SHOEBOX LTD. BUSINESS ASSOCIATE ADDENDUM
Last Revised: May 12, 2020
This SHOEBOX LTD. Business Associate Addendum (“Addendum”) is an addendum to the Terms of Service (“Terms”) between you (hereinafter referred to as “Customer” or “Covered Entity”) and SHOEBOX LTD. (hereinafter referred to as (“SHOEBOX” or “Business Associate”) for the SHOEBOX hearing testing and hearing screening products and services provided by SHOEBOX and defined in the Terms as “SHOEBOX Solutions and Services”. This Addendum applies to all users of the SHOEBOX Solutions and Services that are Covered Entities, as defined in the Health Insurance Portability and Accountability Act of 1996, as amended (“HIPAA”). Unless otherwise agreed by the parties in writing, if you are a Covered Entity or otherwise are covered by the HIPAA Rules, you are deemed to agree to the terms of this Addendum if you access the SHOEBOX Solutions and Services. This Addendum is incorporated into the Terms by reference and is effective as of the effective date of the Terms.
The following terms, if used in this Addendum, shall have the same meaning as those in the HIPAA Rules: Breach, Data Aggregation, Designated Record Set, Disclosure, Health Care Operations, Individual, Limited Data Set, Minimum Necessary, Notice of Privacy Practices, Required By Law, Secretary, Security Incident, Subcontractor, Unsecured Protected Health Information, and Use. In addition, the following definitions apply:
a. Business Associate. “Business Associate” shall generally have the same meaning as the term “Business Associate” at 45 CFR 160.103, and in this Addendum shall mean SHOEBOX Ltd.
b. Covered Entity. “Covered Entity” shall generally have the same meaning as the term “covered entity” at 45 CFR 160.103, and in this Addendum shall mean Customer.
c. HIPAA Rules. “HIPAA Rules” shall mean the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Part 160 and Part 164.
d. Protected Health Information. “Protected Health Information” or “PHI” shall have the same meaning as defined in 45 C.F.R. § 160.103, and is limited to the Protected Health Information received from, or received or created on behalf of, Customer (for itself and/or its applicable Covered Entity customers) by SHOEBOX pursuant to performance of the SHOEBOX Solutions and Services.
II. Obligations and Activities of Business Associate
To the extent (if any) that Business Associate creates or receives any individually identifiable health information (“Protected Health Information” or “PHI”) as defined in the HIPAA Privacy Rule, on behalf of Covered Entity, Business Associate will maintain the privacy and security of the PHI as required by this Addendum and to the extent required by the HIPAA Rules. Where applicable, Business Associate agrees to:
a. Not use or disclose PHI other than as permitted or required by the Terms or this Addendum or as required by law;
b. Use appropriate safeguards for the protection of PHI, and comply with Subpart C of 45 CFR Part 164 with respect to electronic PHI, to prevent use or disclosure of PHI other than as provided for by the Terms;
c. Report to Covered Entity any use or disclosure of PHI not provided for by the Terms of which it becomes aware, including breaches of unsecured PHI, as required by 45 CFR 164.410. Business Associate also shall report any Security Incident affecting Customer’s PHI. Such reporting will occur as soon as feasible and without unreasonable delay but in no case more than seventy-two (72) hours after Business Associate becomes aware of the breach. Covered Entity acknowledges and agrees that, because Covered Entity controls the upload, download, access to and use of information, including PHI, in connection with its use of the SHOEBOX Solutions (“ Content”), Business Associate does not know the nature of PHI, if any, contained in Covered Entity’s SHOEBOX organization within the SHOEBOX Data Management Portal, nor is it able to easily identify which individuals may be identified in the PHI. As such, it is not feasible for Business Associate to provide information about the identities of any individuals who may have been affected by an impermissible use, disclosure or breach of PHI. It is also not feasible for Business Associate to provide a description of the type of information that may have been subject to an impermissible use, disclosure or breach of PHI. In the event of an impermissible use, disclosure or breach of PHI, Covered Entity will be responsible for identifying which individuals, if any, may have been included in the impermissible use, disclosure or breach of PHI, for providing a description of the PHI used, disclosed or breach, and for contacting them about such impermissible use, disclosure or breach of PHI;
d. Ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of Business Associate agree to the restrictions, conditions, and requirements that apply to Business Associates under HIPAA with respect to such information;
e. Within ten business days of a written request from Covered Entity, make any PHI in a designated record set (if one is maintained by Business Associate) available to the Covered Entity as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.524;
f. Within ten business days of a written request from Covered Entity, make any amendment(s) to PHI in a designated record set (if one is maintained by Business Associate) as directed by the Covered Entity pursuant to 45 CFR 164.526;
g. Maintain and, within ten business days of a written request from Covered Entity, make available the information required to provide an accounting of disclosures to the Covered Entity as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.528;
h. To the extent, if any, that Business Associate is to carry out one or more of Covered Entity’s obligation(s) under the HIPAA Privacy Rule, comply with the requirements of the Privacy Rule that apply to the Covered Entity in the performance of such obligation(s); and,
i. Make its internal practices, books, and records related to uses and disclosure of PHI available to the Secretary for purposes of determining the Covered Entity’s compliance with the HIPAA Rules. In the event that Business Associate is required to disclose such information to the Secretary, Business Associate will provide a copy of such disclosure to the Covered Entity within ten business days of its disclosure to the Secretary.
III. Permitted Uses, Disclosures and Reporting by Business Associate
a. Business Associate may only use or disclose PHI as specified in this Addendum and as necessary to perform the Service in accordance with the Terms.
b. Business Associate may use or disclose PHI as required by law.
c. Business Associate agrees to make uses and disclosures and requests for PHI consistent with such minimum necessary policies and procedures as are required by HIPAA.
d. Business Associate may perform Data Aggregation services in connection with the Service, and may use and disclose a Limited Data Set for research and Health Care Operations purposes consistent with the requirements of 45 CFR 164.514e1.
e. Business Associate may collect, compile and analyze anonymous, aggregate and/or de-identified data derived from Business Associate’s access to and use of the SHOEBOX Solutions and Services, including PHI (“Compiled Data”). Business Associate employs an automated system to securely de-identify the data used to create the Compiled Data and then uses third party software to perform analytics on the Compiled Data.
Business Associate may use Compiled Data to:
- understand how its customers and their provisioned users access and use the SHOEBOX Solutions and Services;
- understand the results generated by its customers’ use of the SHOEBOX Solutions and Services;
- evaluate how the SHOEBOX Solutions and Services perform;
- perform analyses of the Compiled Data, including but not limited to, analysis of geographic data, demographic data, the number of hearing tests conducted, the number of hearing impairments found, and to identify trends in audiological data;
- determine how to make improvements to the SHOEBOX Solutions and Services and to develop new capabilities;
- investigate reported bugs in the SHOEBOX Solutions or Services and identify customers who may be affected by such bugs; and,
- conduct research, whether such research is conducted by SHOEBOX, its affiliates or partners.
f. Business Associate may not use or disclose PHI in a manner that would violate the HIPAA Privacy Rule if done by Covered Entity, except that Business Associate may use and disclose PHI for its own proper management and administration or to carry out its own legal responsibilities, provided that (1) any such disclosures are required by law, or (2) for any such disclosures Business Associate obtains reasonable assurances from the person to whom the information is disclosed that the information will remain confidential and be used or further disclosed only as required by law or for the purposes for which it was disclosed to the person, and the person agrees to notify Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.
IV. Obligations of Covered Entity
a. Covered Entity warrants that it will have obtained any necessary authorizations, consents, and other permissions that may be required under applicable law prior to uploading Content to the SHOEBOX Solutions and/or Services.
b. Covered Entity shall not agree to any restriction on the use or disclosure of PHI that is inconsistent with this Addendum or that would cause SHOEBOX to violate this Addendum or applicable law.
c. Covered Entity shall not ask Business Associate to use or disclose PHI in any manner that would not be permissible under HIPAA or this Addendum.
V. Term and Termination
a. Term. The Term of this Addendum ends upon termination or expiration of the SHOEBOX Solutions and Services or when Covered Entity terminates for cause as authorized in paragraph (b) of this Section, whichever is sooner.
b. Termination for Cause. Business Associate authorizes termination of the SHOEBOX Solutions and Services, including the Addendum, by Covered Entity, if Covered Entity reasonably determines Business Associate has violated a material term of the Addendum and Business Associate has not cured the breach or ended the violation within ten business days of its receipt of a notice of violation. A termination of the Addendum will be deemed to be a termination of the Service.
c. Obligations of Covered Entity Upon Expiration or Termination of the SHOEBOX Solutions and Services. Upon expiration or termination of the SHOEBOX Solutions and Services and consistent with the termination provisions of the Terms, Covered Entity, and not Business Associate, is responsible to obtain any Content necessary for Covered Entity to maintain after termination or expiration of the Service. In the event that Covered Entity requires a copy of the Content, Covered Entity must download a copy of the Content prior to the expiration or termination of the SHOEBOX Solutions and Services.
d. Obligations of Business Associate Upon Expiration or Termination of the SHOEBOX Solutions and Services. Upon expiration or termination of the SHOEBOX Solutions and Services for any reason, Business Associate, with respect to PHI received from Covered Entity, or created, maintained, or received by Business Associate on behalf of Covered Entity, shall:
i. Retain only the PHI that is necessary for Business Associate to continue its proper management and administration or to carry out its legal responsibilities, as permitted by law and this Addendum;
ii. Destroy, to the extent feasible, the remaining PHI that the Business Associate still maintains in any form;
iii. To the extent not feasible, continue to use appropriate safeguards and comply with the HIPAA Security Rule with respect to electronic PHI to prevent use or disclosure of the PHI, other than as provided for in this Addendum, for as long as Business Associate retains the PHI;
iv. Not use or disclose the PHI retained by Business Associate other than for the purposes for which such PHI was retained and subject to the same conditions set out herein which applied prior to termination; and,
v. Return to Covered Entity or destroy the PHI retained by Business Associate when it is no longer needed by Business Associate for its proper management and administration or to carry out its legal responsibilities.
e. Survival. The obligations of Business Associate under this paragraph shall survive the termination of the Addendum.
a. Regulatory References. A reference in this Addendum to a section in the HIPAA Rules means the section as in effect or as amended.
b. Amendment. Business Associate may amend this Addendum from time to time as is necessary for compliance with the requirements of the HIPAA Rules and any other applicable law. Business Associate will provide notice to Covered Entity of such changes and Covered Entity’s continued use of the Service after such notice is given will be deemed to indicate its acceptance of the amended Addendum.
c. Interpretation. Any ambiguity in this Addendum shall be interpreted to permit compliance with the HIPAA Rules.
d. No Third Party Beneficiaries. Nothing express or implied in this Addendum is intended to confer, nor shall anything herein confer, upon any person other than Covered Entity or Business Associate any rights, remedies, obligations or liabilities whatsoever.