BUSINESS ASSOCIATE AGREEMENT
If Client is a Covered Entity and includes Protected Health Information in the data and information Client provides or makes accessible to Vivlio Health, Inc. (“Business Associate”), then the parties’ execution of a Master Service Agreement, Order, or other underlying contract (“Agreement”) to the HIPAA Business Associate Agreement (“BAA”) will incorporate the terms of this BAA into that Agreement. If there is any conflict between a provision in this BAA and a provision in the Agreement, this BAA will control to the extent necessary to comply with the HIPAA portions of the BAA.
1. DEFINITIONS. Unless otherwise defined in this BAA, capitalized terms shall have the definitions set in HIPAA, and if not defined by HIPAA, such terms shall have the definitions set forth in the Agreement.
1.1 “Breach” shall have the meaning given to the term “breach” at 45 C.F.R. § 164.402, as applied to Unsecured PHI created, received, maintained or transmitted by Business Associate from or on behalf of Covered Entity.
1.2 “Breach Notification Rule” means the Breach Notification for Unsecured Protected Health Information Final Rule.
1.3 “Business Associate” shall have the same meaning as the term “business associate” in 45 C.F.R. § 160.103.
1.4 “Covered Entity” shall have the same meaning as the term “covered entity” in 45 C.F.R. § 160.103.
1.5 “HIPAA” collectively means the administrative simplification provision of the Health Insurance Portability and Accountability Act and its implementing regulations, including the Privacy Rule, the Breach Notification Rule, and the Security Rule, as amended from time to time, including by the Health Information Technology for Economic and Clinical Health (“HITECH”) Act and by the modifications to the HIPAA privacy, security, enforcement, and breach notification rules under the HITECH and the Genetic Information Nondiscrimination Act (“GINA”); other modifications to the HIPAA rules; final rule.
1.6 “Individual” shall have the meaning given to such term under 45 C.F.R. § 160.103 and shall include a person who qualifies as a personal representative in accordance with 45 C.F.R. § 164.502(g).
1.7 “Client”, for this BAA only, means Client and its Affiliates.
1.8 “Privacy Rule” shall mean the Standards for Privacy of Individually Identifiable Health Information at 45 C.F.R. Part 160 and Part 164, Subparts A and E.
1.9 “Protected Health Information” or “PHI”, and “ePHI”, shall have the meanings given to such terms at 45 C.F.R. § 160.103, as applied to the information created, received, maintained, or transmitted by Business Associate from or on behalf of Covered Entity. PHI and ePHI shall be collectively referred to herein as “PHI.”
1.10 “Security Incident” shall have the meaning given to the term “security incident” at 45 C.F.R. § 164.304, as applied to the PHI created, received, maintained, or transmitted by Business Associate from or on behalf of Covered Entity.
1.11 “Security Rule” shall mean the Security Standards for the Protection of Electronic Protected Health Information at 45 C.F.R. Part 160 and Part 164, Subparts A and C.
1.12 “Unsecured PHI” shall have the meaning given to the term “unsecured protected health information” at 45 C.F.R. § 164.402, as applied to the PHI created, received, maintained, or transmitted by Business Associate from or on behalf of Covered Entity.
2. PERMITTED USES AND DISCLOSURES OF PHI
Except as otherwise limited in this BAA or the Agreement, Business Associate may do any or all of the following:
2.1 Use or disclose PHI to perform functions, activities, or services for, or on behalf of, Covered Entity pursuant to the Services Agreement, provided that such use or disclosure would not violate the Privacy Rule if done by Covered Entity. Notwithstanding the foregoing, Business Associate may use and disclose PHI for the purposes identified in Sections 2.2 through 2.4 of this BAA even if Covered Entity could not do so under the Privacy Rule.
2.2 Use PHI for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate.
2.3 Disclose PHI for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate, provided that: (a) the disclosures are required by law; or (b) Business Associate obtains reasonable assurances from the party to whom the PHI is disclosed that it shall remain confidential and shall be used or further disclosed only as required by law or for the purposes for which it was disclosed, and that the party agrees to notify Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.
2.4 Use PHI to provide data aggregation services relating to the health care operations of Covered Entity as permitted by 45 C.F.R. § 164.504(e)(2)(i)(B).
2.5 Use PHI as permitted by 45 C.F.R. §§ 164.502(d)(1) and 164.514(a)-(c).
2.6 Use PHI received, maintained, used or disclosed under the Agreement to create de-identified health information in accordance with HIPAA: (i) to perform Services and (ii) for any other purpose permitted by applicable law. Business Associate owns all right, title and interest in the de-identified health information created under the Agreement and the compilation of de-identified health information created under the Agreement with de-identified health information that Business Associate receives (or creates from data received) from third-party data sources. This paragraph shall survive the expiration or earlier termination of the Agreement.
3. OBLIGATIONS OF BUSINESS ASSOCIATE
3.1 Limitations on Use and Disclosure. Business Associate may not use or disclose PHI other than as permitted or required by this Agreement or as required by law. Business Associate shall not disclose, capture, maintain, scan, index, transmit, share or use PHI for any activity not authorized under the Agreement and/or this BAA.
3.2 Safeguards. Business Associate shall use reasonable and appropriate safeguards and, where applicable, comply with the Security Rule with respect to ePHI, to prevent inappropriate use or disclosure of PHI other than as provided for by this BAA and the Agreement.
3.3 Reporting. Business Associate shall report to Covered Entity: (1) any use or disclosure of PHI not provided for by this Agreement of which Business Associate becomes aware, including any Breach of Unsecured PHI as required by 45 C.F.R. § 164.410, and (2) any Security Incident of which it becomes aware. Business Associate and Covered Entity acknowledge the ongoing existence and occurrence of attempted but unsuccessful Security Incidents that are trivial in nature, such as pings and other broadcast attacks on Business Associate’s firewall, port scans, malware, denials of service, unsuccessful log-on attempts and any combination of the above (“Unsuccessful Security Incidents”), and notice is hereby deemed given for such Unsuccessful Security Incidents. Covered Entity acknowledges and agrees that no additional notification to Covered Entity is required for Unsuccessful Security Incidents.
Notification(s) under this Section, if any, will be delivered to contacts identified by Client pursuant to Section 6.6 of this BAA by any means Business Associate selects, including through e-mail. Business Associate’s obligation to report under this Section is not and will not be construed as an acknowledgement of any fault or liability with respect to any use, disclosure, Security Incident, or Breach.
3.4 Mitigation. Business Associate shall mitigate, to the extent practicable, any harmful effect that is known to Business Associate of any use or disclosure of PHI in violation of this Agreement.
3.5 Subcontractors. Business Associate shall require any subcontractors that create, receive, maintain, or transmit PHI on behalf of Business Associate to agree to substantially the same restrictions and conditions that apply to Business Associate with respect to such information.
3.6 Access. The Parties do not intend for Business Associate to maintain any PHI in a Designated Record Set for Covered Entity. To the extent that Business Associate maintains PHI in a Designated Record Set, Business Associate shall provide access to such PHI to Covered Entity or, as directed by Covered Entity, to an Individual as necessary to satisfy Covered Entity’s obligations under 45 C.F.R. § 164.524. If an Individual makes a request for access pursuant to § 164.524 directly to Business Associate or inquires about his or her right to access, Business Associate will promptly forward such request to Covered Entity.
3.7 Amendment. The Parties do not intend for Business Associate to maintain any PHI in a Designated Record Set for Covered Entity. To the extent that Business Associate maintains PHI in a Designated Record Set, Business Associate shall make amendments to such PHI that Covered Entity directs as necessary to satisfy Covered Entity’s obligations under 45 C.F.R. § 164.526.
3.8 Accounting of Disclosures. Business Associate shall provide to Covered Entity an accounting of the disclosures of an Individual’s PHI as necessary to satisfy Covered Entity’s obligations under 45 C.F.R. § 164.528 and, as of the applicable effective date, Section 13405(c) of HITECH and any regulations promulgated thereunder. If an Individual submits a written request for an accounting of disclosures of PHI pursuant to 45 C.F.R. § 164.528 directly to Business Associate regarding his/her rights to an accounting, Business Associate shall promptly forward such request to Covered Entity.
3.9 Compliance with Privacy Rule. To the extent Business Associate is responsible for carrying out an obligation of Covered Entity under the Privacy Rule pursuant to this Agreement or the Services Agreement, Business Associate shall comply with the requirements of the Privacy Rule that apply to Covered Entity in its performance of such obligation.
3.10 Government Access to Records. Business Associate shall make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of the United States Department of Health and Human Services for the purpose of determining compliance with HIPAA.
4. OBLIGATIONS OF COVERED ENTITY
4.1 Notice of Privacy Practices. Covered Entity shall notify Business Associate of any limitations in its notice of privacy practices, to the extent that such limitations may affect Business Associate’s use or disclosure of PHI.
4.2 Notification of Revocations. Covered Entity shall notify Business Associate of any changes in, or revocation of, authorization by an Individual to use or disclose PHI, to the extent that such changes or revocation may affect Business Associate’s use or disclosure of PHI.
4.3 Notification of Restrictions. Covered Entity shall notify Business Associate of any restriction to the use or disclosure of PHI that Covered Entity has agreed to or is required to abide by in accordance with 45 C.F.R. § 164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of PHI.
4.4 No Impermissible Requests. Covered Entity shall not request that Business Associate use or disclose PHI in any manner that would not be permissible under HIPAA or other applicable federal or state law if done by Covered Entity.
4.5 Safeguards and Appropriate Use of Protected Health Information. Covered Entity is responsible for implementing appropriate privacy and security safeguards to protect its PHI in compliance with HIPAA.
4.6 Consents. Covered Entity represents and warrants that it has obtained any consent, authorization, or permission that may be required by the HIPAA Rules or any other applicable federal, state, or local laws and/or regulations prior to furnishing Business Associate the PHI pertaining to an Individual. Covered Entity represents and warrants that its notice of privacy practices permits Covered Entity to use and disclose Protected Health Information in the manner that Business Associate is authorized to use and disclose Protected Health Information under this Agreement. Business Associate may rely upon configuration parameters, consent tracking guidelines, and other such instructions and disclosures provided by Covered Entity, and provide the Services accordingly. Covered Entity assumes sole responsibility for any liabilities or claims arising out of or relating to such disclosures pursuant to these representations and warranties.
4.7 It is Covered Entity’s obligation to not store or process in an online service, or otherwise provide to Business Associate for performance of Service, PHI until this BAA is effective as to the applicable Service.
5. TERM AND TERMINATION
5.1 Term. The term of this Agreement shall commence as of the Effective Date, be coterminous with the Agreement, and continue in full force and effect from year to year, but shall terminate as of the earliest occurrence of any of the following: (a) the Agreement expires or is terminated; (b) this BAA is terminated for cause pursuant to Section 5.2 herein; or (c) this BAA is terminated pursuant to applicable law.
5.2 Termination for Breach. Upon a party’s determination of a breach of a material term of this Agreement by the other party, the non-breaching party shall provide the other party written notice of that breach in sufficient detail to enable such other party to understand the specific nature of that breach and afford such other party an opportunity to cure the breach; provided, however, that if such other party fails to cure the breach within thirty (30) days of receipt of such notice, the non-breaching party may terminate this Agreement and the Services Agreement.
5.3 Obligations upon Termination. Upon expiration or termination of this BAA, Business Associate shall return or destroy all PHI in Business Associate’s possession. Notwithstanding the foregoing, if return or destruction of any or all PHI is not feasible, Business Associate shall limit further uses and disclosures of such PHI to those purposes that make the return or destruction of the information infeasible. The obligations under this Section 5.3 shall survive the termination of this Agreement.
6.1 Relationship of Parties. The parties to this Agreement are independent contractors. None of the provisions of this Agreement are intended to create, nor shall they be interpreted or construed to create, any relationship between Covered Entity and Business Associate other than that of independent contractors. Except as otherwise expressly set forth herein, neither party, nor any of its representatives, shall be deemed to be the agent, employee, or representative of the other party.
6.2 No Third Party Beneficiaries. This Agreement is between the parties hereto. Nothing express or implied in this Agreement is intended to confer, nor shall anything herein confer, any rights, remedies, obligations, or liabilities whatsoever upon any person other than Covered Entity and Business Associate and any respective successors and assigns.
6.3 Interpretation. The parties intend that this BAA be interpreted consistently with their intent to comply with HIPAA and other applicable federal and state law. Except where this BAA conflicts with the Agreement, all other terms and conditions of the Agreement remain unchanged. Any captions or headings in this BAA are for the convenience of the parties and shall not affect the interpretation of this BAA.
6.4 Severability. In the event that any provision of this BAA is found to be invalid or unenforceable, the remainder of this BAA shall not be affected thereby, but rather the remainder of this BAA shall be enforced to the greatest extent permitted by law.
6.5 Governing Law. This Agreement shall be construed, administered, and governed by the governing law set forth in the Agreement, except to the extent preempted by applicable federal law.
6.6 Notices. All notices hereunder shall be in writing, and delivered by hand, sent by mail, or delivered in such other manner as the parties may agree upon, to the following:
To Covered Entity:
To Business Associate:
Attn: CEO and General Counsel
690 Miami Circle
Atlanta, GA 30319
6.7 Counterparts. This BAA may be executed in separate counterparts, none of which need contain the signatures of both parties, and each of which, when so executed, shall be deemed to be an original, and such counterparts shall together constitute and be one and the same instrument.
Last modified: June 3, 2022.