Notice of May 2024 Security Incident
Need help with record requests?
Datavant Connect Login

Business Associate Agreement

If Customer is a Covered Entity (“Covered Entity”) or the business associate of one or more Covered Entities and includes Protected Health Information in the data and information Customer provides or makes accessible to Ciox Health, LLC d/b/a Datavant Group (“Business Associate”) and Datavant meets, with respect to Customer, the definition of “business associate” set forth in 45 C.F.R. § 160.103., then the Parties’ execution of the Provider Agreement ("Agreement") to which this Business Associate Agreement ("BAA") is attached will incorporate the terms of this BAA into that Agreement.  If there is any conflict between a provision in this BAA and a provision in the Agreement, this BAA will control to the extent necessary to comply with the HIPAA portions of the BAA.

1. DEFINITIONS.  Unless otherwise defined in this BAA, capitalized terms have the definitions set forth in HIPAA, and if not defined by HIPAA, such terms have the definitions set forth in the Agreement.

1.1. “Breach” has the meaning given to the term “breach” at 45 C.F.R. § 164.402, as applied to Unsecured PHI created, received, maintained or transmitted by Business Associate from or on behalf of Covered Entity.

1.2. “Breach Notification Rule” means the Breach Notification for Unsecured Protected Health Information Final Rule.

1.3. “Customer,” for this BAA only, means Customer and its Affiliates.

1.4. “HIPAA” means collectively the administrative simplification provision of the Health Insurance Portability and Accountability Act and its implementing regulations, including the Privacy Rule, the Breach Notification Rule, and the Security Rule, as in effect at the time of this agreement, including by the Health Information Technology for Economic and Clinical Health (“HITECH”) Act and the Genetic

Information Nondiscrimination Act (“GINA”).

1.5. “Individual” has the meaning given to such term under 45 C.F.R. § 160.103 and includes a person who qualifies as a personal representative in accordance with 45 C.F.R. § 164.502(g).

1.6. “Privacy Rule” means the Standards for Privacy of Individually Identifiable Health Information at 45 C.F.R. Part 160 and Part 164, Subparts A and E.

1.7. “Protected Health Information” or “PHI”, and “ePHI”,  have the meanings given to such terms at 45 C.F.R. § 160.103, as applied to the information created, received, maintained, or transmitted by Business Associate from or on behalf of Covered Entity. PHI and ePHI are collectively referred to as “PHI.”

1.8. “Security Incident” has the meaning given to the term “security incident” at 45 C.F.R. § 164.304, as applied to PHI under this BAA.

1.9. “Security Rule” means the Security Standards for the Protection of Electronic Protected Health Information at 45 C.F.R. Part 160 and Part 164, Subparts A and C.

1.10. “Unsecured PHI” has the meaning given to the term “unsecured protected health information” at 45 C.F.R. § 164.402, as applied to PHI under this BAA.

2. PERMITTED USES AND DISCLOSURES OF PHI.  Except as otherwise limited in this BAA or the Agreement, Business Associate may do any or all of the following:

2.1. Use or disclose PHI to perform functions, activities, or services for, or on behalf of, Covered Entity pursuant to the Agreement, provided that such use or disclosure would not violate the Privacy Rule if done by Covered Entity.  Notwithstanding the foregoing, Business Associate may use and disclose PHI for the purposes identified in Sections 2.2 through 2.4 of this BAA even if Covered Entity could not do so under the Privacy Rule.

2.2. Use PHI for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate.

2.3. Disclose PHI for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate if the disclosures are required by law, or if Business Associate obtains reasonable assurances from the party to whom the PHI is disclosed that it will remain confidential and used or further disclosed only as required by law or for the purposes for which it was disclosed, and that the party notifies Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.

2.4. Use PHI to provide data aggregation services relating to the health care operations of Covered Entity as permitted by 45 C.F.R. § 164.504(e)(2)(i)(B).

2.5. Use and de-identify PHI as permitted by the Agreement.

2.6. Business Associate may use PHI to report violations of law to appropriate Federal and State authorities, consistent with 45 45 C.F.R. § 164.502(j)(1).

3. OBLIGATIONS OF BUSINESS ASSOCIATE.

3.1. Limitations on Use and Disclosure.  Business Associate may not use or disclose PHI other than as permitted or required by the Agreement or this BAA, as permitted under the Privacy Rule, or as required by law.    

3.2. Safeguards.  Business Associate will use reasonable and appropriate safeguards and, where applicable, comply with the Security Rule with respect to ePHI, to prevent inappropriate use or disclosure of PHI other than as provided for by this BAA and the Agreement.

3.3. Reporting.  

3.3.1. Business Associate agrees to report to Covered Entity any Security Incident respecting electronic Protected Health Information in Business Associate’s possession or control, and any use or disclosure of the Protected Health Information not provided for by the Agreement of which Business Associate becomes aware. Business Associate and Covered Entity acknowledge the ongoing existence and occurrence of attempted but unsuccessful Security Incidents that are trivial in nature, such as pings and other broadcast attacks on Business Associate’s firewall, port scans, malware, denials of service, unsuccessful log-on attempts and any combination of the above (“Unsuccessful Security Incidents”), and notice is hereby deemed given for such Unsuccessful Security Incidents. Covered Entity acknowledges and agrees that no additional notification to Covered Entity is required for Unsuccessful Security Incidents.

3.3.2. Following Business Associate’s discovery of a Breach of Unsecured PHI, Business Associate will notify Covered Entity of such breach as required by 45 C.F.R. §164.410, within five (5) business days from the date upon which Business Associate has actual knowledge of such Breach impacting Covered Entity (unless precluded by a law enforcement delay pursuant to 45 C.F.R. § 164.512). Business Associate’s obligation to report under this Section is not and will not be construed as an acknowledgement of any fault or liability with respect to any use, disclosure, Security Incident, or Breach.

3.4. Mitigation.  Business Associate agrees to mitigate, to the extent reasonably practicable, any harmful effect that is known to Business Associate of any use or disclosure of PHI in violation of this BAA.

3.5. Subcontractors.  Business Associate will require any subcontractors that create, receive, maintain, or transmit PHI on behalf of Business Associate to agree to substantially similar restrictions and conditions that apply to Business Associate with respect to such information.

3.6. Access.  The Parties do not intend for Business Associate to maintain any PHI in a Designated Record Set for Covered Entity.  To the extent that Business Associate maintains PHI in a Designated Record Set, Business Associate will provide access to such PHI to Covered Entity or, as directed by Covered Entity, to an Individual as necessary for Covered Entity to satisfy its obligations under 45 C.F.R. §164.524. If an Individual makes a request for access pursuant to §164.524 directly to Business Associate or inquires about his or her right to access, Business Associate will promptly forward such request to Covered Entity.

3.7. Amendment.  The Parties do not intend for Business Associate to maintain any PHI in a Designated Record Set for Covered Entity.  To the extent that Business Associate maintains PHI in a Designated Record Set, Business Associate will make amendments to such PHI that Covered Entity directs as necessary for Covered Entity to satisfy its obligations under 45 C.F.R. § 164.526.

3.8. Accounting of Disclosures.  Business Associate will provide to Covered Entity an accounting of the disclosures of an Individual’s PHI as necessary to satisfy Covered Entity’s obligations under 45 C.F.R. § 164.528. If an Individual submits a written request for an accounting of disclosures of PHI pursuant to 45 C.F.R. § 164.528 directly to Business Associate regarding his/her rights to an accounting, Business Associate will forward such request to Covered Entity without unreasonable delay.

3.9. Compliance with Privacy Rule.  To the extent Business Associate is responsible for carrying out an obligation of Covered Entity under the Privacy Rule pursuant to this BAA or the Agreement, Business Associate will comply with the requirements of the Privacy Rule that apply to Covered Entity in its performance of such obligation.

3.10. Government Access to Records.  Business Associate agrees to make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of the United States Department of Health and Human Services for the purpose of determining compliance with HIPAA.

4. OBLIGATIONS OF COVERED ENTITY.

4.1. Notice of Privacy Practices and Applicable State Law.  Covered Entity will promptly notify Business Associate of any limitations in its notice of privacy practices, to the extent that such limitations may affect Business Associate’s use or disclosure of PHI.

4.2. Notification of Revocations.  Covered Entity will notify Business Associate of any changes in, or revocation of, authorization by an Individual to use or disclose PHI, to the extent that such changes or revocation may affect Business Associate’s use or disclosure of PHI.

4.3. Notification of Restrictions.  Covered Entity will notify Business Associate of any restriction to the use or disclosure of PHI that Covered Entity has agreed to or is required to abide by in accordance with 45 C.F.R. § 164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of PHI.

4.4. No Impermissible Requests.  Covered Entity will not request that Business Associate use or disclose PHI in any manner that would not be permissible under HIPAA or other applicable federal or state law if done by Covered Entity.

4.5. Safeguards and Appropriate Use of Protected Health Information.  Covered Entity is responsible for implementing appropriate privacy and security safeguards to protect its PHI in compliance with HIPAA.  It is Covered Entity’s obligation to not store or process in an online service, or otherwise provide to Business Associate for performance of Service, PHI until this BAA is effective as to the applicable Service.

4.6. Unencrypted PHI. Covered Entity will not send unencrypted PHI to Business Associate in any form, including via email or on mobile devices such as USB drives. Should Covered Entity do so, Business Associate is not responsible for any damages arising out of or relating to unencrypted PHI that Covered Entity sends to Business Associate in any form.

5. TERM AND TERMINATION.

5.1. Term. The term of this BAA commence as of the Effective Date, is coterminous with the Agreement, and will continue in full force and effect until any of the following: (a) the Agreement expires or is terminated; (b) this BAA is terminated for cause pursuant to Section 5.2 herein; or (c) this BAA is terminated pursuant to Applicable Law.

5.2. Termination for Breach. Upon a Party’s determination of a breach of a material term of this BAA by the other Party, the non-breaching Party will provide the other Party written notice of that breach in sufficient detail to enable such other Party to understand the specific nature of that breach and afford such other party a reasonable opportunity to cure the material breach or end the violation. If the beaching part does not cure the material breach or end the material violation within a reasonable time, the non-breaching Party may terminate this BAA and the Agreement.

5.3. Effect of Termination.  Upon expiration or termination of this BAA, Business Associate will return or destroy all PHI in Business Associate’s possession.  Notwithstanding the foregoing, if return or destruction of any or all PHI is infeasible, Business Associate will limit further uses and disclosures of such PHI to those purposes that make the return or destruction of the information infeasible, for so long as Business Associate maintain such PHI.  The obligations under Section 5.3 will survive the termination of this BAA.

6. MISCELLANEOUS.

6.1. Changes to HIPAA.   If HIPAA is amended, including by way of anticipated regulations yet to be promulgated, in a manner that would alter the obligations of Business Associate as set forth in this BAA, then the parties agree in good faith to negotiate mutually acceptable changes to the terms set forth in this BAA.

6.2. Relationship of Parties.  The Parties to this BAA are independent contractors.  None of the provisions of this Agreement are intended to create, nor will they be interpreted or construed to create any relationship between Covered Entity and Business Associate other than that of independent contractors.  Except as otherwise expressly set forth herein, neither Party, nor any of its representatives, will be deemed to be the agent, employee, or representative of the other Party.

6.3. No Third-Party Beneficiaries.  This BAA is between the Parties hereto.  Nothing express or implied in this Agreement is intended to confer, nor will anything herein confer, any rights, remedies, obligations, or liabilities whatsoever upon any person other than Covered Entity and Business Associate and any respective successors and assigns.

6.4. Interpretation.  The Parties intend that this BAA be interpreted consistently with their intent to comply with HIPAA and other applicable law.  Except where this BAA conflicts with the Agreement, all other terms and conditions of the Agreement remain unchanged.  If there is any conflict between a provision in this BAA and a provision in the Agreement, this BAA will control to the extent necessary to enable compliance with applicable law. Any captions or headings in this BAA are for the convenience of the Parties and will not affect the interpretation of this BAA.

6.5. Severability and Survival.  In the event that any provision of this BAA is found to be invalid or unenforceable, the remainder of this BAA will not be affected thereby, but rather the remainder of this BAA will be enforced to the greatest extent permitted by law. The respective rights and obligations of Business Associate under Section 5 of this BAA survive the termination of this BAA.

Datavant is a health data platform company. We make the world’s health data secure, accessible, and usable.

Datavant drives data connectivity into action by offering a proprietary platform and network that deliver critical solutions across the healthcare ecosystem. Datavant enables more than 60 million healthcare records to move between thousands of organizations, more than 70,000 hospitals and clinics, 70% of the 100 largest health systems, and an ecosystem of 500+ real-world data partners.

© 2024 Datavant. All Rights Reserved.
Privacy PolicyTerms of UseEEOBusiness Associate Agreement