Who We Serve

Resources

Brellium BAA

By using Brellium in production or trial, you (Company) are covered under This Business Associate Agreement with Brellium (Business Associate). There is no separate contract to sign to enter into a HIPAA Business Associate Agreement (BAA) with Brellium because this is available by default to all customers by default in the Brellium Terms of Service (https://brellium.com/terms) or Master Services Agreement.


This Agreement sets out the responsibilities and obligations of Business Associate under the Health Insurance Portability and Accountability Act (“HIPAA) and the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”).



RECITALS



  1. Business  Associate  and  Company  have  entered  into  a  certain

 Master Agreement ("Master Agreement") under which Business Associate has agreed to provide Company with certain services (“Services”);



  1. In performing the Services, Business Associate will create, receive, transmit, or maintain Protected Health Information (as defined at 45 C.F.R. § 160.103) for or on behalf of Company;



  1. Business Associate and Company have mutual obligations under the Master Agreement that will require Business Associate and Company to use or disclose Company’s customer(s) PHI of Individuals as that term is defined under HIPAA; and



  1. This Agreement is intended to comply with the rules on handling of PHI under the HIPAA Standards for Privacy of Individually Identifiable Health Information, 45 C.F.R. Part 160 and Part 164, Subpart E (“Privacy Rule”), the HIPAA Security Standards, 45 C.F.R. Part 160 and Part 164, Subpart C (“Security Rule”), and the HIPAA Breach Notification Regulations, 45 C.F.R. Part 164, Subpart D (“Breach Notification Rule”), so as to permit the Business Associate and Company to access, use and exchange PHI in a manner which complies with the provisions of HIPAA and the HITECH Act.



AGREEMENT



Now, Therefore, in consideration of the mutual covenants, terms and conditions herein contained, the parties hereto agree as follows:



Section 1 - Definitions



The following terms used in this Agreement shall have the same meaning as those terms in the HIPAA Rules: Breach, Data Aggregation, Designated Record Set, Disclosure, Health Care Operations, Minimum Necessary, Notice of Privacy Practices, Required by Law, Secretary, Subcontractor, Unsecured Protected Health Information, and Use.



  1. Electronic Health Record. "Electronic Health Record" shall have the same meaning as the term "electronic health record" in the HITECH Act, section 13400(5).



  1. Electronic Protected Health Information. "Electronic Protected Health Information" (sometimes “ePHI”) shall have the same meaning as the term 'electronic protected health information' in 45 C.F.R. 160.103 limited to the information received from Company, or created, maintained or transmitted by Business Associate on behalf of Company.

  1. Individual. "Individual" shall have the same meaning as the term "individual" in 45 C.F.R.160.103 and shall include a person who qualifies as a personal representative in accordance with 45 C.F.R. 164.502(g).



  1. Protected Health Information. "Protected Health Information" (“PHI”) shall have the same meaning as the term "protected health information" in 45 C.F.R. 160.103, limited to the information received from Company, or created, maintained, or transmitted by Business Associate on behalf of Company.



  1. “HIPAA Rules” shall mean the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Part 160 and Part 164.



  1. “Security Incident” Notwithstanding anything to the contrary “Security Incident” shall mean the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.



Section 2 - Obligations and Activities of Business Associate



  1. Permitted Uses and Disclosures. Business Associate agrees to use or disclose Protected Health Information only as permitted or required by this Agreement or as Required by Law.



  1. Safeguards. Business Associate agrees to implement the administrative safeguards set forth at 45 C.F.R 164.308, the physical safeguards set forth at 45

C.F.R 164.310, the technical safeguards set fort at 45 C.F.R. 164.312, and the policies and procedures set fort at 45 C.F.R. 164.316 and to otherwise comply with applicable provisions of the Security Rule, to reasonably and appropriately protect the confidentiality, integrity, and availability of the ePHI that it creates, receives, maintains, or transmits on behalf of Company. Business Associate acknowledges that, effective on the Effective Date of this BAA, (a) the foregoing safeguards, policies, and procedures requirements shall apply to Business Associate in the same manner that such requirements apply to Company, and (b) Business Associate shall be liable under the civil and criminal enforcement provisions set forth at 42 U.S.C. § 1320d-5 and 1320d-6, as amended from time to time, for failure to comply with the safeguards, policies, and procedures requirements and any guidance issued by the Secretary from time to time with respect to such requirements.



  1. Mitigation. Business Associate agrees to mitigate any harmful effect that is known to Business Associate of a use or disclosure of Protected Health Information by Business Associate in violation of the requirements of this Agreement.



  1. Agents and Subcontractors. Business Associate agrees to in accordance with

45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), require any subcontractors that create, receive, maintain, or transmit Protected Health Information on behalf of the

Business Associate to agree in writing to the same restrictions, conditions, and requirements that apply to the Business Associate with respect to such information.



  1. Access to Individuals. Business Associate agrees to make available Protected Health Information in a Designated Record Set to either Company or at the direction of Company, the Individual or the Individual’s designee, as necessary to satisfy Company’s obligations under 45 CFR 164.524;



  1. Amendments to Protected Health Information. Business Associate agrees to make any amendment(s) to Protected Health Information in a Designated Record Set as directed or agreed to by Company pursuant to 45 CFR 164.526, or take other measures as necessary to satisfy Company’s obligations under 45 CFR 164.526



  1. Access by Company. Business Associate agrees to make internal practices, books and records including policies and procedures and Protected Health Information, relating to the use and disclosure of Protected Health Information received from, or created or received by Business Associate on behalf of, Company available to the Secretary within the timeframe and in the format requested by the Secretary for purposes of the Secretary determining Company's compliance with HIPAA. Any such audit, inspection, etc. shall be at the sole cost of Business Associate.



  1. Disclosure Documentation. Business Associate agrees to document such disclosures of Protected Health Information and information related to such disclosures as would be required for Company to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 CFR Section 164.528. Within five (5) business days of receipt of a request from Company, Business Associate agrees to provide to Company or, at the direction of Company, an Individual, information collected in accordance with this subsection to permit Company to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 CFR Section 164.528.



  1. Minimum Necessary. Business Associate agrees to limit its request, use, and disclosure of PHI to the minimum necessary to fulfill the Business Associate’s commitments and to perform functions, activities, or services on behalf of Company pursuant to the Master Agreement.



Section 3 - Permitted Uses by Business Associate



  1. Performance of Services. Except as otherwise limited in this Agreement, Business Associate may use or disclose Protected Health Information to perform the Services, provided that such use or disclosure would be permitted if done by Company.



  1. Other Permitted Usage. Except as otherwise limited in this Agreement, Business Associate may use Protected Health Information for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate. In addition, Business Associate may use Protected Health

Information to provide Data Aggregation services for Company and other Companies as permitted by 45 CFR Section 164.504(e)(2)(i)(B).



Section 4 - Obligations of Company



  1. Change in Privacy Practices. Company shall notify Business Associate of any limitation(s) in its notice of privacy practices maintained in accordance with 45 CFR Section 164.520, to the extent that such limitation may affect Business Associate's use or disclosure of Protected Health Information.



  1. Change in right to use Protected Health Information. Company shall notify Business Associate of any changes in, or revocation of, permission by an Individual to use or disclose Protected Health Information, to the extent that such changes may affect Business Associate's use and disclosure of Protected Health Information.



  1. Change in Restrictions Regarding Protected Health Information. Company shall notify Business Associate of any restriction to the use or disclosure of Protected Health Information that Company has agreed to in accordance with 45 CFR Section 164.522, to the extent that such restriction may affect Business Associate's use or disclosure of Protected Health Information.



  1. Requests. Company shall not request Business Associate to use or disclose Protected Health Information in any manner that would not be permissible if done by Company.



Section 5 - Duties of Business Associate Upon Impermissible Use or Disclosure of PHI



  1. Reporting of Impermissible Use or Disclosure. Business Associate agrees to report to Company any use or disclosure of Protected Health Information not provided for by the Agreement of which it becomes aware, including Breaches of Unsecured Protected Health Information as required at 45 CFR 164.410, and any Security Incident of which it becomes aware (collectively, “Incidents”). Such reports shall be made without unreasonable delay and in all events within ten (10) days of discovery, as set forth in the HITECH Act.



  1. Content of Notification. All notices of an impermissible use or disclosure of Protected Health Information hereunder shall include, if feasible, the identification of each Individual whose PHI has been or is reasonably believed by Business Associate to have been, accessed, acquired, made unusable via ransomware, or disclosed in connection with such Incident. In addition, Business Associate shall provide any additional information reasonably requested by Company for purposes of investigating and evaluating the Incident. The notification shall also include: (a) a brief description of what happened including the date of the Incident and the date of the discovery of the Incident; (b) the types of identifiers involved such as full name, social security number, date of birth, home address, account number, diagnosis, etc.; (c) recommended steps that Individuals should take to protect themselves from potential harm resulting from the Incident; and (d) a brief description of what the Business Associate is doing to investigate the Incident, to mitigate harm to Individuals, and to protect against any further Incidents and any other available information that Company is required to include to the individual

under 45 C.F.R. § 164.404(c) at the time of notification or promptly thereafter as information becomes available.



  1. Mitigation. Business Associate agrees to mitigate, at its expense, any harmful effect  known  to  Business  Associate  as  a  result  of  an  Incident. Costs incurred by Company due to an Incident are to be reimbursed by the Business Associate to Company such as but not limited to operating call center(s), media reporting costs, Company staffing, attorney fees, court costs, monthly fees paid to Business Associate.



Section 6- Term and Termination



  1. Term. This Agreement will begin on the Effective Date and shall continue in effect until the earlier of the termination of the Master Agreement; termination of this Agreement; or mutual written agreement of the parties.



  1. Termination.



  1. Termination for Cause. Upon either party’s knowledge of a breach of this Agreement by the other, the party shall provide not less than thirty (30) days written notice of its intent to terminate the Agreement to the other party provided if the other party does not cure such breach no later than the end of the written notice period.



  1. Termination without Cause and Termination of the Master Agreement. Either party may terminate this Agreement effective upon thirty (30) days advance written notice to the other party given with or without any reason if Business Associate no longer performs services for Company requiring its creation, access to, transmission, or maintenance of Protected Health Information.



  1. Effect of Termination. Upon termination of this Agreement, Business Associate shall return or, with Company's express permission, destroy, all Protected Health information received from Company, or created or received by Business Associate on behalf of Company. If the Protected Health Information is destroyed, Business Associate shall provide Company with a letter confirming information has been destroyed. Business Associate shall retain no copies of the Protected Health Information, except in cases of actual or threatened litigation or if required by law. This provision shall apply to Protected Health Information that is in the possession of subcontractors or agents of Business Associate.




If Business Associate determines that returning or destroying the PHI is infeasible, for example, because such information must be retained for compliance with applicable laws, Business Associate shall provide to Company notification of the conditions that make return or destruction infeasible. Upon notification of the conditions that make return or destruction infeasible, Business Associate shall extend the protections of this Agreement to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such PHI.

Section 7 - Right to Audit



  1. Company shall have the right to audit Business Associate at any time upon providing Business Associate in writing (10) ten-day notice of the intent to perform offsite or onsite audit procedures. The scope of the audit will be to confirm Business Associate is in compliance with all information safeguards, access controls, and other items necessary for protecting and controlling PHI as stated within this Agreement. In the event the audit reveals material out of compliance, the Business Associate will have (30) thirty days to mitigate. If within (30) thirty days agreed upon mitigations are not in place, Company has the right to terminate this Agreement, the Master Agreement, and any other contracts and services with Business Associate without additional cost or penalties for termination.



Section 8 - Miscellaneous



  1. Interpretation; Conflict. This Agreement is subject to the term and conditions of the Master Agreement. To the extent this Agreement, only as it relates to HIPAA, is inconsistent with the terms of the Master Agreement, such that the terms in this Agreement are more stringent, the terms of this Agreement shall govern. All terms of the Master Agreement remain in full force and effect.



  1. No Third-Party Beneficiaries. Except as set forth in this Agreement, this Agreement is entered into by and among the parties hereto solely for their benefit. The parties have not created or established any third-party beneficiary status or rights in any person or entity not a party hereto including, but not limited to, any individual, provider, subcontractor, or other third-party, and no such third-party will have any right to enforce any right or enjoy any benefit created or established under this Agreement.



  1. Entire Agreement; Amendments; Facsimile. This Agreement supersedes and terminates any prior agreement or understandings pertaining to HIPAA obligations between the parties, whether oral or written, and may be amended only by a writing executed by authorized representatives of both parties. A facsimile or other reproductive type copy of this Agreement, so long as signed by all parties, will be considered an original and will be fully enforceable against all parties.



  1. Notices. Any notice required pursuant to this Agreement must be in writing and sent by registered or certified mail, return receipt requested, by fax with proof of delivery, or by a nationally recognized private overnight carrier with proof of delivery, to the addresses of the parties set forth below in this Agreement. The date of notice will be the date on which the recipient receives notice or refuses delivery. All notices must be addressed as follows or to such other address as a party may identify in a notice to the other party:



Section 9 – Indemnification and Limitation of Liability.



  1. Business Associate will indemnify Company, its affiliates, officers, directors, employees, or agents (“Indemnified Entity”) from and against any claim, cause of action, liability, damage, cost, or expense, including attorney’s fees and court or proceeding costs, caused by Business Associate’s breach of this Agreement or an Incident. Indemnified Entity shall give Business Associate written notice of such claim, a brief description of the claim, and the amount sought if known. Failure to give such notice shall not relieve Business Associate of its obligations under this section except to the extent the Business Associate is prejudiced by the failure or delay to give such notice.

  2. Company will indemnify the Business Associate, its affiliates, officers, directors, employees, or agents (“Indemnified Associate”) from and against any third-party claim, cause of action, liability, damage, cost, or expense, including attorney’s fees and court or proceeding costs, directly caused Company’s breach of this Agreement. Indemnified Associate shall give Company written notice of such claim, a brief description of the claim, and the amount sought if known. Failure to give such notice shall not relieve Company of its obligations under this section except to the extent Company is prejudiced by the failure or delay to give such notice.

No Limitations. Business Associate’s obligations, including its indemnification obligations hereunder, shall not be subject to any limitations or exclusions on damages, notwithstanding any provision in the Master Agreement to the contrary.

Brellium BAA

By using Brellium in production or trial, you (Company) are covered under This Business Associate Agreement with Brellium (Business Associate). There is no separate contract to sign to enter into a HIPAA Business Associate Agreement (BAA) with Brellium because this is available by default to all customers by default in the Brellium Terms of Service (https://brellium.com/terms) or Master Services Agreement.


This Agreement sets out the responsibilities and obligations of Business Associate under the Health Insurance Portability and Accountability Act (“HIPAA) and the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”).



RECITALS



  1. Business  Associate  and  Company  have  entered  into  a  certain

 Master Agreement ("Master Agreement") under which Business Associate has agreed to provide Company with certain services (“Services”);



  1. In performing the Services, Business Associate will create, receive, transmit, or maintain Protected Health Information (as defined at 45 C.F.R. § 160.103) for or on behalf of Company;



  1. Business Associate and Company have mutual obligations under the Master Agreement that will require Business Associate and Company to use or disclose Company’s customer(s) PHI of Individuals as that term is defined under HIPAA; and



  1. This Agreement is intended to comply with the rules on handling of PHI under the HIPAA Standards for Privacy of Individually Identifiable Health Information, 45 C.F.R. Part 160 and Part 164, Subpart E (“Privacy Rule”), the HIPAA Security Standards, 45 C.F.R. Part 160 and Part 164, Subpart C (“Security Rule”), and the HIPAA Breach Notification Regulations, 45 C.F.R. Part 164, Subpart D (“Breach Notification Rule”), so as to permit the Business Associate and Company to access, use and exchange PHI in a manner which complies with the provisions of HIPAA and the HITECH Act.



AGREEMENT



Now, Therefore, in consideration of the mutual covenants, terms and conditions herein contained, the parties hereto agree as follows:



Section 1 - Definitions



The following terms used in this Agreement shall have the same meaning as those terms in the HIPAA Rules: Breach, Data Aggregation, Designated Record Set, Disclosure, Health Care Operations, Minimum Necessary, Notice of Privacy Practices, Required by Law, Secretary, Subcontractor, Unsecured Protected Health Information, and Use.



  1. Electronic Health Record. "Electronic Health Record" shall have the same meaning as the term "electronic health record" in the HITECH Act, section 13400(5).



  1. Electronic Protected Health Information. "Electronic Protected Health Information" (sometimes “ePHI”) shall have the same meaning as the term 'electronic protected health information' in 45 C.F.R. 160.103 limited to the information received from Company, or created, maintained or transmitted by Business Associate on behalf of Company.

  1. Individual. "Individual" shall have the same meaning as the term "individual" in 45 C.F.R.160.103 and shall include a person who qualifies as a personal representative in accordance with 45 C.F.R. 164.502(g).



  1. Protected Health Information. "Protected Health Information" (“PHI”) shall have the same meaning as the term "protected health information" in 45 C.F.R. 160.103, limited to the information received from Company, or created, maintained, or transmitted by Business Associate on behalf of Company.



  1. “HIPAA Rules” shall mean the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Part 160 and Part 164.



  1. “Security Incident” Notwithstanding anything to the contrary “Security Incident” shall mean the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.



Section 2 - Obligations and Activities of Business Associate



  1. Permitted Uses and Disclosures. Business Associate agrees to use or disclose Protected Health Information only as permitted or required by this Agreement or as Required by Law.



  1. Safeguards. Business Associate agrees to implement the administrative safeguards set forth at 45 C.F.R 164.308, the physical safeguards set forth at 45

C.F.R 164.310, the technical safeguards set fort at 45 C.F.R. 164.312, and the policies and procedures set fort at 45 C.F.R. 164.316 and to otherwise comply with applicable provisions of the Security Rule, to reasonably and appropriately protect the confidentiality, integrity, and availability of the ePHI that it creates, receives, maintains, or transmits on behalf of Company. Business Associate acknowledges that, effective on the Effective Date of this BAA, (a) the foregoing safeguards, policies, and procedures requirements shall apply to Business Associate in the same manner that such requirements apply to Company, and (b) Business Associate shall be liable under the civil and criminal enforcement provisions set forth at 42 U.S.C. § 1320d-5 and 1320d-6, as amended from time to time, for failure to comply with the safeguards, policies, and procedures requirements and any guidance issued by the Secretary from time to time with respect to such requirements.



  1. Mitigation. Business Associate agrees to mitigate any harmful effect that is known to Business Associate of a use or disclosure of Protected Health Information by Business Associate in violation of the requirements of this Agreement.



  1. Agents and Subcontractors. Business Associate agrees to in accordance with

45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), require any subcontractors that create, receive, maintain, or transmit Protected Health Information on behalf of the

Business Associate to agree in writing to the same restrictions, conditions, and requirements that apply to the Business Associate with respect to such information.



  1. Access to Individuals. Business Associate agrees to make available Protected Health Information in a Designated Record Set to either Company or at the direction of Company, the Individual or the Individual’s designee, as necessary to satisfy Company’s obligations under 45 CFR 164.524;



  1. Amendments to Protected Health Information. Business Associate agrees to make any amendment(s) to Protected Health Information in a Designated Record Set as directed or agreed to by Company pursuant to 45 CFR 164.526, or take other measures as necessary to satisfy Company’s obligations under 45 CFR 164.526



  1. Access by Company. Business Associate agrees to make internal practices, books and records including policies and procedures and Protected Health Information, relating to the use and disclosure of Protected Health Information received from, or created or received by Business Associate on behalf of, Company available to the Secretary within the timeframe and in the format requested by the Secretary for purposes of the Secretary determining Company's compliance with HIPAA. Any such audit, inspection, etc. shall be at the sole cost of Business Associate.



  1. Disclosure Documentation. Business Associate agrees to document such disclosures of Protected Health Information and information related to such disclosures as would be required for Company to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 CFR Section 164.528. Within five (5) business days of receipt of a request from Company, Business Associate agrees to provide to Company or, at the direction of Company, an Individual, information collected in accordance with this subsection to permit Company to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 CFR Section 164.528.



  1. Minimum Necessary. Business Associate agrees to limit its request, use, and disclosure of PHI to the minimum necessary to fulfill the Business Associate’s commitments and to perform functions, activities, or services on behalf of Company pursuant to the Master Agreement.



Section 3 - Permitted Uses by Business Associate



  1. Performance of Services. Except as otherwise limited in this Agreement, Business Associate may use or disclose Protected Health Information to perform the Services, provided that such use or disclosure would be permitted if done by Company.



  1. Other Permitted Usage. Except as otherwise limited in this Agreement, Business Associate may use Protected Health Information for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate. In addition, Business Associate may use Protected Health

Information to provide Data Aggregation services for Company and other Companies as permitted by 45 CFR Section 164.504(e)(2)(i)(B).



Section 4 - Obligations of Company



  1. Change in Privacy Practices. Company shall notify Business Associate of any limitation(s) in its notice of privacy practices maintained in accordance with 45 CFR Section 164.520, to the extent that such limitation may affect Business Associate's use or disclosure of Protected Health Information.



  1. Change in right to use Protected Health Information. Company shall notify Business Associate of any changes in, or revocation of, permission by an Individual to use or disclose Protected Health Information, to the extent that such changes may affect Business Associate's use and disclosure of Protected Health Information.



  1. Change in Restrictions Regarding Protected Health Information. Company shall notify Business Associate of any restriction to the use or disclosure of Protected Health Information that Company has agreed to in accordance with 45 CFR Section 164.522, to the extent that such restriction may affect Business Associate's use or disclosure of Protected Health Information.



  1. Requests. Company shall not request Business Associate to use or disclose Protected Health Information in any manner that would not be permissible if done by Company.



Section 5 - Duties of Business Associate Upon Impermissible Use or Disclosure of PHI



  1. Reporting of Impermissible Use or Disclosure. Business Associate agrees to report to Company any use or disclosure of Protected Health Information not provided for by the Agreement of which it becomes aware, including Breaches of Unsecured Protected Health Information as required at 45 CFR 164.410, and any Security Incident of which it becomes aware (collectively, “Incidents”). Such reports shall be made without unreasonable delay and in all events within ten (10) days of discovery, as set forth in the HITECH Act.



  1. Content of Notification. All notices of an impermissible use or disclosure of Protected Health Information hereunder shall include, if feasible, the identification of each Individual whose PHI has been or is reasonably believed by Business Associate to have been, accessed, acquired, made unusable via ransomware, or disclosed in connection with such Incident. In addition, Business Associate shall provide any additional information reasonably requested by Company for purposes of investigating and evaluating the Incident. The notification shall also include: (a) a brief description of what happened including the date of the Incident and the date of the discovery of the Incident; (b) the types of identifiers involved such as full name, social security number, date of birth, home address, account number, diagnosis, etc.; (c) recommended steps that Individuals should take to protect themselves from potential harm resulting from the Incident; and (d) a brief description of what the Business Associate is doing to investigate the Incident, to mitigate harm to Individuals, and to protect against any further Incidents and any other available information that Company is required to include to the individual

under 45 C.F.R. § 164.404(c) at the time of notification or promptly thereafter as information becomes available.



  1. Mitigation. Business Associate agrees to mitigate, at its expense, any harmful effect  known  to  Business  Associate  as  a  result  of  an  Incident. Costs incurred by Company due to an Incident are to be reimbursed by the Business Associate to Company such as but not limited to operating call center(s), media reporting costs, Company staffing, attorney fees, court costs, monthly fees paid to Business Associate.



Section 6- Term and Termination



  1. Term. This Agreement will begin on the Effective Date and shall continue in effect until the earlier of the termination of the Master Agreement; termination of this Agreement; or mutual written agreement of the parties.



  1. Termination.



  1. Termination for Cause. Upon either party’s knowledge of a breach of this Agreement by the other, the party shall provide not less than thirty (30) days written notice of its intent to terminate the Agreement to the other party provided if the other party does not cure such breach no later than the end of the written notice period.



  1. Termination without Cause and Termination of the Master Agreement. Either party may terminate this Agreement effective upon thirty (30) days advance written notice to the other party given with or without any reason if Business Associate no longer performs services for Company requiring its creation, access to, transmission, or maintenance of Protected Health Information.



  1. Effect of Termination. Upon termination of this Agreement, Business Associate shall return or, with Company's express permission, destroy, all Protected Health information received from Company, or created or received by Business Associate on behalf of Company. If the Protected Health Information is destroyed, Business Associate shall provide Company with a letter confirming information has been destroyed. Business Associate shall retain no copies of the Protected Health Information, except in cases of actual or threatened litigation or if required by law. This provision shall apply to Protected Health Information that is in the possession of subcontractors or agents of Business Associate.




If Business Associate determines that returning or destroying the PHI is infeasible, for example, because such information must be retained for compliance with applicable laws, Business Associate shall provide to Company notification of the conditions that make return or destruction infeasible. Upon notification of the conditions that make return or destruction infeasible, Business Associate shall extend the protections of this Agreement to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such PHI.

Section 7 - Right to Audit



  1. Company shall have the right to audit Business Associate at any time upon providing Business Associate in writing (10) ten-day notice of the intent to perform offsite or onsite audit procedures. The scope of the audit will be to confirm Business Associate is in compliance with all information safeguards, access controls, and other items necessary for protecting and controlling PHI as stated within this Agreement. In the event the audit reveals material out of compliance, the Business Associate will have (30) thirty days to mitigate. If within (30) thirty days agreed upon mitigations are not in place, Company has the right to terminate this Agreement, the Master Agreement, and any other contracts and services with Business Associate without additional cost or penalties for termination.



Section 8 - Miscellaneous



  1. Interpretation; Conflict. This Agreement is subject to the term and conditions of the Master Agreement. To the extent this Agreement, only as it relates to HIPAA, is inconsistent with the terms of the Master Agreement, such that the terms in this Agreement are more stringent, the terms of this Agreement shall govern. All terms of the Master Agreement remain in full force and effect.



  1. No Third-Party Beneficiaries. Except as set forth in this Agreement, this Agreement is entered into by and among the parties hereto solely for their benefit. The parties have not created or established any third-party beneficiary status or rights in any person or entity not a party hereto including, but not limited to, any individual, provider, subcontractor, or other third-party, and no such third-party will have any right to enforce any right or enjoy any benefit created or established under this Agreement.



  1. Entire Agreement; Amendments; Facsimile. This Agreement supersedes and terminates any prior agreement or understandings pertaining to HIPAA obligations between the parties, whether oral or written, and may be amended only by a writing executed by authorized representatives of both parties. A facsimile or other reproductive type copy of this Agreement, so long as signed by all parties, will be considered an original and will be fully enforceable against all parties.



  1. Notices. Any notice required pursuant to this Agreement must be in writing and sent by registered or certified mail, return receipt requested, by fax with proof of delivery, or by a nationally recognized private overnight carrier with proof of delivery, to the addresses of the parties set forth below in this Agreement. The date of notice will be the date on which the recipient receives notice or refuses delivery. All notices must be addressed as follows or to such other address as a party may identify in a notice to the other party:



Section 9 – Indemnification and Limitation of Liability.



  1. Business Associate will indemnify Company, its affiliates, officers, directors, employees, or agents (“Indemnified Entity”) from and against any claim, cause of action, liability, damage, cost, or expense, including attorney’s fees and court or proceeding costs, caused by Business Associate’s breach of this Agreement or an Incident. Indemnified Entity shall give Business Associate written notice of such claim, a brief description of the claim, and the amount sought if known. Failure to give such notice shall not relieve Business Associate of its obligations under this section except to the extent the Business Associate is prejudiced by the failure or delay to give such notice.

  2. Company will indemnify the Business Associate, its affiliates, officers, directors, employees, or agents (“Indemnified Associate”) from and against any third-party claim, cause of action, liability, damage, cost, or expense, including attorney’s fees and court or proceeding costs, directly caused Company’s breach of this Agreement. Indemnified Associate shall give Company written notice of such claim, a brief description of the claim, and the amount sought if known. Failure to give such notice shall not relieve Company of its obligations under this section except to the extent Company is prejudiced by the failure or delay to give such notice.

No Limitations. Business Associate’s obligations, including its indemnification obligations hereunder, shall not be subject to any limitations or exclusions on damages, notwithstanding any provision in the Master Agreement to the contrary.

Brellium BAA

By using Brellium in production or trial, you (Company) are covered under This Business Associate Agreement with Brellium (Business Associate). There is no separate contract to sign to enter into a HIPAA Business Associate Agreement (BAA) with Brellium because this is available by default to all customers by default in the Brellium Terms of Service (https://brellium.com/terms) or Master Services Agreement.


This Agreement sets out the responsibilities and obligations of Business Associate under the Health Insurance Portability and Accountability Act (“HIPAA) and the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”).



RECITALS



  1. Business  Associate  and  Company  have  entered  into  a  certain

 Master Agreement ("Master Agreement") under which Business Associate has agreed to provide Company with certain services (“Services”);



  1. In performing the Services, Business Associate will create, receive, transmit, or maintain Protected Health Information (as defined at 45 C.F.R. § 160.103) for or on behalf of Company;



  1. Business Associate and Company have mutual obligations under the Master Agreement that will require Business Associate and Company to use or disclose Company’s customer(s) PHI of Individuals as that term is defined under HIPAA; and



  1. This Agreement is intended to comply with the rules on handling of PHI under the HIPAA Standards for Privacy of Individually Identifiable Health Information, 45 C.F.R. Part 160 and Part 164, Subpart E (“Privacy Rule”), the HIPAA Security Standards, 45 C.F.R. Part 160 and Part 164, Subpart C (“Security Rule”), and the HIPAA Breach Notification Regulations, 45 C.F.R. Part 164, Subpart D (“Breach Notification Rule”), so as to permit the Business Associate and Company to access, use and exchange PHI in a manner which complies with the provisions of HIPAA and the HITECH Act.



AGREEMENT



Now, Therefore, in consideration of the mutual covenants, terms and conditions herein contained, the parties hereto agree as follows:



Section 1 - Definitions



The following terms used in this Agreement shall have the same meaning as those terms in the HIPAA Rules: Breach, Data Aggregation, Designated Record Set, Disclosure, Health Care Operations, Minimum Necessary, Notice of Privacy Practices, Required by Law, Secretary, Subcontractor, Unsecured Protected Health Information, and Use.



  1. Electronic Health Record. "Electronic Health Record" shall have the same meaning as the term "electronic health record" in the HITECH Act, section 13400(5).



  1. Electronic Protected Health Information. "Electronic Protected Health Information" (sometimes “ePHI”) shall have the same meaning as the term 'electronic protected health information' in 45 C.F.R. 160.103 limited to the information received from Company, or created, maintained or transmitted by Business Associate on behalf of Company.

  1. Individual. "Individual" shall have the same meaning as the term "individual" in 45 C.F.R.160.103 and shall include a person who qualifies as a personal representative in accordance with 45 C.F.R. 164.502(g).



  1. Protected Health Information. "Protected Health Information" (“PHI”) shall have the same meaning as the term "protected health information" in 45 C.F.R. 160.103, limited to the information received from Company, or created, maintained, or transmitted by Business Associate on behalf of Company.



  1. “HIPAA Rules” shall mean the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Part 160 and Part 164.



  1. “Security Incident” Notwithstanding anything to the contrary “Security Incident” shall mean the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.



Section 2 - Obligations and Activities of Business Associate



  1. Permitted Uses and Disclosures. Business Associate agrees to use or disclose Protected Health Information only as permitted or required by this Agreement or as Required by Law.



  1. Safeguards. Business Associate agrees to implement the administrative safeguards set forth at 45 C.F.R 164.308, the physical safeguards set forth at 45

C.F.R 164.310, the technical safeguards set fort at 45 C.F.R. 164.312, and the policies and procedures set fort at 45 C.F.R. 164.316 and to otherwise comply with applicable provisions of the Security Rule, to reasonably and appropriately protect the confidentiality, integrity, and availability of the ePHI that it creates, receives, maintains, or transmits on behalf of Company. Business Associate acknowledges that, effective on the Effective Date of this BAA, (a) the foregoing safeguards, policies, and procedures requirements shall apply to Business Associate in the same manner that such requirements apply to Company, and (b) Business Associate shall be liable under the civil and criminal enforcement provisions set forth at 42 U.S.C. § 1320d-5 and 1320d-6, as amended from time to time, for failure to comply with the safeguards, policies, and procedures requirements and any guidance issued by the Secretary from time to time with respect to such requirements.



  1. Mitigation. Business Associate agrees to mitigate any harmful effect that is known to Business Associate of a use or disclosure of Protected Health Information by Business Associate in violation of the requirements of this Agreement.



  1. Agents and Subcontractors. Business Associate agrees to in accordance with

45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), require any subcontractors that create, receive, maintain, or transmit Protected Health Information on behalf of the

Business Associate to agree in writing to the same restrictions, conditions, and requirements that apply to the Business Associate with respect to such information.



  1. Access to Individuals. Business Associate agrees to make available Protected Health Information in a Designated Record Set to either Company or at the direction of Company, the Individual or the Individual’s designee, as necessary to satisfy Company’s obligations under 45 CFR 164.524;



  1. Amendments to Protected Health Information. Business Associate agrees to make any amendment(s) to Protected Health Information in a Designated Record Set as directed or agreed to by Company pursuant to 45 CFR 164.526, or take other measures as necessary to satisfy Company’s obligations under 45 CFR 164.526



  1. Access by Company. Business Associate agrees to make internal practices, books and records including policies and procedures and Protected Health Information, relating to the use and disclosure of Protected Health Information received from, or created or received by Business Associate on behalf of, Company available to the Secretary within the timeframe and in the format requested by the Secretary for purposes of the Secretary determining Company's compliance with HIPAA. Any such audit, inspection, etc. shall be at the sole cost of Business Associate.



  1. Disclosure Documentation. Business Associate agrees to document such disclosures of Protected Health Information and information related to such disclosures as would be required for Company to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 CFR Section 164.528. Within five (5) business days of receipt of a request from Company, Business Associate agrees to provide to Company or, at the direction of Company, an Individual, information collected in accordance with this subsection to permit Company to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 CFR Section 164.528.



  1. Minimum Necessary. Business Associate agrees to limit its request, use, and disclosure of PHI to the minimum necessary to fulfill the Business Associate’s commitments and to perform functions, activities, or services on behalf of Company pursuant to the Master Agreement.



Section 3 - Permitted Uses by Business Associate



  1. Performance of Services. Except as otherwise limited in this Agreement, Business Associate may use or disclose Protected Health Information to perform the Services, provided that such use or disclosure would be permitted if done by Company.



  1. Other Permitted Usage. Except as otherwise limited in this Agreement, Business Associate may use Protected Health Information for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate. In addition, Business Associate may use Protected Health

Information to provide Data Aggregation services for Company and other Companies as permitted by 45 CFR Section 164.504(e)(2)(i)(B).



Section 4 - Obligations of Company



  1. Change in Privacy Practices. Company shall notify Business Associate of any limitation(s) in its notice of privacy practices maintained in accordance with 45 CFR Section 164.520, to the extent that such limitation may affect Business Associate's use or disclosure of Protected Health Information.



  1. Change in right to use Protected Health Information. Company shall notify Business Associate of any changes in, or revocation of, permission by an Individual to use or disclose Protected Health Information, to the extent that such changes may affect Business Associate's use and disclosure of Protected Health Information.



  1. Change in Restrictions Regarding Protected Health Information. Company shall notify Business Associate of any restriction to the use or disclosure of Protected Health Information that Company has agreed to in accordance with 45 CFR Section 164.522, to the extent that such restriction may affect Business Associate's use or disclosure of Protected Health Information.



  1. Requests. Company shall not request Business Associate to use or disclose Protected Health Information in any manner that would not be permissible if done by Company.



Section 5 - Duties of Business Associate Upon Impermissible Use or Disclosure of PHI



  1. Reporting of Impermissible Use or Disclosure. Business Associate agrees to report to Company any use or disclosure of Protected Health Information not provided for by the Agreement of which it becomes aware, including Breaches of Unsecured Protected Health Information as required at 45 CFR 164.410, and any Security Incident of which it becomes aware (collectively, “Incidents”). Such reports shall be made without unreasonable delay and in all events within ten (10) days of discovery, as set forth in the HITECH Act.



  1. Content of Notification. All notices of an impermissible use or disclosure of Protected Health Information hereunder shall include, if feasible, the identification of each Individual whose PHI has been or is reasonably believed by Business Associate to have been, accessed, acquired, made unusable via ransomware, or disclosed in connection with such Incident. In addition, Business Associate shall provide any additional information reasonably requested by Company for purposes of investigating and evaluating the Incident. The notification shall also include: (a) a brief description of what happened including the date of the Incident and the date of the discovery of the Incident; (b) the types of identifiers involved such as full name, social security number, date of birth, home address, account number, diagnosis, etc.; (c) recommended steps that Individuals should take to protect themselves from potential harm resulting from the Incident; and (d) a brief description of what the Business Associate is doing to investigate the Incident, to mitigate harm to Individuals, and to protect against any further Incidents and any other available information that Company is required to include to the individual

under 45 C.F.R. § 164.404(c) at the time of notification or promptly thereafter as information becomes available.



  1. Mitigation. Business Associate agrees to mitigate, at its expense, any harmful effect  known  to  Business  Associate  as  a  result  of  an  Incident. Costs incurred by Company due to an Incident are to be reimbursed by the Business Associate to Company such as but not limited to operating call center(s), media reporting costs, Company staffing, attorney fees, court costs, monthly fees paid to Business Associate.



Section 6- Term and Termination



  1. Term. This Agreement will begin on the Effective Date and shall continue in effect until the earlier of the termination of the Master Agreement; termination of this Agreement; or mutual written agreement of the parties.



  1. Termination.



  1. Termination for Cause. Upon either party’s knowledge of a breach of this Agreement by the other, the party shall provide not less than thirty (30) days written notice of its intent to terminate the Agreement to the other party provided if the other party does not cure such breach no later than the end of the written notice period.



  1. Termination without Cause and Termination of the Master Agreement. Either party may terminate this Agreement effective upon thirty (30) days advance written notice to the other party given with or without any reason if Business Associate no longer performs services for Company requiring its creation, access to, transmission, or maintenance of Protected Health Information.



  1. Effect of Termination. Upon termination of this Agreement, Business Associate shall return or, with Company's express permission, destroy, all Protected Health information received from Company, or created or received by Business Associate on behalf of Company. If the Protected Health Information is destroyed, Business Associate shall provide Company with a letter confirming information has been destroyed. Business Associate shall retain no copies of the Protected Health Information, except in cases of actual or threatened litigation or if required by law. This provision shall apply to Protected Health Information that is in the possession of subcontractors or agents of Business Associate.




If Business Associate determines that returning or destroying the PHI is infeasible, for example, because such information must be retained for compliance with applicable laws, Business Associate shall provide to Company notification of the conditions that make return or destruction infeasible. Upon notification of the conditions that make return or destruction infeasible, Business Associate shall extend the protections of this Agreement to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such PHI.

Section 7 - Right to Audit



  1. Company shall have the right to audit Business Associate at any time upon providing Business Associate in writing (10) ten-day notice of the intent to perform offsite or onsite audit procedures. The scope of the audit will be to confirm Business Associate is in compliance with all information safeguards, access controls, and other items necessary for protecting and controlling PHI as stated within this Agreement. In the event the audit reveals material out of compliance, the Business Associate will have (30) thirty days to mitigate. If within (30) thirty days agreed upon mitigations are not in place, Company has the right to terminate this Agreement, the Master Agreement, and any other contracts and services with Business Associate without additional cost or penalties for termination.



Section 8 - Miscellaneous



  1. Interpretation; Conflict. This Agreement is subject to the term and conditions of the Master Agreement. To the extent this Agreement, only as it relates to HIPAA, is inconsistent with the terms of the Master Agreement, such that the terms in this Agreement are more stringent, the terms of this Agreement shall govern. All terms of the Master Agreement remain in full force and effect.



  1. No Third-Party Beneficiaries. Except as set forth in this Agreement, this Agreement is entered into by and among the parties hereto solely for their benefit. The parties have not created or established any third-party beneficiary status or rights in any person or entity not a party hereto including, but not limited to, any individual, provider, subcontractor, or other third-party, and no such third-party will have any right to enforce any right or enjoy any benefit created or established under this Agreement.



  1. Entire Agreement; Amendments; Facsimile. This Agreement supersedes and terminates any prior agreement or understandings pertaining to HIPAA obligations between the parties, whether oral or written, and may be amended only by a writing executed by authorized representatives of both parties. A facsimile or other reproductive type copy of this Agreement, so long as signed by all parties, will be considered an original and will be fully enforceable against all parties.



  1. Notices. Any notice required pursuant to this Agreement must be in writing and sent by registered or certified mail, return receipt requested, by fax with proof of delivery, or by a nationally recognized private overnight carrier with proof of delivery, to the addresses of the parties set forth below in this Agreement. The date of notice will be the date on which the recipient receives notice or refuses delivery. All notices must be addressed as follows or to such other address as a party may identify in a notice to the other party:



Section 9 – Indemnification and Limitation of Liability.



  1. Business Associate will indemnify Company, its affiliates, officers, directors, employees, or agents (“Indemnified Entity”) from and against any claim, cause of action, liability, damage, cost, or expense, including attorney’s fees and court or proceeding costs, caused by Business Associate’s breach of this Agreement or an Incident. Indemnified Entity shall give Business Associate written notice of such claim, a brief description of the claim, and the amount sought if known. Failure to give such notice shall not relieve Business Associate of its obligations under this section except to the extent the Business Associate is prejudiced by the failure or delay to give such notice.

  2. Company will indemnify the Business Associate, its affiliates, officers, directors, employees, or agents (“Indemnified Associate”) from and against any third-party claim, cause of action, liability, damage, cost, or expense, including attorney’s fees and court or proceeding costs, directly caused Company’s breach of this Agreement. Indemnified Associate shall give Company written notice of such claim, a brief description of the claim, and the amount sought if known. Failure to give such notice shall not relieve Company of its obligations under this section except to the extent Company is prejudiced by the failure or delay to give such notice.

No Limitations. Business Associate’s obligations, including its indemnification obligations hereunder, shall not be subject to any limitations or exclusions on damages, notwithstanding any provision in the Master Agreement to the contrary.

© 2024 Brellium Inc. all rights reserved

© 2024 Brellium Inc. all rights reserved

© 2024 Brellium Inc. all rights reserved