This Business Associate Addendum (this “Business Associate Addendum”) applies to any Order and the Agreement between Customer (“Covered Entity”) and ZOLL (“Business Associate”) in order to comply with 45 C.F.R. §164.502(e) and §164.504(e), governing protected health information ("PHI") and business associates under the Health Insurance Portability and Accountability Act of 1996 (P.L. 104 191), 42 U.S.C. Section 1320d, et. seq., and regulations promulgated thereunder, as amended from time to time (statute and regulations collectively referred to as "HIPAA"). Terms used but not otherwise defined in this Business Associate Addendum will have the same meaning as those terms in HIPAA and the Master Software, SaaS and Services Agreement, as applicable; provided that PHI will refer only to protected health information of Covered Entity unless otherwise stated.
To the extent it has access to PHI, Business Associate will fully comply with the requirements of this Business Associate Addendum with respect to such PHI. Business Associate will ensure that every agent, including a subcontractor, of Business Associate to whom it provides PHI received from, or created or received by Business Associate on behalf of, Covered Entity will comply with the same restrictions and conditions as set forth in this Business Associate Addendum.
Business Associate will not use or disclose PHI except as permitted under this Business Associate Addendum, including Section 16 hereof, and in compliance with each applicable requirement of 45 CFR Section 164.504(e). Business Associate may use or disclose the PHI received or created by it: (A) to perform its obligations under this Business Associate Addendum; (B) to perform functions, activities, or services for, or on behalf of, Covered Entity as specified in the Agreement; or (C) to provide data aggregation functions to Covered Entity as permitted by HIPAA. Further, Business Associate may use the PHI received by it in its capacity as Business Associate, if necessary, to properly manage and administer its business or to carry out its legal responsibilities. Business Associate may disclose the PHI received by it in its capacity as Business Associate to properly manage and administer its business or to carry out its legal responsibilities if: (Y) the disclosure is required by law; or (Z) Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will be held confidentially and used or further disclosed only as required by law or for the purpose for which it is disclosed to the person and the person notifies Business Associate of any instances of which it is aware that the confidentiality of the information has been breached. Covered Entity will not request Business Associate to use or disclose PHI in any manner that would not be permissible under HIPAA if done by Covered Entity.
Business Associate will develop, document, use and keep current appropriate procedural, physical and electronic safeguards, as required in 45 C.F.R. §§164.308 - 164.312, sufficient to prevent any use or disclosure of electronic PHI other than as permitted or required by this Business Associate Addendum.
Business Associate will limit any use, disclosure or request for use or disclosure to the minimum amount necessary to accomplish the intended purpose of the use, disclosure or request.
Business Associate will report to Covered Entity any information of which it becomes aware concerning any use or disclosure of PHI that is not permitted by this Business Associate Addendum and any security incident of which it becomes aware. Business Associate will, within fifteen (15) days following the discovery of a breach of “unsecured protected health information,” as defined in 45 C.F.R. § 164.402, notify Covered Entity of such breach. The notice will include the identification of each individual whose unsecured protected health information has been, or is reasonably believed by Business Associate to have been, accessed, acquired or disclosed during such breach. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of this Business Associate Addendum.
In accordance with an individual’s right to access to his or her own PHI in a designated record set under 45 CFR §164.524 and the individual’s right to copy or amend such records under 45 CFR §164.524 and §164.526, Business Associate will make available all PHI in a designated record set to Covered Entity to enable the Covered Entity to provide access to the individual to whom that information pertains or such individual’s representative.
Business Associate will make available for amendment PHI in a designated record set and will incorporate any amendments to PHI in a designated record set in accordance with 45 CFR §164.526 and in accordance with any process mutually agreed to by the parties.
Business Associate will document disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to an individual’s request for an accounting of disclosures of their PHI in accordance with 45 CFR §164.528. Business Associate agrees to make available to Covered Entity the information needed to enable Covered Entity to provide the individual with an accounting of disclosures as set forth in 45 CFR §164.528.
Business Associate will make available to the U.S. Department of Health and Human Services ("DHHS"), Business Associate’s internal practices, books and records relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of, Covered Entity for purposes of determining the Covered Entity’s compliance with HIPAA.
Covered Entity will notify Business Associate of any limitation in its notice of privacy practices, any restriction to the use or disclosure of PHI that Covered Entity has agreed to with an individual and of any changes in or revocation of an authorization or other permission by an individual, to the extent that such limitation, restriction, change, or revocation may affect Business Associate’s use or disclosure of PHI.
Covered Entity and Business Associate will comply with the amendments to HIPAA included in the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”), including all privacy and security regulations issued under the HITECH Act that apply to Business Associate.
This Business Associate Addendum will take effect on the effective date of the Agreement and will continue in effect unless and until either party terminates this Business Associate Addendum or the Agreement.
If Covered Entity knows of a pattern of activity or practice of Business Associate that constitutes a material breach or violation of Business Associate’s obligations under this Business Associate Addendum, Covered Entity and Business Associate will take any steps reasonably necessary to cure such breach and make Business Associate comply, and, if such steps are unsuccessful, Covered Entity may terminate this Business Associate Addendum. Business Associate will take reasonable actions available to it to mitigate any detrimental effects of such violation or failure to comply.
Business Associate will, upon termination of this Business Associate Addendum, and if feasible: (A) return or destroy all PHI received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity, that Business Associate has continued to maintain in any form or manner and retain no copies of such information or, (B) if such return or destruction is not feasible, immediately notify Covered Entity of the reasons return or destruction are not feasible, and extend indefinitely the protection of this Business Associate Addendum to such PHI and limit further uses and disclosures to those purposes that make the return or destruction of the PHI not feasible.
Business Associate may de-identify or aggregate any and all PHI and may create a “Limited Data Set” in accordance with 45 C.F.R. § 164.514(b) & (e). Covered Entity acknowledges and agrees that de-identified information is not PHI and that Business Associate may use such de-identified or aggregated information for any lawful purpose. Use or disclosure of a Limited Data Set must comply with 45 CFR 164.514(e).
All representations, covenants and agreements in or under this Business Associate Addendum will survive the execution, delivery and performance of this Business Associate Addendum.
Each party will in good faith execute, acknowledge or verify, and deliver any and all documents which may from time to time be reasonably requested by the other party to carry out the purpose and intent of this Business Associate Addendum. The terms and conditions of this Business Associate Addendum will override and control any expressly conflicting term or condition of the Agreement. All non-conflicting terms and conditions of the Agreement will remain in full force and effect. Any ambiguity in this Business Associate Addendum with respect to the Agreement will be resolved in a manner that will permit Covered Entity to comply with HIPAA. For the avoidance of doubt, a limitation on liability in the Agreement does not conflict with this Business Associate Addendum.
The parties acknowledge and agree that HIPAA may be amended and additional guidance or regulations implementing HIPAA may be issued after the date of the execution of this Business Associate Addendum and may affect the parties’ obligations under this Business Associate Addendum. The parties agree to take such action as is necessary to amend this Business Associate Addendum from time in order as is necessary for Covered Entity to comply with HIPAA.