Business Associate Agreement
IMPORTANT-READ CAREFULLY: Prior to acknowledging your acceptance, be sure to carefully read and understand all of the rights and restrictions described in this Business Associate Agreement (“BAA”). This BAA is a legal agreement between you (“Covered Entity”) and Imprivata, Inc. (“Business Associate”) (each a “Party” and collectively the “Parties”). By installing any Imprivata software, Covered Entity represents and agree that it has the capacity and authority to bind itself to the terms of this BAA and agrees to be bound by the terms of this BAA. If Covered Entity does not agree to the terms of this BAA, it may not install the Imprivata software. This BAA is effective as of the date Covered Entity installs any Imprivata software (“Effective Date”). Any terms and conditions in a purchase order (or in any similar document) which are in addition to, or conflict or are inconsistent with these terms are hereby rejected and superseded by the terms contained herein.
In the course of performing services (“Services”) for Covered Entity, pursuant to certain agreements (collectively referred to as the “Agreement”), Covered Entity may at its sole election grant access to or provide to Business Associate certain personal medical information subject to protection under the Federal Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191 (“HIPAA”), the Health Information Technology for Economic and Clinical Health Act, Title XIII of the American Recovery and Reinvestment Act of 2009 (“HITECH Act”), and related regulations promulgated by the Secretary (the “HIPAA Regulations”) (collectively referred to as the “Laws”). Both the Business Associate and Covered Entity are committed to complying with the requirements and regulations of the Laws. Business Associate must have an existing Agreement in place for this BAA to be valid and effective. The purpose of this BAA is to amend and supplement the Agreement solely to the extent necessary to allow for both the Business Associate’s and Covered Entity’s compliance with the Laws with respect to the Agreement.
Unless the context clearly indicates otherwise, the following terms in this BAA shall have the same meaning as those terms defined under the privacy, security, breach notification, and enforcement rules at 45 C.F.R. §§ 160 and 164: Breach, Business Associate, Covered Entity Designated Record Set, Protected Health Information (“PHI”), Electronic Protected Health Information (“ePHI”), Security Incident, Individual, and Minimum Necessary. In reference to the parties to this BAA, the Business Associate and Covered Entity shall be as indicated above. For the purposes of this BAA, “Protected Health Information” or “PHI” shall also include “Electronic Protected Health Information” or “ePHI”.
This BAA is limited to PHI, which may be accessed, used, disclosed, modified, destroyed and/or received by Business Associate, its employees, affiliates, or representatives from Covered Entity or is received by Business Associate on behalf of Covered Entity, and the Parties acknowledge that Business Associate shall not maintain any Designated Record Sets for or on behalf of Covered Entity pursuant to the Agreement.
Business Associate Responsibilities Regarding PHI
Except as otherwise specified in this BAA, Business Associate may make all uses and disclosures of PHI necessary to perform its obligations under the Agreement, and all other uses or disclosures of PHI not authorized by this BAA are prohibited. Without limiting the foregoing, Business Associate agrees to the following:
- To use or disclose PHI only as permitted or required by this BAA, or as required by law, or as otherwise authorized by the Covered Entity in writing;
- To use and maintain reasonable and appropriate safeguards consistent with the principles set out in the Laws to protect the confidentiality, integrity, and availability of PHI and to prevent the use or disclosure of PHI other than as provided for in this BAA or as provided by law;
- To report to the Covered Entity (i) unauthorized access, use, disclosure, modification, or destruction of the PHI not provided for by this BAA of which it becomes aware of and (ii) any Breach of Unsecured PHI, including the identification (if known) of each individual whose PHI has been, or is reasonably believed by Business Associate to have been accessed, used, disclosed, modified, destroyed and/or acquired during such Breach within five (5) business days of discovery;
- For Breaches and Security Incidents that do not result in access to, use, disclosure, modification, or destruction of PHI in violation of this BAA, this Section 1(d) will be deemed as notice to Covered Entity that Business Associate periodically receives unsuccessful attempts for unauthorized access, use, disclosure, modification, or destruction of information or interference with the general operation of Business Associate’s information systems and the Services, including pings and other broadcast attacks on Business Associate’s firewall, port scans, unsuccessful log-on attempts, and denial-of-service attacks, and, even if such events are defined as a Security Incident under the Laws, Business Associate will not provide any further notice regarding such unsuccessful attempts;
- To make available its internal practices, books, and records relating to the use and disclosure of PHI to the Secretary of the Department of Health and Human Services for purposes of determining the Covered Entity’s compliance with the Laws;
- To make available information necessary to enable the Covered Entity to make an accounting of disclosures of PHI about an individual within thirty (30) days of receiving a written request from the Covered Entity;
- To mitigate, to the extent practicable, any harmful effect known to Business Associate of a use or disclosure of PHI by Business Associate in violation of the requirements of this BAA; and
- With respect to PHI, (i) implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the PHI that it receives, maintains, or transmits on behalf of the Covered Entity, as required by the Laws; (ii) ensure that any agent, including a subcontractor, to whom it provides PHI agrees to implement reasonable and appropriate safeguards to protect it; and (iii) report to the Covered Entity any successful Security Incident of which it becomes aware. If Business Associate knows of a pattern of activity or practice of a subcontractor that constitutes a material breach of the subcontractor’s obligations under its agreement with Business Associate set forth in this Section 1(h) and Section 2 below, Business Associate will notify the subcontractor and require it to cure the breach or end the violation in accordance with the agreement, and if such steps are unsuccessful, terminate the applicable agreement with the subcontractor in relation to its use of PHI on Business Associate's behalf. Business Associate’s obligation to report under this Section is not and will not be construed as an acknowledgement by Business Associate of any fault or liability with respect to any Use, Disclosure, Security Incident, or Breach.
Permitted Uses and Disclosures of PHI
Business Associate may (a) use and disclose PHI to perform its obligations as set forth in the Agreement; (b) use PHI for proper management and administration of Business Associate or to carry out its legal responsibilities, and/or (c) disclose PHI to a third party for the proper management and administration of Business Associate or to carry out its legal responsibilities, if such disclosure is required by law or if Business Associate obtains reasonable assurances from recipient that the PHI will be held confidentially and used or further disclosed only as required by law or for the purposes for which it was disclosed to the recipient and the recipient notifies Business Associate of any instances of which it is aware in which the confidentiality of the PHI has been breached; provided, however, that Business Associate has required the third party comply with the same level of restrictions and conditions that apply through this BAA to Business Associate with respect to such information. All other uses or disclosures of PHI not authorized by this BAA are prohibited.
Rights of Ownership
Business Associate acknowledges and agrees that as between the parties, Covered Entity owns all right, title, and interest in and to all its PHI, and that such right, title, and interest will be vested in the Covered Entity. Neither Business Associate nor any of its employees, affiliates, or representatives will have any rights in any of the PHI, or right to use the PHI in any form, except for deidentified or aggregated PHI, or statistical information derived from or in connection with the PHI necessary to optimize the Services, except as expressly set forth above.
Covered Entity Responsibilities Regarding PHI
Covered Entity shall (a) notify Business Associate of any limitations in its notice of privacy and security practices of Covered Entity in accordance with the Laws to the extent that such limitation may affect Business Associate’s use or disclosure of PHI; (b) notify Business Associate of any changes in, or revocation of, permission by any individual to use or disclose PHI, to the extent that such changes may affect Business Associate’s use or disclosure of PHI; (c) notify Business Associate of any restriction to the use or disclosure of PHI that Covered Entity has agreed to in accordance with the Laws to the extent that such restriction may affect Business Associate’s use or disclosure of PHI; (d) not request Business Associate to use or disclose PHI in any manner that would not be permissible if done by the Covered Entity; and (e) otherwise comply with the Laws; provided that changes and restrictions required pursuant to (a) – (c) shall not be binding on Business Associate until agreed to in writing by Business Associate, where such agreement may require changes to the Services and/or additional fees. The only PHI that Covered Entity may disclose to Business Associate is Electronic PHI or ePHI. Covered Entity may not disclose any PHI to Business Associate that is not electronic and not provided through the Services. Covered Entity is solely responsible for the form and content of PHI provided to Business Associate, including whether Covered Entity maintains such PHI in a Designated Record Set. Covered Entity shall make reasonable efforts to limit the disclosure of PHI to Business Associate to the Minimum Necessary to accomplish the intended purpose of the use, disclosure, or request.
Termination
This BAA shall be effective as of the Effective Date. Either Party may terminate this BAA with written notice. At the end of the Services or upon Covered Entity's termination of the Services or the Agreement, if feasible and at Covered Entity's written request, Business Associate will return in its native form or destroy any PHI then in its possession and retain no copies of such PHI or, if such return or destruction is not feasible, extend the protections of the BAA to the PHI and limit further uses and disclosures to those purposes that make the return or destruction of the information infeasible. This BAA shall terminate once PHI is returned and/or deleted as per the written instructions by Covered Entity.
Miscellaneous
- Agreement. This BAA constitutes the entire BAA between the Parties hereto with respect to the subject matter hereof and supersedes all previous written or oral understandings, agreements, negotiations, commitments, and any other writing and communication by or between the Parties with respect to the subject matter hereof. The terms of this BAA shall prevail in the case of any conflict with the terms of the Agreement solely to the extent and only to the extent necessary to allow the Covered Entity to comply with the Laws.
- No Waiver. Failure or delay on the part of either Party to exercise any right, power, privilege or remedy hereunder shall not constitute a waiver thereof. No provision of this BAA may be waived by either Party except by a writing signed by an authorized representative of the Party making the waiver.
- Indemnification, Limitation of Liability. A Party (“Indemnifying Party”) agrees to defend the other Party (“Indemnified Party”) from any and all third party claims arising from a breach of the Indemnifying Party’s obligations under this BAA and indemnify the Indemnified Party from any resulting judgment by a court of competent jurisdiction or governmental agency for any penalties, fines, costs, liabilities or direct damages incurred by the Indemnified Party. NEITHER PARTY SHALL BE LIABLE TO THE OTHER FOR LOST PROFITS OR REVENUE OR FOR INCIDENTAL, CONSEQUENTIAL, PUNITIVE, COVER, SPECIAL, RELIANCE OR EXEMPLARY DAMAGES, OR INDIRECT DAMAGES OF ANY TYPE OR KIND HOWEVER CAUSED, WHETHER FROM BREACH OF WARRANTY, BREACH OR REPUDIATION OF CONTRACT, NEGLIGENCE, GROSS NEGLIGENCE, WILLFUL MISCONDUCT OR ANY OTHER LEGAL CAUSE OF ACTION FROM OR IN CONNECTION WITH THIS BAA (AND WHETHER OR NOT THE PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES) TO THE MAXIMUM EXTENT PERMITTED BY LAW. BUSINESS ASSOCIATE’S MAXIMUM LIABILITY TO COVERED ENTITY, WHETHER BASED ON WARRANTY, CONTRACT, TORT (INCLUDING NEGLIGENCE), PRODUCT LIABILITY OR OTHERWISE, WILL NOT EXCEED THE FEES PAID AND PAYABLE BY COVERED ENTITY UNDER THE APPLICABLE AGREEMENT DURING THE PRECEDING TWELVE MONTH PERIOD.
- Mitigation. Business Associate shall use commercially reasonable efforts to mitigate any harmful effect from any unauthorized access, use, disclosure, modification, or destruction of PHI by Business Associate in violation of this BAA or as provided by law.
- Changes in Law. The Parties agree to take such action as is necessary to amend this BAA from time to time for both the Business Associate and Covered Entity to comply with the requirements of the Laws. If the Parties are unable to mutually agree on an amendment within thirty (30) days after written notice from the other Party that such Party reasonably believes an amendment to be necessary, either Party may terminate this BAA on not less than thirty (30) days’ written notice to the other and, on any such termination, Covered Entity may, within thirty (30) days of such termination, terminate the Agreement by written notice to Business Associate.
- No Third Party Rights/Independent Contractors. The Parties to this BAA do not intend to create any rights in any third parties and agree that they are independent contractors and not agents of each other.
- Notice. All notices required or permitted under this BAA shall be in writing and shall be deemed given as set forth in the Agreement.
- To the extent permitted by applicable law, Covered Entity shall have the sole right to determine, with respect to any use or disclosure of PHI in violation of this BAA or the Agreement, any Breaches, or any Security Incidents: (i) whether notice is to be provided to Individuals or third parties and (ii) the contents of any such notices, provided Covered Entity shall work together in good faith with Business Associate regarding the content of the notice and provided no such notice may refer to Business Associate by name or implication without Business Associate’s prior written consent.