This Business Associate Agreement (“BAA”) is made and entered into by and between:
(i) the Customer identified on an Order Form or, if not in the Order Form, the organization using the Proximie Platform and Services (“Customer”); and
(ii) Proximie Inc. with a registered office at 101 Federal Street, Suite 1900, Boston, Massachusetts, 02110, USA (“Proximie”),
each a Party,and together the Parties.
WHEREAS, the Parties agree that Proximie may have access to PHI (as defined below) in order to perform Proximie’s obligations and services to or on behalf of Customer;
WHEREAS, the Parties desire to comply with the Health Insurance Portability and Accountability Act of 1996, as amended by the Health Information Technology for Economic and Clinical Health Act, Title XIII of Division A of the American Recovery and Reinvestment Act of 2009, and the regulations promulgated thereunder (collectively, “HIPAA”), as applicable to Proximie’s relationship with the Customer, and, to the extent Customer is a Covered Entity or Business Associate under HIPAA, Proximie may be acting a Business Associate or Subcontractor, respectively;
The terms used in this BAA have the meanings set forth in this BAA. Capitalized terms not otherwise defined herein and that are also not defined in the HIPAA have the meaning given to them in the Agreement, if applicable and as defined below.
NOW THEREFORE in consideration of the mutual promises herein, the Parties agree as follows:
1. Scope of Agreement
Customer is a Covered Entity or Business Associate as defined under HIPAA, and the Parties understand and agree that Proximie may have access to PHI (as defined below) when Proximie is performing its obligations and services to or on behalf of Customer.
This BAA governs the relationship between Proximie (as Business Associate or Subcontractor Business Associate) and Customer (as Covered Entity or Business Associate, respectively). If it is determined that Proximie is not a “Business Associate” as defined in 45 C.F.R. §160.103 then this BAA shall be void. This BAA being voided shall not impact the validity of any other BAAs or the agreement(s) between the Parties (including, for example, any enterprise terms and conditions, end user license agreement, or the remainder of the an Agreement(if any)).
This BAA shall remain in force until all of the PHI provided by Customer to Proximie, or created or received by Proximie on behalf of Customer, is destroyed or returned to Customer, or, if it is infeasible to return or destroy PHI, protections are extended to such information, in accordance with Section 6.3.
If the Parties have either entered into an agreement under which Proximie has agreed to provide, and Customer has agreed to receive, the Proximie Platform as a service (“Services Agreement”), or Proximie has entered into an agreement with a Third Party Entity under which Proximie has agreed to provide the Proximie Platform as a service to Customer (a “Master Services Agreement”). The Services Agreement and/or Master Services Agreement(s) are referred to as “Agreement” under this BAA, as applicable. Where an Agreement has been entered between the Parties, this BAA shall attach to and form part of the Agreement.
In this BAA, the following terms have the meanings set out below.
2.1 “Breach” shall have the same meaning as the term “breach” in 45 C.F.R. § 164.402. If not capitalized herein, “breach” shall have its general meaning in this BAA.
2.2 “Data Aggregation” shall have the same meaning as the term “data aggregation” in 45 C.F.R. § 164.501.
2.3 “Documentation” means technical documentation provided or made available from time to time to Customer by Proximie regarding the Proximie Platform, Services and/or third-party equipment, as applicable and required by law.
2.4 “Effective Date” means the earlier of either: (i) the date of the Agreement, if any; or (ii) the date on which Customer provides PHI to Proximie for use in the Products or Services.
2.5 “Electronic PHI” shall have the same meaning as the term “electronic protected health information” in 45 C.F.R. § 160.103.
2.6 “Healthcare Establishment” means, where applicable (and if different to Customer), the hospital, clinic or other healthcare establishment or provider to which Customer may make the Products and Services available.
2.7 “Individual” shall have the same meaning as the term “individual” in 45 C.F.R. § 160.103 and shall include a person who qualifies as a personal representative in accordance with 45 C.F.R. § 164.502(g).
2.8 “Limited Data Set” shall have the same meaning as the term “Limited Data Set” in 45 C.F.R. § 164.514(e)(2).
2.9 “Privacy Rule” shall mean the Standards for Privacy of Individually Identifiable Health Information at 45 C.F.R. Part 160 and Subparts A and E of 45 C.F.R. Part 164.
2.10 “Protected Health Information” or “PHI” shall have the same meaning as the term “protected health information” in 45 C.F.R. § 160.103, limited to PHI created or received by Proximie for, on behalf of, or from Customer pursuant to this BAA.
2.11 “Products” means the Proximie Platform and the Documentation pertaining to it.
2.12 “Proximie Platform” means the Proximie proprietary software in a managed cloud-hosted environment, any related software, applicable programming interfaces (APIs), and Proximie models or algorithms provided or made available to the Customer as a service, and any improvements, modifications, derivative works, patches and Updates thereto.
2.13 “Required By Law” shall have the same meaning as the term “required by law” in 45 C.F.R. § 164.103.
2.14 “Secretary” means the Secretary of Health and Human Services (HHS) or any other officer or employee of HHS to whom the authority involved has been delegated.
2.15 “Security Incident” shall have the same meaning as the term “security incident” in 45 C.F.R. § 164.304.
2.16 “Security Rule” shall mean the Security Rule at 45 C.F.R. Part 160 and Subparts A and C of 45 C.F.R. Part 164.
2.17 “Services” means Support Services and/or additional implementation, enablement, training, or other professional services provided by or on behalf of Proximie, as may be set out in an Order Form.
2.18 “Third Party Entity” shall mean a third party organization or entity, including but not limited to, a medical device company, research institution, association, or pharmaceutical company, who has entered into arrangements with Proximie and/or Customer for the purposes of providing its products and/or services to the Customer using or in relation to the use of the Proximie software and related services.
2.19 “Unsecured PHI” shall have the same meaning as the term “unsecured protected health information” in 45 C.F.R. § 164.402, limited to PHI created or received by Proximie for, on behalf of, or from Customer pursuant to this BAA.
2.20 “Unsuccessful Security Incidents” shall include, but not be limited to, pings and other broadcast attacks on Proximie’s firewall, port scans, unsuccessful log-on attempts, denials of service and any combination of the above, so long as no such incident results in unauthorized access, use or disclosure of PHI.
3. Obligations and Activities of Proximie
3.1 Restrictions on Use and Disclosure. Proximie agrees not to use or further disclose PHI other than (a) as permitted or required by the BAAs and other agreements between the Parties or this BAA or (b) as Required By Law.
3.2 Safeguards. Proximie agrees to use appropriate safeguards to prevent use or disclosure of PHI other than as provided for by this BAA or by HIPAA.
3.3 Reporting Requirements. Proximie agrees to promptly report to Customer any use or disclosure of PHI in violation of this BAA of which Proximie becomes aware, including Breaches of Unsecured PHI as required by 45 C.F.R. § 164.410. Proximie shall promptly report to Customer any Security Incident involving Electronic PHI of which it becomes aware. The Parties agree that this Section constitutes notice by Proximie to Customer of the ongoing existence and occurrence of attempted Unsuccessful Security Incidents. Proximie shall send all notices pertaining to PHI obligations that are set forth in this BAA to the address provided by Customer to Proximie from time to time.
3.4 Agents and Subcontractors. Proximie shall enter into a Subcontractor Business Associate Agreement in compliance with HIPAA with any subcontractor or agent of Proximie that creates, receives, maintains, or transmits PHI on behalf of Proximie for purposes of performing services for, to, or on behalf of Customer under this BAA.
3.5 Access. To the extent Proximie maintains PHI in a Designated Record Set, Proximie agrees to make available, at the request of and in a reasonable time and manner designated by Customer, to Customer or, as directed by Customer, to an Individual or third party designated by the Individual in writing in order to meet the requirements under 45 C.F.R. § 164.524, PHI in a Designated Record Set. If the PHI is maintained in a Designated Record Set electronically, Proximie agrees to make access available in an electronic format when requested by Customer. In the event Proximie receives a request directly from an Individual to make available PHI in a Designated Record Set, Proximie shall promptly forward such request to Customer.
3.6 Amendment. To the extent Proximie maintains PHI in a Designated Record Set, Proximie agrees to make any amendments to PHI (to the extent it is in a Designated Record Set) as directed by Customer, or as requested by an Individual, to meet the right of amendment required by HIPAA, in a reasonable time and manner designated by Customer.
3.7 Accountings. Customer may obtain information required for an accounting of disclosures under 45 C.F.R. § 164.528 directly from the Proximie Platform. To the extent Customer cannot obtain the information required by an accounting of disclosures directly from the Proximie Platform, Proximie shall provide reasonable assistance to Customer to make available information required for an accounting.
3.8 Privacy Rule Obligations. To the extent that Proximie is to carry out one or more of Customer’s obligations under the Privacy Rule, Proximie agrees to comply with the requirements of the Privacy Rule that apply to Customer in the performance of such obligations.
3.9 Books and Records. Upon request of and in a time and manner designated by the Secretary, Proximie agrees to make its internal practices, books, and records, including policies and procedures, relating to the use and disclosure of PHI received from, or created or received by Proximie on behalf of, Customer available to the Secretary for purposes of determining compliance with the Privacy Rule.
3.10 Mitigation. Proximie agrees to mitigate, to the extent practicable, any harmful effect that is known to Proximie of a use or disclosure of PHI by Proximie or any Subcontractor of Proximie in violation of the requirements of this BAA.
3.11 Restrictions to PHI. Proximie agrees to comply with an Individual’s request for restrictions on use or disclosure of such Individual’s PHI if Customer receives and agrees to such a request from an Individual in accordance with 45 C.F.R. § 164.522 or as otherwise Required By Law, and Customer notifies Proximie of such restriction.
3.12 Minimum Necessary. Proximie agrees to limit the use, disclosure, or request of PHI, to the extent practicable, to the minimum necessary to accomplish the intended purpose of such use, disclosure, or request, respectively.
3.13 Limited Data Sets. Proximie may use PHI to create Limited Data Sets in accordance with HIPAA. The Parties shall enter a separate Data Use BAA to govern the use and disclosure of such Limited Data Sets.
3.14 Compliance with Security Rule. Without limiting any other express provision in this BAA, Proximie acknowledges and agrees that, with respect to Electronic PHI, Proximie shall comply with applicable provisions of the Security Rule, as amended from time to time by the Secretary. Proximie agrees to use appropriate administrative, physical, and technical safeguards to prevent use or disclosure of Electronic PHI other than as provided for by this BAA.
4. Permitted Uses and Disclosures by Proximie.
4.1 Provision of Services to Customer. Except as otherwise limited in this BAA, Proximie may use or disclose PHI as necessary to perform functions, activities, or services for, or on behalf of, Customer consistent with this BAA or any other services contract between the Parties, provided that such use or disclosure would not violate HIPAA if done by Customer.
4.2 Management and Administration of Proximie. Except as otherwise limited in this BAA, Proximie may use PHI for the proper management and administration of Proximie or to carry out the legal responsibilities of Proximie. Except as otherwise limited in this BAA, Proximie may disclose PHI in its capacity as a business associate for the proper management and administration of Proximie or to carry out the legal responsibilities of Proximie, provided the disclosure is (i) Required By Law or (ii) Proximie obtains reasonable assurances from the person to whom the information is disclosed that it will be held confidentially and used or further disclosed only as Required By Law or for the purpose for which it was disclosed to the person, and the person notifies Proximie of any instances of which it is aware in which the confidentiality of the information has been breached.
4.3 Data Aggregation. Proximie may use PHI to provide Data Aggregation services to Customer.
4.4 De-Identification. Proximie may de-identify PHI in accordance with 45 C.F.R. § 164.514 and use de-identified information to provide services to Customer and for any purpose whatsoever, including Proximie’s own purposes (including, but not limited to, use to develop and train Proximie’s algorithms, and to generally improve and develop its specialized products and services). For the avoidance of doubt, de-identified information shall not be subject to this BAA.
5. Obligations of Customer
5.1 General Compliance. Customer undertakes to comply with its obligations under HIPAA.
5.2 Permission. Customer shall notify Proximie of any changes in, or revocation of, permission by Individual to use or disclose PHI, to the extent that such changes affect Proximie’s use or disclosure of PHI.
5.3 Restrictions to PHI. Customer shall immediately notify Proximie of any restriction to the use or disclosure of PHI that Customer has agreed to in accordance with 45 C.F.R. § 164.522, to the extent that such restriction affects Proximie’s use or disclosure of PHI. Further, the Customer must inform Proximie immediately if it believes that the continued use or disclosure of PHI by Proximie as set forth in this BAA may no longer be lawful, or conflicts with any agreement entered into by Customer with a third party.
5.4 Permissible Requests. Customer shall not request Proximie to use or disclose PHI in any manner that would not be permissible under HIPAA if done by Customer.
5.5 No Conflict. Customer warrants and represents that the terms of this BAA do not conflict with any agreement entered into by the Customer with a third party (including without limitation a Healthcare Establishment or Third Party Entity, as applicable).
6. Termination; Effect of Termination
6.1 The Term of this BAA shall be effective as of the Effective Date, and shall terminate when all of the PHI provided by Customer to Proximie, or created or received by Proximie on behalf of Customer, is destroyed or returned to Customer pursuant to Section 6.2, or, if it is infeasible to return or destroy PHI, protections are extended to such information, in accordance with Section 6.3.
6.2 Except as provided in Section 6.3, upon termination for any reason, Proximie shall return or destroy all PHI received from Customer, or created or received by Proximie on behalf of Customer. This provision shall apply to PHI that is in the possession of Subcontractors of Proximie.
6.3 In the event that Proximie determines that returning or destroying PHI is infeasible (including if Proximie must maintain the PHI for its own proper management or administration, or to carry out its legal responsibilities), Proximie shall provide to Customer notification of the conditions that make return or destruction infeasible. Upon Proximie’s determination that return or destruction of PHI is infeasible, Proximie shall extend the protections of this BAA to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Proximie maintains such PHI.
7. Limitation of Liability
7.1 Subject to Section 7.2, Proximie’s liability to Customer under or in connection with this BAA (including, without limitation, for any breach of this BAA or of HIPAA) shall be subject to the limitations of liability set out in the Agreement.
7.2 Where the Parties have not entered into an Agreement, Proximie’s total aggregate liability to Customer under or in connection with this BAA (including, without limitation, for any breach of this BAA or of HIPAA) shall be limited to fifty thousand US dollars (US $50,000).
8.1 Amendment. Upon enactment of any law, regulation, court decision or relevant government publication and/or interpretive policy affecting the use or disclosure of PHI, the Parties may amend or replace this BAA as necessary to comply with HIPAA.
8.2 Interpretation. Any ambiguity in this BAA shall be resolved in favor of a meaning that permits the Parties to comply with HIPAA and any current or future regulations promulgated thereunder. In the event of any conflict between the terms of this BAA and any other services contract, the terms of this BAA shall control.
8.3 No Agency. Nothing in this BAA shall be construed to create (a) a partnership, joint venture or other joint business relationship between the Parties or any of their affiliates, or (b) a relationship of employer and employee between the Parties. Proximie is an independent contractor, not an agent, to Customer and nothing contained in this BAA shall be intended to expand the scope or nature of the relationship.
8.4 Severability. If any provision of this BAA is held by a court of competent jurisdiction to be illegal, invalid, or unenforceable under present or future laws effective during the term of this BAA, the legality, validity and enforceability of the remaining provisions shall not be affected thereby.
8.5 No Third Party Beneficiaries. Nothing in this BAA confers on any person other than Customer and Proximie and their respective successors and assigns, any rights, remedies, obligations or liabilities.
8.6 Survival. The following terms of this BAA shall continue to apply, notwithstanding termination or expiry of this BAA, clauses 2, 4.4, 7, and 8.
8.7 Waiver. No waiver of any provision of this BAA shall be effective except to the extent made in writing and signed by an authorized representative of the waiving Party. No failure or delay by any Party to exercise any right or remedy will operate as a waiver of it nor will any partial exercise preclude any further exercise of the same, or of some other right or remedy. All such rights and remedies are several and cumulative and not exclusive of each other.
8.8 Governing Law and Jurisdiction. This BAA and shall be governed in accordance with the laws of the State of New York and arbitration will be administered in New York, United States, in accordance with the Comprehensive Arbitration Rules and Procedures of the Judicial Arbitration and Mediation Services Inc. (JAMS) and the Federal Rules of Evidence (notwithstanding any JAMS rules to the contrary).
8.9 Entire Agreement. This BAA constitutes the entire agreement and understanding between the Parties in respect of the matters dealt with herein and supersedes any previous agreement between the Parties relating to such matters. Each of the Parties acknowledges and agrees that in entering into this BAA it does not rely on, and shall have no remedy in respect of, any statement, representation, warranty or understanding (whether negligently or innocently made) other than as expressly set out in this BAA. The only remedy available to any Party in respect of any such statement, representation, warranty or understanding shall be for breach of contract under the terms of this BAA. Nothing in this clause shall operate to exclude or limit any liability for fraud or fraudulent misrepresentation.