© 2023 SocialClimb, LLC. Do not copy and edit this contract form. If you have questions or concerns regarding the contents of this contract, please contact SocialClimb.
BUSINESS ASSOCIATE AGREEMENT
THIS BUSINESS ASSOCIATE AGREEMENT (this “BAA”) is between SocialClimb, LLC, with a principal place of business at 1355 W Innovation Way #500, Lehi, UT 84043 (“SocialClimb”) and each customer of SocialClimb that is a Covered Entity under HIPAA (“Covered Entity”) and has signed a Master Subscription and Services Agreement or other agreement with SocialClimb (the “Services Agreement”) that may require SocialClimb to access, use and/or disclose PHI received from Covered Entity, as a business associate. However, if SocialClimb and Covered Entity have signed a different form of Business Associate Agreement, that form shall apply rather than this BAA.
WHEREAS, the parties desire to ensure that their respective rights and responsibilities under the Services Agreement are in accordance with applicable federal statutory and regulatory requirements relating to the access, use and disclosure of Protected Health Information (or “PHI”), including, without limitation, the Standards for Privacy of Individually Identifiable Health Information, and the Security Standards, collectively codified at 45 C.F.R. Parts 160, 162 and 164 (respectively the “Privacy Standards” and “Security Standards”) under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the Health Information Technology for Economic and Clinical Health Act, as set forth in Subtitle D of the American Recovery and Reinvestment Act of 2009 (“HITECH”); and
WHEREAS, the purpose of this BAA is to satisfy certain standards and requirements of HIPAA, HITECH, the Privacy Standards, and the Security Standards, and regulations thereunder;
NOW, THEREFORE, in consideration of the foregoing recitals and the mutual covenants and agreement set forth herein, SocialClimb and Covered Entity agree as follows:
1. Definitions.
a. “Electronic Health Record” shall have the same meaning as the term “electronic health record” in the American Recovery and Reinvestment Act of 2009, § 13400(5).
b. “HIPAA Rules” shall mean the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Part 160 and Part 164 and regulations issued thereunder, as may be expanded by HITECH.
c. “Protected Health Information” or “PHI” has the meaning given to Protected Health Information in the HIPAA Rules and, for purposes of this BAA, is limited to PHI that is provided, created, exchanged or received by or between SocialClimb and Covered Entity.
d. Other Terms. Unless otherwise defined in this BAA, all capitalized words, including Breach, Data Aggregation, Designated Record Set, Disclosure, Electronic Protected Health Information (or “Electronic PHI”), Electronic Transactions Rule, Health Care Operations, Individual, Minimum Necessary, Notice of Privacy Practices, Required by Law, Secretary, Security Incident, Subcontractor, Transaction, Unsecured Protected Health Information, and Use, shall have the meanings set forth in the HIPAA Rules, as modified from time to time.
e. Regulatory References. A reference in this BAA to a section in the HIPAA Rules means the section as then in effect or as amended.
2. Scope. This BAA sets forth the terms and conditions pursuant to which any and all PHI will be handled. SocialClimb and Covered Entity will comply with all applicable laws, including those governing the creation, use, disclosure, access, storage, and maintenance of PHI. This BAA supplements the Services Agreement between SocialClimb and Covered Entity and is incorporated therein by reference.
3. Duties and Responsibilities of SocialClimb: SocialClimb agrees to:
a. Use and Disclosure of PHI. Not Use or Disclose PHI other than as permitted or required by this BAA, as set forth in Section 4.a below, or as required by applicable law;
b. Safeguards. Use reasonable and appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 and HITECH with respect to electronic PHI, to protect the security of all PHI against Security Incidents, prohibited Uses or Disclosures of PHI or other misuse of PHI, as required by the HIPAA Rules;
c. Required Reporting. Report to Covered Entity, within five (5) business days, any prohibited Use or Disclosure of PHI of which SocialClimb becomes aware, by SocialClimb, any of its employees, Subcontractors or agents, or any third party receiving or obtaining such PHI from or through SocialClimb, including Breaches of Unsecured Protected Health Information, in addition to any other reporting obligations of SocialClimb under the HIPAA Rules, as well as any Security Incident of which it becomes aware; provided, however, that the parties acknowledge and agree that from time to time Unsuccessful Security Incidents may occur, that this section constitutes notice to Covered Entity with respect to such incidents, and that no additional notice to Covered Entity is required for such incidents. “Unsuccessful Security Incidents” means any pings and other broadcast attacks on SocialClimb’s firewall, port scans, unsuccessful log-on attempts, denial of service attacks, and/or comparable attacks or attempts, as long as no such incident results in unauthorized access, Use or Disclosure of PHI. Such reports will include a description of the PHI used or disclosed and the nature of the Use or Disclosure, to the extent such information is known by SocialClimb;
d. Subcontractors. In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, ensure that any Subcontractors that create, receive, maintain, or transmit PHI or Electronic PHI on behalf of SocialClimb agree to the same restrictions, conditions, and requirements that apply to SocialClimb with respect to such PHI or Electronic PHI, including the obligation to report to SocialClimb any unauthorized disclosures of PHI;
e. Individual and Third Party Requests. If SocialClimb receives a request from an Individual or any third party to inspect, obtain a copy of, or amend PHI, SocialClimb will forward such request in writing to Covered Entity within five (5) business days of receiving the request. Covered Entity will be responsible for making all determinations regarding the third party request for PHI; SocialClimb will neither make such determinations nor release PHI to a third party pursuant to such a request, except if and to the extent required by the HIPAA Rules;
f. Designated Record Sets. If SocialClimb’s services under the Services Agreement require it to maintain a Designated Record Set, then:
(i) within five (5) business days of Covered Entity’s request to SocialClimb for a copy of PHI, SocialClimb will provide the requested PHI to Covered Entity, as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.524; and
(ii) SocialClimb will make any amendment(s) to PHI in a Designated Record Set as directed or agreed to by Covered Entity pursuant to 45 CFR 164.526, or take other measures as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.526;
g. Accounting of Disclosures. Maintain and, within ten (10) business days of receiving a request, or sooner if Required by Law, make available the information required to provide an accounting of disclosures to either Covered Entity or the Individual as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.528, for a period of at least six (6) years following the date of termination of this BAA;
h. Comply with Applicable Obligations of Covered Entity. To the extent SocialClimb is to carry out one or more of Covered Entity’s obligation(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to Covered Entity in the performance of such obligation(s);
i. Books and Records. Make its internal practices, books, and records relating to the Use and Disclosure of PHI available to the Secretary for purposes of determining compliance with the HIPAA Rules. Neither SocialClimb nor Covered Entity waives any attorney-client, accountant-client, or other legal privilege or confidentiality as a result of this section; and
j. Training. SocialClimb will require each employee who will have access to PHI to comply with the restrictions and conditions applicable to SocialClimb herein. SocialClimb will train its employees who may have access to PHI regarding the terms and conditions of this BAA and their obligations under the HIPAA Rules.
k. Electronic PHI. SocialClimb will comply with the Security Standards and will use appropriate administrative, technical, and physical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of Electronic PHI that SocialClimb creates, receives, maintains, or transmits on Covered Entity’s behalf, as required by the Security Standards. SocialClimb shall review and modify the security measures implemented in accordance with the above as needed to continue provision of reasonable and appropriate protection of Electronic PHI. SocialClimb shall update documentation of such security measures in accordance with 45 C.F.R. § 164.316(b)(2)(iii) and shall designate a security officer and undertake appropriate training of its personnel in accordance with the Security Standards.
l. Compliance with Electronic Transactions Rule. If SocialClimb conducts in whole or part electronic Transactions on behalf of Covered Entity for which the Department of Health and Human Services has established standards, SocialClimb shall comply, and will require any Subcontractor it involves with the conduct of such Transactions to comply, with each applicable requirement of the Electronic Transactions Rule.
4. Permitted Uses and Disclosures by SocialClimb.
a. Permitted Uses and Disclosures. SocialClimb may only Use or Disclose PHI:
(i) as required to perform services for Covered Entity as specified under the Services Agreement or other agreement between the parties;
(ii) for SocialClimb’s proper management and administration (including improving its services), or to carry out the legal responsibilities of SocialClimb, provided the disclosures are Required by Law, or SocialClimb obtains reasonable assurances from the person to whom the information is disclosed that the information will remain confidential and Used or further Disclosed only as Required by Law or for the purposes for which it was disclosed to the person, and the person notifies SocialClimb of any instances of which it is aware in which the confidentiality of the information has been breached;
(iii) to provide Data Aggregation services relating to the Health Care Operations of Covered Entity, if so provided under the Services Agreement or otherwise agreed in writing by the parties; and/or
(iv) to create de-identified information, in accordance with the standards set forth in 45 CFR 164.514(a)-(c), for SocialClimb’s use in performing predictive analytics functions and creating predictive data models, for use for its internal purposes of providing and improving SocialClimb’s products and services and such other purposes as are permitted under the Services Agreement.
b. Required Uses and Disclosures. SocialClimb shall disclose PHI (i) when required by the Secretary of HHS under 45 C.F.R. Part 160, Subpart C to investigate or determine SocialClimb’s compliance with Subchapter C of 45 C.F.R., Subtitle A, and (ii) to Covered Entity, the individual or the individual’s designee, as necessary to satisfy Covered Entity’s obligations under 45 C.F.R. § 164.524(c)(2)(ii) and (3)(ii) with respect to the individual’s request for an electronic copy of his or her PHI.
c. Access. SocialClimb will make available PHI in accordance with 45 C.F.R. § 164.524, upon request from Covered Entity, so that Covered Entity may meet its access obligations under 45 C.F.R. § 164.524.
d. Minimum Necessary. SocialClimb will, in its performance of the functions, activities, services, and operations specified above, make reasonable efforts to use, to disclose, and to request only the minimum amount of the PHI reasonably necessary to accomplish the intended purpose of the use, disclosure or request, except that SocialClimb will not be obligated to comply with this minimum-necessary limitation of 45 C.F.R. § 164.502(b) if neither SocialClimb nor Covered Entity is required to limit its use, disclosure or request to the minimum necessary. SocialClimb and Covered Entity acknowledge that the phrase “minimum necessary” shall be interpreted in accordance with 45 C.F.R. § 164.502(b).
e. Subpart E. SocialClimb may not Use or Disclose PHI in a manner that would violate Subpart E of 45 CFR Part 164 if done by Covered Entity, except for the specific Uses and Disclosures set forth in Section 4.a.
5. Obligations of Covered Entity.
a. Notice of Privacy Practices. Covered Entity shall notify SocialClimb of any limitation(s) in the Notice of Privacy Practices of Covered Entity under 45 CFR 164.520, to the extent that such limitation may affect SocialClimb’s Use or Disclosure of PHI.
b. Notice of Changes in Consent. Covered Entity shall notify SocialClimb of any changes in, or revocation of, the permission by an Individual to Use or Disclose his or her PHI, to the extent that such changes may affect SocialClimb’s Use or Disclosure of PHI.
c. Notice of Restrictions. Covered Entity shall notify SocialClimb of any restriction on the Use or Disclosure of PHI that Covered Entity has agreed to or is required to abide by under 45 CFR 164.522, to the extent that such restriction may affect SocialClimb’s Use or Disclosure of PHI.
d. Permitted Requests. Covered Entity will not request or require SocialClimb to Use or Disclose PHI in any manner that would not be permissible under the HIPAA Rules if done by Covered Entity.
6. Term and Termination.
a. Term. The term of this BAA shall begin upon the effective date of the Services Agreement and shall continue in effect until terminated as provided herein and until SocialClimb returns or destroys all PHI.
b. Termination at End of Business Association. This BAA will automatically terminate without further action of the parties upon the termination or expiration of the business association between SocialClimb and Covered Entity.
c. Termination for Cause. If either party materially breaches this BAA, the other party may terminate this BAA and, at its election, the Services Agreement, subject to thirty (30) days prior written notice and opportunity to cure the breach. However, if SocialClimb has breached a material term of this BAA and cure is not possible, Covered Entity may immediately terminate this BAA.
d. Effect of Termination. Termination of this BAA will automatically result in termination of the Services Agreement. Within thirty (30) days of the termination of this BAA, SocialClimb will either return to Covered Entity or, if agreed to by Covered Entity, destroy all PHI that SocialClimb still maintains in any form (including any information in the possession of any employee, Subcontractor or other agent of SocialClimb). Upon request of Covered Entity, SocialClimb will provide a certificate to Covered Entity acknowledging such destruction. SocialClimb will thereafter retain no written, digital, back-up or other copies of any PHI. Notwithstanding the foregoing, if the return or destruction of PHI upon termination is not feasible, SocialClimb shall so inform Covered Entity and will continue to maintain the security and privacy of such Protected Health Information in a manner consistent with the obligations of this BAA and as required by applicable law, for so long as SocialClimb is in possession of such information. SocialClimb will return or destroy such retained PHI as soon as is reasonably feasible. SocialClimb may retain all de-identified information created prior to the date of termination of this BAA. The obligations of SocialClimb under this Section 6 shall survive the termination of this BAA.
7. Ownership. As between the parties, all PHI is and will remain the property of Covered Entity.
8. Limitation of Liability. NOTWITHSTANDING ANY OTHER PROVISION IN THIS BAA, UNDER NO CIRCUMSTANCES WILL BUSINESS ASSOCIATE HAVE ANY OBLIGATION OR LIABILITY HEREUNDER FOR ANY INCIDENTAL, INDIRECT, CONSEQUENTIAL, COLLATERAL, EXEMPLARY, PUNITIVE OR SPECIAL DAMAGES INCURRED BY COVERED ENTITY (INCLUDING DAMAGES FOR LOST BUSINESS, LOST PROFITS, COSTS OF COVER, COSTS OF DELAY, OR DAMAGES TO BUSINESS REPUTATION), REGARDLESS OF HOW SUCH DAMAGES ARISE, WHETHER OR NOT BUSINESS ASSOCIATE WAS ADVISED SUCH DAMAGES MIGHT ARISE, OR THE FAILURE OF THE ESSENTIAL PURPOSE OF ANY LIMITED REMEDY. IN NO EVENT SHALL BUSINESS ASSOCIATE HAVE ANY OBLIGATION, OR BE LIABLE FOR ANY DAMAGES, DIRECT OR OTHERWISE, UNDER THIS BAA IN EXCESS OF THE TOTAL AMOUNTS PAID BY COVERED ENTITY TO BUSINESS ASSOCIATE PURSUANT TO THE SERVICES AGREEMENT. These limitations are cumulative; the sum of multiple claims may not exceed such limit.
9. Miscellaneous.
a. Assignment; Binding Effect. This BAA is personal to SocialClimb and Covered Entity and may not be assigned or delegated by either party without the prior written consent of the other party in each instance; provided, however, that in the event of a permitted assignment of the Services Agreement, this BAA may be assigned together with the Services Agreement. This BAA shall be binding upon and shall inure to the benefit of the parties hereto and their respective representatives, successors, and permitted assigns.
b. Entire Agreement; Amendment. This BAA contains the entire agreement between the parties, and supersedes all prior or contemporaneous agreements, understandings, or representations with respect to the subject matter hereof. SocialClimb and Covered Entity hereby agree to amend this BAA to the extent necessary to allow both parties to comply with the HIPAA Rules as they may be amended or recodified from time to time, or to comply with other applicable regulations or statutes for the protection of PHI. SocialClimb also may update this BAA from time to time, subject to compliance with the HIPAA Rules, by posting an amended BAA to Covered Entity’s SocialClimb Service Dashboard with notice to Covered Entity of this revision by email or in-app notification. The revised version will become effective and binding the next business day after it is posted. If Covered Entity does not agree with a modification to this BAA, Covered Entity must notify SocialClimb in writing of any reasonable objections within thirty (30) days after SocialClimb sends notice of the revision. If Covered Entity provides such notice, then the prior form of BAA will continue to apply until Covered Entity’s next renewal date, after which the updated version of this BAA will apply.
c. Severability. If any term or provision of this BAA shall to any extent be invalid or unenforceable, the remainder of this BAA shall not be affected thereby and each term and provision of this BAA shall be valid and enforced to the fullest extent permitted by law.
d. Conflict. The terms and provisions of this BAA shall supersede any other conflicting or inconsistent terms and provisions in the Services Agreement, including all exhibits or other attachments thereto and all documents incorporated therein by reference.
e. Choice of Law and Venue. This BAA shall be construed in accordance with the laws of the State of Utah, without giving effect to the choice of law provisions thereof. Venue for any action or proceeding related to this BAA shall be in the state or federal courts of the state of Utah, as appropriate. The parties agree to the personal jurisdiction and venue of such courts.
f. Notices. Any notice or report hereunder shall be deemed given if delivered or sent by first class mail, postage prepaid, addressed to the other party at the address first set forth above, or at such other address as designated by the party by written notice, or by commercial delivery service, or by confirmed email or facsimile. If notice is given by mail and the notice affects the other party’s rights hereunder, the effective date of the notice shall be seven (7) days after the date of mailing or the date the notice is received, whichever is earlier.
g. Interpretation. Any ambiguity in this BAA shall be interpreted to permit compliance with the HIPAA Rules.