This Business Associate Addendum (the “Addendum”) supplements the underlying agreement, including the Terms of Service (collectively “Underlying Agreement”), between Reach LLC. (“Reach”) and its client (“Client”), and is intended to and shall be interpreted to ensure the parties’ compliance with the Health Insurance Portability and Accountability Act and its implementing regulations, 45 C.F.R. Part 164 (collectively “HIPAA Rules”). The terms in the Underlying Agreement shall also apply to the parties’ performance under this Addendum to the extent not inconsistent with the terms of this Addendum.
1. Definitions. Terms used, but not otherwise defined in this Addendum, shall have the same meaning as those terms are used in the HIPAA Rules.
2. Obligations and Activities of Reach.
a. Reach agrees to not use or disclose Protected Health Information other than as permitted or required by this Addendum, the Underlying Addendum or as Required By Law.
b. Reach agrees to use appropriate safeguards, and comply with Subpart C of 45 C.F.R. Part 164 with respect to Electronic Protected Health Information, to prevent use or disclosure of the Protected Health Information other than as provided for by this Addendum.
c. Reach agrees to report to Client any use or disclosure of the Protected Health Information not provided for by this Addendum of which it becomes aware, including breaches of Unsecured Protected Health Information as required by 45 C.F.R. §164.410. Reach also agrees to report to Client any security incident, including all data breaches, related to Protected Health Information of which Reach becomes aware; provided that the reporting requirement shall not apply to routine, unsuccessful security incidents such as port scans, pings, etc., that do not pose a material threat to the Protected Health Information.
d. Reach agrees to ensure that any subcontractor, to whom it provides Protected Health Information received from, or created or received by Reach on behalf of, Client agrees to the same restrictions and conditions that apply through this Addendum to Reach with respect to such information.
e. Reach agrees to provide access, at the request of Client and during normal business hours, to Protected Health Information in a Designated Record Set to Client or, as directed by Client, to an Individual in order to meet the requirements under 45 C.F.R. §164.524, provided that Client delivers to Reach a written notice at least five (5) business days in advance of requesting such access.
f. Reach agrees to make any amendment(s) to Protected Health Information in a Designated Record Set that the Client directs or agrees to pursuant to 45 C.F.R. §164.526, at the request of Client or an Individual.
g. Unless otherwise protected or prohibited from discovery or disclosure by law, Reach agrees to make internal practices, books and records, relating to the use or disclosure of Protected Health Information received from, or created or received by Reach on behalf of, Client available to the Secretary for purposes of the Secretary determining Client’s compliance with the HIPAA Rules.
h. Reach agrees to maintain and, on request of Client, provide to Client documentation necessary to permit Client to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 C.F.R. §164.528.
i. To the extent Reach carries out one or more of Client’s obligations under Subpart E of 45 C.F.R. Part 164, Reach agrees to comply with the requirements of Subpart E that apply to Client in the performance of such obligations.
3. Permitted Uses and Disclosures by Reach.
a. Except as otherwise limited by this Addendum, Reach may make any uses and disclosures of Protected Health Information necessary to perform the Services for and on behalf of Client in accordance with the terms of the Underlying Agreement and to otherwise meet its obligations under this Addendum, if such uses or disclosures would not violate the Privacy Rule if done by Client.
b. Except as otherwise limited in this Addendum, Reach may use Protected Health Information for the proper management and administration of the Reach, including internal analytics for Reach’s own product development, or to carry out the legal responsibilities of the Reach.
c. Except as otherwise limited in this Addendum, Reach may disclose Protected Health Information for the proper management and administration of the Reach or to carry out the legal responsibilities of Reach, provided the disclosures are Required By Law or Reach obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as Required By Law or for the purpose for which it was disclosed to the person, and the person notifies the Reach of any instances of which it is aware in which the confidentiality of the information has been breached.
c. Except as otherwise limited in this Addendum, Reach may use Protected Health Information: (i) to provide Data Aggregation services relating to the health care operations of Client as permitted by 45 C.F.R. §164.504(e)(2)(i)(B), and (ii) to de identify such Protected Health Information in accordance with 45 C.F.R. 164.514(a) – (c).
4. Obligations of Client.
a. If and to the extent that Client has imposed or agreed to any limitation on the use or disclosure of Protected Health Information that is more restrictive than HIPAA, Client shall notify Reach of any such limitation(s) that Client has imposed.
b. Client shall immediately notify Reach of any changes in, or revocation of, permission by Individual to use or disclose Protected Health Information, to the extent that such changes may affect Reach’s use or disclosure of Protected Health Information.
c. Client shall not request Reach to use or disclose Protected Health Information in any manner that would not be permissible under the HIPAA Rules if done by the Client, except as permitted by Section 3.
5. Term and Termination.
a. The Term of this Addendum shall be effective upon execution of the Underlying Agreement and shall remain in effect until (i) this Addendum is terminated, and (ii) all Protected Health Information is either returned or destroyed in accordance with this Section 5.
b. This Addendum shall terminate: (i) upon termination of the Underlying Agreement; (ii) upon 30 days’ prior written notice to the breaching party if either party breaches a material term of this Addendum and the breaching party fails to cure the breach by the end of the 30-day notice period; or (iii) the HIPAA Rules are amended or Client agrees to restrictions on the use or disclosure of Protected Health Information such that Reach determines that performance of this Agreement may cause Reach to incur unanticipated costs to comply or face adverse regulatory action.
c. Effect of Termination. Upon termination of this Addendum for any reason, Reach, with respect to Protected Health Information received from Client or created, maintained, or received by Reach on behalf of Client, shall:
i. Retain only that Protected Health Information which is necessary for Reach to continue its proper management and administration or to carry out its legal responsibilities;
ii. Return to Client or destroy the remaining Protected Health Information that Reach still maintains in any form; and
iii. If and to the extent that such return or destruction is impractical, continue to use appropriate safeguards and comply with the HIPAA Rules as to any Protected Health Information that Reach retains.