Business Associate Addendum
The Parties agree that this Business Associate Addendum (“BAA”) is entered into as part of the Master License and Services Agreement (“Agreement”) by and between Customer and Volpara Health, Inc. (“Volpara”) and is incorporated by reference therein. If there is a conflict between a provision in this BAA and a provision in the Agreement, this BAA will control.
Except as otherwise defined in this BAA or the Agreement, capitalized terms will have the definitions or meanings given by HIPAA.
“Breach Notification Rule” means the Breach Notification for Unsecured Protected Health Information Final Rule.
“Business Associate” means Volpara.
“Covered Entity”, for this BAA only, means Customer and its Affiliates.
“HIPAA” means, collectively, the Health Insurance Portability and Accountability Act and its implementing regulations, including the Breach Notification Rule, the Privacy Rule, and the Security Rule, in each case as amended from time to time, including without limitation by the Health Information Technology for Economic and Clinical Health (HITECH) Act.
“Privacy Rule” means the Standards for Privacy of Individually Identifiable Health Information.
“Protected Health Information” or “PHI” means only the protected health information (including electronic protected health information) that Business Associate uses, discloses, accesses, creates, receives, maintains, and/or transmits for or on behalf of Covered Entity to provide the Products and Services.
“Security Rule” means the Security Standards for the Protection of Electronic Protected Health Information.
2. PERMITTED USES AND DISCLOSURES BY BUSINESS ASSOCIATE
2.1 Performance of Business Associate’s Obligations. Except as otherwise limited in this BAA, Business Associate may Use and Disclose Protected Health Information for, or on behalf of, Covered Entity as authorized in the Agreement; provided that any such Use or Disclosure would not violate HIPAA if done by Covered Entity, except as expressly authorized in Section 2.2 below.
2.2 Management, Administration, and Legal Responsibilities. Except as otherwise limited in this BAA, Business Associate may Use and Disclose Protected Health Information for the proper management and administration of Business Associate and/or to carry out the legal responsibilities of Business Associate, provided that any Disclosure may occur only if: (a) Required by Law; or (b) Business Associate obtains written reasonable assurances from the person to whom the Protected Health Information is Disclosed that it will be held confidentially and Used or further Disclosed only as Required by Law or for the purpose for which it was Disclosed to the person, and the person notifies Business Associate of any instances of which it becomes aware in which the confidentiality of the Protected Health Information has been breached.
3. OBLIGATIONS OF BUSINESS ASSOCIATE
3.1 Limitations on Use and Disclosure. Business Associate will not Use and/or Disclose the Protected Health Information other than as permitted or required by the Agreement and/or this BAA, or as otherwise Required by Law. Business Associate will not disclose, capture, maintain, scan, index, transmit, share, or Use Protected Health Information for any activity not authorized under the Agreement and/or this BAA. Business Associate will not use Protected Health Information for any advertising, marketing, or other commercial purpose of Business Associate or any third party. Business Associate will not violate the HIPAA prohibition on the sale of Protected Health Information.
3.2 Minimum Necessary. Business Associate will make reasonable efforts to Use, Disclose, and/or request the minimum necessary Protected Health Information to accomplish the intended purpose of such Use, Disclosure, or request.
3.3 Safeguards. Business Associate will: (a) use reasonable and appropriate safeguards to prevent inappropriate Use and Disclosure of Protected Health Information other than as provided for in this BAA; and (b) comply with the applicable requirements of 45 CFR Part 164 Subpart C of the Security Rule.
3.4 Reporting. Business Associate will report to Covered Entity: (a) any Use and/or Disclosure of Protected Health Information that is not permitted or required by this BAA of which Business Associate becomes aware; (b) any Security Incident of which it becomes aware, provided that notice is hereby deemed given for Unsuccessful Security Incidents (defined below) and no further notice of such Unsuccessful Security Incidents will be given; and/or (c) any Breach of Covered Entity’s Unsecured Protected Health Information that Business Associate may discover (in accordance with 45 CFR § 164.410 of the Breach Notification Rule). Notification of a Breach will be made without unreasonable delay, but in no event more than three (3) business days after Business Associate’s determination of a Breach.
For purposes of this Section, “Unsuccessful Security Incidents” mean, without limitation, pings and other broadcast attacks on Business Associate’s firewall, port scans, unsuccessful log-on attempts, denial of service attacks, and any combination of the above, as long as such incident does not result in unauthorized access, acquisition, Use, or Disclosure of Protected Health Information.
3.5 Subcontractors. In accordance with 45 CFR §§ 164.502(e)(1)(ii) and 164.308(b)(2) of HIPAA, Business Associate will require its Subcontractors who create, receive, maintain, or transmit Protected Health Information on behalf of Business Associate to agree in writing to: (a) the same or more stringent restrictions and conditions that apply to Business Associate with respect to such Protected Health Information; (b) appropriately safeguard the Protected Health Information; and (c) comply with the applicable requirements of 45 CFR Part 164 Subpart C of the Security Rule. Business Associate remains responsible for its Subcontractors’ compliance with obligations in this BAA.
3.6 Disclosure to the Secretary. Business Associate will make available its internal practices, records, and books relating to the Use and/or Disclosure of Protected Health Information received from Covered Entity to the Secretary of the Department of Health and Human Services for purposes of determining Covered Entity’s compliance with HIPAA, subject to attorney-client and other applicable legal privileges.
3.7 Access. If Business Associate maintains Protected Health Information in a Designated Record Set for Covered Entity, then Business Associate, at the request of Covered Entity, will, within fifteen (15) days, make access to such Protected Health Information available to Covered Entity in accordance with 45 CFR § 164.524 of the Privacy Rule.
3.8 Amendment. If Business Associate maintains Protected Health Information in a Designated Record Set for Covered Entity, then Business Associate, at the request of Covered Entity, will, within fifteen (15) days, make available such Protected Health Information to Covered Entity for amendment and incorporate any reasonably requested amendment in the Protected Health Information in accordance with 45 CFR § 164.526 of the Privacy Rule.
3.9 Accounting of Disclosure. Business Associate, at the request of Covered Entity, will, within fifteen (15) days, make available to Covered Entity such information relating to Disclosures made by Business Associate as required for Covered Entity to make any requested accounting of Disclosures in accordance with 45 CFR § 164.528 of the Privacy Rule.
3.10 Performance of a Covered Entity’s Obligations. To the extent Business Associate is to carry out a Covered Entity obligation under the Privacy Rule, Business Associate will comply with the requirements of the Privacy Rule that apply to Covered Entity in the performance of such obligation.
3.11 De-identification of PHI. Except in order to provide the Products and Services or as otherwise authorized by the Agreement or this BAA, Business Associate will not de-identify Protected Health Information without the prior written consent of Covered Entity. Any de-identification of PHI by Business Associate will be in accordance with 45 CFR § 164.514(b).
4. OBLIGATIONS OF COVERED ENTITY
4.1 Limitations. Covered Entity will inform Business Associate of any changes in, or revocation of, the permission by an individual to access, use, or disclose Protected Health Information, to the extent that such limitation may affect Business Associate’s access, use, or disclosure of Protected Health Information.
4.2 Restrictions. Covered Entity will promptly notify Business Associate of any restriction on the access, use, or disclosure of Protected Health Information that Covered Entity has agreed to or is required to abide by under 45 CFR § 164.522, to the extent that such restriction may affect the access, use, or disclosure of Protected Health Information by Business Associate.
4.3 No Impermissible Requests. Covered Entity will not request Business Associate to Use or Disclose Protected Health Information in any manner that would not be permissible under HIPAA if done by Covered Entity (unless permitted by HIPAA for a Business Associate).
5. TERM AND TERMINATION
5.1 Term. This BAA shall continue in effect until the earlier of: (a) termination by a Party for breach as set forth in Section 5.2 below; or (b) expiration of the Agreement.
5.2 Termination. Either Party may terminate this BAA and the Agreement if the other Party breaches any material term or condition of this BAA and does not cure such breach within thirty (30) days after written notice of such breach.
5.3 Effect of Termination. Upon termination of this BAA, Business Associate will, if feasible, return or destroy all PHI received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity. This provision will also apply to PHI that is in the possession of subcontractors or agents of Business Associate. Business Associate will retain no copies of the PHI except as provided for in this BAA. If return or destruction of PHI is not feasible, Business Associate will: (a) extend the security protections of this BAA to such PHI; and (b) limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such PHI.
6. GENERAL TERMS
6.1 Interpretation. The Parties intend that this BAA be interpreted consistently with their intent to comply with HIPAA and other applicable federal and state law. Except where this BAA conflicts with the Agreement, all other terms and conditions of the Agreement remain unchanged. Any captions or headings in this BAA are for the convenience of the Parties and shall not affect the interpretation of this BAA.
6.2 Entire Agreement; Amendment. This BAA supersedes and replaces any prior agreement terms with Volpara with respect to the terms and obligations relating to HIPAA and PHI. This BAA may not be modified or amended except in a writing duly signed by authorized representatives of the Parties.
6.3 Survival. The respective rights and obligations of Business Associate under this BAA shall survive the termination of this BAA.
6.4 Independent Contractors. It is not intended that an agency relationship (as defined under the Federal common law of agency) be established hereby expressly or by implication between Covered Entity and Business Associate under HIPAA or the Privacy Rule, Security Rule, or Breach Notification Rule. No terms or conditions contained in this BAA shall be construed to make or render Business Associate an agent of Covered Entity.
6.5 Designated Record Set. Unless expressly contracted for in the Agreement, Business Associate does not maintain a Designated Record Set for the Covered Entity.
6.6 Notices. Any notices under this BAA shall be in writing and made via recognized national courier sent by overnight service. Notices will be deemed given upon written confirmation of delivery to the respective Party as set forth below:
If to Business Associate:
Attn: Chief Privacy Officer
19000 33rd Ave W, Suite 130
Lynnwood, WA 98036
If to Covered Entity:
To the address listed in the Agreement