Business Associate Agreement (BAA) for Unhush Global Inc.
This Business Associate Agreement ("Agreement") is made and entered into as of [Effective Date] by and between Unhush Global Inc. ("Business Associate") and the entity using the Unhush Platform and Services ("Covered Entity"). Business Associate and Covered Entity may collectively be referred to as "Parties" or individually as a "Party."
WHEREAS, Covered Entity is a Covered Entity under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and its implementing regulations, including the Privacy Rule, Security Rule, and Breach Notification Rule;
WHEREAS, Business Associate provides certain services to Covered Entity that involve the use or disclosure of Protected Health Information ("PHI");
WHEREAS, the Parties desire to comply with the requirements of HIPAA and the HITECH Act by entering into this Agreement to protect the privacy and security of PHI in accordance with the HIPAA Rules.
The terms used in this BAA have the meanings set forth in this BAA. Capitalized terms not otherwise defined herein, and that are also not defined in HIPAA, have the meaning given to them in the Agreement, if applicable and as defined below.
This Agreement takes effect on the date (the “Agreement Effective Date”) when you click the “Accept Unhush Business Associate Agreement” button (or other electronic means made available by Unhush for such purpose) presented with this Agreement (an “Accept Button”). You represent to Unhush that you are lawfully able to enter into contracts, and if you are entering into this Agreement for an entity, such as the company you work for, you represent to Unhush that you have legal authority to bind that entity.
NOW, THEREFORE, in consideration of the mutual covenants and agreements set forth herein, the Parties agree as follows:
1. Purpose
This Agreement is intended to ensure that Business Associate will establish and implement appropriate safeguards for Protected Health Information ("PHI") that Business Associate may receive, create, use, or disclose in connection with certain functions, activities, or services to be provided by Business Associate to Covered Entity.
2. Definitions
Catch-all definition:
The following terms used in this Agreement shall have the same meaning as those terms in the HIPAA Rules: Breach, Data Aggregation, Designated Record Set, Disclosure, Health Care Operations, Individual, Minimum Necessary, Notice of Privacy Practices, Protected Health Information, Required By Law, Security Incident, Subcontractor, Unsecured Protected Health Information, and Use.
Specific definitions:
2.1 "HIPAA Rules" means the HIPAA Privacy Rule, Security Rule, Breach Notification Rule, and any other applicable regulations issued under HIPAA.
2.2 "Protected Health Information (PHI)" shall have the same meaning as the term "protected health information" as defined in 45 CFR § 160.103.
2.3 "Business Associate" shall have the same meaning as the term "business associate" as defined in 45 CFR § 160.103.
2.4 "Covered Entity" shall have the same meaning as the term "covered entity" as defined in 45 CFR § 160.103.
2.5 "Subcontractor" means a person or entity to whom a Business Associate delegates a function, activity, or service that involves PHI.
3. Obligations and Activities of Business Associate
3.1 Use and Disclosure of PHI
Business Associate agrees to not use or disclose PHI other than as permitted or required by this Agreement or as required by law. Business Associate shall use or disclose PHI solely for the purpose of providing the services outlined in the Terms of Service Agreement between the Parties.
3.2 Safeguards
Business Associate agrees to implement appropriate safeguards to prevent use or disclosure of PHI other than as provided for by this Agreement. Such safeguards include, but are not limited to, administrative, physical, and technical safeguards as required under the HIPAA Security Rule.
Safeguarding Responsibilities of Unhush
3.2.1 Data Security and Confidentiality:
Encryption: Unhush will employ robust encryption methods for PHI both in transit and at rest to protect against unauthorized access and breaches.
Access Controls: Implement stringent access control measures to ensure that only authorized personnel have access to PHI. This includes role-based access controls and strong authentication mechanisms.
Secure Storage: PHI will be stored in secure, HIPAA-compliant cloud environments, with data access restricted to authorized individuals and systems.
Audit Trails: Maintain comprehensive audit trails to monitor and log access to PHI, ensuring transparency and accountability.
3.2.2 Compliance with Legal Standards:
HIPAA Compliance: Adhere to all applicable provisions of HIPAA (Health Insurance Portability and Accountability Act) and any other relevant data protection laws.
Business Associate Agreements (BAAs): Execute BAAs with subcontractors and third-party service providers who handle PHI to ensure they meet the same security and confidentiality standards.
Regular Reviews: Conduct regular reviews and updates to security policies and procedures to ensure ongoing compliance with legal requirements and best practices.
3.2.3 Data Integrity and Accuracy:
Data Accuracy: Implement procedures to ensure that all PHI entered into the Unhush system is accurate, complete, and free from errors. This includes mechanisms for Providers to review and verify session data.
Error Correction: Establish processes for promptly correcting any inaccuracies or discrepancies in PHI as reported by Providers or Clients/Patients.
3.2.4 Incident Management:
Breach Notification: Develop and maintain a breach notification policy to promptly notify affected parties, including Providers, Clients/Patients, and regulatory bodies, in the event of a data breach.
Incident Response: Have a defined incident response plan to address any security incidents, including identification, containment, eradication, and recovery.
3.2.5 Training and Awareness:
Employee Training: Provide regular training for employees on data security practices, HIPAA compliance, and the importance of safeguarding PHI.
Ongoing Awareness: Promote ongoing awareness of security best practices and potential threats to ensure a culture of security within the organization.
3.2.6 Vendor Management:
Due Diligence: Perform due diligence on third-party vendors and service providers to ensure they comply with relevant data protection standards and practices.
Monitoring: Regularly monitor and review the security practices of third-party vendors to ensure continued compliance with contractual and regulatory obligations.
3.3 Subcontractors and Agents
Business Associate shall ensure that any Subcontractor or agent to whom it provides PHI agrees to the same restrictions and conditions that apply to Business Associate under this Agreement.
Subcontractor Compliance with HIPAA Requirements
3.3.1 Subcontractor Selection and Oversight:
Due Diligence: Unhush will conduct due diligence before engaging any subcontractor that will have access to Protected Health Information (PHI). This includes evaluating the subcontractor's ability to comply with HIPAA requirements and their overall security posture.
Contractual Obligations: Unhush will ensure that all subcontractors are bound by written agreements that include provisions ensuring their compliance with HIPAA requirements. These agreements will include terms that mirror the requirements set forth in this BAA and specifically address the subcontractor's obligations to protect PHI.
3.3.2 Subcontractor Agreements:
Business Associate Agreements: All subcontractors that handle PHI will be required to enter into a Business Associate Agreement with Unhush. This agreement will detail the subcontractor’s responsibilities regarding the protection of PHI and their compliance with HIPAA.
HIPAA Compliance Requirements: The subcontractor agreement will stipulate that subcontractors must adhere to all applicable HIPAA privacy and security regulations. This includes safeguarding PHI from unauthorized access, use, or disclosure and implementing appropriate administrative, physical, and technical safeguards.
3.3.3 Monitoring and Auditing:
Regular Audits: Unhush will conduct regular audits of subcontractors to ensure compliance with HIPAA requirements and the terms of the subcontractor agreements. These audits may include reviewing security practices, data access logs, and incident reports.
Performance Reviews: Performance reviews will be conducted periodically to assess the subcontractor's adherence to HIPAA requirements and to address any identified deficiencies or issues.
3.3.4 Subcontractor Compliance Reporting:
Incident Reporting: Subcontractors are required to promptly report any breaches or potential breaches of PHI to Unhush. This includes reporting any security incidents, unauthorized access, or other compliance issues.
Compliance Documentation: Subcontractors must provide documentation of their compliance with HIPAA requirements upon request. This may include records of security measures, training programs, and any incidents or breaches.
3.3.5 Termination of Subcontractor Agreements:
Breach of Compliance: Unhush reserves the right to terminate any subcontractor agreement if the subcontractor fails to comply with HIPAA requirements or the terms of the agreement. Termination will be executed in accordance with the provisions of the subcontractor agreement and applicable laws.
Data Return or Destruction: Upon termination of a subcontractor agreement, Unhush will ensure that any PHI in the possession of the subcontractor is returned or destroyed in accordance with the terms of the agreement and applicable regulations.
3.4 Reporting of Breaches
Business Associate agrees to report to Covered Entity any use or disclosure of PHI not provided for by this Agreement, including any breaches of unsecured PHI, as soon as practicable but no later than 30 days after discovery of the breach.
Procedures for Handling and Reporting Data Breaches Involving PHI
3.4.1 Definition of a Data Breach:
A data breach is defined as any unauthorized access, use, disclosure, or acquisition of Protected Health Information (PHI) that compromises the security or privacy of PHI. This includes incidents where PHI is accessed or acquired by unauthorized individuals, whether intentional or accidental.
3.4.2 Breach Notification Procedures:
Notification Timeline: Unhush will notify the Covered Entity (the Provider) without unreasonable delay and within 24 hours upon discovering a breach of PHI. This notification will include details about the nature of the breach, the type of PHI involved, and the steps being taken to address the breach.
Content of Notification: The breach notification will provide sufficient information to allow the Covered Entity to understand the scope of the breach, including affected individuals, potential risks, and recommended actions. It will also outline any mitigation measures taken or planned.
Notification to Individuals: If the breach involves unsecured PHI and affects more than 500 individuals, Unhush will notify affected individuals directly, as well as notify the Secretary of the Department of Health and Human Services (HHS) as required under HIPAA.
3.4.3 Incident Response Plan:
Incident Identification: Implement procedures for promptly identifying and assessing potential security incidents or breaches, including monitoring systems for signs of unauthorized access or data loss.
Containment and Mitigation: Once a breach is identified, Unhush will take immediate steps to contain the breach, prevent further unauthorized access, and mitigate any potential harm. This may include isolating affected systems, disabling compromised accounts, and applying patches or updates.
Investigation and Analysis: Conduct a thorough investigation to determine the cause of the breach, the extent of the exposure, and the impact on affected PHI. This includes analyzing how the breach occurred and identifying any weaknesses in existing security measures.
Correction and Remediation: Develop and implement corrective actions to address the root cause of the breach and prevent recurrence. This may involve updating security policies, enhancing training programs, or improving technical controls.
3.4.4 Documentation and Reporting:
Incident Documentation: Maintain detailed records of the breach or security incident, including the investigation findings, corrective actions taken, and communication with affected parties. This documentation will be used for internal review and may be required for regulatory reporting.
Regulatory Reporting: Report the breach to relevant regulatory bodies, such as the HHS or state attorneys general, in accordance with applicable laws and regulations. Ensure that reports are submitted within the required timeframes.
3.4.5 Notification to Covered Entity:
Timely Reporting: Unhush will notify the Covered Entity of any data breach involving PHI within 30 business days of discovering the breach. The notification will be sent to the Covered Entity’s designated contact person or office.
Details of the Breach: The notification will include detailed information about the breach, including the nature of the breach, the PHI involved, the steps taken to address the breach, and any potential risks to individuals.
3.4.6 Notification to Affected Individuals:
Notification Requirement: If required by HIPAA, Unhush will assist the Covered Entity in notifying affected individuals of the breach. This notification will include information about what occurred, the PHI affected, and steps individuals can take to protect themselves.
Content of Notification: The notification will include a description of the breach, the type of information involved, what steps the Covered Entity and Unhush are taking to address the breach, and contact information for additional inquiries.
3.4.7 Regulatory Reporting:
Reporting to Authorities: Unhush will assist the Covered Entity in reporting the breach to the Department of Health and Human Services (HHS) and other relevant regulatory bodies as required by HIPAA. This includes preparing and submitting necessary documentation and reports.
3.4.8 Review and Improvement:
Post-Incident Review: Following the breach, Unhush will conduct a post-incident review to evaluate the response and identify any areas for improvement. This review will inform updates to security policies, procedures, and training programs to prevent future breaches.
3.4.9 Continuous Improvement:
Review and Update Policies: Regularly review and update incident response policies and procedures based on lessons learned from each incident. Ensure that security practices are adapted to address emerging threats and vulnerabilities.
Training and Awareness: Incorporate findings from incidents into ongoing training programs for employees and contractors to enhance their awareness of security risks and proper response protocols.
3.4.10 Contact Information:
Privacy Officer Contact: For any questions or concerns regarding data breaches or PHI security, the Covered Entity may contact Unhush’s Privacy Officer at privacy@un-hush.com.
3.5 Access to PHI
Business Associate agrees to make PHI available to Covered Entity or an individual in accordance with 45 CFR § 164.524.
3.5.1 Data Retention Policy:
Retention Period: Unhush will retain PHI for as long as necessary to fulfill the purposes for which it was collected, in accordance with applicable laws and regulations. This period typically includes the duration of the business relationship with the Covered Entity and any additional time required to comply with legal, regulatory, or contractual obligations.
Compliance with Laws: Retention periods for PHI will comply with federal, state, and local laws, including HIPAA requirements. The Covered Entity is responsible for retaining PHI for the minimum period required by law, which is generally six years from the date of creation or the date when it was last in effect, whichever is later.
3.5.2 Data Management:
Periodic Review: Conduct regular reviews of retained PHI to ensure that it is still necessary for business or legal purposes. This includes assessing the relevance and accuracy of the data and ensuring that it is securely stored.
Access Control: Implement access controls to limit access to retained PHI to authorized personnel only. This includes ensuring that only individuals with a legitimate need to access the data can do so.
3.5.3 Data Destruction Procedures:
Destruction Methods: Upon the expiration of the retention period or upon request by the Covered Entity, Unhush will securely destroy or de-identify PHI in a manner that ensures it cannot be reconstructed or retrieved. Acceptable methods of destruction include shredding physical documents, securely deleting electronic records, and degaussing magnetic media.
Documentation of Destruction: Maintain documentation of data destruction activities, including the date of destruction, the method used, and the type of data destroyed. This documentation will be kept for audit and compliance purposes.
3.5.4 Notification of Data Destruction:
Confirmation of Destruction: Provide confirmation to the Covered Entity upon completion of the destruction of PHI, including details of the data destroyed and the method used. This confirmation will serve as proof of compliance with data retention and destruction requirements.
3.6 Amendment of PHI
Business Associate agrees to make PHI available for amendment and incorporate any amendments to PHI in accordance with 45 CFR § 164.526.
Requests for Data Destruction:
Requests by Covered Entity: The Covered Entity may request the destruction of PHI at any time. Unhush will comply with such requests in a timely manner, ensuring that all copies of the PHI are securely destroyed or de-identified as per the agreed-upon procedures.
Data De-identification: If destruction is not feasible or if the data needs to be retained for analytical or other purposes, Unhush will de-identify the PHI in accordance with HIPAA guidelines to ensure that it cannot be used to identify individuals.
3.7 Accountings of Disclosures
Business Associate agrees to provide an accounting of disclosures of PHI to Covered Entity in accordance with 45 CFR § 164.528.
3.8 Documentation
Business Associate agrees to maintain documentation of policies and procedures and make such documentation available to Covered Entity and the Secretary of the Department of Health and Human Services for purposes of determining compliance with the HIPAA Rules.
4. Permitted Uses and Disclosures
4.1 Permitted Uses
Business Associate may:
Use or disclose PHI to perform functions, activities, or services for, or on behalf of, Covered Entity as specified in the Terms of Service Agreement, provided that such use or disclosure would not violate HIPAA if done by Covered Entity.
Use PHI for the proper management and administration of Business Associate or to fulfill any legal responsibilities of Business Associate.
Use PHI to provide data aggregation services related to the health care operations of the Covered Entity, as permitted by 45 CFR § 164.504(e)(2)(i)(B).
4.2 Permitted Disclosures
Business Associate may:
Disclose PHI to its subcontractors or agents who perform services for or on behalf of Business Associate as necessary to perform the functions, activities, or services for Covered Entity.
Disclose PHI for the proper management and administration of Business Associate, provided that disclosures are required by law, or Business Associate obtains reasonable assurances from the person to whom the PHI is disclosed that it will remain confidential and used or further disclosed only as required by law or for the purpose for which it was disclosed to the person, and the person notifies Business Associate of any instances of which it is aware in which the confidentiality of the PHI has been breached.
5. Term and Termination
5.1 Term
This Agreement shall be effective as of the Agreement Effective Date and shall continue in effect until terminated by either Party.
5.2 Termination for Cause
Upon Covered Entity's knowledge of a material breach by Business Associate, Covered Entity shall provide written notice to Business Associate and afford Business Associate a reasonable period of time to cure the breach. If Business Associate fails to cure the breach within such time, Covered Entity may terminate this Agreement.
5.3 Effect of Termination
Upon termination of this Agreement for any reason, Business Associate shall return to Covered Entity or destroy all PHI received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity. This provision shall apply to PHI that is in the possession of subcontractors or agents of Business Associate. Business Associate shall retain no copies of the PHI. If return or destruction of PHI is not feasible, Business Associate shall extend the protections of this Agreement to such information and limit further uses and disclosures to those purposes that make the return or destruction of the information infeasible. This does not apply to PII-redacted and anonymized data in the system.
6. Miscellaneous
6.1 Amendment
The Parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for Covered Entity to comply with the requirements of HIPAA.
6.2 No Third-Party Beneficiaries
Nothing express or implied in this Agreement is intended to confer, nor shall anything herein confer, upon any person other than the parties and the respective successors or assigns of the parties, any rights, remedies, obligations, or liabilities whatsoever.
6.3 Governing Law
This Agreement shall be governed by and construed in accordance with the laws of the State of Delaware.
6.4 Severability
If any provision of this Agreement is found to be invalid or unenforceable, the remaining provisions will remain in full force and effect.
6.5 Interpretation
Any ambiguity in this Agreement shall be resolved to permit compliance with the HIPAA Rules.
6.6 Survival
The respective rights and obligations of Business Associate under Section 5.3 of this Agreement shall survive the termination of this Agreement.
6.7 Regulatory References
A reference in this Agreement to a section in HIPAA means the section as in effect or as amended.
6.8 Independent Contractors
The parties agree that each is acting as an independent contractor and not as an agent of the other.
6.9 Notices
Any notices required under this Agreement to be given to Covered Entity shall be sent to the Covered Entity Contact Information as registered upon signing up on the Unhush Platform and any notices required to be given to Business Associate shall be sent to privacy@un-hush.com.
IN WITNESS WHEREOF, the Parties hereto have executed this Business Associate Agreement as of the Agreement Effective Date by their duly authorized representatives.