Secure Messaging

BUSINESS ASSOCIATE AGREEMENT (BAA) / ADDENDUM

This business associate agreement/addendum (the “Agreement”) is made and entered into between the Business Associate and the Customer pursuant to the EULA (as such terms are defined below). The EULA will incorporate the terms of this Agreement. If there is any conflict between a provision in this Agreement and the EULA, this Agreement will prevail.

RECITALS

A. The Customer and the Business Associate have entered into an end user license agreement (the “EULA”) under which the Customer will be using the secure email, products, software, services and websites (collectively defined as “Services”) provided by the Business Associate, and the parties may, in the future, enter into one or more underlying contracts or purchase orders related to the EULA that will require the Business Associate to perform the Services pursuant to the terms and conditions set out in the EULA.

B. The Customer is a Covered Entity, as defined in HIPAA (defined below).

C. The Business Associate, in fulfilling its obligations for and on behalf of the Customer, may create or receive and maintain certain Protected Health Information and other forms of personal information from time to time that is the property of the Customer.

D. The Customer and the Business Associate desire to enter into this Agreement, which shall supplement the EULA, as required by HIPAA, in order to provide satisfactory assurances to the Customer that the Business Associate shall maintain appropriate administrative, physical and technical safeguards to protect the confidentiality, integrity and availability of the Protected Health Information in accordance with HIPAA.

E. The Customer and the Business Associate agree that this Agreement forms a legally binding agreement in relation to the Business Associate’s HIPAA obligations.

1. Definitions

Except as otherwise defined in this Agreement, capitalized terms shall have the meaning assigned to them in the EULA. If such terms are not otherwise defined in this Agreement or in the EULA, they shall have the same meanings as defined by HIPAA.

a) “Breach Notification Rule” means the Breach Notification for Unsecured Protected Health Information Final Rule.
b) “Business Associate” shall have the same meaning as the term “business associate” in 45 CFR § 160.103 of HIPAA and, for the purposes of the EULA and this Agreement, is Cirius Messaging, Inc.
c) “Covered Entity” shall have the same meaning as the term “covered entity” in 45 CFR § 160.103 of HIPAA.
d) “Customer” shall have the same meaning given to it in the EULA.
e) “HIPAA” collectively means the administrative simplification provisions of the Health Insurance Portability and Accountability Act enacted by the United States Congress, and its implementing regulations, including the Privacy Rule, the Breach Notification Rule, and the Security Rule, as amended from time to time, including by the Health Information Technology for Economic and Clinical Health Act (“HITECH”) and by the Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the HITECH Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules; Final Rule.
f) “Privacy Rule” means the Standards for Privacy of Individually Identifiable Health Information.
g) “Protected Health Information” shall have the same meaning as the term “protected health information” in 45 CFR § 160.103 of HIPAA, provided that it is limited to such protected health information that is received by the Business Associate from, or created, received, maintained, or transmitted by the Business Associate on behalf of, the Customer.

2. Permitted Uses and Disclosures of Protected Health Information

a) Performance of the Agreement for the Services. Except as otherwise limited in this Agreement, the Business Associate may Use and Disclose Protected Health Information for, or on behalf of, Customer as specified in the Agreement; provided that any such Use or Disclosure would not violate HIPAA if done by Customer, unless expressly permitted under paragraph b of this Section.
b) Management, Administration, and Legal Responsibilities. Except as otherwise limited in this Agreement, the Business Associate may Use and Disclose Protected Health Information for the proper management and administration of the Business Associate and/or to carry out the legal responsibilities of the Business Associate, provided that any Disclosure may occur only if: (1) Required by Law; or (2) the Business Associate obtains written reasonable assurances from the person to whom the Protected Health Information is Disclosed that it will be held confidentially and Used or further Disclosed only as Required by Law or for the purpose authorized by this Agreement, and the person notifies the Business Associate of any instances of which it becomes aware in which the confidentiality of the Protected Health Information has been breached.

3. Responsibilities of the Business Associate with Respect to the Protected Health Information

To the extent of fulfilling its obligations as a business associate under HIPAA, the Business Associate agrees to the following:

a) Limitations on Use and Disclosure. The Business Associate shall not Use and/or Disclose the Protected Health Information other than as permitted or required by the EULA and/or this Agreement or as otherwise Required by Law; the Business Associate shall not disclose, capture, maintain, scan, index, transmit, share or Use Protected Health Information for any activity not authorized under the EULA and/or this Agreement. The Services shall not use Protected Health Information for any advertising, marketing or other commercial purpose of the Business Associate or any third party. The Business Associate shall not violate the HIPAA prohibition on the sale of Protected Health Information. The Business Associate shall make reasonable efforts to Use, Disclose, and/or request the minimum necessary Protected Health Information to accomplish the intended purpose of such Use, Disclosure, or request.
b) Safeguards. The Business Associate shall: (1) use commercially reasonable and appropriate safeguards to prevent inappropriate Use and Disclosure of Protected Health Information other than as provided for in this Agreement; and (2) comply with the applicable requirements of 45 CFR Part 164 Subpart C of the Security Rule.
c) Reporting. The Business Associate shall report to Customer: (1) any Use and/or Disclosure of Protected Health Information that is not permitted or required by this Agreement of which Business Associate becomes aware; (2) any Security Incident of which it becomes aware, provided that notice is hereby deemed given for Unsuccessful Security Incidents and no further notice of such Unsuccessful Security Incidents shall be given; and/or (3) any Breach of Customer’s Unsecured Protected Health Information that the Business Associate may discover (in accordance with 45 CFR § 164.410 of the Breach Notification Rule). Notification of a Breach will be made without unreasonable delay, but in no event more than thirty (30) calendar days after discovery of a Breach. Taking into account the level of risk reasonably likely to be presented by the Use, Disclosure, Security Incident, or Breach, the timing of other reporting will be made consistent with Business Associate’s and Customer’s legal obligations.

For purposes of this Section, “Unsuccessful Security Incidents” means, without limitation, pings and other broadcast attacks on the Business Associate’s firewall, port scans, unsuccessful log-on attempts, denial of service attacks, and any combination of the above, as long as no such incident results in unauthorized access, acquisition, Use, or Disclosure of Protected Health Information. Notification(s) under this Section, if any, will be delivered to contacts identified by Customer pursuant to Section 4b (Contact Information for Notices) of this Agreement by any means the Business Associate selects, including through email. The Business Associate’s obligation to report under this Section is not and will not be construed as an acknowledgement by the Business Associate of any fault or liability with respect to any Use, Disclosure, Security Incident, or Breach.

d) Subcontractors. In accordance with the applicable provisions of HIPAA, the Business Associate shall require its Subcontractors who create, receive, maintain, or transmit Protected Health Information on behalf of the Business Associate to agree in writing to: (1) the same or more stringent restrictions and conditions that apply to the Business Associate with respect to such Protected Health Information; (2) appropriately safeguard the Protected Health Information; and (3) comply with the applicable requirements of 45 CFR Part 164 Subpart C of the Security Rule. The Business Associate remains responsible for its Subcontractors’ compliance with the obligations in this Agreement.
e) Disclosure to the Secretary. The Business Associate shall make available its internal practices, records, and books relating to the Use and/or Disclosure of Protected Health Information received from Customer to the Secretary of the Department of Health and Human Services for purposes of determining Customer’s compliance with HIPAA, subject to attorney-client and other applicable legal privileges as well as subject to the Business Associate’s professional obligations with respect to such practices, books and records. The Business Associate shall respond to any such request from the Secretary in accordance with the Section titled “Disclosure of Customer Data” in the Agreement. For purposes of clarity, this provision does not obligate the Business Associate to provide any information unrelated to the services provided to the Customer by the Business Associate pursuant to the EULA.
f) Access. If the Business Associate maintains Protected Health Information in a Designated Record Set for Customer, then the Business Associate, at the request of Customer, shall within fifteen (15) days make access to such Protected Health Information available to Customer in accordance with 45 CFR § 164.524 of the Privacy Rule.
g) Amendment. If the Business Associate maintains Protected Health Information in a Designated Record Set for Customer, then the Business Associate, at the request of Customer, shall make available such Protected Health Information to Customer for amendment and incorporate any reasonably requested amendment in the Protected Health Information in accordance with 45 CFR § 164.526 of the Privacy Rule.
h) Accounting of Disclosure. The Business Associate, at the request of Customer, shall within fifteen (15) days make available to Customer such information relating to Disclosures made by the Business Associate as required for Customer to make any requested accounting of Disclosures in accordance with 45 CFR § 164.528 of the Privacy Rule.
i) Performance of a Covered Entity’s Obligations. To the extent the Business Associate is to carry out a Covered Entity obligation under the Privacy Rule, the Business Associate shall comply with the requirements of the Privacy Rule that apply to Customer in the performance of such obligation.
j) Legal Obligations. If the Business Associate believes it has a legal obligation to further Disclose any Protected Health Information in the Business Associate’s possession, including, but not limited to, obligations that arise from the issuance of a third party discovery request, subpoena or court order, and also including, but not limited to, an obligation to contact law enforcement pursuant to the EULA, the Business Associate shall notify the Customer (unless prohibited by law) as soon as reasonably practicable after it learns of such obligation, and in any event (unless prohibited by law) within a time sufficiently in advance of the proposed release date such that the Customer’s rights and interests would not be prejudiced, as to the legal requirement pursuant to which the Business Associate believes the Protected Health Information must be released. If the Customer objects to the release of such Protected Health Information, the Business Associate shall allow the Customer, at the Customer’s expense, to exercise any legal rights or remedies which either the Customer or the Business Associate might have with respect to the further Disclosure of Protected Health Information.

4. Responsibilities of the Customer with Respect to the Protected Health Information

a) No Impermissible Requests. Customer shall not request the Business Associate to Use or Disclose Protected Health Information in any manner that would not be permissible under HIPAA if done by a Covered Entity (unless permitted by HIPAA for a Business Associate).
b) Contact Information for Notices. Customer hereby agrees that any reports, notification, or other notice by the Business Associate pursuant to this Agreement may be made electronically. Customer shall provide contact information to support@secure-messaging.com or such other location or method of updating contact information as the Business Associate may specify from time to time, and shall ensure that Customer’s contact information remains up to date during the term of this Agreement. Contact information must include the name of the individual(s) to be contacted, the title of the individual(s) to be contacted, the e-mail address of the individual(s) to be contacted, the name of the Customer organization, and, if available, either the contract number or the subscriber identification number.
c) Safeguards and Appropriate Use of Protected Health Information. Customer is responsible for implementing appropriate privacy and security safeguards to protect its Protected Health Information in compliance with HIPAA. Without limitation, it is Customer’s obligation to:

i. Not include Protected Health Information in: (1) information Customer submits to technical support personnel through a technical support request or to community support forums; and (2) Customer’s address book or directory information. In addition, the Customer does not act as, or have the obligations of, a Business Associate under HIPAA with respect to Customer Data once it is sent to or from Customer outside the Services over the public Internet.
ii. Implement privacy and security safeguards in the systems, applications, and software Customer controls, configures, and uploads into the Services.

5. Applicability of the Agreement

This Agreement is applicable to the Services. The Business Associate may, from time to time, update the definition of the Services in this Agreement to include additional online services. Any such updated definitions will apply to Customer without additional action by Customer. It is Customer’s obligation to not store or process Protected Health Information in a Business Associate’s online service until this Agreement is effective as to the applicable service.

6. Term and Termination.

a. Term. This Agreement shall continue in effect until the earlier of (1) termination by a party for breach as set forth in Section 6b, below, or (2) expiration of Customer’s Agreement.
b. Termination for Breach. Upon written notice, either party immediately may terminate the EULA and this Agreement if the other party is in material breach or default of any obligation in this Agreement. Either party may provide the other a thirty (30) calendar day period to cure a material breach or default within such written notice.
c. Return, Destruction, or Retention of Protected Health Information Upon Termination. Upon expiration or termination of this Agreement, the Business Associate shall return or destroy all Protected Health Information in its possession, if it is feasible to do so and subject to any professional responsibilities of the Business Associate to maintain such information, in which event the Business Associate shall maintain all such Protected Health Information in accordance with its custom and practice with respect thereto. If it is not feasible to return or destroy any portions of the Protected Health Information upon termination of this Agreement, then the Business Associate shall extend the protections of this Agreement, without limitation, to such Protected Health Information and limit any further Use or Disclosure of the Protected Health Information to those purposes that make the return or destruction infeasible for the duration of the retention of the Protected Health Information. Notwithstanding the foregoing, the Customer acknowledges and agrees that, to the extent that Protected Health Information is stored in electronic form, the Business Associate’s obligation to destroy same shall be limited to executing commercially reasonable, application- or operating system-level “delete” functionality thereupon, notwithstanding that such information may remain (subject to the obligations in respect of the Protected Health Information herein) in the Business Associate’s e-mail or archival systems or may be forensically recoverable.

7. Miscellaneous

a. Interpretation. The parties intend that this Agreement be interpreted consistently with their intent to comply with HIPAA and other applicable federal and state law. Except where this Agreement conflicts with the EULA, all other terms and conditions of the EULA remain unchanged. Any captions or headings in this Agreement are for the convenience of the Parties and shall not affect the interpretation of this Agreement.
b. Amendment; Waiver. This Agreement may not be modified or amended except in a writing duly signed by authorized representatives of the parties. A waiver with respect to one event shall not be construed as continuing, as a bar to, or as a waiver of any right or remedy as to subsequent events.
c. No Third Party Beneficiaries. Nothing express or implied in this Agreement is intended to confer, nor shall anything in this Agreement confer, upon any person other than the parties, and the respective successors or assigns of the parties, any rights, remedies, obligations, or liabilities whatsoever.
d. Severability. In the event that any provision of this Agreement is found to be invalid or unenforceable, the remainder of this Agreement shall not be affected thereby, but rather the remainder of this Agreement shall be enforced to the greatest extent permitted by law.
e. No Agency Relationship. It is not intended that an agency relationship (as defined under the Federal common law of agency) be established hereby expressly or by implication between Customer and the Business Associate under HIPAA or the Privacy Rule, Security Rule, or Breach Notification Rule. No terms or conditions contained in this Agreement shall be construed to make or render the Business Associate an agent of Customer.
f. Entire Agreement/Addendum. This Agreement/Addendum, together with the EULA, sets forth the entire agreement and understanding between the parties as to the matters contained in them, and supersedes all prior discussions, agreements, and understandings of every kind and nature between them. To the extent that there arises any necessary inconsistency or conflict between this Agreement/Addendum and the EULA, this Agreement/Addendum shall prevail to the extent strictly necessary to resolve such inconsistency or conflict.
g. Governing Law. This Agreement/Addendum will be governed by the laws of the Province of British Columbia and the federal laws of Canada applicable therein, as provided in Section 17.8 of the EULA, except to the extent expressly provided herein or pursuant to the Customer’s local laws, and then only to the extent strictly required by such local laws.
h. Conflicting Laws and Obligations. If the Business Associate believes that it is unable to comply with any of its obligations under this Agreement/Addendum due to any conflicting laws, regulations, pronouncements, or ethical obligations, it may seek a determination, or judgment, from a court of competent jurisdiction regarding its ability to comply with such obligations, and may take such actions set out in such determination or judgment and will notify the Customer thereof. When the Business Associate arrives at such belief, it shall consult with the Customer to the extent permitted by law so that the Customer can determine whether to participate in such court proceedings, at its expense.

Last Updated: October 16, 2015