HIPAA Business Associate Addendum
April 2022
“Business Associate”, “Breach”, “Covered Entity”, “Required by Law”, “Security Incident” and “Subcontractor” have the definitions given under HIPAA.
“HIPAA” means the Health Insurance Portability and Accountability Act of 1996 and the rules and the regulations made under it, as amended.
“Protected Health Information” or “PHI” has the definition given to it under HIPAA and for purposes of this BAA is limited to PHI which is part of invitation data to which we have access through the Covered Services.
2. Permitted use and disclosure of PHI: Except as otherwise stated in this BAA, we will only use or disclose PHI as necessary to perform the Covered Services, or as Required by Law.
3. Invitation data: If the type of review invitation services we provide to you requires us to receive or process invitation data that is PHI, then we will process that invitation data in accordance with the Data Processing Agreement.
4. Security practices: We will use appropriate safeguards designed to prevent unauthorized use or disclosure of PHI, and as otherwise required under HIPAA, with respect to the Covered Services. The security practices that we apply to PHI will be the same as those that we describe in the Security practices section of our Data Processing Agreement.
On your request, we will provide you with sufficient information to enable you to check that we are complying with these security practices.
5. Reporting: We will, without undue delay after becoming aware of the facts, inform you in writing about any finding of a Security Incident (excluding any unsuccessful attempt) regarding PHI, including a Breach of unsecured PHI.
7. Access and amendment: We will provide you with access to PHI via the Covered Services so that you may fulfill your obligations under HIPAA with respect to individuals’ rights of access and amendment, but will have no other obligations to you or any individual with respect to the rights afforded to individuals by HIPAA, including rights of access or amendment of PHI.
8. Accounting of disclosures: We will document our disclosures of PHI and make available the information required to provide an accounting of disclosures, as necessary to satisfy your obligations under HIPAA.
9. Access to records: Unless we are prohibited under applicable laws or regulations, we will make our internal practices, books, and records concerning the use and disclosure of PHI received from you available to the Secretary of the U.S. Department of Health and Human Services (the “Secretary”) for the purpose of the Secretary determining your compliance with HIPAA.