Business Associate Agreement

This Business Associate Agreement (“BAA”) is an addendum to the Master Cloud and Managed Services Agreement (or equivalent) (the “Agreement”) between Contour Data Solutions LLC (“Contour” or “Business Associate”) and Customer. Any capitalized terms that are not defined in this BAA shall have the meanings set forth in the Agreement, the Security, Privacy, and Data Processing Addendum (the “Security Addendum”), or HIPAA (as defined in the Definitions section below), respectively. For purposes of this BAA, Customer also means “Covered Entity.” The parties acknowledge that Customer may be a covered entity (as defined by HIPAA) or a business associate (as defined by HIPAA) acting on behalf of a covered entity. Covered Entity and Business Associate mutually agree to the terms of this BAA to comply with the HIPAA Rules (as defined below).

1. This BAA will be applicable only:

a. To the extent Contour meets, with respect to Customer and Customer’s use of the Services, the definition of a business associate under HIPAA.
b. To information received by Contour from or on behalf of Customer that constitutes Protected Health Information (as defined in the Definitions section below).
c. To Protected Health Information Processed (as defined in the Security Addendum) directly in the Contour Infrastructure (as defined in the Security Addendum).

Definitions

Breach: “Breach” has the same meaning as the term “Breach” in 45 CFR 164.402.
HIPAA: “HIPAA” means the Health Insurance Portability and Accountability Act of 1996, as amended by Subtitle D of the Health Information Technology for Economic and Clinical Health Act, Title XIII of Division A and Title IV of Division B of the American Recovery and Reinvestment Act of 2009 (Pub. L. No. 111-5) (the “HITECH Act”) and the federal regulations (“HIPAA Rules”) published at 45 CFR parts 160 and 164.
Individual: “Individual” has the same meaning as the term “Individual” in 45 CFR 160.103 and includes a person who qualifies as a personal representative in accordance with 45 CFR 164.502(g) or other applicable law.
Protected Health Information: “Protected Health Information” has the same meaning as that term as defined in 45 CFR 160.103, but limited to information created, received, maintained, or transmitted by Business Associate on behalf of Covered Entity.
Secure: “Secure” means to render unusable, unreadable, or indecipherable to unauthorized individuals using a technology or methodology specified by the Secretary in the guidance issued under section 13402(h)(2) of the HITECH Act.
Successful Security Incident: “Successful Security Incident” means any Security Incident (as defined in 45 CFR 164.304) that results in the unauthorized use, unauthorized access, unauthorized disclosure, unauthorized modification or unauthorized destruction of electronic Protected Health Information Processed directly in the Contour Infrastructure.

2. Obligations of Business Associate with respect to Use and Disclosure of Protected Health Information

a. Business Associate will satisfy and comply with the HIPAA Rules concerning the confidentiality, privacy, and security of Protected Health Information that apply to business associates.
b. Business Associate will not use or disclose Protected Health Information except as permitted or required by this BAA or as Required by Law.
c. Business Associate may use and disclose Protected Health Information if its use or disclosure is in compliance with the applicable requirements of 45 CFR 164.504(e).
d. Business Associate will mitigate to the extent practicable any harmful effect resulting from a Successful Security Incident involving Protected Health Information Processed directly in the Contour Infrastructure or any use or disclosure of Protected Health Information in violation of the requirements of this BAA, the HIPAA Rules, or other applicable law.
e. Business Associate will ensure that any agent, including a subcontractor, to whom it provides Protected Health Information agrees in writing to comply with the HIPAA Rules through a business associate or similar agreement with respect to that information.
f. Business Associate will not request from Covered Entity, nor disclose to its affiliates, subsidiaries, agents, and subcontractors or other third parties, more than the minimum necessary Protected Health Information to perform or fulfill a specific function required or permitted hereunder.
g. Business Associate will provide written notice of any use or disclosure of Protected Health Information not permitted by this BAA and any Successful Security Incident of Protected Health Information Processed directly in the Contour Environment (each a “Potential Breach”) to Covered Entity promptly, but in no event later than ten (10) business days after it is discovered (within the meaning of 45 CFR 164.410(a)(2)). Business Associate shall provide the information concerning the Potential Breach as required by 45 CFR 164.410(c) to determine whether a Breach has occurred, including Business Associate’s own risk assessment to determine whether a Breach has occurred. If that information is not available to Business Associate at the time the Potential Breach is required to be reported to Covered Entity, Business Associate will provide that information to Covered Entity promptly as it becomes available. Covered Entity and Business Associate will mutually determine whether a Breach has occurred. Business Associate will maintain complete records regarding the Potential or actual Breach for the period required by 45 CFR 164.530(j). Business Associate will not be required to report unsuccessful Security Incidents. Both parties acknowledge that there are likely to be a significant number of unsuccessful attempts to access the systems and services utilized by Business Associate, which makes real-time reporting or reporting of unsuccessful attempts impractical for both parties.
h. Business Associate will make accessible to Covered Entity, within ten (10) business days of receipt of a request from Covered Entity, such Protected Health Information relating to an Individual Processed directly in the Contour Infrastructure or in the possession of Contour’s agents or subcontractors in a Designated Record Set in accordance with 45 CFR 164.524. In the event any Individual requests access to his or her Protected Health Information directly from Business Associate, Business Associate will, within five (5) business days of receipt of that request, forward the request to Covered Entity.
i. Business Associate will make accessible to Covered Entity, within ten (10) business days of receipt of a request from Covered Entity, such Protected Health Information as is covered by such request so that Covered Entity may make any requested amendment(s) to Protected Health Information Processed directly in the Contour Infrastructure or in the possession of Contour’s agents or subcontractors in a Designated Record Set in accordance with 45 CFR 164.526. In the event any Individual requests an amendment to his or her Protected Health Information directly from Business Associate, Business Associate will, within five (5) business days of receipt thereof, notify Covered Entity of the request.
j. Within ten (10) business days after Business Associate, its agents or subcontractors make any disclosure of Protected Health Information for which an accounting may be required under 45 CFR 164.528, Business Associate will provide in writing to Covered Entity the information related to that disclosure as would be required to respond to a request by an Individual for an accounting in accordance with 45 CFR 164.528. In the event any Individual requests an accounting of disclosures under 45 CFR 164.528(a) directly from Business Associate, Business Associate will, within ten (10) business days of receipt of that request, forward the request to Covered Entity.
k. Business Associate will make its internal practices, books, and records relating to the use and disclosure of Protected Health Information available to the Secretary of Health and Human Services or her/his designees in a time and manner mutually agreed upon or as required by the Secretary of Health and Human Services or her/his designees, for purposes of determining compliance with the HIPAA Rules.
l. Business Associate will maintain documentation of its obligations hereunder to the extent and for the period required by the HIPAA Rules, including 45 CFR 164.530(j).

3. Covered Entity Obligations

a. Covered Entity is responsible for all Processing of Protected Health Information in the Customer Infrastructure (as defined in the Security Addendum). Covered Entity will limit disclosure and access to the minimum amount of Protected Health Information, to the minimum number of personnel, for the minimum amount of time necessary for Business Associate to accomplish the intended purpose of that use, disclosure, or request, respectively.
b. Covered Entity will notify Business Associate of any restriction on the use or disclosure of Protected Health Information that Covered Entity has agreed to or must comply with in accordance with 45 CFR 164.522, to the extent that the restriction may affect Business Associate’s use or disclosure of Protected Health Information.
c. Covered Entity will provide Business Associate with notice of any changes to or revocation of permission by an Individual to use or disclose Protected Health Information, if those changes may affect Business Associate's permitted uses or disclosures, within a reasonable period of time after Covered Entity becomes aware of those changes to or revocation of permission.
d. Covered Entity will maintain and comply with policies and procedures to avoid the unauthorized or otherwise improper disclosure of Protected Health Information to Business Associate.
e. Covered Entity will implement appropriate administrative, physical, and technical safeguards to prevent the unauthorized use and disclosure of Protected Health Information, and to protect the confidentiality, integrity, and availability of Electronic Protected Health Information, as required by the HIPAA Rules. Without limiting the foregoing, Covered Entity will comply with the requirements of 45 CFR 164.308, 164.310, 164.312, and 164.316, as may be amended and interpreted in guidance from time to time. Furthermore, Covered Entity will protect all Protected Health Information stored in or transmitted using the Business Associate services in accordance with the Secretary of HHS’s Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals, available at http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brguidance.html as it may be updated from time to time, and as may be made available on any successor or related site designated by HHS.

4. Security of Protected Health Information

a. Business Associate will implement appropriate administrative, physical, and technical safeguards to prevent the unauthorized use and disclosure of Protected Health Information, and to protect the confidentiality, integrity, and availability of Electronic Protected Health Information Processed directly in the Contour Infrastructure, as required by the HIPAA Rules. Without limiting the foregoing, Business Associate will comply with the requirements of 45 CFR 164.308, 164.310, 164.312, and 164.316, as may be amended and interpreted in guidance from time to time.
b. Business Associate will conduct periodic reviews of its security safeguards to ensure they are appropriate and operating as intended.
c. Documentation of Business Associate’s security assessments will be retained by Business Associate for the period required by law.

5. Permitted Uses and Disclosures of Protected Health Information

a. Business Associate will not use or disclose Protected Health Information other than as permitted or required by this BAA or as Required by Law. Subject to those limitations set forth in this BAA, Business Associate may use and disclose Protected Health Information as necessary in order to provide its Services as contemplated by the Agreement, including all Service Orders (as defined in the Agreement), exhibits and attachments and any documents directly or indirectly referenced therein, and all user documentation made available to Customer.
b. Subject to the limitations set forth in this BAA, Business Associate may use Protected Health Information if necessary, for its proper management and administration or to carry out its legal responsibilities. In addition, Business Associate may disclose Protected Health Information as necessary for its proper management and administration or to carry out its legal responsibilities provided that:
c. Disclosure is Required By Law; or
d. Business Associate obtains reasonable assurances, in the form of a written agreement, from the person to whom the Protected Health Information is disclosed that (1) it will be held confidentially and used or further disclosed only as Required By Law or for the purpose for which it was disclosed to the person; and (2) the person will immediately notify Business Associate (which will immediately notify Covered Entity in accordance with Section 2 above) of any instances of which it is aware in which the confidentiality of the Protected Health Information has been breached.

6. Term and Termination

a. The term of this BAA will continue for so long as Business Associate Processes Protected Health Information on behalf of Covered Entity, except that (i) Section 6c will survive after the termination of the Agreement for as long as Business Associate retains any Protected Health Information; and (ii) any provision that by its nature survives termination will so survive.
b. Effect of Termination. Except as provided in Section 6c, upon termination of the Agreement for any reason, the effect of such termination on Confidential Information (as defined in the Agreement) in Business Associate’s possession will be governed by the Agreement to the extent such effect is in accordance with HIPAA.
c. If returning or destroying the Protected Health Information is impractical upon termination, Covered Entity will bear the cost of storage of that Protected Health Information for as long as storage by Business Associate is required. This Section 6c does not require Business Associate to segregate any Protected Health Information from other information maintained by Covered Entity on Business Associate’s servers and Business Associate may comply with this requirement by returning or destroying all of the information maintained on its servers by Covered Entity.

7. Miscellaneous

a. The parties will take action as is necessary to amend this BAA from time to time to comply with the requirements of any HIPAA Rules; provided, however, that if any amendment of the HIPAA Rules or guideline from the Department of Health and Human Services would materially increase the cost of Business Associate providing service under the Agreement, then Business Associate will have the option to terminate the Agreement or any applicable Service Orders on thirty (30) days prior written notice to Customer. In the event of that termination, Business Associate will refund any applicable unused prepaid fees.
b. A reference in this BAA to a section in the HIPAA Rules means the section as in effect or as amended, and as of its effective date.
c. Any ambiguity in this BAA shall be resolved to permit compliance with the HIPAA Rules.
d. The terms and conditions of this BAA shall override and control any conflicting term or condition of the Agreement or any Service Order Signed (as defined in the Agreement) thereunder. All non-conflicting terms and conditions of the Agreement remain in full force and effect.
e. Within fifteen (15) business days of a written request by Covered Entity, Business Associate will provide Covered Entity with detailed information as may be reasonably requested by Covered Entity from time to time regarding Business Associate’s compliance with its use or disclosure of Protected Health Information pursuant to this BAA for the purpose of determining whether Business Associate has complied with this BAA, HIPAA, and HITECH; provided, however, that (i) disclosure of that information would not violate Business Associate’s reasonable privacy or data security policies and (ii) Covered Entity will make these requests no more than annually unless it is in response to a specific security incident.