This Business Associate Agreement (“BAA”) is incorporated by reference and forms an integral part of the US Benefit Administration Terms of Use and the US Benefit Administration Early Access Program Rider (together, the “Terms”) governing the use of HiBob’s benefit administration services (the “Services”), entered by and between you, the Customer (as defined in the Terms) (hereinafter, “Covered Entity”), and the HiBob entity set forth in the relevant order form (together with its affiliates hereinafter, “Business Associate”). Business Associate and Covered Entity may each be referred to as a “Party” and collectively, as the “Parties”. This BAA shall become effective upon Covered Entity’s first use of the Services (the “Effective Date”). In the event of any conflict between this BAA and the Terms, the provisions of the BAA shall prevail solely with regard to the use and disclosure of PHI (as defined below).
RECITALS
WHEREAS, Business Associate provides certain services to entities that are themselves HIPAA Covered Entities (as such terms are defined in 45 C.F.R. §160.103); and
WHEREAS, Business Associate may in connection with those services, receive or create certain information, including PHI (as defined below), from or on behalf of such Covered Entities, requiring special treatment and protection; and
WHEREAS, Business Associate provides certain Services to Covered Entity as described in the Terms, and in connection with the Services provided by Business Associate, Covered Entity will be disclosing or providing Business Associate with access to certain PHI (as defined below); and
WHEREAS, to comply with the requirements of the privacy, security, breach notification and enforcement regulations under the Health Insurance Portability and Accountability Act of 1996, as amended and set forth at 45 C.F.R. Parts 160 and 164 (the “HIPAA Rules” or “HIPAA”), the Parties desire to enter into this BAA documenting the permitted uses and disclosures of PHI by Business Associate and other rights and obligations of the Parties.
NOW, THEREFORE, in consideration of the mutual promises set forth in this BAA and the Terms, and for other good and valuable consideration, the receipt and sufficiency of which is hereby acknowledged, the Parties hereby agree as follows:
Definitions. Terms used, but not otherwise defined in this BAA shall have the same meaning as those terms in the HIPAA Rules or in the Terms, as applicable. (a) “Breach” shall have the same meaning as the term “breach” in 45 C.F.R. §164.402, limited to breaches of PHI not rendered unusable, unreadable or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary of Health and Human Services (the “Secretary”) in guidance issued under Section 13402(h) of Public Law 111-5. (b) “Breach Notification Rule” shall mean the Standards for Notification in the Case of Breach of Unsecured Protected Health Information at 45 C.F.R. Part 164, Subpart D. (c) “Business Associate” shall mean the entity identified as “Business Associate” in the opening paragraph of this BAA, and the subcontractors, agents, and person(s) or entity(ies) under its control, which create, receive, maintain, or transmit PHI on behalf of Covered Entity. “Business Associate” shall include any subcontractor to whom Business Associate as defined above delegates a function, activity, or service to be performed on behalf of Covered Entity. (d) “ePHI” shall mean a subset of PHI that is maintained in or transmitted by electronic media as such term is defined in 45 C.F.R. §160.103. (e) “Individual” shall have the same meaning as the term “individual” in 45 C.F.R. §160.103 and shall include a person who qualifies as a personal representative in accordance with 45 C.F.R. §164.502(g). (f) “PHI” shall have the same meaning as the term “protected health information” in 45 C.F.R. §160.103, limited to the information created, received, maintained, or transmitted by Business Associate from or on behalf of Covered Entity pursuant to this BAA. For the avoidance of doubt, the term “PHI” shall include ePHI. (g) “Privacy Rule” shall mean the Standards for Privacy of Individually Identifiable Health Information at 45 C.F.R. Part 160 and Part 164, Subparts A and E.
(h) “Security Incident” shall mean the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system. (i) “Security Rule” shall mean the Security Standards for the Protection of Electronic Protected Health Information at 45 C.F.R. Parts 160 and 164, Subparts A and C. (j) “Unsuccessful Security Incidents” means Security Incidents that do not result in the unauthorized access, use, disclosure, modification, or destruction of PHI and may include Security Incidents that do result in disruption to Business Associate’s systems or networks containing PHI.
Applicability. Covered Entity is solely responsible for: (i) selecting the appropriate type of account based on its particular data privacy and security compliance obligations; (ii) implementing appropriate privacy and security features within the Services and relevant environment where the products and Services are deployed, if applicable; and (iii) assessing whether its type, manner and usage of the Services are appropriate for the security, storage or control of, or access to PHI.
Obligations and Activities of Business Associate. (a) Business Associate agrees to not use or disclose PHI other than as permitted or required by this BAA or as “Required by Law” (as such term is defined in 45 C.F.R. §164.103). (b) Business Associate agrees to comply with the provisions of the HIPAA Rules concerning minimum necessary uses, disclosures, and requests for PHI. Business Associate shall use its professional judgment in making minimum necessary determinations. (c) Business Associate agrees to use appropriate safeguards and to comply with the Security Rule with respect to ePHI designed to prevent the use or disclosure of PHI other than as provided for by this BAA. In particular, Business Associate agrees to implement and maintain administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of all PHI. (d) Business Associate agrees to report to Covered Entity any use or disclosure of PHI not provided for by this BAA of which it becomes aware, including, but not limited to, any Breach and any Security Incident of which it becomes aware, and such notification must be furnished to Covered Entity without unreasonable delay and no later than ten (10) days from the discovery of the same, provided, however, that if a delay is requested by a law enforcement official in accordance with 45 C.F.R. §164.412, Business Associate may delay notifying Business Associate for the applicable time period. (e) In accordance with 45 C.F.R. §164.308(b)(2) and §164.502(e)(1)(ii), Business Associate agrees to enter into a written contract with subcontractors that create, receive, maintain or transmit PHI on behalf of Business Associate. 
Such contract shall require that such subcontractors agree to substantially similar restrictions and conditions that apply to Business Associate with respect to PHI in this BAA, and provide: (i) appropriate and robust measures to safeguard ePHI; and (ii) stipulate compliance with the applicable requirements of 45 C.F.R. Part 164 Subpart C of the Security Rule. (f) To the extent that Business Associate has a Designated Record Set for an Individual that is not maintained by Covered Entity, Business Associate agrees to provide access to the Individual’s PHI in a Designated Record Set pursuant to 45 C.F.R. §164.524 upon a twenty (20) day prior written request from Covered Entity or the Individual. The Business Associate’s response will be made to the Covered Entity or, if so directed by Covered Entity, directly to the requesting Individual. If an Individual makes a request for access pursuant to 45 C.F.R. § 164.524 directly to Business Associate, or enquiries about their right to access, Business Associate shall forward such request to Covered Entity promptly upon receipt of such request. Where the Individual’s request concerns PHI contained in a Designated Record Set that is duplicative of the PHI contained in a Designated Record Set possessed by Covered Entity, Business Associate is not required to provide such access and shall forward such request to the Covered Entity. (g) To the extent that Business Associate has a Designated Record Set for an Individual that is not maintained by the Covered Entity, Business Associate agrees to respond to requests for amendment(s) to PHI in a Designated Record Set pursuant to 45 C.F.R. §164.526 upon prior written request from the Business Associate or the Individual within twenty (20) business days of receipt. (h) The Business Associate’s response will be made to Covered Entity or, if expressly directed by Covered Entity in writing, directly to the requesting Individual. 
If Business Associate receives a request for amendment directly from an Individual, Business Associate shall forward such request to Covered Entity within ten (10) business days and shall not respond to such request directly unless instructed in writing by Covered Entity. Business Associate agrees to document certain disclosures of PHI and information related to such disclosures and agrees to provide an accounting of such information pursuant to 45 C.F.R. §164.528 upon prior written request from Covered Entity or the Individual. The Business Associate’s response will be made to Covered Entity within twenty (20) business days of receiving a relevant request. (i) To the extent Business Associate is to carry out one or more of Covered Entity’s obligations under the Privacy Rule pursuant to the terms of this BAA, Business Associate shall comply with the requirements of the Privacy Rule that apply to Covered Entity in the performance of these obligations. (j) Business Associate agrees to make internal practices, books, and records, including policies and procedures relating to the use and disclosure of PHI, available to the Secretary for purposes of determining compliance with the HIPAA Rules. (k) To the extent that Business Associate or any of its subcontractors conducts Standard Transaction(s) on behalf of Covered Entity, Business Associate and its subcontractors shall comply with the Administrative Requirements of, and provide reasonable assistance to Covered Entity to comply with any applicable certification and compliance requirements under, 45 C.F.R. Part 162 by the applicable compliance date(s).
Obligations of Covered Entity. (a) Covered Entity shall notify Business Associate of any limitation(s) in its notice of privacy practices in accordance with 45 C.F.R. §164.520, to the extent that such limitation may affect Business Associate’s use or disclosure of PHI. (b) Covered Entity shall obtain any consent or authorization that may be required by the Privacy Rule, or applicable state law, prior to furnishing Business Associate with PHI. Covered Entity shall notify Business Associate of any changes in, or revocation of, permission by an Individual to use or disclose PHI, to the extent that such changes may affect Business Associate’s use or disclosure of PHI. (c) Covered Entity shall notify Business Associate of any restriction to the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 C.F.R. § 164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of PHI. (d) Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under the HIPAA Rules if done by Covered Entity, except as otherwise permitted under this BAA.
Permitted Uses and Disclosures by Business Associate. (a) Except as otherwise limited by this BAA or permitted by this Section, Business Associate may use or disclose PHI only as necessary to perform functions, activities or services for, or on behalf of, Covered Entity in accordance with the Terms and the provision of the Services thereunder. (b) Business Associate may not use or disclose PHI in a manner that would violate the Privacy Rule if done by Covered Entity. (c) Business Associate may use or disclose PHI as Required by Law, provided that such use or disclosure would not violate the HIPAA Privacy Rule if done by Covered Entity, except as otherwise permitted or Required by Law. (d) Business Associate may use PHI when necessary for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate. Business Associate may disclose PHI when necessary for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate if the disclosure is Required by Law or made to a recipient from whom Business Associate obtains, prior to disclosure, reasonable written assurances that (i) the PHI will be held confidentially as outlined in this BAA and used or further disclosed only as Required by Law or for the purpose for which it was disclosed, and (ii) such person agrees to notify Business Associate of any instance of which it is aware in which the confidentiality of the PHI has been breached. (e) Business Associate may use or disclose PHI to provide Data Aggregation services as permitted by 45 C.F.R. § 164.504(e)(2)(i)(B). (f) Business Associate may de-identify PHI in accordance with the standards set forth in 45 C.F.R. § 164.514(b) and may use or disclose such de-identified data for any purpose.
Term; Effect of Termination. (a) Term. This BAA shall be effective as of the Effective Date and shall terminate upon the last to occur of the following: (i) the termination of the Terms; or (ii) when all PHI in Business Associate’s possession or control is destroyed or returned to Business Associate in accordance with Section 6(c) below (Effect of Termination). The provisions of Sections 3(d) and 6(c) hereto shall survive any termination of this BAA. (b) Termination for Cause. Covered Entity may terminate immediately this BAA and/or the Terms solely with respect to the affected Services if Covered Entity makes a determination that Business Associate has breached a material term of this BAA and Business Associate has failed to cure that material breach, to Covered Entity’s reasonable satisfaction, within forty-five (45) days after written notice from Covered Entity. Covered Entity may report the problem to the Secretary if termination is not feasible. (c) Effect of Termination. (i) Within sixty (60) days from the effective date of the termination or expiration of the Terms, Business Associate shall delete any and all PHI, unless further retention of such PHI is required by applicable law. (ii) In the event that Business Associate reasonably determines that returning or destroying the PHI is infeasible, including where further storage thereof is required by law to which Business Associate is subject, Business Associate shall extend the protections of this BAA to such PHI and limit further uses and disclosures of PHI to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains the PHI.
Miscellaneous. (a) Regulatory References. A reference in this BAA to a section in the HIPAA Rules means the section as in effect or as amended. (b) Status of Parties. Business Associate is an independent contractor of Covered Entity. Nothing in this BAA shall be construed to create a joint venture, partnership, or agency. No employee or agent of Business Associate shall be deemed to be an employee or agent of Business Associate, and no employee or agent of Business Associate shall be deemed to be an employee or agent of Business Associate. (c) Amendment. The Parties agree to take such action as is necessary to amend this BAA from time to time as may be required for the Parties to comply with the requirements of the HIPAA Rules. This BAA may only be amended by a written amendment signed by both Parties. (d) Reporting. For all reporting obligations under this BAA, the Parties acknowledge that, due to encryption, Business Associate may not have visibility into the nature of the PHI contained in Covered Entity files or accounts. As a result, Business Associate may not be able to identify the Individuals affected or describe the information subjected to a Security Incident, Impermissible Use or Disclosure, or Breach. Business Associate’s reporting obligations shall be limited to the information it can readily see without decryption, provided that (i) Business Associate shall continue to report any Security Incident, Impermissible Use or Disclosure, or Breach involving PHI as required under this BAA, regardless of whether PHI content is accessible, and (ii) upon request, Business Associate shall cooperate with Covered Entity in assessing the incident and, to the extent feasible, assist in identifying affected Individuals or the nature and scope of PHI involved. (e) Unsuccessful Security Incidents.
The Parties agree that, other than where such Unsuccessful Security Incident reveals or indicates any substantial vulnerability that needs to be addressed immediately or otherwise mitigated and (therefore) needs to be reported to Covered Entity, Unsuccessful Security Incidents occur frequently and that there is no significant benefit for data security from requiring the documentation and reporting of such unsuccessful intrusion attempts. Consequently, the Parties agree that this BAA shall constitute the documentation, notice and written report of such Unsuccessful Security Incidents as required by the Security Rule and that no further notice or report of such attempts will be required. An Unsuccessful Security Incident shall include, but not be limited to, pings and other broadcast attacks on Business Associate’s firewall, port scans, unsuccessful log-on attempts, denials of service and any combination of the above, so long as no such incident results in unauthorized access to, or use or disclosure of, PHI. (f) Interpretation. Any ambiguity in this BAA shall be resolved to permit the Parties (as relevant) to comply with the HIPAA Rules. (g) Severability. The invalidity or unenforceability of any provisions of this BAA shall not affect the validity or enforceability of any other provision of this BAA, which shall remain in full force and effect. (h) Notices. All notices and communications required or permitted pursuant to the terms of this BAA shall be in writing and by electronic mail to the addresses listed below:
Email: on record for Customer’s registered account administrator for the Services
Email shall be deemed an effective and sufficient method of delivery for all purposes under this BAA. No PHI shall be included in any email notice unless appropriate safeguards are in place in accordance with the HIPAA Security Rule.
(i) Entire Agreement. This BAA constitutes the entire agreement between the Parties with respect to its subject matter and constitutes and supersedes all prior agreements, representations and understandings of the Parties, written or oral, with regard to this same subject matter.