This BUSINESS ASSOCIATE AGREEMENT (“BAA” or this “Agreement”) is entered into by and between the user on behalf of user’s business entity (“Covered Entity” or “Client”) as designated on the Tabulera 90 Day Free Trial Period web form (“Order Form”) and Tabulera, Inc., (“Business Associate” or “Tabulera”), effective as of the date the user clicks on the “Accept” check box on the Order Form.
RECITALS
A. Covered Entity has engaged Business Associate to evaluate the Tabulera Portal software platform and for the software platform to perform, or assist in the performance of, a function or activity that may or will involve the use or disclosure of protected health information and/or any other function or activity subject to the business associate agreement requirements of the Health Insurance Portability and Accountability Act of 1996, as amended by the Health Information Technology for Economic and Clinical Health Act, as incorporated in the American Recovery and Reinvestment Act of 2009 (“HITECH”), and all applicable implementing regulations, including without limitation, the Standards for Privacy of Individually Identifiable Health Information (the “Privacy Rule”), Notification in the Case of Breach of Unsecured Protected Health Information (“Breach Notification Rule”), and the Security Standards for the Protection of Electronic Protected Health Information (the “Security Rule”), set forth in Title 45, Parts 160 and 164 of the Code of Federal Regulations, dealing with the security, confidentiality, integrity and availability of protected health or health-related information as well as related data breach notifications (such laws and regulations collectively referred to herein as “HIPAA”).
B. The Tabulera Portal software platform is provided pursuant to the Tabulera Privacy Policy and Tabulera Terms and Conditions as posted on the website at www.tabulera.com (together with any successor agreements).
C. The parties are entering into this BAA to satisfy the requirements of Sections 164.502(e) and 164.504(e) of the Privacy Rule and 164.308(b) and 164.314(a) of the Security Rule and to otherwise facilitate implementation of HIPAA by both parties, all on the terms and conditions hereinafter set forth.
D. Unless otherwise defined in this BAA, all capitalized terms used herein shall have the meanings ascribed in the HIPAA Regulations, provided, however, that “PHI” and “ePHI” shall mean “Protected Health Information” and “Electronic Protected Health Information” respectively, each as defined in 45 C.F.R. § 160.103, limited to the information Business Associate received from or created or received on behalf of Covered Entity. “Administrative Safeguards” shall have the same meaning as the term “administrative safeguards” in 45 C.F.R. § 164.304, with the exception that it shall apply to the management of the conduct of Business Associate’s workforce, not Covered Entity’s workforce, in relation to the protection of that information.
E. Capitalized words used in this Agreement but not otherwise defined herein shall have the meanings in Schedule A or Schedule C.
AGREEMENT
1. Permitted Uses and Disclosures by Business Associate
1.1 General. Except as otherwise specified in this BAA, Business Associate may use or disclose PHI to evaluate or perform its proposed obligations or its obligations for, or on behalf of, Covered Entity as set forth in the Subscription Agreement, provided that Business Associate uses and discloses PHI in the following manner:
1.1.1. consistent with the minimum necessary policies and procedures of Covered Entity; and
1.1.2. would not violate 45 C.F.R. Subpart E if done by Covered Entity, except as specified in Sections 1.2.2 and 1.2.3.
1.2 Other Permitted Uses. Except as otherwise limited by this BAA, Business Associate may use PHI it receives or creates in its capacity as a business associate of Covered Entity, if necessary:
1.2.1 for the evaluation, proper management and administration of Business Associate;
1.2.2 to carry out the legal responsibilities of Business Associate; or
1.2.3 to provide Data Aggregation to Covered Entity which relates to the health care operations of Covered Entity in accordance with the HIPAA Privacy Regulations.
1.3 Other Permitted Disclosures. Except as otherwise limited by this BAA, Business Associate may disclose to a third party PHI it receives or creates in its capacity as a business associate of Covered Entity for the evaluation, proper management and administration of Business Associate, provided that:
1.3.1 the disclosure is required by law; or
1.3.2 Business Associate obtains reasonable assurances from the third party to whom the information is disclosed that (i) the PHI will remain confidential and used or further disclosed only as required by law or for the purpose for which it was disclosed to the third party, and (ii) the third party notifies Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.
1.4 De-Identified Information. Health information that has been de-identified in accordance with the requirements of 45 C.F.R. §§ 164.514 and 164.502(d) and is therefore not Individually Identifiable Health Information (“De-Identified Information”) is not subject to the provisions of this BAA. Covered Entity may disclose PHI to Business Associate to use for the purpose of creating De-Identified Information, whether or not the De-Identified Information is to be used by Covered Entity.
2. Obligations and Activities of Business Associate Regarding PHI.
2.1 Limitations on Uses and Disclosures. Business Associate shall not use or further disclose PHI other than as permitted or required by this BAA or as required by law.
2.2 Safeguards. Business Associate will use appropriate safeguards and comply with Subpart C of 45 CFR Part 164 with respect to ePHI to prevent use or disclosure of the PHI other than as provided for by this BAA.
2.3 Mitigation. Business Associate will mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate or a subcontractor or agent of Business Associate in violation of the requirements of this BAA.
2.4 Reporting. Business Associate will report to Covered Entity any use or disclosure of the PHI not provided for by this BAA of which it becomes aware.
2.5 Agents and Subcontractors. Business Associate will ensure that any agent, including any subcontractor, to whom Business Associate provides PHI that was created for or received from or on behalf of Covered Entity, has executed an agreement containing the same restrictions and conditions that apply through this BAA to Business Associate with respect to such information. Business Associate will ensure only those who reasonably need to know such information receive such information and, in such case, only the minimum amount of such PHI is disclosed as is necessary for such performance.
2.6 Access. Where PHI held by Business Associate is contained in a Designated Record Set, within fifteen (15) days of receiving a written request from Covered Entity, Business Associate will make such PHI available to Covered Entity or, as directed by Covered Entity, to an Individual, that is necessary for Covered Entity to respond to Individuals’ requests for access to PHI in accordance with 45 C.F.R. § 164.524. Business Associate will provide such PHI in an electronic format upon request by Covered Entity unless it is not readily producible in such format, in which case Business Associate will provide Covered Entity a readable electronic format as agreed to by Covered Entity and Individual.
2.7 Compliance with Requirements. To the extent Business Associate is to carry out Covered Entity’s obligation under HIPAA, Business Associate will comply with the requirements applicable to such obligation.
2.8 Amendment of PHI. Where PHI held by Business Associate is contained in a Designated Record Set, within fifteen (15) days of receiving a written request from Covered Entity or an Individual, Business Associate will make any requested amendment(s) or correction(s) to PHI in accordance with 45 C.F.R. § 164.526.
2.9 Disclosure Documentation. Business Associate will document its disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528.
2.10 Accounting of Disclosures. Within thirty (30) days of receiving a request from Covered Entity, Business Associate will provide to Covered Entity information collected in accordance with this BAA, as necessary to permit Covered Entity to make an accounting of disclosures of PHI about an Individual in accordance with 45 C.F.R. § 164.528.
2.11 Access to Business Associate’s Internal Practices. Except to the extent that it violates or interferes with attorney-client privilege, the duty of client confidentiality, or the applicable rules of professional responsibility, Business Associate will make its internal practices, books, and records, including policies and procedures and PHI, relating to the use and disclosure of (a) PHI, including ePHI, created, used, disclosed, received, maintained, or transmitted by Business Associate on behalf of Covered Entity, available to the Secretary, in a time and manner designated by the Secretary, for purposes of the Secretary determining Business Associate or Covered Entity’s compliance with the HIPAA Privacy Regulations and HIPAA Security Regulations.
2.12 Breach Notification. Business Associate, following the discovery of a Breach of Unsecured Protected Health Information, shall notify Covered Entity of such Breach. Except as otherwise required by law, Business Associate shall provide such notice without unreasonable delay, and in no case later than sixty (60) calendar days after discovery of the Breach.
2.12.1 Notice to Covered Entity required by this Section 2.12 shall include: (i) to the extent possible, the names of the individual(s) whose Unsecured Protected Health Information has been, or is reasonably believed by Business Associate to have been, accessed, acquired, used or disclosed during the Breach; (ii) a brief description of what happened, including the date of the Breach and the date of the discovery of the Breach, if known; (iii) a description of the types of Unsecured Protected Health Information that were involved in the Breach; (iv) a brief description of what Business Associate is doing or will be doing to investigate the Breach, to mitigate harm to the individual(s) and to protect against further Breaches; and (v) any other information required to be provided in accordance with 45 C.F.R. § 164.404(c).
2.13 Remuneration in Exchange for PHI. Business Associate shall not directly or indirectly receive remuneration in exchange for any PHI unless Covered Entity notifies Business Associate that it obtained a valid authorization from the Individual specifying that the Individual's PHI may be exchanged for remuneration by the entity receiving such Individual’s PHI.
2.14 Marketing. Business Associate must obtain or confirm that Covered Entity has obtained an authorization for any use or disclosure of PHI for marketing, as defined in 45 C.F.R. § 164.501.
3. Obligations of Covered Entity.
3.1 Limited Disclosure Obligations. Covered Entity will limit the PHI provided to Business Associate to only that necessary to the representation of Covered Entity. Prior to the transmission of PHI to Business Associate, Covered Entity shall notify Business Associate of the need to transmit PHI and will arrange with Business Associate for the proper and secure transmission of such PHI.
3.2 Requested Restrictions. Covered Entity shall notify Business Associate, in writing, of any restriction on the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 C.F.R. § 164.522, which permits an Individual to request certain restrictions of uses and disclosures, to the extent that such restriction may affect Business Associate's use or disclosure of PHI.
3.3 Changes in or Revocation of Permission. Covered Entity shall notify Business Associate in writing of any changes in, or revocation of, permission by an Individual to use or disclose PHI, to the extent that such changes or revocation may affect Business Associate's use or disclosure of PHI.
3.4 Permissible Requests by Covered Entity. Covered Entity shall not request Business Associate use or disclose PHI in any manner that would not be permissible under the HIPAA Privacy Regulations and HIPAA Security Regulations if done by Covered Entity, except to the extent that Business Associate will use or disclose PHI for Data Aggregation or management and administrative activities and legal responsibilities of Business Associate.
3.5 Notice of Privacy Practices. Covered Entity shall notify Business Associate of any limitation(s) in the notice of privacy practices of Covered Entity under 45 CFR 164.520, to the extent that such limitation may affect Business Associate’s use or disclosure of protected health information.
4. Security Restrictions on Business Associate.
4.1 General. Business Associate shall implement administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of the ePHI that Business Associate creates, receives, maintains, or transmits on behalf of Covered Entity as required by the HIPAA Security Regulations.
4.2 Agents; Subcontractors. Business Associate will ensure that any agent, including a subcontractor, to whom Business Associate provides ePHI, agrees to implement administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of such ePHI.
4.3 Reporting of Security Incidents. Business Associate shall report to Covered Entity any Security Incident affecting ePHI created, received, maintained, or transmitted by Business Associate on behalf of Covered Entity, of which Business Associate becomes aware. This Section constitutes notice to Covered Entity of routine and ongoing attempts to gain unauthorized access to Business Associate's information systems (each an "Unsuccessful Attack"), including without limitation, pings, port scans, and denial of service attacks, for which no additional notice shall be required provided that no such incident results in unauthorized access to ePHI.
4.4 HIPAA Security Regulations Compliance. Business Associate agrees to comply with Sections 164.306, 164.308, 164.310, 164.312, and 164.316 of Title 45, Code of Federal Regulations with respect to all ePHI.
5. Term and Termination.
5.1 Term. This BAA shall take effect on the acceptance of this agreement by the user, and shall terminate when all of the PHI disclosed to Business Associate by Covered Entity, or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity, or, if it is infeasible to return or destroy PHI, protections are extended to such information, in accordance with the termination provisions in this Section 5.
5.2 Termination for Cause. If Covered Entity determines that Business Associate has breached a material term of this BAA, Covered Entity will provide written notice to Business Associate which sets forth Covered Entity's determination that Business Associate breached a material term of this BAA, and Covered Entity may:
5.2.1 Provide written notice to Business Associate which provides an opportunity for Business Associate to cure the breach or end the violation, as applicable. If Business Associate does not cure the breach or end the violation within the time specified by Covered Entity, then Covered Entity may immediately thereafter terminate this BAA; or
5.2.2 Immediately terminate this BAA if Business Associate has breached a material term of this BAA and cure is not possible; and
5.2.3 If neither termination nor cure is feasible as provided in Sections 5.2.1 and 5.2.2 of this BAA, Covered Entity may report the violation to the Secretary.
5.3 Effect of Termination. Upon termination of this BAA for any reason, Business Associate, with respect to protected health information received from Covered Entity, or created, maintained, or received by Business Associate on behalf of Covered Entity, shall:
5.3.1 Retain only that protected health information which is necessary for Business Associate to continue its proper management and administration or to carry out its legal responsibilities;
5.3.2 Return to Covered Entity or destroy the remaining protected health information that Business Associate still maintains in any form;
5.3.3 Continue to use appropriate safeguards and comply with Subpart C of 45 CFR Part 164 with respect to electronic protected health information to prevent use or disclosure of the protected health information, other than as provided for in this Section, for as long as Business Associate retains the protected health information;
5.3.4 Not use or disclose the protected health information retained by Business Associate other than for the purposes for which such protected health information was retained and subject to the same conditions set out at Sections 1.2 and 1.3, above, which applied prior to termination; and
5.3.5 Return to Covered Entity or destroy the protected health information retained by Business Associate when it is no longer needed by Business Associate for its proper management and administration or to carry out its legal responsibilities.
6. Penalties
6.1 Business Associate shall be responsible for the full cost of all civil and criminal penalties assessed upon Business Associate as a result of the failure of Business Associate, its officers, directors, employees, contractors or agents to comply with this BAA. This obligation shall survive the expiration or termination of this BAA.
6.2 Covered Entity shall be responsible for the full cost of all civil and criminal penalties assessed upon Covered Entity as a result of the failure of Covered Entity, its officers, directors, employees, contractors or agents to comply with this BAA. This obligation shall survive the expiration or termination of this BAA.
7. Miscellaneous
7.1 Regulatory References. A reference in this BAA to a section in HIPAA means the section as in effect or as amended.
7.2 Changes in Law. If any new state or federal law, rule, regulation, or policy, or any judicial or administrative decision affecting the use or disclosure of PHI is enacted or issued, including without limitation, any law or regulation affecting compliance with the requirements of HIPAA, the parties agree to take such action in a timely manner and as is necessary for Covered Entity and Business Associate to comply with such law, rule, regulation, policy or decision. If the parties are not able to agree on the terms of such an amendment, either party may terminate this BAA on at least thirty (30) days’ prior written notice to the other party.
7.3 Survival. The respective rights and obligations of Business Associate under Section 5.3 – “Effect of Termination” shall survive the termination of this BAA.
7.4 Interpretation. Any ambiguity in this BAA shall be resolved to permit Covered Entity to comply with HIPAA. The section and paragraph headings of this BAA are for the convenience of the reader only, and are not intended to act as a limitation of the scope or meaning of the sections and paragraphs themselves.
7.5 No Third-Party Beneficiaries. Nothing express or implied in this BAA is intended to confer, nor shall anything herein confer, upon any person other than Business Associate and Covered Entity and their respective successors or assigns, any rights, remedies, obligations or liabilities whatsoever.
7.6 Assignment. Neither Party may assign this BAA without the prior written consent of the other Party and an express written assumption by the assignee hereof of all obligations of the assignor under this BAA, except in connection with a merger, acquisition, reorganization, reincorporation, or sale of all or substantially all of such Party’s assets. Any assignment to a third party that is deemed to be a competitor of the other Party shall be subject to prior written approval. Any attempted assignment in derogation of this subsection shall be null and void.
7.7 Entire Agreement; Amendment. This BAA constitutes the entire agreement between the parties as to its subject matter hereof and supersedes all prior communications, representations, and agreements, oral or written, of the parties with respect to its subject matter. No modification or amendment of any provision of this BAA shall be effective unless in writing and signed by authorized representatives of each party.
7.8 Applicability. Tabulera and Client acknowledge that this BAA is applicable only to the extent Tabulera and Client constitute a Business Associate and Covered Entity, respectively, as those terms are defined under HIPAA, and that, to the extent Tabulera and Client do not constitute a Business Associate and Covered Entity, respectively, as those terms are defined under HIPAA, this BAA shall not apply.
7.9 Subscription Agreement. This BAA is entered into and is governed by the Tabulera Privacy Policy and the Tabulera Terms and Conditions policy posted on our public website www.tabulera.com, the terms and conditions of which are incorporated herein by reference and remain in effect. To the extent a term or condition in these agreements is contrary to a term or condition in this BAA and the term or condition in this BAA is required to ensure compliance with HIPAA, the term or condition in this BAA shall control.
7.10 Severability and Waiver. The invalidity of any term or provision of this BAA shall not affect the validity of any other provision. Waiver by any party of strict performance of any provision of this BAA shall not constitute a waiver of or prejudice any party's right to require strict performance of the same provision in the future or of any other provision of this BAA.
7.11 Notices. Any notices permitted or required by this BAA will be addressed to the parties as reflected on the 90 Day Free Trial Order Form pursuant to the terms of the section entitled “Notices”.
7.12 Governing Law. This BAA shall be governed by the laws of the State of California, without giving effect to any conflicts of laws principles.