Business Associate Addendum
This addendum is specific to circumstances under which the Health Insurance Portability and Accountability Act (HIPAA) applies. Please get in touch with us if you need these terms to be part of your agreement with us.
This Business Associate Addendum (this “Addendum”) is entered into between the entity identified as “Customer” in the Underlying Agreement (“Covered Entity”), and Zello, Inc., a Delaware corporation (“Business Associate”). Covered Entity and Business Associate may each be referred to herein as a “Party”, or collectively, as the “Parties”. This Addendum supplements, amends, and is incorporated into the Underlying Agreement (defined below). This Addendum is effective as of the date electronically accepted by Covered Entity (the “Effective Date”).
By accepting this Addendum, you represent and warrant that (1) you have full legal authority to bind Covered Entity to this Addendum, (2) you have read and understood this Addendum, and (3) you agree, on behalf of Covered Entity, to the terms of this Addendum. If you do not have legal authority to bind Covered Entity, or have not read, understood, and agreed to these terms, do not click to accept this Addendum.
1.1 Covered Entity and Business Associate enter into this Addendum to comply with the requirements of Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), as amended, including the privacy, security, breach notification and enforcement rules at 45 C.F.R. Part 160 and Part 164, as well as the Health Information Technology for Economic and Clinical Health Act, enacted as part of the American Recovery and Reinvestment Act of 2009 (“HITECH”), as amended, and other applicable federal and state laws (collectively the “HIPAA Rules”).
1.2 This Addendum is intended to ensure that Business Associate will establish and implement appropriate safeguards for certain individually identifiable Protected Health Information relating to patients of Covered Entity (“PHI” as that term is defined below) that Business Associate may receive, create, maintain, use or disclose in connection with certain functions, activities and services that Business Associate performs for Covered Entity. The functions, activities and services that Business Associate performs and the terms of Covered Entity’s use of and access to those services are set forth in that certain Order Form entered into between the Parties (the “Underlying Agreement”).
2.1 Terms used but not otherwise defined in this Addendum shall have the same meaning as those terms in the HIPAA Rules, which definitions are incorporated in this Addendum by reference.
2.2 For purposes of this Addendum:
2.2.1 “Electronic Protected Health Information” or “ePHI” shall have the meaning given to such term under the Privacy Rule and the Security Rule, including, but not limited to, 45 C.F.R. 160.103, as applied to the information created, received, maintained or transmitted by Business Associate from or on behalf of Covered Entity.
2.2.2 “Individual” shall have the same meaning given to such term in 45 C.F.R. § 160.103 and shall include a person who qualifies as a personal representative in accordance with 45 C.F.R. § 164.502(g).
2.2.3 “Protected Health Information” or “PHI” shall have the meaning given to such term in 45 C.F.R. 160.103, limited to the information created, received, maintained or transmitted by Business Associate from or on behalf of Covered Entity.
2.2.4 “Privacy Rule” shall mean the Standards for Privacy of Individually Identifiable Health Information published in 45 C.F.R. Parts 160 and 164, Subparts A and E.
2.2.5 “Required by Law” shall have the meaning given to such term in 45 C.F.R. 164.103.
2.2.6 “Secretary” shall mean the Secretary of the Department of Health and Human Services or his or her designee.
2.2.7 “Security Rule” shall mean the Security Standards at 45 C.F.R. Part 160 and Part 164, Subparts A and C.
GENERAL OBLIGATIONS OF BUSINESS ASSOCIATE
3.1 Use and Disclosure. Business Associate agrees not to use or disclose PHI other than as permitted or required by this Addendum or as Required By Law. To the extent Business Associate is carrying out one or more of Covered Entity’s obligations under the Privacy Rule pursuant to the terms of the Underlying Agreement or this Addendum, Business Associate shall comply with the requirements of the Privacy Rule that apply to Covered Entity in the performance of such obligation(s).
3.2 Appropriate Safeguards. Business Associate shall use appropriate physical, technical and administrative safeguards, and shall comply with the Security Rule with respect to ePHI, to prevent use or disclosure of PHI other than as provided for by this Addendum or as Required by Law.
3.3 Mitigation. Business Associate agrees to mitigate, to the extent practicable and commercially reasonable, harmful effects known to Business Associate that directly result from a use or disclosure of PHI by Business Associate in knowing violation of this Addendum’s requirements, or that would otherwise cause a Breach of Unsecured PHI.
3.4 Breach Reporting. Business Associate shall report to Covered Entity any use or disclosure of PHI not permitted under this Addendum, Breach of Unsecured PHI, or Security Incident as required at 45 C.F.R. § 164.410. Business Associate’s notification to Covered Entity of a Breach shall include, to the extent reasonably possible: (i) the identification of each individual whose Unsecured PHI has been, or is reasonably believed by Business Associate to have been, accessed, acquired or disclosed during the Breach; and (ii) any particulars regarding the Breach that Covered Entity would need to include in its notification, as such particulars are identified in 45 C.F.R. § 164.404(c). For unsuccessful Security Incidents, Covered Entity and Business Associate agree that this paragraph constitutes notice of such Unsuccessful Security Incidents.
3.5 Subcontractors. In accordance with 45 C.F.R. §§ 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, Business Associate shall enter into a written agreement with any subcontractor that creates, receives, maintains or transmits PHI on behalf of the Business Associate for services provided to Covered Entity, which provides that the subcontractor agrees to terms that are consistent with the restrictions, conditions and requirements that apply to the Business Associate with respect to such information.
3.6 Access to PHI. Business Associate agrees to provide access to PHI in a Designated Record Set to the Covered Entity. If an Individual makes a request for access pursuant to 45 C.F.R. § 164.524 directly to Business Associate, or inquires about his or her right to access, Business Associate shall forward it to Covered Entity. Any response to such request shall be the responsibility of Covered Entity.
3.7 Minimum Necessary Requirement. Business Associate agrees that when requesting, using or disclosing PHI in accordance with 45 C.F.R. § 502(b)(1) that such request, use or disclosure shall be to the minimum extent necessary, including the use of a “limited data set” as defined in 45 C.F.R. § 164.514(e)(2), to accomplish the intended purpose of such request, use or disclosure, as interpreted under related guidance issued by the Secretary from time to time.
3.8 Amendment of PHI. Business Associate agrees to make PHI contained in a Designated Record Set available to Covered Entity for amendment pursuant to 45 C.F.R. § 164.526. If an Individual makes a request for amendment pursuant to 45 C.F.R. § 164.526 directly to Business Associate, or inquires about his or her right to access, Business Associate shall forward it to Covered Entity. Any response to such request shall be the responsibility of Covered Entity.
3.9 Accounting of Disclosures. Business Associate shall, upon written request, provide to Covered Entity information collected in accordance with Section 3.11 of this Addendum, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528. If any Individual requests an accounting of disclosures of PHI directly from Business Associate, Business Associate shall forward such request to Covered Entity. Any response to such request shall be the responsibility of Covered Entity.
3.10 Access to Policies and Records. Business Associate agrees to make its internal practices, books and records, including policies and procedures regarding PHI, relating to the use and disclosure of PHI and Breach of any Unsecured PHI received from Covered Entity, or created or received by the Business Associate on behalf of Covered Entity, reasonably available to the Secretary for the purpose of Covered Entity or the Secretary determining compliance with the HIPAA Rules.
3.11 Documentation of Disclosures. Business Associate shall document such disclosures of PHI and information related to such disclosures to the extent reasonably necessary to assist Covered Entity in responding to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528. Business Associate shall document the following information (“Disclosure Information”): (i) the date of the disclosure, (ii) the name and, if known, the address of the recipient of the PHI, (iii) a brief description of the PHI disclosed, and (iv) the purpose of the disclosure.
PERMITTED USES AND DISCLOSURES BY BUSINESS ASSOCIATE
4.1 General Uses and Disclosures. Business Associate agrees to receive, create, use or disclose PHI only as permitted by this Addendum, the HIPAA Rules, and only in connection with providing services to Covered Entity; provided that the use or disclosure would not violate the Privacy Rule if done by Covered Entity, except as set forth in this Article 4.
4.2 Business Associate may use or disclose PHI as required by applicable law, including as Required by Law. Business Associate may also:
4.2.1 Use PHI for the proper management and administration of Business Associate, or to carry out its legal responsibilities.
4.2.2 Disclose PHI for the proper management and administration of Business Associate or to carry out legal responsibilities of Business Associate, provided that the disclosures are Required by Law, or Business Associate obtains prior written reasonable assurances from the person to whom the information is disclosed that the information will remain confidential and used or further disclosed only as Required by Law or for the purposes for which it was disclosed to the person, and the person notifies the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached, in accordance with the Breach notification requirements of this Addendum.
4.2.3 Use PHI to provide Data Aggregation Services to Covered Entity as requested by Covered Entity or as generally described in the Underlying Agreement or as otherwise permitted under the HIPAA Rules. Business Associate may also de-identify PHI to the extent permitted under the HIPAA Regulations.
OBLIGATIONS OF COVERED ENTITY
5.1 Covered Entity shall:
5.1.1 Notify Business Associate of any limitation(s) in its Notice of Privacy Practices in accordance with 45 C.F.R. 164.520, to the extent that such limitation may affect Business Associate’s use or disclosure of PHI.
5.1.2 Notify Business Associate of any restriction to the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 C.F.R. § 164.522, to the extent that such changes may affect Business Associate’s use or disclosure of PHI.
5.1.3 Notify Business Associate of any changes in or revocation of permission by an individual to use or disclose his or her PHI, to the extent that such change or revocation may affect Business Associate’s permitted or required uses and disclosures of PHI.
5.2 Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under the Privacy Rule or the Security Rule if done by Covered Entity, except as provided under Article 4 of this Addendum.
5.3 Covered Entity shall be responsible for providing Breach notifications to the Secretary of the United States Department of Health and Human Services, and the media, as required by the HIPAA Rules. Any notice to the media under this Section 5.3 shall be approved by Business Associate, such approval not to be unreasonably withheld.
TERM AND TERMINATION
6.1 Term. This Addendum shall be in effect as of the Effective Date and shall terminate on the earlier of the date that:
6.1.1 Either Party terminates this Addendum for cause, as authorized under Section 6.2.
6.1.2 The Underlying Agreement expires or is terminated by either Party in accordance with the terms and conditions set forth therein.
6.2 Termination for Cause. Upon either Party’s knowledge of material breach by the other Party, the breaching Party shall have an opportunity to cure the breach or end the violation. If the breaching Party does not cure the breach or end the violation within thirty (30) days, or if a material term of this Addendum has been breached and a cure is objectively not possible within thirty (30) days, the non-breaching Party may immediately terminate this Addendum.
6.3 Obligations of Business Associate Upon Termination. Upon termination of this Addendum for any reason, Business Associate shall ensure that all PHI received from Covered Entity, or created, maintained, or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity within forty-five (45) days from the termination date. Termination of this Addendum will automatically terminate the Underlying Agreement. Notwithstanding the foregoing, Business Associate shall retain all PHI necessary to carry out its legal responsibilities or comply with applicable law.
7.1 Amendment. The Parties agree to take such action as is necessary to amend this Addendum to comply with the requirements of the HIPAA Rules and any other applicable law.
7.2 Survival. The respective rights and obligations of Business Associate under Article 6.3 of this Addendum shall survive the termination of this Addendum.
7.3 Regulatory References. A reference in this Addendum to a section of the HIPAA Rules means the section as in effect and/or amended.
7.4 Entire Agreement, Severability. This Addendum constitutes the entire agreement between the Parties related to the subject matter of this Addendum, except to the extent that the Underlying Agreement(s), if any, impose more stringent requirements related to the use and protection of PHI upon Business Associate. This Addendum supersedes all prior negotiations, discussions, representations or proposals, whether oral or written. This Addendum may not be modified unless done so in writing and signed by a duly authorized representative of both Parties. If any provision of this Addendum, or part thereof, is found to be invalid, the remaining provisions shall remain in effect.
7.5 Assignment. This Addendum will be binding on the successors and assigns of Covered Entity and Business Associate. However, this Addendum may not be assigned by either Party, in whole or in part, without the written consent of the other Party, except that either Party may assign this Addendum as a whole in connection with any permitted assignment of the Underlying Agreement without such consent. Any attempted assignment in violation of this provision shall be null and void.
7.6 Multiple Counterparts. This Addendum may be executed in two or more counterparts, each of which shall be deemed an original.
7.7 Governing Law. Except to the extent preempted by federal law, this Addendum shall be governed by and construed in accordance with the law governing the Underlying Agreement.