Last updated: March 11th, 2021
Business Associate Agreement
This Business Associate Agreement (“BAA”) is an agreement between iTranslate GmbH, for itself and on behalf of its corporate affiliates ("Business Associate”), and you or the entity you represent (“Covered Entity” or “you”). This BAA is a “Service-Specific Term”, as that and other capitalized terms used and not otherwise defined herein are defined in the Terms of Service for Online Sales (the “Underlying Agreement”) that accompanies your Order Confirmation Email for the iTranslate Medical mobile application and related services. The effective date of this BAA (“BAA Effective Date”) shall be the same as the Effective Date for the Underlying Agreement. This BAA is deemed incorporated by this reference into the Underlying Agreement.
This Business Associate Agreement does not apply to you if you purchase iTranslate Medical on the Apple App Store or Google Play Store. It only applies to you if you purchase iTranslate Medical directly from us, and if you represent to us that you are a HIPAA “covered entity” or “business associate”. In such circumstances, the BAA will be listed on your Order Confirmation Email. Please contact firstname.lastname@example.org if you have questions about the BAA in place for your organization.
This BAA addresses the requirements under the Health Insurance Portability and Accountability Act of 1996 as amended (“HIPAA”) with respect to "business associates," as defined under the privacy, security, breach notification, and enforcement rules at 45 C.F.R. Part 160 and Part 164 ("HIPAA Rules"), and is intended to ensure that Business Associate will establish and implement appropriate safeguards for the PHI that Business Associate may receive, create, maintain, use, or disclose in connection with the functions, activities, and services that Business Associate performs for Covered Entity. A reference in this BAA to a section in the HIPAA Rules means the section as in effect or as amended.
Pursuant to changes required under the Health Information Technology for Economic and Clinical Health Act of 2009 (the "HITECH Act") and under the American Recovery and Reinvestment Act of 2009 ("ARRA"), this BAA also reflects federal breach notification requirements imposed on Business Associate when "Unsecured PHI" (as defined under the HIPAA Rules) is acquired by an unauthorized party, and the expanded privacy and security provisions imposed on business associates.
Unless the context clearly indicates otherwise, the following terms in this BAA shall have the same meaning as those terms in the HIPAA Rules: Breach, Data Aggregation, Designated Record Set, disclosure, Electronic Media, Electronic Protected Health Information (ePHI), Health Care Operations, individual, Minimum Necessary, Notice of Privacy Practices, Required By Law, Secretary, Security Incident, Subcontractor, Unsecured PHI, and use.
A reference in this BAA to the Privacy Rule means the Privacy Rule, in conformity with the regulations at 45 C.F.R. Parts 160-164 (the "Privacy Rule") as interpreted under applicable regulations and guidance of general application published by HHS, including all amendments thereto for which compliance is required, as amended by the HITECH Act, ARRA, and the HIPAA Rules.
Business Associate agrees not to use or disclose PHI, other than as permitted or required by the Underlying Agreement, this BAA or as Required By Law; provided that such use or disclosure does not otherwise cause a Breach of Unsecured PHI.
Business Associate agrees to use appropriate safeguards, and comply with Subpart C of 45 C.F.R. Part 164 with respect to ePHI, to prevent unauthorized use or disclosure of PHI.
Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate as a result of a use or disclosure of PHI by Business Associate in violation of this BAA's requirements or that would otherwise cause a Breach of Unsecured PHI.
The Business Associate agrees to the following breach notification requirements:
Business Associate agrees to report to Covered Entity any Breach of Unsecured PHI not provided for by the BAA of which it becomes aware within 15 business days of "discovery" within the meaning of the HITECH Act. Such notice shall include the identification of each individual whose Unsecured PHI has been, or is reasonably believed by Business Associate to have been, accessed, acquired, or disclosed in connection with such Breach. In addition, Business Associate shall provide any additional information reasonably requested by Covered Entity for purposes of investigating the Breach and any other available information that Covered Entity is required to include to the individual under 45 C.F.R. § 164.404(c) at the time of notification or promptly thereafter as information becomes available. Business Associate's notification of a Breach of Unsecured PHI under this Section shall comply in all respects with each applicable provision of Section 13400 of Subtitle D (Privacy) of ARRA, the HIPAA Rules, and related guidance issued by the Secretary or the delegate of the Secretary from time to time.
In the event of Business Associate's use or disclosure of Unsecured PHI in violation of HIPAA, the HITECH Act, or ARRA, Business Associate bears the burden of demonstrating that notice as required under this Section 2.4 was made, including evidence demonstrating the necessity of any delay, or that the use or disclosure did not constitute a Breach of Unsecured PHI.
Business Associate agrees, in accordance with 45 C.F.R. §§ 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, to require that any Subcontractors that create, receive, maintain, or transmit PHI on behalf of the Business Associate agree to the same restrictions, conditions, and requirements that apply to the Business Associate with respect to such information.
Business Associate agrees that when requesting, using, or disclosing PHI in accordance with 45 C.F.R. § 164.502(b)(1), such request, use, or disclosure shall be to the minimum extent necessary, including the use of a "limited data set" as defined in 45 C.F.R. § 164.514(e)(2), to accomplish the intended purpose of such request, use, or disclosure, as interpreted under related guidance issued by the Secretary from time to time.
Business Associate agrees to make its internal practices, books, and records, including policies and procedures regarding PHI, relating to the use and disclosure of PHI and Breach of any Unsecured PHI received from Covered Entity, or created or received by the Business Associate on behalf of Covered Entity, available to Covered Entity (or the Secretary) for the purpose of Covered Entity or the Secretary determining compliance with the Privacy Rule (as defined in Section 8).
Business Associate agrees to account for the following disclosures:
Business Associate agrees to maintain and document disclosures of PHI and Breaches of Unsecured PHI and any information relating to the disclosure of PHI and Breach of Unsecured PHI in a manner as would be required for Covered Entity to respond to a request by an individual or the Secretary for an accounting of PHI disclosures and Breaches of Unsecured PHI.
Business Associate agrees to provide to Covered Entity information collected in accordance with this Section 2.8, to permit Covered Entity to respond to a request by the Secretary for an accounting of Breaches of Unsecured PHI.
Business Associate agrees to comply with the "Prohibition on Sale of Electronic Health Records or Protected Health Information," as provided in Section 13405(d) of Subtitle D (Privacy) of ARRA, and the "Conditions on Certain Contacts as Part of Health Care Operations," as provided in Section 13406 of Subtitle D (Privacy) of ARRA and related guidance issued by the Secretary from time to time.
Business Associate acknowledges that, effective on the BAA Effective Date, it shall be liable under the civil and criminal enforcement provisions set forth at 42 U.S.C. § 1320d-5 and 1320d-6, as amended, for failure to comply with any of the use and disclosure requirements of this BAA and any guidance issued by the Secretary from time to time with respect to such use and disclosure requirements.
General Uses and Disclosures. Business Associate agrees to receive, create, use, or disclose PHI only in a manner that is consistent with this BAA, the Privacy Rule, or Security Rule (as defined in Section 5) and only in connection with providing the services to Covered Entity related to the Underlying Agreement; provided that the use or disclosure would not violate the Privacy Rule, including 45 C.F.R. § 164.504(e), if the use or disclosure would be done by Covered Entity. For example, the use and disclosure of PHI will be permitted for "treatment, payment, and health care operations," in accordance with the Privacy Rule.
Business Associate may use or disclose PHI as Required By Law.
Subject to the Minimum Necessary requirements:
Business Associate may use or disclose PHI for the proper administration and management of the services provided pursuant to the Underlying Agreement.
Business Associate may provide Data Aggregation services relating to services provided in the Underlying Agreement using PHI created or received from Covered Entity.
Business Associate may not use or disclose PHI in a manner that would violate Subpart E of 45 C.F.R. Part 164 if done by the Covered Entity. Business Associate shall not respond to requests it receives from third parties seeking to exercise their rights under Subpart E of 45 C.F.R. Part 164, and shall promptly forward such requests to the Covered Entity.
Responsibility for Implementing Privacy and Security Measures.
Covered Entity is solely responsible for implementing all reasonable and appropriate measures for safeguarding the privacy and security of PHI collected by its authorized users of iTranslate Medical, and the security of the portable devices used by its authorized users to access iTranslate Medical, to include, without limitation reasonable and appropriate measures for: access management, device management, training, audit/log reviews and encryption (in transit and at rest).
Covered Entity will obtain any necessary authorizations, consents and other permissions that may be required under applicable law before using iTranslate Medical to create, receive or transmit protected health information. Without limiting the foregoing, Covered Entity will ensure that its Notice of Privacy Practices has been delivered to relevant individuals before or in connection with their use of Business Associate’s products or services, and that its use of Business Associate’s products or services are at all times covered by the Covered Entity’s HIPAA Notice of Privacy Practices.
Covered Entity will not agree to any restriction requests or place any restrictions in any notice of privacy practices that would cause Business Associate to violate this BAA or any applicable law.
Covered Entity shall:
Provide Business Associate with the Notice of Privacy Practices that Covered Entity produces in accordance with the Privacy Rule, and any changes or limitations to such notice under 45 C.F.R. § 164.520, to the extent that such changes or limitations may affect Business Associate's use or disclosure of PHI.
Notify Business Associate of any restriction to the use or disclosure of PHI that Covered Entity has agreed to or is required to abide by under 45 C.F.R. § 164.522, to the extent that such restriction may affect Business Associate's use or disclosure of PHI under this BAA.
Notify Business Associate of any changes in or revocation of permission by an individual to use or disclose PHI, if such change or revocation may affect Business Associate's permitted or required uses and disclosures of PHI under this BAA.
Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under the Privacy and Security Rule if done by Covered Entity, except as provided under Section 3 of this BAA.
Effective April 20, 2005, Business Associate shall comply with the HIPAA Security Rule, which shall mean the Standards for Security of Electronic Protected Health Information at 45 C.F.R. Part 160 and Subparts A and C of Part 164, as amended by ARRA and the HITECH Act. The term "Electronic Health Record" or "EHR" as used in this BAA shall mean an electronic record of health-related information on an individual that is created, gathered, managed, and consulted by authorized health care clinicians and staff.
In accordance with the Security Rule, Business Associate agrees to:
Implement the administrative safeguards set forth at 45 C.F.R. § 164.308, the physical safeguards set forth at 45 C.F.R. § 164.310, the technical safeguards set forth at 45 C.F.R. § 164.312, and the policies and procedures set forth at 45 C.F.R. § 164.316, to reasonably and appropriately protect the confidentiality, integrity, and availability of the ePHI that it creates, receives, maintains, or transmits on behalf of Covered Entity as required by the Security Rule. Business Associate acknowledges that, effective on the BAA Effective Date, (a) the foregoing safeguards, policies, and procedures requirements shall apply to Business Associate in the same manner that such requirements apply to Covered Entity, and (b) Business Associate shall be liable under the civil and criminal enforcement provisions set forth at 42 U.S.C. § 1320d-5 and 1320d-6, as amended from time to time, for failure to comply with the safeguards, policies, and procedures requirements and any guidance issued by the Secretary from time to time with respect to such requirements;
Require that any agent, including a Subcontractor, to whom it provides such PHI agrees to implement reasonable and appropriate safeguards to protect the PHI; and
Report to the Covered Entity any successful Security Incident of which it becomes aware. The parties acknowledge and agree that this section constitutes notice by Business Associate to Covered Entity of the ongoing existence and occurrence of attempted but Unsuccessful Security Incidents (as defined below) for which no additional notice to Company shall be required. “Unsuccessful Security Incidents” shall include, but not be limited to, pings and other broadcast attacks on Business Associate’s firewall, port scans, unsuccessful log-on attempts, denials of service and any combination of the above, so long as no such incident results in unauthorized access, use or disclosure of PHI.
The parties agree and acknowledge that except as set forth herein, the indemnification obligations contained under the Underlying Agreement shall govern each party's performance under this BAA. Notwithstanding the foregoing, nothing in this Section shall limit any rights any of the Indemnified Parties may have to additional remedies under the Underlying Agreement or under applicable law for any acts or omissions of Business Associate or its agents or Subcontractors.
This BAA shall be in effect as of the BAA Effective Date, and shall terminate on the earlier of the date that:
Either party terminates for cause as authorized under Section 7.2.
All of the PHI received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity. If it is not feasible to return or destroy PHI, protections are extended in accordance with Section 7.3.
Upon either party's knowledge of material breach by the other party, the non-breaching party shall provide an opportunity for the breaching party to cure the breach or end the violation; or terminate the BAA. If the breaching party does not cure the breach or end the violation within a reasonable timeframe not to exceed thirty (30) days from the notification of the breach, or if a material term of the BAA has been breached and a cure is not possible, the non-breaching party may terminate this BAA and the Underlying Agreement, upon written notice to the other party.
Upon termination of this BAA for any reason, the parties agree that:
Business Associate shall return to Covered Entity or destroy all PHI received from Covered Entity, or created, maintained, or received by Business Associate on behalf of Covered Entity, that the Business Associate still maintains in any form. The PHI shall be returned in a format that is reasonably expected to preserve its accessibility and usability. Business Associate shall retain no copies of the PHI.
The obligations of Business Associate under this Section 7 shall survive the termination of this BAA.
The parties agree to take such action as is necessary to amend this BAA to comply with the requirements of the Privacy Rule, the Security Rule, HIPAA, ARRA, the HITECH Act, the HIPAA Rules, and any other applicable law.
The respective rights and obligations of Business Associate under Section 6 and Section 7 of this BAA shall survive the termination of this BAA.
This BAA shall be interpreted in the following manner:
Any ambiguity shall be resolved in favor of a meaning that permits Covered Entity to comply with the HIPAA Rules.
Any inconsistency between the BAA's provisions and the HIPAA Rules, including all amendments, as interpreted by the HHS, a court, or another regulatory agency with authority over the Parties, shall be interpreted according to the interpretation of the HHS, the court, or the regulatory agency.
Any provision of this BAA that differs from those required by the HIPAA Rules, but is nonetheless permitted by the HIPAA Rules, shall be adhered to as stated in this BAA.
This BAA constitutes the entire agreement between the parties related to the subject matter of this BAA, except to the extent that the Underlying Agreement imposes more stringent requirements related to the use and protection of PHI upon Business Associate. This BAA supersedes all prior negotiations, discussions, representations, or proposals, whether oral or written. This BAA may not be modified unless done so in writing and signed by a duly authorized representative of both parties. If any provision of this BAA, or part thereof, is found to be invalid, the remaining provisions shall remain in effect.
This BAA will be binding on the successors and assigns of the Covered Entity and the Business Associate without notice or restriction.
Except to the extent preempted by federal law, this BAA shall be governed by and construed in accordance with the laws of the state of New York.