Pursuant to the Health Insurance Portability and Accountability Act of 1996, as amended ("HIPAA"), Domo, Inc., a Utah corporation with a primary address at 772 East Utah Valley Drive, American Fork UT 84003, or any of its affiliates ("Business Associate") and the counterparty that signed an agreement with Domo ("Covered Entity") referencing this Business Associate Agreement (“BAA”) located at: http://www.domo.com/baa, enter into this BAA as of the date Business Associate and Covered Entity signed the agreement referencing this BAA (the "Effective Date"). This BAA addresses the HIPAA requirements with respect to "business associates," as defined under the privacy, security, breach notification and enforcement rules at 45 C.F.R. Part 160 and Part 164 ("HIPAA Rules"). A reference in this BAA to a section in the HIPAA Rules means the section as in effect or as amended. The following terms in this BAA shall have the same meaning as those terms in the HIPAA Rules: Breach, Data Aggregation, Designated Record Set, Disclosure, Electronic Media, Protected Health Information (PHI), Health Care Operations, Individual, Minimum Necessary, Notice of Privacy Practices, Required by Law, Secretary, Security Incident, Subcontractor, Unsecured PHI and Use.
The functions, activities and services that Business Associate performs for Covered Entity are defined in the Service Order and Service Agreement entered between the parties (the "Agreement").
1. General Obligations of Business Associate.
1.1. Business Associate agrees not to use or disclose PHI, other than as permitted or required by this BAA, the Agreement or as required by applicable law.
1.2. Business Associate agrees to use appropriate safeguards, and comply with Subpart C of 45 C.F.R. Part 164 with respect to electronic PHI, to prevent use or disclosure of PHI other than as provided for by the BAA or the Agreement.
1.3. Business Associate agrees to report to Covered Entity any Breach of Unsecured PHI not provided for by the BAA of which it becomes aware within 45 calendar days of "discovery" within the meaning of the HITECH Act. Business Associate shall provide information reasonably requested by Covered Entity for purposes of investigating the Breach and any other available information that Covered Entity is required to include to the Individual under 45 C.F.R. 164.404(c) at the time of notification or promptly thereafter as information becomes available.
1.4. Business Associate agrees, in accordance with 45 C.F.R. 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, to require that any Subcontractors that create, receive, maintain or transmit PHI on behalf of the Business Associate agree to the same restrictions, conditions and requirements that apply to the Business Associate with respect to such information.
1.5. Business Associate agrees to make available PHI in a Designated Record Set to the Covered Entity as necessary to satisfy Covered Entity’s obligations under 45 C.F.R. 164.524, or take other measures as necessary to satisfy Covered Entity’s obligations under 45 C.F.R. 164.526. If Business Associate receives a request for access directly from an Individual, Business Associate will promptly forward the Individual’s request to Covered Entity so that Covered Entity may satisfy its obligations under 45 C.F.R. 164.524.
1.6. Business Associate agrees to make any amendments to PHI in a Designated Record Set as directed or agreed to by the Covered Entity pursuant to 45 C.F.R. 164.526, or take other measures as necessary to satisfy Covered Entity’s obligations under 45 C.F.R. 164.526. If Business Associate receives a request for amendment directly from an Individual, Business Associate will promptly forward the Individual’s request to Covered Entity so that Covered Entity may satisfy its obligations under 45 C.F.R. 164.526.
1.7. Business Associate agrees to maintain and make available the information required to provide an accounting of disclosures to Covered Entity as necessary to satisfy Covered Entity’s obligations under 45 C.F.R. 164.528. If Business Associate receives a request for an accounting of disclosures directly from an Individual, Business Associate will promptly forward the Individual’s request to Covered Entity so that Covered Entity may satisfy its obligations under 45 C.F.R. 164.526.
1.8. Business Associate agrees to make its internal practices, books and records relating to the use and disclosure of PHI received from Covered Entity, or created or received by the Business Associate on behalf of Covered Entity, available to the Secretary for the purpose of determining compliance with the HIPAA Rules.
1.9. To the extent that Business Associate is to carry out one or more of Covered Entity's obligations under Subpart E of 45 C.F.R. Part 164, Business Associate agrees to comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligations.
2. Permitted Uses and Disclosures by Business Associate.
2.1. General Uses and Disclosures. Business Associate agrees to receive, create, use or disclose PHI only in a manner that is consistent with the terms of this BAA and the Agreement.
2.2. Business Associate may use or disclose PHI as Required by Law.
2.3. Business Associate may not use or disclose PHI in a manner that would violate Subpart E of 45 C.F.R. Part 164 if done by the Covered Entity, except for the following specific uses and disclosures:
(a) Business Associate may use PHI for the proper management and administration of the Domo Service provided to Covered Entity, and to carry out the legal responsibilities of the Business Associate.
(b) Business Associate may provide data aggregation services relating to the health care operations of Covered Entity.
3. Obligations of Covered Entity.
3.1. Covered Entity shall:
(a) Provide Business Associate with the notice of privacy practices that Covered Entity produces in accordance with the HIPAA Rules, and any changes or limitations to such notice under the HIPAA Rules, to the extent that such changes or limitations may affect Business Associate's use or disclosure of PHI.
(b) Notify Business Associate of any restriction to the use or disclosure of PHI that Covered Entity has agreed to or is required to abide by under 45 C.F.R. 164.522, to the extent that such restriction may affect Business Associate's use or disclosure of PHI under this BAA.
(c) Notify Business Associate of any changes in or revocation of permission by an Individual to use or disclose PHI, if such change or revocation may affect Business Associate's permitted or required uses and disclosures of PHI under this BAA.
3.2. Except as otherwise authorized under this BAA, Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under Subpart E of 45 C.F.R. Part 164 if done by Covered Entity.
4. Term and Termination.
4.1. This BAA shall be in effect as of the date it is fully executed between the parties, and shall terminate on the earlier of the date that either party terminates for cause as authorized under this BAA, and the date all of the PHI received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity.
4.2. Upon either party's knowledge of material breach by the other party, the non-breaching party shall provide an opportunity for the breaching party to cure the breach or end the violation; or terminate the BAA. If the breaching party does not cure the breach or end the violation within a reasonable timeframe not to exceed 30 days from the notification of the breach, or if a material term of the BAA has been breached and a cure is not possible, the non-breaching party may terminate this BAA, upon written notice to the other party.
4.3. Upon termination of this BAA for any reason, Business Associate, with respect to PHI received from Covered Entity, or created, maintained, or received by Business Associate on behalf of Covered Entity, shall:
(a) Retain only that PHI that is necessary for Business Associate to continue its proper management and administration or to carry out its legal responsibilities.
(b) Destroy the remaining PHI that the Business Associate still maintains in any form.
(c) Continue to use appropriate safeguards and comply with Subpart C of 45 C.F.R. Part 164 with respect to electronic PHI to prevent use or disclosure of the PHI, other than as provided for in this section, for as long as Business Associate retains the PHI.
(d) Not use or disclose the PHI retained by Business Associate other than for the purposes for which such PHI was retained and subject to the same conditions set out herein which applied prior to termination.
(e) Destroy the PHI retained by Business Associate when it is no longer needed by Business Associate for its proper management and administration or to carry out its legal responsibilities.
4.4. The obligations of Business Associate under this section shall survive the termination of this BAA.
5.1. The parties agree to take such action as is necessary to amend this BAA to comply with the requirements of the HIPAA Rules and any other applicable law.
5.2. The respective rights and obligations of the parties under this BAA shall survive the termination of this BAA.
5.3. Any ambiguity shall be resolved in favor of a meaning that permits Covered Entity to comply with the HIPAA Rules.
5.4. This BAA and the Agreement constitute the entire agreement between the parties related to the subject matter of this BAA. This BAA may not be modified unless done so in writing and signed by a duly authorized representative of both parties. If any provision of this BAA, or part thereof, is found to be invalid, the remaining provisions shall remain in effect.
5.5. This BAA will be binding on the successors and assigns of the Covered Entity and the Business Associate.
5.6. Except to the extent preempted by federal law, this BAA shall be governed by and construed in accordance with the same internal laws as that of the Agreement. If there is a direct conflict between this BAA and a provision of the Agreement, the terms in this BAA will control.
Each party agrees to comply with the terms of this BAA.