Business Associate Agreement

HIPAA Business Associate Agreement

Last Modified February 15, 2023

This HIPAA Business Associate Agreement (this “BAA”) is effective as of the effective date as set forth in Section 8(g) below (the “BAA Effective Date”), and is by and between Nuance Communications, Inc., for itself and on behalf of its direct and indirect subsidiaries or predecessors in interest that are parties to an Underlying Agreement as defined below (“Business Associate”), and the entity entering into an Underlying Agreement as defined below (“Covered Entity”).

WHEREAS, Covered Entity and Business Associate (or their direct or indirect subsidiaries or predecessors in interest) have entered into, or are entering into one or more agreements, amendments, orders or other ordering forms, which in order to be covered by this BAA must link to this BAA via an internet link (each an “Underlying Agreement”), under which, Business Associate may perform certain services on behalf of or for Covered Entity pursuant to the Underlying Agreement that requires Business Associate to access, create and use health information that is subject to the Health Insurance Portability and Accountability Act of 1996, Subtitle D of the Health Information Technology for Economic and Clinical Health Act, and their implementing regulations, as amended (collectively, “HIPAA”);

WHEREAS, Covered Entity may operate a drug and alcohol treatment program that must comply with the Federal Confidentiality of Alcohol and Drug Abuse Patient Records law and regulations, 42 USC §290dd-2 and 42 CFR Part 2 (collectively, “Part 2”);

WHEREAS, Business Associate is also a Qualified Service Organization (“QSO”) under Part 2 and must agree to certain mandatory provisions regarding the use and disclosure of substance abuse treatment information to the extent Covered Entity operates a drug and alcohol treatment program that must comply with Part 2; and

WHEREAS, this BAA serves to establish the responsibilities of both Parties regarding Protected Health Information (“PHI”), and to bring the Underlying Agreement into compliance with HIPAA.

NOW, THEREFORE, the Parties hereto agree to incorporate and make a part of and thereby amend each Underlying Agreement under which Business Associate receives PHI from, or creates or receives PHI on behalf of, Covered Entity while performing services for Covered Entity, the following additional terms and conditions, which terms and conditions shall govern the use and/or disclosure of such PHI received or created by Business Associate as a result of services performed. References to “the Underlying Agreement” are understood to mean each Underlying Agreement as applicable.

AGREEMENT

1. Definitions. Capitalized terms used in this BAA, but not otherwise defined, shall have the same meanings ascribed to them in HIPAA.

2. Permitted Uses and Disclosures. Business Associate may use and/or disclose PHI to perform the functions, activities, or services for or on behalf of Covered Entity as specified in the Underlying Agreement, this BAA or as Required by Law, but shall not otherwise use or disclose PHI. Business Associate will not use or disclose PHI in a manner that would violate HIPAA if done by Covered Entity. Except as otherwise limited in this BAA, Business Associate may:

a. use PHI for the proper management and administration of Business Associate and to carry out the legal responsibilities of Business Associate.

b. disclose PHI for the proper management and administration of Business Associate and to carry out the legal responsibilities of Business Associate, provided that the disclosures are Required by Law, or Business Associate obtains reasonable assurances from the person to whom PHI is disclosed that the PHI will remain confidential and used or further disclosed only as Required by Law or for the purpose for which it was disclosed to the person, and the person will notify Business Associate of any instances of which it is aware in which the confidentiality of PHI has been breached.

c. use PHI to provide Data Aggregation services to Covered Entity as permitted by 45 C.F.R. §164.504(e)(2)(i)(B).

d. use PHI to create de-identified health information in accordance with 45 C.F.R. §164.514(b) and may use and disclose de-identified health information for any purpose permitted by law.

e. use PHI to report violations of law to appropriate federal and state authorities, consistent with 45 C.F.R. §164.502(j)(1).

3. Responsibilities of Business Associate. Business Associate agrees:

a. to use appropriate safeguards and comply with Subpart C of 45 CFR Part 164 with respect to electronic protected health information, to prevent use or disclosure of PHI other than as provided for by this BAA.

b. to report to Covered Entity promptly, but in no case longer than fifteen (15) business days, any use or disclosure of PHI not provided for by this BAA of which Business Associate becomes aware, including a Breach of Unsecured PHI as required by 45 C.F.R. § 164.410, and any successful Security Incident of which it becomes aware. The Parties acknowledge and agree that this Section 3(b) constitutes notice by Business Associate to Covered Entity of the ongoing existence and occurrence or attempts of Unsuccessful Security Incidents, for which no additional notice to Covered Entity shall be required. “Unsuccessful Security Incidents” means, without limitation, pings and other broadcast attacks on Business Associate’s firewall, port scans, unsuccessful log-on attempts, denial of service attacks, and any combination of the above, so long as no such incident results in unauthorized access, use, or disclosure of PHI. The contact information for the Business Associate and Covered Entity employees to whom reports of unauthorized use or disclosure of PHI, Breaches of Unsecured PHI and successful Security Incidents under this Section shall be made is as provided below (as such information may be updated from time to time between the parties). Notification shall be made using the methods provided in the relevant Underlying Agreement.

Business Associate:
Attn: Privacy Officer
Nuance Communications, Inc.
1 Wayside Road
Burlington MA 01803
Phone: (781) 565-5000
Email: privacy@nuance.com

Covered Entity:
Attn: Data Protection or Privacy Officer
At Company contact information as set forth on the applicable Underlying Agreement

c. to take reasonable steps to mitigate, to the extent practicable, any known harmful effect of a use or disclosure of PHI in violation of the requirements of this BAA. Upon request, Business Associate shall promptly provide Covered Entity with information reasonably related to its discovery, investigation and mitigation activities associated with a Breach that affects Covered Entity.

d. to make PHI about an Individual contained in any Designated Record Set of Covered Entity maintained by Business Associate available to Covered Entity for Covered Entity to comply with an Individual’s right of access to their PHI in compliance with 45 C.F.R. §164.524; provided, however, that unless otherwise expressly set forth in the Underlying Agreement, Covered Entity acknowledges that Business Associate does not maintain any Designated Record Set on behalf of Covered Entity.

e. to make PHI about an Individual contained in any Designated Record Set of Covered Entity maintained by Business Associate available to Covered Entity for amendment and incorporate any amendment(s) to PHI that Covered Entity directs, in accordance with 45 C.F.R. §164.526; provided, however, that unless otherwise expressly set forth in the Underlying Agreement, Covered Entity acknowledges that Business Associate does not maintain any Designated Record Set on behalf of Covered Entity.

f. to make the information required to provide an accounting of disclosures of PHI with respect to an Individual available to Covered Entity in response to a request from an Individual in accordance with 45 C.F.R. §164.528.

g. to the extent the Underlying Agreement requires Business Associate to carry out one or more of Covered Entity's obligation(s) under Subpart E of 45 C.F.R. Part 164, to comply with the requirements of Subpart E that apply to Covered Entity in the performance of such obligation(s).

h. to make its internal practices, books, and records relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of, Covered Entity available to the Secretary of the Department of Health and Human Services or his/her designee (the “Secretary”), in a time and manner designated by the Secretary, for purposes of determining Covered Entity’s compliance with HIPAA.

i. to ensure that any Subcontractors that create, receive, maintain, or transmit PHI on behalf of Business Associate agree to substantially the same restrictions and conditions that apply to Business Associate with respect to such information in accordance with 45 C.F.R. § 164.502(e)(1)(ii).

j. if Business Associate knows of a pattern of activity or practice of a Subcontractor that constitutes a material breach or violation of HIPAA, to take reasonable steps to cure the breach or end the violation, as applicable, and if such steps are unsuccessful, terminate the contract or arrangement with such entity, if feasible.

k. to the extent required by the “minimum necessary” requirements of HIPAA, Business Associate shall only request, use and disclose the minimum amount of PHI necessary to accomplish the purpose of the request, use or disclosure.

l. to refrain from receiving any remuneration in exchange for any Individual’s PHI unless such exchange (i) is pursuant to a valid authorization that includes a specification of whether the PHI can be further exchanged for remuneration by the entity receiving PHI of that Individual, or (ii) satisfies one of the exceptions enumerated in the HIPAA regulations and specifically Section 13405(d)(2) of the HITECH Act.

m. to refrain from Marketing activities involving the use or disclosure of PHI that would violate HIPAA and specifically Section 13406 of the HITECH Act.

n. to provide training to applicable employees as required by HIPAA.

4. Qualified Service Organization Agreement Responsibilities. To the extent that, in performing its services for or on behalf of Covered Entity, Business Associate uses, discloses, maintains, or transmits PHI that is protected by Part 2, Business Associate acknowledges and agrees that it is a QSO for the purpose of Part 2, acknowledges and agrees that in receiving, storing, processing or otherwise dealing with any such patient records it is fully bound by the Part 2 regulations, and, if necessary, will resist in judicial proceedings any efforts to obtain access to PHI related to substance use disorder diagnosis, treatment, or referral for treatment except as permitted by the Part 2 regulations.

5. Responsibilities of Covered Entity. Covered Entity shall:

a. provide Business Associate with the notice of privacy practices that Covered Entity produces in accordance with 45 C.F.R. §164.520, as well as any changes to such notice.

b. provide Business Associate, in writing, with any changes in, or revocation of, permission by an Individual to the use or disclosure of PHI, if such changes affect Business Associate’s permitted or required uses or disclosures. Upon receipt by Business Associate of such notice of changes, Business Associate shall cease the use and disclosure of any such Individual’s PHI except to the extent it has relied on such use or disclosure, or where an exception under HIPAA expressly applies.

c. notify Business Associate of any restriction to the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 C.F.R. §164.522.

d. not request or require Business Associate to use and/or disclose PHI in a manner not permitted by HIPAA.

6. Termination.

a. Termination. This BAA shall terminate automatically upon termination of all Underlying Agreements. Either party may immediately terminate this BAA and any Underlying Agreement if such party (the “Non-Breaching Party”) determines that the other party (the “Breaching Party”) has breached a material term of this BAA. Alternatively, the Non-Breaching Party may choose to provide the Breaching Party with written notice of the existence of an alleged material breach and afford the Breaching Party an opportunity to cure the alleged breach. Failure to cure the material breach within thirty (30) days of the written notice constitutes grounds for immediate termination of this BAA and the Underlying Agreement.

b. Effect of Termination.

(1) Except as provided in Section 6(b)(2) below, upon termination of this BAA, Business Associate shall return or destroy all PHI received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity. This Section 6(b)(1) shall apply to PHI that is in the possession of Business Associate and its Subcontractors or agents. Business Associate, its Subcontractors or agents shall retain no copies of the PHI.

(2) In the event that Business Associate reasonably determines that returning or destroying the PHI is infeasible (as an example, as provided under Business Associate's backup and/or disaster recovery requirements and processes), Business Associate shall extend the protections of this BAA to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such PHI.

7. Indemnification. Business Associate shall reimburse, indemnify and hold harmless Covered Entity for all Reasonable Indemnification Amounts (as defined in this paragraph) to the extent resulting from the negligence of the Business Associate that causes a breach of this BAA, a Security Incident or a Breach of PHI maintained by Business Associate or Business Associate’s agent or Subcontractor, subject to the provisions of the Underlying Agreement. “Reasonable Indemnification Amounts” means: fines or settlement amounts owed to a state or federal government agency; the cost of any notifications to individuals or government agencies; credit monitoring for affected individuals; damages or settlement amounts payable to affected individuals; and reasonable attorneys’ fees paid by Covered Entity. Notwithstanding the foregoing or any contrary provisions set forth in any Underlying Agreement, in no event shall Business Associate’s obligations for Reasonable Indemnification Amounts exceed an aggregate amount of five hundred thousand dollars ($500,000.00).

8. Miscellaneous.

a. Survival. The respective rights and obligations of Business Associate under Section 6(b) of this BAA shall survive termination of this BAA and the Underlying Agreement for so long as the Business Associate maintains Covered Entity’s PHI.

b. Interpretation. Any ambiguity in this BAA shall be resolved in favor of a meaning that permits the parties to comply with HIPAA.

c. No Third Party Beneficiary. Nothing in this BAA is intended, nor shall be deemed, to confer any benefits on any third party.

d. Severability. If a court of competent jurisdiction finds any term of this BAA invalid, illegal or unenforceable, that term shall be curtailed, limited or deleted, but only to the extent necessary to remove the invalidity, illegality or unenforceability, and without in any way affecting or impairing the remaining terms.

e. Amendment. The parties agree to negotiate in good faith an amendment to this BAA from time to time as is necessary for the parties to comply with the requirements of applicable privacy and security laws and regulations, including HIPAA. No amendment shall be effective unless in writing and signed by duly authorized representatives of both parties.

f. Disclosures Required by Law. In the event Business Associate is Required by Law to disclose PHI, Business Associate shall, subject to attorney-client privilege and any other applicable legal privileges and if permitted by law, promptly notify Covered Entity of such requirement and reasonably cooperate with Covered Entity in regards to such disclosure. Business Associate shall, to the extent it is permitted, use reasonable efforts to provide advance notice to Covered Entity so that Covered Entity shall have an opportunity to object to the disclosure and to seek appropriate relief unless immediate disclosure is Required by Law.

g. Entirety; Applicability. The terms and conditions of this BAA supersede and replace any prior business associate agreements between the parties with respect to an Underlying Agreement as defined above, including any business associate terms and conditions in any such Underlying Agreement. This BAA is made part of and subject to the terms of each Underlying Agreement. In the event of any conflict between this BAA and an Underlying Agreement, this BAA shall control with respect to such conflict. With respect to an Underlying Agreement, this BAA shall cover PHI of Covered Entity used or disclosed by Business Associate on or after the effective date of such Underlying Agreement. Except as specifically amended above, the terms and conditions of each Underlying Agreement shall remain in full force and effect.