This LICENSEE BUSINESS ASSOCIATE AGREEMENT ADDENDUM (“Addendum”) is incorporated into the Information Sharing Terms and, as relevant, attached to a License or Support Agreement (“Agreement”) between InterSystems Corporation, a Massachusetts Corporation with a principal place of business at 1 Memorial Drive, Cambridge, MA 02142 USA (“InterSystems”), and Licensee, as noted in the Agreement (“Licensee”). InterSystems and Licensee are parties to this Addendum (each separately “a Party”, altogether “Parties”). In consideration of the mutual covenants and promises contained herein and other good and valuable consideration, the receipt and sufficiency of which is hereby acknowledged by the Parties hereto, the Parties agree as follows:
All capitalized terms used in this Addendum and not defined elsewhere herein or in the Agreement shall have the same meaning as those terms as used or defined in HIPAA. The terms of this Addendum supersede any conflicting terms of the Services Agreement.
The Parties acknowledge that Licensee, under certain circumstances, may be required to comply with the HIPAA Rules, as defined below and that InterSystems may provide certain services from time to time to Licensee pursuant to the Agreement, which may cause InterSystems to have access to Protected Health Information, as defined below. The Parties acknowledge that the services provided by InterSystems are not intended to result in InterSystems creating, receiving, maintaining, transmitting, using or disclosing health information related to an Individual that constitutes Protected Health Information; however, the Parties acknowledge that Licensee requires its service providers that come into contact with Protected Health Information to enter into a business associate agreement with Licensee, and InterSystems is willing to enter into such an agreement in the unlikely event that InterSystems does come into contact with Protected Health Information and without conceding that InterSystems is generally a business associate as defined by the HIPAA Rules.
1.1. Business Associate. “Business Associate” shall generally have the same meaning as the term “business associate” at 45 CFR § 160.103, and, when used as a reference in this Addendum, shall refer to InterSystems when (1) InterSystems and Licensee mutually agree that InterSystems is a Business Associate of Licensee for a specific and identified service as defined in a specific and individual Rules of Engagement document (a template is linked below in this Addendum) accepted by InterSystems and Licensee and (2) InterSystems is not otherwise acting as a service provider or third party vendor to the Licensee.
1.2. HIPAA Rules. “HIPAA Rules” shall mean the requirements under the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Part 160 and Part 164, implementing the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996, Pub. L. 104-191 (“HIPAA”) and as amended by the Health Information Technology for Economic and Clinical Health Act, enacted under Title XIII of the American Recovery and Reinvestment Act of 2009, Pub. L. 111-5 (“HITECH Act”), in each case only as of the applicable compliance date for such requirements.
1.3. Privacy Rule. “Privacy Rule” shall mean the Standards for Privacy of Individually Identifiable Health Information at 45 CFR part 160 and part 164, subparts A and E.
1.4. Protected Health Information (PHI) and Electronic Protected Health Information (EPHI). PHI and EPHI shall have the same meaning as such terms as defined in 45 CFR § 160.103, but limited to such information created or received by InterSystems when acting in a capacity as a Business Associate of Licensee and not otherwise acting as a service provider or third party vendor to the Licensee. For the avoidance of doubt, PHI and EPHI shall not include any information that is not in identifiable form.
1.5. Security Rule. “Security Rule” shall mean the Standards for Security of Electronic Protected Health Information at 45 CFR parts 160 and 164, subpart C.
2. Obligations and Activities of Business Associate.
2.1. Business Associate agrees not to use or disclose PHI other than as permitted or required by the Agreement or this Addendum, or as permitted or Required By Law.
2.2. Business Associate agrees to use appropriate safeguards to protect against any use or disclosure of PHI not provided for herein and to comply, where applicable, with Subpart C of 45 CFR Part 164 with respect to EPHI. Without limiting the foregoing, Business Associate agrees to implement appropriate administrative, physical, and technical safeguards designed to prevent the unauthorized use and disclosure of Protected Health Information, and to protect the confidentiality, integrity, and availability of Electronic Protected Health Information, including maintaining an incident response process to investigate and respond to unauthorized uses and disclosures of PHI upon learning thereof, as required by 45 CFR §§ 164.308, 164.310, 164.312, and 164.316, as may be amended from time to time.
2.3. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of this Addendum.
2.4. In accordance with 45 CFR § 164.502 (e)(1)(ii) and § 164.308(b)(2), Business Associate agrees to require that any Subcontractor, to whom it delegates any function or activity it has undertaken to perform on behalf of Licensee, and to whom it provides PHI received from the Licensee, agrees to substantially the same restrictions and conditions on the use or disclosure of PHI as apply through this Addendum to Business Associate through a Business Associate Agreement between such Subcontractor and Business Associate.
2.5. Business Associate agrees to make its internal practices, policies, procedures, books, and records relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of Licensee, available for inspection and copying by the Secretary upon the Secretary’s written request for same for purposes of the Secretary determining the Licensee’s compliance with the HIPAA Rules.
2.6. The Parties do not intend for Business Associate to maintain any PHI in a Designated Record Set (“DRS”) for Licensee. To the extent Business Associate possesses PHI in a DRS, Business Associate agrees to make such information available to Licensee pursuant to 45 CFR § 164.524, within five (5) business days of Business Associate’s receipt of a written request from Licensee; provided, however, that Business Associate is not required to provide such access where the PHI contained in a DRS is duplicative of the PHI contained in a DRS possessed by Licensee. If an Individual makes a request for access pursuant to 45 CFR § 164.524, § 164.526, or § 164.528 directly to Business Associate, or inquires about his or her rights under HIPAA, Business Associate will promptly direct such Individual to Licensee to the extent the individual or InterSystems can identify Licensee as the appropriate party for the inquiry.
2.7. Business Associate agrees to document disclosures of PHI made by it, and information related to such disclosures, as would be required for Licensee to respond to a request by an Individual for an accounting of disclosures of PHI under 45 CFR § 164.528. Upon written request by Licensee, and in a reasonable time and manner, Business Associate agrees to provide to Licensee such information for Licensee to provide an accounting under 45 CFR § 164.528.
2.8. Following the discovery by Business Associate of any Breach of Unsecured PHI (a “Data Breach”) by Business Associate or its Subcontractors, Business Associate agrees to notify Licensee of such Breach without unreasonable delay, but no later than within five (5) business days after the Business Associate ascertains that there is a Data Breach. Such notification shall include, to the extent available, the identity of each Individual whose Unsecured PHI has been, or is reasonably believed by Business Associate to have been, accessed, acquired, used, or disclosed during the Data Breach. At the time of notification or promptly thereafter as such information becomes available, Business Associate shall also provide Licensee with such other available information as is required for Licensee to notify an Individual of the Breach as required by 45 CFR § 164.404(c). Business Associate agrees that to the extent the Data Breach is solely as a result of Business Associate’s negligent acts or omissions, Business Associate shall pay the reasonable cost for Licensee to provide the notifications required under 45 CFR § 164.404, 45 CFR § 164.406 and § 164.408(b). Notwithstanding the above, if a law enforcement official provides Business Associate with a statement that the notification required under this paragraph would impede a criminal investigation or cause damage to national security, Business Associate may delay the notification for the period of time set forth in the statement as permitted under 45 CFR § 164.412.
3. Permitted Uses and Disclosures by Business Associate.
3.1. Business Associate may use or disclose PHI to perform functions, activities and services for or on behalf of, Licensee as provided in the Services Agreement. Such uses and disclosures shall be limited to those that would not violate the Privacy Rule if done by the Licensee except that Business Associate may use and disclose PHI for the proper management and administration of the Business Associate or to carry out its legal responsibilities; provided that, in the case of any disclosures for this purpose, the disclosure is Required by Law or Business Associate obtains reasonable assurances in writing from the person to whom the information is disclosed, that it will remain confidential and used or further disclosed only as Required By Law or for the purpose for which it was disclosed to the person, and that the person will notify Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.
3.2. Business Associate may also use and disclose PHI as authorized in writing by the Licensee.
3.3. Business Associate agrees to request, use and disclose PHI in compliance with the Minimum Necessary standard of the HIPAA Rules.
4. Obligations of Licensee.
4.1. Licensee shall only provide PHI to InterSystems when strictly required for the purposes of the Agreement and services to be provided by InterSystems and in full compliance with the Minimum Necessary standard of the Privacy Rule. Licensee shall not ask or require Business Associate to use or disclose PHI in a manner in which Licensee could not do as a Covered Entity or a Business Associate for a Covered Entity.
4.2. Licensee represents and warrants that its (or in the case that Licensee is a Business Associate, the relevant Covered Entity’s) Notice of Privacy Practices complies with 45 CFR § 164.520 and permits Licensee to use and disclose PHI in the manner that Business Associate is authorized to use and disclose PHI under this Addendum.
4.3. To the extent that the Licensee honors a request to restrict the use or disclosure of PHI pursuant to 45 CFR § 164.522(a), Licensee agrees not to provide such PHI to Business Associate unless Licensee notifies Business Associate of the restriction and Business Associate advises Licensee that it is able to accommodate the restriction. Licensee agrees to reimburse Business Associate for any increase in costs required to accommodate such restriction.
4.4. Licensee shall be responsible for using administrative, physical and technical safeguards at all times to maintain and ensure the confidentiality, privacy and security of PHI transmitted to Business Associate in accordance with the standards and requirements of the HIPAA Rules, until such PHI is received by Business Associate.
4.5. Licensee shall obtain any consent or authorization that may be required by applicable federal or state laws in order for Business Associate to provide its services under the Agreement.
4.6. Licensee shall provide to Business Associate a written list of the names of those individuals in its Workforce that are authorized to receive or access PHI on its behalf, and to provide reasonable prior written notice to Business Associate of any changes to such list. In the absence of Licensee providing such list, Business Associate may assume that those individuals that are members of the Workforce of the Licensee or, if applicable, the relevant Covered Entity, who request or receive PHI from Business Associate are performing on behalf of Licensee, and are authorized to receive or access PHI on its behalf.
5. Term and Termination.
5.1. This Addendum is effective during the term of the Agreement and shall terminate upon termination of the Agreement, except to the extent provided in Section 5.3.
5.2. Termination for Cause. Upon a material breach of this Addendum by a Party, the Other Party shall notify the Breaching Party of the nature of the material breach in writing, and shall allow the Breaching Party sixty (60) calendar days from its receipt of such notification to cure the breach. If the Breaching Party fails to cure the breach or end the violation within the sixty (60) calendar-day cure period, the Other Party may, at its discretion, then terminate this Addendum and the Agreement by written notice to the Breaching Party.
5.3. Effect of Termination.
5.3.1. Except as provided in paragraph 5.2 of this section, upon termination of the Agreement for any reason, Business Associate shall, if feasible, return, destroy, or require the destruction of all PHI received from Licensee, or created or received by Business Associate on behalf of Licensee.
5.3.2. In the event Business Associate determines that returning or destroying the PHI is infeasible, Business Associate shall extend the protections of this Addendum to such PHI, and shall limit further uses and disclosures of such PHI, to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such PHI.
6.1. Regulatory References. A reference in this Addendum to a section in the HIPAA Rules means the section as in effect or as amended, and as of its applicable compliance date.
6.2. Changes to this Addendum. The Parties agree to negotiate in good faith to amend this Addendum or the Services Agreement as necessary to comply with any changes in the HIPAA Rules. If, within sixty (60) calendar days after Business Associate receives a proposed amendment for this purpose from Licensee, the Parties are unable in good faith to reach agreement on its terms, either Party may terminate this Addendum and the Agreement by written notice to the other Party.
6.3. The respective rights and obligations of Business Associate under Section 5.3 shall survive termination for so long as Business Associate maintains any PHI.
6.4. Any ambiguity in this Addendum shall be resolved to permit the Parties to comply with the HIPAA Rules.
6.5. Remedies. The Parties agree that the remedies at law for a violation of the terms of this Addendum may be inadequate and that monetary damages resulting from such violation may not be readily measured. Accordingly, in the event of a violation by either Party of the terms of this Addendum, the other Party shall be entitled to immediate injunctive relief. Nothing herein shall prohibit either Party from pursuing any other remedies that may be available to either of them for such violation.
6.6. Relationship of Parties. It is expressly agreed that InterSystems and its affiliates, including its employees and Subcontractors, are performing the services under this Addendum as independent contractors for Licensee. Neither InterSystems nor its affiliates, officers, directors, employees or Subcontractors is an employee or agent of Licensee. Nothing in this Addendum shall be construed to create (i) a partnership, joint venture or other joint business relationship between the parties or any of their affiliates, or (ii) an agency relationship for purposes of the HITECH Act.
The Parties agree this Addendum is in force during the term of the Agreement.
Attachment: Rules of Engagement