This BUSINESS ASSOCIATE AGREEMENT (the "BAA") is made and entered into as of the date of acceptance by the Covered Entity ("Effective Date") by and between Bloo Inc., a Delaware corporation with its principal place of business at COMPANY ADDRESS ("Business Associate"), and the entity or organization accepting this agreement ("Covered Entity"). In this BAA, Covered Entity and Business Associate are each a "Party" and, collectively, are the "Parties".
- Covered Entity is either a "covered entity" or a "business associate" of a covered entity, as each is defined under the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, as amended by the HITECH Act and the related regulations promulgated by HHS (collectively, "HIPAA") and, as such, is required to comply with HIPAA's provisions regarding the confidentiality and privacy of Protected Health Information;
- The Parties have entered into or will enter into one or more agreements under which Business Associate provides certain specified services to Covered Entity through the Blue platform (collectively, the "Agreement");
- In providing services pursuant to the Agreement, Business Associate will have access to Protected Health Information;
- By providing the services pursuant to the Agreement, Business Associate will become a "business associate" of the Covered Entity as such term is defined under HIPAA;
- Both Parties are committed to complying with all federal and state laws governing the confidentiality and privacy of health information, including, but not limited to, the Standards for Privacy of Individually Identifiable Health Information found at 45 CFR Part 160 and Part 164, Subparts A and E (collectively, the "Privacy Rule"); and
- Both Parties intend to protect the privacy and provide for the security of Protected Health Information disclosed to Business Associate pursuant to the terms of this Agreement, HIPAA and other applicable laws.
NOW, THEREFORE, in consideration of the mutual covenants and conditions contained herein and the continued provision of PHI by Covered Entity to Business Associate under the Agreement in reliance on this BAA, the Parties agree as follows:
For purposes of this BAA, the Parties give the following meaning to each of the terms below. Any capitalized term used in this BAA, but not otherwise defined, has the meaning given to that term in the Privacy Rule or pertinent law.
1.1 HIPAA Terms as Defined in 45 CFR § 160.103:
- "Protected Health Information" or "PHI" means individually identifiable health information created, received, maintained, or transmitted by Business Associate on behalf of Covered Entity.
- "Covered Entity" has the meaning given to that term in 45 CFR §160.103.
- "Business Associate" has the meaning given to that term in 45 CFR §160.103.
- "Breach" means the acquisition, access, use, or disclosure of PHI in a manner not permitted under the Privacy Rule which compromises the security or privacy of the PHI, as defined in 45 CFR §164.402.
- "Designated Record Set" has the meaning given to such term under the Privacy Rule, including 45 CFR §164.501.
1.2 Additional Definitions:
- "Blue Services" means the project management and data storage services provided through https://www.blue.cc.
- "Electronic PHI" or "ePHI" means any PHI maintained in or transmitted by electronic media as defined in 45 CFR §160.103.
- "HHS" means the U.S. Department of Health and Human Services.
- "HITECH Act" means the Health Information Technology for Economic and Clinical Health Act, enacted as part of the American Recovery and Reinvestment Act of 2009, Public Law 111-005.
- "Individual" has the same meaning given to that term in 45 CFR §§164.501 and 160.130 and includes a person who qualifies as a personal representative in accordance with 45 CFR §164.502(g).
- "Security Incident" means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.
- "Security Rule" means the Security Standards for the Protection of Electronic Health Information provided in 45 CFR Part 160 & Part 164, Subparts A and C.
- "Unsecured Protected Health Information" or "Unsecured PHI" means any PHI that is not rendered unusable, unreadable or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the HHS Secretary.
2.1 Permitted Uses:
Business Associate may use or disclose PHI only as follows:
- Process PHI solely for: (a) patient data storage; (b) analytics for treatment/operations; and (c) other services specified in the Terms of Service
- As necessary to provide the services described in the Agreement to Covered Entity
- For the proper management and administration of Business Associate's business
- To carry out the legal responsibilities of Business Associate
- As required by law
2.2 Prohibited Uses and Disclosures:
Business Associate will not use or disclose PHI in a manner other than as provided in this BAA, as permitted under the Privacy Rule, or as required by law. Business Associate will use or disclose PHI, to the extent practicable, as a limited data set or limited to the minimum necessary amount of PHI to carry out the intended purpose of the use or disclosure, in accordance with Section 13405(b) of the HITECH Act.
2.3 Safeguards:
Business Associate will implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of PHI, including:
- AES-256 encryption at rest and in transit
- Role-based access controls (RBAC) with per-project permissions
- Audit controls tracking PHI access/modification
- Secure authentication using magic links via email (passwordless)
- Emergency access procedure documentation
- Such other safeguards as are necessary to prevent the use or disclosure of PHI other than as permitted by this BAA
3.1 Authorized Subcontractors:
Business Associate may use the following subcontractors in connection with services provided to Covered Entity:
- Cloudflare (Transit encryption)
- Amazon AWS (Storage encryption)
3.2 Requirements:
- Business Associate will ensure that any of its agents or subcontractors that have access to, or to which Business Associate provides, PHI agree in writing to the restrictions and conditions concerning uses and disclosures of PHI contained in this BAA
- Business Associate maintains BAAs with all subcontractors handling PHI
- Business Associate will provide 30-day notice for new subcontractors via email notification
- Business Associate shall ensure that all subcontracts and agreements provide the same level of privacy and security as this BAA
4.1 Breach Notification:
- Business Associate will report to Covered Entity in writing, within five business days of becoming aware of it, any use or disclosure of PHI not provided for by this BAA
- Business Associate will report breaches of unsecured PHI within 60 calendar days of discovery
- Business Associate will provide immediate preliminary notice if more than 500 individuals are affected
- Reports will identify affected individuals, describe the nature of the breach, outline mitigation steps taken, and provide contact procedures for affected parties
4.2 Security Incidents:
Business Associate agrees to report to Covered Entity, within five business days of becoming aware of it, any Security Incident affecting Electronic PHI of Covered Entity.
5.1 Minimum Necessary:
- Business Associate will implement policies to limit PHI access to the minimum necessary for the task at hand
- Business Associate will conduct quarterly access reviews by its security team
5.2 Individual Rights:
- Upon request, Business Associate will furnish Covered Entity with copies of the PHI maintained by Business Associate in a Designated Record Set to enable Covered Entity to respond to an Individual's request for access under 45 CFR §164.524
- Upon request and instruction from Covered Entity, Business Associate will amend PHI in a Designated Record Set as directed by Covered Entity in accordance with 45 CFR §164.526
- Business Associate will document disclosures of PHI as required for Covered Entity to respond to a request for an accounting of disclosures under 45 CFR §164.528
5.3 Disposal:
- Business Associate will implement secure deletion in accordance with NIST SP 800-88 media sanitization standards
- PHI destruction certificates will be made available on request
6.1 Term:
This BAA will become effective on the Effective Date, and will continue in effect until all obligations of the Parties have been met under the Agreement and under this BAA.
6.2 Termination for Cause:
- Covered Entity may immediately terminate this BAA and the Agreement if Covered Entity determines that Business Associate has breached a material term of this BAA and Business Associate has failed to cure that material breach within 30 days after written notice
- Business Associate may terminate this BAA and the Agreement if it determines that Covered Entity has breached a material term of this BAA and has failed to cure within 30 days after notice
6.3 Obligations upon Termination:
- Upon termination of the Agreement or this BAA for any reason, all PHI maintained by Business Associate will be returned to Covered Entity or destroyed
- Business Associate will not retain any copies of PHI unless return or destruction is infeasible
- Obligations related to PHI retained due to infeasibility will survive termination
- Full destruction certification will be provided within 180 days of termination when feasible
6.4 Survival:
The obligations of Business Associate under this Section shall survive the termination of this BAA.
7.1 Audit Rights:
- Covered Entity has the right to request annual third-party HIPAA audits
- Business Associate will make available its internal practices, books, agreements, records, and policies and procedures relating to the use and disclosure of PHI upon request to HHS for purposes of determining compliance
- Business Associate will cooperate with HHS audit requirements
7.2 Conflict:
- HIPAA requirements prevail over conflicting terms in this BAA or the Agreement
- In the event of any conflict between the terms of this BAA and the terms of the Agreement, the terms of this BAA will govern
7.3 Amendments:
- This BAA may not be modified, nor will any provision be waived or amended, except in writing duly signed by authorized representatives of the Parties
- Amendments may be required for changes in HIPAA rules or regulations
7.4 HITECH Act Compliance:
The Parties acknowledge that the HITECH Act includes significant changes to HIPAA requirements. Each Party agrees to comply with the applicable provisions of the HITECH Act and any HHS regulations issued with respect to the HITECH Act.
7.5 Data Ownership:
Business Associate's data stewardship does not confer data ownership rights on Business Associate with respect to any data shared with it under the Agreement, including any and all forms of PHI.
7.6 No Third-Party Beneficiaries:
Except as expressly stated in this BAA or as provided by law, this BAA will not create any rights in favor of any third party.
7.7 Notices:
All notices, requests, demands, and other communications to be given under this BAA to a Party will be made via first class mail, registered or certified mail, express courier, or electronic mail to the Party's address provided during account registration or subsequently updated in writing.
IN WITNESS WHEREOF, the Parties acknowledge their agreement to the terms above through the Covered Entity's acceptance of these terms during account creation or through continued use of the Blue Services after notification of these terms.