Purpose: Business Associate provides a cloud backup and recovery service known as Backup Space for Google Workspace. In the course of providing these services (“Services”) to Covered Entity, Business Associate may create, receive, maintain, or transmit Protected Health Information on behalf of Covered Entity. The Parties enter into this Agreement to ensure compliance with the Health Insurance Portability and Accountability Act of 1996 and its regulations, as amended, including the HITECH Act (collectively, "HIPAA"), and to safeguard the privacy and security of Protected Health Information (“PHI”) in accordance with HIPAA requirements.
NOW, THEREFORE, in consideration of the mutual promises and agreements below and other good and valuable consideration, the Parties agree as follows:
I. Term
This Agreement shall commence on the Effective Date and shall remain in effect for the duration that Business Associate provides the Backup Space Services to Covered Entity, and until all PHI provided to Business Associate is returned or destroyed pursuant to Section VI below. Covered Entity may terminate this Agreement for cause as set forth herein (see Section V).
II. Permitted Uses and Disclosures by Business Associate
Except as otherwise limited in this Agreement or by law, Business Associate is permitted to use and disclose PHI received from or created on behalf of Covered Entity only as follows:
- Service Provision: To use or disclose PHI as necessary to perform the Backup Space Services for Covered Entity, provided that such use or disclosure would not violate HIPAA if done by Covered Entity. This includes uses or disclosures necessary for data backup, storage, and recovery operations on Google Workspace data that may contain PHI.
- Management and Administration: To use PHI for the proper management and administration of Business Associate and to carry out Business Associate’s legal responsibilities. Disclosure of PHI for Business Associate’s management or administration is permitted only if required by law, or if Business Associate obtains reasonable assurances from the recipient that the PHI will remain confidential and be used or further disclosed only as required by law or for the purpose for which it was disclosed, and the recipient notifies Business Associate of any instances of breach of confidentiality.
- De-Identification: To use PHI to create de-identified information in accordance with 45 C.F.R. § 164.514(b). Once PHI is de-identified in compliance with HIPAA standards, it is no longer considered PHI and may be used or disclosed by Business Associate for any lawful purposes.
- As Required by Law: To use or disclose PHI to the extent Required by Law (as defined by HIPAA). In any case where disclosure is required by law, Business Associate shall disclose only the minimum necessary PHI to comply with the law.
Business Associate shall not use or disclose PHI in any manner that is not permitted by this Agreement or that would violate the HIPAA Privacy Rule if done by Covered Entity. All uses and disclosures of PHI not expressly authorized by this Agreement or by HIPAA are prohibited.
III. Obligations of Business Associate
In handling PHI on behalf of Covered Entity, Business Associate agrees to the following obligations, in accordance with HIPAA and applicable regulations:
a) Compliance with HITECH and Security Rule: Business Associate acknowledges that the provisions of the HITECH Act and the HIPAA Security Standards (45 C.F.R. §§ 164.308, 164.310, 164.312, 164.316) apply to it in the same manner as they apply to Covered Entity. Business Associate shall comply with the applicable requirements of the HIPAA Security Rule for protecting Electronic PHI. Business Associate will implement and use appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of Electronic PHI, and to prevent any use or disclosure of PHI other than as permitted by this Agreement.
b) No Unauthorized Use or Disclosure: Business Associate shall not use or further disclose PHI other than as permitted or required by this Agreement or as Required by Law. Business Associate shall not use or disclose PHI in a manner that would violate the HIPAA Privacy Rule if done by Covered Entity (except as specifically allowed for Business Associate under this Agreement).
c) Minimum Necessary: Business Associate agrees to request, use, and disclose only the minimum necessary PHI required to accomplish the intended purpose of any permitted use or disclosure, in accordance with 45 C.F.R. §§ 164.502(b) and 164.514(d).
d) Reporting of Improper Use or Breach: Business Associate shall promptly report to Covered Entity any use or disclosure of PHI not permitted by this Agreement of which it becomes aware, including any Security Incident or any Breach of Unsecured PHI as those terms are defined by HIPAA. Such report shall be made without unreasonable delay and in no case later than [X] days after discovery of the improper use/disclosure or Breach. The report shall include, to the extent known, the identification of each individual whose PHI was affected and any other information required under 45 C.F.R. § 164.410 to enable Covered Entity to comply with its breach notification obligations. (For purposes of this Agreement, “Breach” and “Unsecured PHI” have the meanings set forth in 45 C.F.R. § 164.402.)
e) Mitigation: Business Associate shall mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of this Agreement or applicable law.
f) Subcontractors and Agents: Business Associate shall ensure that any subcontractors or agents that create, receive, maintain, or transmit PHI on behalf of Business Associate agree in writing to the same restrictions, conditions, and requirements that apply to Business Associate under this Agreement. Business Associate shall obtain satisfactory assurances that any such subcontractor or agent will safeguard the PHI to at least the same extent as required of Business Associate herein. Business Associate remains responsible for any acts or omissions of its subcontractors or agents that would constitute a breach of this Agreement if committed by Business Associate.
g) Access to PHI: To the extent that PHI in Business Associate’s possession constitutes a Designated Record Set (as defined in 45 C.F.R. §164.501), Business Associate shall make such PHI available to Covered Entity as necessary to allow Covered Entity to fulfill its obligations under 45 C.F.R. §164.524 (Access of Individuals to PHI). If an individual directs a request for access to PHI held by Business Associate directly to Business Associate, Business Associate shall promptly forward the request to Covered Entity. Business Associate shall not deny an individual access to their PHI; all such determinations shall be made by Covered Entity.
h) Amendment of PHI: In accordance with 45 C.F.R. §164.526, Business Associate shall incorporate any amendments or corrections to PHI in a Designated Record Set that Covered Entity directs or agrees to pursuant to the Privacy Rule. If an individual requests an amendment of PHI directly from Business Associate, Business Associate shall promptly forward the request to Covered Entity for determination. Business Associate shall make PHI available for amendment and incorporate any approved amendments as instructed by Covered Entity.
i) Accounting of Disclosures: Business Associate shall document all disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request for an accounting of disclosures in accordance with 45 C.F.R. §164.528. Upon request, Business Associate shall provide to Covered Entity an accounting of PHI disclosures made by Business Associate or its agents or subcontractors over the preceding six (6) years (or such shorter time as Covered Entity may request). The accounting shall include the date of each disclosure, the name and address (if known) of the entity or person who received the PHI, a brief description of the PHI disclosed, and a brief statement of the purpose of the disclosure or a copy of the request for disclosure, if any, as required by 45 C.F.R. §164.528.
j) Access to Internal Practices: Upon request, Business Associate shall make its internal practices, books, and records relating to the use or disclosure of PHI received from (or created or received on behalf of) Covered Entity available to the Secretary of the U.S. Department of Health and Human Services (HHS) for purposes of determining Covered Entity’s compliance with HIPAA. Business Associate shall notify Covered Entity of any such request and shall provide Covered Entity with a copy of any PHI or other information that Business Associate provides to the Secretary.
k) Compliance and Cooperation: Business Associate agrees to take any action and execute any agreements or amendments necessary to ensure compliance with the requirements of HIPAA. This includes cooperating with Covered Entity to amend this Agreement as needed pursuant to Section IX (Amendment) below and to execute any additional business associate agreements that may be required by law or regulation.
IV. Obligations of Covered Entity
Covered Entity agrees to:
- Notice of Privacy Practices: Provide Business Associate with any applicable limitations in Covered Entity’s Notice of Privacy Practices, to the extent that such limitations affect Business Associate’s permitted use or disclosure of PHI. Covered Entity will also notify Business Associate of any changes to, or revocation of, authorization by an individual to use or disclose PHI, if such changes affect Business Associate’s obligations.
- Restrictions on PHI Use/Disclosure: Notify Business Associate of any restriction on the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 C.F.R. §164.522 (for example, if an individual has requested a restriction on certain disclosures of PHI) to the extent that such restriction may affect Business Associate’s use or disclosure of PHI.
- Permissible Requests: Not request or require Business Associate to use or disclose PHI in any manner that would not be permissible under HIPAA if done by Covered Entity. Covered Entity shall not direct Business Associate to disclose more than the minimum necessary PHI for any given task or purpose.
- Mitigation and Cooperation: In the event of any use or disclosure of PHI in violation of this Agreement by Business Associate of which Covered Entity becomes aware, Covered Entity will cooperate with Business Associate’s efforts to mitigate any harmful effects and will assist in any required notifications or other remedial actions as reasonably requested.
V. Termination for Breach
a. Termination Rights: If Covered Entity determines that Business Associate has violated or breached a material term of this Agreement, Covered Entity may terminate this Agreement immediately upon written notice to Business Associate. Alternatively, Covered Entity may choose to provide written notice of the breach to Business Associate with a reasonable opportunity to cure the breach (not to exceed thirty (30) days, or a shorter period as specified by Covered Entity). If Business Associate fails to cure the breach within the provided time, Covered Entity may terminate this Agreement and any underlying services agreement for cause.
b. Cessation of PHI Disclosure: In addition to termination rights, if Covered Entity reasonably determines that Business Associate has breached a material obligation under this Agreement, Covered Entity may immediately suspend further disclosures of PHI to Business Associate until the breach is remedied.
c. Reporting to Authorities: If termination of this Agreement is not feasible, and/or if despite breach Business Associate’s services are still required by Covered Entity, Covered Entity shall report the violation to the Secretary of HHS as required by 45 C.F.R. §164.504(e)(1)(ii). Business Associate acknowledges that in such case Covered Entity has the obligation to report the breach to HHS.
VI. Return or Destruction of PHI upon Termination
Upon termination or expiration of this Agreement for any reason, Business Associate shall return to Covered Entity or destroy all PHI received from Covered Entity, or created, maintained, or received by Business Associate on behalf of Covered Entity, that Business Associate still maintains in any form. Business Associate shall not retain any copies of such PHI except as required by law or as provided below.
If Covered Entity requests destruction of PHI, Business Associate shall certify such destruction in writing. If return or destruction of PHI is determined by Business Associate to be infeasible, Business Associate must provide to Covered Entity written notification of the conditions that make return or destruction infeasible. In such event, Business Associate shall extend the protections of this Agreement to the retained PHI and will limit further uses and disclosures of the retained PHI to those purposes that make return or destruction infeasible, for as long as Business Associate maintains such PHI. Any retained PHI shall be maintained in accordance with the security and privacy requirements of this Agreement, and this duty shall survive termination of the Agreement.
VII. No Third Party Beneficiaries
Nothing in this Agreement is intended to confer any rights, remedies, obligations, or liabilities upon any person or entity other than the Parties hereto and their respective successors or assigns. There are no third party beneficiaries to this Agreement.
VIII. De-Identified Data
Notwithstanding any other provision of this Agreement, Business Associate may use or disclose information that has been de-identified in accordance with 45 C.F.R. §164.514, provided that the de-identified information does not include any key, code, or other means that could be used to re-identify the information. Use or disclosure of de-identified data is not restricted by this Agreement, as de-identified data is not PHI.
IX. Amendment
The Parties agree to take such action as is necessary to amend this Agreement from time to time as needed for compliance with the requirements of HIPAA and any other applicable law or regulation concerning the privacy and security of PHI. Any amendment to this Agreement must be in writing and signed by both Parties. If a change in law or regulations affects the obligations of the Parties under this Agreement, the Parties shall negotiate in good faith to amend this Agreement to comply with the change in law.
X. Definitions
Capitalized Terms: All capitalized terms used but not otherwise defined in this Agreement shall have the same meanings as set forth in HIPAA, including 45 C.F.R. §§ 160.103, 164.304, 164.501, and 164.502, and the HIPAA Rules. This includes, but is not limited to, terms such as Protected Health Information, Breach, Unsecured Protected Health Information, Disclosure, Use, Privacy Rule, Security Rule, Covered Entity, Business Associate, Secretary, and Required by Law. In the event of an inconsistency between the definitions in this Agreement and the definitions under HIPAA, the HIPAA definitions shall govern.
XI. Survival
The obligations of Business Associate under this Agreement shall survive the termination or expiration of this Agreement for so long as Business Associate retains any PHI received from Covered Entity, or created or received on behalf of Covered Entity, and until all PHI is returned or destroyed in accordance with Section VI above. Additionally, Section III (Obligations of Business Associate), Section V(c), Section VII, Section VIII, and this Section XI shall survive termination of this Agreement.
Backup Space c/o Gmelius SA
Route de Pré-Bois 14
1216 Cointrin, Geneva, Switzerland