This Business Associate Agreement (“BAA”) is entered into between Hatch West, LLC dba Balance (“Balance”) and the company, organization, or other entity agreeing to the terms below (“Client” or “you”), and supplements, amends and is incorporated into the Services Agreement(s) solely with respect to Covered Services. This BAA will be effective as of the date electronically accepted by Client (the “BAA Effective Date”). Client must have an existing Terms of Service Agreement in place for this BAA to be valid and effective. Together with the Terms of Service Agreement, this BAA will govern each party’s respective obligations regarding Protected Health Information (“PHI”). You represent and warrant that (i) you have the full legal authority to bind Client to this BAA, (ii) you have read and understand this BAA, and (iii) you agree, on behalf of Client, to the terms of this BAA. If you do not have legal authority to bind Client, or do not agree to these terms, please do not click to accept the terms of this BAA.
1. Definitions
1. “Business Associate” has the definition given to it under HIPAA and is considered to be Balance.
2. “Breach” has the definition given to it under HIPAA.
3. “Covered Entity” has the definition given to it under HIPAA and is considered to be Client.
4. “Covered Services” means the Balance products and/or services used by Client that may involve the creation, maintenance, use, transmission or disclosure of protected health information (“PHI”) within the meaning of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the Health Information Technology for Economic and Clinical Health Act (“HITECH”), and their implementing regulations, 45 CFR Parts 160 and 164 as they shall be amended (collectively the “HIPAA Rules”).
5. “Designated Record Set” has the definition given to it under HIPAA in 45 CFR § 164.501.
6. “HIPAA” means the Health Insurance Portability and Accountability Act of 1996 and the rules and the regulations thereunder, as amended.
7. “HITECH Act” means the Health Information Technology for Economic and Clinical Health Act enacted in the United States Congress, which is Title XIII of the American Recovery & Reinvestment Act, and the regulations thereunder, as amended.
8. “Protected Health Information” or “PHI” has the definition given to it under HIPAA and for purposes of this BAA is limited to PHI within Client Data to which Balance has access through the Covered Services in connection with Customer’s permitted use of Covered Services.
9. “Required by Law” has the definition given to it under HIPAA.
10. “Security Incident” has the definition given to it under HIPAA.
11. “Services Agreement(s)” means the written agreement(s) entered into between Balance and Client for provision of the Covered Services, which agreement(s) may be in the form of online terms of service.
2. Applicability
This BAA applies to the extent Client is acting as a Covered Entity to create, receive, maintain, or transmit PHI via a Covered Service and to the extent Balance, as a result, is deemed under HIPAA to be acting as a Business Associate of Client. Client acknowledges that this BAA does not apply to any PHI that Client creates, receives, maintains, or transmits outside of the Covered Services (including Customer’s use of its offline or on-premise storage tools or third-party applications). If Business Associate is not a business associate as defined in the HIPAA Rules, this BAA will be void notwithstanding any other terms to the contrary.
3. Permitted Use and Disclosure of PHI
A. Except as otherwise stated in this BAA, Balance may use and disclose PHI only (i) as permitted or required by the Services Agreements and/or this BAA or (ii) as Required by Law.
B. Balance may use and disclose PHI for its proper management and administration and to carry out its legal responsibilities, provided that any disclosure of PHI for such purposes may only occur if (i) Required by Law; or (ii) Balance obtains written reasonable assurances from the person to whom PHI will be disclosed that it will be held in confidence, used only for the purpose for which it was disclosed, and that Balance will be notified of any Breach or Security Incident.
4. Client Obligations
A. Covered Entity represents and warrants that, prior to execution of this BAA and at all times during this BAA, (i) Covered Entity has obtained or will obtain any consent or authorization required by the HIPAA Rules or other law necessary for Business Associate to perform its duties pursuant to this BAA; and (ii) Covered Entity has notified Business Associate of:
○ Any limitation(s) in Covered Entity’s notice of privacy practices, policies, or agreements, or any order or other limitation imposed on Covered Entity, to the extent that such limitation may affect Business Associate’s use or disclosure of PHI.
○ Any changes in, or revocation of, the permission by an individual to use or disclose PHI, to the extent that such limitation may affect Business Associate’s use or disclosure of PHI.
○ Any restriction on the use or disclosure of PHI to which Covered Entity has agreed or which Covered Entity is required to abide under 45 CFR 164.522, to the extent that such restriction may impact in any manner Business Associate’s use or disclosure of PHI.
B. Client will not request that Balance or the Covered Services use or disclose PHI in any manner that would not be permissible under HIPAA if done by Client.
5. Appropriate Safeguards
Balance and Client will each use appropriate safeguards designed to prevent unauthorized use or disclosure of PHI, and as otherwise required under HIPAA, with respect to the Covered Services.
6. Reporting and Related Obligations
A. Balance will promptly notify Client of (i) any Security Incident of which Balance becomes aware, subject to Section 6(c); and (ii) any Breach that Balance discovers, provided that any notice for Breach will be made promptly and without unreasonable delay, and in no case later than 60 calendar days after discovery. Notifications made under this section will describe, to the extent possible, details of a Breach, including steps taken to mitigate the potential risks and steps Balance recommends Client take to address the Breach.
B. Balance will send any applicable notifications to the notification email address provided by Client in the Agreement or via direct communication with Client.
C. Notwithstanding Section 6(a), this Section 6(c) will be deemed as notice to Client that Balance periodically receives unsuccessful attempts for unauthorized access, use, disclosure, modification, or destruction of information, or interference with the general operation of Balance’s systems and the Covered Services. Client acknowledges and agrees that even if such events constitute a Security Incident, Balance will not be required to provide any notice under this BAA regarding such unsuccessful attempts other than this Section 6(c).
7. Subcontractors
Balance will take appropriate measures to ensure that any Subcontractors used by Balance to perform its obligations under the Services Agreements that require access to PHI on behalf of Balance are bound by written obligations that provide the same material level of protection for PHI as this BAA. To the extent Balance uses Subcontractors in its performance of obligations hereunder, Balance will remain responsible for their performance as if performed by Balance.
8. Access and Amendment
Client acknowledges and agrees that Client is solely responsible for the form and content of PHI maintained by Client within the Covered Services, including whether Client maintains such PHI in a Designated Record Set within the Covered Services. Balance will provide Client with access to Customer’s PHI via the Covered Services so that Client may fulfill its obligations under HIPAA with respect to Individuals’ rights of access and amendment, but will have no other obligations to Client or any Individual with respect to the rights afforded to Individuals by HIPAA with respect to Designated Record Sets, including rights of access or amendment of PHI. Client is responsible for managing its use of the Covered Services to appropriately respond to such individual requests.
9. Accounting of Disclosures
Balance will document disclosures of PHI by Balance and provide an accounting of such disclosures to Client as and to the extent required of a Business Associate under HIPAA and in accordance with the requirements applicable to a Business Associate under HIPAA.
10. Access to Records
To the extent required by law, and subject to all applicable legal privileges, Balance will make its internal practices, books, and records concerning the use and disclosure of PHI received from Client, or created or received by Balance on behalf of Client, available to the Secretary of the U.S. Department of Health and Human Services (the “Secretary”) for the purpose of the Secretary determining compliance with this BAA.
11. Expiration and Termination
A. This BAA will terminate on the earlier of (i) a permitted termination in accordance with Section 11(b), or (ii) the expiration or termination of all Services Agreements under which Client has access to a Covered Service.
B. If either party materially breaches this BAA, the non-breaching party may terminate this BAA on 10 days’ written notice to the breaching party unless the breach is cured within the 10-day period. If a cure under this Section 11(b) is not reasonably possible, the non-breaching party may immediately terminate this BAA, or if neither termination nor cure is reasonably possible under this Section 11(b), the non-breaching party may report the violation to the Secretary, subject to all applicable legal privileges.
C. If this BAA is terminated earlier than the Services Agreements, Client may continue to use the Services in accordance with the Services Agreements, but must delete any PHI it maintains in the Covered Services and cease to further create, receive, maintain, or transmit such PHI to Balance.
12. Return/Destruction of Information
On termination of the Services Agreements, Balance will return or destroy all PHI received from Client, or created or received by Balance on behalf of Client; provided, however, that if such return or destruction is not feasible, Balance will extend the protections of this BAA to the PHI not returned or destroyed and limit further uses and disclosures to those purposes that make the return or destruction of the PHI infeasible.
13. Miscellaneous
A. Survival. Sections 12 (Return/Destruction of Information) and 13 (Miscellaneous) will survive termination or expiration of this BAA.
B. Counterparts. The parties may execute this BAA in counterparts, including facsimile, PDF, or other electronic copies, which taken together will constitute one instrument.
C. Cooperation. The parties agree to cooperate with each other’s efforts to comply with the requirements of the HIPAA Rules and other applicable laws; to assist each other in responding to and mitigating the effects of any breach of protected health information in violation of HIPAA Rules or this BAA; and to assist the other party in responding to any investigation, complaint, or action by any government agency or third party relating to the performance of this BAA.
D. Limitation on Liability. In no event will Business Associate or any of its directors, officers, agents, parents, affiliates, or subsidiaries (collectively “Business Associate”) be liable to Covered Entity or any third party for any special, consequential, incidental, or indirect loss or damages arising out of Business Associate’s acts or omissions relating to this BAA or the HIPAA Rules whether or not Covered Entity has been advised of the possibility of such loss or damages. In all cases, Business Associate’s aggregate liability under any legal theory, including contract, tort, or other bases, will not exceed the fees paid by Covered Entity to Business Associate pursuant to the Services Agreement during the six (6) month period prior to the first occurrence upon which liability is based.
E. Effects of Addendum. To the extent this BAA conflicts with the remainder of the Services Agreement(s), this BAA will govern. This BAA is subject to the “Governing Law” section in the Services Agreement(s). Except as expressly modified or amended under this BAA, the terms of the Services Agreement(s) remain in full force and effect.
F. Entire Agreement. This BAA contains the entire agreement between the parties as it relates to the use or disclosure of protected health information