SUBCONTRACTOR BUSINESS ASSOCIATE AGREEMENT (PROVIDER)
This Subcontractor Business Associate Agreement (“BAA”) is entered into by you, the provider (“Subcontractor”) and monday.com Ltd. (“Business Associate”) and forms part of the applicable agreement established between Subcontractor and Business Associate (the “Services Agreement”). Subcontractor acknowledges that it has read and understood and agrees to comply with this BAA, and by engaging with Business Associate in the framework of the Services Agreement, Subcontractor accepts this BAA and represents and warrants that it has full authority to bind the Subcontractor to this BAA. Both parties shall be referred to as the “Parties” and each, a “Party”. In the event of any conflict between certain provisions of this BAA and the provisions of the Agreement, the provisions of this BAA shall prevail over the conflicting provisions of the Agreement solely with respect to PHI (as defined below).
Subcontractor has been engaged under the Agreement by Business Associate to assist in the completion of Business Associate’s duties and responsibilities under Business Associate’s arrangement to provide services on behalf of one or more organizations meeting the definition of Covered Entity under 45 CFR §160.103 (each such entity with whom Business Associate maintains an arrangement shall be a “Covered Entity” for purposes of this BAA). In the course of the Agreement, Business Associate may need to disclose to Subcontractor, and Subcontractor may need to collect and transmit to Business Associate, certain Protected Health Information (as defined below) (“PHI”) that is subject to protection under the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191 (“HIPAA”), the Health Information Technology for Economic and Clinical Health Act, Public Law 111-005 (“HITECH Act”), and regulations promulgated thereunder by the U.S. Department of Health and Human Services to implement certain privacy and security provisions of HIPAA (the “HIPAA Regulations”), codified at 45 C.F.R. Parts 160 and 164. The Parties agree to comply, pursuant to the HIPAA Regulations, with the following mandatory provisions with respect to any PHI that may be exposed to Subcontractor as a result of the services under the Agreement.
1. Definitions. Capitalized terms not defined herein shall have the meanings assigned to such terms in the Agreement or as defined under the Health Insurance Portability and Accountability Act of 1996, as amended, and its implementing regulations, as may be updated from time to time (collectively, “HIPAA”).
(a) “Breach” shall have the meaning given to such term in 45 C.F.R. § 164.402, and shall include the unauthorized acquisition, access, use, or disclosure of PHI which compromises the security or privacy of such information.
(b) “Data Aggregation” shall have the meaning given to such phrase under the Privacy Rule, including, but not limited to, 45 C.F.R. § 164.501.
(c) “Designated Record Set” means a group of records maintained by or for a Covered Entity that may include (i) medical records and billing records about Individuals maintained by or for a covered health care provider, (ii) the enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan, or (iii) records used, in whole or in part, by or for Business Associate to make decisions about Individuals.
(d) “Electronic Health Record” shall have the meaning given to such phrase in the HITECH Act, including, but not limited to, 42 U.S.C. § 17921(5).
(e) “Electronic Protected Health Information” (“ePHI”) means individually identifiable health information that is transmitted by, or maintained in, electronic media.
(f) “Health Care Operations” shall have the meaning given to such phrase under the Privacy Rule, including, but not limited to, 45 C.F.R. § 164.501.
(g) “Individual” has the same meaning as the term “individual” in 45 C.F.R. § 160.103 and shall include a person who qualifies as a personal representative in accordance with 45 C.F.R. § 164.502(g).
(h) “Privacy Rule” shall mean the Standards for Privacy of Individually Identifiable Health Information codified at 45 C.F.R. Part 160 and Part 164, Subparts A and E, as amended by the HITECH Act and as may otherwise be amended from time to time.
(i) “Protected Health Information” (“PHI”) means any information, whether oral or recorded in any form or medium: (i) that relates to the past, present or future physical or mental condition of an Individual; the provision of health care to an Individual; or the past, present or future payment for the provision of health care to an Individual; and (ii) that identifies the Individual or with respect to which there is a reasonable basis to believe the information can be used to identify that Individual; and (iii) shall include the definition as set forth in the Privacy Rule including, but not limited to, 45 C.F.R. § 160.103. PHI excludes individually identifiable health information regarding a person who has been deceased for more than fifty (50) years. For purposes of this BAA, PHI shall include ePHI.
(j) “Required By Law” shall have the same meaning as the phrase “Required by Law” in 45 C.F.R. § 164.103.
(k) “Secretary” means the Secretary of the U.S. Department of Health and Human Services or his/her designee.
(l) “Security Incident” means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.
(m) “Security Rule” shall mean the HIPAA Regulations that are codified at 45 C.F.R. Part 160 and Part 164, Subparts A and C, as amended by the HITECH Act and as may otherwise be amended from time to time.
(n) “Unsecured PHI” shall mean PHI that is not secured through the use of a technology or methodology specified by the Secretary in guidance or as otherwise defined in 45 C.F.R. § 164.402.
2. Scope of Agreement. This BAA applies to the PHI of Covered Entities to which Subcontractor may be exposed as a result of the services that Subcontractor will provide to Business Associate pursuant to the Services Agreement. Subcontractor shall abide by HIPAA, the HIPAA Regulations, and the HITECH Act with respect to PHI of Covered Entities, as outlined below.
3. Obligations and Activities of Subcontractor.
(a) Permitted Uses. Except as otherwise limited in this BAA, Subcontractor may use PHI (i) for the proper management and administration of Subcontractor or (ii) to carry out the legal responsibilities of Subcontractor. Subcontractor shall not use PHI in any manner that would constitute a violation of the HIPAA Regulations if so used by Business Associate. Subcontractor agrees to limit its use of PHI to the minimum amount necessary to accomplish the intended purpose of the use.
(b) Permitted Disclosures. Subcontractor may disclose PHI (i) for the proper management and administration of Subcontractor, (ii) to carry out the legal responsibilities of Subcontractor, or (iii) as Required by Law. Subcontractor shall not disclose PHI in any manner that would constitute a violation of the HIPAA Regulations if so disclosed by Business Associate or a Covered Entity. In addition, if Subcontractor discloses PHI to a third party, Subcontractor must obtain, prior to making any such disclosure, (i) satisfactory written assurances from such third party that the PHI will be held as confidential as provided pursuant to this BAA and only disclosed as Required by Law or for the purposes for which it was disclosed to such third party, and (ii) a written agreement from such third party to immediately notify Subcontractor of any Breaches of confidentiality of the PHI or Security Incident.
(c) Prohibited Uses and Disclosures. Subcontractor shall not use or disclose PHI for fundraising or marketing purposes. In accordance with 45 C.F.R. § 164.522(a)(1)(B)(6), Subcontractor shall not disclose PHI to a health plan for payment or Health Care Operations purposes if a patient has requested this special restriction, and has paid out of pocket in full for the health care item or service to which the PHI solely relates. Subcontractor shall not sell PHI as provided in 45 C.F.R. § 164.502.
(d) Other Subcontractors. As part of its providing functions, activities, and/or services to Business Associate, Subcontractor may disclose information, including PHI, to other Subcontractors of Business Associate, and Subcontractor may use and disclose information, including PHI, received from other Subcontractors or Business Associates of an applicable Covered Entity as if this information was received from, or originated with, such Covered Entity(ies).
(e) Safeguards. Subcontractor agrees to use industry standard safeguards to prevent use or disclosure of PHI other than as provided for by this BAA and to implement administrative, physical, and technical safeguards in accordance with the Security Rule that reasonably and appropriately protect the confidentiality, integrity, and availability of the ePHI that it creates, receives, maintains, or transmits on behalf of Business Associate or an applicable Covered Entity.
(f) Reporting of Unauthorized Uses or Disclosures and Security Incidents. Subcontractor agrees to report to Business Associate in writing, within two (2) days of Discovery, any access, use, or disclosure of PHI not provided for or permitted by this BAA and any successful Security Incidents of which Subcontractor (or Subcontractor’s employee, officer or agent) becomes aware.
(g) Reporting of Breach of Unsecured PHI. Subcontractor agrees to report to Business Associate in writing any Breach of Unsecured PHI of which Subcontractor (or Subcontractor’s employee, officer or agent) becomes aware as soon as possible and in no case later than two (2) days following discovery of such Breach. Subcontractor will provide to Business Associate the information specified under 45 C.F.R. 164.410 and shall cooperate with Business Associate in the investigation and remediation of the Breach, in Business Associate’s sole discretion and direction.
(h) Agents and Subcontractors. Subcontractor agrees to ensure that any agent, including a subcontractor, to whom Subcontractor provides PHI, agrees in writing to the same restrictions and conditions that apply through this BAA to Subcontractor with respect to such PHI, and to implement the safeguards required by Section 3(e) above with respect to ePHI. If Subcontractor knows of a pattern of activity or practice of an agent that constitutes a violation of this BAA, Subcontractor shall take reasonable steps to end the violation, and if such steps are unsuccessful, Subcontractor must terminate the arrangement.
(i) Mitigation of Unauthorized Uses or Disclosures. Subcontractor agrees to mitigate, to the extent practicable, any harmful effect that is known to Subcontractor of a use or disclosure of PHI by Subcontractor or one of its agents or subcontractors in violation of the requirements of this BAA.
(j) Authorized Access to PHI.
(1) Individual Requests for Access. Subcontractor shall cooperate with Business Associate and applicable Covered Entities to fulfill all requests by Individuals for access to the Individual’s PHI. Subcontractor shall cooperate with Business Associate in all respects necessary for Business Associate and applicable Covered Entities to comply with 45 C.F.R. § 164.524. Subcontractor agrees to forward any copies requested by Business Associate within ten (10) days of such request.
(2) Scope of Disclosure. Business Associate or Covered Entity shall be responsible for determining the scope of PHI and/or Designated Record Set with respect to each request by an Individual for access to PHI.
(3) Designated Record Set. To the extent that Subcontractor maintains PHI in a Designated Record Set and at the request of Business Associate, Subcontractor agrees to provide access to PHI in a Designated Record Set to Business Associate in a time and manner designated by Business Associate or, as directed by Business Associate, to an Individual in order to meet the requirements under 45 C.F.R. § 164.524. If Subcontractor maintains PHI in a Designated Record Set, and maintains an Electronic Health Record, then Subcontractor shall provide such Designated Record Set in electronic format.
(4) Patient Right to Amend PHI. A patient has the right to have a Covered Entity amend his/her PHI, or a record in a Designated Record Set, for as long as the PHI is maintained in the Designated Record Set, in accordance with 42 C.F.R. § 164.526. To the extent that Subcontractor maintains PHI in a Designated Record Set, Subcontractor agrees to make any amendment(s) to PHI in a Designated Record Set at the request of Business Associate in accordance with 45 C.F.R. § 164.526. Within ten (10) days following Subcontractor’s amendment of PHI as directed by Business Associate, Subcontractor shall provide written notice to Business Associate confirming that Subcontractor has made the amendments or addenda to PHI as directed by Business Associate and containing any other information as may be necessary for Business Associate to provide adequate notice to the Individual in accordance with 45 C.F.R. § 164.526.
(k) Accounting for Disclosures. Subcontractor agrees to document such disclosures of PHI as would be required for Business Associate or Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528. Subcontractor agrees to maintain and provide to Business Associate, Covered Entity, or an Individual, in the time and manner designated by Business Associate, such information collected in order to permit Business Associate to respond to a request by a Covered Entity or an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528, as amended by Section 13405(c) of the HITECH Act and any related regulations or guidance issued by DHHS in accordance with such provision. Upon receipt of a request for an accounting of disclosures, Subcontractor shall forward the request to Business Associate within ten (10) days of receipt.
(l) Secretary’s Right to Audit. Subcontractor agrees to keep records and make its internal practices, books, and records relating to the use and disclosure of PHI received from Business Associate or a Covered Entity, or created or received by Subcontractor on behalf of Business Associate or an applicable Covered Entity, available to the Secretary for purposes of the Secretary determining an applicable Covered Entity’s, Business Associate’s and/or Subcontractor’s compliance with HIPAA, the HIPAA Regulations and the HITECH Act. Subcontractor agrees to cooperate with the Secretary if the Secretary undertakes an investigation or compliance review of Business Associate or an applicable Covered Entity. Subcontractor shall permit the Secretary access to its facilities, books, records, accounts, and other sources of information, including PHI, during normal business hours. No attorney-client, or other legal privilege will be deemed to have been waived by Subcontractor by virtue of this provision of the BAA. Subcontractor shall provide to Business Associate a copy of any PHI that Subcontractor provides to the Secretary concurrently with providing such PHI to the Secretary.
4. Obligations of Business Associate.
(a) Notice of Privacy Practices. Upon written request by Subcontractor, Business Associate shall provide Subcontractor with each applicable Covered Entity’s then current Notice of Privacy Practices.
(b) Revocation of Permitted Use or Disclosure of PHI. Business Associate shall notify Subcontractor of any changes in, or revocation of, permission by a patient to use or disclose PHI of an applicable Covered Entity, to the extent that such changes may affect Subcontractor’s use or disclosure of PHI.
(c) Restrictions on Use or Disclosure of PHI. Business Associate shall notify Subcontractor of any restriction to the use or disclosure of PHI that an applicable Covered Entity has agreed to in accordance with 45 C.F.R. § 164.522, to the extent that such restriction may affect Subcontractor’s use or disclosure of PHI.
(d) Requested Uses or Disclosures of PHI. Neither Business Associate nor an applicable Covered Entity shall request Subcontractor to use or disclose PHI in any manner that would not be permissible under the HIPAA Regulations if done by Business Associate or such Covered Entity.
5. Term and Termination.
(a) Term. The term of this BAA shall be coterminous with the Services Agreement. However, Subcontractor shall have a continuing obligation to safeguard the confidentiality of PHI received from Business Associate or an applicable Covered Entity after the termination of the Services Agreement.
(b) Termination for Cause. A breach of any provision of this BAA by Subcontractor shall constitute a material breach of this BAA and shall provide grounds for immediate termination of this BAA and/or the Services Agreement in the sole discretion of Business Associate, any provision in this BAA or the Services Agreement to the contrary notwithstanding.
(c) Effect of Termination.
(1) Except as provided in paragraph (2) of this section, upon termination of this BAA for any reason, Subcontractor shall return or destroy all PHI received from Business Associate or an applicable Covered Entity, or created or received by Subcontractor on behalf of Business Associate or an applicable Covered Entity. Subcontractor shall certify in writing to Business Associate that such PHI has been destroyed.
(2) In the event that Business Associate and Subcontractor determine that returning or destroying the PHI is not feasible, Subcontractor shall provide to Business Associate written notification of the conditions that make return or destruction unfeasible. Upon mutual agreement by the Parties that destroying is unfeasible, Subcontractor shall extend the protections of this BAA to such PHI and limit further uses and disclosures to those purposes that make the return or destruction of the PHI unfeasible, for so long as Subcontractor maintains such PHI. The Parties understand this Section 5(c)(2) shall survive any termination of this BAA.
6. Certification. To the extent that Business Associate determines that such examination is necessary to comply with Business Associate’s legal obligation pursuant to HIPAA, the HIPAA Regulations, and the HITECH Act, Business Associate or its authorized agents or contractors may, at Business Associate’s expense, examine Subcontractor’s facilities, systems, procedures and records as may be necessary for such agents or contractors to certify to Business Associate the extent to which Subcontractor’s security safeguards comply with HIPAA, the HIPAA Regulations, the HITECH Act, and this BAA.
7. Compliance With State Law. Subcontractor acknowledges that Subcontractor and Business Associate may have confidentiality and privacy obligations under state law. If any provisions of this BAA or HIPAA, the HIPAA Regulations, or the HITECH Act conflict with applicable state law regarding the degree of protection provided for PHI and personal information, then Subcontractor shall comply with the more restrictive requirements.
8. Limitation of Liability, Indemnification and Insurance.
(a) Limitation of Liability. To the extent that Subcontractor has limited its liability under the terms of the Services Agreement, whether with a maximum recovery for direct damages or a disclaimer against any consequential, indirect or punitive damages, or other such limitations, all limitations shall exclude all damages to Business Associate arising out of the acts or omissions of Subcontractor arising under or relating to: (i) any inappropriate release or misuse of PHI by Subcontractor, its employees, agents or subcontractors; (ii) any breach of the confidentiality provisions contained in this BAA or the Services Agreement by Subcontractor, its employees, agents or subcontractors; or (iii) any violation by Subcontractor, its employees, agents or subcontractors of any state or federal law or regulation governing the protection of PHI or personal information.
(b) Indemnification. Notwithstanding any limitation of liability provisions contained in the Services Agreement and, in addition to any other indemnification provisions contained in the Services Agreement, Subcontractor agrees to indemnify, defend, and hold harmless Business Associate (and its parents, officers, directors, members, stockholders, subsidiaries, affiliates and agents) from and against any liability, claim, action, loss, cost, damage or expense incurred or suffered by Business Associate, directly or indirectly, arising out of the acts and omissions of Subcontractor arising under or relating to: (i) any inappropriate release or misuse of PHI by Subcontractor, its employees, agents or subcontractors, including any Security Incident and/or Breach of Unsecured PHI; (ii) any breach of the confidentiality provisions contained in the Agreement or the Services Agreement by Subcontractor, its employees, agents or subcontractors; or (iii) any violation by Subcontractor, its employees, agents or subcontractors of any state or federal law or regulation governing the protection of protected health information or personal information.
(c) Insurance. Subcontractor shall take out and maintain adequate insurance to protect against any liabilities under law and/or under this BAA and shall at a minimum maintain in full force and effect, through the term of this Agreement, the following insurance coverages with a reputable insurer: Professional Liability Insurance or Errors and Omissions insurance, including Media liability and Network Security/Privacy (cyber) liability insurance, with limits of not less than ten million dollars ($10,000,000) per occurrence/claim, covering: (i) negligent act, error, or omission, or negligent misrepresentation, that results in breach of contract in rendering or failing to render professional or technology-based services; (ii) unauthorized acquisition or disclosure of personal information or other private or confidential information by Subcontractor or any third party; (iii) privacy notification costs, credit monitoring, cyber extortion and forensics investigations; (iv) third party liability settlements or judgements as may be caused by any act, omission, or negligence of the Subcontractor’s employees, officers, agents, representatives, assigns or subcontractors. Such coverage shall be maintained by Subcontractor for a period of at least three (3) years after termination of this BAA. Subcontractor shall maintain certificates (and any other appropriate documentation) evidencing such policies and naming Business Associate, its officers, managers, and employees as additional insureds thereunder; such certificates shall be furnished to Business Associate and shall provide that such policies may not be changed or canceled without thirty (30) days’ prior written notice to Business Associate. Subcontractor hereby waives, and shall cause Subcontractor’s insurers to waive, their rights of subrogation against Business Associate and its affiliates, directors, officers, and employees under such policies.
The foregoing insurance coverages shall be primary to and non-contributory with respect to any other insurance or self-insurance that may be maintained by customer and each of its affiliates, directors, officers, and employees and shall contain a cross-liability or severability-of-interest clause where applicable. Subcontractor shall provide insurance coverage by insurance companies having policyholder ratings no lower than “A-” and financial ratings not lower than “XII” in the Best’s Insurance Guide, latest edition in effect as of the date of this Agreement. Such insurance shall be written with insurers of good standing and licensed to do business in the locations where the services are to be performed. The fact that Subcontractor has obtained the insurance required in this Section shall in no manner lessen nor affect Subcontractor’s other obligations or liabilities set forth in this BAA. Any self-insurance, self-retained layer, deductibles, and exclusions in coverage in the policies required under this Section shall be assumed by, for the account of, and at the sole risk of, Subcontractor. In no event shall Subcontractor’s liability be limited to the extent of the minimum limits of insurance required above. Subcontractor shall verify that all of Subcontractor’s agents and subcontractors are insured against claims arising out of or relating to their performance related to this Agreement.
9. Miscellaneous.
(a) Amendment. Subcontractor and Business Associate agree to take such action as is necessary to amend this BAA from time to time to enable the Parties to comply with the requirements of HIPAA, the HIPAA Regulations and the HITECH Act. Business Associate may amend this BAA for minor edits (e.g., typos, grammatical edits and/or non-material edits) with or without notice to Subcontractor. The Parties shall mutually agree to any material edits to this BAA. In the event either of the Parties, acting reasonably, is unable to agree to new or modified terms as required to bring the BAA into compliance, either Party may terminate this BAA on thirty (30) days’ written notice to the other Party, or earlier if necessary to prevent non-compliance with a HIPAA requirement.
(b) Interpretation. The provisions of this BAA shall be interpreted as broadly as necessary to implement and comply with HIPAA, the HIPAA Regulations, the HITECH Act, the Privacy Rule and the Security Rule. The Parties agree that any ambiguity in this BAA shall be resolved in favor of a meaning that complies and is consistent with HIPAA, the HIPAA Regulations, the HITECH Act, the Privacy Rule and the Security Rule.
(c) Entire Agreement. This BAA supersedes all prior agreements, contracts and understandings, whether written or otherwise, between the Parties relating to the subject matter hereof.
(d) No Third Party Beneficiaries. Nothing express or implied in this BAA is intended to confer, nor shall anything herein confer, upon any person other than Subcontractor and Business Associate, and their respective successors or assigns, any rights, remedies, obligations, or liabilities whatsoever.
(e) Notices. All notices required to be given to either Party under this BAA will be in writing and sent by traceable carrier, which includes via email, in accordance with the terms of the Agreement. Notices will be effective upon receipt.
(f) Regulatory References. A reference in this BAA to a section in the HIPAA Regulations or the HITECH Act means the section as in effect or as amended, and for which compliance is required.
(g) Governing Law; Venue. This BAA shall be governed by and construed in all respects under the laws of the jurisdiction identified in the Services Agreement and all actions commenced to enforce or interpret this BAA shall be brought in the federal and state courts located in the jurisdiction stated in the Services Agreement. If no jurisdiction is identified in the Services Agreement, then this BAA shall be governed by, and jurisdiction for all actions shall be had exclusively in courts located in, New York City in the State of New York.