HIPAA Business Agreement (covered entity)
Version 2.3. Last updated 7 May 2024
-
Introduction
- This Business Associate Agreement Amendment (“Amendment”) is by and between OnceHub Inc., an incorporated company organized under the laws of the State of Delaware and having its principal place of business at 2093 Philadelphia Pike #5585, Claymont, DE 19703, USA “OnceHub” or “Business Associate”), and the Client (“Client” or “Covered Entity”) named in the Order Form under the applicable Agreement (as defined below).
- The parties desire through this Amendment to amend the applicable Agreement consistent with the requirements of the Health Insurance Portability and Accountability Act of 1996, as it may be amended from time to time (“HIPAA”), including the regulatory revisions implemented pursuant to the Health Information Technology for Economic and Clinical Health Act (the “HITECH ACT”).
- This Amendment becomes effective on the date that this Amendment is signed by the last of the two parties to sign it (as indicated by the date associated with that party’s signature) (“Effective Date”).
- This Amendment replaces any earlier Business Associate Agreement Amendment(s) entered into between the parties.
WHEREAS, Client and Business Associate are parties to a subscription agreement (the “Agreement” as further defined below) pursuant to which Business Associate provides to Client access to and use of certain software applications, as ordered by Client from time to time under the Agreement (the “Services” as further defined below);
WHEREAS, the parties desire to ensure that their respective rights and responsibilities under the Agreement reflect applicable federal statutory and regulatory requirements relating to the access, use, and disclosure of health information, including without limitation, the Standards for Privacy of Individually Identifiable Health Information, and the Security Standards, collectively codified at 45 CFR Parts 160, 162, and 164 (respectively the “Privacy Standards” and “Security Standards”) under HIPAA;
WHEREAS, because Client is a Covered Entity under HIPAA, the Privacy Standards and Security Standards require the Covered Entity to obtain adequate written assurances from contractors that create, receive, access, maintain, use, or disclose PHI for or on behalf of such Covered Entity; and
WHEREAS, the online Services offered by OnceHub may be used by Client to store certain PHI (though typically not electronic medical records or Designated Record Sets); and
WHEREAS, OnceHub and Client agree to the business associate terms set forth below, in order to facilitate Covered Entity's access and transmission of information to and from the OnceHub application(s) provided as part of the Services, as authorized by, and under certain other conditions described in the Agreement.
NOW, THEREFORE, for good and valuable consideration, the receipt and sufficiency of which is hereby acknowledged, the parties hereby amend their Agreement by agreement to the following:
- Definitions
- General. Capitalized terms used in this Amendment and not otherwise defined herein shall have the same meanings as defined in the Privacy Standards or Security Standards and corresponding official materials published, issued, or promulgated by the Secretary of the Department of Health and Human Services (“the Secretary”). “Protected Health Information” (or “PHI”) shall have the same meaning as the term “protected health information” in 45 CFR § 160.103, limited to the information actually received by OnceHub from or on behalf of Covered Entity in connection with the Agreement.
- Specific Definitions, as used herein:
- “Agreement” means the Master Services Agreement (“MSA”), the applicable Order Form, the OnceHub Acceptable Use Policy, all Data Protection Addendums, and any other documents expressly incorporated by reference, that govern Client’s use of OnceHub’s Services.
- “Services” means the SaaS products and other activities to be supplied to or carried out by OnceHub for Client pursuant to the MSA, such as a purchased subscription, a Free Trial or the use of Beta Services. For clarification, such Services do not include:
- Any general obligation to supervise, oversee, or consult with Client for the purposes of advising Client on, or ensuring Client’s compliance with, HIPAA, the HITECH Act, and HIPAA Regulations;
- OnceHub’s AI Features;
- Submission of support tickets containing PHI to the Subcontractor online support portal, hosted by atlassian.com (a third party); or
- Any sending of SMS messages containing PHI.
- Obligations and activities of Business Associate
- Use and Disclosure
- To the extent (if any) that OnceHub creates, transmits, maintains, or receives any PHI on behalf of Client, including any Electronic PHI, OnceHub agrees to:
- Maintain the privacy and security of such PHI and not to use or disclose PHI other than as permitted or required to satisfy its obligations under the Agreement, or as permitted herein, or as Required by Law;
- Use appropriate safeguards, consistent with the requirements of Subpart C of 45 CFR Part 164 (with respect to Electronic PHI), to prevent the use or disclosure of the PHI other than as permitted under this Amendment;
- Implement or maintain administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of Electronic PHI; and
- Promptly report to Client any use or disclosure of PHI not permitted by this Amendment of which Business Associate becomes aware (including Breaches of Unsecured PHI as required by 45 CFR § 164.410) and any Security Incident that OnceHub becomes aware of in accordance with the incident reporting provisions of the Agreement; provided, however, that the parties acknowledge and agree that this Section 2(a)(iv) constitutes notice by OnceHub to Covered Entity of the ongoing existence of, occurrence of, and attempts by third parties that constitute Unsuccessful Security Incidents for which no additional notice to Covered Entity shall be required. “Unsuccessful Security Incidents” means, without limitation, pings and other broadcast attacks on OnceHub’s firewall(s), port scans, unsuccessful log-on attempts, denial of service attacks, and any combination of the above, so long as no such incident results in unauthorized access, use, or disclosure of PHI.
- To the extent (if any) that OnceHub creates, transmits, maintains, or receives any PHI on behalf of Client, including any Electronic PHI, OnceHub agrees to:
- Agents
- OnceHub shall obtain and maintain an agreement with each agent or subcontractor that has or will have access to PHI. That agreement will require each such agent or subcontractor to be bound by restrictions, terms, and conditions that are at least as stringent as those that apply to OnceHub with respect to such PHI. Furthermore, each agent or subcontractor will agree to report to OnceHub any instances of violation of the agreement with respect to PHI of which it becomes aware.
- Access to Designated Record Sets
- To the extent (if any) that Business Associate possesses and maintains a Designated Record Set for Covered Entity, Business Associate agrees to:
- Provide access, at the request of Client, and in the time and manner mutually agreed between Business Associate and Client, to PHI in a Designated Record Set, to Client or, as directed by Client, to an Individual in order to satisfy Client’s obligations under 45 CFR § 164.524; and
- To make any amendment(s) to PHI in a Designated Record Set as directed or agreed to by the Client pursuant to 45 CFR § 164.526, and in the time and manner mutually agreed between Business Associate and Client (provided that the amendment of an Individual’s PHI and all decisions related thereto shall be the sole responsibility of Client).
- To the extent (if any) that Business Associate possesses and maintains a Designated Record Set for Covered Entity, Business Associate agrees to:
- Accounting
- Business Associate agrees to make available to Client information regarding disclosures made by Business Associate for which an accounting is required under 45 CFR § 164.528 so Client can meet its requirements to provide an accounting to an individual in accordance with 45 CFR § 164.528.
- Access to Books and Records
- Business Associate agrees to make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary for purposes of determining compliance with the HIPAA Rules.
- Use and Disclosure
- Permitted uses and disclosures by Business Associate
- Agreement
- Except as otherwise limited by this Amendment, Business Associate may use or disclose PHI as necessary to perform the Services for Client as specified in the Agreement, provided that such use or disclosure would not violate the Privacy Rule if done by Client and complies with the principle of “minimum necessary use and disclosure” consistent with 45 CFR § 164.514(d).
- Disclosure for Administration of Business Associate
- Except as otherwise limited by this Amendment, Business Associate may disclose PHI for the proper management and administration of the Business Associate, provided that:
- Disclosures are Required by Law; or
- Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as Required by Law or for the purpose for which it was disclosed to the person, and the person notifies the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.
- Except as otherwise limited by this Amendment, Business Associate may disclose PHI for the proper management and administration of the Business Associate, provided that:
- Reporting Violations
- Business Associate may use PHI to report violations of law to appropriate Federal and State authorities, consistent with 45 CFR § 164.502(j)(1).
- Agreement
- Obligations of Client
- Limitations in Notice of Privacy Practices
- Client shall notify Business Associate of any limitation(s) in the notice of privacy practices of Client under 45 CFR § 164.520, to the extent that such limitation may affect Business Associate’s use or disclosure of PHI. Granted, however, Client shall not agree to any restriction requests or place any restrictions in any notice of privacy practices that would cause OnceHub to violate this Amendment or any applicable law.
- Restrictions to the Use or Disclosure of PHI
- Client shall notify Business Associate of any restriction to the use or disclosure of PHI that Client has agreed to in accordance with 45 CFR § 164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of PHI.
- Permissible Use Requests
- Except for the permitted uses set forth in Section 3, Client will not request Business Associate to use or disclose PHI in any manner that would not be permissible under Subpart E of 45 CFR Part 164 if done by Client.
- Access Requests from Data Subjects
- Business Associate will, if legally permitted, notify Client of any request received from a data subject for access to, or correction, erasure, blocking or amendment of, the data subject’s PHI. Business Associate will ask the data subject to submit its request to Client. Client is responsible for responding to the request.
- HIPAA Security Configuration
- Client agrees to enable all security features of the Service that are necessary in order for the Client to comply with its obligations under HIPAA, which may include, inter alia, configuring a custom password policy in the Service, and enabling the short sessions feature. Furthermore, the Client agrees to keep all of its non-hosted applications in the Services up to date.
- Excluded Information Systems
- The Client agrees to not submit any PHI to any information system or software application excluded from the scope of the Services provided herein, including but not limited to those listed in Section 2.2(b), above.
- Limitations in Notice of Privacy Practices
- Term and termination
- Term and Termination
- The term of this Amendment shall begin on the Effective Date, and shall terminate on the date that the Agreement expires or is otherwise terminated for any reason, or the date Client terminates this Amendment for cause as authorized in this Section, whichever is earliest.
- Termination in Kind
- Notwithstanding any contrary language in the Agreement, termination of this Amendment shall also constitute termination of the Agreement itself. If this Amendment is terminated for cause pursuant to Section 5(c), below, the Agreement shall also be deemed terminated for cause, which termination shall be governed by the appropriate termination for cause provisions contained in the Agreement.
- Termination for Cause
- Upon Client’s knowledge of a material breach of this Amendment by OnceHub, Client shall notify OnceHub of the breach in writing, and shall provide an opportunity for OnceHub to cure the breach or end the violation within thirty (30) business days of such notification; provided that if OnceHub fails to cure the breach or end the violation within such time period to the satisfaction of Client, Client shall have the right to immediately terminate this Amendment and the Agreement upon written notice to OnceHub. In the event that termination of this Amendment is not feasible as mutually agreed to by OnceHub and Client, OnceHub hereby acknowledges that Client shall have the right to report the breach to the Secretary.
- Effect of Termination
- Following the termination or expiration of this Amendment for any reason, Business Associate shall comply with the request(s) of the Client that Business Associate return or destroy all PHI received from Client, or received by Business Associate on behalf of Client. This provision shall also apply to PHI that is in the possession of subcontractors or agents of Business Associate. Business Associate shall retain no copies of the PHI. Notwithstanding the foregoing, in the event that Business Associate determines that returning or destroying the PHI is infeasible, Business Associate shall provide to Client notification of the conditions that make return or destruction infeasible. Further, in consideration of the fact that OnceHub maintains a procedure for replicating or backing up Client data to help ensure the integrity and availability of PHI, the parties agree that OnceHub is not obligated to destroy PHI until the one hundred and eighty-first (181st) day from the date of the termination of the Agreement. Where return or destruction of PHI is infeasible, Business Associate shall extend the protections of this Amendment to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such PHI. If any provision of this paragraph (d) conflicts with any provision of Section 7 on Ownership and Use of Client Data of the OnceHub MSA, the OnceHub MSA shall control and govern the rights and obligations of the parties.
- Survival
- The obligations of Business Associate under this Section shall survive the termination of this Amendment.
- Term and Termination
- Miscellaneous
- Regulatory References
- A reference in this Amendment to a section in the HIPAA Rules means the section as in effect or as amended or modified from time to time.
- Amendment
- No alteration, amendment, or modification of the terms of this Amendment shall be valid or effective unless in writing and signed by OnceHub and Client. The parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for compliance with the requirements of the HIPAA Rules and any other applicable law.
- Interpretation
- The terms of this Amendment are hereby incorporated into the Agreement. In the event of a conflict between the terms of this Amendment and the terms of the Agreement, the terms of this Amendment will prevail. Any ambiguity in this Amendment shall be interpreted to permit compliance with the HIPAA Rules.
- Severability
- In the event that any provision of this Amendment is found to be invalid or unenforceable, the remainder of this Amendment shall not be affected thereby, but rather the remainder of this Amendment shall be enforced to the greatest extent permitted by law.
- No Agency Relationship
- It is not intended that an agency relationship (as defined under the Federal common law of agency) be established hereby expressly or by implication between Client and Business Associate under HIPAA or the Privacy Rule, Security Rule, or Breach Notification Rule. No terms or conditions contained in this Amendment shall be construed to make or render Business Associate an agent of Client.
- No Third Party Beneficiaries
- Nothing express or implied in this Amendment is intended to confer, nor shall anything in this Amendment confer, upon any person other than the parties, and the respective successors or assigns of the parties, any rights, remedies, obligations, or liabilities whatsoever.
- Regulatory References