Business Associate Agreement
This Business Associate Agreement (BAA) forms an agreement between Egress Software Technologies, Inc., a Massachusetts corporation (We, Us, Our) and you, the organisation acting as a Covered Entity or a Business Associate under HIPAA during your use of Our Services (you, your). It supplements the Master Subscription Agreement between you and Us (the MSA) and is incorporated by reference into the MSA. If there is any conflict between this BAA and the MSA in respect of the parties’ respective privacy and security obligations in respect of PHI, the terms of this BAA shall control.
- Capitalized words and phrases used in this BAA have the meanings given below or in HIPAA. If not defined below or in HIPAA, they have the meanings given in the MSA.
- Business Associate: the meaning given in 45 CFR § 160.103 of HIPAA.
- Covered Entity: the meaning given in 45 CFR § 160.103 of HIPAA.
- Disclosure: the release, transfer, provision of access to, or divulging in any manner of information outside the entity holding the information, and Disclose shall be interpreted accordingly.
- HIPAA: the federal Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, as amended by Subtitle D of the Health Information Technology for Economic and Clinical Health Act, and their implementing regulations.
- HIPAA Privacy Rule: the Privacy, Security, Breach Notification and Enforcement Rules at 45 CFR Parts 160 and 164.
- PHI: Protected Health Information as defined in 45 CFR § 160.103, provided that it is limited to such Protected Health Information that is actually received by Us or Our Group from, or created, received, maintained, or transmitted by Us or Our Group on your behalf through your use of the Services.
- In this BAA: (a) the terms including, includes or any similar expression shall be construed as illustrative and will not limit the scope of words that follow them; (b) references to writing or written includes email (except that email cannot be used for serving notices connected to legal proceedings); and (c) any obligation on a party not to do something includes an obligation not to allow that thing to be done.
- As part of your use of the Services, you may transfer, store, share, host or Disclose to Us certain information which may constitute PHI.
- In Our role as provider of the Services to you, We may at times perform the role of a Business Associate.
- This BAA ensures that where We act as a Business Associate on your behalf, the privacy and security of your PHI is protected in compliance with the HIPAA Privacy Rule.
- Group companies and Users. If you are an organisation with more than one Group company or User, you are responsible for your own compliance and that of your Group companies and Users with this BAA.
3. Our responsibilities and permitted use
- Performance of our agreement. To the extent that We act as a Business Associate on your behalf then, subject to the terms of this BAA, We, Our Group and relevant sub-contractor business associates may Use or Disclose PHI for or on behalf of you in order to perform Our obligations under this BAA and/or the MSA (provided that such Use or Disclosure would not violate HIPAA if done by you). In such circumstances We agree to: (a) not Use or Disclose PHI other than as permitted or required by the MSA, this BAA, or as required by law or agreed to by you; and (b) use reasonable and appropriate safeguards and comply with 45 CFR Part 164 Subpart C with respect to electronic PHI, to prevent Use or Disclosure of PHI other than as provided for in this BAA. We may also use and disclose PHI for Our proper management and administration or to carry out our legal responsibilities, provided that if PHI is disclosed, such disclosure is required by law, or We obtain reasonable assurance from the person to whom the PHI is disclosed that the PHI will remain confidential and used or further disclosed only as required by law or for the purposes for which it was disclosed to the person or entity, and the person or entity agrees to notify Us of any instances in which the confidentiality of the PHI has been compromised of which it becomes aware.
- You acknowledge and agree that the provision by Us of the Services to you, your Group, Users and Recipients does not constitute a prohibited Use or Disclosure under 45 CFR § 164.502(a)(5)(i), and you have obtained any and all necessary consents, authorizations or permissions required by applicable law for Us to provide the Services.
- Reporting. To the extent that We act as a Business Associate on your behalf, We agree to report to you any: (a) Use or Disclosure of PHI not permitted or required by this BAA or the MSA of which We become aware; (b) breaches of unsecured PHI of which We become aware as required at 45 CFR 164.410; and (c) security incidents of which We become aware (provided that notice is hereby deemed given in respect of Unsuccessful Security Incidents and no further notice of such incidents shall be required or given). Notifications in this Section will be made by Us without unreasonable delay. Any notification or response to a breach is not, and will not be construed as, acknowledgement by Us, Our Group or any relevant sub-contractor business associate of any fault or liability in respect to it.
- Sub-contractor Business Associates. In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), We will require that relevant sub-contractor business associates who maintain, store or transmit your PHI on behalf of Us or a member of Our Group pursuant to this BAA: (a) agree to substantially similar restrictions and conditions that apply to Us with respect to such PHI; and (b) use reasonable and appropriate safeguards and comply with 45 CFR Part 164 Subpart C with respect to electronic PHI, to prevent Use or Disclosure of PHI other than as provided for in this BAA.
- Disclosure to the Secretary. We agree to make Our internal practices, books, and records relating to the PHI that We receive from you available to the Secretary of the US Department of Health and Human Services for purposes of determining your compliance with the HIPAA Privacy Rule (subject to attorney-client and other applicable legal privileges).
- No marketing. We shall not use PHI for Marketing and shall not violate the HIPAA prohibition on the sale of PHI.
4. Availability of PHI
- Limited access. You acknowledge and agree that since the nature of the Services that We provide to you does not consist of regular access or management of PHI by Us, Our Group or Sub-Processor business associate: (a) We may not be able to make available PHI to the extent and in the manner required by 45 CFR § 164.524; (b) We cannot make PHI available for amendment or incorporate any amendments to PHI in accordance with the requirements of 45 CFR § 164.526; and (c) We cannot make PHI available for purposes of accounting of Disclosures, as required by 45 CFR § 164.528. You expressly acknowledge that these requirements shall be your sole responsibility.
- Restrictions on Disclosures. We agree to comply with any requests for restrictions on certain Disclosures of PHI pursuant to 45 CFR § 164.522 which you have agreed to and which you notify to Us in writing. You agree that the provision of the Services (including the encryption, transmission, or decryption of Content and PHI) will not breach the terms of this Section 2 and that compliance with any restrictions on Disclosures of PHI shall be the sole responsibility of you and the entities and individuals to, and with, whom you exchange PHI.
5. Your obligations
- You are responsible for your own compliance with HIPAA including appropriate privacy and security safeguards to protect PHI.
- You must not include PHI in any requests that you make to Us through Support.
- You will not ask Us, any member of Our Group or any relevant Sub-Processor to Use or Disclose PHI in any manner that would not be permitted under HIPAA if done by a Covered Entity (unless permitted for a Business Associate under HIPAA).
- We do not act as, and will not have the responsibilities or obligations of, a Business Associate, once the PHI is sent from the Services over the Internet as directed by you.
7. Term and termination
- Term. This BAA is incorporated by reference into the Egress Master Subscription Agreement referenced on your Order Form or signed by you. It comes into force on the date of the first Order Form signed by you for Services that you use to process PHI. It remains in full force until the earlier of: (a) termination in accordance with this Section 7; (b) termination or expiry of the MSA; or (c) Us ceasing to act as a Business Associate on your behalf in the provision of the Services.
- Termination for cause. A party to this BAA may terminate it: (a) immediately by notice to the other if the other is in material breach of this BAA and that breach is not remediable; or (b) by 30 days' written notice to the other of a material breach if that breach remains unremedied at the expiry of that period.
- Consequences of termination or expiry. Following termination or expiry of this BAA We will securely destroy all PHI in your accounts to the fullest extent technically possible in the circumstances and will have no obligation to store it and no liability to you for its destruction and disposal. If such return or destruction is not feasible, then We will extend the protections of this BAA to the relevant PHI and limit further Uses and Disclosures to those purposes that make the destruction of the information not feasible. In addition, the other consequences of termination set out in the MSA shall apply where the MSA is also terminating or expiring.
- Notices. You hereby agree that any reports, notifications or other notices by Us under this BAA may be sent to you electronically. You must provide Us with appropriate contact information (including contact name, title, role, email address, contact telephone number, and the name of the organisation(s) for which they are responsible). You will ensure that this information remains up-to-date whilst this BAA is in force. Failure to do so may delay or inhibit Our ability to provide you with information and notifications.
- Third-party rights. There are no third-party beneficiaries under this BAA.
- Interpretation in favor. This BAA and/or the MSA shall be interpreted as broadly as necessary to implement and comply with the mandatory provisions of HIPAA. Both parties agree that this BAA shall be interpreted in favor of their intent to comply with HIPAA and the HIPAA Regulations and therefore any ambiguity shall be resolved in favor of a meaning that complies and is consistent with those laws.
- No change to the MSA. Except where this BAA conflicts with the MSA in which case the terms of this BAA shall control solely with respect to the subject matter herein, all other provisions of the MSA remain unchanged.
- Amendments and variations. Amendments to this BAA may not be made orally. This BAA may be amended by Us from time to time where necessary to comply with changes to applicable law or to reflect how Our Services operate (provided that We may not detract or diminish the protections afforded under the preceding version). Changes will be effective once posted on Our website. This Section shall not apply to any document or information referred to at a URL within the terms of this BAA which may be updated from time to time by Us.
- Liability. Our liability under or in connection with this BAA is subject to the limitations on liability contained in the MSA.
- Ownership of PHI. As between you and Us, any PHI transferred, stored, shared, hosted or otherwise Disclosed under the terms of this BAA shall be deemed to be your and your Group companies’ (as applicable) exclusive property. In no event will We claim any rights with respect to it.
- Governing law and jurisdiction. This BAA shall be governed by and interpreted in accordance with the laws of the State of Delaware (without regard to choice or conflict of law rules), and the Courts of Boston, Massachusetts shall have exclusive jurisdiction over any claims, disputes, actions or proceedings arising under or in relation to this BAA.