Subcontractor BAA
SUBCONTRACTOR BUSINESS ASSOCIATE AGREEMENT
THIS BUSINESS ASSOCIATE AGREEMENT (“BAA”) is entered into between dbt Labs, Inc. (“Client”) and the entity (“Business Associate”) that entered into an underlying master agreement with Client that references this BAA, including any active statements of work, in each case as updated from time to time (“Agreement”). This BAA supplements the Agreement and is effective as of the same date as the Agreement. Business Associate and Client may be individually referred to as a “party” and, collectively, the “parties” in this BAA. Client may be the business associate or subcontractor of one or more Covered Entities or have a relationship to one or more entities in such relationships to one or more Covered Entities (“End-Clients”). To the extent Business Associate performs certain functions or activities that involve the use or disclosure of any individual’s or Covered Entity’s PHI through its services as a business associate or subcontractor of Client (“Use”), this BAA applies to such Use provided applicable law as referenced herein requires the parties to enter into such a BAA.
(A) Business Associate is providing services to Client under an underlying agreement (“Agreement”), and Client or End-Clients may wish to disclose certain information to Business Associate pursuant to the terms of such Agreement, some of which may constitute Protected Health Information (PHI) under the Health Insurance Portability and Accountability Act of 1996, as amended (“HIPAA”), and the Privacy Rule, Security Rule, Enforcement Rule and Breach Notification Rule set forth at 45 C.F.R. Parts 160 and 164 and the Health Information Technology for Economic and Clinical Health Act § 13400 (“HITECH”) and any related implementing regulations and guidance (jointly, the “HIPAA Rules”) promulgated thereunder.
(B) Business Associate may create, maintain, access, use, disclose, transmit or receive PHI on behalf of Client only as set forth in this BAA and to the extent allowed under the HIPAA Rules.
(C) Client, End-Clients, and Business Associate intend to protect the privacy and provide for the security of PHI in compliance with HIPAA and the HIPAA Rules.
(D) The purpose of this BAA is to satisfy certain standards and requirements of HIPAA and the HIPAA Rules, including, but not limited to, Title 45, §§ 164.314(a)(2)(i), 164.502(e) and 164.504(e) of the Code of Federal Regulations (C.F.R.).
Accordingly, the parties hereto agree as follows:
1. DEFINITIONS
“Capitalized Terms”. Capitalized terms used in this BAA and not otherwise defined herein have the meanings set forth in the HIPAA Rules, which definitions are incorporated in this BAA by reference.
“Protected Health Information” or “PHI” has the same meaning given to such term in 45 C.F.R. § 160.103, as applied to the protected health information created, received, maintained or transmitted by Business Associate from or on behalf of Client.
“Unsuccessful Security Incident” means pings and other broadcast attacks on a firewall, port scans, unsuccessful log-on attempts, denials of service, or other similar attempted but unsuccessful Security Incident, or a combination thereof, so long as no such incident results in unauthorized access, use or disclosure of PHI.
2. PERMITTED USES AND DISCLOSURES OF PHI
i. Uses and Disclosures of PHI Pursuant to the Agreement. Business Associate shall not use or disclose PHI other than as permitted or required to perform functions, activities, or services for, or on behalf of, Client and/or End-Clients as specified in the Agreement or as Required by Law, provided that such use or disclosure would not violate the Privacy Rule if done by Client and/or End-Clients, except as set forth in Sections 2(ii) and 2(iii) of this BAA. To the extent Business Associate is carrying out any of Client’s and/or End-Clients’ obligations under the Privacy Rule pursuant to the terms of the Agreement or this BAA, Business Associate shall comply with the requirements of the Privacy Rule that apply to Client and/or End-Clients in the performance of such obligation(s). To the extent Client is subject to policies related to PHI of End-Clients not parties hereto, Business Associate will use commercially reasonable efforts to comply with any End-Client’s policies provided those policies and procedures do not conflict with law or with Business Associate’s policies.
ii. Permitted Uses of PHI by Business Associate. Except as otherwise limited in this BAA, Business Associate may use PHI for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate.
iii. Permitted Disclosures of PHI by Business Associate. Except as otherwise limited in this BAA, Business Associate may disclose PHI for the proper management and administration of Business Associate, provided that the disclosures are Required by Law, or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it is to remain confidential and will be used or further disclosed only as Required by Law or for the purpose for which it was disclosed to the person (which purpose must be consistent with the limitations imposed upon Business Associate pursuant to this BAA), and that the person agrees to notify Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.
3. OBLIGATIONS OF BUSINESS ASSOCIATE
i. Appropriate Safeguards. Business Associate shall use appropriate safeguards and shall comply with the Security Rule with respect to Electronic PHI, to prevent use or disclosure of such information other than as provided for by the Agreement and this BAA.
ii. Reporting of Improper Use or Disclosure, Security Incident or Breach. Business Associate shall report to Client any use or disclosure of PHI not permitted under this BAA, Breach of Unsecured PHI or Security Incident, without unreasonable delay, and in any event no more than 3 business days following discovery; provided, however, that the parties acknowledge and agree that this Section constitutes notice by Business Associate to Client of the ongoing existence and occurrence of Unsuccessful Security Incidents.
iii. Business Associate’s Agents. In accordance with 45 C.F.R. § 164.502(e)(1)(ii) and 45 C.F.R. § 164.308(b)(2), as applicable, Business Associate shall enter into a written agreement with any agent or subcontractor that creates, receives, maintains, or transmits PHI on behalf of Business Associate for services provided to Client, providing that the subcontractor or agent agrees to substantially the same restrictions and conditions that apply to Business Associate through this BAA with respect to such PHI. Neither Business Associate nor its agents or subcontractors will sell PHI under any circumstances.
iv. Access to PHI. To the extent Business Associate has PHI on its systems, Business Associate agrees to cooperate with reasonable requests for assistance by Client and to make information available to Client to enable Client to comply with 45 C.F.R. § 164.524.
v. Amendment of PHI. To the extent Business Associate has PHI on its systems, Business Associate agrees to make such information available to Client for amendment pursuant to 45 C.F.R. § 164.526.
vi. Documentation of Disclosures. To the extent Business Associate has PHI on its systems, Business Associate agrees to document such disclosures of PHI and information related to such disclosures as would be required for Client to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528.
vii. Accounting of Disclosures. To the extent Business Associate has PHI on its systems, Business Associate agrees to provide to Client, upon receipt of a written request from Client, information collected in accordance with Section 3(vi) of this BAA to permit Client to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528.
viii. Governmental Access to Records. Business Associate shall make its internal practices, books and records relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of, Client available to the Secretary for purposes of the Secretary determining Client’s compliance with the Privacy Rule.
ix. Mitigation. To the extent practicable, Business Associate will reasonably cooperate with Client’s efforts to mitigate a harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate that is not permitted by this BAA. Such mitigation efforts shall comply with the obligations of 45 C.F.R. § 164.530, the direction of HHS, and the requirements of any other governmental agency with applicable authority.
x. Minimum Necessary. Business Associate shall request, use and disclose the minimum amount of PHI necessary to accomplish the purpose of the request, use or disclosure, in accordance with 45 C.F.R. § 164.514(d), and any amendments thereto.
4. OBLIGATIONS OF CLIENT
i. Notice of Privacy Practices. Client shall notify Business Associate of any limitation(s) in its, or an applicable, Notice of Privacy Practices in accordance with 45 C.F.R. § 164.520, to the extent that such limitation may affect Business Associate’s use or disclosure of PHI.
ii. Notification of Changes Regarding Individual Permission. To the extent Client receives PHI directly from the individual, Client shall obtain any consent or authorization that may be required by the Privacy Rule, or applicable state law, prior to furnishing Business Associate with PHI. If applicable, Client shall notify Business Associate of any changes in, or revocation of, permission by an Individual, or other entities providing such PHI, to use or disclose PHI, to the extent that such changes may affect Business Associate’s use or disclosure of PHI.
5. TERM AND TERMINATION
i. Term. This BAA terminates when all of the PHI provided by Client and/or End-Clients to Business Associate, or created or received by Business Associate on behalf of Client, is destroyed or returned to Client and/or End-Clients. If it is infeasible to return or destroy PHI, Business Associate shall extend protections to such information in accordance with Section 5(iii).
ii. Termination for Cause. Upon either party’s knowledge of a material breach by the other party of this BAA, such party may terminate this BAA immediately if cure is not possible. Otherwise, the non-breaching party shall provide written notice to the breaching party detailing the nature of the breach and providing an opportunity to cure the breach within 30 business days. Upon the expiration of such 30-day cure period, the non-breaching party may terminate this BAA if the breaching party does not cure the breach or if cure is not possible.
iii. Effect of Termination.
(1) Except as provided in Section 5(iii)(2), within two (2) business days of termination of the Agreement or this BAA for any reason, Business Associate shall return or destroy all PHI on its systems received from Client and/or End-Clients, or created or received by Business Associate on behalf of Client and/or End-Clients, and shall retain no copies of the PHI.
(2) If Business Associate determines that it is infeasible to return or destroy the PHI upon termination of the Agreement or this BAA (e.g., retention of PHI is necessary to continue Business Associate’s proper management and administration or to carry out Business Associate’s legal obligations), Business Associate shall give notice to Client and any End-Clients who provided the PHI directly to Business Associate and: (a) extend the protections of this BAA to such PHI and (b) limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such PHI.
6. COOPERATION IN INVESTIGATIONS
The parties acknowledge that certain breaches or violations of this BAA may result in litigation or investigations pursued by federal or state governmental authorities of the United States resulting in civil liability or criminal penalties. Each party shall give notice of any contact or requests by such authorities and cooperate in good faith in all respects with the other party and/or End-Clients in connection with any request by a federal or state governmental authority for additional information and documents or any governmental investigation, complaint, action or other inquiry.
7. SURVIVAL
The respective rights and obligations of Business Associate under Section 5(iii) of this BAA survive the termination of this BAA and the Agreement until resolved.
8. AMENDMENT
This BAA may be modified by Client to address legal or regulatory changes in the HIPAA Rules, but no rights may be waived without a document executed by the authorized representatives of both parties. In addition, if any relevant provision of the HIPAA Rules is amended in a manner that changes the obligations of Business Associate or Client and/or End-Clients that are embodied in the terms of this BAA, then the parties agree to negotiate in good faith appropriate non-financial terms or amendments to this BAA to give effect to such revised obligations.
9. EFFECT OF BAA
In the event of any inconsistency between the provisions of this BAA and the Agreement, the provisions of this BAA control. In the event that a court or regulatory agency with authority over Business Associate, Client, and/or End-Clients interprets the mandatory provisions of the HIPAA Rules, in a way that is inconsistent with the provisions of this BAA, such interpretation controls. Where provisions of this BAA are different from those mandated in the HIPAA Rules, but are nonetheless permitted by such rules as interpreted by courts or agencies, the provisions of this BAA shall control.
10. GENERAL
This BAA is governed by, and will be construed in accordance with, the laws of the State that govern the Agreement. Client shall not assign this BAA without the prior written consent of Business Associate, which shall not be unreasonably withheld. If any part of a provision of this BAA is found illegal or unenforceable, it will be enforced to the maximum extent permissible, and the legality and enforceability of the remainder of that provision and all other provisions of this BAA are not affected. All notices relating to the parties’ legal rights and remedies under this BAA will be provided in writing to a party, will be sent to its address below or as set forth in the Agreement, or to such other address as may be designated by that party by notice to the sending party, and will reference this BAA. Any notice to Client will be effective if copied to legal@dbtlabs.com. If End-Clients provide PHI directly to Business Associate, Business Associate will be responsible for identifying End-Clients’ notice address(es). Nothing in this BAA confers any right, remedy, or obligation upon anyone other than Client and Business Associate. This BAA is the complete and exclusive agreement between the parties with respect to the subject matter hereof, superseding and replacing all prior agreements, communications, and understandings (written and oral) regarding its subject matter.
11. INDEPENDENT CONTRACTOR
Business Associate is, for all purposes, an independent contractor, and Business Associate will not, directly or indirectly, act as agent, servant or employee of Client and/or End-Clients or make any commitments or incur any liabilities on behalf of Client and/or End-Clients without express written consent. Nothing in this BAA creates an employment, principal-agent or partner relationship between the parties. Business Associate retains sole and absolute discretion in the manner and means of carrying out its activities and responsibilities under this BAA.
Last Updated March 27, 2023