BY REGISTERING FOR AN ACCOUNT AND/OR BY USING/ACCESSING THE POWERSHARE SERVICES YOU HEREBY ACCEPT AND AGREE TO THE TERMS AND CONDITIONS OF THIS AGREEMENT. IF YOU ARE ENTERING INTO THIS AGREEMENT ON BEHALF OF A LEGAL ENTITY, YOU REPRESENT THAT YOU HAVE THE AUTHORITY TO BIND SUCH ENTITY TO THE TERMS AND CONDITIONS OF THIS AGREEMENT AND, IN SUCH EVENT, "COVERED ENTITY" AS USED IN THIS AGREEMENT SHALL REFER TO SUCH ENTITY. IF YOU DO NOT HAVE SUCH AUTHORITY, OR IF YOU OR SUCH ENTITY DO NOT AGREE TO THE TERMS AND CONDITIONS OF THIS AGREEMENT, YOU MAY NOT USE THE SERVICES.
If you or the Covered Entity on behalf of which you are entering into this Agreement have entered into a separate written Business Associate Agreement with Nuance Communications, Inc., as Business Associate, such Business Associate Agreement shall govern Business Associate's performance of services on behalf of Covered Entity pursuant to underlying agreements entered into by the parties that require Business Associate to access, create and use health information that is subject to HIPAA.
BUSINESS ASSOCIATE AGREEMENT
WHEREAS, Company ("Covered Entity") and Nuance Communications, Inc., for itself and on behalf of its direct and indirect subsidiaries or predecessors in interest ("Business Associate"), have entered into, or are entering into one or more agreements (each, an "Underlying Agreement"), under which, Business Associate may perform certain services on behalf of or for Covered Entity pursuant to the Underlying Agreement that requires Business Associate to access, create and use health information that is subject to the Health Insurance Portability and Accountability Act of 1996, Subtitle D of the Health Information Technology for Economic and Clinical Health Act, and their implementing regulations, as amended (collectively, "HIPAA");
WHEREAS, this Agreement serves to establish the responsibilities of both Parties regarding Protected Health Information ("PHI"), and to bring the Underlying Agreement into compliance with HIPAA.
NOW, THEREFORE, the Parties hereto agree to incorporate and make a part of and thereby amend each Underlying Agreement under which Business Associate receives PHI from, or creates or receives PHI on behalf of, Covered Entity while performing services for Covered Entity, the following additional terms and conditions, which terms and conditions shall govern the use and/or disclosure of such PHI received or created by Business Associate as a result of services performed. References to "the Underlying Agreement" are understood to mean each Underlying Agreement as applicable.
1. Definitions. Capitalized terms used in this Agreement, but not otherwise defined, shall have the same meanings ascribed to them in HIPAA.
2. Permitted Uses and Disclosures. Business Associate may use and/or disclose PHI to perform the functions, activities, or services for or on behalf of Covered Entity as specified in the Underlying Agreement, this Agreement or as Required by Law, but shall not otherwise use or disclose PHI. Business Associate will not use or disclose PHI in a manner that would violate HIPAA if done by Covered Entity. Except as otherwise limited in this Agreement, Business Associate may:
- a. use PHI for the proper management and administration of Business Associate and to carry out the legal responsibilities of Business Associate.
- b. disclose PHI for the proper management and administration of Business Associate and to carry out the legal responsibilities of Business Associate, provided that the disclosures are Required by Law, or Business Associate obtains reasonable assurances from the person to whom PHI is disclosed that the PHI will remain confidential and used or further disclosed only as Required by Law or for the purpose for which it was disclosed to the person, and the person will notify Business Associate of any instances of which it is aware in which the confidentiality of PHI has been breached.
- c. use PHI to provide Data Aggregation services to Covered Entity as permitted by 45 C.F.R. §164.504(e)(2)(i)(B).
- d. use PHI to create de-identified health information in accordance with 45 C.F.R. §164.514(b) and may use and disclose de-identified health information for any purpose permitted by law.
- e. use PHI to report violations of law to appropriate federal and state authorities, consistent with 45 C.F.R. §164.502(j)(1).
3. Responsibilities of Business Associate. Business Associate agrees:
- a. to use appropriate safeguards and comply with Subpart C of 45 CFR Part 164 with respect to electronic protected health information, to prevent use or disclosure of PHI other than as provided for by this Agreement.
- b. to report to Covered Entity promptly, but in no case longer than fifteen (15) business days, any use or disclosure of PHI not provided for by this Agreement of which Business Associate becomes aware, including a Breach of Unsecured PHI as required by 45 C.F.R. § 164.410, and any successful Security Incident of which it becomes aware. The Parties acknowledge and agree that this section 3.b. constitutes notice by Business Associate to Covered Entity of the ongoing existence and occurrence or attempts of Unsuccessful Security Incidents for which no additional notice to Covered Entity shall be required. "Unsuccessful Security Incidents" means, without limitation, pings and other broadcast attacks on Business Associate's firewall, port scans, unsuccessful log-on attempts, denial of service attacks, and any combination of the above, so long as no such incident results in unauthorized access, use, or disclosure of PHI. The contact information for the Business Associate and Covered Entity employees to whom reports of unauthorized use or disclosure of PHI, Breaches of Unsecured PHI and successful Security Incidents under this Section shall be made as provided below (as such information may be updated from time to time between the parties). Notification shall be made using the methods as provided in the relevant Underlying Agreement.
- Business Associate: Attn: Privacy Officer
- Nuance Communications, Inc.
- 1 Wayside Road
- Burlington MA 01803
- Phone: (781) 565-5000
- Email: email@example.com
- Covered Entity: Attn: Data Protection or Privacy Officer at Covered Entity
- c. to take reasonable steps to mitigate, to the extent practicable, any known harmful effect of a use or disclosure of PHI in violation of the requirements of this Agreement. Upon request, Business Associate shall promptly provide Covered Entity with information reasonably related to its discovery, investigation and mitigation activities associated with a Breach that affects Covered Entity.
- d. to make PHI about an Individual contained in any Designated Record Set of Covered Entity maintained by Business Associate available to Covered Entity for Covered Entity to comply with an Individual's right of access to their PHI in compliance with 45 C.F.R. §164.524; provided, however, that unless otherwise expressly set forth in the Underlying Agreement, Covered Entity acknowledges that Business Associate does not maintain any Designated Record Set on behalf of Covered Entity.
- e. to make PHI about an Individual contained in any Designated Record Set of Covered Entity maintained by Business Associate available to Covered Entity for amendment and incorporate any amendment(s) to PHI that Covered Entity directs, in accordance with 45 C.F.R. §164.526; provided, however, that unless otherwise expressly set forth in the Underlying Agreement, Covered Entity acknowledges that Business Associate does not maintain any Designated Record Set on behalf of Covered Entity.
- f. to make the information required to provide an accounting of disclosures of PHI with respect to an Individual available to Covered Entity in response to a request from an Individual in accordance with 45 C.F.R. §164.528.
- g. to the extent the Underlying Agreement requires Business Associate to carry out one or more of Covered Entity's obligation(s) under Subpart E of 45 C.F.R. Part 164, to comply with the requirements of Subpart E that apply to Covered Entity in the performance of such obligation(s).
- h. to make its internal practices, books, and records relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of, Covered Entity available to the Secretary of the Department of Health and Human Services or his/her designee (the "Secretary"), in a time and manner designated by the Secretary, for purposes of determining Covered Entity's compliance with HIPAA.
- i. to ensure that any Subcontractors that create, receive, maintain, or transmit PHI on behalf of Business Associate agree to substantially the same restrictions and conditions that apply to Business Associate with respect to such information in accordance with 45 C.F.R. § 164.502(e)(1)(ii).
- j. if Business Associate knows of a pattern of activity or practice of a Subcontractor that constitutes a material breach or violation of HIPAA, to take reasonable steps to cure the breach or end the violation, as applicable, and if such steps are unsuccessful, terminate the contract or arrangement with such entity, if feasible.
- k. to the extent required by the "minimum necessary" requirements of HIPAA, Business Associate shall only request, use and disclose the minimum amount of PHI necessary to accomplish the purpose of the request, use or disclosure.
- l. to refrain from receiving any remuneration in exchange for any Individual's PHI unless such exchange (i) is pursuant to a valid authorization that includes a specification of whether the PHI can be further exchanged for remuneration by the entity receiving PHI of that Individual, or (ii) satisfies one of the exceptions enumerated in the HIPAA regulations and specifically Section 13405(d)(2) of the HITECH Act.
- m. to refrain from Marketing activities involving the use or disclosure of PHI that would violate HIPAA and specifically Section 13406 of the HITECH Act.
- n. to provide training to applicable employees as required by HIPAA.
4. Responsibilities of Covered Entity. Covered Entity shall:
- a. provide Business Associate with the notice of privacy practices that Covered Entity produces in accordance with 45 C.F.R. §164.520, as well as any changes to such notice.
- b. provide Business Associate, in writing, with any changes in, or revocation of, permission by Individual to the use or disclosure of PHI, if such changes affect Business Associate's permitted or required uses or disclosures. Upon receipt by Business Associate of such notice of changes, Business Associate shall cease the use and disclosure of any such Individual's PHI except to the extent it has relied on such use or disclosure, or where an exception under HIPAA expressly applies.
- c. notify Business Associate of any restriction to the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 C.F.R. §164.522.
- d. not request or require Business Associate to use and/or disclose PHI in a manner not permitted by HIPAA.
- a. Termination. This Agreement shall terminate automatically upon termination of all Underlying Agreements. Either party may immediately terminate this Agreement and any Underlying Agreement if such party (the "Non-Breaching Party") determines that the other party (the "Breaching Party") has breached a material term of this Agreement. Alternatively, the Non-Breaching Party may choose to provide the Breaching Party with written notice of the existence of an alleged material breach and afford the Breaching Party an opportunity to cure the alleged breach. Failure to cure the material breach within thirty (30) days of the written notice constitutes grounds for immediate termination of this Agreement and the Underlying Agreement.
- b. Effect of Termination.
- (1) Except as provided in paragraph (2) of this Section 5(b), upon termination of this Agreement, Business Associate shall return or destroy all PHI received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity. This Section 5(b)(1) shall apply to PHI that is in the possession of Business Associate and its Subcontractors or agents. Business Associate, its Subcontractors or agents shall retain no copies of the PHI.
- (2) In the event that Business Associate reasonably determines that returning or destroying the PHI is infeasible, Business Associate shall extend the protections of this Agreement to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such PHI.
- a. Survival. The respective rights and obligations of Business Associate under Section 5(b) of this Agreement shall survive termination of this Agreement and the Underlying Agreement for so long as the Business Associate maintains Covered Entity's PHI.
- b. Interpretation. Any ambiguity in this Agreement shall be resolved in favor of a meaning that permits the parties to comply with HIPAA.
- c. No Third Party Beneficiary. Nothing in this Agreement is intended, nor shall be deemed, to confer any benefits on any third party.
- d. Severability. If a court of competent jurisdiction finds any term of this Agreement invalid, illegal or unenforceable, that term shall be curtailed, limited or deleted, but only to the extent necessary to remove the invalidity, illegality or unenforceability, and without in any way affecting or impairing the remaining terms.
- e. Disclosures Required by Law. In the event Business Associate is Required by Law to disclose PHI, Business Associate shall, subject to attorney-client privilege and any other applicable legal privileges and if permitted by law, promptly notify Covered Entity of such requirement and reasonably cooperate with Covered Entity in regards to such disclosure. Business Associate shall, to the extent it is permitted, use reasonable efforts to provide advance notice to Covered Entity so that Covered Entity shall have an opportunity to object to the disclosure and to seek appropriate relief unless immediate disclosure is Required by Law.