Business Associate Agreement

This Business Associate Agreement (“BAA”) is entered into by and between DataMotion, Inc. (“DataMotion”, or “Business Associate”) and You as an Authorized User of DataMotion HISP services.

Recitals

WHEREAS, You are a Covered Entity for purposes of the Federal Privacy and Security Regulations at 45 C.F.R. Parts 160 and 164 promulgated pursuant to the Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, and the Health Information Technology for Economic and Clinical Health Act (HITECH), Title XIII of Division A, Title IV of Division B, Pub. L. No. 111-5, collectively “HIPAA”; and

WHEREAS, DataMotion provides DataMotion Health Information Service Provider (“HISP” or “Services”) which enables secure electronic communication for You at your sole discretion as fully described in Exhibit A; and

WHEREAS, Services are made available to You for your day-to-day business communications which may involve the use and/or disclosure of Electronic Protected Health Information (“ePHI”); and

NOW, THEREFORE, in consideration of the mutual covenants, terms and conditions herein contained, the parties hereto agree as follows:

  1. Definitions

    1. Various terms used in this BAA shall have the same meaning as set forth in HIPAA.
    2. “Breach” shall mean the acquisition, access, use, or disclosure of PHI in a manner not permitted under 45 C.F.R. Part 164, Subpart E (the “HIPAA Privacy Rule”) which compromises the security or privacy of PHI. “Breach” shall not include:
      1. Any unintentional acquisition, access, or use of PHI by a workforce member or person acting under authority, if such acquisition, access, or use was made in good faith and within the scope of authority and does not result in further use or disclosure in a manner not permitted under the HIPAA Privacy Rule; or
      2. Any inadvertent disclosure by You or Business Associate to another person authorized to access PHI, or Organized Health Care Arrangement in which You may participate, if any, and the information received as a result of such disclosure is not further used or disclosed in a manner not permitted under the HIPAA Privacy Rule; or
      3. A disclosure of PHI where You or Business Associate have a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.
    3. “Tracking Information” shall mean information about a communication or electronic mail sent by You using the Services and consists of Your email address, date and time the communication or email was created by You, date and time it was delivered to recipient, recipient email address, IP address of sender and recipient if available, and message byte size.

  2. Obligation of Business Associate

    1. HIPAA Requirements

      Business Associate agrees to protect the confidentiality of ePHI by implementing commercially acceptable encryption technology and access controls and comply with state and federal laws, including HIPAA, governing the confidentiality of ePHI.  Business Associate acknowledges that sections of the HIPAA Privacy Rule and the HIPAA Security Rule and the additional requirements of Title XIII of the HITECH Act may apply directly to Business Associate as they apply to You and Business Associate agrees to comply with such rules and regulations as applicable.

    2. Use of ePHI 

      Business Associate agrees to not use or disclose ePHI other than as permitted or required by this BAA or as required by law. Business Associate agrees that it acquires no title or rights to the ePHI as a result of this BAA.

    3. Safeguards

      Business Associate agrees to use appropriate safeguards such as encryption and access controls to prevent use or disclosure of the ePHI other than as provided for by this BAA.

    4. Mitigation

      Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of ePHI directly attributable to Business Associate in violation of the requirements of this BAA.

    5. Reporting

      Business Associate agrees to immediately report to You any use or disclosure of ePHI not provided for by this BAA of which it becomes aware even when such unauthorized use or disclosure is not directly attributable to any violation of this BAA by Business Associate. Business Associate shall notify You within 5 days following the discovery of a suspected or actual Breach of Unsecured PHI resulting from Business Associate’s violation of the terms of this BAA.

    6. Agents and Subcontractors

      Business Associate agrees to require that any agent, including a subcontractor, which creates, receives, maintains, or transmits ePHI on behalf of You agrees in writing to the same restrictions and conditions that apply through this BAA to Business Associate with respect to such information. For the purpose of this BAA, “Business Associate” shall include DataMotion Inc. and its agents or subcontractors as applicable.

    7. Access

      Business Associate agrees to make relevant internal practices, books and records including policies and procedures relating to the use and disclosure of ePHI received from, or received on behalf of, You available within five (5) working days of receipt of request from You or to the Secretary in a time and manner designated by the Secretary. 

    8. Disclosure Documentation

      Business Associate agrees to document unauthorized disclosures of ePHI resulting from Business Associate’s violation of the terms of this BAA and any information known to Business Associate related to such disclosures requested by You. DataMotion CANNOT read or decipher the encrypted communication and cannot identify any individual ePHI for any Reporting purposes or for the purposes of Disclosure Documentation in accordance with 45 CFR § 164.528.

    9. Security Incident

      Business Associate shall report to You any security incident directly attributable to Business Associate of which it becomes aware within five (5) business days.

    10. Prohibition on Sale of PHI

      Business Associate agrees to comply with the prohibition of sale of PHI without authorization unless an exception under 45 C.F.R. § 164.508 applies.

    11. Minimum Necessary Use and Disclosure

      In conducting functions and/or activities under this BAA that involve the use and/or disclosure of PHI, Business Associate shall limit the use and/or disclosure of PHI to the minimum amount of information necessary as determined by You to accomplish the intended purpose of the use or disclosure, as required by 45 C.F.R. 164.502(b).

  3. Permitted Uses and Disclosures by Business Associate

    1. Service BAA

      Except as otherwise limited in this BAA, Business Associate may use or disclose ePHI to perform functions, activities, or services for, or on behalf of, You as specified in the Service BAA.

    2. Specific Use and Disclosure Provisions

      1. Except as otherwise limited in this BAA, Business Associate may use and disclose ePHI for the proper management and administration of the Business Associate or to meet its legal responsibilities.

      2. Business Associate may use and disclose ePHI to report violations of law to appropriate Federal and State authorities, consistent with 45 C.F.R. § 164.502(j)(1).

      3. De-Identification. Business Associate is not authorized to use ePHI to de-identify the information in accordance with 45 CFR 164.514(a)-(c).

    3. Other Permitted Usage

      Business Associate shall not use any ePHI for any purposes other than for provisioning its Services as a communication conduit.

  4. Your Obligations as Covered Entity

    1. Change in right to use ePHI

      You shall notify Business Associate of any changes in, or revocation of, permission to use or disclose ePHI, to the extent that such changes may affect Business Associate’s use and disclosure of ePHI.

    2. Change in Restrictions Regarding ePHI

      You shall notify Business Associate of any restriction to the use or disclosure of ePHI in accordance with 45 CFR §164.522, to the extent that such restrictions may affect Business Associate’s use or disclosure of ePHI.  Business Associate will implement similar restrictions as required by the Privacy Rule.

    3. Usage of Services.

      You agree, represent, and warrant the following, and shall be solely responsible for any and all consequences of any Breach or other misuses of data or the Services as a result of any failure to ensure the following and, notwithstanding any provision or limitation in this BAA to the contrary, shall indemnify and hold Business Associate harmless against any consequences thereof:

      1. You shall not disclose or permit unauthorized access to Services using Your access credentials (user ID and password);
      2. No recipients of messages sent from You shall disclose or permit unauthorized access to Services using access credentials (user ID and password);
      3. You shall ensure that You do not misspell either Your own email address or Your recipients’ email addresses, which would result in the delivery of information through the Services to unauthorized person(s), and such delivery cannot be restricted by Business Associate.
      4. You shall not include any ePHI (such as date of birth, Social Security Number, etc.) in the Subject line of the email message sent through Services, as the Subject line is not encrypted.
      5. You shall not communicate with, or transmit to, Business Associate any ePHI or PHI in any other manner except by use of DataMotion HISP Services. Such communication or transmission shall be considered a Breach by You and the PHI or ePHI cannot be protected by Business Associate.

    4. Mitigation

      You agree to mitigate, to the extent practicable, any harmful effect that is known to You of a use or disclosure of ePHI by You or Your Users or Your recipients in violation of the requirements of this BAA and as more particularly specified in 4.c) above.

    5. Reporting

      1. You agree to immediately report to Business Associate any disclosure of the ePHI related to Business Associate Services including those specified in 4.c) above of which it becomes aware. Such reporting may, but is not guaranteed to, allow Business Associate to take steps to control further disclosure.
      2. You shall notify Business Associate within 5 days following the discovery of a suspected or actual Breach of Unsecured ePHI related to Business Associate Services including those specified in 4.c) above. Such reporting may, but is not guaranteed to, allow Business Associate to take steps to control further disclosure. You shall hold Business Associate harmless and indemnify Business Associate against any and all claims as a result of Breach not caused by Business Associate.
    6. Safeguards

      You agree to use all appropriate safeguards including safeguards to prevent use or disclosure of the Services access credentials (User ID and password).

    7. Security Incident

      You shall report to Business Associate any security incident related to Services of which You become aware within five (5) business days. Such reporting may, but is not guaranteed to, allow Business Associate to take steps to control impact of security incident.

  5. Permissible Requests by You as Covered Entity

    You shall not request Business Associate to use or disclose ePHI in any manner that would not be permissible under the Privacy Rule.  A written request from You will be necessary for Business Associate to disclose ePHI to a third party.  For purposes of this BAA,  You sending an electronic message containing ePHI through the Services shall be deemed authorization to deliver that electronic message to the recipient designated by You.

  6. Term and Termination

    1. Term

      This BAA will begin on the Effective Date, and shall terminate when all of the ePHI provided by You to Business Associate, or received by Business Associate on behalf of You, is destroyed, or if it is infeasible to destroy ePHI, protections are extended to such information, in accordance with the termination provisions of this Section 6.

    2. Termination for Cause

      In case of a material Breach of this BAA directly attributable to Business Associate, You shall provide not less than thirty (30) days written notice of intent to terminate the BAA if Business Associate does not cure such material Breach no later than the end of the written notice period.  If Business Associate does not cure the Breach within such time, then You may immediately terminate this BAA. If neither termination nor cure is feasible, You shall report the violation to the Secretary.

    3. Upon Business Associate’s knowledge of a material Breach by You including Breach of Section 4.c) above Business Associate shall provide not less than thirty (30) days written notice of its intent to terminate the BAA if You do not cure such material Breach no later than the end of the written notice period.  If You do not cure the Breach within such time, then Business Associate may, in its sole discretion, immediately terminate this BAA.  If neither termination nor cure is feasible, You shall have a fiduciary responsibility to report Breach to the Secretary.

    4. Effect of Termination

      Upon termination of this BAA for any reason, Business Associate shall destroy all ePHI received from You, or received on Your behalf.  Business Associate shall provide You with appropriate evidence of destruction. Business Associate shall retain no copies of the ePHI.

    5. In the event this BAA is terminated for any reason, the provision of Services will also terminate at the same time.

  7. Miscellaneous

    1. Regulatory References

      Any reference in this BAA to a section in the HIPAA Rules means the section as in effect or as amended.

    2. Indemnification

      Business Associate will indemnify, hold harmless and defend You from and against any and all claims, losses, liabilities, costs, and other expenses to the extent incurred as a result or arising directly out of or in connection with (a) any misrepresentation, breach or non-fulfillment of any undertaking directly attributable to Business Associate under this BAA; (b) any claims, demands, awards, judgments, actions and proceedings made by any person or organization, directly attributable to any violation by Business Associate of its obligations under this BAA; and (c) any enforcement or other action directly attributable to any violation by Business Associate of its obligations under this BAA; provided, however, that Business Associate has no responsibility to indemnify You if the claims, losses, liabilities, costs, or other expenses were caused by any party other than Business Associate or its contractors/agents.

    3. You will indemnify, hold harmless and defend Business Associate from and against any and all claims, losses, liabilities, costs, and other expenses incurred as a result or arising directly out of or in connection with (a) any misrepresentation, breach or non-fulfillment of any undertaking by You or any party other than Business Associate under this BAA; (b) any claims, demands, awards, judgments, actions and proceedings made by any person or organization, arising out of or in any way not connected with Business Associate’s obligations under this BAA; and (c) any enforcement or other action arising from obligations of You or any party other than Business Associate under this BAA; provided, however, that You have no responsibility to indemnify Business Associate to the extent the claims, losses, liabilities, costs, or other expenses were caused by Business Associate.

    4. Survival

      The respective rights and obligations of Business Associate and You under Sections 6(c) and 7(b) shall survive the termination of this BAA.

    5. Interpretation; Conflict

      Any ambiguity in this BAA shall be resolved to permit compliance with the HIPAA Rules amended from time to time.  In addition, to the extent this BAA, only as it relates to the HIPAA Rules and ePHI, is inconsistent with the provision of Services, the terms of this BAA shall govern.  To the extent provision of Services conflicts with the terms of this BAA unrelated to the HIPAA Rules and ePHI, the provision of Services shall govern.  All provision of Services not in conflict with this BAA remain in full force and effect.

    6. No Third-Party Beneficiaries

      This BAA is entered into by You and Business Associate solely for their benefits. The Parties have not created or established any third-party beneficiary status or rights in any person or entity not a party hereto including, but not limited to, any individual, provider, subcontractor, or other third-party, and no such third-party will have any right to enforce or enjoy any benefit created or established under this BAA.

    7. Force Majeure

      The obligations of any party under this BAA will be suspended for the duration of any force majeure applicable to that party.  The term “force majeure” means any cause not reasonably within the control of the party claiming suspension, including, without limitation, an act of God, industrial disturbance, war, riot, civil commotion, weather-related disaster, earthquake and governmental action.  The party claiming suspension under this Section will take reasonable steps to resume performance as soon as possible without incurring unreasonably excessive costs.

    8. Entire BAA; Amendments; Facsimile

      This BAA including any riders, attachments or amendments hereto, constitutes the entire agreement among the parties with respect to the Privacy Rule.  This BAA supersedes any prior agreement or understandings pertaining to the services provided hereunder, whether oral or written. Business Associate reserves the right to amend the terms of the BAA as deemed necessary to comply with any changes or amendments to applicable laws, rules and regulations from time to time.

    9. Governing Law

      This BAA shall be governed and construed under the Federal laws and shall have jurisdiction in the State of New Jersey.

    10. Assignment and Delegation

      No Party may assign its rights or duties under this BAA without the prior written consent of the other which shall not be unreasonably withheld.

    11. Waiver

      A waiver of a breach or default under this BAA is not a waiver of any other or subsequent breach or default.  A failure or delay in enforcing compliance with any term or condition of this BAA does not constitute a waiver of such term or condition unless it is expressly waived in writing.


Exhibit A

DataMotion Services enable pass-through secure electronic communication between You and Your recipient(s) at the sole discretion of the User.

DataMotion Services are fully described as follows:

  1. DataMotion Services are a pass-through service as an electronic conduit. In utilizing the Services, You send an encrypted email to a recipient solely identified by You by specifying recipient’s email address. In other words, DataMotion Services enables a secure conduit for electronic mail at Your sole discretion.
  2. DataMotion has no means to access, read or process contents of the encrypted email You sent using the Service and has no knowledge whether the contents of the encrypted email contain ePHI or any other sensitive information.
  3. DataMotion Services do not receive any unencrypted ePHI; do not create any ePHI; do not process any ePHI; do not use any ePHI; and do not disclose any ePHI. DataMotion Services do not store any unencrypted data and are not capable of storing any unencrypted data, whether it is ePHI or not.
  4. DataMotion Services cannot identify any Individual who may be the owner of any ePHI that You communicated using the Services.
  5. You are not required to disclose, and shall not disclose, to DataMotion any contents of the encrypted email while utilizing the Service. You shall not communicate with or transmit to DataMotion any ePHI in any manner other than by use of the DataMotion Services. DataMotion cannot obtain or otherwise acquire any unencrypted or unsecured ePHI or other sensitive information and is not a recipient of such information.
  6. Delivery of the encrypted email by DataMotion Services is exclusively and solely governed by the recipient’s email address as specified by You. You are solely responsible for any typing or spelling errors while specifying the recipient’s email address.
  7. DataMotion Services are solely utilized by You at your sole discretion. You are solely and exclusively responsible for protecting your confidential and secure access to the Services (ID and password). If You breach this confidentiality, DataMotion cannot provide any protection against any breach or violation of ePHI whatsoever.
  8. Your communication passing through the Services automatically expires after 30 days and is purged from the system. In addition, You may delete a communication at any time prior to its expiration. Such deleted communication is also purged from the system. Any deleted or expired and purged communication cannot be recovered in any manner whatsoever and is permanently lost.  You are solely responsible for ensuring any information contained in such communications is appropriately handled, stored or archived independent of DataMotion Services, and DataMotion shall have no obligation or liability for the retrieval of such communications.