HIPAA Business Associate Agreement
Effective starting: 1 February, 2022
This HIPAA Business Associate Agreement (“BAA”) applies only if so designated in the Quote, is between Creative Force Ltd. (Malta) and Client, and supplements the Software-as-a-service Terms and Conditions (“Terms”) solely with respect to Covered Services. Capitalized terms in this schedule are defined below or in the Terms.
Together with the Terms, this BAA governs each party’s respective obligations regarding Protected Health Information (PHI) and to Creative Force in its capacity as Business Associate of Client in its capacity as a Covered Entity.
“Business Associate“: as defined under HIPAA, and includes Creative Force Ltd. (Malta).
“Covered Entity“: as defined under HIPAA, and includes Client.
“Covered Services“: the Business Associate services described in the Quote and provided pursuant to the Terms.
“Designated Record Set“: as defined under HIPAA.
“HIPAA“: the US Health Insurance Portability and Accountability Act of 1996 and the rules and regulations thereunder, as amended.
“Protected Health Information” or “PHI“: as defined under HIPAA and for purposes of this BAA is limited to PHI to which Business Associate has access through the Covered Services in connection with Client’s permitted use thereof.
“Security Breach“: any Breach of Unsecured PHI or Security Incident (as those terms are defined under HIPAA) of which Business Associate becomes aware.
“Services Agreement“: the Quote and the Terms entered into between Business Associate and Client for provision of the Covered Services.
2. Use and disclosure of PHI
- Subject to this BAA, Business Associate may use and disclose PHI that it receives pursuant to the provision of Covered Services, solely as permitted or required by the Services Agreement and/or this BAA and as permitted or required by applicable law, and in connection with Business Associate’s provision of Covered Services exclusively for Client’s benefit. All use and disclosure of PHI shall be limited to the minimum extent needed for the intended purpose.
- Business Associate shall comply with the HIPAA Security Rule (as that term is defined under HIPAA) and will use appropriate administrative, technical, and physical safeguards for the protection of the confidentiality, integrity and availability of data that may contain PHI that Business Associate receives, maintains, or transmits on Client’s behalf.
- Business Associate may use and disclose PHI for the proper management and administration of Business Associate’s business and to carry out the legal responsibilities of Business Associate pursuant to the provision of Covered Services, provided that any disclosure of PHI for such purposes may only occur if: (i) required or permitted by applicable law; or (ii) Business Associate obtains written reasonable assurances from the person to whom PHI will be disclosed that it will be held in confidence, and used only for the purpose for which it was disclosed. Business Associate shall limit access to PHI to those Business Associate staff members who require such access because of their role or function, and only pursuant to written confidentiality obligations consistent with this BAA.
- Business Associate may also use PHI to create de-identified information in a manner consistent with the standards stated in HIPAA, and may use or disclose such de-identified PHI for any purpose. Such de-identified PHI is not subject to this BAA.
- Except as otherwise allowed by HIPAA, Business Associate shall not “sell” (as that term is defined in HIPAA) an individual’s PHI unless Client or Business Associate obtains from the individual, to the extent required by HIPAA, a valid authorization that includes a specification of whether the PHI can be further exchanged for remuneration. For clarity, a “sale” does not include transfers of information in connection with a merger, acquisition or sale of business involving Business Associate.
- Business Associate may use and disclose PHI as required by law.
3. Client obligations
- Client is solely responsible for managing whether Client’s employees, agents, contractors, and end users are authorized to share, disclose, create, and/or use PHI within the Covered Services.
- Client shall provide Business Associate with written notice of privacy practices that Client produces in accordance with HIPAA’s Privacy Rule, and any changes or limitations thereof, to the extent that such practices, changes or limitations may affect Business Associate’s use or disclosure of PHI.
- Client will not request that Business Associate or the Covered Services use or disclose PHI in any manner that would not be permissible under HIPAA if done by Client or by the Covered Entity to which Client is a Business Associate (unless expressly permitted under HIPAA).
4. Appropriate safeguards
Business Associate and Client will each use appropriate and reasonable technical and security safeguards designed to prevent against unauthorized use or disclosure of PHI, and as otherwise required under HIPAA, with respect to the Covered Services.
- Subject to section 5.4, Business Associate will promptly notify Client following Business Associate’s discovery of a Security Breach in accordance with HIPAA and in the most expedient time possible under the circumstances, consistent with the legitimate needs of applicable law enforcement and applicable laws, and after taking any measures Business Associate deems necessary to determine the scope of the Security Breach and to restore the integrity of Business Associate’s systems. For purposes of this schedule, a Security Breach will not include an acquisition, access, use, or disclosure of PHI with respect to which Business Associate has determined in accordance with HIPPA that there is a low probability that PHI has been compromised. Client acknowledges that Business Associate’s compliance with reporting obligations under HIPAA or this BAA will not be construed as an admission of Business Associate’s fault or liability under applicable law.
- To the extent practicable, Business Associate will use commercially reasonable efforts to mitigate any further harmful effects of a Security Breach caused by Business Associate. For clarity, mitigation efforts as described by this section do not include payment of compensation for past harm.
- Business Associate will send any applicable Security Breach notifications to the notification email address provided by Client in the Services Agreement or via direct communication with the Client.
- Notwithstanding section 5.1, this section 5.4 will be deemed as notice to Client that Business Associate may periodically receive or be the subject of unsuccessful attempts for unauthorized access, use, disclosure, modification or destruction of information, or interference with the general operation of Business Associate’s information systems. Client acknowledges and agrees that even if such events constitute a Security Incident as that term is defined under HIPAA, Business Associate will not be required to provide any notice under this BAA regarding such unsuccessful attempts other than this section 5.4.
- For clarity, the parties agree that this section 5 applies only to discovered incidents, breaches, or unauthorized disclosures that Business Associate knows involves the unauthorized use or disclosure of PHI.
Business Associate will take appropriate measures to ensure that any subcontractors used by Business Associate to perform its obligations under the Services Agreement that require access to PHI on behalf of Business Associate are bound by written obligations that provide a substantially similar level of protection for PHI as this BAA.
7. Access and modification rights
- Client acknowledges that Client is solely responsible for the form and content of PHI maintained by Client within the Covered Services, and for the establishment and/or maintenance of Designated Record Sets. Business Associate will have no obligations to any person with respect to the rights afforded to persons by HIPAA with respect to Designated Record Sets, including rights of access or amendment of PHI. Client is solely responsible for responding to such requests. For access requests that involve more than three person hours of work, Business Associate may charge a reasonable access fee in accordance with HIPAA.
- Within fifteen calendar days following Client’s request, Business Associate shall make available to Client for inspection and copying PHI about any individual that is in a Designated Record Set maintained by the Business Associate, if any, so that Client may meet its access obligations under HIPAA, in the form and format specified by Client if it is readily producible in such format, or, if not readily producible in such format, in an alternative readable electronic format mutually agreed. Any denial of a request by an individual to access PHI maintained by Business Associate requested shall be the sole responsibility of Client.
- Upon receipt of written notice from Client, Business Associate shall promptly amend or permit Client access to amend any portion of an individual’s PHI in a Designated Record Set maintained by Business Associate, if any, so that Client may meet its obligations under HIPAA. Any denial of a request by an individual to amend PHI maintained by Business Associate shall be the sole responsibility of Client.
8. Accounting of disclosures
Business Associate will document disclosures of PHI by Business Associate and provide an accounting of such disclosures to Client as and to the extent required of a Business Associate under HIPAA and in accordance with the requirements applicable to a Business Associate under HIPAA.
9. Access to records
To the extent required by law, and subject to applicable attorney-client privileges, Business Associate will make its practices, books, and records concerning the use and disclosure of PHI created or received by Client available to the Secretary of the U.S. Department of Health and Human Services for the purpose of determining compliance with this BAA.
10. Expiration and termination
- This BAA will terminate on the earlier of (i) a permitted termination in accordance with section 10.2 below, or (ii) the expiration or termination of the Services Agreement, or (iii) the termination of Covered Services for any reason.
- If either party materially breaches this BAA, the non-breaching party may terminate this BAA on 30 days’ written notice to the breaching party unless the breach, if curable, is cured within such 30-day period.
11. Return / destruction of information
On termination of the Services Agreement, Business Associate will if feasible return or destroy all PHI created or received by Client; provided, however, that if such return or destruction is not feasible, Business Associate will extend the protections of this BAA to such PHI not returned or destroyed, and will limit further uses and disclosures for those purposes that make the return or destruction infeasible, or to the extent otherwise permitted or required by HIPAA.
- Any ambiguity in this BAA shall be resolved in favor of a meaning that permits Client and Business Associate to comply with HIPAA.
- Nothing express or implied in the Services Agreement or this BAA is intended to confer, nor will anything therein confer, upon any person other than the Parties and their respective successors or assigns, any rights, remedies, obligations or liabilities whatsoever.
- This BAA is governed and construed in accordance with the law designated in the Services Agreement. If any controversy, dispute, or claim arises between the parties with respect to this BAA, the parties shall make good faith efforts to resolve such matters informally and in accordance with the dispute resolution terms specified in the Services Agreement.