This Business Associate Agreement (this “BAA”) supplements the terms and conditions of the agreement entered into between you (“Covered Entity”) and Calyx Health, Inc. d/b/a Mabel (“Business Associate”). Covered Entity and Business Associate are sometimes referred to collectively as the “Parties” and individually as a “Party.”

1. Definitions

Terms used in this BAA — including “Breach,” “Electronic Protected Health Information,” “HIPAA,” “HITECH Standards,” “Individually Identifiable Health Information,” “Privacy Rule,” “Protected Health Information” (“PHI”), “Security Rule,” “Security Incident,” and “Unsecured Protected Health Information” — carry the meanings given to them under HIPAA, the Privacy Rule, the Security Rule, and the HITECH Standards, as those terms may be updated from time to time.

2. Status of Parties

The Parties acknowledge and agree that Covered Entity is a “Covered Entity” and that Business Associate is a “Business Associate” of Covered Entity, as those terms are defined in HIPAA, the Privacy Rule, and the Security Rule.

3. Permitted Uses and Disclosures

Performance of Services. Business Associate may access, use, and/or disclose Covered Entity’s PHI and/or ePHI in connection with the performance of its obligations under the underlying services agreement, consistent with HIPAA, the Privacy Rule, and the HITECH Standards.

Minimum Necessary. Business Associate shall limit its use, access, or disclosure of PHI to the minimum necessary to accomplish the intended purpose, in accordance with HIPAA and applicable guidance.

Documentation of Disclosures. Business Associate shall document any permitted disclosures of PHI, including the date, recipient, description of the PHI disclosed, and purpose of the disclosure.

Modification of PHI. Business Associate shall not modify existing data other than to correct errors or derive new data, and shall record and retain any such modifications for seven (7) years.

Other Permitted Uses. Business Associate may use PHI for the proper management and administration of its business, to provide data aggregation or de-identification services relating to Covered Entity’s health care operations, or to carry out its legal responsibilities, subject to the limitations below.

Nondisclosure. Business Associate is not authorized to use or further disclose PHI other than as permitted or required under this BAA, or as required by law.

Disclosures Required by Law; Legal Process. Business Associate shall notify Covered Entity in advance of any disclosure required by law where possible, and within five (5) business days of receiving any legal process or governmental request that may require disclosure of PHI, so Covered Entity may object or seek relief.

State Law; Subcontractors. Business Associate shall comply with applicable state law requirements that are more stringent than HIPAA, and shall ensure that any subcontractor that creates, receives, transmits, or stores PHI agrees in writing to the same restrictions that apply to Business Associate.

Notification of Investigation or Lawsuit. Business Associate shall notify Covered Entity immediately upon receipt of notice of an investigation or lawsuit related to its use or disclosure of PHI.

4. Safeguards, Reporting, Mitigation, and Enforcement

Safeguards. Business Associate shall use appropriate administrative, physical, and technical safeguards — including policies, procedures, and employee training — to protect the confidentiality, integrity, and availability of PHI and ePHI in accordance with the Security Rule and HITECH Standards.

Notification. Business Associate shall notify Covered Entity in writing as soon as possible, and in no event more than ten (10) calendar days, after becoming aware of any Breach or Security Incident involving Covered Entity’s PHI, and shall cooperate in good faith in any related investigation.

Corrective Action. Business Associate shall take prompt corrective action to remedy any Breach or Security Incident, mitigate any harmful effects, and provide Covered Entity with a written report — including the nature, scope, and timeline of the incident and the corrective action taken — no later than thirty (30) calendar days following the initial report.

Cooperation; Inspection. Business Associate shall cooperate with Covered Entity to investigate, remediate, and report any Breach, and shall make its facilities, systems, books, and records available to Covered Entity or HHS to confirm compliance with this BAA, HIPAA, the Privacy Rule, the Security Rule, and the HITECH Standards.

Costs; Sanctions. Business Associate shall bear the costs associated with any Breach or Security Incident resulting from its failure to adhere to this BAA, and shall apply appropriate sanctions against any employee, subcontractor, or agent who violates this BAA or applicable law.

5. Access, Amendment, and Accounting of PHI

Business Associate shall make available to Covered Entity such information as is necessary for Covered Entity to fulfill its obligations to provide individuals with access to, amendment of, and an accounting of disclosures of PHI in accordance with HIPAA, the Privacy Rule, and the HITECH Standards. If an individual requests access, amendment, or an accounting directly from Business Associate, Business Associate shall forward the request to Covered Entity within five (5) days.

6. Material Breach, Enforcement, and Termination

This BAA remains effective until termination of the underlying agreement or as otherwise provided herein. Covered Entity may terminate this BAA immediately if Business Associate is named as a defendant in a criminal proceeding, or if a finding of a HIPAA violation is made against Business Associate in any administrative or civil proceeding. Upon termination, Business Associate shall return or destroy all PHI in its possession; if return or destruction is not feasible, Business Associate shall continue to extend the protections of this BAA to such information.

7. Miscellaneous Terms

This BAA may be amended as required to ensure compliance with changes in applicable privacy and security laws, and shall be construed in accordance with the laws of the State of California. In the event of a conflict between this BAA and any other agreement between the Parties, this BAA controls with respect to the subject matter herein. Nothing in this BAA confers any rights, obligations, or remedies on any party other than the Parties and their respective successors and assigns.