HIPAA Business Associate Agreement

This HIPAA Business Associate Agreement (this “BAA”) is an addendum to the Aiva Software End User License Agreement (the “EULA”; together with each Order Form you enter into in connection therewith and this BAA, collectively, the “Agreement”), between you and Aiva, Inc. (“Aiva”).  This BAA defines the rights and responsibilities of you and Aiva, respectively, with respect to Protected Health Information (defined below).  This BAA shall be applicable only if and to the extent that Aiva meets, with respect to you and your use of the Services (as defined in the EULA), the definition of a “Business Associate” set forth at 45 C.F.R. §160.103, or applicable successor provisions.  If applicable, then as of the date that Aiva becomes your Business Associate, this BAA automatically shall apply and become part of the Agreement.

You should carefully review all of the terms and conditions in this BAA, together with all of the terms and conditions of the EULA and each Order Form, before signing an Order Form and before commencing access and use of the Licensor’s Software.  By signing an Order Form and by accessing and using the Licensed Software you are accepting and agreeing to be bound by all of the terms, conditions, restrictions, and requirements of the Agreement, including this BAA.

1. Definitions.

Capitalized terms used, but not otherwise defined, in this BAA shall have the same meaning as those terms in the HIPAA Rules.

(a) “Business Associate” means Aiva, Inc., a Delaware corporation, on its own behalf and on behalf of its affiliates (any entity that is owned or that is under common control with one of its entities).

(b) “Covered Entity” means you.

(c) “HIPAA” means the Health Insurance Portability and Accountability Act of 1996 as amended and the rules promulgated thereunder, as each may be amended from time to time.

(d) “HIPAA Rules” means, collectively, the Privacy Rule, Security Rule, Breach Notification Rule and Enforcement Rule, set forth at 45 C.F.R. Parts 160, 162 and 164, under HIPAA, each as amended.

(e) “Parties” means Business Associate and Covered Entity together; each a “Party”.

(f) “PHI” shall have the same meaning as the term “protected health information” in 45 C.F.R. §160.103, limited to the information created, received, maintained, or transmitted by Business Associate from or on behalf of Covered Entity pursuant to this BAA. PHI shall include electronic PHI or “ePHI,” which is a subset of PHI that is maintained or transmitted in electronic media.

(g) “Unsuccessful Security Incident” shall mean pings and other broadcast attacks on a firewall, port scans, unsuccessful log-on attempts, denials of service, or other similar attempted but unsuccessful Security Incident, or a combination thereof, so long as no such incident results in unauthorized access, use or disclosure of PHI.

2. Permitted Uses and Disclosure of PHI.

(a) Business Associate may use or disclose PHI to perform functions, activities or services for, or on behalf of, Covered Entity in accordance with the Services Agreement or as Required by Law.

(b) Business Associate may use PHI for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate.

(c) Business Associate may disclose PHI for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate if the disclosure is Required by Law or Business Associate obtains reasonable assurances from the person to whom information is disclosed that (i) it will be held confidentially and used or further disclosed only as Required by Law or for the purpose for which it was disclosed and (ii) such person will notify Business Associate of any instances of which it is aware in which the confidentiality of the PHI has been breached.

(d) Except as otherwise limited in this BAA, Business Associate may use PHI to provide Data Aggregation services as permitted by 45 C.F.R. § 164.504(e)(2)(i)(B).

(e) Business Associate may de-identify PHI in accordance with the standards set forth in 45 C.F.R. § 164.514(b) and may use or disclose such de-identified data for any purpose.

3. Obligations and Activities of Business Associate.  Business Associate agrees to:

(a) not use or disclose PHI other than as permitted by this BAA or as Required by Law, nor use or disclose PHI in a manner that would violate the Privacy Rule if done by Covered Entity, except as otherwise permitted by this BAA or the HIPAA Rules.

(b) request, use and disclose the minimum amount of PHI necessary to accomplish the purpose of the request, use or disclosure, in accordance with 45 C.F.R. § 164.514(d), and any amendments thereto.

(c) use appropriate safeguards and to comply with the Security Rule with respect to ePHI to prevent the use or disclosure of PHI other than as provided for by this BAA.

(d) mitigate, to the extent practicable, any harmful effect that is or becomes known to Business Associate or Covered Entity of a use or disclosure of PHI by Business Associate or any of its employees, agents, contractors, or subcontractors in violation of the requirements of this BAA or in violation of the HIPAA Rules.

(e) report to Covered Entity any use or disclosure of PHI not permitted under this BAA, Breach of Unsecured PHI or Security Incident, without unreasonable delay, and in any event no more than ten (10) business days following discovery; provided, however, that the Parties acknowledge and agree that this Section constitutes notice by Business Associate to Covered Entity of the ongoing existence and occurrence of Unsuccessful Security Incidents.

(f) in accordance with 45 C.F.R. §164.308(b)(2) and §164.502(e)(1)(ii), enter into a written contract with subcontractors that create, receive, maintain or transmit PHI on behalf of Business Associate. Such contract shall require that the subcontractor agree to substantially the same restrictions and conditions that apply to Business Associate with respect to PHI in this BAA.

(g) to the extent that Business Associate has PHI contained in a Designated Record Set, provide access to the Individual’s PHI in a Designated Record Set as necessary to satisfy Covered Entity’s obligations under 45 C.F.R. §164.524.

(h) to the extent that Business Associate has PHI contained in a Designated Record Set, respond to requests for amendment(s) to PHI in a Designated Record Set as necessary to satisfy Covered Entity’s obligations under 45 C.F.R. §164.526.

(i) maintain and make available the information required to provide an accounting of disclosures to the Individual as necessary to satisfy Covered Entity’s obligations under 45 C.F.R. §164.528.

(j) make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary for purposes of the Secretary determining Covered Entity’s compliance with the HIPAA Rules.

4. Obligations of Covered Entity.  Covered Entity agrees to:

(a) notify Business Associate of any limitation(s) in its notice of privacy practices in accordance with 45 C.F.R. § 164.520, to the extent that such limitation may affect Business Associate’s use or disclosure of PHI.

(b) obtain any consent or authorization that may be required by the Privacy Rule, or applicable state law, prior to furnishing Business Associate with PHI.  Covered Entity shall notify Business Associate of any changes in, or revocation of, permission by an Individual to use or disclose PHI, to the extent that such changes may affect Business Associate’s use or disclosure of PHI.

(c) notify Business Associate of any restriction to the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 C.F.R. § 164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of PHI.

(d) not request Business Associate to use or disclose PHI in any manner that would not be permissible under the HIPAA Rules if done by Covered Entity, except as otherwise permitted under this BAA and the HIPAA Rules.

5. Term and Termination.

(a) Term. This BAA shall be effective as of the Effective Date and shall terminate upon the first to occur of the following: (i) the termination of the Agreement; or (ii) the termination of this BAA pursuant to Section 5(b) below. The provisions of Section 5(c) shall survive any termination of this BAA.

(b) Termination for Cause. Upon Covered Entity’s knowledge of a material breach by Business Associate, Covered Entity shall either:

(1) Provide an opportunity for Business Associate to cure the breach and end the violation within a reasonable time designated by Covered Entity, and terminate this BAA and the Agreement if Business Associate does not cure the breach or end the violation within the time specified by Covered Entity; or

(2) Immediately terminate this BAA and the Agreement if Business Associate has breached a material term of this BAA and Covered Entity has determined that cure is impossible.

(c) Effect of Termination.

(1) Except as provided in Section 5(c)(2) below, upon termination of the Agreement or this BAA for any reason, Business Associate shall return or destroy all PHI received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity, and shall retain no copies of the PHI.

(2) In the event that Business Associate reasonably determines that returning or destroying the PHI is infeasible, Business Associate shall extend the protections of this BAA to such PHI and limit further uses and disclosures of PHI to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains the PHI.

6. Miscellaneous.

(a) Independent Contractor. Business Associate shall be considered, for all purposes, an independent contractor, and Business Associate will not, directly or indirectly, act as agent, servant or employee of Covered Entity or make any commitments or incur any liabilities on behalf of Covered Entity without its express written consent.  Nothing in this BAA shall be deemed to create an employment, principal-agent or partner relationship between the Parties.

(b) General. This BAA is governed by, and shall be construed in accordance with, the laws of the state that govern the Agreement.  Any action relating to this BAA must be commenced within one (1) year after the date upon which the cause of action accrued. Covered Entity shall not assign this BAA without the prior written consent of Business Associate, which shall not be unreasonably withheld.  If any part of a provision of this BAA is found illegal or unenforceable, it shall be enforced to the maximum extent permissible, and the legality and enforceability of the remainder of that provision and all other provisions of this BAA shall not be affected.  All notices relating to the Parties’ legal rights and remedies under this BAA shall be provided in writing to a Party, shall be sent to its address set forth in the Agreement, or to such other address as may be designated by that Party by notice to the sending Party, and shall reference this BAA.  Nothing in this BAA shall confer any right, remedy, or obligation upon anyone other than Covered Entity and Business Associate.  This BAA is the complete and exclusive agreement between the Parties with respect to the subject matter hereof, superseding and replacing all prior agreements, communications, and understandings (written and oral) regarding its subject matter.

(c) Amendment. This BAA may be modified, or any rights under it waived, only by a written document executed by the authorized representatives of both Parties.  In addition, if any relevant provision of the HIPAA Rules is amended in a manner that changes the obligations of Business Associate or Covered Entity that are embodied in terms of this BAA, then the Parties agree to negotiate in good faith appropriate non-financial terms or amendments to this BAA to give effect to such revised obligations.

(d) Effect of BAA. In the event of any inconsistency between the provisions of this BAA and the Agreement, the provisions of this BAA shall control.  In the event that a court or regulatory agency with authority over Business Associate or Covered Entity interprets the mandatory provisions of the HIPAA Rules, in a way that is inconsistent with the provisions of this BAA, such interpretation shall control.  Where provisions of this BAA are different from those mandated in the HIPAA Rules, but are nonetheless permitted by such rules as interpreted by courts or agencies, the provisions of this BAA shall control.