Health Note Business Associate Addendum
This Health Note Business Associate Agreement (this “Addendum”) is an agreement between Health Note, Inc. (“Health Note”) and you or the entity you represent (“you” or “your”), and is an addendum to the Health Note Terms of Service available at healthnote.com/legal/terms-of-service (as updated from time to time) by and between you and Health Note, or other agreement between you and Health Note governing your use of the Services (the “Agreement”). This Addendum takes effect on the date when you click “I Agree” (or other electronic means made available by Health Note for such purpose) presented with this Addendum (the “Addendum Effective Date”). You represent to Health Note that you are lawfully able to enter into contracts (e.g., you are not a minor). If you are entering into this Addendum for an entity, such as the company you work for, you represent to Health Note that you have legal authority to bind that entity.

1. Definitions.

Terms used in this Addendum but not otherwise defined in this Addendum or the Agreement shall have the meaning ascribed to them by HIPAA. For purposes of this Addendum only, when Health Note is deemed to be a Business Associate of Customer, as applicable, Health Note shall be referred to as “Business Associate,” and Customer, as applicable, shall be referred to as “Covered Entity.” In the event of an inconsistency between this Addendum and another term of the Agreement as it relates to PHI, this Addendum shall control.

2. Use and Disclosure.

Business Associate agrees not to use or disclose Customer PHI other than as permitted or required by this Addendum, the Agreement or as Required By Law. Business Associate shall comply with the provisions of this Addendum relating to privacy and security of PHI and that are applicable to Business Associates.

3. Appropriate Safeguards.

Business Associate agrees to use appropriate safeguards to prevent the use or disclosure of Customer PHI other than as provided for by this Addendum, the Agreement or as Required By Law. Without limiting the generality of the foregoing sentence, Business Associate will:

  (a) Implement administrative, organizational, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of Electronic Protected Health Information contained within Customer PHI (“Electronic Customer PHI”) as required by the Security Rule; and comply with the applicable requirements, policies, procedures and documentation requirements of the Security Rule.
  (b) Report to Covered Entity any Security Incident involving Electronic Customer PHI or involving systems in which Electronic Customer PHI is stored, maintained, or over which it is transmitted, of which Business Associate becomes aware. Any actual, successful Security Incident will be reported to Covered Entity in writing without unreasonable delay. With respect to attempted, unsuccessful Security Incidents, the parties acknowledge and agree that this Addendum constitutes notice by Business Associate to Covered Entity of the ongoing existence and occurrence or attempts of Unsuccessful Security Incidents for which no additional notice to Covered Entity shall be required. “Unsuccessful Security Incidents” means, without limitation, pings and other broadcast attacks on Business Associate’s firewall, port scans, unsuccessful log-on attempts, denial of service attacks, and any combination of the above, so long as no such incident results in unauthorized access, use, disclosure, modification or destruction of Electronic Customer PHI or interference with system operations in an information system that contains Electronic Customer PHI.
  (c) Notify Covered Entity following the discovery of a Breach of Unsecured PHI that is Customer PHI in accordance with 45 C.F.R. § 164.410 without unreasonable delay and in no event later than sixty (60) days (or within any shorter deadline imposed by applicable state law) after discovery of the Breach. The notice shall include the following information if known (or can be reasonably obtained) by Business Associate: (i) contact information for the individuals who were or who may have been impacted by the Breach (e.g., first and last name, mailing address, street address, phone number, email address); (ii) a brief description of the circumstances of the Breach, including the date of the Breach and date of discovery; (iii) a description of the types of Unsecured PHI involved in the Breach (e.g., names, social security numbers, dates of birth, addresses, account numbers of any type, and similar information); and (iv) a brief description of what the Business Associate has done or is doing to investigate the Breach and mitigate harm to the individuals impacted by the Breach. A Breach is considered “discovered” as of the first day on which the Breach is known, or reasonably should have been known, to Business Associate or any employee, officer or agent of Business Associate, other than the individual committing the Breach.
  (d) Report, without unreasonable delay, to Covered Entity any access, use or disclosure of Customer PHI by Business Associate or a third party to which Business Associate disclosed Customer PHI which is not permitted by this Addendum and of which Business Associate becomes aware.
  (e) Comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligations, to the extent that Business Associate carries out one or more of Covered Entity’s obligations under Subpart E of 45 C.F.R. Part 164.

4. Mitigation.

Business Associate agrees to take reasonable steps to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of Customer PHI by Business Associate in violation of the requirements of this Addendum (including, without limitation, any Security Incident or Breach of Unsecured PHI). Business Associate agrees to reasonably cooperate and coordinate with Covered Entity in the investigation of any violation of the requirements of this Addendum and/or any Security Incident or Breach. Business Associate shall also reasonably cooperate and coordinate with Covered Entity in the preparation of any reports or notices to the Individual, a regulatory body or any third party required to be made under HIPAA or any other federal or state laws, rules or regulations, provided that any such reports or notices shall be subject to the prior written approval of Covered Entity.

5. Minimum Necessary.

To the extent required by the “minimum necessary” requirements of HIPAA, Business Associate shall only request, use and disclose the minimum amount of Customer PHI necessary to accomplish the purpose of the request, use or disclosure.

6. Subcontractors.

Business Associate shall enter into a written agreement meeting the requirements of 45 C.F.R. §§ 164.504(e) and 164.314(a)(2) with each Subcontractor (including, without limitation, a Subcontractor that is an agent under applicable law) that creates, receives, maintains or transmits Customer PHI on behalf of Business Associate. Business Associate shall ensure that the written agreement with each Subcontractor obligates the Subcontractor to comply with restrictions and conditions that are at least as restrictive as the restrictions or conditions that apply to Business Associate through this Addendum with respect to such information.

7. Access to Designated Record Sets.

The parties do not expect that Business Associate will maintain Designated Record Sets. In the event, however, that Covered Entity requests and Business Associate agrees to maintain a Designated Record Set, Business Associate agrees to provide access, within thirty (30) days of a request by Covered Entity, and in the manner designated by the Covered Entity, to Customer PHI in a Designated Record Set created or received by Business Associate solely on behalf of Covered Entity only, to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements of the HIPAA Regulations. If an Individual makes a request for access to Customer PHI directly to Business Associate, Business Associate shall notify Covered Entity of the request within three (3) business days of such request. Covered Entity shall have the sole responsibility to make decisions regarding whether to approve a request for access to Customer PHI.

8. Amendments to Designated Record Sets.

The parties do not expect that Business Associate will maintain Designated Record Sets. In the event, however, that Covered Entity requests and Business Associate agrees to maintain a Designated Record Set, Business Associate agrees to provide information to Covered Entity for amendment and to incorporate any such amendment(s) to Customer PHI in a Designated Record Set that the Covered Entity directs or agrees to pursuant to the HIPAA Regulations within thirty (30) days of a request by Covered Entity, and in the manner designated by the Covered Entity. If an Individual makes a request for an amendment to Customer PHI directly to Business Associate, Business Associate shall notify Covered Entity of the request within three (3) business days of such request. Covered Entity will have the sole responsibility to make decisions regarding whether to approve a request for an amendment to Customer PHI.

9. Access to Books and Records.

Business Associate agrees to make its internal practices, books, and records relating to the use and disclosure of Covered Entity’s PHI received from, or created or received by Business Associate on behalf of, Covered Entity available to the Secretary for purposes of the Secretary determining Covered Entity’s and Business Associate’s compliance with the Privacy Rule.

10. Accountings.

Business Associate agrees to document disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with HIPAA. Business Associate agrees to, within thirty (30) days of request from Covered Entity, make available to Covered Entity such information as is in Business Associate’s possession and as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of Customer PHI in accordance with HIPAA. If Business Associate receives a request for an accounting for Customer PHI directly from an Individual, Business Associate shall forward such request to Covered Entity within ten (10) business days. Covered Entity shall have the sole responsibility to provide an accounting of such disclosures to an Individual.

11. Permitted Uses and Disclosures by Business Associate.

  (a) Services. Business Associate may use or disclose PHI to perform the Services, provided that such use or disclosure would not violate HIPAA if done by Covered Entity and except as expressly permitted in paragraphs (b)-(d) below.
  (b) Use for Administration of Business Associate. Business Associate may use Covered Entity’s PHI for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate. Covered Entity acknowledges and agrees that proper management and administration of Business Associate includes, without limitation, modifications of, upgrades to, and the development and/or addition of additional features and functionality for, the Services.
  (c) Disclosure for Administration of Business Associate. Business Associate may disclose Customer PHI for the proper management and administration of the Business Associate, provided that (i) disclosures are Required By Law, or (ii) Business Associate obtains reasonable written assurances from the third party to whom the information is disclosed that the third party will (1) protect the confidentiality of Customer PHI, (2) use or further disclose the Customer PHI only as Required By Law or for the purpose for which it was disclosed to the third party, and (3) notify the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.
  (d) Data Aggregation. Business Associate may use Customer PHI to provide Data Aggregation services relating to the Health Care Operations of Covered Entity if required or permitted under this Addendum or the Agreement.
  (e) De-Identified Information. Business Associate may use Customer PHI to create de-identified health information in accordance with the HIPAA de-identification requirements. Business Associate may use or disclose de-identified health information for any purpose permitted by law.
  (f) Authorization. Business Associate may present patients with a valid HIPAA Authorization to obtain patients’ authorizations for Business Associate to be able to use and disclose Customer PHI for the purposes set forth in the Authorization. If a patient has signed a valid HIPAA Authorization for Business Associate to retain such individual’s Customer PHI and use and disclose such PHI for the purposes set forth in the Authorization, then, notwithstanding anything in Section 14 of this Addendum, the parties agree that Business Associate will have no obligation to return or destroy such PHI upon the termination of the Agreement.

12. Obligations of Covered Entity.

  (a) Permissible Requests by Covered Entity. Covered Entity shall not request Business Associate to use or disclose Covered Entity’s PHI in any manner that would not be permissible under the Privacy Rule if done by Covered Entity.
  (b) Minimum Necessary PHI. Consistent with Business Associate’s mutual obligation in Section 5 of this Addendum, when Covered Entity discloses PHI to Business Associate, Covered Entity shall provide the minimum amount of PHI necessary for the accomplishment of Business Associate’s purpose.
  (c) Permissions; Restrictions. Covered Entity warrants and represents that it has obtained or will obtain any consents, authorizations and/or other legal permissions required under HIPAA and other applicable law for the disclosure of PHI to Business Associate. Covered Entity shall notify Business Associate of any changes in, or revocation of, the permission by an Individual to use or disclose his or her Covered Entity’s PHI, to the extent that such changes may affect Business Associate’s use or disclosure of PHI. Covered Entity shall not agree to any restriction on the use or disclosure of PHI under 45 C.F.R. § 164.522 that restricts Business Associate’s use or disclosure of Covered Entity’s PHI under this Addendum or the Agreement unless Business Associate grants its written consent.
  (d) Notice of Privacy Practices. Except as required by HIPAA or other applicable law, with Business Associate’s consent or as set forth in the Agreement, Covered Entity shall not include any limitation in the Covered Entity’s notice of privacy practices that limits Business Associate’s use or disclosure of Covered Entity’s PHI under this Addendum or the Agreement.

13. Termination Upon Breach.

Notwithstanding anything to the contrary in this Addendum or in the Agreement, either party (the “Non-Breaching Party”), upon knowledge of a material breach of this Addendum relating to Customer PHI by the other party (the “Breaching Party”), shall provide an opportunity for the Breaching Party to cure the breach or end the violation. If Breaching Party does not cure the breach or end the violation to the reasonable satisfaction of the Non-Breaching Party within thirty (30) days, the Non-Breaching Party may terminate: (a) this Addendum; (b) all of the provisions of the Agreement that involve the use or disclosure of Customer PHI; and (c) such other provisions, if any, of the Agreement as the Non-Breaching Party designates in its sole discretion.

14. Effect of Termination.

  (a) Return of PHI. Except as provided in paragraph (b) of this Section, upon termination of this Addendum or the Agreement, for any reason, Business Associate shall return or destroy, without unreasonable delay, all Customer PHI received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity. This provision shall apply to Customer PHI that is in the possession of subcontractors or agents of Business Associate.
  (b) Infeasibility. In the event that Business Associate determines in its sole reasonable discretion that returning or destroying the Customer PHI is infeasible, Business Associate shall extend the protections of this Addendum to such PHI and limit further uses and disclosures of Customer PHI to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains Customer PHI. Without limiting the generality of the foregoing, Covered Entity acknowledges and agrees that: (i) it is infeasible for Business Associate to delete Customer PHI from its backup tapes or other backup systems; and (ii) it is infeasible for Business Associate to delete all Customer PHI during an ongoing investigation in connection with a Security Incident or Breach of Unsecured PHI, and that temporarily retaining certain Customer PHI may be necessary for such investigation.

© 2025 Health Note Inc.