HIPAA Business Associate Addendum
April 2022

This HIPAA Business Associate Addendum (“BAA”) is part of our Terms of Use and Sale for Businesses and applies only to the extent that you, acting as a Covered Entity under HIPAA, share Protected Health Information about your consumers with us and to the extent we, as a result, are deemed under HIPAA to be acting as your Business Associate.
1. Definitions
Words or expressions defined in “quotation marks” have the same meanings each time they are used in this BAA. Unless we say otherwise below, any words or expressions that are defined in the Terms of Use and Sale for Businesses (including the Data Processing Agreement) have the same meanings when used in this BAA.
“Business Associate”, “Breach”, “Covered Entity”, “Required by Law”, “Security Incident” and “Subcontractor” have the definitions given under HIPAA.
“Covered Services” means one or more of our review invitation services, as defined in the Terms of Use and Sale for Businesses (when you send (or we send on your behalf) invitations to your consumers asking them to write a review on our platform about your services, locations and/or your products).
“HIPAA” means the Health Insurance Portability and Accountability Act of 1996 and the rules and the regulations made under it, as amended.
“Protected Health Information” or “PHI” has the definition given to it under HIPAA and for purposes of this BAA is limited to PHI which is part of invitation data to which we have access through the Covered Services.
2. Permitted use and disclosure of PHI: Except as otherwise stated in this BAA, we will only use or disclose PHI as necessary to perform the Covered Services, or as Required by Law.
3. Invitation data: If the type of review invitation services we provide to you requires us to receive or process invitation data that is PHI, then we will process that invitation data in accordance with the Data Processing Agreement.
4. Security practices: We will use appropriate safeguards designed to prevent unauthorized use or disclosure of PHI, and as otherwise required under HIPAA, with respect to the Covered Services. The security practices that we apply to PHI will be the same as those that we describe in the Security practices section of our Data Processing Agreement.
On your request, we will provide you with sufficient information to enable you to check that we are complying with these security practices.
5. Reporting: We will without undue delay after becoming aware of the facts, inform you in writing about any finding of a Security Incident (excluding any unsuccessful attempt) regarding PHI, including a Breach of unsecured PHI.
6. Subcontractors: We will take appropriate measures to ensure that any Subcontractors used to perform our obligations under the Terms of Use and Sale for Businesses that require access to PHI are bound by written obligations that provide at least the same material level of protection for PHI as this BAA. We will be liable for any breach of this BAA that is caused by an act, error or omission of one or more of our Subcontractors.
7. Access and amendment: We will provide you with access to PHI via the Covered Services so that you may fulfill your obligations under HIPAA with respect to individuals’ rights of access and amendment, but will have no other obligations to you or any individual with respect to the rights afforded to individuals by HIPAA, including rights of access or amendment of PHI.
8. Accounting of disclosures: We will document our disclosures of PHI and make available the information required to provide an accounting of disclosures, as necessary to satisfy your obligations under HIPAA.
9. Access to records: Unless we are prohibited under applicable laws or regulations, we will make our internal practices, books, and records concerning the use and disclosure of PHI received from you, available to the Secretary of the U.S. Department of Health and Human Services (the “Secretary”) for the purpose of the Secretary determining your compliance with HIPAA.
10. Term and termination: If we materially breach this BAA, you may exercise your termination rights in accordance with the Terms of Use and Sale for Businesses.
Upon termination of the Terms of Use and Sale for Businesses we will return or delete (including anonymise) PHI received from you as part of your use of Covered Services. This won’t apply to the extent that we are required under applicable laws or regulations to retain some or all of the PHI.