Date of Last Revision: October 4, 2021
This Business Associate Agreement (“Agreement”) is an addendum to the services agreement between the Parties (the “Underlying Agreement”) that includes a reference to where this Agreement is posted and is effective as of the effective date of the Underlying Agreement. This Agreement is entered into by and between Dataclay, LLC (“Dataclay”) as Business Associate and the Dataclay customer that is the other party to the Underlying Agreement (“Company”) as Covered Entity, as each of those terms are defined in the Health Insurance Portability and Accountability Act of 1996, as codified at 42 U.S.C. § 1320d (“HIPAA”), the Health Information Technology for Economic and Clinical Health Act of 2009, as codified at 42 U.S.C. § 17901 et seq. (“HITECH Act”), and any applicable current and future regulations promulgated under HIPAA or the HITECH Act (HIPAA, HITECH Act and any applicable current and future regulations promulgated under either are referred to as the “Regulations”)
This Agreement sets forth the terms and conditions with respect to the handling of PHI pursuant to the HIPAA Standards for Privacy of Individually Identifiable Health Information, 45 C.F.R. Part 160 and Part 164, Subparts A and E (“Privacy Rule”), the HIPAA Security Standards, 45 C.F.R. Part 160 and Part 164, Subparts A and C (“Security Rule”), the HIPAA Breach Notification Regulations, 45 C.F.R. Part 164, Subpart D (“Breach Notification Rule”), and the HITECH Act, all as amended.
Capitalized terms used in this Agreement and not otherwise defined have the meanings set forth in the Privacy Rule, Security Rule, and the Breach Notification Rule, which definitions are incorporated in this Agreement by reference.
“Electronic Protected Health Information” or “Electronic PHI” has the meaning given under the Privacy Rule and the Security Rule, including, but not limited to, 45 C.F.R. § 160.103, as applied to the Electronic PHI that Dataclay creates, receives, maintains, or transmits from or on behalf of Company.
“Protected Health Information” or “PHI” has the same meaning as the term “protected health information” in 45 C.F.R. § 160.103, as applied to the PHI created, received, maintained, or transmitted by Dataclay from or on behalf of Company.
- Permitted Uses and Disclosures of PHI
- Uses and Disclosures of PHI Pursuant to the Underlying Agreement. Dataclay may Use or Disclose PHI only as necessary to perform Services, or as otherwise expressly permitted in this Agreement or Required by Law, and will not further Use or Disclose such PHI.
- Dataclay Management, Administration, and Legal Responsibilities. Dataclay may Use PHI for Dataclay’s management and administration, or to carry out Dataclay’s legal responsibilities. Dataclay may Disclose PHI to a third party for such purposes only if: (a) the Disclosure is Required by Law; or (b) Dataclay obtains reasonable assurances from the recipient that the recipient will: (i) hold the PHI confidentially; (ii) Use or Disclose the PHI only as Required by Law or for the purpose for which it was Disclosed to the recipient; and (iii) notify Dataclay of any instances in which it is aware that the confidentiality of the information has been breached.
- Data Aggregation. Dataclay may Use PHI to provide Data Aggregation services for the Health Care Operations of the Company as permitted by 45 C.F.R. § 164.504(e)(2)(i)(B).
- De-identified Data. Dataclay may de-identify PHI in accordance with 45 C.F.R. § 164.514(b) and may Use or Disclose such de-identified data unless prohibited by applicable law.
- Company Responsibilities. Except as expressly provided in the Underlying Agreement or this Agreement, Dataclay will not assume any obligations of Company under the Privacy Rule. To the extent Dataclay is to carry out Company’s obligations under the Privacy Rule, Dataclay will comply with the requirements of the Privacy Rule that apply to Company’s compliance with such obligations.
- Obligations of Dataclay
- Appropriate Safeguards. Dataclay will implement and maintain appropriate administrative, physical, and technical safeguards to comply with the Security Rule with respect to Electronic PHI, to prevent Use or Disclosure of such information other than as provided for by the Underlying Agreement and this Agreement.
- Reporting of Improper Use or Disclosure, Security Incident or Breach. Dataclay will report to Company any Use or Disclosure of PHI not permitted under this Agreement, Breach of Unsecured PHI or any Security Incident, without unreasonable delay, and in no event more than fifteen (15) business days following Discovery; provided, however, that the parties acknowledge and agree that this Section constitutes notice by Dataclay to Company of the ongoing existence and occurrence of attempted but Unsuccessful Security Incidents. “Unsuccessful Security Incidents” will include, but not be limited to, pings and other broadcast attacks on Dataclay’s firewall, port scans, unsuccessful log-on attempts, denials of service and any combination of the above, so long as no such incident results in unauthorized access to, Use or Disclosure of PHI. Dataclay’s notification to Company of a Breach will comply with the requirements set forth in 45 C.F.R. § 164.404.
- Dataclay’s Subcontractors. If any subcontractor of Dataclay creates, receives, maintains, or transmits PHI on behalf of Dataclay for the Services provided to Company, Dataclay agrees to enter into an agreement with such subcontractor that ensures subcontractor will implement and maintain appropriate administrative, physical, and technical safeguards to comply with the Security Rule with respect to Electronic PHI and to prevent Use or Disclosure of such information other than as provided for by the Underlying Agreement and this Agreement.
- Access to PHI. To the extent Dataclay agrees in the Underlying Agreement to maintain any PHI in a Designated Record Set that is not duplicative of a Designated Record Set maintained by Company, Dataclay will make such PHI available to Company within 15 business days of Dataclay’s receipt of a written request from Company. Company is solely responsible for: (a) making all determinations regarding the grant or denial of an Individual’s request for PHI contained in a Designated Record Set, and Dataclay will make no determinations; (b) releasing PHI contained in a Designated Record Set to an Individual pursuant to a request; and (c) all associated costs and liabilities.
- Amendment of PHI. To the extent Dataclay agrees in the Underlying Agreement to maintain any PHI in a Designated Record Set that is not duplicative of a Designated Record Set maintained by Company, Dataclay agrees to make the information available to Company for amendment within 20 business days of Dataclay’s receipt of a written request from Company.
- Accounting of Disclosures. Dataclay will provide to Company, within 30 business days of Dataclay’s receipt of a written request from Company, an accounting of Disclosures of PHI as is required to permit Company to respond to a request by an Individual for an accounting of Disclosures of PHI in accordance with 45 C.F.R. § 164.528.
- Governmental Access to Records. Dataclay will make its internal practices, books and records relating to the Use and Disclosure of PHI available to the Secretary for purposes of the Secretary determining compliance with the Privacy Rule, the Security Rule, or the Breach Notification Rule.
- Mitigation. To the extent practicable, Dataclay will cooperate with Company’s efforts to mitigate a harmful effect that is known to Dataclay of a Use or Disclosure of PHI by Dataclay that is not permitted by this Agreement.
- Minimum Necessary. To the extent required by the “minimum necessary” requirements under HIPAA, Dataclay will only request, Use, and Disclose the minimum amount of PHI necessary to accomplish the purpose of the request, Use, or Disclosure.
- Company Obligations
Company will notify Dataclay 15 business days, if practicable, prior to the effective date of: (a) any limitations in its notice of privacy practices in accordance with 45 C.F.R. § 164.520; (b) any changes in, or revocation of, permission by an Individual to Use or Disclose PHI; or (c) any restriction to the Use or Disclosure of PHI that Company has agreed to in accordance with 45 C.F.R. § 164.522. Company will make a notification to the extent that the limitation, restriction, or change may affect Dataclay’s Use or Disclosure of PHI in connection with the Services, and, with respect to those changes described in (b) and (c), Company will take all necessary measures to ensure that Dataclay will not receive any PHI following the date of any changes in or revocation of permission described in (b) or any restriction described in (c) and will assume any associated liabilities.
- Term and Termination
- Term. The term of this Agreement commences on the Effective Date and automatically terminates upon the termination of the Underlying Agreement.
- Termination for Cause. Upon either party’s knowledge of a material breach by the other party of this Agreement, the non-breaching party may terminate this Agreement immediately if cure is not possible. Otherwise, the non-breaching party will provide written notice to the breaching party detailing the nature of the breach and providing an opportunity to cure the breach within 20 business days. Upon the expiration of the 20 day cure period, the non-breaching party may terminate this Agreement. Termination under this section will terminate this Agreement solely as it applies to the Services giving rise to the material breach.
- Effect of Termination.
- Except as provided in Section 5.3.2, upon termination of this Agreement for any reason, Dataclay will return or destroy all PHI that Dataclay or its subcontractor maintain in any form or format, at Company’s expense.
- If Dataclay believes that returning or destroying PHI upon termination of this Agreement for any reason is infeasible, Dataclay will: (a) extend the protections of this Agreement to the PHI; and (b) limit further Uses and Disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Dataclay maintains the PHI.
- The rights and obligations of Dataclay under Section 5.3 of this Agreement will survive the termination of this Agreement.
- Cost Reimbursement
In the event of a Breach caused solely by Dataclay or its employees or subcontractors and notice to Individuals is required pursuant to the Breach Notification Rule, Dataclay agrees to reimburse Company for the reasonable and substantiated costs related to the following: providing notifications to affected individuals, the media, or the Secretary, providing credit monitoring services to the affected individuals, if appropriate, for up to one (1) year, any fines and penalties assessed against Company directly attributable to a Breach by Dataclay or its employees or subcontractors, investigation costs, and mitigation efforts required under the Privacy Rule or Security Rule.
- Cooperation in Investigations
Each party will cooperate in good faith with the other party in connection with any request by a federal or state governmental authority for additional information and documents or any governmental investigation, complaint, action or other inquiry.
- Compliance with Law
The parties are required to comply with federal and state laws regarding the protection of PHI as defined by HIPAA. If this Agreement must be amended to secure such compliance, the parties will meet in good faith to agree upon non-financial terms to amend this Agreement.
- Construction of Terms. The terms of this Agreement will be construed in light of any applicable interpretation or guidance on the Privacy Rule, the Security Rule, or the Breach Notification Rule issued by HHS.
- Governing Law. This Agreement is governed by, and will be construed in accordance with, the laws of the State that govern the Underlying Agreement.
- Assignment. Neither Company nor Dataclay may assign this Agreement without prior written consent from the other party, which will not be unreasonably withheld; provided, however, either party may assign this Agreement to the extent that they are permitted to assign the Underlying Agreement. Nothing in this Agreement will confer any right, remedy, or obligation upon anyone other than Company and Dataclay.
- Notices. All notices relating to the parties’ legal rights and remedies under this Agreement: (a) will be provided in writing to a party; (b) will be sent to its address set forth in the Underlying Agreement, or to such other address as may be designated by that party by notice to the sending party; and (c) will reference this Agreement.
- Incorporation into Underlying Agreement. This Agreement modifies and supplements the terms and conditions of the Underlying Agreement, will be considered an attachment to the Underlying Agreement and is incorporated as though fully set forth within the Underlying Agreement. This Agreement will govern in the event of conflict or inconsistency with any provision of the Underlying Agreement. For the avoidance of doubt, the Parties’ respective liability under this Agreement is subject to the limitations of liability contained in the Underlying Agreement.
- Counterparts. This Agreement may be executed in two or more counterparts, each of which is considered an original and when taken together constitutes one agreement. Facsimile and electronic signatures are considered original signatures for all purposes of this Agreement.
- Relationship of Parties. Each party is an independent contractor of the other party. Neither party can bind the other party or create any right or obligation for the other party.