This HIPAA Business Association Addendum (this “HIPAA Addendum”) is an addendum to your End User License Agreement (and incorporated therein by reference).  This HIPAA Addendum defines the rights and responsibilities of each of us with respect to Protected Health Information as defined in the Health Insurance Portability and Accountability Act of 1996 and the regulations promulgated thereunder, including the HITECH Act and Omnibus Rule, as each may be amended from time to time (collectively, “HIPAA”).  This Agreement shall be applicable only in the event and to the extent Savii, Inc., meets, with respect to you, the definition of a Business Associate set forth at 45 C.F.R. §160.103, or applicable successor provisions.      


1.  Defined Terms.  For the purposes of this HIPAA Addendum, capitalized terms shall have the following meanings:


“Agreement” shall have the same meaning as given in the General Terms and Conditions.


“Business Associate” shall mean the Savii, Inc. (Savii) entity from which you purchase Services.


“CFR” shall mean the Code of Federal Regulations.


“Individual” shall have the same meaning as the term “individual” in 45 CFR § 160.103 and shall include a person who qualifies as a personal representative in accordance with 45 CFR § 164.502(g).


“Privacy Rule” shall mean the Standards for Privacy of Individually Identifiable Health Information at 45 CFR part 160 and part 164, subparts A and E.


“Protected Health Information” or “PHI” shall have the same meaning as the term “protected health information” in 45 CFR § 160.103, limited to the information received by Business Associate from or on behalf of Customer.


“Required By Law” shall have the same meaning as the term “required by law” in 45 CFR § 164.103.


“Security Rule” shall mean the Security Standards for the Protection of Electronic Protected Health Information, located at 45 CFR Part 160 and Subparts A and C of Part 164.


“Secretary” shall mean the Secretary of the Department of Health and Human Services or his or her designee.




2. Obligations and Activities of Business Associate.


(a) Business Associate shall not use or disclose Protected Health Information other than as permitted or required by this HIPAA Addendum or as permitted or Required by Law.


(b)  Business Associate agrees to provide those physical, technical, and administrative safeguards described in the General Terms and Conditions and the other parts of the Agreement including those safeguards and Services selected by you and described in the Service Description. If Business Associate agrees as part of this HIPAA Addendum to carry out an obligation of yours under the Privacy Rule, then Business Associate will comply with the requirements of the Privacy Rule applicable to such obligation. 


(c)  Business Associate agrees to mitigate, to the extent reasonably practicable, any harmful effect that is known to Business Associate of a use or disclosure of Protected Health Information by Business Associate or its agents or subcontractors in violation of the requirements of this HIPAA Addendum.          


(d)  Within five Business Days of becoming aware, Business Associate agrees to report to you (i) Security Incidents (as defined in 45 C.F.R. §164.304 and as further described below), (ii) the Breach of unsecured PHI (as defined in 45 CFR §164.402), or (iii) an access, acquisition, use or disclosure of PHI in violation of this HIPAA Addendum.


(e) Business Associate agrees to ensure that any of our agents or subcontractors to whom we provide Your Health Information for purposes of assisting us in providing the Programs or the Services, agrees to the same restrictions and conditions that apply to us with respect to such information, including the obligation to implement reasonable and appropriate safeguards to protect it (it being understood that other Users of the System are not our agents or subcontractors); 


 (f)  All Protected Health Information maintained by Business Associate for you will be available to you in a time and manner that reasonably allows you to comply with the requirements under 45 CFR § 164.524.  Business Associate shall not be obligated to provide any such information directly to any Individual or person other than you.


(g) Make available protected health information for amendment and incorporate any amendments to protected health information in accordance with §164.526 of the Privacy Rule;


(h)  Business Associate agrees to make internal practices, books, and records available to the Secretary, in a time and manner designated by the Secretary, for purposes of the Secretary’s determining your compliance with the Privacy Rule; provided, however, that time incurred by Business Associate in complying with any such request that exceeds its normal customer service parameters shall be charged to you at Business Associate’s then current standard hourly rate for Supplemental Services.


(i)   You acknowledge that Business Associate is not required by this HIPAA  Agreement to make disclosures of Protected Health Information to Individuals or any person other than you, and that Business Associate does not, therefore, expect to maintain documentation of such disclosure as described in 45 CFR § 164.528.  In the event that Business Associate does make such disclosure, it shall document the disclosure as would be required for you to respond to a request by an Individual for an accounting of disclosures in accordance with 45 CFR §164.504(e)(2)(ii)(G) and §164.528, and shall provide such documentation to you promptly on your request.  In the event that a request for an accounting is made directly to Business Associate, Business Associate shall, within 2 Business Days, forward such request to Customer. 


(j)  Business Associate shall, for the duration of the Agreement, obtain an SSAE16 audit report (or equivalent successor report) from independent auditors on an annual basis, and make such report available to you.



3. Permitted Uses and Disclosures by Business Associate.  Except as otherwise limited in this HIPAA Addendum or other portion of the Agreement, Business Associate may use or disclose Protected Health Information to perform functions, activities, or services for, or on behalf of, you as specified in the Agreement, provided that such use or disclosure would not violate the Privacy Rule if done by you.



4.   Specific Use and Disclosure Provisions.  Except as otherwise limited in this HIPAA Addendum or other portion of the Agreement, Business Associate may:


      (a)  use Protected Health Information for the proper management and administration of Business Associate or to carry out its legal responsibilities;


      (b) disclose Protected Health Information for the proper management and administration of Business Associate, provided that disclosures are (i) Required By Law, or (ii)  Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as Required By Law or for the purpose for which it was disclosed to the person, and the person will notify Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached;  and


      (c)  use Protected Health Information to report violations of law to appropriate Federal and State authorities, consistent with 45 CFR §164.502(j)(1).




5.   Your Obligations.  You shall notify Business Associate of:


      (a)  any limitation(s) in your notice of privacy practices in accordance with 45 CFR § 164.520 to the extent that such changes may affect Business Associate’s use or disclosure of Protected Health Information;


      (b)  any changes in, or revocation of, permission by Individual to use or disclose Protected Health Information, to the extent that such changes may affect Business Associate’s use or disclosure of Protected Health Information;  and


       (c)  any restriction to the use or disclosure of Protected Health Information that you  have agreed to in accordance with 45 CFR § 164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of Protected Health Information.



You agree that you will not request Business Associate to use or disclose Protected Health Information in any manner that would not be permissible under the Privacy Rule if done by you.



You agree to comply with those security obligations identified in the General and Product Terms, and to implement, purchase, or maintain appropriate safeguards (including security appliances, services, and practices) as required for you to comply with the Security and Privacy rules as applicable to you.



6.  Term and Termination


      (a)  The term of this HIPAA Agreement shall continue following termination of such Subscription until all Protected Health Information is destroyed or returned to you or your designee.


      (b)  If Business Associate materially breaches the terms of this HIPAA Addendum, then you may terminate any related Subscription or Services Agreement(s).


      (c) Upon termination of the Agreement for any reason Business Associate shall destroy all Protected Health Information which remains on your System or otherwise in Business Associate’s possession. This provision shall apply to Protected Health Information that is in the possession of subcontractors or agents of Business Associate as well as Business Associate itself. Business Associate shall retain no copies of the Protected Health Information.  In the event that Business Associate determines that destroying the Protected Health Information is infeasible, Business Associate shall promptly provide you notification of the conditions that make destruction infeasible. Business Associate shall extend the protections of this Agreement to such Protected Health Information and limit further uses and disclosures of such Protected Health Information to those purposes that make the destruction infeasible, for so long as Business Associate maintains such Protected Health Information. You shall bear the cost of storage of such Protected Health Information for as long as storage by Business Associate is required.  This Section does not require Business Associate to segregate any Protected Health Information from other information maintained by you on Business Associate’s servers and Business Associate may comply with this requirement by returning or destroying all of the information maintained on its servers by you.  By default, Savii, Inc. will zero-fill (meaning to format a hard disk by filling available sectors with zeroes) any hard disk drive space dedicated to your use upon termination of the Service(s).  Upon your written request Savii, Inc. shall either physically destroy or multi-pass wipe any hard disk space dedicated to your use, provided that Savii, Inc. may charge you an additional fee at its then current rates for such additional services.


 (d) If you request contemporaneously with any termination event or notice, Business Associate will allow you to have access to your Subscription for a reasonable period of time following termination as necessary for you to retrieve or delete any Protected Health Information at your then current monthly recurring rate; provided, however, that if the security of your servers has been compromised, or the Agreement was terminated for your failure to use reasonable security precautions, Savii may: (i) provide you with restricted access to your Subscription or (ii) refuse to allow you to have access to your Subscription but will use reasonable efforts to copy your data on to media you provide to Savii, and will ship the media to you at your expense. Savii's efforts to copy your data onto your media shall be billable as a Supplemental Service at Savii's then current hourly rates.


7.  Miscellaneous.


      (a)  Amendment. Each of us agrees to take such action as is reasonably necessary to amend this HIPAA Agreement from time to time as is necessary for you to comply with the requirements of HIPAA as they may be amended from time to time; provided, however, that if such an amendment would materially increase the cost of Business Associate providing service under the Agreement, Business Associate shall have the option to terminate the Agreement on thirty (30) days’ advance notice.


    (b) Survival. Our respective rights and obligations under this HIPAA Addendum shall survive the termination of the Agreement.


    (c)  Interpretation. Any ambiguity in the Agreement shall be resolved to permit you to comply with HIPAA and the Privacy Rule.



 

© 2016 Savii, Inc.