BY REGISTERING FOR AN ACCOUNT OR USING/ACCESSING THE POWERSHARE SERVICES
YOU ("CLIENT") HEREBY ACCEPT THE TERMS AND CONDITIONS OF THIS AGREEMENT. IF YOU ARE ENTERING INTO THIS
AGREEMENT ON BEHALF OF A COMPANY OR OTHER LEGAL ENTITY, YOU REPRESENT THAT YOU HAVE THE AUTHORITY TO
BIND SUCH ENTITY TO THE TERMS AND CONDITIONS OF THIS AGREEMENT AND, IN SUCH EVENT, "COVERED ENTITY" AS
USED IN THIS AGREEMENT SHALL REFER TO SUCH ENTITY. IF YOU DO NOT HAVE SUCH AUTHORITY, OR IF YOU OR SUCH
ENTITY DO NOT AGREE TO THE TERMS AND CONDITIONS OF THIS AGREEMENT, YOU MAY NOT USE THE SERVICES.
HIPAA BUSINESS ASSOCIATE AGREEMENT
WHEREAS, Nuance Communications, Inc. ("Business Associate") or ("Nuance") may perform certain
services on behalf of or for Client ("Covered Entity") pursuant to this Agreement that require Nuance to
access, create and use health information that is subject to the federal privacy regulations (the
"Privacy Rule") and the federal security regulations (the "Security Rule") issued pursuant to the Health
Insurance Portability and Accountability Act of 1996 ("HIPAA") and codified at 45 C.F.R. parts 160 and
164, and Subtitle D of the Health Information Technology for Economic and Clinical Health Act provisions
of the American Recovery and Reinvestment Act of 2009 (the "HITECH Act"); and
WHEREAS, this Agreement, which shall be attached to and made part of any and all Underlying Agreement(s)
between the Parties, serves to establish the responsibilities of both parties regarding Protected Health
Information, and to bring this Agreement into compliance with HIPAA and the HITECH Act.
NOW, THEREFORE, the parties agree to the following additional terms and conditions to those otherwise
in the Agreement:
1. Definitions. Capitalized terms used in this Agreement, but not otherwise defined, shall have
the same meanings ascribed to them in the Privacy Rule, the Security Rule and the HITECH Act.
2. Permitted Uses and Disclosures. Except as otherwise specified herein, Business Associate may
use and/or disclose Protected Health Information (“PHI”) to perform the functions, activities, or
services for or on behalf of Covered Entity as specified in this Agreement, provided that such use
and/or disclosure would not violate HIPAA if done by Covered Entity. Except as otherwise limited in this
Agreement, Business Associate may:
- a. use PHI for the proper management and administration of Business Associate and to carry out
the legal responsibilities of Business Associate, and except as otherwise limited by this Agreement
or the Agreement, as permitted by HIPAA.
- b. disclose PHI for the proper management and administration of Business Associate and to carry
out the legal responsibilities of Business Associate, provided that the disclosures are required by
law, or Business Associate obtains reasonable assurances from the person to whom PHI is disclosed
that the PHI will remain confidential and used or further disclosed only as required by law or for
the purpose for which it was disclosed to the person, and the person notifies Business Associate of
any instances of which it is aware in which the confidentiality of PHI has been breached.
- c. use PHI to provide Data Aggregation services to Covered Entity as permitted by 42 C.F.R.
Business Associate may use PHI to report violations of law to appropriate Federal and State
authorities, consistent with 45 C.F.R. §164.502(j)(1).
3. Responsibilities of Business Associate. Except as otherwise required by law, Business
Associate shall use PHI in compliance with 45 C.F.R. §164.504(e). To comply with the security and
privacy obligations imposed by HIPAA, Business Associate agrees to:
- a. Use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to
electronic protected health information, to prevent use or disclosure of protected health
information other than as provided for by this Agreement.
- b. not use or further disclose PHI other than as permitted or required by this Agreement,
HIPAA, or as required by law.
- c. use appropriate safeguards to prevent the use or disclosure of PHI other than as provided
for by this Agreement.
- d. report to Covered Entity any use or disclosure of PHI not provided for by this Agreement of
which Business Associate becomes aware, including breaches of unsecured protected health information
as required by § 164.410, and any successful security incident of which it becomes aware. The
Parties acknowledge and agree that this section 3.d. constitutes notice by Business Associate to
Covered Entity of the ongoing existence and occurrence or attempts of Unsuccessful Security
Incidents for which no additional notice to Covered Entity shall be required. “Unsuccessful Security
Incidents” means, without limitation, pings and other broadcast attacks on Business Associate’s
firewall, port scans, unsuccessful log-on attempts, denial of service attacks, and any combination
of the above, so long as no such incident results in unauthorized access, use, or disclosure of
- e. in accordance with § 164.502(e)(1)(ii), ensure that any subcontractors that create, receive,
maintain, or transmit PHI on behalf of Business Associate agree to substantially the same
restrictions and conditions that apply to Business Associate with respect to such information.
- f. make PHI available to Covered Entity for Covered Entity to comply with an Individual’s right
of access to their PHI in compliance with 45 C.F.R. §164.524 and Section 13405(e) of the HITECH Act.
This provision shall be applicable only if Business Associate maintains a Designated Record Set on
behalf of Covered Entity.
- g. make PHI available to Covered Entity for amendment and incorporate any amendment(s) to PHI
that Covered Entity directs, in accordance with 45 C.F.R. §164.526. This provision shall be
applicable only if Business Associate has PHI in a Designated Record Set.
- h. document disclosures of PHI and information related to such disclosures as would be required
for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI
in accordance with 45 C.F.R. §164.528 and Section 13405(c) of the HITECH Act.
- i. make available to Covered Entity in response to a request from an Individual, the
information required to provide an accounting of disclosures of PHI with respect to the Individual
in accordance with 45 C.F.R. §164.528 and Section 13405(c) of the HITECH Act.
- j. to the extent this Agreement requires Business Associate to carry out one or more of
Covered Entity's obligation(s) under Subpart E of 45 CFR Part 164, comply with the requirements of
Subpart E that apply to Covered Entity in the performance of such obligation(s).
- k. make its internal practices, books, and records relating to the use and disclosure of PHI
received from, or created or received by Business Associate on behalf of, Covered Entity available
to the Secretary of the Department of Health and Human Services or his/her designee (the
“Secretary”), in a time and manner designated by the Secretary, for purposes of determining Covered
Entity’s compliance with HIPAA.
- l. notify Covered Entity following Business Associate’s discovery of a security breach of
Unsecured PHI, in accordance with Section 13402 of the HITECH Act.
- m. refrain from exchanging any PHI with any entity (including Covered Entity) of which Business
Associate knows of a pattern of activity or practice that constitutes a material breach or violation
of HIPAA, and upon becoming aware of such behavior by an entity with which Business Associate has
already exchanged PHI, take reasonable steps to cure the breach or end the violation, as applicable,
and if such steps are unsuccessful, terminate the contract or arrangement with such entity, if
feasible; or if termination is not feasible, report the problem to the Secretary, in accordance with
Section 13404 of the HITECH Act and 45 C.F.R. §164.504(e).
- n. limit the use, disclosure or request for PHI in accordance with Section 13405(b) of the
- o. refrain from receiving any remuneration in exchange for any Individual’s PHI unless such
exchange (i) is pursuant to a valid authorization that includes a specification of whether the PHI
can be further exchanged for remuneration by the entity receiving PHI of that Individual, or (ii)
satisfies one of the exceptions enumerated in the HIPAA regulations and specifically Section
13405(d)(2) of the HITECH Act.
- p. refrain from marketing activities that would violate HIPAA and specifically Section 13406 of
the HITECH Act.
4. Responsibilities of Covered Entity. Covered Entity shall:
- a. provide Business Associate with the notice of privacy practices that Covered Entity produces
in accordance with 45 C.F.R. §164.520, as well as any changes to such notice.
- b. provide Business Associate, in writing, with any changes in, or revocation of, permission by
Individual to the use or disclosure of PHI, if such changes affect Business Associate’s permitted or
required uses or disclosures. Upon receipt by Business Associate of such notice of changes,
Business Associate shall cease the use and disclosure of any such Individual’s PHI except to the
extent it has relied on such use or disclosure, or where an exception under HIPAA expressly applies.
- c. notify Business Associate of any restriction to the use or disclosure of PHI that Covered
Entity has agreed to in accordance with 45 C.F.R. §164.522.
- a. Termination for Cause. Either party may immediately terminate this Agreement if such
party (the “Non-Breaching Party”) determines that the other party (the “Breaching Party”) has
breached a material term of this Agreement. Alternatively, the Non-Breaching Party may choose to
provide the Breaching Party with written notice of the existence of an alleged material breach and
afford the Breaching Party an opportunity to cure the alleged breach. Failure to cure the material
breach within thirty (30) days of the written notice constitutes grounds for immediate termination
of this Agreement.
- b. Effect of Termination.
- (1) Except as provided in paragraph (2) of this Section 5(b), upon termination of this
Agreement for any reason, Business Associate shall return or destroy all PHI received from
Covered Entity, or created or received by Business Associate on behalf of Covered Entity. This
Section 5(b)(1) shall apply to PHI that is in the possession of Business Associate and its
subcontractors or agents. Business Associate shall retain no copies of the PHI.
- (2) In the event that Business Associate determines that returning or destroying the PHI is
infeasible, Business Associate shall provide to Covered Entity, in writing, notification of the
conditions that make return or destruction infeasible, and Business Associate shall extend the
protections of this Agreement to such PHI and limit further uses and disclosures of such PHI to
those purposes that make the return or destruction infeasible, for so long as Business Associate
maintains such PHI.
- a. Amendment. The parties agree to negotiate in good faith an amendment to this
Agreement from time to time as is necessary for the parties to comply with the requirements of
HIPAA, as amended from time to time. No amendment shall be effective unless in writing and signed by
duly authorized representatives of both parties.
- b. Survival. The respective rights and obligations of Business Associate under Section
5(b) of this Agreement shall survive termination of this Agreement.
- c. Interpretation. Any ambiguity in this Agreement shall be resolved in favor of a
meaning that permits the parties to comply with HIPAA.
- d. No Third Party Beneficiary. Nothing in this Agreement is intended, nor shall be
deemed, to confer any benefits on any third party.
- e. Severability. If a court of competent jurisdiction finds any term of this Agreement
invalid, illegal or unenforceable, that term shall be curtailed, limited or deleted, but only to the
extent necessary to remove the invalidity, illegality or unenforceability, and without in any way
affecting or impairing the remaining terms.
- f. Counterparts; Facsimiles. This Agreement may be executed in any number of
counterparts, each of which shall be deemed an original. Facsimile copies hereof shall be deemed to
- g. Entirety. The terms and conditions of this Agreement supersede and replace any prior
business associate agreements and any existing terms and conditions between the parties (including
any such terms and conditions in any Agreement) pertaining to the privacy and security of PHI. This
Agreement is made a part of and subject to the terms of the Agreement. In the event of any conflict
between this Agreement and an Underlying Agreement, this Agreement shall control with respect to