Business Associate Agreement
This Business Associate Agreement (“BAA”) is an addendum to one or more service agreements (each being the “Agreement”), and this BAA is effective as of the Effective Date specified below by and between Talarian S.à.r.l. (“Talarian”) and <<Your Company/Organization Legal Name>> on behalf of itself and its subsidiaries and affiliates (“Customer” or “you”).
Customer and Talarian mutually agree to the terms of this BAA in order to comply with the HIPAA Rules, as defined below.
This BAA will be applicable to technology, hosting, consulting, maintenance or other services provided by Talarian to Customer but only to the extent that Talarian meets the regulatory definition of a business associate under the HIPAA Rules with respect to a particular service.
Customer must have an existing Agreement in place for this BAA to be valid and effective. Together with the Agreement, this BAA will govern each party’s respective obligations regarding Protected Health Information (defined below).
This BAA is effective as of the date of last signature below (the “Effective Date”).
“Breach” has the same meaning as the term “Breach” in 45 CFR 164.402.
“HIPAA” means the Health Insurance Portability and Accountability Act of 1996, as amended by Subtitle D of the Health Information Technology for Economic and Clinical Health Act, Title XIII of Division A and Title IV of Division B of the American Recovery and Reinvestment Act of 2009 (Pub. L. No. 111-5) (the “HITECH Act”) and the federal regulations (“HIPAA Rules”) published at 45 CFR parts 160 and 164.
“Individual” has the same meaning as the term “Individual” in 45 CFR 160.103 and includes a person who qualifies as a personal representative in accordance with 45 CFR 164.502(g) or other applicable law.
“Protected Health Information” has the same meaning as that term as defined in 45 CFR 160.103, but limited to information created, received, maintained or transmitted on behalf of Customer to which Talarian has access through the Customer’s use of the applicable services.
“Secure” means to render unusable, unreadable or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Secretary in the guidance issued under section 13402(h)(2) of the HITECH Act.
“Successful Security Incident” means any Security Incident (as defined in 45 CFR 164.304) that results in the unauthorized use, access, disclosure, modification or destruction of electronic Protected Health Information.
All capitalized terms used in this BAA and not defined elsewhere herein or in the Agreement will have the same meaning as those terms as used or defined in the HIPAA Rules.
Obligations of Talarian with respect to Use and Disclosure of Protected Health Information
Talarian will satisfy and comply with the HIPAA Rules concerning the confidentiality, privacy, and security of Protected Health Information that apply to business associates.
Talarian will not use or disclose Protected Health Information except as permitted or required by this BAA or as Required by Law.
Talarian may use and disclose Protected Health Information if that use or disclosure is in compliance with the applicable requirement of 45 CFR 164.504(e).
Talarian will mitigate to the extent practicable any harmful effect resulting from a Successful Security Incident involving Protected Health Information or any use or disclosure of Protected Health Information in violation of the requirements of this BAA, the HIPAA Rules, or other applicable law.
Talarian will ensure that any agent, including a subcontractor, to whom it provides Protected Health Information agrees in writing to comply with the HIPAA Rules through a business associate or similar agreement with respect to that information.
Talarian will not request from Customer nor disclose to its affiliates, subsidiaries, agents and subcontractors or other third parties, more than the minimum necessary Protected Health Information to perform or fulfill a specific function required or permitted hereunder.
Talarian will report any use or disclosure of Protected Health Information not permitted by this BAA and any Successful Security Incident to Customer promptly, but in no event later than ten (10) business days after it is discovered (within the meaning of 45 CFR 164.410(a)(2)). That report shall be made to the contact person identified at the end of this BAA. Talarian shall provide the information concerning the Successful Security Incident as required by 45 CFR 164.410(c) to determine whether a Breach has occurred, including Talarian’s own risk assessment to determine whether a Breach has occurred. If that information is not available to Talarian at the time the Successful Security Incident is reported to Customer, Talarian will provide that information to Customer promptly as it becomes available. Customer and Talarian will mutually determine whether a Breach has occurred. Talarian will maintain records regarding the Successful Security Incident for the period required by 45 CFR 164.530(j). Talarian will not be required to report unsuccessful Security Incidents. Both parties acknowledge that there are likely to be a significant number of meaningless or unsuccessful attempts to access Talarian’s systems or services, which make a real-time reporting requirement impractical for both parties. The parties acknowledge that Talarian’s ability to report on system activity, including unsuccessful or attempted Security Incidents, is limited by, and to, the Services that Customer has purchased.
Subject to consistency with the nature of the Services provided, within ten (10) business days of receipt of a request from Customer, Talarian shall make accessible to Customer the Protected Health Information relating to the Individual identified in that request that is held by Talarian or its agents or subcontractors in a Designated Record Set, in accordance with 45 CFR 164.524. In the event any Individual requests access to his or her Protected Health Information directly from Talarian, Talarian will, within five (5) business days of receipt of that request, forward the request to Customer.
Subject to consistency with the nature of the Services provided, within ten (10) business days of receipt of a request from Customer, Talarian will make the relevant Protected Health Information accessible to Customer so that Customer may make any requested amendment(s) to Protected Health Information held by Talarian or any agent or subcontractor in a Designated Record Set, in accordance with 45 CFR 164.526. In the event any Individual requests an amendment to his or her Protected Health Information directly from Talarian, Talarian will, within five (5) business days of receipt thereof, notify Customer of the request.
Within ten (10) business days after Talarian, its agents or subcontractors makes any disclosure of Protected Health Information for which an accounting may be required under 45 CFR 164.528, Talarian will provide in writing to the contact person identified at the end of this BAA the information related to that disclosure as would be required to respond to a request by an Individual for an accounting in accordance with 45 CFR 164.528. In the event any Individual requests an accounting of disclosures under 45 CFR 164.528(a) directly from Talarian, Talarian will, within ten (10) business days of receipt of that request, forward the request to Customer.
Talarian will make its internal practices, books, and records relating to the use and disclosure of Protected Health Information available to the Secretary of Health and Human Services or her/his designees or other government authorities in a time and manner mutually agreed upon or as required by those governmental authorities, for purposes of determining compliance with the HIPAA Rules.
Talarian will maintain documentation of its obligations hereunder to the extent and for the period required by the HIPAA Rules, including 45 CFR 164.530(j).
Customer will limit disclosure and access to the minimum amount of Protected Health Information, to the minimum number of personnel, and for the minimum amount of time necessary for Talarian to accomplish the intended purpose of that use, disclosure, or request, respectively.
Customer will notify Talarian of any restriction on the use or disclosure of Protected Health Information that Customer has agreed to or must comply with in accordance with 45 CFR 164.522, to the extent that the restriction may affect Talarian’s use or disclosure of Protected Health Information.
Customer will provide Talarian with notice of any changes to or revocation of permission by an Individual to use or disclose Protected Health Information, if those changes may affect Talarian's permitted uses or disclosures, within a reasonable period of time after Customer becomes aware of those changes to or revocation of permission.
Customer will maintain and comply with policies and procedures to avoid the unauthorized or otherwise improper disclosure of Protected Health Information to Talarian.
Customer will implement appropriate administrative, physical, and technical safeguards to prevent the unauthorized use and disclosure of Protected Health Information, and to protect the confidentiality, integrity, and availability of Electronic Protected Health Information, as required by the HIPAA Rules. Without limiting the foregoing, Customer will comply with the requirements of 45 CFR 164.308, 164.310, 164.312, and 164.316, as may be amended and interpreted in guidance from time to time. Furthermore, Customer will protect all Protected Health Information stored in or transmitted using the Services in accordance with the Secretary of HHS’s Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals, available at http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brguidance.html as it may be updated from time to time, and as may be made available on any successor or related site designated by HHS.
Customer shall undertake commercially reasonable efforts to assist Talarian with responding to an investigation or compliance audit by the Secretary, or an action by an attorney general having jurisdiction.
Security of Protected Health Information
Talarian will implement appropriate administrative, physical, and technical safeguards to prevent the unauthorized use and disclosure of Protected Health Information, and to protect the confidentiality, integrity, and availability of Electronic Protected Health Information, as required by the HIPAA Rules. Without limiting the foregoing, Talarian will comply with the requirements of 45 CFR 164.308, 164.310, 164.312, and 164.316, as may be amended and interpreted in guidance from time to time.
Talarian will conduct periodic reviews of its security safeguards to ensure they are appropriate and operating as intended.
Documentation of Talarian’s security assessments will be retained by Talarian for the period required by law.
Permitted Uses and Disclosures of Protected Health Information.
Talarian will not use or disclose Protected Health Information other than as permitted or required by this BAA or as Required by Law. Subject to those limitations set forth in this BAA, Talarian may use and disclose Protected Health Information as necessary in order to provide its services as described in the Agreement.
Subject to the limitations set forth in this BAA, Talarian may use Protected Health Information if necessary for its proper management and administration or to carry out its legal responsibilities. In addition, Talarian may disclose Protected Health Information as necessary for its proper management and administration or to carry out its legal responsibilities provided that:
that disclosure is Required by Law; or
(1) Talarian obtains reasonable assurances, in the form of a written agreement, from the person to whom the Protected Health Information is disclosed that it will be held confidentially and used or further disclosed only as Required by Law or for the purpose for which it was disclosed to the person; and (2) the person will promptly notify Talarian (which will promptly notify Customer) of any instances of which it is aware in which the confidentiality of the Protected Health Information has been breached, in accordance with Section 2 above.
Term and Termination.
The term of this BAA will continue for so long as the Agreement remains in effect, except that (i) Section 6(c) will survive after the termination of the Agreement for as long as Talarian retains any Protected Health Information; and (ii) any provision that by its nature survives termination will so survive.
Effect of Termination. Except as provided in Section 6(c), upon termination of the Agreement for any reason, the effect of that termination on data within the applicable Talarian system(s) will be governed by the Agreement.
In the event that returning or destroying the Protected Health Information is impractical upon termination, Customer will bear the cost of storage of that Protected Health Information for as long as storage by Talarian is required. This Section does not require Talarian to segregate any Protected Health Information from other information maintained by Customer on Talarian’s systems and Talarian may comply with this requirement by returning or destroying all of the information maintained on its servers by Customer.
The parties will take action as is necessary to amend this BAA from time to time to comply with the requirements of any HIPAA Rules; provided, however, that if any amendment of the HIPAA Rules or guideline from the Department of Health and Human Services would materially increase the cost of Talarian providing service under the Agreement, then Talarian will have the option to terminate the Agreement on thirty (30) days advance notice. In the event of that termination, Talarian will refund any prepaid fees, pro-rated for the remainder of your Subscription Term (as that term is defined in the Agreement), and less any discounts that would then not be earned.
A reference in this BAA to a section in the HIPAA Rules means the section as in effect or as amended, and as of its effective date.
Any ambiguity in this BAA shall be resolved to permit compliance with the HIPAA Rules.
The terms and conditions of this BAA shall override and control any conflicting term or condition of the Agreement. All non-conflicting terms and conditions of the Agreement remain in full force and effect.
Within 15 business days of a written request by Customer, Talarian will provide Customer with detailed information as may be reasonably requested by Customer from time to time regarding Talarian’s compliance with its use or disclosure of Protected Health Information pursuant to this BAA for the purpose of determining whether Talarian has complied with this BAA and the HIPAA Rules; provided, however, that (i) disclosure of that information would not violate Talarian’s privacy or data security policies and, (ii) Customer will make these requests no more than annually unless it is in response to a specific Successful Security Incident.
Relationship of Parties. It is expressly agreed that Talarian, its divisions, and its affiliates, including its employees and subcontractors, are performing the services under this BAA as independent contractors for Customer. Neither Talarian nor any of its affiliates, officers, directors, employees or subcontractors is an employee or agent of Customer. Nothing in this BAA will be construed to create (i) a partnership, joint venture or other joint business relationship between the parties or any of their affiliates, or (ii) an agency relationship for purposes of HIPAA or the HITECH Act.
IN WITNESS WHEREOF, the parties hereto have caused this BAA to be executed by their respective duly authorized officers or agents as of the Effective Date.
<<Your Company/Organization Legal Name>> /CUSTOMER, on behalf of itself and its affiliates
Signature: <<Workflow signature>>
Name: <<Your Organization Signatory Name>>
Title: <<Signatory Title >>
Date: <<BAA Effective Date>>
Privacy or Security Contact Person
(for the purposes of notification under Sections 2(g) and 2(j))
Name: <<Your First Name>> <<Your Last Name>>
Title: <<Your Title>>
Email: <<Your Email>>
Telephone: <<Your Phone Number>>
Address: <<Your Address>>
Name: Alain Renard