MedStack HIPAA Business Associate Agreement

Last updated: August 6, 2019

If you are a Covered Entity or a Business Associate under HIPAA and include Protected Health Information in Your Content, execution of the MedStack Customer Agreement (“Agreement”) will incorporate the terms of this MedStack HIPAA Business Associate Agreement (“BAA”) into that Agreement. If there is any conflict between a provision in this BAA and a provision in the Agreement, this BAA will control.

1. Definitions

a. The following terms used in this Agreement shall have the same meaning as those terms in the HIPAA Rules: Breach, Data Aggregation, Designated Record Set, Disclosure, Health Care Operations, Individual, Minimum Necessary, Notice of Privacy Practices, Protected Health Information, Required By Law, Secretary, Security Incident, Subcontractor, Unsecured Protected Health Information, and Use.

b. “Business Associate” shall generally have the same meaning as the term “business associate” at 45 CFR 160.103.

c. “Covered Entity” shall generally have the same meaning as the term “covered entity” at 45 CFR 160.103.

d. “HIPAA” means the Administrative Simplification Subtitle of the Health Insurance Portability and Accountability Act of 1996, as amended by Subtitle D of the Health Information Technology for Economic and Clinical Health Act, and their implementing regulations.

e. “HIPAA Rules” shall mean the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Part 160 and Part 164.

f. “PHI” means “protected health information” as defined in 45 CFR 160.103 that is received by MedStack from or on behalf of you.

2. Permitted and Required Uses and Disclosures

a. Service Offerings. We may Use or Disclose PHI for or on behalf of you as specified in the Agreement.

b. Administration and Management of MedStack. We may use and disclose PHI as necessary for the proper management and administration of MedStack. Any Disclosures under this section will be made only if we obtain reasonable assurances from the recipient of the PHI that (a) the recipient will hold the PHI confidentially and will Use or Disclose the PHI only as required by law or for the purpose for which it was disclosed to the recipient, and (b) the recipient will notify us of any instances of which it is aware in which the confidentiality of the information has been breached.

3. Obligations of MedStack

a. Limit on Uses and Disclosures. We will use or disclose PHI only as permitted by this BAA or as required by law.

b. Safeguards. We will use reasonable and appropriate safeguards to prevent Use or Disclosure of PHI other than as provided for by this BAA, consistent with the requirements of Subpart C of 45 C.F.R. Part 164 (with respect to Electronic PHI) as determined by MedStack and as reflected in the Agreement.

c. Reporting. For all reporting obligations under this BAA, the parties acknowledge that, because MedStack does not know the nature of PHI contained in any of your accounts, it will not be possible for MedStack to provide information about the identities of the Individuals who may have been affected, or a description of the type of information that may have been subject to a Security Incident, Impermissible Use or Disclosure, or Breach.

i. Reporting of Impermissible Uses and Disclosures. We will report to you any Use or Disclosure of PHI not permitted or required by this BAA of which we become aware, without unreasonable delay, and in no case later than 5 business days after our discovery of such Use or Disclosure.

ii. Reporting of Breaches. We will report to you any Breach of your Unsecured PHI that we may discover to the extent required by 45 C.F.R. § 164.410. We will make such report without unreasonable delay, and in no case later than 24 hours after discovery of such Breach.

iii. Reporting of Security Incidents that are not Breaches. We will report to you on no less than a quarterly basis any Security Incidents involving PHI of which we become aware in which there is a successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an Information System in a manner that risks the confidentiality, integrity, or availability of such information. Notice is hereby deemed provided, and no further notice will be provided, for unsuccessful attempts at such unauthorized access, use, disclosure, modification, or destruction, such as pings and other broadcast attacks on a firewall, denial of service attacks, port scans, unsuccessful login attempts, or interception of encrypted information where the key is not compromised, or any combination of the above.

d. Subcontractors. We will ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of us agree to restrictions and conditions at least as stringent as those found in this BAA, and agree to implement reasonable and appropriate safeguards to protect PHI.

e. Access to PHI. We will make PHI in a Designated Record Set available to you so that you can comply with 45 C.F.R. § 164.524. We will provide this data as a backup.

f. Amendment to PHI. We will make PHI in a Designated Record Set available to you for amendment by giving you access to the Services where that data is kept. You shall incorporate any amendments to the PHI in accordance with 45 CFR § 164.526.

g. Accounting of Disclosures. We will make available to you the information required to provide an accounting of Disclosures in accordance with 45 C.F.R. § 164.528 of which we are aware, if requested by you. Because we cannot readily identify which Individuals are identified or what types of PHI are included in Content you or any End User (a) run on the Services, (b) cause to interface with the Services, or (c) upload to the Services under your account or otherwise transfer, process, use or store in connection with your account (“Customer Content”), you will be solely responsible for identifying which Individuals, if any, may have been included in Customer Content that we have disclosed and for providing a brief description of the PHI disclosed.

h. Internal Records. We will make our internal practices, books, and records relating to the Use and Disclosure of PHI available to the Secretary of the U.S. Department of Health and Human Services (“HHS”) for purposes of determining your compliance with HIPAA. Nothing in this section will waive any applicable privilege or protection, including with respect to trade secrets and confidential commercial information.

4. Your Obligations

a. Appropriate Use. You are responsible for implementing appropriate privacy and security safeguards in order to protect your PHI in compliance with HIPAA and this BAA. Without limitation, it is Customer’s obligation to:

i. Implement privacy and security safeguards and audit logging in Your Content.

ii. Not include PHI in information you submit to technical support personnel through a technical support request or to community support forums.

b. Encryption. You must ensure that all PHI is encrypted when stored in or transmitted using the Services in accordance with the Secretary of HHS’s Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals.

c. Data outside our services. We do not act as, or have the obligations of, a Business Associate under HIPAA with respect to Your Data once it is sent to or from you outside our Services over the public Internet, or if you fail to follow applicable instructions regarding physical media transported by a common carrier.

d. Necessary Consents. You warrant that you have obtained any necessary authorizations, consents, and other permissions that may be required under applicable law prior to placing Customer Content, including without limitation PHI, on the Services.

e. Restrictions on Disclosures. You will not agree to any restriction requests or place any restrictions in any notice of privacy practices that would cause us to violate this BAA or any applicable law.

f. Compliance with HIPAA. You will not request or cause us to make a Use or Disclosure of PHI in a manner that does not comply with HIPAA or this BAA.

g. Back up Data Before Termination. You are solely responsible for making and retaining copies of PHI maintained by us before terminating this BAA.

5. Term and Termination

a. Term. This BAA shall continue in effect until the earlier of (1) termination by a Party for breach as set forth in Section 5b, below, or (2) expiration of your Agreement.

b. Termination for Breach. Upon written notice, either Party immediately may terminate the Agreement and this BAA if the other Party is in material breach or default of any obligation in this BAA. Either party may provide the other a 30 calendar day period to cure a material breach or default within such written notice. A material breach of this BAA constitutes a material breach of the Agreement, and may result in termination of your account(s) with us.

c. Return, Destruction, or Retention of PHI Upon Termination. Upon expiration or termination of this BAA, we shall return or destroy all PHI in our possession, if it is feasible to do so, and as set forth in the applicable termination provisions of the Agreement. If it is not feasible to return or destroy any portions of the PHI upon termination of this BAA, then we shall extend the protections of this BAA, without limitation, to such PHI and limit any further Use or Disclosure of the PHI to those purposes that make the return or destruction infeasible for the duration of the retention of the PHI.

6. Miscellaneous

a. Interpretation. The Parties intend that this BAA be interpreted consistently with their intent to comply with HIPAA and other applicable federal and state law. Except where this BAA conflicts with the Agreement, all other terms and conditions of the Agreement remain unchanged. Any captions or headings in this BAA are for the convenience of the Parties and shall not affect the interpretation of this BAA.

b. BAAs; Waiver. This BAA may not be modified or amended except in writing, duly signed by authorized representatives of the Parties. A waiver with respect to one event shall not be construed as continuing, as a bar to, or as a waiver of any right or remedy as to subsequent events.

c. No Third-Party Beneficiaries. Nothing express or implied in this BAA is intended to confer, nor shall anything in this BAA confer, upon any person other than the Parties, and the respective successors or assigns of the Parties, any rights, remedies, obligations, or liabilities whatsoever.

d. Severability. In the event that any provision of this BAA is found to be invalid or unenforceable, the remainder of this BAA shall not be affected thereby, but rather the remainder of this BAA shall be enforced to the greatest extent permitted by law.

e. No Agency Relationship. As set forth in the Agreement, nothing in this BAA is intended to make either party an agent of the other. Nothing in this BAA is intended to confer upon you the right or authority to control our conduct in the course of us complying with the Agreement and BAA.