SHOEBOX® AUDIOMETRY BUSINESS ASSOCIATE ADDENDUM
Effective Date: May 25, 2018
This SHOEBOX® Audiometry Business Associate Addendum (“Addendum”) is an addendum to the Terms of Service (“Terms”) between you (hereinafter referred to as “Client” or “Covered Entity”) and Clearwater Clinical Limited (hereinafter referred to as “Clearwater” or “Business Associate”) for the for the SHOEBOX Audiometry hearing testing application and cloud service provided by Clearwater (“Service”). This Addendum applies to all users of the Service that are Covered Entities, as defined in the Health Insurance Portability and Accountability Act of 1996, as amended (“HIPAA”). Unless otherwise agreed by the parties in writing, if you are a Covered Entity or otherwise are covered by the HIPAA Rules, you are deemed to agree to the terms of this Addendum if you access the Service. This Addendum is incorporated into the Terms by reference and is effective as of the effective date of the Terms.
The following terms, if used in this Addendum, shall have the same meaning as those in the HIPAA Rules: Breach, Data Aggregation, Designated Record Set, Disclosure, Health Care Operations, Individual, Limited Data Set, Minimum Necessary, Notice of Privacy Practices, Required By Law, Secretary, Security Incident, Subcontractor, Unsecured Protected Health Information, and Use. In addition, the following definitions apply:
- Business Associate. “Business Associate” shall generally have the same meaning as the term “Business Associate” at 45 CFR 160.103, and in this Addendum shall mean Clearwater Clinical Limited.
- Covered Entity. “Covered Entity” shall generally have the same meaning as the term “covered entity” at 45 CFR 160.103, and in this Addendum shall mean Client.
- HIPAA Rules. “HIPAA Rules” shall mean the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Part 160 and Part 164.
- Protected Health Information. “Protected Health Information” or “PHI” shall have the same meaning as defined in 45 C.F.R. § 160.103, and is limited to the Protected Health Information received from, or received or created on behalf of, Client (for itself and/or its applicable Covered Entity customers) by Clearwater pursuant to performance of the Service.
II. Obligations and Activities of Business Associate
To the extent (if any) that Business Associate creates or receives any individually identifiable health information (“Protected Health Information” or “PHI”) as defined in the HIPAA Privacy Rule, on behalf of Covered Entity, Business Associate will maintain the privacy and security of the PHI as required by this Addendum and to the extent required by the HIPAA Rules. Where applicable, Business Associate agrees to:
- Not use or disclose PHI other than as permitted or required by the Terms or this Addendum or as required by law;
- Use appropriate safeguards for the protection of PHI, and comply with Subpart C of 45 CFR Part 164 with respect to electronic PHI, to prevent use or disclosure of PHI other than as provided for by the Terms;
- Report to Covered Entity any use or disclosure of PHI not provided for by the Terms of which it becomes aware, including breaches of unsecured PHI, as required by 45 CFR 164.410. Business Associate also shall report any Security Incident affecting Client’s PHI. Such reporting will occur as soon as feasible and without unreasonable delay but in no case more than ten business days after Business Associate becomes aware of the breach. Covered Entity acknowledges and agrees that, because Covered Entity controls the upload, download, use, transfer, processing and storage of information, including PHI, in connection with its use of the Service (“Client Content”), Business Associate does not know the nature of PHI contained in Covered Entity’s account(s), nor is it able to identify which individuals are identified in the PHI. As such, it is not feasible for Business Associate to provide information about the identities of any individuals who may have been affected by an impermissible use, disclosure or breach of PHI, nor is it feasible for Business Associate to provide a description of the type of information that may have been subject to an impermissible use, disclosure or breach of PHI. In the event of an impermissible use, disclosure or breach of PHI, Covered Entity will be responsible for identifying which individuals, if any, may have been included in the Client Content and for providing a description of the PHI disclosed;
- Ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of Business Associate agree to the restrictions, conditions, and requirements that apply to Business Associates under HIPAA with respect to such information;
- Within ten business days of a written request from Covered Entity, make any PHI in a designated record set (if one is maintained by Business Associate) available to the Covered Entity as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.524;
- Within ten business days of a written request from Covered Entity, make any amendment(s) to PHI in a designated record set (if one is maintained by Business Associate) as directed by the Covered Entity pursuant to 45 CFR 164.526;
- Maintain and, within ten business days of a written request from Covered Entity, make available the information required to provide an accounting of disclosures to the Covered Entity as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.528;
- To the extent (if any) that Business Associate is to carry out one or more of Covered Entity’s obligation(s) under the HIPAA Privacy Rule, comply with the requirements of the Privacy Rule that apply to the Covered Entity in the performance of such obligation(s); and,
- Make its internal practices, books, and records related to uses and disclosure of PHI available to the Secretary for purposes of determining the Covered Entity’s compliance with the HIPAA Rules. In the event that Business Associate is required to disclose such information to the Secretary, Business Associate will provide a copy of such disclosure to the Covered Entity within ten business days of its disclosure to the Secretary.
III. Permitted Uses, Disclosures and Reporting by Business Associate
- Business Associate may only use or disclose PHI as specified in this Addendum and as necessary to perform the Service in accordance with the Terms. Business Associate may use and disclose PHI as necessary to operate the Service, including but not limited to:
- Analytics to understand how Client (and other Covered Entities) and their provisioned users make use of the Service;
- Determination of how to make improvements to the Service, including the development of new or improved capabilities; and
- Identification of trends in audiological data
- Business Associate may use or disclose PHI as required by law.
- Business Associate agrees to make uses and disclosures and requests for PHI consistent with such minimum necessary policies and procedures as are required by HIPAA.
- Business Associate may perform Data Aggregation services in connection with the Service, and may use and disclose a Limited Data Set for research and Health Care Operations purposes consistent with the requirements of 45 CFR 164.514e1.
- Business Associate may not use or disclose PHI in a manner that would violate the HIPAA Privacy Rule if done by Covered Entity, except that Business Associate may use and disclose PHI for its own proper management and administration or to carry out its own legal responsibilities, provided that (1) any such disclosures are required by law, or (2) for any such disclosures Business Associate obtains reasonable assurances from the person to whom the information is disclosed that the information will remain confidential and be used or further disclosed only as required by law or for the purposes for which it was disclosed to the person, and the person agrees to notify Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.
IV. Obligations of Covered Entity
- Covered Entity warrants that it will have obtained any necessary authorizations, consents, and other permissions that may be required under applicable law prior to uploading Client Content to the Service.
- Covered Entity shall not agree to any restriction on the use or disclosure of PHI that is inconsistent with this Addendum or that would cause Clearwater to violate this Addendum or applicable law.
- Covered Entity shall not ask Business Associate to use or disclose PHI in any manner that would not be permissible under HIPAA or this Addendum.
V. Term and Termination
- Term. The Term of this Addendum ends upon termination or expiration of the Service or when Covered Entity terminates for cause as authorized in paragraph (b) of this Section, whichever is sooner.
- Termination for Cause. Business Associate authorizes termination of the Service, including the Addendum, by Covered Entity, if Covered Entity reasonably determines Business Associate has violated a material term of the Addendum and Business Associate has not cured the breach or ended the violation within ten business days of its receipt of a notice of violation. A termination of the Addendum will be deemed to be a termination of the Service.
- Obligations of Covered Entity Upon Expiration or Termination of the Service. Upon expiration or termination of the Service and consistent with the termination provisions of the Terms, Covered Entity, and not Business Associate, is responsible to obtain any Client Content necessary for Covered Entity to maintain after termination or expiration of the Service. In the event that Covered Entity requires a copy of the Client Content, Covered Entity must download a copy of the Client Content prior to the expiration or termination of the Service.
- Obligations of Business Associate Upon Expiration or Termination of the Service. Upon expiration or termination of the Service for any reason, Business Associate, with respect to PHI received from Covered Entity, or created, maintained, or received by Business Associate on behalf of Covered Entity, shall:
- Retain only the PHI that is necessary for Business Associate to continue its proper management and administration or to carry out its legal responsibilities, as permitted by law and this Addendum;
- Destroy, to the extent feasible, the remaining PHI that the Business Associate still maintains in any form;
- To the extent not feasible, continue to use appropriate safeguards and comply with the HIPAA Security Rule with respect to electronic PHI to prevent use or disclosure of the PHI, other than as provided for in this Addendum, for as long as Business Associate retains the PHI;
- Not use or disclose the PHI retained by Business Associate other than for the purposes for which such PHI was retained and subject to the same conditions set out herein which applied prior to termination; and,
- Return to Covered Entity or destroy the PHI retained by Business Associate when it is no longer needed by Business Associate for its proper management and administration or to carry out its legal responsibilities.
- Survival. The obligations of Business Associate under this paragraph shall survive the termination of the Addendum.
- Regulatory References. A reference in this Addendum to a section in the HIPAA Rules means the section as in effect or as amended.
- Amendment. Business Associate may amend this Addendum from time to time as is necessary for compliance with the requirements of the HIPAA Rules and any other applicable law. Business Associate will provide notice to Covered Entity of such changes and Covered Entity’s continued use of the Service after such notice is given will be deemed to indicate its acceptance of the amended Addendum.
- Interpretation. Any ambiguity in this Addendum shall be interpreted to permit compliance with the HIPAA Rules.
- No Third Party Beneficiaries. Nothing express or implied in this Addendum is intended to confer, nor shall anything herein confer, upon any person other than Covered Entity or Business Associate any rights, remedies, obligations or liabilities whatsoever.