Business Associate Agreement

Last Updated: August 2024

If Customer is a covered entity (“Covered Entity”) and includes Protected Health Information in the data and information Customer provides or makes accessible to Ciox Health, LLC d/b/a Datavant Group (“Business Associate”) and Datavant meets, with respect to Customer, the definition of “business associate” set forth in 45 C.F.R. § 160.103, then the Parties’ execution of the Provider Agreement (“Agreement”) to which this Business Associate Agreement (“BAA”) is attached will incorporate the terms of this BAA into that Agreement.  If there is any conflict between a provision in this BAA and a provision in the Agreement, this BAA will control to the extent necessary to comply with the HIPAA portions of the BAA.

1. DEFINITIONS.  Unless otherwise defined in this BAA, capitalized terms shall have the definitions set forth in HIPAA, and if not defined by HIPAA, such terms shall have the definitions set forth in the Agreement.

1.1. “Breach” shall have the meaning given to the term “breach” at 45 C.F.R. § 164.402, as applied to Unsecured PHI created, received, maintained or transmitted by Business Associate from or on behalf of Covered Entity.

1.2. “Breach Notification Rule” means the Breach Notification for Unsecured Protected Health Information Final Rule.

1.3. “Business Associate” shall have the same meaning as the term “business associate” in 45 C.F.R. § 160.103.

1.4. “Covered Entity” shall have the same meaning as the term “covered entity” in 45 C.F.R. § 160.103.

1.5. “Customer,” for this BAA only, means Customer and its Affiliates.

1.6. “HIPAA” means collectively the administrative simplification provision of the Health Insurance Portability and Accountability Act and its implementing regulations, including the Privacy Rule, the Breach Notification Rule, and the Security Rule, as amended from time to time, including by the Health Information Technology for Economic and Clinical Health (“HITECH”) Act and by the modifications to the HIPAA privacy, security, enforcement, and breach notification rules under the HITECH and the Genetic Information Nondiscrimination Act (“GINA”); other modifications to the HIPAA rules; final rule.

1.7. “Individual” shall have the meaning given to such term under 45 C.F.R. § 160.103 and shall include a person who qualifies as a personal representative in accordance with 45 C.F.R. § 164.502(g).

1.8. “Privacy Rule” shall mean the Standards for Privacy of Individually Identifiable Health Information at 45 C.F.R. Part 160 and Part 164, Subparts A and E.

1.9. “Protected Health Information” or “PHI”, and “ePHI”, shall have the meanings given to such terms at 45 C.F.R. § 160.103, as applied to the information created, received, maintained, or transmitted by Business Associate from or on behalf of Covered Entity. PHI and ePHI shall be collectively referred to herein as “PHI.”

1.10. “Security Incident” shall have the meaning given to the term “security incident” at 45 C.F.R. § 164.304, as applied to the PHI created, received, maintained, or transmitted by Business Associate from or on behalf of Covered Entity.

1.11. “Security Rule” shall mean the Security Standards for the Protection of Electronic Protected Health Information at 45 C.F.R. Part 160 and Part 164, Subparts A and C.

1.12. “Unsecured PHI” shall have the meaning given to the term “unsecured protected health information” at 45 C.F.R. § 164.402, as applied to the PHI created, received, maintained, or transmitted by Business Associate from or on behalf of Covered Entity.

2. PERMITTED USES AND DISCLOSURES OF PHI.  Except as otherwise limited in this BAA or the Agreement, Business Associate may do any or all of the following:

2.1. Use or disclose PHI to perform functions, activities, or services for, or on behalf of, Covered Entity pursuant to the Agreement, provided that such use or disclosure would not violate the Privacy Rule if done by Covered Entity.  Notwithstanding the foregoing, Business Associate may use and disclose PHI for the purposes identified in Sections 2.2 through 2.4 of this BAA even if Covered Entity could not do so under the Privacy Rule.

2.2. Use PHI for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate.

2.3. Disclose PHI for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate, provided that: (a) the disclosures are required by law; or (b) Business Associate obtains reasonable assurances from the party to whom the PHI is disclosed that it shall remain confidential and shall be used or further disclosed only as required by law or for the purposes for which it was disclosed, and that the party agrees to notify Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.

2.4. Use PHI to provide data aggregation services relating to the health care operations of Covered Entity as permitted by 45 C.F.R. § 164.504(e)(2)(i)(B).

2.5. Use and de-identify PHI as permitted by the Agreement.

3. OBLIGATIONS OF BUSINESS ASSOCIATE.

3.1. Limitations on Use and Disclosure.  Business Associate may not use or disclose PHI other than as permitted or required by the Agreement, this BAA or as required by law.  Business Associate shall not disclose, capture, maintain, scan, index, transmit, share or use PHI for any activity not authorized under the Agreement and/or this BAA.

3.2. Safeguards.  Business Associate shall use reasonable and appropriate safeguards and, where applicable, comply with the Security Rule with respect to ePHI, to prevent inappropriate use or disclosure of PHI other than as provided for by this BAA and the Agreement.

3.3. Reporting.  Business Associate shall report to Covered Entity: (1) any use or disclosure of PHI not provided for by this BAA of which Business Associate becomes aware, including any Breach of Unsecured PHI as required by 45 C.F.R. § 164.410, and (2) any Security Incident of which it becomes aware. Business Associate and Covered Entity acknowledge the ongoing existence and occurrence of attempted but unsuccessful Security Incidents that are trivial in nature, such as pings and other broadcast attacks on Business Associate’s firewall, port scans, malware, denials of service, unsuccessful log-on attempts and any combination of the above (“Unsuccessful Security Incidents”), and notice is hereby deemed given for such Unsuccessful Security Incidents. Covered Entity acknowledges and agrees that no additional notification to Covered Entity is required for Unsuccessful Security Incidents.  Notification(s) under this Section, if any, will be delivered to contacts identified by Customer pursuant to Section 6.6 of this BAA by any means Business Associate selects, including through e-mail.  Business Associate’s obligation to report under this Section is not and will not be construed as an acknowledgement of any fault or liability with respect to any use, disclosure, Security Incident, or Breach.

3.4. Mitigation.  Business Associate shall mitigate, to the extent practicable, any harmful effect that is known to Business Associate of any use or disclosure of PHI in violation of this BAA.

3.5. Subcontractors.  Business Associate shall require any subcontractors that create, receive, maintain, or transmit PHI on behalf of Business Associate to agree to substantially the same restrictions and conditions that apply to Business Associate with respect to such information.

3.6. Access.  The Parties do not intend for Business Associate to maintain any PHI in a Designated Record Set for Covered Entity.  To the extent that Business Associate maintains PHI in a Designated Record Set, Business Associate shall provide access to such PHI to Covered Entity or, as directed by Covered Entity, to an Individual as necessary to satisfy Covered Entity’s obligations under 45 C.F.R. § 164.524. If an Individual makes a request for access pursuant to § 164.524 directly to Business Associate or inquires about his or her right to access, Business Associate will promptly forward such request to Covered Entity.

3.7. Amendment.  The Parties do not intend for Business Associate to maintain any PHI in a Designated Record Set for Covered Entity.  To the extent that Business Associate maintains PHI in a Designated Record Set, Business Associate shall make amendments to such PHI that Covered Entity directs as necessary to satisfy Covered Entity’s obligations under 45 C.F.R. § 164.526.

3.8. Accounting of Disclosures.  Business Associate shall provide to Covered Entity an accounting of the disclosures of an Individual’s PHI as necessary to satisfy Covered Entity’s obligations under 45 C.F.R. § 164.528 and, as of the applicable effective date, Section 13405(c) of HITECH and any regulations promulgated thereunder. If an Individual submits a written request for an accounting of disclosures of PHI pursuant to 45 C.F.R. § 164.528 directly to Business Associate regarding his/her rights to an accounting, Business Associate shall promptly forward such request to Covered Entity.

3.9. Compliance with Privacy Rule.  To the extent Business Associate is responsible for carrying out an obligation of Covered Entity under the Privacy Rule pursuant to this BAA or the Agreement, Business Associate shall comply with the requirements of the Privacy Rule that apply to Covered Entity in its performance of such obligation.

3.10. Government Access to Records.  Business Associate shall make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of the United States Department of Health and Human Services for the purpose of determining compliance with HIPAA.

4. OBLIGATIONS OF COVERED ENTITY.

4.1. Notice of Privacy Practices.  Covered Entity shall notify Business Associate of any limitations in its notice of privacy practices, to the extent that such limitations may affect Business Associate’s use or disclosure of PHI.

4.2. Notification of Revocations.  Covered Entity shall notify Business Associate of any changes in, or revocation of, authorization by an Individual to use or disclose PHI, to the extent that such changes or revocation may affect Business Associate’s use or disclosure of PHI.

4.3. Notification of Restrictions.  Covered Entity shall notify Business Associate of any restriction to the use or disclosure of PHI that Covered Entity has agreed to or is required to abide by in accordance with 45 C.F.R. § 164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of PHI.

4.4. No Impermissible Requests.  Covered Entity shall not request that Business Associate use or disclose PHI in any manner that would not be permissible under HIPAA or other applicable federal or state law if done by Covered Entity.

4.5. Safeguards and Appropriate Use of Protected Health Information.  Covered Entity is responsible for implementing appropriate privacy and security safeguards to protect its PHI in compliance with HIPAA.  It is Covered Entity’s obligation to not store or process in an online service, or otherwise provide to Business Associate for performance of Service, PHI until this BAA is effective as to the applicable Service.

5. TERM AND TERMINATION.

5.1. Term. The term of this BAA shall commence as of the Effective Date, be coterminous with the Agreement, and continue in full force and effect from year to year but shall terminate as of the earliest occurrence of any of the following: (a) the Agreement expires or is terminated; (b) this BAA is terminated for cause pursuant to Section 5.2 herein; or (c) this BAA is terminated pursuant to Applicable Law.

5.2. Termination for Breach. Upon a Party’s determination of a breach of a material term of this BAA by the other Party, the non-breaching Party shall provide the other Party written notice of that breach in sufficient detail to enable such other Party to understand the specific nature of that breach and afford such other party an opportunity to cure the breach; provided, however, that if such other Party fails to cure the breach within thirty (30) days of receipt of such notice, the non-breaching Party may terminate this BAA and the Agreement.

5.3. Obligations upon Termination.  Upon expiration or termination of this BAA, Business Associate shall return or destroy all PHI in Business Associate’s possession.  Notwithstanding the foregoing, if return or destruction of any or all PHI is not feasible, Business Associate shall limit further uses and disclosures of such PHI to those purposes that make the return or destruction of the information infeasible.  The obligations under Section 5.3 shall survive the termination of this BAA.

6. MISCELLANEOUS.

6.1. Relationship of Parties.  The Parties to this BAA are independent contractors.  None of the provisions of this Agreement are intended to create, nor shall they be interpreted or construed to create any relationship between Covered Entity and Business Associate other than that of independent contractors.  Except as otherwise expressly set forth herein, neither Party, nor any of its representatives, shall be deemed to be the agent, employee, or representative of the other Party.

6.2. No Third-Party Beneficiaries.  This BAA is between the Parties hereto.  Nothing express or implied in this Agreement is intended to confer, nor shall anything herein confer, any rights, remedies, obligations, or liabilities whatsoever upon any person other than Covered Entity and Business Associate and any respective successors and assigns.

6.3. Interpretation.  The Parties intend that this BAA be interpreted consistently with their intent to comply with HIPAA and other applicable federal and state law.  Except where this BAA conflicts with the Agreement, all other terms and conditions of the Agreement remain unchanged.  Any captions or headings in this BAA are for the convenience of the Parties and shall not affect the interpretation of this BAA.

6.4. Severability.  In the event that any provision of this BAA is found to be invalid or unenforceable, the remainder of this BAA shall not be affected thereby, but rather the remainder of this BAA shall be enforced to the greatest extent permitted by law.

6.5. Governing Law.  This BAA shall be construed, administered, and governed by the governing law set forth in the Agreement, except to the extent preempted by applicable federal law.  

6.6. Notices.  Any notice required to be given hereunder shall be deemed effective when delivered by email (with delivery confirmation) or upon receipt when sent by nationally reputable courier or registered or certified mail (return receipt requested), postage prepaid, to the Party at its respective address as set forth in the Agreement: