Observe.aI Business Associate Agreement
This Business Associate Agreement (the "Agreement") is between Observe.AI, Inc., a Delaware corporation with offices at 275 Shoreline Drive, Suite 450, Redwood City, CA 94065 (“Observe.AI” or “Business Associate”), and the customer that is a Covered Entity and has entered into the Underlying Agreement with Observe.AI (“Customer” or “Covered Entity”). This Agreement is effective as of the date Covered Entity first submits PHI to the Services under an applicable Order Form, and remains in effect for so long as Observe.AI creates, receives, maintains, or transmits PHI on behalf of Covered Entity under such Order Form. The parties agree as follows:
1. Definitions
1.1 Catch-all definition:
The following terms used in this Agreement shall have the same meaning as those terms in the HIPAA Rules: Breach, Data Aggregation, Designated Record Set, Disclosure, Health Care Operations, Individual, Minimum Necessary, Notice of Privacy Practices, Personal Health Information (“PHI”), Required by Law, Secretary, Subcontractor, Unsecured PHI, and Use.
1.2 Specific definitions: In addition to capitalized terms defined elsewhere in this Agreement, the following terms shall have the meanings set forth below:
1.2.1 "Business Associate" means “business associate” as defined at 45 CFR 160.103.
1.2.2 “Covered Entity” means “covered entity” as defined at 45 CFR 160.103.
1.2.3 “HIPAA Rules” means the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Part 160 and Part 164.
1.2.4 “Underlying Agreement” means the Subscription Services Agreement or Order Form for Business
Associate’s Services that incorporates this Agreement by reference between Business Associate and Covered Entity which establishes the relationship between Business Associate and Covered Entity and under which Business Associate is providing services to Covered Entity.
2. Obligations & Activities of Business Associate
2.1 Limitations on Use and Disclosure of PHI. Business Associate will not use or disclose PHI other than as permitted or required by this Agreement, the Underlying Agreement, or as required by law.
2.2 Safeguards. Business Associate will use appropriate safeguards to prevent the use or disclosure of PHI other than as provided for by this Agreement. Business Associate will comply with Subpart C of 45 CFR Part 164 with respect to electronic PHI.
2.3 Use of Subcontractors. In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), Business Associate will ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of Business Associate agree to substantially similar restrictions, conditions, and requirements that apply to the Business Associate with respect to such PHI.
2.4 Amendments to PHI. Business Associate will make any amendment(s) to PHI in a Designated Record Set as directed or agreed to by Covered Entity under 45 CFR 164.526, or take other measures as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.526
2.5 Designated Record Set. Business Associate will make PHI available to Covered Entity in a Designated Record Set as necessary to allow Covered Entity to satisfy its obligations under 45 CFR 164.524.
2.6 Subpart E. If Business Associate carries out one or more of Covered Entity's obligation(s) under Subpart E of 45 CFR Part 164, then Business Associate will comply with the requirements of Subpart E that apply to Covered Entity in the performance of that obligation.
2.7 Records. Business Associate will maintain and make available the information required to provide an accounting of disclosures to Covered Entity as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.528. Business Associate will also make its internal practices, books, and records available to the Secretary for purposes of determining compliance with the HIPAA Rules.
2.8 Incident Management and Notification. Business Associate will notify Covered Entity without undue delay after becoming aware of any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to PHI transmitted, stored, or otherwise processed by Business Associate or its Subcontractors (a “PHI Incident”). Business Associate’s notice will include, to the extent available, the information Business Associate is required to provide under the HIPAA Rules, and Business Associate may provide additional information in phases without undue delay as it becomes available. If a PHI Incident constitutes a Breach of Unsecured PHI, Business Associate will provide notice without unreasonable delay and in no event later than the maximum period permitted under the HIPAA Rules.
3. Permitted Uses and Disclosures by Business Associate
3.1 Permitted Use and Disclosure. Business Associate will use or disclose PHI only as (i) necessary to perform the services set forth in the Underlying Agreement, or (ii) required by law.
3.2 Subpart E. Business Associate may not use or disclose PHI in a manner that would violate Subpart E of 45 CFR Part 164 if done by Covered Entity.
3.3 Data Aggregation. Business Associate may provide data aggregation services relating to the health care operations of Covered Entity.
4. Provisions for Covered Entity to Inform Business Associate of Privacy Practices and Restrictions
4.1 Covered Entity’s Privacy Practices. Covered Entity will notify Business Associate of any limitations in the notice of privacy practices of Covered Entity under 45 CFR 164.520, to the extent that such limitation may affect Business Associate’s use or disclosure of PHI.
4.2 Changes in Individual Consent. Covered Entity will notify Business Associate of any changes in the permission by an individual to use or disclose his or her PHI, to the extent that such changes may affect Business Associate’s use or disclosure of PHI.
4.3 Privacy Protection for PHI. Covered Entity will notify Business Associate of any restriction on the use or disclosure of PHI that Covered Entity has agreed to or is required to abide by under 45 CFR 164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of PHI.
4.4 Customer Responsibilities. Customer is responsible for determining whether the PHI may be submitted to the Services, providing required notices and consents, configuring and using the Services in accordance with the HIPAA Rules, and limiting PHI submitted to the Services to the minimum necessary for the applicable purpose.
5. Term and Termination
5.1 Term. The Term of this Agreement shall begin on the Effective Date and remain in effect until Observe.AI no longer creates, receives, maintains, or transmits PHI on behalf of Covered Entity, subject to survival obligations.
5.2 Termination for Cause. Either party may terminate this Agreement immediately upon notice to the other party if the other party materially breaches this Agreement, and such breach remains uncured more than 30 days after receipt of written notice of such breach.
5.3 Obligations of Business Associate upon Termination. Upon termination of this Agreement for any reason, Business Associate, with respect to PHI received from Covered Entity, or created, maintained, or received by Business Associate on behalf of Covered Entity, shall:
5.3.1 Retain only that PHI which is necessary for Business Associate to continue its proper management and administration or to carry out its legal responsibilities;
5.3.2 Return to Covered Entity or destroy the remaining PHI that the Business Associate still maintains in any form;
5.3.3 Continue to use appropriate safeguards and comply with Subpart C of 45 CFR Part 164 with respect to electronic PHI to prevent the use or disclosure of the PHI, other than as provided for in this Section, for as long as Business Associate retains the PHI;
5.3.4 Not use or disclose the PHI retained by Business Associate other than for the purposes for which such PHI was retained and subject to the same conditions set out which applied before termination; and
5.3.5 Return to Covered Entity or destroy the PHI retained by Business Associate when it is no longer needed by Business Associate for its proper management and administration or to carry out its legal responsibilities.
5.4 Survival. The obligations of Business Associate under this Section shall survive the termination of this Agreement.
6. Miscellaneous
6.1 Regulatory References. A reference in this Agreement to a section in the HIPAA Rules means the section as in effect or as amended.
6.2 Conflict. This Agreement supplements the Underlying Agreement and applies only to PHI. If this Agreement conflicts with the Underlying Agreement with respect to PHI, this Agreement controls to the extent necessary to satisfy the HIPAA Rules. Except as expressly stated in this Agreement, the parties’ rights and obligations under the Underlying Agreement remain unchanged.
6.3 Amendments. Observe.AI may modify this Agreement from time to time by posting an updated version on its website or otherwise making the updated version available to Covered Entity. The modified Agreement will become effective on the date it is posted or otherwise made available, unless a later effective date is stated in the modified Agreement. Covered Entity’s continued submission of PHI to the Services after the modified Agreement becomes effective constitutes acceptance of the modified Agreement.
Ready to Transform
See how Observe.AI works with your operation
