Business Associate Agreement

This Business Associate Agreement (“Business Associate Agreement”) updated as of December 15, 2021, is entered into between Glooko, Inc., a Delaware corporation, located at 411 High St., Palo Alto, CA 94301 (the “Business Associate”), and the party who meets the definition of a covered entity under the Health Insurance Portability and Accountability Act (the “Covered Entity”) who has signed a duly executed Order Form with the Business Associate, as of the date of the final signature on such Order Form (the “Effective Date”). The parties agree as follows:

WHEREAS, Sections 261 through 264 of the federal Health Insurance Portability and Accountability Act (“HIPAA”) of 1996, Public Law 104-191, known as “the Administrative Simplification provisions,” direct the Department of Health and Human Services to develop standards to protect the security, confidentiality and integrity of health information; and

WHEREAS, pursuant to the Administrative Simplification provisions, the Secretary of Health and Human Services issued regulations modifying 45 CFR Parts 160 and 164 (the “HIPAA Security and Privacy Rule”); and

WHEREAS, the American Recovery and Reinvestment Act (“ARRA”) of 2009 (Pub. L. 111-5), pursuant to Title XIII of Division A and Title IV of Division B, called the “Health Information Technology for Economic and Clinical Health” (“HITECH”) Act, provides modifications to the HIPAA Security and Privacy Rule (hereinafter, all references to the “HIPAA Security and Privacy Rule” are deemed to include all amendments to such rule contained in the HITECH Act and any accompanying regulations, and any other subsequently adopted amendments or regulations); and

WHEREAS, the Parties are entering into an agreement (“Master Agreement”) whereby Business Associate will provide certain services to Covered Entity, and, pursuant to such Master Agreement, Business Associate may be considered a “business associate” of Covered Entity as defined in the HIPAA Security and Privacy Rule; and

WHEREAS, Business Associate may have access to Protected Health Information (“PHI”) as defined below, in fulfilling its responsibilities under such arrangement; and Business Associate and Covered Entity (each a “Party” and collectively the “Parties”) agree to the terms and conditions of this Business Associate Agreement.

Article 1. Definitions.

Terms used but not otherwise defined in this Business Associate Agreement shall have the same meaning as the meaning ascribed to those terms in the Health Information Portability and Accountability Act of 1996, codified as 42 U.S.C. §1320d (“HIPAA”), the Health Information Technology Act of 2009, as codified at 42 U.S.C.A. prec. § 17901 (the “HITECH” Act), and any current and future regulations promulgated under HIPAA or HITECH.

1.1 “Breach” shall mean the acquisition, access, use or disclosure of Protected Health Information in a manner not permitted under 45 C.F.R. Part 164, Subpart E (the “HIPAA Privacy Regulations”) which compromises the security or privacy of the Protected Health Information. “Breach” shall not include:

  1. Any unintentional acquisition, access, or use of Protected Health Information by a workforce member or person acting under the authority of Covered Entity or Business Associate, if such acquisition, access or use was made in good faith and within the scope of authority and does not result in further use or disclosure in a manner not permitted under the HIPAA Privacy Regulations; or
  2. Any inadvertent disclosure by a person who is authorized to access Protected Health Information at Covered Entity or Business Associate to another person authorized to access Protected Health Information at Covered Entity or Business Associate, respectively, and the information received as a result of such disclosure is not further used or disclosed in a manner not permitted under the HIPAA Privacy Regulations; or
  3. A disclosure of Protected Health Information where Covered Entity or Business Associate has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.

1.2 “Designated Record Set” means a group of records maintained by or for a Covered Entity that is (a) the medical and billing records about Individuals maintained by or for a covered healthcare provider; (b) the enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan, or (c) information used in whole or in part by or for the Covered Entity to make decisions about Individuals.

1.3 “Electronic Protected Health Information” or “Electronic PHI” means Protected Health Information that is transmitted by or maintained in electronic media as defined by the HIPAA Security Regulations.

1.4 “Individual” shall have the same meaning as the term “individual” in 45 C.F.R. §164.501 and shall include a person who qualifies as a personal representative in accordance with 45 C.F.R. §164.502(g).

1.5 “HIPAA Privacy Regulations” shall mean the Standards for Security of Individually Identifiable Health Information at 45 C.F.R. part 160 and part 164, subparts A and E.

1.6 “HIPAA Security Regulations” shall mean the Standards for Security of Individually Identifiable Health Information at 45 C.F.R. part 160 and subparts A and C of part 164.

1.7 “HITECH Standards” means the privacy, security and security Breach notification provisions applicable to a Business Associate under Subtitle D of the HITECH Act and any regulations promulgated thereafter.

1.8 “Individually Identifiable Information” means information that is a subset of health information, including demographic information collected from an individual, and:

  1. is created or received by a health care provider, health plan, employer or health care clearinghouse; and
  2. relates to past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present or future payment for the provision of health care to an individual; and: (i) that identifies the individual; or (ii) with respect to which there is a reasonable basis to believe the information can be used to identify the individual.

1.9 “Protected Health Information” or “PHI” shall have the same meaning as the term “protected health information” in 45 C.F.R. §160.103 (as amended by the HITECH Act), limited to the information created or received by Business Associate from or on behalf of Covered Entity including, but not limited to Electronic PHI. PHI shall include individually identifiable health information including, without limitation, all information, data, documentation, and materials, including without limitation, demographic, medical and financial information, that relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and that identifies the individual or with respect to which there is a reasonable basis to believe the information can be used to identify the individual. “Protected Health Information” includes without limitation “Electronic Protected Health Information” as defined above. PHI does not include any data received by the business associate directly from a patient where the patient consents to sharing their data. Business Associate acknowledges and agrees that all Protected Health Information that is created or received by Covered Entity and disclosed or made available in any form, including paper record, oral communication, audio recording, and electronic display by Covered Entity or its operating units to Business Associate or is created or received by Business Associate on Covered Entity’s behalf shall be subject to this Business Associate Agreement.

1.10 “Secretary” shall mean the Secretary of the Department of Health and Human Services or his/her designee.

1.11 “Unsecured Protected Health Information” shall mean Electronic PHI that is not secured through the use of technology or methodology specified by the Secretary in regulations or as otherwise defined in section 13402(h) of the HITECH Act.

Article 2. Obligations of Business Associate

2.1 Subcontractors. Business Associate agrees to require any subcontractor to whom it provides Protected Health Information received from or created or received by Business Associate on behalf of Covered Entity, to agree to the same restrictions and conditions that apply throughout this Business Associate Agreement to Business Associate with respect to such information. Subcontractors shall receive appropriate training and agree to implement reasonable and appropriate safeguards to protect any of such information which is PHI or Electronic Protected Health Information. In addition, Business Associate agrees to take reasonable steps to ensure that its employees’ actions or omissions do not cause Business Associate to breach the terms of this Business Associate Agreement.

2.2 Safeguards. Business Associate agrees to use appropriate administrative, physical and technical safeguards to prevent use or disclosure of the Protected Health Information other than as provided for by this Business Associate Agreement. Business Associate will implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of any Electronic Protected Health Information that it creates, receives, maintains, or transmits on behalf of Covered Entity as required by the HIPAA Security and Privacy Rule.

2.3 Mitigation. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of Protected Health Information by Business Associate in violation of this Business Associate Agreement.

2.4 Compliance. Business Associate will, pursuant to the HITECH Act and its implementing regulations, comply with all additional applicable requirements of the Privacy Rule, including those contained in 45 CFR §§ 164.502(e) and 164.504(e)(1)(ii), at such time as the requirements are applicable to Business Associate. Business Associate will not directly or indirectly receive remuneration in exchange for any PHI, subject to the exceptions contained in the HITECH Act, without a valid authorization from the applicable individual. Business Associate will not engage in any communication which might be deemed to be “marketing” under the HITECH Act. In addition, Business Associate will, pursuant to the HITECH Act and its implementing regulations, comply with all applicable requirements of the Security Rule, contained in 45 CFR §§ 164.308, 164.310, 164.312 and 164.316, at such time as the requirements are applicable to Business Associate.

2.5 Notice of Use or Disclosure, Security Incident or Breach.

  1. Business Associate agrees to notify the designated Privacy Officer of the Covered Entity of any use or disclosure of PHI by Business Associate not permitted by this Business Associate Agreement, any Security Incident (as defined in 45 C.F.R. §164.304) involving Electronic PHI, and any Breach of Unsecured Protected Health Information without unreasonable delay, but in no case more than thirty (30) days following discovery of the Breach. Business Associate shall provide the following information in such notice to Covered Entity:

    (i) the identification of each Individual whose Unsecured PHI has been, or is reasonably believed by Business Associate to have been, accessed, acquired, or disclosed during such Breach;

    (ii) a description of the nature of the Breach including the types of unsecured PHI that were involved, the date of the Breach and the date of discovery;

    (iii) a description of the type of Unsecured PHI acquired, accessed, used or disclosed in the Breach (e.g., full name, social security number, date of birth, etc.);

    (iv) the identity of the person who made and who received (if known) the unauthorized acquisition, access, use or disclosure;

    (v) a description of what the Business Associate is doing to mitigate the damages and protect against future breaches; and

    (vi) any other details necessary for Covered Entity to assess risk of harm to Individual(s), including identification of each Individual whose unsecured PHI has been Breached and steps such Individuals should take to protect themselves.

  2. Covered Entity will be responsible for providing notification to Individuals whose unsecured PHI has been disclosed, as well as to the Secretary and the media, as required by the HITECH Act. In the event that a breach of unsecured PHI, as defined in the HITECH Act or accompanying regulations, occurs as a result of actions by Covered Entity or by the customer or owner of such PHI, and not by Business Associate, Business Associate will cooperate in the Covered Entity’s breach analysis procedures, including risk assessment and determination of the extent of access of such unsecured PHI, at the written request of the Covered Entity or customer/owner of such breached PHI, and for a fee consistent with Business Associate’s then current rates.
  3. Business Associate agrees to establish procedures to investigate the Breach, mitigate losses, and protect against any future Breaches, and to provide a description of these procedures and the specific findings of the investigation to Covered Entity in the time and manner reasonably requested by Covered Entity.
  4. The Parties agree that this section satisfies any notice requirements of Business Associate to Covered Entity of the ongoing existence and occurrence of attempted but Unsuccessful Security Incidents (as defined below) for which no additional notice to Covered Entity shall be required. For purposes of this Business Associate Agreement, “Unsuccessful Security Incidents” include activity such as pings and other broadcast attacks on Business Associate’s firewall, port scans, unsuccessful log-on attempts, denials of service and any combination of the above, so long as no such incident results in unauthorized access, use or disclosure of Electronic PHI.

2.6 Access. Business Associate agrees to provide access, at the request of Covered Entity, and in the time and manner reasonably requested by Covered Entity, to Protected Health Information in a Designated Record Set, to Covered Entity or, as directed by Covered Entity, to an Individual. Business Associate may charge Covered Entity or Individual for the actual labor cost involved in providing such access. Business Associate agrees to comply with any requests for restrictions on certain disclosures of Protected Health Information pursuant to Section 164.522 of the HIPAA Security and Privacy Rule to which Covered Entity has agreed and of which Business Associate is notified by Covered Entity. Business Associate agrees to make available Protected Health Information to the extent and in the manner required by Section 164.524 of the HIPAA Security and Privacy Rule. If Business Associate maintains Protected Health Information electronically, it agrees to make such Protected Health Information electronically available to the applicable individual. Business Associate agrees to make Protected Health Information available for amendment and incorporate any amendments to Protected Health Information in accordance with the requirements of Section 164.526 of the HIPAA Security and Privacy Rule. In addition, Business Associate agrees to make Protected Health Information available for purposes of accounting of disclosures, as required by Section 164.528 of the HIPAA Security and Privacy Rule and Section 13405(c)(3) of the HITECH Act. Business Associate and Covered Entity shall cooperate in providing any accounting required on a timely basis.

2.7 Amendments. Business Associate agrees to make any amendment(s) to Protected Health Information in a Designated Record Set that Covered Entity directs or agrees to, upon request of Covered Entity or an Individual.

2.8 Disclosure of Practices, Books and Records. Business Associate agrees to make internal practices, books and records relating to the use and disclosure of Protected Health Information received from, or created or received by Business Associate on behalf of Covered Entity, available to Covered Entity or the Secretary in a time and manner designated by the Covered Entity or Secretary, for the purposes of the Secretary in determining the Parties’ compliance with HIPAA, the HITECH Act, the American Recovery and Reinvestment Act, and corresponding regulations.

2.9 Accounting and Audit. Business Associate agrees to provide to Covered Entity an accounting of PHI disclosures made by Business Associate, including disclosures made for treatment, payment and health care operations. The accounting shall be made within a reasonable amount of time upon receipt of a request from Covered Entity. The Secretary of Health and Human Services shall have the right to audit Business Associate’s records and practices related to use and disclosure of Protected Health Information to ensure Covered Entity’s compliance with the terms of the HIPAA Security and Privacy Rule.

2.10 Security of Electronic Protected Health Information. Business Associate agrees to (1) implement administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of Electronic Protected Health Information that it creates, receives, maintains or transmits on behalf of Covered Entity; (2) ensure that any agent, including a subcontractor, to whom it provides such information agrees to implement reasonable and appropriate safeguards to protect it; and (3) report to the Covered Entity any security incidents of which it becomes aware.

2.11 Minimum Necessary. Business Associate agrees to limit its uses and disclosures of, and requests for, PHI (a) when practical, to the information making up a Limited Data Set; and (b) in all other cases subject to the requirements of 45 C.F.R. §164.502(b), to the minimum amount of PHI necessary to accomplish the intended purpose of the use, disclosure or request.

2.12 Use and Disclosure of PHI. Except as otherwise limited in this Business Associate Agreement, Business Associate may use or disclose Protected Health Information to perform functions, activities, or services for, or on behalf of, Covered Entity provided that such use or disclosure would not violate HIPAA, ARRA, or the HITECH Act if done by the Covered Entity. Notwithstanding the prohibitions set forth in this Business Associate Agreement, Business Associate may use and disclose Protected Health Information as follows:

  1. if necessary, for the proper management and administration of Business Associate services or to carry out the legal responsibilities of Business Associate, provided that as to any such disclosure, (i) the disclosure is required by law; or (ii) Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will be held confidentially and used or further disclosed only as required by law or for the purpose for which it was disclosed to the person, and the person notifies Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached; or
  2. for data aggregation services, if to be provided by Business Associate for the health care operations of Covered Entity pursuant to any agreements between the Parties evidencing their business relationship, or as mutually agreed in writing by both Parties. For purposes of this Business Associate Agreement, data aggregation services means the combining of Protected Health Information by Business Associate with the protected health information received by Business Associate in its capacity as a business associate of another covered entity, to permit data analyses that relate to the health care operations of the respective covered entities.
  3. Business Associate may de-identify and aggregate any and all Protected Health Information created or received by Business Associate under the Master Agreement; provided, however, that such de-identification conforms to the requirements under HIPAA. Anonymized and aggregated data is data that has been de-identified into a form that does not identify Client, its Authorized Users, or Patients, or other individually identifiable data subjects, and that meets de-identification criteria as specified in applicable regulations such as the Health Insurance Portability and Accountability Act (HIPAA) (45 CFR 164.514(a)-(c)) and the California Consumer Privacy Act (CCPA). Such resulting de-identified information shall not be subject to the terms of this Business Associate Agreement.
  4. Business Associate will not sell PHI or use or disclose PHI for marketing or fundraising purposes as set forth in the HITECH Act.

Article 3. Obligations of Covered Entity

3.1 Notice of Privacy Practices of Covered Entity. Covered Entity shall provide Business Associate with the notice of privacy practices that Covered Entity produces in accordance with 45 C.F.R. §164.520, as well as any changes to such notice.

3.2 Restrictions in Use of PHI. Covered Entity shall notify Business Associate of any changes in restriction to the use or disclosure of Protected Health Information to which Covered Entity has agreed, to the extent that such restriction may affect Business Associate’s use or disclosure of PHI.

3.3 Changes in the Use of PHI. Covered Entity agrees to notify Business Associate of any changes in, or revocation of, permission by an Individual to use or disclose PHI, to the extent such changes or revocation affects Business Associate’s use or disclosure of PHI.

3.4 Appropriate Requests. Except as otherwise provided in this Business Associate Agreement, Covered Entity will not ask Business Associate to use or disclose PHI in any manner that would violate the HIPAA Privacy Regulations, ARRA, or the HITECH Act if done by Covered Entity.

3.5 Consents. Covered Entity shall obtain from individuals any and all consents or authorizations necessary for Business Associate to provide services to Covered Entity.

Article 4. Term and Termination

4.1 Term. The Term of this Business Associate Agreement shall be effective as of the date listed above and shall terminate when all of the Protected Health Information provided by Covered Entity to Business Associate, or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity, or, if it is infeasible to return or destroy Protected Health Information, protections are extended to such information, in accordance with the termination provisions in this section.

4.2 Termination for Cause. Upon either Party’s determination that the other Party has committed a violation or material breach of this Business Associate Agreement, the non-breaching Party may take one of the following steps:

  1. Provide an opportunity for the breaching Party to cure the breach or end the violation, and if the breaching Party does not cure the breach or end the violation within a reasonable time, terminate this Business Associate Agreement;
  2. Immediately terminate this Business Associate Agreement if the other Party has committed a material breach of this Business Associate Agreement and cure of the material breach is not possible; or
  3. If neither cure nor termination is feasible, elect to continue this Business Associate Agreement and report the violation or material breach to the Secretary in accordance with the requirements set forth in the HITECH Act.

4.3 Disposition of PHI Upon Termination or Upon Request.

  1. Upon termination of this Business Associate Agreement, for any reason, or upon request of Covered Entity, whichever occurs first, if feasible, Business Associate shall return or destroy all Protected Health Information created or received by Business Associate on behalf of Covered Entity which Business Associate still maintains in any form and retain no copies of such information. This provision shall apply to Protected Health Information that is in the possession of subcontractors of Business Associate.
  2. It may not be feasible for Business Associate to return or destroy all copies of customer data constituting Protected Health Information. In such cases, where such return or destruction is not feasible, Business Associate will extend the protections of this Business Associate Agreement to the information and limit further uses and disclosures solely to those purposes as originally intended under this Business Associate Agreement that make the return or destruction infeasible, for so long as Business Associate maintains such Protected Health Information.

Article 5. Miscellaneous

5.1 Limitation of Liability. Business Associate’s aggregate liability for claims under this Business Associate Agreement shall not exceed the amounts paid by Covered Entity to Business Associate under the Agreement in the twelve (12) months preceding the first claim made under this Business Associate Agreement.

5.2 No Third Parties; Survival. Except as expressly stated herein or within the HIPAA Security and Privacy Rule, the Parties to this Business Associate Agreement do not intend to create any rights in any third parties. The respective rights and obligations of Business Associate under this Section shall survive the expiration, termination, or cancellation of this Business Associate Agreement, and/or the business relationship of the Parties, and shall continue to bind Business Associate, its agents, employees, contractors, successors, and assigns as set forth herein.

5.3 Amendment. The Parties agree to take such action as is necessary to amend this Business Associate Agreement from time to time as is necessary for Covered Entity to comply with the requirements of HIPAA, ARRA, or the HITECH Act and any applicable regulations in regard to such laws.

5.4 Prior Agreement. This Business Associate Agreement shall replace and supersede any prior Business Associate Agreement between the Parties.

5.5 Ambiguity. Any ambiguity of this Business Associate Agreement shall be resolved to permit the Parties to comply with the HITECH Act, HIPAA, ARRA, and the Privacy and Security Rules and other implementing regulations and guidance.

5.6 Minimum Requirements. The provisions of this Business Associate Agreement are intended to establish the minimum requirements regarding Business Associate’s use and disclosure of Protected Health Information.

5.7 Notices. All notices, requests, demands and other communications required or permitted hereunder shall be in writing and, if mailed by prepaid first class mail or certified mail, return receipt requested, shall be deemed to have been received on the earlier of the date of receipt or three (3) business days after the postmarked date thereof. All notices and other communications under this Agreement shall be given to the Parties hereto at the following addresses with adequate postage thereon, if applicable, and as follows unless and until notice of another or different address shall be given as provided herein:

If to Company:
Glooko, Inc.
411 High Street
Palo Alto, California, 94301
Attn: Legal Department

If to Covered Entity:
To Covered Entity’s address listed on a duly executed Order Form referencing this Business Associate Agreement

5.8 Entire Agreement, Amendments, Assignment, Relationship, Waiver, Governing Law. This Business Associate Agreement is the entire agreement between the parties in connection with the subject matter herein. Either party may assign, sublicense, delegate or transfer all or any portion of its rights or responsibilities under this Business Associate Agreement by operation of law or otherwise to any subsidiaries or affiliates thereof, or to any other party, in connection with a sale of the business related to this Business Associate Agreement. Any assignment of this Business Associate Agreement by Business Associate in connection with a sale of this business shall relieve Business Associate from any further liability hereunder. None of the provisions of this Business Associate Agreement are intended to create, nor will they be deemed to create any relationship between the Parties other than that of independent parties contracting with each other solely for the purposes of effecting the provisions of this Business Associate Agreement and any other agreements between the Parties evidencing their business relationship. No change, waiver or discharge of any liability or obligation hereunder on any one or more occasions shall be deemed a waiver of performance of any continuing or other obligation, or shall prohibit enforcement of any obligation, on any other occasion. In the event that any provision of this Business Associate Agreement is held by a court of competent jurisdiction to be invalid or unenforceable, the remainder of the provisions of this Business Associate Agreement will remain in full force and effect. In addition, in the event a Party believes in good faith that any provision of this Business Associate Agreement fails to comply with the then-current requirements of the HIPAA Security and Privacy Rule, including any then-current requirements of the HITECH Act or its regulations, such Party shall notify the other Party in writing. 
For a period of up to thirty (30) days, the Parties shall address in good faith such concern and amend the terms of this Business Associate Agreement as necessary to bring it into compliance. If, after such thirty (30) day period, the Business Associate Agreement fails to comply with the HIPAA Security and Privacy Rule, including the HITECH Act, then either Party has the right to terminate upon written notice to the other Party.