HIPAA Business Associate Agreement


This Agreement is dated: [11th May 2023]

BETWEEN

  1. [ Company Name ] an entity registered in [Jurisdiction] with registration number [Number], whose registered address is at [Address] (‘Customer’); and
  2. Upvio Healthtech Pty Ltd, an entity registered in Australia with registration number ABN 35 657 030192 whose registered office is at Level 8, 905 Hay Street, Perth, WA, 6000, Australia (‘Upvio’),

each referred to as a party, and together as the parties.

RECITALS

  1. This HIPAA Business Associate Agreement ("Agreement") constitutes a business associate relationship under HIPAA and its implementing privacy and security regulations at 45 C.F.R. Parts 160 and 164 (the "HIPAA regulations"). It is entered into by the Parties in addition to the Master Software as a Service (SaaS) Terms and is intended to form a legally binding agreement between the Parties.
  2. Customer wishes to disclose to Upvio certain information pursuant to the terms of this Agreement, some of which may constitute Protected Health Information ("PHI") and confidential information protected by federal and/or state laws.
  3. As set forth in this Agreement, Upvio is the Business Associate of Customer and provides services, arranges, performs, or assists in the performance of functions or activities on behalf of the Customer and creates, receives, maintains, transmits, uses, or discloses PHI.
  4. Customer and Upvio desire to protect the privacy and provide for the security of PHI and confidential information created, received, maintained, transmitted, used, or disclosed pursuant to this Agreement, in compliance with HIPAA and HIPAA regulations and other applicable laws.
  5. The terms used in this Agreement, but not otherwise defined, shall have the same meanings as those terms in the HIPAA regulations.

  1. DEFINITIONS AND INTERPRETATION
  1.1 In this Agreement:

Commencement Date

means the date indicated at the top of this Agreement;

HIPAA

means the Health Insurance Portability and Accountability Act;

Master SaaS Terms

means the Master Software as a Service Terms entered into between the Customer and Upvio which governs the terms and conditions of the services provided by Upvio to the Customer;

Protected Health Information or PHI

means any information, whether oral or recorded in any form or medium that relates to the past, present, or future physical or mental condition of an individual, the provision of health and dental care to an individual, or the past, present, or future payment for the provision of health and dental care to an individual;

Secretary

means the Secretary of the U.S. Department of Health and Human Services; and

Security Incident

means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of PHI, or confidential information that is essential to the ongoing operation of the Business Associate’s organization and intended for internal use; or interference with system operations in an information system.

  1.2 Interpretation

In this Agreement:

  1. a reference to a ‘party’ includes that party’s successors and permitted assigns;
  2. the table of contents and the clause, paragraph, schedule, or other headings in this Agreement are included for convenience only and shall have no effect on interpretation;
  3. words in the singular include the plural and vice versa;
  4. any words that follow ‘include’, ‘includes’, ‘including’, ‘in particular’ or any similar words and expressions shall be construed as illustrative only and shall not limit the sense of any word, phrase, term, definition, or description preceding those words;
  5. a reference to a law is a reference to that law as amended, extended, re-enacted, or consolidated from time to time; and
  6. a reference to a law includes all subordinate laws made from time to time under that law.
  2. Commencement and Term
  2.1 This Agreement shall commence on the Commencement Date and, unless terminated earlier in accordance with clause 11 or otherwise in accordance with the provisions of this Agreement, shall continue in force until terminated.
  3. Permitted Uses and Disclosures of PHI by Upvio
  3.1 Except as otherwise indicated in this Agreement, Upvio may use or disclose PHI only to perform functions, activities or services specified in the Master SaaS Terms, for, or on behalf of the Customer, provided that such use or disclosure would not violate HIPAA.
  3.2 Except as otherwise indicated in this Agreement, Upvio may use and disclose PHI for:
  1. the proper management and administration of Upvio;
  2. to carry out its obligations under the Master SaaS Terms;
  3. to carry out the legal responsibilities and duties of Upvio;
  4. to carry out data aggregation in combining PHI created or received by Upvio to permit data analysis that relates to the health care operations of the Customer.
  4. Responsibilities of Upvio
  4.1 Upvio agrees:
  1. not to use or disclose PHI other than as permitted or required by this Agreement or as required by law;
  2. to implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the PHI, including electronic PHI, that it creates, receives, maintains, uses, or transmits on behalf of the Customer;
  3. to prevent use or disclosure of PHI other than as provided for by this Agreement;
  4. to develop and maintain a written information privacy and security policy that includes administrative, technical, and physical safeguards appropriate to the size and complexity of Upvio’s operations and the nature and scope of its activities;
  5. to take any and all steps necessary to ensure the continuous security of all computerized data systems containing PHI;
  6. to mitigate, to the extent practicable, any harmful effects known to Upvio of a use or disclosure of PHI by Upvio or its subcontractors in violation of the requirements of this Agreement;
  7. to ensure that any agents, including subcontractors, to whom Upvio provides PHI received from or created or received by Upvio on behalf of the Customer, agree to the same restrictions and conditions that apply to Upvio with respect to such PHI, including implementation of reasonable and appropriate administrative, physical, and technical safeguards to protect such PHI;
  8. to provide the Customer access as it may require, in a timely manner upon reasonable notice, to the PHI provided by the Customer, or as directed by the Customer to an individual, in accordance with 45 C.F.R. § 164.524;
  9. to notify the Customer as soon as it becomes aware of a Security Incident and take prompt and corrective actions to mitigate any risks or damages involved with the Security Incident and protect the operating environment; and
  10. to take any action required by applicable federal and state laws and regulations to prevent unauthorised disclosure of PHI.
  5. Investigation of a Security Incident
  5.1 The Customer shall immediately investigate any Security Incident or suspected Security Incident and identify, as soon as reasonably possible:
  1. what data elements were involved, and the extent of the data involved in the breach;
  2. a description of the unauthorized persons known or reasonably believed to have improperly used or disclosed PHI;
  3. a description of where the PHI is believed to have been improperly transmitted, sent, or utilized;
  4. a description of the probable causes of the improper use or disclosure; and
  5. whether Civil Code § 1798.29 or § 1798.82 or any other federal or state laws requiring individual notifications of breaches are triggered.
  5.2 Upvio shall notify any affected individuals following a Security Incident when such notification is required under federal or state laws or regulations.
  6. Training
  6.1 Upvio shall use reasonable endeavours to train its employees regarding the use of PHI in accordance with HIPAA requirements.
  7. Obligations of Customer
  7.1 The Customer shall:
  1. at all times comply with HIPAA and any other applicable federal and state laws and regulations in its operations and in its collection of PHI;
  2. provide Upvio with the Notice of Privacy Practices that the Customer produces in accordance with 45 C.F.R. § 164.520, as well as any changes to such notice;
  3. provide Upvio with any changes in, or revocation of, permission by an Individual to use or disclose PHI, if such changes affect Upvio’s permitted or required uses and disclosures;
  4. notify Upvio of any restriction to the use or disclosure of PHI that the Customer has agreed to in accordance with 45 C.F.R. § 164.522, to the extent that such restriction may affect Upvio’s use or disclosure of PHI;
  5. notify Upvio (within 2 days of request) of any patient (or patient’s representative) preferences, or changes to such preferences, regarding the method of communicating with the patient; and
  6. not request Upvio to use or disclose PHI in any manner that would not be permissible under HIPAA or the HIPAA regulations.
  8. Indemnity
  8.1 THE CUSTOMER SHALL INDEMNIFY, KEEP INDEMNIFIED AND HOLD HARMLESS UPVIO FROM AND AGAINST ANY LOSSES, CLAIMS, DAMAGES, LIABILITY, COSTS (INCLUDING LEGAL AND OTHER PROFESSIONAL FEES) AND EXPENSES INCURRED BY IT (OR ANY OF ITS AFFILIATES) AS A RESULT OF THE CUSTOMER’S BREACH OF THIS AGREEMENT OR ANY USE OF THE PHI PROVIDED BY THE CUSTOMER.

THIS CLAUSE 8 SHALL SURVIVE TERMINATION OR EXPIRY OF OUR AGREEMENT.

  9. Confidentiality and Security of PHI
  9.1 Upvio shall maintain the confidentiality of all PHI provided to it by the Customer.
  9.2 Upvio shall implement technical and organisational security measures in accordance with its Information Security Addendum and HIPAA Privacy and Security Policy.
  9.3 Upvio undertakes to disclose the PHI only to those of its officers, employees, agents, contractors, and direct and indirect sub-contractors to whom, and to the extent to which, such disclosure is necessary for the purposes contemplated under our Agreement or as otherwise reasonably necessary for the provision or receipt of the services under the Master SaaS Terms.
  10. Audit Inspections and Enforcement
  10.1 Upvio shall, upon two months’ prior written notice, permit the Customer to carry out an inspection of its facilities, books, and records to monitor compliance with this Agreement.
  10.2 The Customer shall only be entitled to carry out the inspection rights contained within clause 10.1 above once in any 12-month period.
  10.3 Upvio shall promptly remedy any violation of any provision of this Agreement and certify the same.
  11. Termination
  11.1 Upvio may terminate our Agreement immediately at any time by giving notice in writing to the Customer if:
  1. the Customer commits a material breach of this Agreement, or the Master SaaS Terms and such breach is not remediable; or
  2. the Customer has failed to pay any amount due under the Master SaaS Terms on the due date and such amount remains unpaid within 14 Business Days after the other party has received notification that the payment is overdue.
  12. Consequences of Termination
  12.1 Immediately on termination of this Agreement (for any reason), the rights granted by Upvio to the Customer shall terminate and the Customer shall (and shall procure that each Authorised User and Authorised Affiliate shall):
  1. stop using the services and stop sharing PHI with Upvio.
  12.2 Upvio shall destroy and delete or, if requested by the Customer or if required under HIPAA or applicable federal or state laws or regulations, return PHI to the Customer.
  13. Entire Agreement
  13.1 This Agreement, the Master SaaS Terms and any document referred to within it constitute the entire agreement between the parties and supersede all previous agreements, understandings, and arrangements between them in respect of its subject matter, whether in writing or oral.
  13.2 Each party acknowledges that it has not entered into this Agreement in reliance on, and shall have no remedies in respect of, any representation or warranty that is not expressly set out in our Agreement.
  13.3 Nothing in this Agreement shall limit or exclude any liability for fraud.
  14. Variation
  14.1 The Parties acknowledge that federal and state laws relating to electronic data security and privacy are rapidly evolving and that amendment of this Agreement may be required to provide for procedures to ensure compliance with such developments. The parties specifically agree to take such action as necessary to implement the standards and requirements of HIPAA, the HIPAA regulations and other applicable laws relating to the security or privacy of PHI.
  14.2 No variation of this Agreement shall be effective unless it is made in writing, and is duly signed or executed by, or on behalf of, each party.
  15. Severance
  15.1 If any provision of this Agreement (or part of any provision) is or becomes illegal, invalid, or unenforceable, the legality, validity, and enforceability of any other provision of our Agreement shall not be affected.
  15.2 If any provision of this Agreement (or part of any provision) is or becomes illegal, invalid or unenforceable but would be legal, valid and enforceable if some part of it was deleted or modified, the provision or part-provision in question shall apply with such deletions or modifications as may be necessary to make the provision legal, valid and enforceable. In the event of such deletion or modification, the parties shall negotiate in good faith in order to agree the terms of a mutually acceptable alternative provision.
  16. Waiver
  16.1 No failure, delay, or omission by either party in exercising any right, power or remedy provided by law or under our Agreement shall operate as a waiver of that right, power or remedy, nor shall it preclude or restrict any future exercise of that or any other right, power, or remedy.
  16.2 No single or partial exercise of any right, power or remedy provided by law or under our Agreement shall prevent any future exercise of it or the exercise of any other right, power, or remedy.
  16.3 A waiver of any term, provision, condition, or breach of our Agreement shall only be effective if given in writing and signed by the waiving party, and then only in the instance and for the purpose for which it is given.
  17. Authority
  17.1 Each party represents and warrants to the other that it has the right, power, and authority to enter into our Agreement and grant to the other the rights (if any) contemplated in our Agreement and to perform its obligations under our Agreement.
  18. Governing Law
  18.1 Our Agreement and any dispute or claim arising out of, or in connection with, it, its subject matter or formation (including non-contractual disputes or claims) shall be governed by, and construed in accordance with, the laws of Australia.
  19. Jurisdiction
  19.1 The parties irrevocably agree that the courts of Australia shall have exclusive jurisdiction to settle any dispute or claim arising out of, or in connection with, our Agreement, its subject matter or formation (including non-contractual disputes or claims).

Agreed by the Parties on the date set out at the head of this Agreement.

Signed for and on behalf of Upvio Healthtech Pty Limited

Name:

Signature:

Title:

Date:

Signed for and on behalf of the [ Customer Name ]

Name:

Signature:

Title:

Date: