BUSINESS ASSOCIATE ADDENDUM

This Business Associate Addendum (“Addendum”) forms part of the Terms and Conditions (“Agreement”) and shall apply only to the extent Customer is acting as a Covered Entity (“Covered Entity”) and as a result, is deemed under the HIPAA Rules (as defined below).
The terms used in this Addendum shall have the meanings set forth in this Addendum. Capitalised terms not otherwise defined herein shall have the meaning given to them in the Agreement. Except as modified below, the terms of the Agreement shall remain in full force and effect.
WHEREAS, in the course of the provision of its services, Clanz Technologies Ltd. (“Business Associate”) may create, receive, maintain, or transmit protected health information, including electronic protected health information and/or unsecured health information, as those terms are defined in 45 C.F.R. Section 160.103, 45 C.F.R. Section 164.402 and 42 U.S.C. Section 17932(h), on behalf of Covered Entity; and
WHEREAS, the purpose of this Addendum is to satisfy the standards and requirements of the Health Insurance Portability and Accountability Act (“HIPAA”) and the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”), as may be amended from time to time (collectively referred to as “the HIPAA Rules”).
NOW THEREFORE, in consideration of the mutual covenants set forth in this Addendum, and other good and valuable consideration, the sufficiency and receipt of which are hereby severally acknowledged, the parties agree as follows:
  • Definitions. All capitalized terms used but not otherwise defined in this Addendum shall have the same meaning as those terms are defined in the HIPAA Rules.
    • “Breach” shall have the same meaning as the term “breach” in 45 C.F.R. Section 164.402 and 42 U.S.C. Section 17921(1). The date of breach shall be determined as set forth in 45 C.F.R. Section 164.410.
    • “Individual” shall have the same meaning that the term has in 45 C.F.R. Section 160.103 and shall include a person who qualifies as a personal representative in accordance with 45 C.F.R. Section 164.502(g).
    • “Individually Identifiable Health Information” shall have the same meaning that the term has in 45 C.F.R. Section 160.103.
    • “HIPAA Rules” shall mean the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Part 160 and Part 164.
    • “Protected Health Information” or “PHI” shall have the same meaning as the term “protected health information” in 45 C.F.R. Section 160.103, limited to the information created, maintained or received by Business Associate from or on behalf of Covered Entity. PHI shall be inclusive of ePHI and uPHI (as those terms are defined directly below).
    • “Electronic Protected Health Information” or “ePHI” shall have the same meaning as the term “electronic protected health information” in 45 C.F.R. Section 160.103, limited to the information created, maintained or received by Business Associate from or on behalf of Covered Entity.
    • “Unsecured Protected Health Information” or “uPHI” shall have the same meaning as the term “unsecured protected health information” in 45 C.F.R. Section 164.402 and 42 U.S.C. Section 17932(h), limited to the information created, maintained or received by Business Associate from or on behalf of Covered Entity.
    • “Required by law” shall have the same meaning as the term “required by law” in 45 C.F.R. Section 164.103.
    • “Secretary” shall mean the Secretary of the Department of Health and Human Services or his/her designee.
    • “Security Incident” shall have the same meaning as the term “security incident” in 45 CFR Section 164.304.
  • Business Associate Permitted Uses and Disclosures
    • Business Associate provides services for or on behalf of the Covered Entity that involve (i) the use and disclosure of PHI or (ii) access, maintenance, retention, modification, storage, or destruction of PHI (“Services”).
    • Business Associate may use or disclose PHI only to perform functions, activities, or Services for, or on behalf, of the Covered Entity as specified in this Addendum and the Agreement in effect between Covered Entity and Business Associate. All uses of PHI not authorized by this Addendum are prohibited.
    • Business Associate may not engage in any use or disclosure of PHI that would violate the HIPAA Rules if done by the Covered Entity, except for the specific uses and disclosures set forth below:
      • Business Associate may use PHI for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate.
      • Business Associate may disclose PHI for the proper management and administration of Business Associate or to carry out the legal responsibilities of the Business Associate, provided: (a) the disclosures are required by law, or (b) Business Associate obtains reasonable assurances from the person or entity to whom the information is disclosed that the information will remain confidential and only be used or further disclosed as required by law or for the purposes for which it was disclosed to the person/entity, and (c) the person/entity notifies Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.
      • Business Associate may provide data aggregation services relating to the Services provided to the Covered Entity.
    • To the extent that any PHI is de-identified, or is otherwise limited in scope by the removal of any individual identifiers, Business Associate agrees not to take any action aimed at or likely to result in a re-identification of the individual to whom the PHI relates. Further, Business Associate will not make any attempt to contact the individual to whom the PHI relates.
    • Covered Entity data that is used, disclosed, or otherwise made available under this Addendum (including PHI and personally identifiable information) and regardless of form or format, including whether de-identified, may not be used, sold, transferred, transmitted, or otherwise made accessible for any purpose, including without limitation for any for-profit or commercial purpose whatsoever other than what is expressly agreed to between the Parties. This paragraph shall survive termination or expiration of this Addendum.
  • Responsibilities of the Covered Entity
    • Covered Entity warrants that it has all the necessary rights to provide the PHI to Business Associate for the Services to be provided under this Addendum. To the extent required, Covered Entity is responsible for ensuring that all necessary privacy notices are provided to individuals whose PHI is collected, and that any necessary permissions or consents for the Services to be performed are obtained, and for ensuring that a record of such are maintained.
    • Covered Entity shall promptly notify Business Associate of any limitation(s) in its notice of privacy practices of Covered Entity in accordance with 45 C.F.R. § 164.520, to the extent that such limitation may affect Business Associate’s use or disclosure of PHI.
    • Covered Entity shall promptly notify Business Associate of any changes in, or revocation of consents or permissions by an Individual to use or disclose PHI to the extent that such changes may affect Business Associate’s use or disclosure of PHI under this Addendum.
    • Covered Entity shall promptly notify Business Associate of any restriction to the use or disclosure of PHI in accordance with 45 C.F.R. §164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of PHI.
  • Responsibilities of the Business Associate. 
    • Business Associate shall use and/or disclose the PHI only as permitted or required by this Addendum or as otherwise required by law.
    • Business Associate shall use appropriate safeguards to maintain the privacy and security of PHI, and prevent unauthorized use and/or disclosure of PHI in violation of this Addendum.
    • Business Associate shall report to the designated privacy officer of the Covered Entity, regarding any use or disclosure of PHI not provided for in this Addendum, including Security Incidents and Breaches of uPHI, of which Business Associate becomes aware.
    • Business Associate shall provide such notice without unreasonable delay from the Business Associate’s discovery of such Security Incident or Breach. Such written notice shall include:
      • a brief description of what happened, including the date of the Breach and the date of the discovery of the Breach, if known,
      • the scope of the incident, including the types of uPHI involved.
      • the identification of each individual whose uPHI has been, or is reasonably believed by Business Associate to have been accessed, acquired, or disclosed during such Breach, including the individual’s first and last name, mailing address, street address, phone number, email address, if known.
      • the identification of the party responsible for causing the Breach or Security Incident, including first and last name, mailing address, street address, phone number, email address, if known.
      • the steps individuals should take to protect themselves from potential harm resulting from the Breach or Security Incident,
      • a description of what the Business Associate is doing to investigate the Breach or Security Incident, to mitigate losses and to protect against any further breaches or incidents, and
      • contact procedures for individuals to ask questions or learn additional information.
      • Business Associate shall keep a log of any and all security incidents and their outcomes.
    • Business Associate shall require all of its agents, including subcontractors, that receive, use, or have access to PHI under this Addendum to agree, in writing, to adhere to the same restrictions and conditions on the use and/or disclosure of PHI that apply to the Business Associate through this Addendum.
    • Business Associate represents and warrants to Covered Entity that all of its employees, agents, representatives, subcontractors, and members of its workforce, whose services may be used to fulfil obligations under this Addendum are or shall be appropriately informed of the terms of this Addendum and their legal obligations, by contract or otherwise, sufficient to enable the Business Associate to fully comply with all provisions of this Addendum.
    • Business Associate shall make available PHI in accordance with the requirements of 45 C.F.R. 164.524, in the time and manner reasonably designated by Covered Entity.
    • Business Associate shall make available PHI for amendment and incorporate any amendments to PHI in accordance with 45 C.F.R. 164.526, in the time and manner reasonably designated by the Covered Entity.
    • Business Associate shall make available information related to such disclosures upon request and to the extent reasonably required by the Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. 164.528.
    • To the extent applicable and required, Business Associate shall make all records, books, Addendums, internal practices, policies and procedures and PHI received by the Business Associate on behalf of the Covered Entity available to the Secretary and the Covered Entity, for purposes of determining the Covered Entity’s compliance with the HIPAA Rules and the terms of this Addendum.
    • Business Associate shall, when using or disclosing PHI or when requesting PHI from the Covered Entity, limit the request, disclosure and use of PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.
    • Business Associate shall implement administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of any PHI that it creates, receives, maintains or transmits to or on behalf of Covered Entity; and to ensure that any agent, including a subcontractor, to whom it provides such information, agrees to implement reasonable and appropriate safeguards to protect it. Business Associate shall document and keep current such security measures in written policies, procedures or guidelines, and make its policies, procedures, and any documentation required by this Addendum and the Security Regulations relating to such safeguards available to Covered Entity and to the Secretary for the purposes of determining Covered Entity’s compliance with the Security Regulations.
    • Upon Covered Entity’s prior written request and Business Associate’s consent to confirm Business Associate’s compliance with this Addendum, as well as any applicable laws, regulations and industry standards, Business Associate grants Covered Entity or, upon Covered Entity’s election, a third party on Covered Entity’s behalf, permission to perform an assessment, audit, examination or review of all controls in Business Associate’s relevant physical and/or technical environment in relation to all PHI being handled and/or Services being provided to Covered Entity pursuant to this Addendum. Business Associate shall fully cooperate with such assessment by providing reasonable access to knowledgeable personnel, physical premises and documentation relevant to this Addendum. In the alternative, Business Associate shall, at Covered Entity’s expense, provide Covered Entity with the results of any relevant audit or assessment made by or on behalf of Business Associate.
    • Business Associate shall notify Covered Entity if the Department of Health and Human Services (“HHS”) or any other federal or state regulator or agency initiates an investigation into Business Associate related to Covered Entity’s PHI. Such notice shall be provided to Covered Entity within five (5) business days of Business Associate learning of such investigation.
    • Business Associate shall mitigate, to the extent reasonably practicable, any harmful effects known to the Business Associate of any improper use and/or disclosure of PHI by the Business Associate in violation of the requirements of this Addendum.
    • Business Associate represents and warrants to the Covered Entity that Business Associate (i) is not currently excluded, debarred, or otherwise ineligible to participate in any federal health care program as defined in 42 U.S.C. Section 1320a-7b(f) (“the Federal Healthcare Programs”); (ii) has not been convicted of a criminal offense related to the provision of health care items or services and not yet been excluded, debarred, or otherwise declared ineligible to participate in the Federal Healthcare Programs, and (iii) is not aware of any investigation or otherwise aware of any circumstances which may result in Business Associate being excluded from participation in the Federal Healthcare Programs.
  • Term and Termination
    • Term. This Agreement shall be in effect as of the Effective Date and shall continue until the earlier of the following: (1) the Agreement expires or terminates; or (2) this Agreement terminates.
    • Termination. Upon a party’s reasonable determination that the other party has violated a material term of the Addendum, each party may, in its sole discretion, provide a reasonable opportunity (no longer than thirty days) for the other party to cure the material breach or end the material violation, and if such party does not cure the material breach or end the material violation within a reasonable time (no longer than thirty days), the other party may terminate this Addendum and the Agreement.
    • Effect of Termination. In the event of termination of this Addendum for any reason, Business Associate agrees to return or destroy all PHI in its possession pursuant to 45 C.F.R. Section 164.504(e)(2)(ii)(J) if it is feasible to do so. If it is not feasible for the Business Associate to return or destroy said PHI, the Business Associate will notify Covered Entity in writing.
  • Miscellaneous
    • Independent Contractor. The parties hereto shall be independent contractors and neither shall at any time be considered an agent or employee of the other. No joint venture, partnership, or like relationship is created between the parties by this Addendum or the Agreement.
    • Regulatory Compliance. If the HIPAA Rules are amended in a manner that would alter the obligations of Business Associate as set forth in this Addendum, then the parties agree to take such action as is necessary in good faith to amend this Addendum to comply with the HIPAA Rules. All amendments shall be mutually agreed to by the parties in writing.
    • Entire Addendum; Amendment; Conflict of Terms. There are no oral Addendums with respect to the subject matter of this Addendum which are not fully expressed herein. No representations, understanding, or Addendums have been made or relied upon in the making of this Addendum other than those specifically set forth herein. This Addendum can only be modified or amended by writing signed by authorised representatives of both parties. In the event of any conflict between this Addendum and any other documents or instruments, the language of this Addendum shall govern.
    • Interpretation. Any ambiguity in this Addendum shall be resolved in favor of a meaning that permits compliance with the HIPAA Rules. The terms of this Addendum shall prevail in the case of any conflict with the terms of the Agreement to the extent necessary to allow the parties to comply with the HIPAA Rules.
    • Assignment. Neither party may assign this Addendum or its rights thereunder without prior written consent from the other party, which shall not be unreasonably withheld.
    • Third Party Beneficiaries. This Addendum is entered into by and between the parties hereto and for their benefit. There is no intent by either party to create or establish a third-party beneficiary status or rights in any third party to this Addendum.
    • Governing Law. This Addendum shall be considered as having been entered into in the State of Israel, and shall be construed and interpreted in accordance with the laws of that state. Any action or proceeding arising out of or relating to this Addendum shall be heard and determined under the competent courts of Tel-Aviv.
    • Notification. Service of all notices under this Addendum shall be in writing and sent by certified or registered mail or courier service, postage prepaid, and addressed to the addresses set forth below until such addresses are changed by written notice.
This page was updated in May 2023.