User Business Associate Agreement Addendum ("BAA")
This BAA sets forth the basis upon which Wondr Medical complies with the Health Insurance Portability and Accountability Act of 1996 and the security provisions of the American Recovery and Reinvestment Act of 2009, also known as the Health Information Technology for Economic and Clinical Health Act), each as amended and their implementing regulations (collectively, “HIPAA”). User is a covered entity (“Covered Entity” or “CE”) as such term is defined under HIPAA. By providing Services pursuant to the Terms of Service (“Terms”) and receiving Protected Health Information for or on behalf of CE, Wondr Medical shall be a business associate (“Business Associate” or “BA”) of CE, as such term is defined under HIPAA, and will therefore have obligations regarding the confidentiality and privacy of Protected Health Information that BA receives from, creates, maintains, transmits or otherwise processes for or on behalf of CE (‘”Protected Health Information” or “PHI”), as specified herein. All capitalized terms used but not otherwise defined herein will have the meaning ascribed to them by HIPAA.
1. Obligations of Business Associate.
(A) General Compliance with Law.
BA warrants that it, its agents and its subcontractors: (i) shall use or disclose PHI only in connection with fulfilling its duties and obligations under this BAA and the Terms; (ii) shall not use or disclose PHI other than as permitted or required by this BAA or Required by Law; (iii) shall not use or disclose PHI in any manner that violates applicable federal and state laws or would violate such laws if used or disclosed in such manner by CE; and (iv) shall only use and disclose the minimum necessary PHI for its specific purposes.
(B) Use and Disclosure of Protected Health Information
Subject to the restrictions set forth throughout this BAA, BA may use the information received from CE if necessary for (i) the proper management and administration of BA; (ii) to carry out the legal responsibilities of BA; or (iii) product development purposes. Subject to the restrictions set forth in throughout this BAA, BA may disclose PHI for the proper management and administration of BA, provided that: (i) disclosures are Required by Law, or (ii) BA obtains reasonable assurances from the person or entity to whom the information is disclosed that it will remain confidential and used or further disclosed only as Required by Law or for the purpose for which it was disclosed to the person or entity, and the person or entity notifies BA of any instances of which it is aware in which the confidentiality of the information has been breached.
(C) Assumption of Covered Entity Obligations
To the extent that BA is to carry out any of CE’s obligations that are regulated by HIPAA, BA shall comply with the HIPAA requirements that apply to the CE in the performance of such obligation.
BA shall employ appropriate administrative, technical and physical safeguards, consistent with the size and complexity of BA’s operations, to protect the confidentiality of PHI and to prevent the use or disclosure of PHI in any manner inconsistent with the terms of this BAA. BA shall comply, where applicable, with Subpart C of 45 C.F.R. Part 164 with respect to electronic PHI to prevent use or disclosure of such electronic PHI other than as provided for by this BAA.
(E) Availability of Books and Records
BA shall permit the Secretary of the U.S. Department of Health and Human Services and other regulatory and accreditation authorities to audit BA’s internal practices, books and records at reasonable times as they pertain to the use and disclosure of PHI in order to ensure that CE and/or BA is in compliance with the requirements of HIPAA.
(F) Individuals’ Rights to Their PHI
I. Access to Information
To the extent BA maintains PHI in a Designated Record Set, BA, within ten (10) business days upon receipt of written request by CE, shall make available to CE such PHI. In the event that any Individual requests access to PHI directly from BA, BA shall forward such request to CE within five (5) business days. CE will be responsible for making all determinations regarding the grant or denial of an Individual’s request for PHI and BA will make no such determinations. Except as Required by Law, only CE will be responsible for releasing PHI to an Individual pursuant to such a request. Any denial of access to PHI determined by CE pursuant to 45 CFR Section 164.524, and conveyed to BA by CE, shall be the responsibility of CE, including resolution or reporting of all appeals and/or complaints arising from denials.
II. Amendment of Information
To the extent BA maintains PHI in a Designated Record Set, BA shall, within ten (10) business days upon receipt of a written request by CE, make available to CE such PHI. In the event that any Individual requests amendment of PHI directly from BA, BA shall forward such request to CE within five (5) business days. CE will be responsible for making all determinations regarding the grant or denial of an Individual’s request for an amendment to PHI and BA will make no such determinations. Any denial of amendment to PHI determined by CE pursuant to 45 CFR Section 164.526, and conveyed to BA by CE, shall be the responsibility of CE, including resolution or reporting of all appeals and/or complaints arising from denials. Within ten (10) business days of receipt of a request from CE to amend an Individual’s PHI in the Designated Record Set, BA shall incorporate any approved amendments, statements of disagreement, and/or rebuttals into its Designated Record Set as required by 45 CFR Section 164.526.
III. Accounting of Disclosures
BA shall, within ten (10) business days of a written request by CE for an accounting of disclosures of PHI about an Individual, make available to CE such PHI. BA shall provide CE with the following information: (a) the date of the disclosure; (b) the name of the entity or person who received the PHI, and if known, the address of such entity or person; (c) a brief description of the PHI disclosed; and (d) a brief statement of the purpose of such disclosure. In the event that any Individual requests an accounting of disclosures of PHI directly from BA, BA shall forward such request to CE within five (5) business days. CE will be responsible for preparing and delivering an accounting to Individual. BA shall implement an appropriate record keeping process to enable it to comply with the requirements of this BAA.
(G) Disclosure to Subcontractors and Agents
Notwithstanding anything to the contrary in the Terms, BA, subject to the restrictions set forth in this provision, may use subcontractors to fulfill its obligations under this BAA. BA shall obtain and maintain a written agreement with each subcontractor or agent that has or will have access to PHI, which is received from, or created or received by, BA for or on behalf of CE, pursuant to which such subcontractor and agent agrees to be bound by the same restrictions, terms, and conditions that apply to BA under this BAA with respect to such PHI.
(H) Reporting Obligations
In the event of a Breach of any Unsecured PHI that BA accesses, maintains, retains, modifies, records, or otherwise holds or uses on behalf of CE, BA shall report such Breach to CE as soon as practicable, but in no event later than ten (10) business days after the date the Breach is discovered. Notice of a Breach shall include, to the extent such information is available: (i) the identification of each individual whose PHI has been, or is reasonably believed to have been, accessed, acquired, or disclosed during the Breach; (ii) the date of the Breach, if known, and the date of discovery of the Breach; (iii) the scope of the Breach; and (iv) the BA’s response to the Breach. In the event of any successful Security Incident, BA shall report such Security Incident in writing to CE within ten (10) business days of the date on which BA becomes aware of such Security Incident. The parties acknowledge that unsuccessful Security Incidents that occur within the normal course of business shall not be reported pursuant to this BAA. Such unsuccessful Security Incidents include, but are not limited to, port scans or “pings” and unsuccessful log-on attempts. In the event of a use or disclosure of PHI that is improper under this BAA but does not constitute a Breach or successful Security Incident, BA shall report such use or disclosure to CE within ten (10) business days after the date on which BA becomes aware of such use or disclosure.
BA will identify and respond internally to any suspected or known Breach of any Unsecured PHI, Security Incident or other improper use or disclosure of PHI, and will mitigate, to the extent practicable, their harmful effects, document their outcomes, and provide documentation of any successful Security Incident and Breach of any Unsecured PHI to CE upon request.
2. Covered Entity Obligations.
CE shall not request BA to use or disclose PHI in any manner that would violate applicable federal and state laws if such use or disclosure were made by CE. CE may request BA to disclose PHI directly to another party only for the purposes allowed by HIPAA. Additionally, CE shall notify BA of any: (i) limitation in any applicable notice of privacy practices in accordance with 45 CFR Section 164.520, to the extent that such limitation may affect BA’s use or disclosure of PHI; (ii) changes in, or revocation of, permission by Individual to use or disclose PHI, to the extent that such changes may affect BA’s use or disclosure of PHI; and (iii) any restriction to the use or disclosure of PHI that CE has agreed to in accordance with 45 CFR Section 164.522, to the extent that such restriction may affect BA’s use or disclosure of PHI.
3. Term and Termination.
(A) General Term and Termination
This BAA shall become effective on the date on which CE acknowledges and agrees to the terms the Terms and shall terminate upon the termination or expiration of the Terms and when all PHI provided by either party to the other, or created or received by BA on behalf of CE is, in accordance with this Section, destroyed, returned to CE, or protections are extended.
(B) Material Breach
If either party has knowledge of a material breach by the other party of this BAA, the non-breaching party shall provide the breaching party with an opportunity to cure. Where said breach is not cured to the reasonable satisfaction of the non-breaching party within twenty (20) business days of the breaching party’s receipt of notice from the non-breaching party of said breach, the non-breaching party shall, if feasible, terminate this BAA and the portion(s) of the Terms affected by the breach. Where either party has knowledge of a material breach by the other party and cure is not possible, the non-breaching party shall, if feasible, terminate this BAA and the portion(s) of the Terms affected by the breach.
(C) Return or Destruction of PHI
Upon termination of this BAA for any reason, BA shall: (i) if feasible as determined by BA, return or destroy all PHI received from, or created or received by BA for or on behalf of CE that BA or any of its subcontractors and agents, and BA shall retain no copies of such information; or (ii) if BA determines that such return or destruction is not feasible, extend the protections of this BAA to such information and limit further uses and disclosures to those purposes that make the return or destruction of the PHI infeasible, in which case BA’s obligations under this Section shall survive the termination of this BAA. Notwithstanding the foregoing, BA may retain a copy of PHI received from, or created or received by BA for or on behalf of CE which is necessary for BA to continue its proper management and administration or to carry out its legal responsibilities, provided that BA extend the protections of this BAA to such information.
If any of the regulations promulgated under HIPAA are amended or interpreted in a manner that renders this BAA inconsistent therewith, the parties shall amend this BAA to the extent necessary to comply with such amendments or interpretations. Any ambiguity in this BAA shall be resolved to permit the parties to comply with HIPAA. In the event that any terms of this BAA conflict with any terms of the Terms, the terms of this BAA shall govern and control. The provisions of this BAA shall be severable, and if any provision of this BAA shall be held or declared to be illegal, invalid or unenforceable, the remainder of this BAA shall continue in full force and effect as though such illegal, invalid or unenforceable provision had not been contained herein.
Any notices pertaining to this BAA shall be given in writing and shall be deemed duly given when BA’s notice to CE is given via email and regular mail to CE’s last known address provided by CE to BA. Notice given by the CE to BA shall be send by email to firstname.lastname@example.org with a copy by regular mail to: Finsgate, 5-7 Cranwood Street, London, UK EC1V 9EE.