice to the other party if the non-breaching party determines that the other party or its subcontractors or agents has breached a material term of this Agreement, provided that the non-breaching party will first provide the other party with written notice of the breach of this Agreement and afford the other party the opportunity to cure the breach within forty-five (45) days of the date of such notice. If the other party or any of its subcontractors or agents fails to timely cure the breach, the non-breaching party may terminate this Agreement.
- Effect of Termination. Upon termination of this Agreement for any reason, Business Associate agrees to return or destroy all PHI received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity, maintained by Business Associate in any form and to retain no copies. If Business Associate determines that the return or destruction of PHI is not feasible, Business Associate shall inform Covered Entity in writing of the reason thereof, and the Parties shall agree to extend the protections of this Agreement to such PHI and Business Associate shall limit further uses and disclosures of the PHI to those purposes that make the return or destruction of the PHI not feasible for so long as Business Associate retains the PHI.
- Survival. The respective rights and obligations of the Parties under Article G. of this Agreement shall survive the termination of this Agreement.
- Amendments. This Agreement may not be changed or modified in any manner except by an instrument in writing signed by a duly authorized officer of each of the Parties hereto. The Parties, however, agree to amend this Agreement from time to time as necessary, in order to allow the Parties to comply with the requirements of the HIPAA Rules.
- Nature of Agreement. Nothing in this Agreement shall be construed to create (i) a partnership, joint venture or other joint business relationship between the Parties or any of their affiliates, (ii) any fiduciary duty owed by one Party to another Party or any of its affiliates, or (iii) a relationship of employer and employee between the Parties.
- No Waiver. Failure or delay on the part of either Party to exercise any right, power, privilege or remedy hereunder shall not constitute a waiver thereof. No provision of this Agreement may be waived by either Party except by a writing signed by an authorized representative of the Party making the waiver.
- Severability. The provisions of this Agreement shall be severable, and if any provision of this Agreement shall be held or declared to be illegal, invalid or unenforceable, the remainder of this Agreement shall continue in full force and effect as though such illegal, invalid or unenforceable provision had not been contained herein.
- No Third Party Beneficiaries. Nothing in this Agreement shall be considered or construed as conferring any right or benefit on a person not party to this Agreement nor imposing any obligations on either Party hereto to persons not a party to this Agreement.
- Headings. The descriptive headings of the articles, sections, subsections, exhibits and schedules of this Agreement are inserted for convenience only, do not constitute a part of this Agreement and shall not affect in any way the meaning or interpretation of this Agreement.
- Entire Agreement. This Agreement, together with the CCSA, all exhibits, riders and amendments, if applicable, which are fully completed and signed by authorized persons on behalf of both Parties from time to time while this Agreement is in effect, constitutes the entire Agreement between the Parties hereto with respect to the subject matter hereof and supersedes all previous written or oral understandings, addendums, negotiations, commitments, and any other writing and communication by or between the Parties with respect to the subject matter hereof. In the event of any inconsistencies between any provisions of this Agreement and any provisions of any exhibits, riders, or amendments, the provisions of this Agreement shall control.
- Indemnification and Limitation of Liability. The indemnification and limitation of liability provisions of the CCSA apply to this Agreement.
- Interpretation. Any ambiguity in this Agreement shall be resolved in favor of a meaning that permits the Parties to comply with the HIPAA Rules. The provisions of this Agreement shall prevail over the provisions of any other prior agreement that exists between the Parties that may conflict with, or appear inconsistent with, any provision of this Agreement or the HIPAA Rules, unless otherwise explicitly set forth in such agreement.
- Regulatory References. A citation in this Agreement to the Code of Federal Regulations shall mean the cited section as that section may be amended from time to time.
© ClearDATA Networks, Inc. 2022
Revision Date April 1, 2022