Subcontractor Business Associate Agreement

This Subcontractor Business Associate Agreement (this “Agreement”) is an addendum to the Cloud Computing Services Agreement that includes a reference to the web page where it is posted (the “Service Agreement”) and is effective as of the effective date of the Service Agreement.  This Agreement is between ClearDATA Networks, Inc. (“ClearDATA” or “Subcontractor Business Associate”) and the ClearDATA customer that is the other party to the Service Agreement and is a Business Associate, as that term is defined in HIPAA. This Agreement is entered into for the purposes of complying with the Health Insurance Portability and Accountability Act of 1996 and regulations promulgated thereunder (“HIPAA”) and the security provisions of the American Recovery and Reinvestment Act of 2009, also known as the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”).

WITNESSETH

WHEREAS, Company has entered into or may enter into an agreement or agreements with a Covered Entity, as such term is defined under HIPAA, pursuant to which Company may create and/or receive Protected Health Information for or on behalf of Covered Entity; and

WHEREAS, Company is a Business Associate as such term is defined under HIPAA and as such is required to comply with the requirements thereof regarding the confidentiality and privacy of Protected Health Information; and

WHEREAS, Company has engaged the services of Subcontractor Business Associate through the Service Agreement to assist in the obligations of Company to Covered Entity; and

WHEREAS, by providing services pursuant to the Service Agreement and creating and/or receiving Protected Health Information for or on behalf of Company, Subcontractor Business Associate shall become a Business Associate of Company, as such term is defined under HIPAA, and will therefore have obligations regarding the confidentiality and privacy of Protected Health Information that Subcontractor Business Associate creates for, or receives from or on behalf of, Company.

NOW THEREFORE, in consideration of the mutual covenants, promises, and agreements contained herein, the parties hereto agree as follows:

  1. For the purposes of this Agreement, capitalized terms shall have the meanings ascribed to them below. All capitalized terms used but not otherwise defined herein will have the meaning ascribed to them by HIPAA.
    1. “Protected Health Information” or “PHI” is any information, whether oral or recorded in any form or medium that is created, received, maintained, or transmitted by Subcontractor Business Associate for or on behalf of Company, that identifies an individual or might reasonably be used to identify an individual and relates to: (i) the individual’s past, present or future physical or mental health; (ii) the provision of health care to the individual; or (iii) the past, present or future payment for health care.
    2. “Secretary” shall refer to the Secretary of the U.S. Department of Health and Human Services.
    3. “Unsecured PHI” shall mean PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Secretary (e.g., encryption). This definition applies to both hard copy PHI and electronic PHI.
  2. OBLIGATIONS OF SUBCONTRACTOR BUSINESS ASSOCIATE.
    1. Use and Disclosure of PHI.
      1. Subcontractor Business Associate warrants that it, its agents and its subcontractors: (a) shall use or disclose PHI only in connection with fulfilling its duties and obligations under this Agreement and the Service Agreement; (b) shall not use or disclose PHI other than as permitted or required by this Agreement or required by law; (c) shall not use or disclose PHI in any manner that violates applicable federal and state laws or would violate such laws if used or disclosed in such manner by Company; and (d) shall only use and disclose the minimum necessary PHI for its specific purposes.
      2. Subject to the restrictions set forth throughout this Agreement, Subcontractor Business Associate may use the information received from Company if necessary for (a) the proper management and administration of Subcontractor Business Associate; or (b) to carry out the legal responsibilities of Subcontractor Business Associate.
      3. Subject to the restrictions set forth throughout this Agreement, Subcontractor Business Associate may disclose PHI for the proper management and administration of Subcontractor Business Associate, provided that:
        1. Disclosures are required by law, or
        2. Subcontractor Business Associate obtains reasonable assurances from the person or entity to whom the information is disclosed that it will remain confidential and used or further disclosed only as Required by Law or for the purpose for which it was disclosed to the person or entity, and the person or entity notifies the Subcontractor Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.
      4. Subcontractor Business Associate is permitted, for Data Aggregation purposes to the extent permitted under HIPAA, to use, disclose, and combine PHI created or received on behalf of Company by Subcontractor Business Associate pursuant to this Agreement with PHI, as defined by 45 C.F.R. 160.103, received by Subcontractor Business Associate in its capacity as a Business Associate of other covered entities, to permit data analyses that relate to the Health Care Operations of the respective covered entities and/or Company.
      5. Subcontractor Business Associate may de-identify any and all PHI created or received by Subcontractor Business Associate under this Agreement. Once PHI has been de-identified pursuant to 45 CFR 164.514(b), such information is no longer Protected Health Information and no longer subject to this Agreement.
      6. Subcontractor Business Associate acknowledges that, as between Subcontractor Business Associate and Company, all PHI shall be and remain the sole property of Company, including any and all forms thereof developed by Subcontractor Business Associate in the course of its fulfillment of its obligations pursuant to the Agreement and Service Agreement.
      7. To the extent that Subcontractor Business Associate is to carry out any of Company’s obligations that are regulated by HIPAA, Subcontractor Business Associate shall comply with the HIPAA requirements that apply to the Company in the performance of such obligation.
  • In accordance with 45 C.F.R. 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, Subcontractor Business Associate agrees to ensure that any of its agents or subcontractors that create, receive, maintain, or transmit PHI on behalf of Company agree, in writing, to materially the same restrictions, conditions, and requirements that apply through this Agreement to Business Associate with respect to such information.
    1. Safeguards. Subcontractor Business Associate shall employ appropriate administrative, technical and physical safeguards, as detailed in the Security Safeguards in the CCSA, to protect the confidentiality of PHI and to prevent the use or disclosure of PHI in any manner inconsistent with the terms of this Agreement. Subcontractor Business Associate shall comply, where applicable, with Subpart C of 45 C.F.R. Part 164 with respect to electronic PHI to prevent use or disclosure of such electronic PHI other than as provided for by this Agreement.
    2. Availability of Books and Records. Subcontractor Business Associate shall permit the Secretary and other regulatory and accreditation authorities to audit Subcontractor Business Associate’s internal practices, books and records at reasonable times as they pertain to the use and disclosure of PHI in order to ensure that Company and/or Subcontractor Business Associate is in compliance with the requirements of HIPAA.
    3. Individuals’ Rights to Their PHI.
      1. To the extent Subcontractor Business Associate maintains PHI in a Designated Record Set, in order to allow the Company to respond to a request by an Individual for access to PHI pursuant to 45 CFR Section 164.524, Subcontractor Business Associate, within ten (10) business days upon receipt of written request by Company, shall make available to Company such PHI.
        1. In the event that any Individual requests access to PHI directly from Subcontractor Business Associate, Subcontractor Business Associate shall forward such request to Company within five (5) business days.
        2. Company will be responsible for making all determinations regarding the grant or denial of an Individual’s request for PHI and Subcontractor Business Associate will make no such determinations. Except as Required by Law, only Company will be responsible for releasing PHI to an Individual pursuant to such a request. Any denial of access to PHI determined by Company pursuant to 45 CFR Section 164.524, and conveyed to Subcontractor Business Associate, shall be the responsibility of Company, including resolution or reporting of all appeals and/or complaints arising from denials.
      2. To the extent Subcontractor Business Associate maintains PHI in a Designated Record Set, in order to allow Company to respond to a request by an Individual for an amendment to PHI, Subcontractor Business Associate shall, within ten (10) business days upon receipt of a written request by Company, make available to Company such PHI.
        1. In the event that any Individual requests amendment of PHI directly from Subcontractor Business Associate, Subcontractor Business Associate shall forward such request to Company within five (5) business days.
        2. Company will be responsible for making all determinations regarding the grant or denial of an Individual’s request for an amendment to PHI and Subcontractor Business Associate will make no such determinations. Any denial of amendment to PHI determined by Company pursuant to 45 CFR Section 164.526, and conveyed to Subcontractor Business Associate, shall be the responsibility of Company, including resolution or reporting of all appeals and/or complaints arising from denials.
        3. Within ten (10) business days of receipt of a request from Company to amend an individual’s PHI in the Designated Record Set, Subcontractor Business Associate shall incorporate any approved amendments, statements of disagreement, and/or rebuttals into its Designated Record Set as required by 45 CFR Section 164.526.
      3. In order to allow Company to respond to a request by an Individual for an accounting pursuant to 45 CFR Section 164.528, Subcontractor Business Associate shall, within ten (10) business days of a written request by Company for an accounting of disclosures of PHI about an Individual, make available to Company such PHI. At a minimum, Subcontractor Business Associate shall provide the following information: (i) the date of the disclosure; (ii) the name of the entity or person who received the PHI, and if known, the address of such entity or person; (iii) a brief description of the PHI disclosed; and (iv) a brief statement of the purpose of such disclosure.
        1. In the event that any Individual requests an accounting of disclosures of PHI directly from Subcontractor Business Associate, Subcontractor Business Associate shall forward such request to Company within five (5) business days.
        2. Company will be responsible for preparing and delivering an accounting to Individual.
        3. Subcontractor Business Associate shall implement an appropriate record keeping process to enable it to comply with the requirements of this Agreement.
    4. Disclosure to Third Parties. Subcontractor Business Associate shall obtain and maintain a written agreement with each subcontractor or agent that has or will have access to PHI, which is received from, or created or received by, Subcontractor Business Associate for or on behalf of Company, pursuant to which agreement such subcontractor and agent agrees to be bound by the same restrictions, terms, and conditions that apply to Subcontractor Business Associate pursuant to the Agreement with respect to such PHI.
    5. Reporting Obligations.
      1. In the event of a Breach of any Unsecured PHI that Subcontractor Business Associate accesses, maintains, retains, modifies, records, or otherwise holds or uses on behalf of Company, Subcontractor Business Associate shall report such Breach to Company as soon as practicable, but in no event later than ten (10) business days after the date the Breach is discovered. Notice of a Breach shall include, to the extent such information is available: (i) the identification of each individual whose PHI has been, or is reasonably believed to have been, accessed, acquired, or disclosed during the Breach; (ii) the date of the Breach, if known, and the date of discovery of the Breach; (iii) the scope of the Breach; and (iv) the Subcontractor Business Associate’s response to the Breach.
      2. In the event of a use or disclosure of PHI that is improper under this Agreement but does not constitute a Breach, Subcontractor Business Associate shall report such use or disclosure to Company within ten (10) business days after the date on which Subcontractor Business Associate becomes aware of such use or disclosure.
      3. In the event of any successful Security Incident, Subcontractor Business Associate shall report such Security Incident in writing to Company within ten (10) business days of the date on which Subcontractor Business Associate becomes aware of such Security Incident. The parties acknowledge that unsuccessful Security Incidents (e.g., pings) occur within the normal course of business and shall not be reported pursuant to this Agreement.
      4. Unsuccessful Security Incidents. Unsuccessful Security Incidents mean a Security Incident or Breach that does not result in unauthorized access, use, disclosure, modification, or destruction of PHI (including, for example, and not for limitation, pings on Business Associate’s firewall, port scans, attempts to log onto a system or enter a database with an invalid password or username, denial-of-service attacks that do not result in the system being taken off-line, or malware such as worms or viruses). The parties acknowledge and agree that this Agreement constitutes notice of the ongoing existence and occurrence of Unsuccessful Security Incidents.
      5. Non-Breaches.  The following shall not be considered to be a Breach:  (a) any unintentional acquisition, access, or use of PHI by a workforce member or person acting under the authority of Business Associate, if such acquisition, access, or use was made in good faith and within the scope of authority and does not result in further use or disclosure in a manner not permitted under the Privacy Rule; or (b) any inadvertent disclosure by a person who is authorized to access PHI at Subcontractor Business Associate to another person authorized to access PHI at Subcontractor Business Associate, and the information received as a result of such disclosure is not further used or disclosed in a manner not permitted under the Privacy Rule.
  3. OBLIGATIONS OF COMPANY.
    1. Permissible Requests.
      1. Company shall not request Subcontractor Business Associate to use or disclose PHI in any manner that would violate applicable federal and state laws if such use or disclosure were made by Company.
      2. Company may request Subcontractor Business Associate to disclose PHI directly to another party only for the purposes allowed by HIPAA and the HITECH Act.
    2. Notifications.
      1. Company shall notify Subcontractor Business Associate of any limitation in any applicable notice of privacy practices in accordance with 45 CFR Section 164.520, to the extent that such limitation may affect Subcontractor Business Associate’s use or disclosure of PHI.
      2. Company shall notify Subcontractor Business Associate of any changes in, or revocation of, permission by individual to use or disclose PHI, to the extent that such changes may affect Subcontractor Business Associate’s use or disclosure of PHI.
      3. Company shall notify Subcontractor Business Associate of any restriction to the use or disclosure of PHI that Company is obligated to in accordance with 45 CFR Section 164.522, to the extent that such restriction may affect Subcontractor Business Associate’s use or disclosure of PHI.
  4. TERM AND TERMINATION.
    1. General Term and Termination. This Agreement shall become effective on the Effective Date set forth above and shall terminate upon the termination or expiration of the Service Agreement and when all PHI provided by either party to the other, or created or received by Subcontractor Business Associate on behalf of Company is, in accordance with this Section, destroyed, returned to Company, or protections are extended.
    2. Material Breach. Where either party has knowledge of a material breach by the other party, the non-breaching party shall provide the breaching party with an opportunity to cure. Where said breach is not cured to the reasonable satisfaction of the non-breaching party within twenty (20) business days of the breaching party’s receipt of notice from the non-breaching party of said breach, the non-breaching party shall, if feasible, terminate this Agreement and the portion(s) of the Service Agreement affected by the breach. Where either party has knowledge of a material breach by the other party and cure is not possible, the non-breaching party shall, if feasible, terminate this Agreement and the portion(s) of the Service Agreement affected by the Breach.
    3. Return or Destruction of PHI. Upon termination of this Agreement for any reason, Subcontractor Business Associate shall:
      1. If feasible as determined by Subcontractor Business Associate, return or destroy all PHI received from, or created or received by Subcontractor Business Associate for or on behalf of Company that Subcontractor Business Associate or any of its subcontractors and agents still maintain in any form, and Subcontractor Business Associate shall retain no copies of such information; or
      2. If Subcontractor Business Associate determines that such return or destruction is not feasible, extend the protections of this Agreement to such information and limit further uses and disclosures to those purposes that make the return or destruction of the PHI infeasible, in which case Subcontractor Business Associate’s obligations under this Section shall survive the termination of this Agreement.
  5. MISCELLANEOUS.
    1. Amendment. If any of the regulations promulgated under HIPAA or the HITECH Act are amended or interpreted in a manner that renders this Agreement inconsistent therewith, the parties shall amend this Agreement to the extent necessary to comply with such amendments or interpretations.
    2. Interpretation. Any ambiguity in this Agreement shall be resolved to permit the parties to comply with HIPAA and the HITECH Act.
    3. Conflicting Terms. In the event that any terms of this Agreement conflict with any terms of the Service Agreement, the terms of this Agreement shall govern and control.
    4. Severability. The provisions of this Agreement shall be severable, and if any provision of this Agreement shall be held or declared to be illegal, invalid or unenforceable, the remainder of this Agreement shall continue in full force and effect as though such illegal, invalid or unenforceable provision had not been contained herein.
    5. Indemnification and Limitation of Liability.  The indemnification and limitation of liability provisions of the CCSA apply to this Agreement.

Revision Date April 1, 2022