Business Associate Agreement

Overjet BAA

This Business Associate Agreement (this “BAA”) is entered into by and between Overjet, Inc. and its affiliates (“Business Associate”) and [INSERT NAME OF CUSTOMER] (“Customer”), and is effective as of the Effective Date of the Master Services Agreement executed by Business Associate and Customer (the “MSA”).  Capitalized terms used but not defined in this BAA have the meanings ascribed to such terms in the MSA.  

  RECITALS

  1. Business Associate is providing services to Customer pursuant to the MSA, and Customer wishes to disclose certain information to Business Associate pursuant to the terms of such MSA, some of which may constitute Protected Health Information (“PHI”) under the Health Insurance Portability and Accountability Act of 1996, as amended (“HIPAA”), and the Privacy Rule, Security Rule, Enforcement Rule and Breach Notification Rule set forth at 45 C.F.R. Parts 160 and 164 (jointly, the “HIPAA Rules”) promulgated thereunder.

  2. Business Associate may create, maintain, access, use, disclose, transmit or receive PHI on behalf of Customer only as set forth in this BAA and to the extent allowed under the HIPAA Rules.

  3. Customer and Business Associate intend to protect the privacy and provide for the security of PHI in compliance with HIPAA.

  4. The purpose of this BAA is to satisfy certain standards and requirements of HIPAA and the HIPAA Rules, including, but not limited to, Title 45, §§ 164.314(a)(2)(i), 164.502(e) and 164.504(e) of the Code of Federal Regulations (“C.F.R.”).

In consideration of the mutual covenants and promises set forth herein, and for other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the Parties hereto agree as follows:

  1. DEFINITIONS

    1.1. “Capitalized Terms”.  Capitalized terms used in this BAA and not otherwise defined herein shall have the meanings set forth in the HIPAA Rules, which definitions are incorporated in this BAA by reference.

    1.2. “Protected Health Information” or “PHI” shall have the same meaning given to such term in 45 C.F.R. § 160.103, as applied to the information created, received, maintained or transmitted by Business Associate from or on behalf of Customer.

    1.3. “Unsuccessful Security Incident” shall mean pings and other broadcast attacks on a firewall, port scans, unsuccessful log-on attempts, denials of service, or other similar attempted but unsuccessful Security Incident, or a combination thereof, so long as no such incident results in unauthorized access, use or disclosure of PHI.

  2. PERMITTED USES AND DISCLOSURES OF PHI

    2.1. Uses and Disclosures of PHI Pursuant to the MSA.  Business Associate shall not use or disclose PHI other than as permitted or required to perform functions, activities or services for, or on behalf of, Customer as specified in the MSA or as Required by Law, provided that such use or disclosure would not violate the Privacy Rule if done by Customer, except as set forth in Sections 2.2, 2.3 and 2.4.  To the extent Business Associate is carrying out any of Customer’s obligations under the Privacy Rule pursuant to the terms of the MSA or this BAA, Business Associate shall comply with the requirements of the Privacy Rule that apply to Customer in the performance of such obligation(s).

    2.2. Permitted Uses of PHI by Business Associate.  Except as otherwise limited in this BAA, Business Associate may use PHI for the proper management and administration of Business Associate, including care coordination, training AI/ML algorithms of Business Associate, improving Business Associate’s products and services, and maintaining legal records of Business Associate.

    2.3. Permitted Disclosures of PHI by Business Associate.  Except as otherwise limited in this BAA, Business Associate may disclose PHI for the proper management and administration of Business Associate, provided that the disclosures are Required by Law, or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it shall remain confidential and will be used or further disclosed only as Required by Law or for the purpose for which it was disclosed to the person (which purpose must be consistent with the limitations imposed upon Business Associate pursuant to this BAA), and that the person agrees to notify Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.  

    2.4. Data Aggregation.  Except as otherwise limited in this BAA, Business Associate may use PHI to provide Data Aggregation services as permitted by 45 C.F.R. § 164.504(e)(2)(i)(B).

    2.5. De-identified Data.  Business Associate may de-identify PHI in accordance with the standards set forth in 45 C.F.R. § 164.514(b) and may use or disclose such de-identified data to train Business Associate’s AI/ML algorithms or for other internal uses to improve Business Associate’s products and services.

  3. OBLIGATIONS OF BUSINESS ASSOCIATE

    3.1. Appropriate Safeguards.  Business Associate shall use appropriate safeguards and shall comply with the Security Rule with respect to Electronic PHI, to prevent use or disclosure of such information other than as provided for by the MSA and this BAA.

    3.2. Reporting of Improper Use or Disclosure, Security Incident or Breach.  Business Associate shall report to Customer any use or disclosure of PHI not permitted under this BAA, Breach of Unsecured PHI or Security Incident, without unreasonable delay, and in any event no more than ten (10) business days following discovery; provided, however, that the Parties acknowledge and agree that this Section constitutes notice by Business Associate to Customer of the ongoing existence and occurrence of Unsuccessful Security Incidents.  

    3.3. Business Associate’s Agents.  In accordance with 45 C.F.R. § 164.502(e)(1)(ii) and 45 C.F.R. § 164.308(b)(2), as applicable, Business Associate shall enter into a written agreement with any agent or subcontractor that creates, receives, maintains, or transmits PHI on behalf of Business Associate for services provided to Customer, providing that the subcontractor or agent agrees to substantially the same restrictions and conditions that apply to Business Associate through this BAA with respect to such PHI.

    3.4. Access to PHI.  To the extent Business Associate has PHI contained in a Designated Record Set, Business Associate agrees to make information available to Customer to enable Customer to comply with 45 C.F.R. § 164.524.

    3.5. Amendment of PHI.  To the extent Business Associate has PHI contained in a Designated Record Set, Business Associate agrees to make such information available to Customer for amendment pursuant to 45 C.F.R. § 164.526.  

    3.6. Documentation of Disclosures.  Business Associate agrees to document such disclosures of PHI and information related to such disclosures as would be required for Customer to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528.  

    3.7. Accounting of Disclosures.  Business Associate agrees to provide to Customer, upon receipt of a written request from Customer, information collected in accordance with Section 3.6 of this BAA to permit Customer to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528.

    3.8. Governmental Access to Records.  Business Associate shall make its internal practices, books and records relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of, Customer available to the Secretary for purposes of the Secretary determining Customer’s compliance with the Privacy Rule.

    3.9. Mitigation.  To the extent practicable, Business Associate will reasonably cooperate with Customer’s efforts to mitigate a harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate that is not permitted by this BAA.

    3.10. Minimum Necessary.  Business Associate shall request, use and disclose the minimum amount of PHI necessary to accomplish the purpose of the request, use or disclosure, in accordance with 45 C.F.R. § 164.514(d), and any amendments thereto.

  4. OBLIGATIONS OF CUSTOMER

    4.1. Notice of Privacy Practices.  Customer shall notify Business Associate of any limitation(s) in its, or an applicable, Notice of Privacy Practices in accordance with 45 C.F.R. § 164.520, to the extent that such limitation may affect Business Associate’s use or disclosure of PHI.

    4.2. Notification of Changes Regarding Individual Permission.  Customer shall obtain any consent or authorization that may be required by the Privacy Rule, or applicable state law, prior to furnishing Business Associate with PHI.  Customer shall notify Business Associate of any changes in, or revocation of, permission by an Individual to use or disclose PHI, to the extent that such changes may affect Business Associate’s use or disclosure of PHI.

    4.3. Notification of Restrictions to Use or Disclosure of PHI.  Customer shall notify Business Associate of any restriction to the use or disclosure of PHI that Customer has agreed to in accordance with 45 C.F.R. § 164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of PHI.

    4.4. Permissible Requests by Customer.  Customer shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under the HIPAA Rules if done by Customer, except as permitted pursuant to the provisions of Sections 2.2, 2.3 and 2.4 of this BAA.

  5. TERM AND TERMINATION

    5.1. Term.  The term of this BAA shall commence as of the BAA Effective Date, and shall terminate when all of the PHI provided by Customer to Business Associate, or created or received by Business Associate on behalf of Customer, is destroyed or returned to Customer.  If it is infeasible to return or destroy PHI, Business Associate shall extend protections to such information in accordance with Section 5.3.

    5.2. Termination for Cause.  Upon either Party’s knowledge of a material breach by the other Party of this BAA, such Party may terminate this BAA immediately if cure is not possible.  Otherwise, the non-breaching Party shall provide written notice to the breaching Party detailing the nature of the breach and providing an opportunity to cure the breach within thirty (30) business days.  Upon the expiration of such thirty (30) business day cure period, the non-breaching Party may terminate this BAA if the breaching Party does not cure the breach or if cure is not possible.

    5.3. Effect of Termination.

      5.3.1. Except as otherwise provided herein, upon termination of the MSA or this BAA for any reason, Business Associate shall return or destroy all PHI received from Customer, or created or received by Business Associate on behalf of Customer, and shall retain no copies of the PHI; provided, however, that Business Associate may maintain copies of PHI for the proper management and administration of Business Associate, including care coordination and maintenance of legal records.

      5.3.2. If it is infeasible for Business Associate to return or destroy the PHI upon termination of the MSA or this BAA, Business Associate shall: (a) extend the protections of this BAA to such PHI and (b) limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such PHI.

  6. COOPERATION IN INVESTIGATIONS

The Parties acknowledge that certain breaches or violations of this BAA may result in litigation or investigations pursued by federal or state governmental authorities of the United States resulting in civil liability or criminal penalties.  Each Party shall cooperate in good faith in all respects with the other Party in connection with any request by a federal or state governmental authority for additional information and documents or any governmental investigation, complaint, action or other inquiry.

  7. SURVIVAL

The respective rights and obligations of Business Associate under Section 5.3 of this BAA shall survive the termination of this BAA and the MSA.

  8. AMENDMENT

This BAA may be modified, or any rights under it waived, only by a written document executed by the authorized representatives of both Parties.  In addition, if any relevant provision of the HIPAA Rules is amended in a manner that changes the obligations of Business Associate or Customer that are embodied in terms of this BAA, then the Parties agree to negotiate in good faith appropriate non-financial terms or amendments to this BAA to give effect to such revised obligations.

  9. EFFECT OF BAA

In the event of any inconsistency between the provisions of this BAA and the MSA, the provisions of this BAA shall control.  In the event that a court or regulatory agency with authority over Business Associate or Customer interprets the mandatory provisions of the HIPAA Rules, in a way that is inconsistent with the provisions of this BAA, such interpretation shall control.  Where provisions of this BAA are different from those mandated in the HIPAA Rules, but are nonetheless permitted by such rules as interpreted by courts or agencies, the provisions of this BAA shall control.

  10. GENERAL

This BAA is governed by, and shall be construed in accordance with, the laws of the State that govern the MSA.  Customer shall not assign this BAA without the prior written consent of Business Associate, which shall not be unreasonably withheld.  If any part of a provision of this BAA is found illegal or unenforceable, it shall be enforced to the maximum extent permissible, and the legality and enforceability of the remainder of that provision and all other provisions of this BAA shall not be affected.  All notices relating to the Parties’ legal rights and remedies under this BAA shall be provided in writing to a Party, shall be sent to its address set forth in the MSA, or to such other address as may be designated by that Party by notice to the sending Party, and shall reference this BAA.  Nothing in this BAA shall confer any right, remedy, or obligation upon anyone other than Customer and Business Associate.  This BAA is the complete and exclusive agreement between the Parties with respect to the subject matter hereof, superseding and replacing all prior agreements, communications, and understandings (written and oral) regarding its subject matter.

  11. INDEPENDENT CONTRACTOR

Business Associate will be considered, for all purposes, an independent contractor, and Business Associate will not, directly or indirectly, act as agent, servant or employee of Customer or make any commitments or incur any liabilities on behalf of Customer without its express written consent.  Nothing in this BAA shall be deemed to create an employment, principal-agent or partner relationship between the Parties.  Business Associate shall retain sole and absolute discretion in the manner and means of carrying out its activities and responsibilities under this BAA.