BUSINESS ASSOCIATE AGREEMENT
Last updated: April 15, 2019
Ovation.io, Inc. (Ovation or Business Associate) owns and operates the websites *.ovation.io and *.labtests.io (collectively, the Site), Platform and Service, which are accessed and used by its Customers and their Users to (among other things) organize, track and share scientific, technical and/or clinical data.
The following business associate agreement (BAA) explains Ovation's obligations as a "business associate" under the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations, including the Standards for the Privacy of Individually Identifiable Health Information (Privacy Rule) (45 CFR Part 160 and Subparts A and E of Part 164) and the Security Standards for the Protection of Electronic Protected Health Information (Security Rule) (45 CFR Part 160 and Subparts A and C of Part 164), and the Health Information Technology for Economic and Clinical Health Act (Title XIII, Subtitle D) and its implementing regulations (HITECH) (together HIPAA), if applicable. This BAA supplements the other terms and conditions that apply between Customer and Ovation, which are detailed or referenced in the Terms of Service for Ovation Diagnostic (OvDx).
This BAA is intended to ensure that Business Associate and Customer will establish and implement appropriate safeguards where Business Associate may receive, create, maintain, use or disclose electronic or other "protected health information" as such term is defined under HIPAA (PHI), provided PHI is understood to mean only the PHI that Business Associate creates, receives, maintains or transmits in connection with the functions, activities and services that Business Associate performs on behalf of Customer solely to perform its duties and responsibilities under the Services Agreement (the OvDx Services).
Customer and Business Associate agree that this BAA applies solely with respect to PHI that Business Associate creates, receives, accesses, uses, maintains or discloses in connection with performing the OvDx Services; it does not apply to other information, including information that would meet the definition of PHI, that Business Associate may create, receive, access, use, maintain or disclose outside of performing the OvDx Services.
- Analytics means statistics, metrics, abstractions, rules, models, collections, combinations and other analyses that are based on or derived from the OvDx Services or Service Data (including without limitation, measurements of OvDx Service usage and performance), which are developed in a manner that does not disclose the identity of Customer, any User or any individual identified in the Service Data and that does not disclose any Service Data except in a de-identified (in accordance with 45 CFR §164.514(a)-(c)) or aggregated form (combined with other data, results or measurements).
- Individual shall have the same meaning as the term "individual" in 45 CFR §160.103 and shall include a person who qualifies as a personal representative in accordance with 45 CFR §164.502(g).
- Required By Law shall have the same meaning as the term "required by law" in 45 CFR §164.103.
- Services Agreement shall mean the Contract between Ovation and Customer, taken together with the Terms of Service.
- User means each of the named individuals who is specifically identified by Customer for onboarding and use of the OvDx Services under Customer's Account.
- Capitalized terms used but not defined herein have the meanings assigned to them in the Terms of Service or HIPAA, as the case may be.
4. PERMITTED AND REQUIRED USES AND DISCLOSURES.
a. Service Offerings. Business Associate may use or disclose PHI in connection with the performance of the OvDx Services if such use or disclosure of PHI would not violate HIPAA if done by Customer or if such use or disclosure is expressly permitted under this BAA or the Services Agreement.
b. Administration and Management of OvDx Services. Business Associate may use or disclose PHI received by Business Associate in its capacity as "business associate" of Customer for the proper management and administration of Business Associate. Any such disclosure of PHI shall only be made if Business Associate obtains reasonable assurances from the person to whom the PHI is disclosed that: (1) the PHI will be held confidentially and used or further disclosed only as required by law or for the purpose for which it was disclosed to the person; (2) Business Associate will be notified by such person of any instances of which it becomes aware in which the confidentiality of the PHI has been breached; and (3) the person will provide Business Associate appropriate notice and opportunity to object before disclosing PHI on the basis that such disclosure is required by law.
c. Disclosures Required By Law. Business Associate may only use or disclose PHI on the basis that such disclosure is required by law after notifying Customer's Privacy Officer or his/her designee to allow an opportunity to object to the disclosure and to seek appropriate relief. If Customer objects to such disclosure, Business Associate shall, to the extent legally permitted, refrain from disclosing the PHI until Customer has exhausted all alternatives for relief. However, if Business Associate is unable to notify Customer for reasons beyond Business Associate's control, Business Associate may disclose PHI on the basis that such disclosure is required by law so long as Business Associate provides immediate notice to Customer's Privacy Officer or his/her designee following the disclosure.
d. Disclosure to Subcontractors. Business Associate shall ensure that any subcontractors that create, receive, maintain or transmit PHI on behalf of Business Associate agree, in a writing that complies with the requirements of 45 CFR §164.504(e)(2) through (e)(4), to be bound by the same restrictions and conditions that apply to Business Associate under this BAA with respect to such PHI, including, without limitation, implementing reasonable and appropriate safeguards to protect it.
e. Data Aggregation. To the extent permitted by the Services Agreement, or as otherwise expressly agreed to in writing by Customer, Business Associate may use and disclose PHI for data aggregation purposes; however, only in order to analyze data for permitted health care operations of Customer, and only to the extent that such use is permitted under HIPAA.
5. OBLIGATIONS OF BUSINESS ASSOCIATE.
a. Limit on Uses and Disclosures. Business Associate will use and disclose PHI only as permitted by this BAA or as Required By Law. If Customer notifies Business Associate that Customer has agreed to be bound by additional restrictions on the uses or disclosures of PHI pursuant to HIPAA, Business Associate and Customer shall mutually agree on the extent to which Business Associate will be bound by such additional restrictions and Business Associate shall not disclose PHI in violation of such additional mutually agreed upon restrictions.
b. Safeguards. Business Associate will use reasonable and appropriate safeguards to prevent Use or Disclosure of PHI other than as provided for by this BAA, consistent with the requirements of Subpart C of 45 CFR Part 164 (with respect to Electronic PHI) as determined by Business Associate.
c. Reporting of Impermissible Uses and Disclosures. Business Associate will report to Customer any Use or Disclosure of PHI not permitted or required by this BAA of which Business Associate becomes aware.
d. Reporting of Security Incidents. Business Associate will report to Customer no less than fourteen (14) business days from the date Business Associate becomes aware of any Security Incidents involving PHI in which there is a successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an Information System in a manner that risks the confidentiality, integrity, or availability of such information. Notice is hereby deemed provided, and no further notice will be provided, for unsuccessful attempts at such unauthorized access, use, disclosure, modification, or destruction, such as pings and other broadcast attacks on a firewall, denial of service attacks, port scans, unsuccessful login attempts, or interception of encrypted information where the key is not compromised, or any combination of the above.
e. Reporting of Breaches. Business Associate will report to Customer any Breach of Customer's Unsecured PHI that Business Associate may discover to the extent required by 45 CFR §164.410. Business Associate will make such report without unreasonable delay, and in no case later than four (4) hours after discovery by Business Associate of such Breach. Business Associate undertakes no obligation to report network security related incidents which occur on its managed network but do not directly involve Customer's use of the OvDx Services.
f. Accounting of Disclosures. Business Associate will make available to Customer the information required to provide an accounting of Disclosures in accordance with 45 CFR §164.528 of which Business Associate is aware, if requested by Customer.
g. Internal Records. Business Associate will make its internal practices, books, and records relating to the Use and Disclosure of PHI available to the Secretary of the U.S. Department of Health and Human Services for purposes of determining Customer compliance with HIPAA. Nothing in this section will waive any applicable privilege or protection, including with respect to trade secrets and confidential commercial information.
6. CUSTOMER'S OBLIGATIONS.
a. Appropriate Use of HIPAA Accounts. At all times, Customer will comply with the Privacy Rules, Security Rules and other applicable laws and regulations. By way of illustration and not limitation, Customer is responsible for implementing appropriate privacy and security safeguards in order to protect PHI in compliance with HIPAA and this BAA and Customer shall not include PHI in any OvDx Services that are not or cannot be HIPAA compliant.
b. Necessary Consents. Customer warrants that it has obtained all necessary authorizations, consents, and other permissions from the Individuals (or their personal representatives), in the form and to the extent required by the Privacy Rules, that may be required under applicable law for Business Associate to use and disclose their PHI in the manner and for the purposes described in this BAA and the Services Agreement. Customer will promptly notify Business Associate of any changes in, or withdrawal of, such written permission provided to Customer by Individuals or their personal representatives, including without limitation revocations of authorizations pursuant to 45 CFR §164.508. Customer will also promptly notify Business Associate of any restrictions to the use and disclosure of PHI that Customer has agreed to in accordance with 45 CFR §164.522, to the extent that such restrictions affect Business Associate's use or disclosure of PHI.
c. Restrictions on Disclosures. Customer shall not agree to any request for restrictions or place any restrictions in any notice of its privacy practices that would cause Business Associate to violate this BAA, the Services Agreement or any applicable law.
d. Compliance with HIPAA. Customer shall not request or cause Business Associate to make a Use or Disclosure of PHI in a manner that does not comply with this BAA, the Services Agreement, HIPAA or any other applicable law.
e. Privacy Practices. Customer will provide Business Associate with a copy of the notice of privacy practices that it provides to Individuals (or their personal representatives) who are the subject of the PHI.
f. Identity of Users. The OvDx Services include means by which Customer's Users may be permitted to import, export, review and exchange PHI. Therefore, Customer shall implement and comply with reasonable policies and methods to confirm and verify the actual identity of Users that will be registered to access and use the OvDx Services under its Account.
7. TERM AND TERMINATION.
a. Term. The term of this BAA will commence on the BAA Effective Date and will remain in effect until the termination of the Contract.
b. Effect of Termination. At termination of this BAA, Business Associate, if feasible, will return or destroy all PHI that Business Associate still maintains in its role as Business Associate for the purposes of carrying out the OvDx Services, if any. If return or destruction is not feasible, Business Associate will extend the protections of this BAA to the PHI, limit further uses and disclosures to those purposes that make the return of the PHI infeasible, and make no further use or disclosure of PHI.
c. Account Access. If Customer requests contemporaneously with any termination event or notice, Business Associate will allow Customer to have access to Customer's Account for a reasonable period of time following termination as necessary for Customer to retrieve or delete any PHI at its then current monthly recurring rate; provided, however, that if the security of Customer's servers has been compromised, or the Services Agreement was terminated by Customer's failure to use reasonable security precautions, Business Associate may: (i) provide Customer with restricted access via a dedicated or private link or tunnel to Customer Account or (ii) refuse to allow Customer to have access to Customer's Account but will use reasonable efforts to copy Service Data onto media Customer provides to Business Associate, and will ship the media to Customer at Customer's risk and expense. Business Associate's efforts to copy Service Data onto Customer-supplied media shall be billable as an Additional Service at Business Associate's then current hourly rates.
d. De-identification. Customer owns all rights, title and interests in and to its Service Data, including, without limitation, PHI. Notwithstanding anything to the contrary herein, Business Associate may de-identify PHI, such that any resulting information does not disclose any individually identifiable information, except in de-identified (in accordance with 45 CFR §164.514(a)-(c)) or aggregated form (combined with other data, results or measurements) (Converted Data). Customer shall own all rights, title and interests in and to such Converted Data.
Upon de-identification (as described in the immediately preceding paragraph), Business Associate shall deliver Converted Data to Customer, and Customer shall own all rights, title, and interests in and to Converted Data, subject to the license granted by Customer and each of its Users to Business Associate hereunder.
Business Associate may use Converted Data under the following license, which is granted by Customer to Business Associate. Customer and each User hereby grants and agrees to grant an exclusive, irrevocable, perpetual, worldwide, royalty-free, right and license: (i) to freely access, copy, store, process, distribute, transmit, display Converted Data; (ii) use and disclose Converted Data for Business Associate's business purposes; (iii) to copy, store, process and use such Converted Data to develop, improve, extend and test the Platform and OvDx Services; and (iv) to copy, store, process and use Converted Data to design, develop, distribute, commercialize and use Analytics.
Business Associate's rights and license to use Converted Data shall be exclusive, except that Customer may use Converted Data solely for its internal business purposes. Unless and only to the extent expressly agreed otherwise by Business Associate and Customer in writing, Customer shall not be entitled to any revenue, royalties, or other compensation for Business Associate's own use or disclosure of such Converted Data.
For the avoidance of doubt, Analytics shall not be understood to be the same as or overlap with Converted Data; Customer owns all rights, title and interests in and to Converted Data, and Business Associate owns and retains all rights, title and interests (including without limitation, patent rights, copyright rights, trade secret rights and trademark rights) in and to the Analytics.
a. Amendment. Customer and Business Associate agree to take such action as is reasonably necessary to amend this BAA from time to time as is necessary for either party to comply with the requirements of the Privacy Rule and related laws and regulations.
b. Survival. Customer and Business Associate's respective rights and obligations under Sections 7(b) - (d) of this BAA shall survive the termination of the Services Agreement.
c. Interpretation. Any ambiguity in the Services Agreement shall be resolved to permit Business Associate and the Customer to comply with HIPAA and the Privacy Rule.
d. Entire Agreement. This BAA constitutes the entire agreement, and supersedes all prior negotiations, understandings or agreements (oral or written), between the parties regarding the subject matter hereof. All notices under this BAA will be in writing and delivered to the parties at their respective addresses as provided in the Services Agreement. Neither party shall be liable for any delay or failure in performing its obligations hereunder that arises out of any cause, condition or circumstance beyond its reasonable control. Nothing in this BAA confers upon any person other than the parties (and their respective successors and permitted assigns) any rights, remedies, obligations or liabilities whatsoever.