Business Associate Addendum
BY ENTERING INTO AN ORDER UNDER WHICH BUSINESS ASSOCIATE WILL BE GIVEN ACCESS TO AND/OR USE OF ANY PROTECTED HEALTH INFORMATION, COVERED ENTITY HEREBY ENTERS INTO THIS BUSINESS ASSOCIATE ADDENDUM (THIS “ADDENDUM”) AND IS LEGALLY BOUND THEREBY. THIS ADDENDUM IS HEREBY ATTACHED TO AND MADE A PART OF THE GENERAL TERMS AND CONDITIONS (“GENERAL TERMS”) SET FORTH AT HTTPS://WWW.INFINX.COM/TERMS-AND-CONDITIONS-FOR-CUSTOMER-AGREEMENTS BY AND BETWEEN THE CONTRACTING INFINX ENTITY PROVIDER DESIGNATED IN THE ORDER(S) ON BEHALF OF ITSELF AND ITS AFFILIATES (INCLUDING WITHOUT LIMITATION, ITS OFF-SHORE AFFILIATES WHICH INCLUDE INFINX SERVICES PVT. LTD., LOCATED IN INDIA AND INFINX HEALTHCARE PHILIPPINES, INC., LOCATED IN THE PHILIPPINES) (COLLECTIVELY, “INFINX” OR “BUSINESS ASSOCIATE”), AND THE PURCHASING BUSINESS OR OTHER ENTITY TO WHICH BUSINESS ASSOCIATE PROVIDES SERVICES AS A BUSINESS ASSOCIATE (AS THAT TERM IS DEFINED PURSUANT TO THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (“HIPAA”)), TO THE EXTENT SUCH PERSON OR ENTITY IS A COVERED ENTITY AS THAT TERM IS DEFINED PURSUANT TO HIPAA (“CUSTOMER” OR “COVERED ENTITY”). THE PARTIES ARE ENTERING INTO THIS ADDENDUM TO ASSIST THE COVERED ENTITY IN COMPLYING WITH HIPAA, AND TO SET FORTH BUSINESS ASSOCIATE’S OBLIGATIONS UNDER THE HEALTH INFORMATION TECHNOLOGY FOR ECONOMIC AND CLINICAL HEALTH ACT OF 2009 (THE “HITECH ACT”), AND 45 CFR PARTS 160 AND 164, SUBPART C (THE “SECURITY RULE”), SUBPART D (THE “DATA BREACH NOTIFICATION RULE”), AND SUBPART E (THE “PRIVACY RULE”) (COLLECTIVELY, THE “HIPAA REGULATIONS”). TERMS USED IN THIS ADDENDUM HAVE THE MEANINGS GIVEN THEM IN THE HIPAA REGULATIONS. 
THIS ADDENDUM APPLIES TO ANY PROTECTED HEALTH INFORMATION BUSINESS ASSOCIATE RECEIVES FROM COVERED ENTITY, OR CREATES, RECEIVES OR MAINTAINS ON BEHALF OF COVERED ENTITY, UNDER ITS AGREEMENTS WITH COVERED ENTITY, WHICH MAY INCLUDE, WITHOUT LIMITATION, THOSE TERMS AND CONDITIONS SET FORTH IN THE APPLICABLE ORDER, MASTER SERVICES AGREEMENT AND/OR SIMILAR AGREEMENT (EACH, AN “ORDER”). THE PERSON EXECUTING THE ORDER(S) ON BEHALF OF COVERED ENTITY REPRESENTS AND WARRANTS TO BUSINESS ASSOCIATE THAT THEY HAVE FULL LEGAL AUTHORITY TO ACCEPT THE TERMS OF THIS ADDENDUM. ALL CAPITALIZED TERMS USED IN THIS ADDENDUM BUT NOT DEFINED WILL HAVE THE SAME MEANINGS GIVEN IN THE GENERAL TERMS, THE APPLICABLE ORDER OR HIPAA. IN THE EVENT OF A CONFLICT BETWEEN THE TERMS OF THIS ADDENDUM, THE GENERAL TERMS AND THE ORDER, THE FOLLOWING DESCENDING ORDER OF PRECEDENCE WILL CONTROL: THE ORDER, THIS ADDENDUM AND THE GENERAL TERMS. THIS ADDENDUM SHALL BE EFFECTIVE AS OF THE DATE ON WHICH THE PRIVACY RULE REQUIRES COMPLIANCE BY COVERED ENTITY (“EFFECTIVE DATE”), AND IN THE EVENT SUCH EFFECTIVE DATE IS PRIOR TO THE EFFECTIVE DATE OF ANY APPLICABLE ORDER, THE PARTIES HEREBY AGREE THAT THE GENERAL TERMS APPLY TO THIS ADDENDUM FROM ITS EFFECTIVE DATE.
AGREEMENT
- Business Associate may use and disclose Covered Entity’s Protected Health Information to provide Covered Entity with the goods and services contemplated by the Orders. Except as expressly provided below, this Addendum does not authorize Business Associate to make any use or disclosure of Protected Health Information that Covered Entity would not be permitted to make.
- Business Associate will:
  - Not use or further disclose Covered Entity’s Protected Health Information except as permitted by the Orders or this Addendum, or as required by law;
  - Use appropriate safeguards, and comply, where applicable, with the HIPAA Security Rule with respect to electronic protected health information, to prevent use or disclosure of Covered Entity’s Protected Health Information other than as provided for by the Orders or this Addendum;
  - Promptly report to Covered Entity any use or disclosure of Covered Entity’s Protected Health Information not provided for by the Orders or this Addendum of which it becomes aware, including breaches of unsecured protected health information as required by the Data Breach Notification Rule (45 CFR § 164.410), and any security incident of which Business Associate becomes aware. Notwithstanding the foregoing, Covered Entity and Business Associate hereby agree that Business Associate receives frequent, routine, unsuccessful attempts to penetrate or compromise its systems, including pings, port scans and log on attempts, and that this constitutes Business Associate’s report and notification to Covered Entity of such events, and no further reporting of such Security Incidents is required; unless these attempts result in an unauthorized access to, use, disclosure, destruction or loss of electronic Protected Health Information, Business Associate will not report them to Covered Entity;
  - Ensure that any of Business Associate’s subcontractors that create, receive, maintain, or transmit Protected Health Information on behalf of the Business Associate agree in writing to the same restrictions and conditions that apply to Business Associate with respect to such information, including compliance with the HIPAA Security Rule with respect to electronic protected health information;
  - Make any Protected Health Information in a designated record set available to Covered Entity to enable Covered Entity to meet its obligation to provide access to the information in accordance with 45 CFR § 164.524;
  - Make any Protected Health Information in a designated record set available for amendment and incorporate any amendments to Protected Health Information as directed by Covered Entity pursuant to 45 CFR § 164.526;
  - Make available to Covered Entity the information concerning disclosures that Business Associate makes of Covered Entity’s Protected Health Information required to enable Covered Entity to provide an accounting of disclosures in accordance with 45 CFR § 164.528;
  - To the extent that Business Associate carries out Covered Entity’s obligations under the Privacy Rule, comply with the requirements of the Privacy Rule that apply to Covered Entity in the performance of such obligations;
  - Upon termination of the Orders, promptly return or destroy all Covered Entity’s Protected Health Information that Business Associate still maintains in any form and retain no copies of such information or, if return or destruction is not feasible, extend the protections of this Addendum to that information and limit further use and disclosure to those purposes that make the return or destruction of the information infeasible.
- If Covered Entity determines that Business Associate has violated a material term of this Addendum, and if Business Associate fails to cure such violation within 30 days of delivery of written notice thereof, Covered Entity may immediately terminate this Addendum.
- Business Associate may use Covered Entity’s Protected Health Information for the management and administration of Business Associate’s company and to carry out Business Associate’s own legal responsibilities, and Business Associate may disclose the information for these purposes if Business Associate is required to do so by law, or if Business Associate obtains reasonable assurances from the recipient of the information (a) that it will be held confidentially, and used or further disclosed only as required by law or for the purpose for which it was disclosed to the recipient, and (b) that the recipient will notify Business Associate of any instances of which the recipient is aware in which the confidentiality of the information is breached.
- Business Associate may use Covered Entity’s Protected Health Information for data aggregation, as permitted by the Privacy Rule.
- Business Associate may de-identify Covered Entity’s Protected Health Information, in compliance with the requirements of 45 C.F.R. Section 164.514. Business Associate shall be the owner of such de-identified data.
- Business Associate shall make its internal practices, books and records relating to the use and disclosure of Covered Entity’s Protected Health Information available to the Secretary of the United States Department of Health and Human Services, or his or her designee for purposes of determining Covered Entity’s compliance with the HIPAA standards. Records requested that are not protected by applicable legal privilege will be made available in the time and manner specified by Covered Entity, or the Secretary.
- Business Associate agrees to document disclosures of Covered Entity’s Protected Health Information and information related to such disclosures, as required for the Covered Entity to promptly respond to requests by an individual for an accounting of disclosures of such individual Protected Health Information by Business Associate in compliance with the HIPAA regulations. Business Associate agrees to provide Covered Entity information in such time for Covered Entity to make a timely and prompt response to a request by an individual for such accounting, as required by the HIPAA regulations.
- This Addendum applies to all present and future contracts and relationships between Covered Entity and Business Associate, written or unwritten, formal or informal, in which Covered Entity provides any Protected Health Information to Business Associate in any form whatsoever. As of the Effective Date, this Addendum automatically amends all existing agreements between Business Associate and Covered Entity involving the use or disclosure of Protected Health Information. This Addendum shall automatically be incorporated in all subsequent agreements between Business Associate and Covered Entity involving the use or disclosure of Protected Health Information, in which a business associate relationship exists, whether or not specifically referenced therein.
- Covered Entity acknowledges that once Business Associate has completed using Protected Health Information to provide the services it is obligated to provide to Covered Entity, Business Associate will need to periodically destroy the Protected Health Information, a duplicate copy of which is maintained and used by Covered Entity for its operational, legal and business needs. Covered Entity expressly grants Business Associate permission to destroy Protected Health Information periodically after its use in providing services to Covered Entity and before termination or expiration of this Addendum.
- This Addendum is to be interpreted in accordance with HIPAA, the HITECH Act, and the regulations promulgated thereunder, as amended from time to time. The terms of this Addendum shall prevail in the case of any conflict with the terms of any Orders to the extent necessary to allow Covered Entity to comply with the Privacy Rule.
- Nothing in this Addendum shall confer upon any person other than the Parties and their respective successors or assigns, any rights, remedies, obligations, or liabilities whatsoever. Subject to Section 2(d) above, Business Associate may delegate its obligations under this Addendum without consent of the Covered Entity, including without limitation to subcontractors located outside of the United States.
- This Addendum contains the entire agreement and understanding between the Parties with respect to the subject matter hereof and supersedes any prior or contemporaneous written or oral agreements, representations and warranties between them respecting the subject matter hereof.
Business Associate Addendum, Version 1.0, Promulgated February 5, 2025.