This HIPAA Business Associate Addendum (“BAA”) applies between Cairn Insights Technology, LLC (“Cairn”) and the Client identified in the Agreement (defined below), and supplements, amends and is incorporated into the Agreement with respect to PHI processed in connection with the Services (defined below), effective as of the date of the Agreement.
Except as set forth in this ‘Definitions’ section, capitalized terms used in this BAA are as defined by HIPAA, the HITECH Act and regulations promulgated thereunder.
“Agreement” means the agreement between Cairn and Client incorporating this BAA.
“Business Associate” has the definition given to it under HIPAA. Cairn acts a Business Associate under this BAA.
“Deidentified Data” means, for purposes of this BAA, data:
For purposes of this BAA, Deidentified Data and PHI are mutually exclusive.
“HIPAA” means the Health Insurance Portability and Accountability Act of 1996 and the rules and the regulations thereunder, as amended.
“HITECH Act” means the Health Information Technology for Economic and Clinical Health Act enacted in the United States Congress, which is Title XIII of the American Recovery & Reinvestment Act, and the regulations thereunder, as amended.
“Protected Health Information” and “PHI” has the definition given to it under HIPAA and, for purposes of this BAA, is limited to PHI Cairn receives in connection with its provision of the Professional Services or Client’s permitted use of Platform Services.
“Services” has the definition given to it in the Agreement.
This BAA applies to the extent Client is acting as a Covered Entity or a Business Associate to create, receive, maintain, or transmit PHI in connection with the Services and to the extent Cairn, as a result, is deemed under HIPAA to be acting as a Business Associate or Subcontractor of Client.
Except as otherwise stated in this BAA, Cairn may use and disclose PHI only (i) as permitted or required by the Agreement and/or this BAA or (ii) as Required by Law.
Cairn shall implement and maintain appropriate administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of PHI in accordance with 45 C.F.R. Part 164, Subpart C (the Security Rule), including access controls limiting who may combine Deidentified Data with other data sets. Cairn may only deidentify PHI to create Deidentified Data. Cairn shall not attempt to re-identify Deidentified Data, and shall segregate Deidentified Data from PHI in any manner that would reasonably be expected to prevent its ability to identify any individual.
Cairn may use and disclose PHI for its proper management and administration and to carry out its legal responsibilities, provided that any disclosure of PHI for such purposes may only occur if (i) Required by Law; or (ii) Cairn obtains written reasonable assurances from the person to whom PHI will be disclosed that it will be held in confidence, used only for the purpose for which it was disclosed, and that Cairn will be notified of any Breach or Security Incident.
Client will:
Cairn and Client will each use appropriate safeguards designed to prevent against unauthorized use or disclosure of PHI, and as otherwise required under HIPAA, with respect to the Services.
(a) Cairn will promptly notify Client of (i) any Security Incident of which Cairn becomes aware, subject to Section 6(c); and (ii) any Breach that Cairn discovers, provided that any notice for Breach will be made promptly and without unreasonable delay, and in no case later than 60 calendar days after discovery. Notifications made under this section will describe, to the extent possible, details of a Breach, including steps taken to mitigate the potential risks and steps Cairn recommends Client take to address the Breach.
(b) Cairn will send any applicable notifications to the notification email address provided by Client in the Agreement or via direct communication with Client.
(c) Notwithstanding Section 6(a), this Section 6(c) will be deemed as notice to Client that Cairn’s systems and the Platform Services periodically receive unsuccessful attempts for unauthorized access, use, disclosure, modification, or destruction of information, or interference with their general operation. Client acknowledges and agrees that even if such events constitute a Security Incident, Cairn will not be required to provide any notice under this BAA regarding such unsuccessful attempts other than this Section 6(c).
Cairn will take appropriate measures to ensure that any Subcontractors used by Cairn to perform its obligations under the Agreement that require access to PHI on behalf of Cairn are bound by written obligations that provide the same material level of protection for PHI as this BAA. To the extent Cairn uses Subcontractors in its performance of obligations hereunder, Cairn will remain responsible for their performance as if performed by Cairn.
The parties acknowledge and agree that, unless otherwise expressly provided by an Order, Cairn has not agreed to maintain any PHI in a Designated Record Set and will not maintain any PHI in a Designated Record Set. Cairn will furnish PHI as contemplated by this BAA, but will have no other obligations to Client or any Individual with respect to the rights afforded to Individuals by HIPAA with respect to Designated Record Sets, including rights of access or amendment of PHI.
Cairn will document disclosures of PHI by Cairn and provide an accounting of such disclosures to Client as and to the extent required of a Business Associate under HIPAA and in accordance with the requirements applicable to a Business Associate under HIPAA.
To the extent required by law, and subject to all applicable legal privileges, Cairn will make its internal practices, books, and records concerning the use and disclosure of PHI received from Client, or created or received by Cairn on behalf of Client, available to the Secretary of the U.S. Department of Health and Human Services (the “Secretary”) for the purpose of the Secretary determining compliance with this BAA.
(a) This BAA will terminate on the earlier of (i) a permitted termination in accordance with Section 11(b), or (ii) the expiration or termination of all Agreement under which Client has access to a Covered Service.
(b) If either party materially breaches this BAA, the non-breaching party may terminate this BAA on 30 days’ written notice to the breaching party unless the breach is cured within the 30-day period. If a cure under this Section 11(b) is not reasonably possible, the non-breaching party may immediately terminate this BAA, or if neither termination nor cure is reasonably possible under this Section 11(b), the non-breaching party may report the violation to the Secretary, subject to all applicable legal privileges.
Upon termination of the Agreement, Cairn will return or destroy all PHI received from Client, or created or received by Cairn on behalf of Client; provided, however, that if such return or destruction is not feasible, Cairn will extend the protections of this BAA to the PHI not returned or destroyed and limit further uses and disclosures to those purposes that make the return or destruction of the PHI infeasible.
Sections 12 (Return/Destruction) and 13 (Miscellaneous) survive termination or expiration of this BAA.
The parties may execute this BAA in counterparts, including facsimile, PDF, or other electronic copies, which taken together will constitute one instrument.
To the extent this BAA conflicts with the remainder of the Agreement, this BAA will govern. This BAA is subject to the “Governing Law” section in the Agreement. Except as expressly modified or amended under this BAA, the terms of the Agreement remain in full force and effect.