Business Associate Agreement (template)
The following Business Associate Agreement is a sample template provided by AssemblyAI to our customers who need to process Protected Health Information (or PHI) within our platform, subject to HIPAA. If you are a prospective or current customer and need to sign a BAA with us, please contact our sales team!
THIS BUSINESS ASSOCIATE AGREEMENT (“<u>BAA</u>”) hereby attaches to, amends, and modifies the services agreement executed between AssemblyAI, Inc. (“<u>AssemblyAI</u>” or “<u>AAI</u>”) and [Customer] (“<u>Customer</u>” or “<u>Company</u>”) on [X] (“<u>TOS</u>”). Unless otherwise expressly provided within the TOS, or mutually agreed to between the Parties in writing, this BAA is effective as of the effective date of the TOS (the “<u>Effective Date</u>”), and will remain in effect until expiration or termination of the TOS. To the extent that there are conflicts or inconsistencies between this BAA and the TOS or any relevant Order Form, this BAA shall prevail. Each Party may be identified as a “<u>Party</u>”, and collectively the “<u>Parties</u>”.
The Parties intend to use the BAA to satisfy the Subcontractor and/or Business Associate contract requirements in the regulations at 45 CFR 164.502(e), 164.504(e) and 164.314(a), issued under the Health Insurance Portability and Accountability Act of 1996 (as amended, the “<u>HIPAA Act</u>”), and the Privacy Standards and Security Standards and other rules and regulations promulgated thereunder, the Health Information Technology for Economic and Clinical Health Act (“<u>HITECH Act</u>”), and the rules and regulations promulgated thereunder (the HIPAA Act, the HITECH Act, the Privacy Standards, the Security Standards and such other rules and regulations, collectively, “<u>HIPAA</u>”).
To the extent AAI is acting as a Subcontractor and/or Business Associate of Company, pursuant to this BAA or the TOS, the provisions of this BAA will apply. This BAA will not apply to any operations, functions, or activities of AAI that are not subject to HIPAA, do not involve processing of PHI, or do not otherwise require a Business Associate Agreement.
1. DEFINITIONS
Capitalized terms used but not otherwise defined in this BAA or the TOS shall have the meaning assigned by HIPAA.
1.1 <u>Affiliate</u>. “<u>Affiliate</u>” means a subsidiary or affiliate of Company that is, or has been, considered a Covered Entity.
1.2 <u>Applicable Law</u>. “<u>Applicable Law</u>” means the laws and regulations applicable to the processing of information pursuant to this BAA.
1.3 <u>Breach</u>. “<u>Breach</u>” has the same meaning as the term “breach” in 45 CFR § 164.402.
1.4 <u>Business Associate</u>. “<u>Business Associate</u>” has the same meaning as the term “business associate” in 45 CFR § 160.103.
1.5 <u>Business Associate Agreement</u>. “<u>Business Associate Agreement</u>” or “<u>BAA</u>” means an agreement satisfying HIPAA requirements for contracts with “business associates”, including 45 CFR § 164.504(e)(1).
1.6 <u>Covered Entity</u>. “<u>Covered Entity</u>” has the same meaning as the term “covered entity” in 45 CFR § 160.103.
1.7 <u>Data Aggregation</u>. “<u>Data Aggregation</u>” has the same meaning as the term “data aggregation” in 45 CFR § 164.501.
1.8 <u>Designated Record Set</u>. “<u>Designated Record Set</u>” has the same meaning as the term “designated record set” in 45 CFR § 164.501.
1.9 <u>Disclose</u>. “<u>Disclose</u>” or “<u>Disclosure</u>” has the same meaning as the term “disclosure” in 45 CFR § 160.103.
1.10 <u>Electronic Protected Health Information</u>. “<u>Electronic Protected Health Information</u>” or “<u>ePHI</u>” has the same meaning as the term “electronic protected health information” in 45 CFR § 160.103, limited to the information created, received, maintained or transmitted by AAI for, or on behalf of, Company.
1.11 <u>Individual</u>. “<u>Individual</u>” has the same meaning as the term “individual” in 45 CFR § 160.103 and includes any person who qualifies as a personal representative in accordance with 45 CFR § 164.502(g).
1.12 <u>Privacy Standards</u>. “<u>Privacy Standards</u>” means the Standards for Privacy of Individually Identifiable Health Information at 45 CFR Part 160 and Part 164, Subparts A and E, as amended by the HITECH Act and as may otherwise be amended from time to time.
1.13 <u>Protected Health Information</u>. “<u>Protected Health Information</u>” or “<u>PHI</u>” has the same meaning as the term “protected health information” in 45 CFR § 160.103, limited to the information created, received, maintained, or transmitted by AAI for, or on behalf of, Company. As used in this BAA and where otherwise specified, Protected Health Information includes Electronic Protected Health Information.
1.14 <u>Required by Law</u>. “<u>Required by Law</u>” has the same meaning as the term “required by law” in 45 CFR § 164.103.
1.15 <u>Secretary</u>. “<u>Secretary</u>” means the Secretary of the U.S. Department of Health and Human Services or his or her designee.
1.16 <u>Security Incident</u>. “<u>Security Incident</u>” has the same meaning as the term “security incident” in 45 CFR § 164.304.
1.17 <u>Security Standards</u>. “<u>Security Standards</u>” means the regulations found at 45 CFR Part 160 and Part 164, Subparts A and C, as amended by the HITECH Act and as may otherwise be amended from time to time.
1.18 <u>Unsecured Protected Health Information</u>. “<u>Unsecured Protected Health Information</u>” has the same meaning as the term “unsecured protected health information” in 45 CFR § 164.402.
1.19 <u>Use</u>. “<u>Use</u>” has the same meaning as the term “use” in 45 CFR § 160.103.
2. USES OR DISCLOSURES OF PHI
2.1 <u>Permitted Uses or Disclosures</u>. In accordance with the terms and conditions of this BAA, AAI may only Use or Disclose Protected Health Information, and in such a manner, as necessary to perform its duties, obligations, and functions under the TOS; as Required by Law; or as otherwise permitted by this BAA, or authorized by Company in writing, unless any such Use or Disclosure violates HIPAA or other Applicable Law. AAI will only Use and Disclose Protected Health Information if such Use or Disclosure complies with each applicable requirement of 45 CFR § 164.504(e) and would not otherwise violate the requirements of the Privacy Standards if done by Company or otherwise the applicable Covered Entity.
2.2 <u>Management & Administration</u>. AAI may Use or Disclose Protected Health Information for its own proper management and administration or to carry out its legal responsibilities, provided that any such Disclosures are Required by Law or any third Party to which AAI Discloses Protected Health Information provides reasonable assurances that such Protected Health Information will be held confidentially and Used or further Disclosed only as Required by Law or for the purposes for which it was Disclosed to the third Party, and the third Party agrees to notify AAI immediately of any instances of which it is aware in which the confidentiality of the Protected Health Information has been breached.
2.3 <u>De-identification</u>. AAI may de-identify Protected Health Information in accordance with the Privacy Standards, including 45 CFR § 164.514, and Use and Disclose such de-identified information as permitted by the Privacy Standards, or other Applicable Law, including 45 CFR § 164.506(c).
2.4 <u>Data Aggregation</u>. AAI may Use or Disclose Protected Health Information to perform Data Aggregation for the Health Care Operations of the applicable Covered Entity, when authorized by Company.
2.5 <u>Minimum Necessary</u>. AAI shall limit its Uses and Disclosures of, and requests for, PHI (i) when practical, to the information making up a Limited Data Set; and (ii) in all other cases subject to the requirements of 45 CFR § 164.502(b), to the minimum amount of PHI necessary to accomplish the intended purpose of the Use, Disclosure or request.
2.6 <u>Marketing, Sales, and Fundraising</u>. AAI will not Sell Protected Health Information, or Disclose Protected Health Information for purposes of Marketing or Fundraising, unless expressly authorized by Company in writing and then only as permitted under HIPAA.
3. ADDITIONAL OBLIGATIONS OF AAI
3.1 <u>Security Standards & Safeguards</u>. AAI shall use and maintain appropriate administrative, physical, and technical safeguards, and comply with the applicable Security Standards with respect to any Electronic Protected Health Information it creates, receives, maintains, or transmits on behalf of Company, to prevent the Use or Disclosure of such information other than as permitted by this BAA and to ensure the integrity and availability of such information.
3.2 <u>Subcontractors and Agents</u>. AAI shall ensure that any “subcontractor” (within the meaning of 45 CFR § 160.103) or agent that creates, receives, maintains, transmits, or otherwise processes Protected Health Information on behalf of Company, or the applicable Covered Entity, agrees in a writing compliant with 45 CFR § 164.504(e)(2) through (e)(4) that it will comply with restrictions and conditions no less restrictive than those that apply to AAI with respect to such information. AAI shall also ensure that any such “subcontractor” or agent that creates, receives, maintains or transmits Electronic Protected Health Information on behalf of AAI agrees to comply with the applicable requirements of the Security Standards with respect to such information.
3.3 <u>Books and Records</u>. AAI shall make its internal practices, books, and records relating to its Use and Disclosure of Protected Health Information on behalf of Company available to the Secretary for the purposes of determining the Parties’ compliance with HIPAA. Where legally permissible and reasonable, prior to responding to a request received by AAI from the Secretary subject to this Section, AAI shall provide notice to Company of the Secretary’s request. Notwithstanding the above, no attorney-client or other legal privilege will be deemed waived by the Parties by virtue of this provision.
3.4 <u>Access Requests</u>. If AAI maintains Protected Health Information in a Designated Record Set, AAI shall, pursuant to a written request from Company, provide in a prompt and reasonable way to Company access to such information at reasonable times, in accordance with the requirements under 45 CFR § 164.524, provided, however, that AAI is not required to provide such access where the PHI contained in a Designated Record Set is duplicative of the PHI contained in a Designated Record Set possessed by Company.
3.5 <u>Amendment Requests</u>. If AAI maintains Protected Health Information in a Designated Record Set, AAI shall, pursuant to a written request from Company, make in a prompt and reasonable way any amendments to Protected Health Information in a Designated Record Set, pursuant to 45 CFR § 164.526.
3.6 <u>Accounting Requests</u>. Except for disclosures excluded from the accounting obligations under HIPAA, AAI shall, pursuant to a written request from Company, make available to Company information relating to Disclosures made by AAI of Protected Health Information as would be required for the applicable Covered Entity to satisfy its obligations under 45 CFR § 164.528 and Section 13405(c) of the HITECH Act, and any regulations issued pursuant thereto. The information provided by AAI under this Section will exclude any information for Disclosures occurring before the effective date of this BAA, or with respect to Disclosures required by HITECH, the effective date of the HITECH regulations. This Section 3.6 will survive termination of this BAA.
3.7 <u>Request Administration</u>. If an Individual submits a request to AAI subject to Sections 3.4-3.6, AAI shall direct the Individual to Company.
3.8 <u>Performance of Covered Entity Obligations</u>. To the extent AAI is required to carry out any obligation of an applicable Covered Entity pursuant to this BAA or the TOS, AAI shall comply with the same Privacy Standards that apply to such Covered Entity in its performance of such obligation.
4. OBLIGATIONS OF COMPANY
4.1 Company shall, if applicable, (i) notify AAI of any limitation(s) in its notice of privacy practices in accordance with 45 CFR § 164.520, to the extent that such limitation may affect AAI’s Use or Disclosure of PHI; (ii) notify AAI of any changes in, or revocation of, permission by an Individual to Use or Disclose PHI, if such changes affect AAI’s permitted or required Uses or Disclosures; (iii) notify AAI of any confidential communication request or restriction to the Use or Disclosure of PHI affecting AAI that Company has agreed to in accordance with 45 CFR § 164.522; and (iv) not request AAI to Use or Disclose PHI in any manner that would not be permissible under HIPAA or Applicable Law otherwise.
5. REPORTING
5.1 <u>Duty to Report</u>. If AAI becomes aware of any Use or Disclosure of Protected Health Information in violation of this BAA, AAI shall, within five (5) business days after becoming aware, report such information in writing to Company.
5.2 <u>Breach Reporting</u>. If AAI becomes aware of any known or reasonably suspected Breach of Unsecured Protected Health Information subject to this BAA, AAI shall report to Company without unreasonable delay, but in no event more than five (5) business days after becoming aware of the Breach, if and to the extent known at the time of reporting: a description of the Breach, including the occurrence date and circumstances surrounding discovery, and all such other information Company may request of AAI in order for the applicable Covered Entity to meet its obligations under 45 CFR Part 164, Subpart D, or other applicable state breach notification laws.
5.3 <u>Security Incidents</u>. AAI agrees to implement and maintain reasonable systems for the discovery and prompt reporting of Security Incidents. AAI shall report to Company any Security Incident of which it becomes aware, within five (5) business days of discovery of the Security Incident. The Parties acknowledge that AAI may, from time to time, experience trivial and “Unsuccessful Security Incidents”, which shall mean (for purposes of this BAA) pings and other broadcast attacks on firewalls, port scans, unsuccessful log-on attempts, denials of service, or any combination of the above, where regardless of the means used no unauthorized access, Use, or Disclosure of Electronic Protected Health Information occurs. This BAA will be sufficient notice of such trivial and Unsuccessful Security Incidents, and no further notice of the same will be required. AAI shall mitigate, to the extent practicable, any harmful effect that is known to AAI of any such Security Incident(s).
6. TERM AND TERMINATION
6.1 <u>Term</u>. This BAA shall be effective as of the Effective Date and shall remain in effect until all obligations of the Parties have been met under the TOS or under this BAA, unless terminated earlier subject to an express provision within this Section 6.
6.2 <u>Termination due to breach or default</u>. Either Party may terminate this BAA, effective upon written notice to the other Party (the “Defaulting Party”), if the Defaulting Party materially breaches this BAA, and such breach is incapable of cure or, with respect to a material breach capable of cure, the Defaulting Party does not cure such breach within thirty (30) days after receipt of written notice of such breach from the non-breaching Party.
6.3 <u>Effect of Termination</u>. Upon termination or expiration of this BAA for any reason, AAI shall, if feasible, destroy or return to Company all PHI that AAI has or maintains in any form (including copies of such PHI). To the extent it is not feasible for AAI to return or destroy all PHI, AAI may continue to maintain such PHI and shall extend the protections of this BAA to such PHI and limit its further Use and Disclosure to those purposes that make return or destruction of such PHI infeasible, for so long as AAI maintains such PHI. For purposes of this BAA, de-identified information does not constitute Protected Health Information and is not subject to return or destruction under this Section 6.3. This Section 6.3 will survive any termination of the BAA.
7. LIMITS TO LIABILITY
7.1 NOTWITHSTANDING ANYTHING TO THE CONTRARY HEREIN, ASSEMBLYAI’S TOTAL LIABILITY ARISING OUT OF OR RELATING TO THIS BUSINESS ASSOCIATE AGREEMENT FOR ANY CLAIMS OF ANY NATURE WILL NOT EXCEED THE AMOUNT OF FEES RECEIVED BY ASSEMBLYAI PURSUANT TO THE TOS DURING THE PRECEDING 12-MONTH PERIOD. IN NO EVENT WILL ASSEMBLYAI BE LIABLE FOR ANY INDIRECT, SPECIAL, EXEMPLARY, INCIDENTAL, CONSEQUENTIAL OR PUNITIVE DAMAGES ARISING OUT OF OR RELATED TO THIS BUSINESS ASSOCIATE AGREEMENT OR THE BREACH THEREOF, INCLUDING LOST PROFITS, LOST DATA, BUSINESS INTERRUPTION OR OTHER ECONOMIC LOSS. THE LIMITATION OF LIABILITY SET FORTH IN THIS SECTION 7 WILL APPLY EVEN IF ASSEMBLYAI HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THIS SECTION 7 SHALL SURVIVE THE EXPIRATION OR TERMINATION OF THIS BUSINESS ASSOCIATE AGREEMENT.
8. DATA OWNERSHIP
8.1 Unless otherwise provided for in this BAA or the TOS, AAI’s data stewardship pursuant to this BAA does not confer data ownership rights on AAI with respect to any data shared with it under the TOS, including any and all forms thereof.
9. GENERAL
9.1 <u>Entire Agreement</u>. This BAA and the TOS (and the exhibits, amendments, Order Forms, and schedules thereto) constitute the complete agreement between the Parties relating to the matters specified in this BAA, and supersede all prior representations or agreements, whether oral or written, with respect to such matters. This BAA is for the benefit of, and will be binding upon, the Parties, their Affiliates and their respective successors and assigns.
9.2 <u>Notices</u>. Except as otherwise set forth herein or in the applicable TOS, all notices required or permitted hereunder will be in writing and deemed to have been duly given to the addresses specified in the preamble: (i) on the next day if delivered personally to such Party; (ii) on the next day after mailing if mailed by registered or certified mail; (iii) if sent by email from and to the addresses herein specified, upon reply email acknowledgement to the sender by the recipient; or (iv) to such other address or email as either Party may notify the other of through written notice.
9.3 <u>Amendments and Waivers</u>. This BAA may not be modified, nor will any provision be waived or amended, except in a writing duly signed by authorized representatives of both Parties. A waiver with respect to one event shall not be construed as continuing, or as a bar to or waiver of any right or remedy as to subsequent events.
9.4 <u>HITECH or HIPAA Changes</u>. To the extent there are material changes to HIPAA following the date this BAA is executed (or to applicable state privacy law not preempted by HIPAA), the Parties agree to meet and confer in good faith about amending this BAA and/or the TOS as reasonably necessary to be in compliance with HIPAA. Any ambiguity in this BAA will be resolved to permit the Parties to comply with HIPAA. If the Parties are unable to reach an agreement on an amendment pursuant to this Section 9.4, either Party will have the right to terminate this BAA upon 30 days’ prior written notice to the other Party.
9.5 <u>Interpretation</u>. The headings of the Sections of this BAA are inserted for convenience of reference only and shall not in any manner affect the construction or meaning of anything herein contained or govern the rights or liabilities of the Parties hereto. The words “include,” “includes,” and “including” shall be deemed to be followed by the words “without limitation”. The word “or” is not exclusive. The words “herein,” “hereof,” “hereto,” and “hereunder” refer to this BAA as a whole.
9.6 <u>Counterparts</u>. The Parties agree that this BAA may be signed in counterparts, each of which will be deemed an original and all of which together will constitute one and the same instrument.
IN WITNESS WHEREOF, the Parties hereto have caused their duly authorized representatives to execute this BAA as of the Effective Date.
AssemblyAI, Inc.
Signature: _______________________________
Name: __________________________________
Title: __________________________________
Date: __________________________________
Customer
Signature: _______________________________
Name: __________________________________
Title: __________________________________
Date: __________________________________