HIPAA Business Associate Addendum
This HIPAA Business Association Addendum (this “HIPAA Addendum”) is an addendum to your Product Terms and Conditions (and incorporated therein by reference). This HIPAA Addendum defines the rights and responsibilities of each of us with respect to Protected Health Information as defined in the Health Insurance Portability and Accountability Act of 1996 and the regulations promulgated thereunder, including the HITECH Act and Omnibus Rule, as each may be amended from time to time (collectively, “HIPAA”). This Agreement shall be applicable only in the event and to the extent Rackspace meets, with respect to you, the definition of a Business Associate set forth at 45 C.F.R. §160.103, or applicable successor provisions.
1. Defined Terms. For the purposes of this HIPAA Addendum, capitalized terms shall have the following meanings:
“Agreement” shall have the same meaning as given in the General Terms and Conditions.
“Business Associate” shall mean the Rackspace entity from which you purchase Services.
“CFR” shall mean the Code of Federal Regulations.
“Individual” shall have the same meaning as the term “individual” in 45 CFR § 160.103 and shall include a person who qualifies as a personal representative in accordance with 45 CFR § 164.502(g).
“Privacy Rule” shall mean the Standards for Privacy of Individually Identifiable Health Information at 45 CFR part 160 and part 164, subparts A and E.
“Protected Health Information” or “PHI”shall have the same meaning as the term “protected health information” in 45 CFR § 160.103, limited to the information received by Business Associate from or on behalf of Customer.
“Required By Law” shall have the same meaning as the term “required by law” in 45 CFR § 164.103.
“Security Rule” shall mean the Security Standards for the Protection of Electronic Protected Health Information, located at 45 CFR Part 160 and Subparts A and C of Part 164.
“Secretary” shall mean the Secretary of the Department of Health and Human Services or his or her designee.
2. Obligations and Activities of Business Associate.
(a) Business Associate shall not use or disclose Protected Health Information other than as permitted or required by this HIPAA Addendum or as permitted or Required by Law.
(b) Business Associate agrees to provide those physical, technical, and administrative safeguards described in the General Terms and Conditions and the other parts of the Agreement including those safeguards and Services selected by you and described in the Service Description. If Business Associate agrees as part of this HIPAA Addendum to carry out an obligation of yours under the Privacy Rule, then Business Associate will comply with the requirements of the Privacy Rule applicable to such obligation.
(c) Business Associate agrees to mitigate, to the extent reasonably practicable, any harmful effect that is known to Business Associate of a use or disclosure of Protected Health Information by Business Associate or its agents or subcontractors in violation of the requirements of this HIPAA Addendum.
(d) Within five Business Days of becoming aware, Business Associate agrees to report to you (i) Security Incidents (as defined in 45 C.F.R. §164.304 and as further described below), (ii) the Breach of unsecured PHI (as defined in 45 CFR §164.402), or (iii) an access, acquisition, use or disclosure of PHI in violation of this HIPAA Addendum.
(1) Both parties acknowledge that there are likely to be a significant number of meaningless or unsuccessful attempts to access Customer’s Hosted System or Services, which make a real-time reporting requirement impractical for both parties. The parties acknowledge that Business Associate’s ability to report on system activity, including Security Incidents, is limited by, and to, the Services which Customer has purchased.
(2) Certain Rackspace Services can provide detailed reporting of potential Security Incidents (including those listed above), and Customer is responsible for purchasing, implementing, and monitoring such Services for potential Security Incidents as appropriate based on Customer’s use of the Services.
(3) Other than as included with and permitted by those Services Customer purchases (such as Intrusion Detection Systems or Log Management) or those procedures separately agreed to in writing (such as configuring SNMP traps on firewall appliances), Business Associate undertakes no obligation to report unsuccessful security incidents or to monitor Customer’s Services. Business Associate undertakes no obligation to report network security related incidents which occur on the Rackspace managed network but do not directly involve Customer’s Hosted System. Where Customer has purchased Services or devices which include reporting on network and system security events, the parties agree that the following are illustrative examples of unsuccessful security incidents which, when they do not result in the unauthorized access, use, disclosure, modification or destruction of PHI need not be reported by Business Associate: pings against network devices, port scans, attempts to log on to a system or database with an invalid password or username, malware.
(e) Business Associate agrees to obtain from any agent, including a subcontractor to whom it provides Protected Health Information, reasonable assurances that it will adhere to the same restrictions and conditions that apply to Business Associate under this HIPAA Addendum with respect to such information.
(f) All Protected Health Information maintained by Business Associate for you will be available to you in a time and manner that reasonably allows you to comply with the requirements under 45 CFR § 164.524. Business Associate shall not be obligated to provide any such information directly to any Individual or person other than you.
(g) All Protected Health Information and other information maintained by Business Associate for you will be available to you in a time and manner that reasonably allows you to comply with the requirements under 45 CFR § 164.526.
(h) Business Associate agrees to make internal practices, books, and records available to the Secretary, in a time and manner designated by the Secretary, for purposes of the Secretary’s determining your compliance with the Privacy Rule; provided, however, that time incurred by Business Associate in complying with any such request that exceeds its normal customer service parameters shall be charged to you at Business Associate’s then current standard hourly rate for Supplemental Services.
(i) You acknowledge that Business Associate is not required by this HIPAA Addendum to make disclosures of Protected Health Information to Individuals or any person other than you, and that Business Associate does not, therefore, expect to maintain documentation of such disclosure as described in 45 CFR § 164.528. In the event that Business Associate does make such disclosure, it shall document the disclosure as would be required for you to respond to a request by an Individual for an accounting of disclosures in accordance with 45 CFR §164.504(e)(2)(ii)(G) and §164.528, and shall provide such documentation to you promptly on your request. In the event that a request for an accounting is made directly to Business Associate, Business Associate shall, within 2 Business Days, forward such request to Customer.
(j) Business Associate shall, for the duration of the Agreement, obtain an SSAE16 audit report (or equivalent successor report) from independent auditors on an annual basis, and make such report available to you.
3. Permitted Uses and Disclosures by Business Associate. Except as otherwise limited in this HIPAA Addendum or other portion of the Agreement, Business Associate may use or disclose Protected Health Information to perform functions, activities, or services for, or on behalf of, you as specified in the Agreement, provided that such use or disclosure would not violate the Privacy Rule if done by you.
4. Specific Use and Disclosure Provisions. Except as otherwise limited in this HIPAA Addendum or other portion of the Agreement, Business Associate may:
(a) use Protected Health Information for the proper management and administration of Business Associate or to carry out its legal responsibilities;
(b) disclose Protected Health Information for the proper management and administration of Business Associate, provided that disclosures are (i) Required By Law, or (ii) Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as Required By Law or for the purpose for which it was disclosed to the person, and the person will notify Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached; and
(c) use Protected Health Information to report violations of law to appropriate Federal and State authorities, consistent with 45 CFR §164.502(j)(1).
5. Your Obligations. You shall notify Business Associate of:
(a) any limitations(s) in your notice of privacy practices in accordance with 45 CFR § 164.520 to the extent that such changes may affect Business Associate’s use or disclosure of Protected Health Information;
(b) any changes in, or revocation of, permission by Individual to use or disclose Protected Health Information, to the extent that such changes may affect Business Associate’s use or disclosure of Protected Health Information; and
(c) any restriction to the use or disclosure of Protected Health Information that you have agreed to in accordance with 45 CFR § 164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of Protected Health Information.
You agree that you will not request Business Associate to use or disclose Protected Health Information in any manner that would not be permissible under the Privacy Rule if done by you.
You agree to comply with those security obligations identified in the General and Product Terms, and to implement, purchase, or maintain appropriate safeguards (including security appliances, services, and practices) as required for you to comply with the Security and Privacy rules as applicable to you.
6. Term and Termination
(a) The term of this HIPAA Addendum shall continue for the term of the Agreement to which this HIPAA Addendum is incorporated by reference, and following termination of such Agreement until all Protected Health Information is destroyed or returned to you or your designee.
(b) If Business Associate materially breaches the terms of this HIPAA Addendum, then you may terminate any related Hosting Services Agreement(s).
(c) Upon termination of the Agreement for any reason Business Associate shall destroy all Protected Health Information which remains on your Hosted System or otherwise in Business Associates possession. This provision shall apply to Protected Health Information that is in the possession of subcontractors or agents of Business Associate as well as Business Associate itself. Business Associate shall retain no copies of the Protected Health Information. In the event that Business Associate determines that destroying the Protected Health Information is infeasible, Business Associate shall promptly provide you notification of the conditions that make destruction infeasible. Business Associate shall extend the protections of this Agreement to such Protected Health Information and limit further uses and disclosures of such Protected Health Information to those purposes that make the destruction infeasible, for so long as Business Associate maintains such Protected Health Information. You shall bear the cost of storage of such Protected Health Information for as long as storage by Business Associate is required. This Section does not require Business Associate to segregate any Protected Health Information from other information maintained by you on Business Associate’s servers and Business Associate may comply with this requirement by returning or destroying all of the information maintained on its servers by you. By default, Rackspace will zero-fill (meaning to format a hard disk by filling available sectors with zeroes) any hard disk drive dedicated to your use upon termination of the Service(s). Upon your written request Rackspace shall either physically destroy or multi-pass wipe any hard drive dedicated to your use, provided that Rackspace may charge you an additional fee at its then current rates for such additional services.
(d) If you request contemporaneously with any termination event or notice, Business Associate will allow you to have access to your Hosted System for a reasonable period of time following termination as necessary for you to retrieve or delete any Protected Health Information at your then current monthly recurring rate; provided, however, that if the security of your servers has been compromised, or the Agreement was terminated for your failure to use reasonable security precautions, Rackspace may: (i) provide you with restricted access via a dedicated or private link or tunnel to your Hosted System or (ii) refuse to allow you to have access to your Hosted System but will use reasonable efforts to copy your data on to media you provide to Rackspace, and will ship the media to you at your expense. Rackspace’s efforts to copy your data onto your media shall be billable as a Supplemental Service at Rackspace’s then current hourly rates.
(a) Amendment. Each of us agrees to take such action as is reasonably necessary to amend this HIPAA Addendum from time to time as is necessary for you to comply with the requirements of HIPAA as they may be amended from time to time; provided, however, that if such an amendment would materially increase the cost of Business Associate providing service under the Agreement, Business Associate shall have the option to terminate the Agreement on thirty (30) days advance notice.
(b) Survival. Our respective rights and obligations under this HIPAA Addendum shall survive the termination of the Agreement.
(c) Interpretation. Any ambiguity in the Agreement shall be resolved to permit you to comply with HIPAA and the Privacy Rule.
© 2008 Rackspace US, Inc.
November 7, 2013 revision