TrustFinance

HIPAA Business Associate Addendum to the Terms of Use and Sale for Businesses

This HIPAA Business Associate Addendum ("BAA") is part of our Terms of Use and Sale for Businesses and applies only to the extent that you, as a Covered Entity under HIPAA, share Protected Health Information about your consumers with us and we are deemed to be acting as your Business Associate as a result.

1. Definitions

Words or phrases specified in "quotation marks" have the same meaning in this BAA every time they are used. Any words or phrases described in the Terms of Use and Sale for Businesses (including the Data Processing Agreement) have the same meanings when used in this BAA, unless we specify differently below.

  • HIPAA defines the terms "Business Associate," "Breach," "Covered Entity," "Required by Law," "Security Incident," and "Subcontractor."
  • "Covered Services" refers to one or more of our review invitation services, as described in our Terms of Use and Sale for Businesses (when you issue (or we send on your behalf) invites to your clients requesting them to write a review on our platform about your services, locations, and/or products).
  • "HIPAA" means the Health Insurance Portability and Accountability Act of 1996 and the rules and regulations made under it, as amended.
  • "Protected Health Information" or "PHI" has the definition provided by HIPAA, and for the purposes of this BAA, PHI that is part of any data to which we have access through the Covered Services is restricted.

2. Permitted uses and disclosures of PHI: Except as specified in this BAA, we will only use or disclose PHI as necessary to execute the Covered Services or as required by law.

3. Invitation data: If the type of review invitation services we provide to you necessitates the receiving or processing of PHI invitation data, we will do so in line with the Data Processing Agreement.

4. Security practices: With respect to the Covered Services, we shall apply adequate controls designed to prevent unauthorized use or disclosure of PHI, and as otherwise required by HIPAA. We will apply the same security policies to PHI that we describe in the Security practices section of our Data Processing Agreement.

On your request, we will provide you with enough information to ensure that we are adhering to these security procedures.

5. Reporting: As soon as we become aware of the facts, we shall notify you in writing of any finding of a Security Incident (excluding any unsuccessful attempt) involving PHI, including a Breach of unprotected PHI.

6. Subcontractors: We will take reasonable steps to ensure that any Subcontractors utilized to carry out our obligations under the Terms of Use and Sale for Businesses that involve access to PHI are bound by contractual agreements that provide at least the same significant level of PHI protection as this BAA. We shall be held accountable for any violation of this BAA caused by an act, error, or omission on the part of one or more of our Subcontractors.

7. Access and amendment: We will provide you with access to PHI through the Covered Services so that you can fulfill your HIPAA obligations regarding individuals' rights of access and amendment, but we will have no other obligations to you or any individual regarding HIPAA rights, including rights of access or amendment of PHI.

8. Accounting of disclosures: As required by HIPAA, we shall document our PHI disclosures and make accessible the information needed to give an accounting of disclosures.

9. Access to records: Unless prohibited by applicable laws or regulations, we will make available to the Secretary of the United States Department of Health and Human Services (the "Secretary") our internal practices, books, and records concerning the use and disclosure of PHI received from you for the purpose of the Secretary determining your compliance with HIPAA.

10. Term and termination: If we substantially break this BAA, you may exercise your termination rights in accordance with the Terms of Use and Sale for Businesses.

We shall return or erase (including anonymize) PHI received from you as part of your usage of Covered Services upon termination of the Terms of Use and Sale for Businesses. This will not apply if we are obligated by relevant laws or regulations to keep any or all of the PHI.
