HIPAA Business Associate Agreement
Updated: 10 February 2020
This GoReact Business Associate Agreement (“BA Agreement”) is entered into by and between SpeakWorks, Inc., d/b/a GoReact, a Delaware corporation (“GoReact” or “Business Associate”) and the customer (“Covered Entity” or “Customer”) named below or in one or more Order Forms governed by a GoReact Customer Terms Agreement (the “Agreement“), where this BA Agreement is incorporated therein by reference, and forms part of the Agreement between GoReact and Customer relating to the provision of the Service (as defined in the Agreement) to Customer by GoReact.
WHEREAS, pursuant to the federal Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the Health Information Technology for Economic and Clinical Health Act, the U.S. Department of Health and Human Services issued Standards for Privacy of Individually Identifiable Health Information (the “Privacy Rule”), Security Standards for the Protection of Electronic Protected Health Information (the “Security Rule”) and Breach Notification Standards for Unsecured Protected Health Information (the “Breach Notification Rule”) at 45 CFR parts 160 and 164;
WHEREAS, the Privacy Rule requires certain entities to have their Business Associates with whom the entities may share Protected Health Information (as such term is defined in the Privacy Rule) to agree to certain provisions related to the use and disclosure of such Protected Health Information (the “Business Associate Contract Provisions”); and
WHEREAS, the Security Rule and the Breach Notification Rule impose obligations on Covered Entities and their Business Associates that must be addressed in the Business Associate Contract Provisions.
Now therefore, the parties hereby agree as follows:
Capitalized terms used, but not otherwise defined, in this BA Agreement shall have the same meaning as those terms in the Privacy Rule, the Security Rule and the Breach Notification Rule, and if no such definition is provided in such rules, then the meaning shall be that given to such capitalized term in the Agreement to which this BA Agreement is incorporated.
2. Obligations and Activities of GoReact.
(a) GoReact agrees to not use or further disclose Protected Health Information received from or on behalf of Customer or created for Customer (collectively, “PHI”) other than as permitted or required by the Agreement or as Required By Law. GoReact further agrees that, when using or disclosing PHI, it shall limit PHI, to the extent practicable, to a limited data set as defined in 45 CFR 164.514(e)(2) or, if a limited data set is not practicable, limit PHI to the minimum amount of PHI reasonably necessary to accomplish the intended purpose of such use or disclosure.
(b) GoReact agrees to use appropriate safeguards to prevent use or disclosure of the PHI other than as provided for by the Agreement and this BA Agreement, including implementing administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic PHI that it creates, receives, maintains, or transmits on behalf of Customer. GoReact further agrees to comply with the requirements of the Security Rule.
(c) GoReact agrees to report to Customer any use or disclosure of PHI that is not provided for by the Agreement or this BA Agreement of which it becomes aware. GoReact also agrees to notify Customer of any Breach of Unsecured PHI in accordance with 45 CFR 164.410; such notification shall be made in as expeditious a manner as possible and in no event later than thirty (30) calendar days after discovery, as defined in 45 CFR 164.410(a)(2), and shall comply with the requirements of the Breach Notification Rule. GoReact shall also, without unreasonable delay, but in no event later than five (5) business days after becoming aware of any Security Incident that is not an Unsuccessful Security Incident (as defined herein), report the successful Security Incident to Covered Entity. Covered Entity acknowledges that GoReact experiences Unsuccessful Security Incidents from time to time. Covered Entity acknowledges receipt of this report of Unsuccessful Security Incidents. “Unsuccessful Security Incident” means an immaterial Security Incident that does not involve an unauthorized use or disclosure of Unsecured Protected Health Information.
(d) Customer acknowledges that GoReact may use Subcontractors. GoReact agrees to ensure that any Subcontractor to whom it provides PHI received from, or created or received by GoReact on behalf of, Customer, agrees to protect such PHI in a manner consistent with the terms, restrictions, and conditions of this BA Agreement.
(e) GoReact agrees to provide access, at the request of Customer, to PHI in a Designated Record Set to Customer in order to meet the requirements under 45 CFR 164.524, by making the Service available to Customer under the Agreement.
(f) GoReact agrees to make any amendment(s) to PHI in a Designated Record Set that the Customer directs or agrees to pursuant to 45 CFR 164.526 by making the Service available to Customer under the Agreement.
(g) GoReact agrees to make internal practices, books, and records, including policies and procedures and PHI, relating to the use and disclosure of PHI received from, or created or received by GoReact on behalf of, Customer available to the Secretary, in a time and manner designated by the Customer or the Secretary and not materially disruptive of GoReact’s operations or business, for the purposes of the Secretary determining Customer’s or GoReact’s compliance with the Privacy Rule. GoReact shall reasonably cooperate with Customer and Secretary in responding to the Secretary’s requests. All information provided by GoReact pursuant to this provision shall remain “Confidential Information” under the Agreement and subject to the restrictions on disclosure of such information as set forth therein.
(h) GoReact agrees to document such disclosures of PHI and information related to such disclosures as would be required for Customer to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 CFR 164.528 and the regulations adopted pursuant to 42 USC 17935(c), and to reasonably cooperate with Customer in responding to such requests.
(i) GoReact agrees to provide to Customer or, at Customer’s direction, to an Individual, in a reasonable time and manner designated by Customer and not materially disruptive of GoReact’s operations or business, information collected in accordance with Section 2(h) of this BA Agreement, to permit Customer to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 CFR 164.528 and any regulations adopted pursuant to 42 USC 17935(c). All information provided by GoReact pursuant to this provision shall remain “Confidential Information” under the Agreement and subject to the restrictions on disclosure of such information as set forth therein. If GoReact receives a request directly from an Individual or the Individual’s designee, GoReact shall notify Customer as soon as reasonably practicable in order for the Parties to coordinate a response.
(j) To the extent GoReact carries out any of Customer’s obligations under the Privacy Rule, GoReact shall comply with the requirements of the Privacy Rule that apply to Customer in the performance of such obligations, provided that Customer advises GoReact of any such obligations which are not included in the Service under the Agreement.
(k) If, in the performance of its obligations set forth in Sections 2(g) through 2(j) (inclusive), and Sections 5(a) through 5(c) (inclusive), GoReact expends time and materials in addition to the Service to be provided by GoReact pursuant to the Agreement, GoReact shall provide Customer with an estimate of the fees for such time and materials. Upon the mutual agreement by Customer and GoReact as to the fees to be charged by GoReact for such time and materials, GoReact shall invoice Customer on a time and materials basis at the agreed-upon rate(s), and Customer shall pay GoReact all such fees in accordance with the payment terms of the Agreement.
3. Permitted Uses and Disclosures by GoReact.
Except as otherwise limited in this BA Agreement, GoReact may use or disclose PHI to perform functions, activities, or services for, or on behalf of, Customer as specified in the Agreement, provided that such use or disclosure would not violate the Privacy Rule if done by Customer or the minimum necessary policies and procedures of the Customer of which GoReact has been informed.
4. Specific Use and Disclosure Provisions.
(a) Except as otherwise limited in this BA Agreement, GoReact may use PHI for the proper management and administration of GoReact or to carry out the legal responsibilities of GoReact.
(b) Except as otherwise limited in this BA Agreement, GoReact may disclose PHI for the proper management and administration of GoReact only to provide the Service contemplated under the Agreement, or as Required by Law.
(c) GoReact may use PHI to create de-identified health information only in accordance with the Privacy Rule’s de-identification standards and may use the de-identified health information as permitted for de-identified PII in the Agreement.
5. Obligations of Customer.
(a) Customer shall provide GoReact with any limitations in its notice of privacy practices of Customer in accordance with 45 CFR 164.520, to the extent that such limitation may affect GoReact’s use or disclosure of PHI.
(b) Customer shall provide GoReact with any changes in, or revocation of, permission by Individual to use or disclose PHI, to the extent that such changes may affect GoReact’s use or disclosure of PHI.
(c) Customer shall notify GoReact in writing of any restriction to the use or disclosure of PHI that Customer has agreed to in accordance with 45 CFR 164.522, to the extent that such restriction may affect GoReact’s use or disclosure of PHI.
(d) Customer shall not request GoReact to use or disclose PHI in any manner that would not be permissible under the Privacy Rule if done by Customer.
6. Term and Termination.
(a) Term. The Term of this BA Agreement shall be effective as of the Effective Date of the Agreement, and shall terminate as provided for in the Agreement, or in Section 6(b) below.
(b) Termination For Cause. In addition to any termination rights set forth in the Agreement, in the event of a material breach of this BA Agreement, the other party shall either: (i) provide the breaching party with an opportunity to cure the breach or end the violation, and terminate the Agreement (including this BA Agreement) if the breaching party does not cure the breach or end the violation within sixty (60) days, or (ii) immediately terminate the Agreement (and this BA Agreement) if cure is not possible.
(c) Effect of Termination. Upon termination of this Agreement for any reason, GoReact, with respect to PHI received from Customer, or created, maintained, or received by GoReact on behalf of Customer, shall:
(i) Retain only that PHI which is necessary for GoReact to continue its proper management and administration or to carry out its legal responsibilities;
(ii) Continue to use appropriate safeguards and comply with the Privacy Rule with respect to electronic PHI to prevent use or disclosure of the PHI, other than as provided for in this Section, for as long as GoReact retains the PHI;
(iii) Not use or disclose the PHI retained by GoReact other than for the purposes for which such PHI was retained and subject to the same conditions set out in Sections 3 and 4 above which applied prior to termination; and
(iv) As directed by Customer, return or destroy the PHI retained by GoReact when it is no longer needed by GoReact for its proper management and administration or to carry out its legal responsibilities.
(a) Customer Rights and Remedies Upon Breach By GoReact. In the event GoReact fails to perform its obligations hereunder or otherwise breaches this BA Agreement, Customer may exercise all rights and remedies available to it under the Agreement, subject to applicable limitations of liability set forth in the Agreement or such other conditions as may apply to Customer rights or remedies.
(b) Amendment. The parties agree to take such action as is necessary to amend this BA Agreement from time to time as is necessary for Customer and GoReact to comply with the Privacy Rule and/or HIPAA. If, following good faith negotiations that shall not exceed ninety (90) calendar days from the date of the request for negotiations, the parties are unable to agree on the modifications to the terms of the Agreement that may be necessary or appropriate in order for Customer or GoReact to comply with the Privacy Rule and/or HIPAA, either party shall have the right to terminate the Agreement without cause as of a date specified in a notice of termination, such date to be no less than thirty (30) days following the effective date of such notice.
(c) Survival. The respective rights and obligations of GoReact under Section 6(c) of this BA Agreement shall survive the termination of the Agreement.
(d) Interpretation. Any ambiguity in this BA Agreement shall be resolved in favor of a meaning that permits Customer and GoReact to comply with the Privacy Rule, Security Rule and Breach Notification Rule.
(e) Regulatory References. A reference in this BA Agreement to a section in the Privacy Rule, Security Rule or Breach Notification Rule, as applicable, means the section as in effect or as amended.
(f) In the event of any conflict between the terms and conditions of this BA Agreement and the terms and conditions of the other provisions of the Agreement, this BA Agreement shall prevail.