HIPAA Business Agreement (subcontractor)
Version 2.3. Last updated 7 May 2024
Introduction
- This OnceHub Subcontractor Agreement Amendment (“Amendment”) is by and between OnceHub Inc., an incorporated company organized under the laws of the State of Delaware and having its principal place of business at 2093 Philadelphia Pike #5585, Claymont, DE 19703, USA (“Subcontractor”), and the Client (“Client”) named in the Order Form under the applicable Agreement (as defined below).
- The parties desire through this Amendment to amend the applicable Agreement consistent with the requirements of the Health Insurance Portability and Accountability Act of 1996, as it may be amended from time to time (“HIPAA”), including the regulatory revisions implemented pursuant to the Health Information Technology for Economic and Clinical Health Act (the “HITECH ACT”).
- This Amendment becomes effective on the date that this Amendment is signed by the last of the two parties to sign it (as indicated by the date associated with that party’s signature) (“Effective Date”).
- This Amendment replaces any earlier Business Associate Agreement Amendment(s) entered into between the parties.
WHEREAS, Client and Subcontractor are parties to a subscription agreement (the “Agreement,” as further defined below) pursuant to which Subcontractor provides to Client access to and use of certain software applications, as ordered by Client from time to time under the Agreement (the “Services” as further defined below);
WHEREAS, the parties desire to ensure that their respective rights and responsibilities under the Agreement reflect applicable federal statutory and regulatory requirements relating to the access, use, and disclosure of health information, including without limitation, the Standards for Privacy of Individually Identifiable Health Information, and the Security Standards, collectively codified at 45 CFR Parts 160, 162, and 164 (respectively the “Privacy Standards” and “Security Standards”) under HIPAA;
WHEREAS, Client has agreed to perform certain activities or functions for Client customers that are covered entities (each a “Covered Entity”) under the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191 and the Health Information Technology for Economic and Clinical Health Act, Public Law 111-05, and regulations promulgated thereunder (collectively, “HIPAA”);
WHEREAS, the Parties acknowledge and agree that OnceHub Inc is a “Subcontractor” of Client as that term is defined by HIPAA. Subcontractor recognizes and agrees that it is obligated by law to meet the requirements of HIPAA that are applicable to Subcontractors. The Parties hereby agree that the terms of this Agreement are specifically incorporated by reference into the Services Agreement;
WHEREAS, the Services offered by Subcontractor may be used by Client to store certain PHI (though typically not electronic medical records or Designated Record Sets); and
WHEREAS, Subcontractor and Client agree to the terms set forth below, in order to facilitate Client’s access and transmission of information to and from the Subcontractor application(s) provided as part of the Services, as authorized by, and under certain other conditions described in the Agreement.
NOW, THEREFORE, for good and valuable consideration, the receipt and sufficiency of which is hereby acknowledged, the parties hereby amend their Agreement by agreement to the following:
- Definitions
- General. Capitalized terms used in this Amendment and not otherwise defined herein shall have the same meanings as defined in the Privacy Standards or Security Standards and corresponding official materials published, issued, or promulgated by the Secretary of the Department of Health and Human Services (“the Secretary”). “Protected Health Information” (or “PHI”) shall have the same meaning as the term “protected health information” in 45 CFR § 160.103, limited to the information actually received by Subcontractor from or on behalf of Client in connection with the Agreement.
- Specific Definitions, as used herein:
- “Agreement” means the Master Services Agreement (“MSA”), the applicable Order Form, the OnceHub Acceptable Use Policy, all Data Protection Addendums, and any other documents expressly incorporated by reference, that govern Client’s use of OnceHub’s Services.
- “Services” means the SaaS products and other activities to be supplied to or carried out by OnceHub for Client pursuant to the MSA, such as a purchased subscription, a Free Trial or the use of Beta Services. For clarification, such Services do not include:
- Any general obligation to supervise, oversee, or consult with Client for the purposes of advising Client on, or ensuring Client’s compliance with, HIPAA, the HITECH Act, and HIPAA Regulations;
- OnceHub’s AI Features;
- Submission of support tickets containing PHI to the Subcontractor online support portal, hosted by atlassian.com (a third party); or
- Any sending of SMS messages containing PHI.
- Obligations and activities of Subcontractor
- Use and Disclosure
- To the extent (if any) that Subcontractor creates, transmits, maintains, or receives any PHI on behalf of Client, including any Electronic PHI, Subcontractor agrees to:
- Maintain the privacy and security of such PHI and not to use or disclose PHI other than as permitted or required to satisfy its obligations under the Agreement, or as permitted herein, or as Required by Law;
- Use appropriate safeguards, consistent with the requirements of Subpart C of 45 CFR Part 164 (with respect to Electronic PHI), to prevent the use or disclosure of the PHI other than as permitted under this Amendment;
- Implement or maintain administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of Electronic PHI; and
- Report to Client any use or disclosure of PHI not permitted by this Amendment of which Subcontractor becomes aware (including Breaches of Unsecured PHI as required by 45 CFR § 164.410) and any Security Incident that Subcontractor becomes aware of in accordance with the incident reporting provisions of the Agreement; provided, however, that the parties acknowledge and agree that this Section 2(a)(iv) constitutes notice by Subcontractor to Client of the ongoing existence of, occurrence of, and attempts by third parties that constitute Unsuccessful Security Incidents for which no additional notice to Client shall be required. “Unsuccessful Security Incidents” means, without limitation, pings and other broadcast attacks on Subcontractor’s firewall(s), port scans, unsuccessful log-on attempts, denial of service attacks, and any combination of the above, so long as no such incident results in unauthorized access, use, or disclosure of PHI.
- Agents
- Subcontractor shall obtain and maintain an agreement with each agent or subcontractor that has or will have access to PHI. That agreement will require each such agent or subcontractor to be bound by restrictions, terms, and conditions that are at least as stringent as those that apply to Subcontractor with respect to such PHI. Furthermore, each agent or subcontractor will agree to report to Subcontractor any instances of violation of the agreement with respect to PHI of which it becomes aware.
- Access to Designated Record Sets
- To the extent (if any) that Subcontractor possesses and maintains a Designated Record Set for Client or Client’s Covered Entity, Subcontractor agrees to:
- provide access, at the request of Client, and in the time and manner mutually agreed between Subcontractor and Client, to PHI in a Designated Record Set, to Client or, as directed by Client, to an Individual in order to satisfy Client’s or Client’s Covered Entities’ obligations under 45 CFR § 164.524; and
- make any amendment(s) to PHI in a Designated Record Set as directed or agreed to by the Client pursuant to 45 CFR § 164.526, and in the time and manner mutually agreed between Subcontractor and Client (provided that the amendment of an Individual’s PHI and all decisions related thereto shall be the sole responsibility of Client).
- Accounting
- Subcontractor agrees to make available to Client information regarding disclosures made by Subcontractor for which an accounting is required under 45 CFR § 164.528 so Client or Client’s Covered Entities can meet their requirements to provide an accounting to an individual in accordance with 45 CFR § 164.528.
- Access to Books and Records
- Subcontractor agrees to make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary for purposes of determining compliance with the HIPAA Rules.
- Permitted uses and disclosures by Subcontractor
- Agreement
- Except as otherwise limited by this Amendment, Subcontractor may use or disclose PHI as necessary to perform the Services for Client as specified in the Agreement, provided that such use or disclosure would not violate the Privacy Rule if done by Client or Client’s Covered Entities and complies with the principle of “minimum necessary use and disclosure” consistent with 45 CFR § 164.514(d).
- Disclosure for Administration of Subcontractor
- Except as otherwise limited by this Amendment, Subcontractor may disclose PHI for the proper management and administration of the Subcontractor, provided that
- Disclosures are Required by Law, or
- Subcontractor obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as Required by Law or for the purpose for which it was disclosed to the person, and the person notifies the Subcontractor of any instances of which it is aware in which the confidentiality of the information has been breached.
- Reporting Violations
- Subcontractor may use PHI to report violations of law to appropriate Federal and State authorities, consistent with 45 CFR § 164.502(j)(1).
- Obligations of Client
- Limitations in Notice of Privacy Practices
- Client shall notify Subcontractor of any limitation(s) in the notice of privacy practices of Client’s Covered Entities under 45 CFR § 164.520, to the extent that such limitation may affect Subcontractor’s use or disclosure of PHI. Provided, however, that Client or Client’s Covered Entities shall not agree to any restriction requests or place any restrictions in any notice of privacy practices that would cause Subcontractor to violate this Amendment or any applicable law.
- Restrictions to the Use or Disclosure of PHI
- Client shall notify Subcontractor of any restriction to the use or disclosure of PHI that Client’s Covered Entities have agreed to in accordance with 45 CFR § 164.522, to the extent that such restriction may affect Subcontractor’s use or disclosure of PHI.
- Permissible Use Requests
- Except for the permitted uses set forth in Section 3, Client will not request Subcontractor to use or disclose PHI in any manner that would not be permissible under Subpart E of 45 CFR Part 164 if done by Client’s Covered Entities.
- Access Requests from Data Subjects
- Subcontractor will, if legally permitted, notify Client of any request received from a data subject for access to, or correction, erasure, blocking or amendment of, the data subject’s PHI. Subcontractor will ask the data subject to submit its request to Client. Client is responsible for responding to the request.
- HIPAA Security Configuration
- Client agrees to enable all security features of the Service that are necessary in order for the Client to comply with its obligations under HIPAA, which may include, inter alia, configuring a custom password policy in the Service, and enabling the short sessions feature. Furthermore, the Client agrees to keep all of its non-hosted applications in the Services up to date.
- Excluded Information Systems
- The Client agrees to not submit any PHI to any information system or software application excluded from the scope of the Services provided herein, including but not limited to those listed in Section 2.2(b), above.
- Term and termination
- Term and Termination
- The term of this Amendment shall begin on the Effective Date, and shall terminate on the date that the Agreement expires or is otherwise terminated for any reason, or the date Client terminates this Amendment for cause as authorized in this Section, whichever is earliest.
- Termination in Kind
- Notwithstanding any contrary language in the Agreement, termination of this Amendment shall also constitute termination of the Agreement itself. If this Amendment is terminated for cause pursuant to Section 5(c), below, the Agreement shall also be deemed terminated for cause, which termination shall be governed by the appropriate termination for cause provisions contained in the Agreement.
- Termination for Cause
- Upon Client’s knowledge of a material breach of this Amendment by Subcontractor, Client shall notify Subcontractor of the breach in writing, and shall provide an opportunity for Subcontractor to cure the breach or end the violation within thirty (30) business days of such notification; provided that if Subcontractor fails to cure the breach or end the violation within such time period to the satisfaction of Client, Client shall have the right to immediately terminate this Amendment and the Agreement upon written notice to Subcontractor. In the event that termination of this Amendment is not feasible as mutually agreed to by Subcontractor and Client, Subcontractor hereby acknowledges that Client shall have the right to report the breach to the Secretary.
- Effect of Termination
- Following the termination or expiration of this Amendment for any reason, Subcontractor shall comply with the request(s) of the Client that Subcontractor return or destroy all PHI received from Client, or received by Subcontractor on behalf of Client. This provision shall also apply to PHI that is in the possession of subcontractors or agents of Subcontractor. Subcontractor shall retain no copies of the PHI. Notwithstanding the foregoing, in the event that Subcontractor determines that returning or destroying the PHI is infeasible, Subcontractor shall provide to Client notification of the conditions that make return or destruction infeasible. Further, in consideration of the fact that Subcontractor maintains a procedure for replicating or backing up Client data to help ensure the integrity and availability of PHI, the parties agree that Subcontractor is not obligated to destroy PHI until the one hundred and eighty-first (181st) day from the date of the termination of the Agreement. Where return or destruction of PHI is infeasible, Subcontractor shall extend the protections of this Amendment to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Subcontractor maintains such PHI. If any provision of this paragraph (d) conflicts with any provision of Section 7 on Ownership and Use of Client Data of the Subcontractor Master Service Agreement, the Subcontractor Master Service Agreement shall control and govern the rights and obligations of the parties.
- Survival
- The obligations of Subcontractor under this Section shall survive the termination of this Amendment.
- Miscellaneous
- Regulatory References
- A reference in this Amendment to a section in the HIPAA Rules means the section as in effect or as amended or modified from time to time.
- Amendment
- No alteration, amendment, or modification of the terms of this Amendment shall be valid or effective unless in writing and signed by Subcontractor and Client. The parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for compliance with the requirements of the HIPAA Rules and any other applicable law.
- Interpretation
- The terms of this Amendment are hereby incorporated into the Agreement. In the event of a conflict between the terms of this Amendment and the terms of the Agreement, the terms of this Amendment will prevail. Any ambiguity in this Amendment shall be interpreted to permit compliance with the HIPAA Rules.
- Severability
- In the event that any provision of this Amendment is found to be invalid or unenforceable, the remainder of this Amendment shall not be affected thereby, but rather the remainder of this Amendment shall be enforced to the greatest extent permitted by law.
- No Agency Relationship
- It is not intended that an agency relationship (as defined under the Federal common law of agency) be established hereby expressly or by implication between Client or Client’s Covered Entities and Subcontractor under HIPAA or the Privacy Rule, Security Rule, or Breach Notification Rule. No terms or conditions contained in this Amendment shall be construed to make or render Subcontractor an agent of Client or Client’s Covered Entities.
- No Third Party Beneficiaries
- Nothing express or implied in this Amendment is intended to confer, nor shall anything in this Amendment confer, upon any person other than the parties, and the respective successors or assigns of the parties, any rights, remedies, obligations, or liabilities whatsoever.