Kipu Business Associate Agreement (“BAA”)

BUSINESS ASSOCIATE AGREEMENT (“BAA”)

BACKGROUND

The Health Insurance Portability and Accountability Act of 1996, Public Law 104-191 (“HIPAA”), the HIPAA Privacy Rule (“Privacy Rule”), 45 C.F.R. Parts 160 and 164, and the HIPAA Security Rule (“Security Rule”), 45 C.F.R. Parts 160, 162 and 164, require a Covered Entity to enter into a written agreement with a Business Associate in order to protect the privacy and security of individually identifiable health information maintained by a Covered Entity (“Protected Health Information,” or “PHI”).   

To fulfill obligations pursuant to the Service Agreement for services to be provided by Business Associate to Covered Entity, the Parties enter into this BAA and, intending to be bound, hereby agree to the following:

1. Definitions.

Terms used, but not otherwise defined, in this BAA shall have the meanings set forth below.

• “Breach” shall have the same meaning given to such term in 42 U.S.C. § 17921(1) and 45 C.F.R. § 164.402.
• “Business Associate” shall mean Kipu Systems LLC.
• “Covered Entity” shall mean the Client.
• “Data Aggregation” shall have the same meaning as the term “data aggregation” in 45 C.F.R. § 160.103.
• “Designated Record Set” shall have the same meaning as the term “designated record set” in 45 C.F.R. § 164.501.
• “Electronic Protected Health Information” or “Electronic PHI” shall have the meaning given to such term under the Privacy Rule and the Security Rule, including, but not limited to, 45 C.F.R. § 160.103, as applied to the information that is created, received, maintained or transmitted to Kipu by, from or on behalf of Client.
• “Electronic Media” shall have the same meaning as the term “electronic media” in 45 C.F.R. § 160.103..
• “Health Care Operations” shall have the same meaning as the term “health care operations” in 45 C.F.R. § 164.501.
• “HITECH Act” means the Health Information Technology for Economic and Clinical Health Act of 2009, and regulations promulgated thereunder.
• “Individual” shall have the same meaning given such term in 45 C.F.R. § 160.103 and shall include a person who qualifies as a personal representative in accordance with 45 C.F.R. § 164.502(g).
• “Individually Identifiable Health Information” shall have the same meaning as the term “individually identifiable health information” in 45 C.F.R. § 160.103.
• “Payment” shall have the same meaning as the term “payment” in 45 C.F.R. § 164.501.
• “Privacy Rule” shall mean the Standards for Privacy of Individually Identifiable Health Information at 45 C.F.R. part 160 and part 164, subparts A and E.
• “Privacy Standards” shall mean the Standard for Privacy of Individually Identifiable Health Information, 45 C.F.R. Parts 160 and 164.
• “Protected Health Information” or “PHI” shall have the same meaning as the term “protected health information” in 45 C.F.R. § 160.103, as applied to the information that is created, transmitted, maintained or received by Kipu by, from or on behalf of Client.
• “Required By Law” shall have the same meaning as the term “required by law” in 45 C.F.R. 164.103.
• “Secretary” shall mean the Secretary of the Department of Health and Human Services or his designee.
• “Security Incident” shall have the meaning given to such term in 45 C.F.R. § 164.304, but shall not include, (a) unsuccessful attempts to penetrate computer networks or servers maintained by Kipu or its third party service providers and (b) immaterial incidents that occur on a routine basis, such as general “pinging” or “denial of service” attacks.
• “Security Rule” shall mean the Security Standards at 45 C.F.R. Parts 160, 162 and 164.
• “Service Agreement” collectively refers to and means the Service Agreement entered between Business Associate and Covered Entity.
• “Subcontractor” means a person to whom a business associate delegates a function, activity, or service, other than in the capacity of a member of the workforce of such business associate.
• “Treatment” shall have the same meaning as the term “treatment” in 45 C.F.R. § 164.501.

2. Responsibilities of Business Associate.

            Business Associate agrees to:

• Except as otherwise permitted by this BAA, the Service Agreement or HIPAA, the Privacy Rule, the Security Rule or the American Recovery and Reinvestment Act of 2009 (the “Recovery Act”), Business Associate will use and disclose Protected Health Information only as permitted or required by the terms of this BAA, HIPAA, the Privacy Rule, the Security Rule, and the Recovery Act, to the extent required to fulfill Business Associate’s obligations under the Service Agreement or to perform any other related function, activity or service specifically requested by Covered Entity in writing, or as Required By Law.
• Use or further disclose only the minimum necessary PHI in performing the activities required under the Service Agreement between the Parties.
• Establish, implement and enforce all appropriate safeguards to prevent the use or disclosure of Protected Health Information other than pursuant to the terms and conditions of this BAA.
• Enter into a written agreement with any Subcontractor or agent that receives, creates, maintains or transmits PHI received by Business Associate from or on behalf of Covered Entity, binding such subcontractor or agent to the same restrictions, terms and conditions that apply to Business Associate pursuant to this HIPAA Agreement with respect to such PHI, including the requirement that the Subcontractor or agent, as applicable, implement reasonable and appropriate safeguards to protect any electronic PHI that is disclosed to it by Business Associate.
• Maintain the integrity of any PHI transmitted by or received from Covered Entity.
• Implement administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the Electronic Protected Health Information that it creates, receives, maintains, or transmits on behalf of Covered Entity. Business Associate shall implement policies and procedures regarding such safeguards.
• Report to Covered Entity in writing any use or disclosure of the PHI of which Business Associate becomes aware that is not provided for under the Service Agreement within forty-five (45) days of Business Associate’s discovery of such use or disclosure.
• Promptly report to Covered Entity any Security Incident of which Business Associate becomes aware.
• Notify Covered Entity of any Breach of Unsecured PHI as soon as practicable, and in no event later than forty-five (45) calendar days after discovery of such Breach by Business Associate. The notice shall include the identification of each Individual whose Unsecured PHI has been, or is reasonably believed by the Business Associate to have been accessed, acquired, or disclosed during such Breach and (b) any particulars regarding the Breach that Customer would need to include in its notification, as such particulars are identified in 42 U.S.C. § 17932 and 45 C.F.R. § 164.404.
• Mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of this BAA.
• Comply with requested restrictions on the disclosure of PHI as communicated to Business Associate by Covered Entity if the disclosure is to a health plan for the purposes of carrying out Payment or Health Care Operations (and is not for the purpose of carrying out Treatment) and the PHI pertains solely to a health care item or service for which the health care provider involved has been paid out of pocket in full.
• If Business Associate maintains Electronic Health Records as that term is defined in Section 13400 of the Recovery Act and an Individual requests a copy of such records, transmit the electronic records directly to an entity or person designated by the Individual, provided that any such choice is clear, conspicuous, and specific. Any fee charged for such electronic records shall not exceed Business Associate’s labor costs.
• to the extent Business Associate is carrying out one or more obligations of Covered Entity under 45 C.F.R. Part 164, Subpart E, Business Associate shall comply with the requirements of Subpart E that apply to Covered Entity in the performance of such obligation(s).

3. Permitted Uses by Business Associate.

            Business Associate may:

• Use PHI in its possession for its proper management and administration or to fulfill any of its legal responsibilities.
• Disclose PHI in its possession to third-parties for its proper management and administration, or to fulfill any of its legal responsibilities; provided that (i) the disclosures are Required By Law, as provided for in 45 C.F.R. § 164.103, or (ii) Business Associate has received reasonable assurances from the third party that the PHI will be held confidentially, and used or further disclosed only as Required By Law or for the purpose for which it was disclosed to the third party, and that the third party will notify Business Associate of any instances of which it is aware in which the confidentiality of the PHI has been breached, as required under 45 C.F.R. § 164.504(e)(4).
• Except as otherwise limited in this BAA, use PHI to provide Data Aggregation services as permitted by 45 C.F.R. § 164.504(e)(2)(i)(B), including use of PHI for statistical compilations, reports, research and all other purposes permitted under applicable law.
• De-identify PHI in accordance with the standards set forth in 45 CFR 164.514(b) and use or disclose such de-identified information for any purpose permitted under applicable law. Pursuant to 45 C.F.R. § 164.502(d), de-identified information does not constitute PHI and is not subject to the terms of this BAA.

4. Responsibilities of Covered Entity.

            Covered Entity shall:

• Provide to Individuals a notice of privacy practices pursuant to 45 C.F.R. § 164.520 that shall, throughout the term of this BAA, give notice of the types of uses and disclosures that are allowed, including types undertaken by Business Associate pursuant to this BAA. Covered Entity shall notify Business Associate in writing of any limitations in Covered Entity’s notice of privacy practices to the extent such limitation(s) may affect Business Associate’s use of PHI.
• Notify Business Associate in writing of any restriction to the use or disclosure of Protected Health Information that Covered Entity has agreed to in accordance with 45 C.F.R. § 164.522 or a restriction pursuant to the Recovery Act § 13405 (a) to which Covered Entity’s compliance was mandatory to the extent such restriction may affect Business Associate’s use or disclosure of Protected Health Information. Before agreeing to any restriction on use or disclosure permitted under 45 C.F.R. § 164.522, but not mandated under the Recovery Act § 13405(a), Covered Entity shall advise Business Associate of the contemplated restrictions and Business Associate shall, as promptly as practicable, advise Covered Entity of the additional costs Covered Entity will incur to implement such restriction.
• Notify Business Associate of any changes to, or withdrawal of, the consent or authorization of an Individual provided to Covered Entity pursuant to 45 C.F.R. § 164.506 or § 164.508 to the extent such changes may affect Business Associate’s ability to perform its obligations under this BAA.
• Implement and maintain appropriate administrative, physical and technical safeguards to protect PHI within the Service. Such safeguards shall comply with federal, state, and local requirements, including the Privacy Rule and the Security Rule. Covered Entity shall maintain appropriate security with regard to all personnel, systems, and administrative processes used by Covered Entity or members of its Workforce to transmit, store and process Electronic PHI through the use of the Service.
• Immediately notify us of any breach or suspected breach of the security of the Service of which Covered Entity becomes aware, or any unauthorized use or disclosure of PHI within or obtained from the Service, and you will take such actions to mitigate the breach, suspected breach, or unauthorized use or disclosure of PHI within or obtained from the Service as we may direct, and will cooperate with us in investigating and mitigating the same.

5. Access to PHI. The parties do not intend for Business Associate to maintain any PHI in a Designated Record Set for Covered Entity.  To the extent Business Associate possesses PHI in a Designated Record Set, Business Associate agrees to make such information available to Covered Entity pursuant to 45 C.F.R. § 164.524 and 42 U.S.C. § 17935(e)(1), as applicable, within ten business days of Business Associate’s receipt of a written request from Covered Entity; provided, however, that Business Associate is not required to provide such access where the PHI contained in a Designated Record Set is duplicative of the PHI contained in a Designated Record Set possessed by Customer.  If an Individual makes a request for access pursuant to 45 C.F.R. § 164.524 directly to Business Associate, or inquires about his or her right to access, Business Associate will direct the Individual to Covered Entity.
6. Amendment of PHI. The parties do not intend for Business Associate to maintain any PHI in a Designated Record Set for Covered Entity.  To the extent Business Associate possesses PHI in a Designated Record Set, Business Associate agrees to make such information available to Covered Entity for amendment pursuant to 45 C.F.R. § 164.526 within 20 business days of Business Associate’s receipt of a written request from Covered Entity.  If an Individual submits a written request for amendment pursuant to 45 C.F.R. § 164.526 directly to Business Associate, or inquires about his or her right to amendment, Business Associate will direct the Individual to Covered Entity.
7. Documentation of Disclosures of PHI. Business Associate agrees to document disclosures of PHI in accordance with 45 C.F.R. 164.528, in order for Covered Entity to respond to a request from an Individual for an accounting of disclosures of PHI or in order for the Business Associate to respond to a request for an accounting to the extent required by HIPAA and the Recovery Act.
8. Accounting for Disclosures of PHI. Within thirty (30) days of written notice by Covered Entity to Business Associate that it has received a request for an accounting of disclosures of PHI, Business Associate shall make available to Covered Entity such information as is in Business Associate’s possession required for Covered Entity to satisfy the accounting of disclosures requirement set forth in the Privacy Rule.  In the event the request for an accounting is delivered directly to Business Associate, Business Associate shall, within five (5) days, forward the request to Covered Entity.  It shall be Covered Entity’s responsibility to prepare and deliver any such accounting requested.
9. Government Access. Business Associate will make its internal policies, procedures, books and records relating to use and disclosure of PHI (excluding the actual PHI) received from, or created or received by Business Associate on behalf of Covered Entity, available to the Secretary for purposes of determining Covered Entity’s compliance with the HIPAA Privacy and Security Rules, subject to any privileges covering Business Associate.
10. 42 CFR Part 2 Responsibilities.
    • To the extent that in performing its services for or on behalf of Covered Entity, Business Associate uses, discloses, maintains, or transmits PHI that is protected by 42 CFR Part 2, Business Associate acknowledges and agrees that in receiving, storing, processing or otherwise dealing with any such patient records, it is fully bound by the Part 2 regulations; and, if necessary will resist in judicial proceedings any efforts to obtain access to patient records except as permitted by the Part 2 regulations.
    • Notwithstanding any other language in this Agreement, Business Associate acknowledges and agrees that any patient information it receives from Covered Entity that is protected by Part 2 is subject to protections that prohibit Business Associate from disclosing such information to agents or subcontractors without the specific written consent of the subject individual.
11. Term. This BAA shall become effective on the Order Effective Date and shall remain in effect unless otherwise terminated as provided in Section 12.
12. Termination.
    • Automatic Termination. This BAA will automatically terminate without any further action of the Parties upon termination of the Services;  provided, however, certain provisions and requirements of this BAA shall survive such expiration or termination in accordance with Section 12.
    • Termination for Cause. Either Party may immediately terminate this BAA, the Services Agreement and any related agreements if the Party makes the determination that the other Party has breached a material term of this BAA.  Alternatively, and in the sole discretion of the non-breaching Party, the non-breaching Party may choose to provide the breaching Party with written notice of the existence of the Breach and provide the breaching Party thirty (30) calendar days to cure said breach upon mutually agreeable terms.  Failure by the breaching Party to cure said breach or violation in the manner set forth above shall be grounds for immediate termination of the Services Agreement by the non-breaching Party.  If termination is not feasible, the Covered Entity shall report the problem to the Secretary.
13. Effect of Termination. Upon termination of this BAA, Business Associate agrees to return or destroy all PHI in whatever form or medium (including any Electronic Media under Business Associate’s custody or control) received from Covered Entity, created, received, transmitted or maintained by Business Associate on behalf of Covered Entity, including all copies of any data or compilations derived from PHI that are in the possession of subcontractors or agents of Business Associate, except to the extent that such PHI is necessary to carry out Business Associate’s obligations under the associated Agreement.  Business Associate shall retain no copies of the PHI except those stored within standard backups.  Business Associate will complete such return or destruction as promptly as possible, following termination, cancellation, expiration or other conclusion of this BAA.
14. Third-Party Beneficiaries. Nothing in this BAA shall be construed to create third-party beneficiary rights in any person or entity.
15. Amendments; Waiver. This BAA may not be modified, nor shall any provision be waived or amended, except in a writing duly signed by authorized representatives of the Parties.  The failure of either Party to enforce at any time any provision of this BAA shall not be construed to be a waiver of such provision, nor in any way to affect the validity of this BAA or the right of either Party thereafter to enforce each and every such provision.
16. Notices. Any notice or other communication required or desired to be given to any Party under this BAA shall be in writing and shall be deemed given when (a) deposited in the United States mail, first-class postage prepaid, and addressed to that Party at the address for such Party set forth below; (b) the next business day immediately following delivery to Federal Express, or any other similar express delivery service for next-day delivery to that Party at that address; or (c) sent by email transmission, with electronic confirmation, to that Party at its email address set forth below.  Any Party may change its address or email address for notices under this BAA by giving the other party notice of such change.  

Notice of change of address of a Party shall be given in writing to the other Party as provided above

17. Governing Law, Venue and Attorney Fees and Costs. This BAA shall be governed by and construed in accordance with the laws of the State of Florida.  In the event of any litigation in connection with, arising out of, or related to this BAA, the Parties agree that the Circuit Court of Dade County, Florida shall be the exclusive venue and jurisdiction for any litigation.  At the option of Covered Entity, the United States District Court for the Southern District of Florida, Miami Division, shall be the exclusive venue and jurisdiction for any litigation.
18. Assignment. Neither Party may assign this BAA without the prior written consent of the other, except in accordance with the terms of the underlying Service Agreement. 
19. Compliance with Law; Regulatory Changes. It is the Parties’ intent to comply with HIPAA in connection with this BAA.  In the event there shall be a change in HIPAA, or in the reasoned interpretation of any of HIPAA or the adoption of new federal legislation governing the privacy or security of PHI, any of which are reasonably likely to materially and adversely affect the manner in which either Party may perform or be compensated under this BAA or which shall make this BAA unlawful, then the Parties agree to negotiate in good faith to amend this BAA, to the extent possible consistent with its purposes, to conform to law and approximate as closely as possible the economic position of the Parties prior to the change.
20. Severability. In the event any provision of this BAA is held to be unenforceable for any reason, the unenforceability thereof shall not affect the remainder of this BAA, which shall remain in full force and effect and enforceable in accordance with its terms.
21. Binding Effect. The provisions of this BAA shall be binding upon and shall inure to the benefit of the Parties and their respective heirs, executors, administrators, legal representatives, successors and assigns.
22. Headings. All section headings contained in this BAA are to be considered for reference purposes only, and are not intended to define or limit the scope of any provisions of this BAA.
23. Conflict. In the event of an express conflict between the terms governing confidentiality of PHI in the Ts&Cs and this BAA, the terms and conditions of this BAA shall govern.

Last Updated: March 26, 2024