Definitions
Terms used in this Business Associate Agreement (this “BAA”) that are defined in the HIPAA Rules shall have the meaning assigned to them in the HIPAA Rules except as set forth below. This BAA is not a standalone agreement, but is rather incorporated into the terms and conditions of any agreement that references and incorporates this BAA into its contents (the “Agreement”). Terms used but not defined herein or in the HIPAA Rules have the meanings assigned to them in the Agreement.
Specific definitions:
(a) Business Associate. “Business Associate” shall generally have the same meaning as the term “business associate” at 45 CFR 160.103, and in reference to this BAA, shall mean Ping Identity.
(b) Covered Entity. “Covered Entity” shall generally have the same meaning as the term “covered entity” at 45 CFR 160.103, and in reference to this BAA, shall mean Customer.
(c) Electronic Protected Health Information. “Electronic Protected Health Information” shall have the same meaning as the term “electronic protected health information” at 45 CFR 160.103 but is limited to that electronic protected health information received, created, transmitted or maintained by Business Associate for or on behalf of Covered Entity in the course of providing services to Covered Entity.
(d) HIPAA Rules. “HIPAA Rules” shall mean the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Part 160 and Part 164.
(e) Protected Health Information/PHI. “Protected Health Information” or “PHI” shall have the same meaning as the term “protected health information” at 45 CFR 160.103 but is limited to that protected health information received, created, transmitted or maintained by Business Associate for or on behalf of Covered Entity in the course of providing services to Covered Entity.
Obligations and Activities of Business Associate
Business Associate agrees to:
(a) Not use or disclose Protected Health Information other than as permitted or required by the Agreement or as required by law;
(b) Use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to Electronic Protected Health Information, to prevent use or disclosure of Protected Health Information other than as provided for by the Agreement;
(c) Report to Covered Entity any use or disclosure of Protected Health Information not provided for by the Agreement of which it becomes aware, including breaches of unsecured Protected Health Information as required at 45 CFR 164.410, and any security incident of which it becomes aware; provided, however, that Covered Entity and Business Associate acknowledge the ongoing existence and occurrence of attempted but Unsuccessful Security Incidents (as defined below) for which no additional notice to Covered Entity shall be required. “Unsuccessful Security Incidents” shall include, but not be limited to, pings and other broadcast attacks on Business Associate's firewall, port scans, unsuccessful log-on attempts, denials of service, and any combination of the above, so long as no such incident results in unauthorized access, use, or disclosure of Electronic Protected Health Information;
(d) In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, ensure that any subcontractors that create, receive, maintain, or transmit Protected Health Information on behalf of Business Associate agree to the substantially similar restrictions, conditions, and requirements that apply to Business Associate with respect to such information;
(e) To the extent Business Associate maintains PHI in a designated record set, make available Protected Health Information in the designated record set to Covered Entity as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.524;
(f) To the extent Business Associate maintains PHI in a designated record set, make any amendment(s) to Protected Health Information in the designated record set as directed or agreed to by Covered Entity pursuant to 45 CFR 164.526;
(g) Maintain and make available the information required to provide an accounting of disclosures to Covered Entity as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.528;
(h) To the extent Business Associate is to carry out one or more of Covered Entity's obligation(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to Covered Entity in the performance of such obligation(s); and
(i) Make its internal practices, books, and records available to the Secretary for purposes of determining compliance with the HIPAA Rules.
Permitted Uses and Disclosures by Business Associate
(a) Business Associate may use or disclose Protected Health Information as necessary to perform the services it provides to Covered Entity and Users and as otherwise set forth in the Agreement.
(b) Business Associate may use or disclose Protected Health Information as required by law.
(c) Business Associate may not use or disclose Protected Health Information in a manner that would violate Subpart E of 45 CFR Part 164 if done by Covered Entity except for the specific uses and disclosures set forth below.
(d) Business Associate may use Protected Health Information for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate.
(e) Business Associate may disclose Protected Health Information for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate, provided the disclosures are required by law, or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that the information will remain confidential and used or further disclosed only as required by law or for the purposes for which it was disclosed to the person, and the person notifies Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.
(f) If necessary for the performance of services to Covered Entity, Business Associate may use PHI for de-identification under 45 CFR 164.514 or to provide data aggregation and analysis services to Covered Entity as permitted by 45 CFR 164.504.
Permissible Requests by Covered Entity
Covered Entity shall not request Business Associate to use or disclose Protected Health Information in any manner that would not be permissible under Subpart E of 45 CFR Part 164 if done by Covered Entity.
Termination
(a) Termination by Covered Entity. Covered Entity may terminate this Agreement with written notice to Business Associate if it determines that Business Associate has violated a material term of this Agreement. Alternatively, at its election, Covered Entity may provide Business Associate with written notice and afford Business Associate an opportunity to cure the alleged violation within the time specified by Covered Entity.
(b) Obligations of Business Associate Upon Termination.
Upon termination of this Agreement for any reason, Business Associate, with respect to Protected Health Information shall:
1. Return or, if instructed by Covered Entity, destroy all PHI if it is feasible to do so, in a manner consistent with HIPAA, except for PHI that is held by a User as contemplated by the Agreement.
2. If Business Associate determines that it is not feasible to return or destroy PHI, other than with respect to PHI retained by Users, Business Associate will notify Covered Entity in writing, including (1) a statement that Business Associate determined that it is not feasible to return or destroy the PHI in its possession, and (2) the specific reasons for such determination. Thereafter, Business Associate may retain the PHI and shall extend any and all protections, limitations and restrictions contained in the BAA to such PHI and shall limit further uses and/or disclosures of such PHI to the purposes that make its return or destruction not feasible for so long as Business Associate retains the PHI.
3. Recover any PHI in the possession of its subcontractors. If it is not feasible for Business Associate to obtain from any subcontractor any PHI in possession of the subcontractor, Business Associate must provide a written explanation to Covered Entity and require the subcontractors to agree in writing to extend any and all protections, limitations and restrictions contained in this Agreement, and to limit any further uses and/or disclosures to purposes that make the return or destruction of the PHI infeasible for so long as the subcontractor retains the PHI.
(c) Survival. The obligations of Business Associate under this Section shall survive the termination of this Agreement.