Business Associate Agreement
This BUSINESS ASSOCIATE AGREEMENT (this “BAA”) is made by and between User Zoom, Inc. (“UserZoom”) and Customer (as defined in the Agreement) and is effective as of the date of electronic acceptance of this BAA by the Customer (“Effective Date”). Capitalized terms used in this BAA without definition shall have the respective meanings assigned to such terms in the Administrative Simplification section of the Health Insurance Portability and Accountability Act of 1996, the Health Information Technology for Economic and Clinical Health Act and their implementing regulations as amended from time to time (collectively, “HIPAA”) and/or the Agreement (as appropriate).
BY ACCEPTING THIS BAA OR USING THE SERVICES, AS DEFINED IN THE AGREEMENT, YOU AGREE TO THESE TERMS AND CONDITIONS. IF YOU ARE ENTERING INTO THIS BAA ON BEHALF OF A COMPANY OR OTHER LEGAL ENTITY, YOU REPRESENT THAT YOU HAVE THE AUTHORITY TO BIND SUCH ENTITY AND ITS AFFILIATES TO THESE TERMS AND CONDITIONS. IF YOU DO NOT HAVE SUCH AUTHORITY, OR IF YOU DO NOT AGREE WITH THESE TERMS AND CONDITIONS, YOU MUST NOT ACCEPT THIS BAA AND MAY NOT USE USERZOOM SERVICES FOR THE STORAGE OR TRANSMISSION OF PROTECTED HEALTH INFORMATION.
WHEREAS, Customer and UserZoom are parties to that certain agreement setting forth certain services that may require UserZoom to have access to Protected Health Information (as defined below) (the “ Agreement”); and
WHEREAS, it is the intent of Customer and UserZoom to amend the Agreement, as described in this BAA, for the parties to comply with HIPAA.
NOW THEREFORE, in consideration of the mutual promises and covenants contained herein and other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, Customer and UserZoom agree as follows:
1. General provisions
a. Effect. The provisions of this BAA shall control with respect to Protected Health Information that UserZoom receives from or on behalf of Customer (“PHI”), and in the event of any conflicting or inconsistent terms, the following order of precedence shall apply: this BAA, any data processing agreement agreed between the parties (“DPA”), then the Agreement. Except as set forth in the preceding sentence, this BAA shall not modify or supersede any other provision of the Agreement and for the avoidance of doubt, any restrictions on the collection or processing of personal information or data (including without limitation, PHI) contained in the Agreement and the DPA shall continue to apply and will remain in full force and effect (and shall not be deemed to conflict with the terms of this BAA).
b. No Third Party Beneficiaries. The parties have not created and do not intend to create by this BAA any third party rights, including, but not limited to, third party rights for Customer.
c. HIPAA Amendments. Any future amendments to HIPAA requiring an update to business associate agreements are hereby incorporated by reference into this BAA as if set forth in this BAA in their entirety, effective on the later of the effective date of this BAA or such subsequent date as may be specified by HIPAA.
d. Regulatory References. A reference in this BAA to a section in HIPAA means the section as it may be amended from time to time.
e. Independent Contractor Status. The parties acknowledge and agree that UserZoom is at all times acting as an independent contractor of Customer and not as an agent or employee of Customer under the Agreement.
f. Definitions. Any capitalized term not specifically defined herein shall have the same meaning as is set forth in 45 C.F.R. Parts 160 and 164, where applicable. The terms “required by law,” “use,” “disclose” and “discovery,” or derivations thereof, although not capitalized herein, shall also have the same meanings set forth in HIPAA.
2. Obligations of Company
a. Use and Disclosure of PHI. UserZoom may use and disclose PHI as permitted or required to perform the contracted services under the Agreement, the DPA, this BAA and as required by law, but shall not otherwise use or disclose any PHI. UserZoom shall not use or disclose PHI received from Customer in any manner that would constitute a violation of HIPAA if so used or disclosed by Customer (except as set forth in Sections 2.1(a), (b) and (c) of this BAA). To the extent UserZoom carries out any of Customer’s obligations under the HIPAA privacy standards, UserZoom shall comply with the requirements of the HIPAA privacy standards that apply to Customer in the performance of such obligations. Without limiting the generality of the foregoing, UserZoom is permitted to use or disclose PHI as set forth below:
ⅰ. UserZoom may use PHI internally for UserZoom’s proper management and administration or to carry out its legal responsibilities;
ⅱ. UserZoom may disclose PHI to a third party for UserZoom’s proper management and administration, provided that the disclosure is required by law or UserZoom obtains reasonable assurances from the third party to whom the PHI is to be disclosed that the third party will (1) protect the confidentiality of the PHI, (2) only use or further disclose the PHI as required by law or for the purpose for which the PHI was disclosed to the third party and (3) notify Covered Entity of any instances of which the third party is aware in which the confidentiality of the PHI has been breached;
ⅲ. UserZoom may use PHI to provide data aggregation services; and
ⅳ. UserZoom may use PHI to create de-identified health information in accordance with the HIPAA de-identification requirements. UserZoom may disclose de-identified health information for any purpose permitted by law.
a. Safeguards. UserZoom shall use appropriate safeguards to prevent the use or disclosure of PHI other than as permitted or required by this BAA. In addition, UserZoom shall implement Administrative Safeguards, Physical Safeguards and Technical Safeguards that reasonably and appropriately protect the Confidentiality, Integrity and Availability of PHI transmitted or maintained in Electronic Media (“EPHI”) that it creates, receives, maintains or transmits on behalf of Customer. UserZoom shall comply with the HIPAA Security Rule with respect to EPHI.
b. Minimum Necessary Standard. To the extent required by the “minimum necessary” requirements of HIPAA, UserZoom shall only request, use and disclose the minimum amount of PHI necessary to accomplish the purpose of the request, use or disclosure.
c. Mitigation. UserZoom shall take reasonable steps to mitigate, to the extent practicable, any harmful effect (that is known to UserZoom) of a use or disclosure of PHI by UserZoom in violation of this BAA.
d. Subcontractors. To the extent required under HIPAA, UserZoom shall enter into a written agreement meeting the requirements of 45 C.F.R. §§ 164.504(e) and 164.314(a)(2) with each Subcontractor (including, without limitation, a Subcontractor that is an agent under applicable law) that creates, receives, maintains or transmits PHI on behalf of UserZoom, and UserZoom shall ensure that the written agreement with each Subcontractor obligates the Subcontractor to comply with restrictions and conditions that substantially the same as the restrictions and conditions that apply to UserZoom under this BAA.
e. Reporting Requirements.
ⅰ. If UserZoom becomes aware of a use or disclosure of PHI in violation of this BAA by UserZoom or a third party to which UserZoom disclosed PHI, UserZoom shall report any such use or disclosure to Customer without unreasonable delay.
ⅱ. UserZoom shall report any actual, successful Security Incident to Customer in writing without unreasonable delay.
ⅲ. The parties acknowledge and agree that this Section 2.6(c) constitutes notice by UserZoom to Customer of the ongoing existence and occurrence of attempted but unsuccessful Security Incidents for which no additional notice to Customer shall be required. Unsuccessful Security Incidents shall include, but not be limited to, pings and other broadcast attacks on UserZoom’s firewall, port scans, unsuccessful log-on attempts, denials of service and any combination of the above, so long as such incidents do not result, to the extent UserZoom is aware, in unauthorized access, use or disclosure of EPHI.
ⅳ. UserZoom shall, following the discovery of a Breach of Unsecured PHI, notify Customer of such Breach in accordance with 45 C.F.R. § 164.410 without unreasonable delay and in no case later than 60 days after discovery of the Breach.
a. Access to PHI. UserZoom agrees to make available PHI in a Designated Record Set as necessary for Customer or any Covered Entity client of Customer, as applicable, as applicable, to meet the requirements under 45 C.F.R. §164.524.
b. Availability of PHI for Amendment. UserZoom agrees to make any amendment(s) to the PHI as necessary for Customer or any Covered Entity client of Customer, as applicable, to meet the requirements under 45 C.F.R. §164.526.
c. Accounting of Disclosures. UserZoom agrees to document such Disclosures of PHI and information related to such Disclosures as would be required for Customer or any Covered Entity client of Customer, as applicable, to respond to a request by an Individual for an accounting of Disclosures of PHI in accordance with 45 C.F.R. §164.528.
d. Availability of Books and Records. Following reasonable advance written notice, UserZoom shall make its internal practices, books and records relating to the use and disclosure of PHI received from, or created or received by UserZoom on behalf of, Customer or any Covered Entity client of Customer, as applicable, available to the Secretary for purposes of determining Covered Entity’s/ compliance with HIPAA.
3. Obligations of Covered Entity
a. Permissible Requests. Customer shall not request UserZoom to use or disclose PHI in any manner that would not be permissible under HIPAA if done directly by Customer (except as provided in Sections 2.1(a), (b) and (c) of this BAA).
b. Minimum Necessary PHI. When Customer discloses PHI to UserZoom, Customer shall provide the minimum amount of PHI necessary for the accomplishment of UserZoom’s purpose.
c. Permissions; Restrictions. Customer represents and warrants that it has obtained and will obtain any consents, authorizations and/or other legal permissions required under HIPAA and other applicable law for the disclosure of PHI to and use of PHI by UserZoom in accordance with the Agreement and this BAA. Customer shall notify UserZoom of any changes in, or revocation of, the permission by an Individual to use or disclose his or her PHI, to the extent that such changes may affect UserZoom’s use or disclosure of PHI. Customer shall not agree to any restriction on the use or disclosure of PHI under 45 C.F.R. § 164.522 that restricts UserZoom’s use or disclosure of PHI under this BAA unless such restriction is required by law or UserZoom grants its written consent, which consent shall not be unreasonably withheld. Customer shall indemnify and hold harmless UserZoom and its directors, officers, employees, agents, servants or independent contractors from and against any and all claims, damages, liability, costs and expenses (including reasonable attorneys’ fees and costs) arising out of Customer’s breach of this Section 3.3.
d. Notice of Privacy Practices. Except as required by law, with UserZoom’s consent or as set forth in the Agreement or this BAA, Customer shall not include any limitation in the Customer’s notice of privacy practices that limits UserZoom’s use or disclosure of PHI under the Agreement. In the event Customer limits UserZoom’s use or disclosure of PHI under the Agreement in any manner, Customer shall notify UserZoom of such restriction of its use or disclosure of PHI as soon as reasonably practicable without undue delay.
4. Termination of Agreement
a. Termination Upon Breach of Provisions Applicable to PHI. Any other provision of the Agreement notwithstanding, the Agreement and this BAA may be terminated by either party (the “Non-Breaching Party”) upon 30 days advance written notice to the other party (the “Breaching Party”) in the event that the Breaching Party breaches any provision contained in this BAA in any material respect and such breach is not cured to the reasonable satisfaction of the Non-Breaching Party within such 30-day period. For the avoidance of doubt, termination of this BAA does not entitle either party to terminate the Agreement or any ordering document thereunder (e.g., an order form or SOW).
b. Return or Destruction of PHI upon Termination. Upon expiration or earlier termination of this BAA, UserZoom shall either return or destroy all PHI received from Customer or created or received by UserZoom on behalf of Customer and which UserZoom still maintains in any form. Notwithstanding the foregoing, to the extent that UserZoom reasonably determines that it is not feasible to return or destroy such PHI, the terms and provisions of this BAA shall survive termination of the Agreement and such PHI shall be used or disclosed solely for such purpose or purposes which prevented the return or destruction of such PHI.
5. Miscellaneous
This BAA and the documents referred to in it (including the Agreement) constitute the entire understanding and agreement of the parties in relation to the processing of PHI and supersede all prior agreements, discussions, negotiations, arrangements and understandings of the parties and/or their representatives in relation to such processing. This BAA may be executed in two counterparts, each of which shall be deemed an original but both of which together shall constitute one and the same instrument. Copies of signatures sent by facsimile transmission or scanned and sent by email are deemed to be originals for purposes of execution and proof of this BAA.
