Business Associate Addendum
This Business Associate Addendum (the “Addendum”) is incorporated into the User Agreement and applies in respect of the provision of the Services to the User if the User is subject to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), only to the extent the User (the “Covered Entity”) is using the Services provided by FDNA (the “Business Associate”) to process certain protected health information of individuals residing in the United States of America.
I. WHEREAS, United States Congress enacted HIPAA, which protects the confidentiality of health information;
II. WHEREAS, pursuant to HIPAA, the United States Department of Health and Human Services (the “HHS”) promulgated Privacy Standards and Security Standards, each as defined below, governing confidential health information;
III. WHEREAS, Business Associate performs services through its provision of the FDNA service (the “Service”) under the User Agreement on behalf of the Covered Entity;
IV. WHEREAS, Business Associate’s provision of the Service requires Covered Entity to provide Business Associate with access to confidential health information; and
V. WHEREAS, in order to comply with the business associate requirements of HIPAA and its implementing regulations, Business Associate and Covered Entity must enter into an agreement that governs the uses and disclosures of such confidential health information by the Business Associate.
NOW, THEREFORE, in consideration of the foregoing recitals, the mutual promises and covenants set forth herein, and other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the parties agree as follows:
The following terms used in this Addendum shall have the same meaning as those terms in the HIPAA Rules: Data Aggregation, Designated Record Set, Disclosure, Health Care Operations, Minimum Necessary, Notice of Privacy Practices, Security Incident, Subcontractor, and Use.
For purposes of this Addendum, when capitalized, the following terms shall mean:
“Aggregated Data” shall mean any data assembled as the result of “data aggregation” as that term is defined in 45 CFR § 164.501.
“Breach” shall have the meaning set forth in 45 C.F.R. 164.402 (including all of its subsections); with respect to all other uses of the word “breach” in this Addendum, the word shall have its ordinary contract meaning.
“Business Associate” shall generally have the same meaning as the term “business associate” at 45 C.F.R. § 160.103.
“Covered Entity” shall generally have the same meaning as the term “covered entity” at 45 C.F.R. § 160.103.
“De-Identified Data” shall mean any data meeting the specifications set out in 45 CFR § 164.514(a) and §164.514(a) or (b)(1) or (2).
“Electronic Media” shall have the meaning set forth in 45 C.F.R. 160.103, which is defined as electronic storage media (including memory devices in computers, hard drives, any removable or transportable digital memory medium, such as magnetic tape or disk, optical disk or digital memory card) or transmission media used to exchange information already in electronic storage media (including the Internet, extranet (using Internet technology to link a business with information only accessible to collaborating parties), leased lines, dial-up lines, private networks, and those transmissions that are physically moved from one location to another using magnetic tape, disk, or compact disk media). Certain transmissions, including of paper, via facsimile, and of voice, via telephone, are not considered to be transmissions via electronic media, because the information being exchanged does not exist in electronic form before the transmission.
“Electronic Protected Health Information” or “EPHI” shall mean Individually Identifiable Health Information that is (i) transmitted by Electronic Media or (ii) maintained in any medium constituting Electronic Media. For instance, EPHI includes information contained in a patient’s electronic medical records and billing records. EPHI shall not include (i) education records covered by the Family Educational Right and Privacy Act, as amended, 20 U.S.C. 1232g; (ii) records described in 20 U.S.C. 1232g(a)(4)(B)(iv); and (iii) employment records held by a Covered Entity in its role as employer.
“HIPAA Rules” shall mean the Privacy, Security, Breach Notification, and Enforcement Rules at 45 C.F.R. Part 160 and Part 164.
“HITECH Act” shall mean the Health Information Technology for Economic and Clinical Health Act, found in Title XIII of the American Recovery and Reinvestment Act of 2009, effective February 17, 2009.
“Individual” shall have the same meaning as set forth in 45 C.F.R. 160.103, defined as the person who is the subject of PHI, and shall include a personal representative in accordance with 45 C.F.R. 164.502(g).
“Individually Identifiable Health Information” shall mean information that is a subset of health information, including demographic information collected from an individual, and
(i) is created or received by a health care provider, health plan, employer, or health care clearinghouse; and
(ii) relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present or future payment for the provision of health care to an individual; and (a) identifies the individual, or (b) with respect to which there is a reasonable basis to believe the information can be used to identify the individual.
“Privacy Standards” shall mean the Standards for Privacy of Individually Identifiable Health Information, 45 C.F.R. Parts 160 and 164, Subparts A, D, and E, as currently in effect.
“Protected Health Information” or “PHI” shall mean Individually Identifiable Health Information that is (i) transmitted by Electronic Media, (ii) maintained in any medium constituting Electronic Media; or (iii) transmitted or maintained in any other form or medium. For instance, PHI includes information contained in a patient’s medical records and billing records. “Protected Health Information” shall not include (i) education records covered by the Family Educational Right and Privacy Act, as amended, 20 U.S.C. 1232g; (ii) records described in 20 U.S.C. 1232g(a)(4)(B)(iv); and (iii) employment records held by a Covered Entity in its role as employer.
“Required by Law” shall have the same meaning as the term “Required by law” in 45 C.F.R. 164.103.
“Secretary” shall mean the Secretary of the U.S. Department of Health and Human Services or any office or person within the U.S. Department of Health and Human Services to which/whom the Secretary has delegated his or her authority to administer the Privacy Standards and the Security Standards, such as the Director of the Office for Civil Rights.
“Security Standards” shall mean Security Standards for the Protection of Electronic Protected Health Information, 45 C.F.R. Part 160 and Part 164, Subparts A and C.
“Subsequent Business Associate” shall mean any agent, including subcontractors, of Business Associate to whom Business Associate discloses Protected Health Information or Electronic Protected Health Information.
“Unsecured Protected Health Information” shall have the same meaning as the term “unsecured protected health information” in 45 C.F.R. 164.402, limited to the information created or received by Business Associate from or on behalf of Covered Entity.
All references to “days” in this Addendum shall mean calendar days. Capitalized terms used not defined herein or in the Agreement shall have the meanings ascribed to them in the Privacy Standards or the Security Standards.
2. Business Associate Obligations.
Business Associate acknowledges and agrees that it is considered a “business associate” as defined by HIPAA and by regulations promulgated thereunder. As a business associate of Covered Entity, Business Associate shall comply with the following terms of this Addendum, as required pursuant to 45 C.F.R. § 164.504.
2.1 Permitted Uses and Disclosures. Business Associate agrees that it shall use and disclose Protected Health Information received from Covered Entity for the purposes of providing the Service, as otherwise permitted under this Addendum, or as Required by Law and not for other purposes. Business Associate is authorized to use Protected Health Information to de-identify or aggregate any such data received hereunder in accordance with 45 C.F.R. § 164.514(a)-(c) and Business Associate shall have a non-exclusive, perpetual and unlimited royalty-free license to use and disclose the De-Identified or Aggregated Data collected or created from PHI received under this Addendum, including without limitations, for purposes of continuing to develop its Services and the underlying technologies, through research and development activities. Business Associate shall limit its use or disclosure of PHI and EPHI, to the extent practicable, to the limited data set (as defined in 45 C.F.R. 164.514(e)(2)), or to the minimum necessary to accomplish the intended purpose of such use, disclosure or request, respectively.
2.2 Disclosures to Subsequent Business Associates. Business Associate shall not disclose any PHI to any Subsequent Business Associate, unless and until Business Associate and the Subsequent Business Associate have entered into an agreement containing the same terms and conditions as set forth in this Addendum.
2.2.1 Subcontractors. In accordance with 45 C.F.R. § 164.502(e)(1)(ii) and § 164.308(b)(2), if applicable, Business Associate shall ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of Business Associate agree to the same restrictions, conditions, and requirements that apply to Business Associate with respect to such information.
2.3 Reporting Violations of Law. Consistent with the requirements of 45 C.F.R. 164.502(j)(1), Business Associate may disclose Protected Health Information to report violations of law to appropriate Federal and State authorities.
2.4 Appropriate Safeguards. Business Associate shall implement appropriate administrative, technical, and physical safeguards to prevent any use or disclosure of Protected Health Information not authorized by this Addendum. Specifically, Business Associate agrees to comply with the requirements of 45 C.F.R. 164.308, 164.310,164.312 and 164.316 to the same extent such requirements apply to Covered Entity.
2.5 Reporting of Illegal, Unauthorized or Improper Uses or Disclosures and Remedial Actions. Business Associate shall report to Covered Entity any illegal, unauthorized, or improper use or disclosure of Protected Health Information, Security Incident or any Breach (collectively, “Known Misuse”) by it or a Subsequent Business Associate without unreasonable delay and within ten (10) business days of obtaining knowledge of such Known Misuse. Additionally, if the Known Misuse is a Breach of Unsecured Protected Health Information, Business Associate shall comply with the requirements of 45 C.F.R. 164.410. Business Associate shall take, or, in the event that the acts or omissions of a Subsequent Business Associate gave rise to the Known Misuse, shall require a Subsequent Business Associate to take, commercially reasonable actions to mitigate the negative impact of any Known Misuse and adopt additional or improve existing safeguards to prevent recurrence. The parties acknowledge and agree that this section 2.5 constitutes notice by Business Associate to Covered Entity of the ongoing existence and occurrence or attempts of unsuccessful security incidents for which no additional notice to Covered Entity shall be required. “Unsuccessful security incidents” mean, without limitation, pings, and other broadcast attacks on Business Associate’s firewall, port scans, unsuccessful log-on attempts, denial of service attacks and any combination of the above, so long as no such incident results in unauthorized access, use or disclosure of PHI or EPHI.
2.6 Internal Practices, Books and Records. Business Associate shall make its internal practices, books and records relating to the use and disclosure of Protected Health Information received from, or created or received by Business Associate on behalf of Covered Entity available to the Secretary, or their designees, for purposes of determining and facilitating Business Associate’s and Covered Entity’s compliance with the Privacy Standards and Security Standards.
2.7 Access to Protected Health Information.
2.7.1 Within ten (10) days of a request by Covered Entity, Business Associate shall provide Protected Health Information in its possession or in the possession of a Subsequent Business Associate to Covered Entity in order for Covered Entity to comply with its obligations under 45 C.F.R. 164.524 to provide Individuals with access to their Protected Health Information.
2.7.2 Business Associate shall notify Covered Entity within five (5) days of receiving a request from an Individual to access Protected Health Information. Following receipt of such notice from Business Associate, Covered Entity shall handle such request from the Individual.
2.8 Amendments to Protected Health Information.
2.8.1 Within ten (10) days of a request by Covered Entity, Business Associate shall provide Protected Health Information in its possession or in the possession of a Subsequent Business Associate to Covered Entity in order for Covered Entity to comply with its obligations under 45 C.F.R. 164.526 to provide Individuals the right to amend their Protected Health Information.
2.8.2 Business Associate shall notify Covered Entity within five (5) days of receiving a request from an Individual to amend Protected Health Information. Following receipt of such notice from Business Associate, Covered Entity shall handle such request from the Individual.
2.9 Accounting of Disclosures.
2.9.1 Within twenty (20) days of a request by Covered Entity, Business Associate shall provide Covered Entity with an accounting of all disclosures of Protected Health Information, other than disclosures excepted from the Privacy Standards accounting requirement under 45 C.F.R. 164.528(a)(1)(i)-(ix), made by Business Associate or by a Subsequent Business Associate in the previous six (6) years (but in no event prior to April 14, 2003) in order for Covered Entity to comply with its obligations under 45 C.F.R. 164.528 to provide Individuals with an accounting of disclosures of their Protected Health Information.
2.9.2 Such accounting shall include, with respect to each disclosure: the date of the disclosure; the name (and address, if known) of the entity or person receiving the Protected Health Information; a description of the Protected Health Information disclosed; a statement of the purpose of the disclosure; and any other information the Secretary may require under 45 C.F.R. 164.528 (collectively, “Disclosure Information”).
2.9.3 Notwithstanding Section 2.11.2, for repetitive disclosures of Protected Health Information that Business Associate makes for a single purpose to the same person or entity, Business Associate may record: (a) the Disclosure Information for the first of these repetitive disclosures; (b) the frequency, periodicity or number of these repetitive disclosures made during the accounting period; and the date of the last of these repetitive disclosures.
2.9.4 Business Associate shall notify Covered Entity within ten (10) days of receiving a request from an Individual for an accounting of disclosures of Protected Health Information. Following receipt of such notice from Business Associate, Covered Entity shall handle such request from the Individual.
2.9.5 In accordance with the HITECH Act, the parties acknowledge that the Secretary shall promulgate regulations regarding the right of Individuals to receive an accounting of disclosures made for treatment, payment and healthcare operations during the previous three (3) years if such disclosures are made through the use of an electronic health record. The parties agree to comply with such regulations promulgated by the Secretary as of the effective date of those regulations.
2.10 Subpoenas, Court Orders, and Governmental Requests. If Business Associate receives a court order, subpoena, or governmental request for documents or other information containing Protected Health Information, Business Associate will use reasonable efforts to notify Covered Entity of the receipt of the request within ten (10) business days to provide Covered Entity an opportunity to respond. Business Associate may comply with such order, subpoena, or request as Required by Law or permitted by law.
2.11 Remuneration in Exchange for PHI. Except as permitted by the HITECH Act or regulations promulgated by the Secretary in accordance with the HITECH Act, and as of the effective date of such regulations, Business Associate shall not directly or indirectly receive remuneration in exchange for PHI unless Covered Entity notifies Business Associate that it obtained a valid authorization from the Individual specifying that the Individual’s PHI may be exchanged for remuneration by the entity receiving such Individual’s PHI.
3. Covered Entity Obligations.
3.1 Notice of Privacy Practices. Covered Entity shall notify Business Associate of limitation(s) in its notice of privacy practices, to the extent such limitation affects Business Associate’s permitted Uses or Disclosures.
3.2 Individual Permission. Covered Entity shall notify Business Associate of changes in, revocation of, permission by an Individual to use or disclose PHI, to the extent such changes affect Business Associate’s permitted Uses or Disclosures.
3.3 Restrictions. Covered Entity shall notify Business Associate of restriction(s) in the Use or Disclosure of PHI that Covered Entity has agreed to, to the extent such restriction affects Business Associate’s permitted Uses or Disclosures.
3.4 Consents and Authorizations. Covered Entity represents and warrants that any and all consents, authorizations, or other permissions necessary under the Privacy Standards or other applicable law (including state law) to transmit information through the Service and/or under this Addendum have been properly secured.
3.5 Marketing. Covered Entity represents and warrants that it has obtained any and all authorizations from Individual for any use or disclosure of PHI for marketing, unless the marketing communication is made without any form of remuneration (i) to describe medical services or products provided by either party; (ii) for treatment of the Individual; or (iii) for case management or care coordination for the Individual or to direct or recommend alternate treatments, therapies, providers or settings.
3.6 Permissible Requests by Covered Entity. Covered Entity shall not request Business Associate to use or disclose Protected Health Information in any manner that would not be permissible under Subpart E of 45 C.F.R. Part 164.
4. Term and Termination.
4.1 Term. The Term of this Addendum shall commence on and this Addendum shall be effective as of the date on which Covered Entity electronically registers for the Service, and shall continue in effect for as long as Covered Entity is registered for the Service.
4.2 Termination for Cause. In the event either party determines that the other has engaged in a pattern of activity or practice that constitutes a material breach of a term of this Addendum and such violation continues for thirty (30) days after written notice of such breach has been provided, the party claiming a breach shall have the right to terminate Covered Entity’s participation on the Service or, if termination is not feasible, to report the breach to the Secretary.
4.3 Effect of Termination.
4.3.1 Return or Destruction of Protected Health Information; Disposition When Return or Destruction Not Feasible. Upon termination of this Addendum, the parties hereby acknowledge that the return or destruction of PHI received by the Business Associate from Covered Entity is not feasible, and that, therefore, Business Associate may retain a copy of such PHI provided that: (i) the provisions of this Addendum shall continue to apply to any such information retained following cancellation, termination, expiration, or other conclusion of Covered Entity’s participation on the Service; and (ii) Business Associate shall limit Uses and Disclosures of such PHI to those purposes that make the return or destruction thereof not feasible, for as long as Business Associate maintains such PHI. Furthermore, Business Associate may de-identify or aggregate any PHI received under this Addendum and Business Associate shall have a non-exclusive, perpetual and unlimited royalty-free license to use and disclose the De-Identified or Aggregated Data collected or created from PHI received under this Addendum.
4.3.2 Reasonable Fees. All reasonable fees incurred to cause the return, destruction, or storage of Protected Health Information under this Section 4.3 shall be borne by the Covered Entity.
5.1 Regulatory References. A reference in this Addendum to a section in HIPAA, the HITECH Act, the Privacy Standards, or the Security Standards means the section as in effect or as amended at the time.
5.2 Survival. The respective rights and obligations of the parties under Section 4.3 of this Addendum shall survive the termination of this Addendum.
5.3 Interpretation. Any ambiguity in this Addendum shall be resolved in favor of a meaning that permits the parties to comply with the Privacy Standards and Security Standards. Except to the extent specified by this Addendum, all of the terms and conditions governing Covered Entity’s participation on the Service shall be and remain in full force and effect. In the event of any inconsistency or conflict between this Addendum and the terms and conditions governing Covered Entity’s participation on the Service, the terms and provisions and conditions of this Addendum shall govern and control.
5.4 Amendment. The parties shall work together through reasonable negotiations to amend this Addendum as necessary to comply with any changes in law, including, but not limited to, the promulgation of amendments to the Privacy Standards or Security Standards required by the HITECH Act or any other future laws, applicable to or affecting the rights, duties, and obligations of the parties under this Addendum or the terms and conditions governing Covered Entity’s participation on the Service.
5.5 Independent Relationship. None of the provisions of this Addendum are intended to create, nor will they be deemed to create, any relationship between the parties other than that of independent parties contracting with each other as independent contractors solely for the purposes of effecting the provisions of this Addendum and the terms and conditions governing Covered Entity’s participation on the Service.
5.6 Notices. All notices and notifications under this Addendum shall be sent in writing by traceable carrier to the listed persons on behalf of Business Associate and Covered Entity at the following electronic addresses:
Covered Entity: email provided when registering to the Services; and
Business Associate: email@example.com;
or such other address as a party may indicate by at least ten (10) days’ prior written notice to the other party. Notices will be effective upon receipt.
5.7 Construction and Jurisdiction. This Addendum shall be governed by and construed in accordance with the laws of the State of Delaware (excepting any conflict of laws provisions which would serve to defeat application of the State of Delaware law). Each of the parties hereto submits to the exclusive jurisdiction of the competent courts located within the State of Delaware for any suit, hearing or other legal proceeding of every nature, kind and description whatsoever in the event of any dispute or controversy arising hereunder or relating hereto, or in the event any ruling, finding or other legal determination is required or desired hereunder.
Last Updated: January 1, 2023