HIPAA BAA

HIPAA Business Associate Addendum

This HIPAA Business Associate Addendum (“BAA”) applies between Cairn Insights Technology, LLC (“Cairn”) and the Client identified in the Agreement (defined below), and supplements, amends and is incorporated into the Agreement with respect to PHI processed in connection with the Services (defined below), effective as of the date of the Agreement.

1. Definitions

Except as set forth in this ‘Definitions’ section, capitalized terms used in this BAA are as defined by HIPAA, the HITECH Act and regulations promulgated thereunder.

“Agreement” means the agreement between Cairn and Client incorporating this BAA.

“Business Associate” has the definition given to it under HIPAA. Cairn acts a Business Associate under this BAA.

“Deidentified Data” means, for purposes of this BAA, data:

  • ‘de-identified’ in accordance with 45 C.F.R. § 164.514(b)(2), and without the creation or retention of identifiers or records allowing ‘re-identification’ permitted by 45 C.F.R. § 164.514(c); and
  • rendered incapable of association with a known human being, in accordance with NIST 800-188 principles.

For purposes of this BAA, Deidentified Data and PHI are mutually exclusive.

“HIPAA” means the Health Insurance Portability and Accountability Act of 1996 and the rules and the regulations thereunder, as amended.

“HITECH Act” means the Health Information Technology for Economic and Clinical Health Act enacted in the United States Congress, which is Title XIII of the American Recovery & Reinvestment Act, and the regulations thereunder, as amended.

“Protected Health Information” and “PHI” has the definition given to it under HIPAA and, for purposes of this BAA, is limited to PHI Cairn receives in connection with its provision of the Professional Services or Client’s permitted use of Platform Services.

“Services” has the definition given to it in the Agreement.

2. Applicability

This BAA applies to the extent Client is acting as a Covered Entity or a Business Associate to create, receive, maintain, or transmit PHI in connection with the Services and to the extent Cairn, as a result, is deemed under HIPAA to be acting as a Business Associate or Subcontractor of Client.

3. Permitted Use and Disclosure of PHI

Generally.

Except as otherwise stated in this BAA, Cairn may use and disclose PHI only (i) as permitted or required by the Agreement and/or this BAA or (ii) as Required by Law.

Processing Standards.

Cairn shall implement and maintain appropriate administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of PHI in accordance with 45 C.F.R. Part 164, Subpart C (the Security Rule), including access controls limiting who may combine Deidentified Data with other data sets. Cairn may only deidentify PHI to create Deidentified Data. Cairn shall not attempt to re-identify Deidentified Data, and shall segregate Deidentified Data from PHI in any manner that would reasonably be expected to prevent its ability to identify any individual.

Disclosure.

Cairn may use and disclose PHI for its proper management and administration and to carry out its legal responsibilities, provided that any disclosure of PHI for such purposes may only occur if (i) Required by Law; or (ii) Cairn obtains written reasonable assurances from the person to whom PHI will be disclosed that it will be held in confidence, used only for the purpose for which it was disclosed, and that Cairn will be notified of any Breach or Security Incident.

4. Client Obligations

Client will:

  1. Provide Cairn with notice of any limitation in its Notice of Privacy Practices that would affect Cairn’s use or disclosure of PHI;
  2. Notify Cairn of any changes in, or revocation of, authorization by an individual for the use or disclosure of PHI, to the extent such changes affect Cairn’s permitted uses and disclosures;
  3. Notify Cairn of any restriction on the use or disclosure of PHI agreed to by Client that would affect Cairn’s use or disclosure;
  4. Obtain and maintain all authorizations, consents, and permissions required under HIPAA for Cairn to perform the services described in the Services Agreement;
  5. Not request that Cairn use or disclose PHI in any manner that would not be permissible under HIPAA if done by Client (if Client is a Covered Entity) or by the Covered Entity to which Client is a Business Associate (unless expressly permitted under HIPAA for a Business Associate).

5. Appropriate Safeguards

Cairn and Client will each use appropriate safeguards designed to prevent against unauthorized use or disclosure of PHI, and as otherwise required under HIPAA, with respect to the Services.

6. Reporting and Related Obligations

(a) Cairn will promptly notify Client of (i) any Security Incident of which Cairn becomes aware, subject to Section 6(c); and (ii) any Breach that Cairn discovers, provided that any notice for Breach will be made promptly and without unreasonable delay, and in no case later than 60 calendar days after discovery. Notifications made under this section will describe, to the extent possible, details of a Breach, including steps taken to mitigate the potential risks and steps Cairn recommends Client take to address the Breach.

(b) Cairn will send any applicable notifications to the notification email address provided by Client in the Agreement or via direct communication with Client.

(c) Notwithstanding Section 6(a), this Section 6(c) will be deemed as notice to Client that Cairn’s systems and the Platform Services periodically receive unsuccessful attempts for unauthorized access, use, disclosure, modification, or destruction of information, or interference with their general operation. Client acknowledges and agrees that even if such events constitute a Security Incident, Cairn will not be required to provide any notice under this BAA regarding such unsuccessful attempts other than this Section 6(c).

7. Subcontractors

Cairn will take appropriate measures to ensure that any Subcontractors used by Cairn to perform its obligations under the Agreement that require access to PHI on behalf of Cairn are bound by written obligations that provide the same material level of protection for PHI as this BAA. To the extent Cairn uses Subcontractors in its performance of obligations hereunder, Cairn will remain responsible for their performance as if performed by Cairn.

8. Designated Record Sets

The parties acknowledge and agree that, unless otherwise expressly provided by an Order, Cairn has not agreed to maintain any PHI in a Designated Record Set and will not maintain any PHI in a Designated Record Set. Cairn will furnish PHI as contemplated by this BAA, but will have no other obligations to Client or any Individual with respect to the rights afforded to Individuals by HIPAA with respect to Designated Record Sets, including rights of access or amendment of PHI.

9. Accounting of Disclosures

Cairn will document disclosures of PHI by Cairn and provide an accounting of such disclosures to Client as and to the extent required of a Business Associate under HIPAA and in accordance with the requirements applicable to a Business Associate under HIPAA.

10. Access to Records

To the extent required by law, and subject to all applicable legal privileges, Cairn will make its internal practices, books, and records concerning the use and disclosure of PHI received from Client, or created or received by Cairn on behalf of Client, available to the Secretary of the U.S. Department of Health and Human Services (the “Secretary”) for the purpose of the Secretary determining compliance with this BAA.

11. Expiration and Termination

(a) This BAA will terminate on the earlier of (i) a permitted termination in accordance with Section 11(b), or (ii) the expiration or termination of all Agreement under which Client has access to a Covered Service.

(b) If either party materially breaches this BAA, the non-breaching party may terminate this BAA on 30 days’ written notice to the breaching party unless the breach is cured within the 30-day period. If a cure under this Section 11(b) is not reasonably possible, the non-breaching party may immediately terminate this BAA, or if neither termination nor cure is reasonably possible under this Section 11(b), the non-breaching party may report the violation to the Secretary, subject to all applicable legal privileges.

12. Return/Destruction

Upon termination of the Agreement, Cairn will return or destroy all PHI received from Client, or created or received by Cairn on behalf of Client; provided, however, that if such return or destruction is not feasible, Cairn will extend the protections of this BAA to the PHI not returned or destroyed and limit further uses and disclosures to those purposes that make the return or destruction of the PHI infeasible.

13. Miscellaneous

Survival.

Sections 12 (Return/Destruction) and 13 (Miscellaneous) survive termination or expiration of this BAA.

Counterparts.

The parties may execute this BAA in counterparts, including facsimile, PDF, or other electronic copies, which taken together will constitute one instrument.

Effects of Addendum.

To the extent this BAA conflicts with the remainder of the Agreement, this BAA will govern. This BAA is subject to the “Governing Law” section in the Agreement. Except as expressly modified or amended under this BAA, the terms of the Agreement remain in full force and effect.