Welcome Clinician, please watch the intro video and then complete the form below.
ACCOUNT DETAILS
(This will be used as your login)
CLINIC
BILLING
Please note that the card on file will not be charged until a Lief device is shipped to a patient.
E-SIGNATURE
E-Signature Agreement
By their signatures below, the undersigned, being an authorized representative of the applicable Party, executes this BAA on the dates indicated below.

Business Associate Agreement

This Business Associate Addendum (“BAA”) is entered into by and between Zenso Inc., dba Lief Therapeutics, a Delaware Corporation, having its principal place of business at 2443 Fillmore St #380-6060, San Francisco, CA 94115 (“Business Associate”) and the undersigned customer (“Customer”) and is effective as of the last date appearing on the signature block below (the “BAA Effective Date”). Business Associate and Customer are referred to herein collectively, as the “Parties” and individually, as a “Party.”
Recitals
(A) Business Associate provides certain software technology devices and services, used by consumers and clinicians, which may involve the creation, receipt, maintenance, access, transmission, Use, or Disclosure of PHI (as defined below) by Business Associate.
(B) The Parties desire to ensure that their respective rights and responsibilities reflect applicable legal requirements relating to the protection of confidentiality and security of PHI:
a. In accordance with federal and state laws, to the extent that state laws are more restrictive, including, the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), as amended by the Health Information Technology for Economic and Clinical Health Act (“HITECH”) provisions of the American Recovery and Reinvestment Act of 2009, and Title I of the Genetic Information Nondiscrimination Act of 2008, and any regulations promulgated thereunder, including the Privacy Rule, Security Rule, and Breach Notification Rule, as such laws and regulations may be amended from time to time (collectively, the “HIPAA Rules”); and
b. If the Parties will be processing the personal data of EU data subjects, in accordance with EU General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (the “GDPR”) (if applicable, and together with HIPAA and HITECH, the “Privacy Laws”).
(C) To comply with the Privacy Laws, the Parties must enter into an agreement that governs the creation, receipt, maintenance, access, transmission, Use, and Disclosure of the PHI by Business Associate in the course of performing the Services in connection with the Underlying Agreement.

NOW, THEREFORE, the Parties agree as follows:
1. Definitions.

1.1. General Statement.
The following terms used in this BAA will have the same meaning as those terms in the HIPAA Rules: Administrative Safeguards, Availability, Breach, Business Associate, Confidentiality, Covered Entity, Data Aggregation, Designated Record Set, Disclosure, Electronic Protected Health Information (“EPHI”), Health Care Operations, Individual, Individually Identifiable Health Information, Integrity, Minimum Necessary, Physical Safeguards, Protected Health Information (“PHI”), Required by Law, Secretary, Security Incident, Subcontractor, Technical Safeguards, Unsecured PHI, Uses and Disclosures, and Workforce. A change to the Privacy Laws which modifies any defined term, or which alters the regulatory citation for the definition will be deemed incorporated into this BAA.
1.2. “Breach Notification Rule”
means Part 2, Subtitle D of HITECH and Notification in the Case of Breach of Unsecured Protected Health Information at 45 C.F.R. Part 164 Subpart D.
1.3. “Privacy Rule”
means the standards for Privacy of Individually Identifiable Health Information at 45 C.F.R. Part 160 and Subparts A and E of Part 164.
1.4. “Security Rule”
means the Security Standards for the Protection of Electronic Protected Health Information at 45 C.F.R. Part 160 and Subparts A and C of Part 164.
2. Status of Parties.

Business Associate hereby acknowledges and agrees that Customer is either a “Business Associate” of Customer’s client or a “Covered Entity” and that Business Associate is either a “Subcontractor” or “Business Associate” of Customer, as such quoted terms are defined in the HIPAA Rules.
3. Scope.

This BAA is applicable to Business Associate’s creation, receipt, maintenance, access, transmission, Use, or Disclosure of PHI, in any form or medium, including EPHI, in Business Associate’s capacity as a “Business Associate” or “Subcontractor,” as applicable, of Customer. Capitalized terms used in this BAA that are not otherwise defined in this BAA have the meaning set forth in the Underlying Agreement.
4. Business Associate Obligations.

4.1. Data Use and Disclosure.
4.1.1. Limits on Use and Disclosure.
Except as otherwise provided by this BAA, Business Associate may only Use and Disclose the PHI to perform the Services for, or on behalf of, Customer as set forth in the Underlying Agreement, provided that such Use or Disclosure, if made by the Customer, would not violate the HIPAA Rules. Business Associate agrees to make Uses, Disclosures and requests for PHI consistent with the Privacy Rule’s Minimum Necessary requirements. Additionally, Business Associate may:
4.1.1.(a) Use PHI for its own proper management and administration or to carry out its legal responsibilities; and
4.1.1.(b) Disclose PHI for its own proper management and administration or to fulfill any of its legal responsibilities, provided that (i) Disclosures are Required by Law, or (ii) Business Associate obtains reasonable assurances from the third party to whom the information is disclosed that such PHI will be (x) held secure and confidential as provided pursuant to this BAA and will only be used or further disclosed for the purpose which it was disclosed to such third party or as may otherwise be Required by Law, and (y) that such third party agrees to notify Business Associate of any Breach involving Unsecured PHI or Security Incidents which result in a Use or Disclosure of EPHI that becomes known to such third party.
4.1.2. Data Aggregation.
Pursuant to the Underlying Agreement, Business Associate may Use PHI in its possession to provide Data Aggregation services relating to the Health Care Operations of Customer or, if Customer is a Business Associate, for the Covered Entity on whose behalf Customer is acting.
4.1.3. De-Identify PHI.
Customer agrees and understands that Business Associate desires to continually improve its Services and that these improvements are made for the benefit of Customer. Accordingly, Business Associate may de-identify PHI for process and service improvement and management, product development, and other similar business purposes and may, from time to time, work with third parties that may assist Business Associate in such endeavors. Business Associate agrees that any PHI Used or Disclosed by Business Associate in connection with such endeavors will be in a de-identified form as set forth and prescribed in (a) the standards for statistical and scientific de-identification as set forth in Section 164.514(b)(1) of the Privacy Rule, or (b) the safe harbor de-identification of patient information contained in Section 164.514(b)(2) of the Privacy Rule (collectively with (a), the “De-Identified Data”), prior to such Use or Disclosure.
4.2. Safeguards and Third Parties.
Business Associate will use appropriate Administrative, Physical and Technical Safeguards pursuant to the HIPAA Rules to prevent the Use or Disclosure of PHI other than pursuant to the terms and conditions of this BAA, the Underlying Agreement, or as Required by Law and to reasonably and appropriately protect the Confidentiality, Integrity, and Availability of PHI that Business Associate creates, receives, maintains, accesses, or transmits, on behalf of Customer. Business Associate further agrees to ensure that any agent, including a Subcontractor that creates, receives, maintains, accesses, or transmits PHI on behalf of Business Associate agrees in writing to substantially similar restrictions and conditions that apply to Business Associate with respect to such information.
4.3. Reporting Unauthorized Uses, Breaches, and Security Incidents.
Business Associate will notify Customer in writing, within 15 business days after becoming aware of: (a) any Use or Disclosure of PHI that is not authorized by this BAA or the Underlying Agreement; (b) any Breach involving Unsecured PHI; or (c) any Security Incident that results in a Use or Disclosure of EPHI in violation of this BAA or the Underlying Agreement. For Security Incidents that do not result in a Use or Disclosure of EPHI in violation of this BAA or the Underlying Agreement, this Section 4.3 (Reporting Unauthorized Uses, Breaches, and Security Incidents) will be deemed as notice to Customer that Business Associate periodically receives unsuccessful attempts for unauthorized access, Use, Disclosure, modification or destruction of information or interference with the general operation of Business Associate’s information systems and the Services and, even if such events are defined as a Security Incident under the HIPAA Rules, Business Associate will not provide any further notice regarding such unsuccessful attempts.
4.4. Mitigation.
Business Associate will mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a Use or Disclosure of PHI by Business Associate, its agents or Subcontractors, if any, in violation of the requirements of this BAA, the Underlying Agreement, or the Privacy Laws. Business Associate will further take prompt action to mitigate, to the extent practicable, harmful effects of Security Incidents and Breaches involving Unsecured PHI, provided that such harmful effects are known to Business Associate.
4.5. Sanctions.
Business Associate will apply appropriate sanctions against any Workforce member, agent, or Subcontractor who uses or discloses PHI in violation of the Underlying Agreement, this BAA, or the Privacy Laws.
4.6. Access to PHI.
In the event that the PHI in Business Associate’s possession constitutes a Designated Record Set, Business Associate will promptly, but no more than 15 business days, make available to Customer access to the PHI so that Customer (or, if Customer is a Business Associate, the Covered Entity on whose behalf Customer is acting) may meet the requirements of 45 C.F.R. § 164.524. As between Business Associate and Customer, Customer is responsible for responding to Individuals’ request for access to PHI. In the event any Individual delivers a request for access to PHI directly to Business Associate, Business Associate will promptly forward such request to Customer.
4.7. Amendment of PHI.
In the event that the PHI in Business Associate’s possession constitutes a Designated Record Set, Business Associate will promptly, but no more than 15 business days, make available to Customer access to the PHI so that Business Associate (or, if Customer is a Business Associate, the Covered Entity on whose behalf Customer is acting) may incorporate any amendment(s) to the PHI in accordance with 45 C.F.R. § 164.526. As between Business Associate and Customer, Customer is responsible for responding to Individuals’ request for amendment of PHI. In the event any Individual delivers a request for amendment of PHI directly to Business Associate, Business Associate will promptly forward such request to Customer.
4.8. Accounting of Disclosures of PHI.
Business Associate will document all Disclosures of the PHI and such other information related to the Disclosure of PHI as may reasonably be necessary for Customer (or, if Customer is a Business Associate, the Covered Entity on whose behalf Customer is acting) to respond to any request by an Individual for an accounting of Disclosures of PHI in accordance with 45 C.F.R. § 164.528. Within 15 business days of notice by Customer to Business Associate that Customer has received a request for an accounting of Disclosures of PHI regarding an Individual, Business Associate will make available to Customer information to permit Customer (or, if Customer is a Business Associate, the Covered Entity on whose behalf Customer is acting) to respond to the request for an accounting of Disclosures of PHI. In the event any Individual delivers a request for an accounting of Disclosures of PHI directly to Business Associate, Business Associate will promptly forward such request to Customer.
4.9. Restrictions.
Business Associate will comply with any restrictions on Disclosure of PHI requested by an Individual and agreed to by Customer in accordance with 45 C.F.R. § 164.522 and HITECH § 13405(a).
4.10. Availability of Books and Records.
To the extent required by law, and subject to applicable attorney-client privileges, Business Associate will make its internal practices, books, and records available to the Secretary for purposes of determining Customer’s compliance with the Privacy Laws.
5. Obligations of Customer.
5.1. Security of PHI.
Customer agrees and understands that the security of PHI requires the reasonable cooperation of both Parties. Accordingly, Customer will use commercially reasonable efforts to secure the Customer-side environment, by, for example, training Workforce members, securing and using strong passwords, using secure connections, and other similar Customer-side Administrative, Physical, and Technical Safeguards.
5.2. Notice of Privacy Practices.
Customer will notify Business Associate, in writing, of any limitation(s) in the Customer’s (or, if Customer is a Business Associate, the Covered Entity on whose behalf Customer is acting) Notice of Privacy Practices, to the extent that such limitation may affect Business Associate.
5.3. Restrictions.
Customer will notify Business Associate, in writing, of any restriction to the Use or Disclosure of PHI that Customer has agreed to or must comply with in accordance with 45 C.F.R. § 164.522 and HITECH § 13405(a), to the extent that such restriction may affect Business Associate.
5.4. Changes in Authorization.
Customer will notify Business Associate of any changes in, or revocation of, the permission by an Individual to Use or Disclose such Individual’s PHI, to the extent that such changes may affect Business Associate.
5.5. Compliance with Laws.
Customer will not request Business Associate to view Customer’s PHI or to Use or Disclose PHI in any manner that would not be permissible under the Privacy Laws if done by Customer.
5.6. End Users.
Customer agrees and understands that Customer and not Business Associate, is responsible for managing whether Customer’s end users are authorized to access, share, Disclose, create, and Use PHI and Business Associate will have no obligations relating thereto.
6. Term and Termination.
6.1. Term.
The term of this BAA will be effective as of the BAA Effective Date and will terminate when all of the PHI is destroyed or returned to Customer, or, if it is not feasible to return or destroy the PHI, protections are extended to such information, in accordance with this BAA.
6.2. Termination.
Either Party may terminate this BAA in the event of a material breach of this BAA by the other Party. The termination will be effective 30 calendar days after a Party provides written notice of the material breach to the other Party and the Party receiving notice of the breach (a) has failed to remedy such breach, or (b) has failed to take substantial steps, to the reasonable satisfaction of the Party that provided notice, to remedy such breach. The termination will be effective immediately upon written notice in the event the Party providing notice reasonably believes that cure of the material breach is not feasible. A Party’s option to have cured a material breach of this BAA will not be cons
6.3. Effect of Termination.
Upon the termination of this BAA or the Underlying Agreement for any reason, Business Associate will return to Customer all PHI created, received or maintained by Business Associate or, at Business Associate’s reasonable direction, destroy all PHI received from Customer that Business Associate maintains in any form, recorded on any medium, or stored in any storage system. This provision will apply to PHI that is in the possession of Business Associate, its agents or Subcontractors, if any. Business Associate and Customer will remain bound by the provisions of this BAA, even after termination of the Underlying Agreement or this BAA, until all PHI has been returned or otherwise destroyed as provided in this Section 6.3 (Effect of Termination). Notwithstanding the foregoing, Customer agrees and understands that the return of PHI stored in backup media is not feasible and that such PHI will be destroyed in the normal course of Business Associate’s data management activities. Business Associate will not retain any copies of PHI, except as permitted herein, permitted by the Underlying Agreement, Required by Law, as may reasonably be necessary to comply with business recordkeeping requirements, or otherwise agreed to by the Parties in writing. Termination of this BAA will not relieve Customer of any monetary obligations set forth in the Underlying Agreement.
6.4. Termination of Underlying Agreement.
Customer will notify Business Associate of any changes in, or revocation of, the permission by an Individual to Use or Disclose such Individual’s PHI, to the extent that such changes may affect Business Associate.
7. Representation on Authority of Parties/Signatories.
Each person signing this Agreement represents and warrants that he or she is duly authorized and has legal capacity to execute and deliver this Agreement. Each party represents and warrants to the other that the execution and delivery of the Agreement and the performance of such party’s obligations hereunder have been duly authorized and that the Agreement is a valid and legal agreement binding on such party and enforceable in accordance with its terms.
8. General Terms.
8.1. Regulatory References.
A reference in this BAA to a section of the Privacy Laws, or the regulations issued thereunder, means the section or regulation as in effect or as amended, and for which compliance is required.
8.2. Amendment; Waiver.
This BAA may be amended or supplemented only by a writing that refers explicitly to this BAA and that is signed by both Parties. The Parties agree to amend this BAA as required to comply with any changes in laws, rules or regulations that affect the privacy and security of PHI and the Business Associate’s duties under the Underlying Agreement or this BAA. No delay or failure of either Party to exercise any right or remedy available hereunder, at law or in equity, will act as a waiver of such right or remedy, and any waiver will not waive any subsequent right, obligation, or default.
8.3. Entire Agreement.
This BAA, together with the Underlying Agreement, contains the entire understanding between the Parties hereto and will supersede any other oral or written agreements, discussions and understandings of every kind and nature, with respect to the subject matter hereof.
8.4. Order of Precedence.
Any ambiguity in this BAA will be resolved to permit Business Associate to comply with the Privacy Laws. If any express term of this BAA conflicts with the Underlying Agreement, then this BAA, if applicable, will control as to that term, but only to the extent of an express ambiguity. The Underlying Agreement will control in all other instances, including, without limitation, remedies, limitation of liability, limitation of remedies, warranties, disclaimer of warranties, governing law, venue, and relationship of the Parties.
8.5. No Third Party Beneficiaries.
Nothing express or implied in this BAA is intended to confer, nor will anything herein confer, upon any person other than Customer, Business Associate, or their respective successors or permitted assigns, any rights, remedies, obligations or liabilities whatsoever.
8.6. Survival.
The rights and obligations contained in Sections 4.3 (Reporting Unauthorized Uses, Breaches, and Security Incidents), 4.4 (Mitigation), 4.8 (Accounting of Disclosures of PHI), 4.10 (Availability of Books and Records), 5.6 (End Users), 6.3 (Effect of Termination), and Representation on Authority of Parties/Signatories (General Terms) will survive the termination of this BAA.
8.7. Notices.
All notices that either Party may desire or be required to give to the other will be in writing and will be delivered by overnight courier or by priority mail by a recognized express mail vendor to the other Party at the address set forth in the signature page or such other address as a Party may provide. Notice delivered by facsimile or e-mail will be confirmed by overnight courier or by priority mail.
8.8. Severability.
If any provision of this BAA is determined by a court of competent jurisdiction to be invalid, void, or unenforceable, the remaining provisions hereof will continue in full force and effect.
8.9. Counterparts.
This BAA may be executed in counterparts, each of which will be deemed an original, and all of which will constitute one binding agreement and may be delivered by electronic mail or fax.
Business Associate:

Signature:
Name:
Title:
Date:
Notices to be provided to:
Attn:
Fax:
E-mail:
Customer:

Signature:
Name:
Title:
Date:
Notices to be provided to:
Attn:
Fax:
E-mail: