HIPAA Policy / Business Associate Agreement
This Business Associate Agreement (“Agreement”) shall be an addendum to the End User License Agreement between Sprout Marketing Group (“Business Associate”) and Covered Entity, collectively referred to as “Parties”.
WHEREAS, Business Associate is engaged in the business of providing an online reputation management service called Sprout Marketing Group that facilitates generation of online reviews; and
WHEREAS, Covered Entity is subject to the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Part 160 and Part 164 (“HIPAA Rules”) and wishes to utilize the Sprout Marketing Group service provided by Business Associate;
NOW, THEREFORE, Covered Entity and Business Associate agree as follows:
The following terms used in this Agreement shall have the same meaning as those terms in the HIPAA Rules: Breach, Data Aggregation, Designated Record Set, Disclosure, Health Care Operations, Individual, Minimum Necessary, Notice of Privacy Practices, Protected Health Information, Required By Law, Secretary, Security Incident, Subcontractor, Unsecured Protected Health Information, and Use.
- Business Associate. “Business Associate” shall generally have the same meaning as the term “business associate” at 45 CFR 160.103, and in reference to the party to this agreement, shall mean Sprout Marketing Group.
- Covered Entity. “Covered Entity” shall generally have the same meaning as the term “covered entity” at 45 CFR 160.103, and in reference to the party to this agreement, shall mean Customer of the Sprout Marketing Group service.
- HIPAA Rules. “HIPAA Rules” shall mean the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Part 160 and Part 164.
1. Obligations and Activities of Business Associate.
Business Associate agrees to:
- Not use or disclose Protected Health Information other than as permitted to provide the Sprout Marketing Group service or as required by law;
- Use appropriate administrative, technical, and physical safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to electronic Protected Health Information, to prevent use or disclosure of Protected Health Information other than as provided for by this Agreement;
- Mitigate, whenever practicable, any harmful effect that is known to Business Associate of a use or disclosure of Protected Health Information by Business Associate in violation of the requirements of this Agreement;
- Report to Covered Entity any use or disclosure of Protected Health Information not provided for by this Agreement of which it becomes aware, including breaches of unsecured Protected Health Information as required at 45 CFR 164.410, and any Security Incident of which it becomes aware;
- In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, ensure that any subcontractors that create, receive, maintain, or transmit Protected Health Information on behalf of Business Associate agree to the same restrictions, conditions, and requirements that apply to Business Associate with respect to such information; and
- Make its internal practices, books, and records available to the Secretary of Health and Human Services for purposes of determining compliance with the HIPAA Rules.
2. Sprout Marketing Group Restrictions.
- Sprout Marketing Group is an online reputation management service that was not explicitly designed for storing or working with Protected Health Information. Covered Entity must ensure that its use of Sprout Marketing Group is consistent with the HIPAA Rules.
- The parties agree that, due to the nature of the technology utilized by Business Associate, Business Associate cannot make Protected Health Information available (i) to the extent and in the manner required by Section 164.524 of the Privacy Rule, (ii) for amendment or incorporate any amendments to Protected Health Information in accordance with the requirements of Section 164.526 of the Privacy Rule, or (iii) for purposes of accounting of disclosures, as required by Section 164.528 of the Privacy Rule. Rather, Covered Entity will be solely responsible for compliance with each of the foregoing.
- Because Business Associate does not know the nature of Protected Health Information contained in Covered Entity’s Sprout Marketing Group account, it will not be possible for Business Associate to provide information about the identities of the Individuals who may have been affected or a description of the type of information that may have been subject to a Security Incident, Impermissible Use or Disclosure, or Breach.
3. Obligations and Activities of Covered Entity.
Covered Entity agrees to:
- Not request that Business Associate use or disclose Protected Health Information in any manner that would not be permissible under Subpart E of 45 CFR Part 164 if done by Covered Entity;
- Not provide Business Associate with Protected Health Information by any means other than through normal operation of the Sprout Marketing Group service; and
- Comply with all HIPAA Rules, including Subpart C of 45 CFR Part 164, with respect to all uses of the Sprout Marketing Group service.
4. Term and Termination.
- Termination of Covered Entity’s business relationship with Business Associate shall be under the terms set forth in the End User License Agreement. Notwithstanding anything in this BAA or in the End User License Agreement to the contrary, Covered Entity has the right to terminate this Agreement immediately if Covered Entity determines that Business Associate has violated any of its material terms.
- Upon the termination of this Agreement for any reason, Business Associate shall return or destroy all Protected Health Information received from Covered Entity or created or received by Business Associate on behalf of Covered Entity. Business Associate shall retain no copies of the Protected Health Information.
5. Miscellaneous Terms.
- By reference, this Agreement incorporates, but does not supersede or replace, the End User License Agreement of the Sprout Marketing Group service.
- This Agreement may be amended from time to time by Business Associate, by notifying Covered Entity of such amendments and posting amendments to its website.
- Except as expressly stated herein or in the Privacy Rule, the parties to this Agreement do not intend to create any rights in any third parties. The obligations of Business Associate under this Section survive the expiration, termination, or cancellation of this Agreement until such time as all Protected Health Information stored or copied by Business Associate has been returned to Covered Entity or destroyed.
- Parties will not assign this Agreement, in whole or in part, except in the event that Business Associate sells the majority of its Sprout Marketing Group service, in which case Business Associate may assign this Agreement to the new owner of the Sprout Marketing Group service.
- Neither party will be held responsible for any delay or failure in performance of any part of this Agreement to the extent that such delay is caused by events or circumstances beyond the other party’s reasonable control.
- In the event that any provision of this Agreement is held by a court of competent jurisdiction to be invalid or unenforceable, the remainder of the provisions of this Agreement will remain in full force and effect.
If you have further questions about this Agreement or in general, please contact firstname.lastname@example.org