This Business Associate Agreement (“BAA”) applies under the following conditions: if “Covered Entity” (legal entity that uses ABBYY Timeline under the ABBYY Cloud Service Agreement (the “Agreement”)) wishes to upload information protected by the Health Insurance Portability and Accountability Act, Covered Entity should first send such notification to ABBYY at the following email address: email@example.com, in which case the BAA shall become enforceable on the next working day following the receipt of such notification by Business Associate. Effective date will be the next working day when Business Associate receives such notification. BAA applies to all activities performed in connection with the Agreement in which the ABBYY staff or a third party acting on behalf of ABBYY may come into contact with Protected Health Information (“PHI”) while providing ABBYY Timeline to Covered Entity.
BAA is made by and between ABBYY USA Software House, Inc., having its principal office at 890 Hillview Court, Suite 300, Milpitas, California 95035 (“Business Associate”) and Covered Entity (each a “Party” and collectively the “Parties”) to comply with the federal Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), as amended by the Health Information Technology for Economic and Clinical Health Act of 2009 (“HITECH”), and their respective implementing regulations, including the Privacy Standards adopted by the U.S. Department of Health and Human Services as they may be amended from time to time, 45 C.F.R. parts 160 and 164, subparts A and E (the “Privacy Rule”), the Security Standards adopted by the U.S. Department of Health and Human Services, 45 C.F.R. parts 160, 162 and 164, subpart C (the “Security Rule”), the Breach Notification Standards adopted by the U.S. Department of Health and Human Services, at 45 C.F.R. part 164, subpart D (the “Breach Notification Rule”), as well as related state laws and/or regulations (collectively, the “HIPAA Rules”).
WHEREAS, Business Associate provides ABBYY Timeline to Covered Entity, as defined in the Agreement;
WHEREAS, in connection with the Agreement, Covered Entity may disclose to Business Associate certain Protected Health Information (“PHI”) (as defined below) that is subject to protection under the HIPAA Rules;
WHEREAS, if Business Associate performs or assists in performing certain functions or activities for or on behalf of Covered Entity that involve the use or disclosure of PHI, the HIPAA Rules require that Covered Entity receive adequate assurances that Business Associate will comply with certain obligations with respect to the PHI received in the course of providing services to or on behalf of Covered Entity; and
WHEREAS, the Parties agree that the terms of this BAA will have no effect unless and until Business Associate performs or assists in performing certain functions or activities for or on behalf of Covered Entity that involve the use or disclosure of PHI.
NOW THEREFORE, in consideration of the mutual promises and covenants herein, and for other good and valuable consideration, the receipt and sufficiency of which is hereby acknowledged, the Parties agree as follows:
1. Unless otherwise provided, all capitalized terms in the BAA will have the same meaning as provided under the HIPAA Rules.
2. Protected Health Information or PHI: Protected Health Information or PHI, as defined by the Privacy Rule, for this BAA means PHI that is created, received, maintained, or transmitted on behalf of Covered Entity by Business Associate pursuant to the BAA.
B. Purposes for which PHI May Be Disclosed to Business Associate.
In connection with the services provided by Business Associate to or on behalf of Covered Entity under the Agreement, Covered Entity may disclose PHI to Business Associate during the performance of the Agreement in compliance with HIPAA. Covered Entity may disclose PHI directly to Business Associate subcontractors.
C. Obligations of Business Associate.
1. Compliance with Laws. Business Associate agrees to comply with the provisions of the HIPAA Rules that are applicable to Business Associate.
2. Use and Disclosure of PHI. Business Associate may use or disclose PHI as Required by Law. Business Associate shall not use or further disclose PHI other than as permitted or required by this BAA or as Required by Law. Business Associate shall not use or disclose PHI in a manner that would violate the HIPAA Rules if used or disclosed by Covered Entity, provided, however, that Business Associate may use and disclose PHI as necessary for the proper management and administration of Business Associate, for the specific uses and disclosures set forth herein, and to carry out its legal responsibilities. Business Associate agrees, to the extent that Business Associate is to carry out one or more of Covered Entity’s obligation(s) under Subpart E of 45 C.F.R. Part 164, to comply with the requirements of Subpart E of 45 C.F.R. Part 164 that apply to Covered Entity in the performance of such obligation(s).
3. Safeguards. Business Associate shall maintain appropriate safeguards to ensure that PHI is not used or disclosed in violation of this BAA or applicable law. Business Associate shall implement administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of any electronic PHI it creates, receives, maintains, or transmits on behalf of Covered Entity and shall comply, where applicable, with Subpart C of 45 C.F.R. Part 164 with respect to such electronic PHI to prevent use or disclosure of such electronic PHI other than as provided for by this BAA.
4. Disclosure to Agents and Subcontractors. If Business Associate discloses PHI received from Covered Entity, or created, received, maintained, or transmitted by Business Associate on behalf of Covered Entity, to agents, including a subcontractor, Business Associate shall, in accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, ensure that any agents or subcontractors that create, receive, maintain, or transmit PHI on behalf of Business Associate agree to the same restrictions, conditions, and requirements that apply to Business Associate under this BAA with respect to such information. Business Associate shall ensure that any such agent, including a subcontractor, agrees to implement reasonable and appropriate safeguards to protect the confidentiality, integrity, and availability of the electronic PHI that it creates, receives, maintains, or transmits on behalf of Business Associate or Covered Entity. Covered Entity authorizes Business Associate to use any subcontractors.
5. Minimum Necessary. Business Associate agrees to make reasonable efforts to limit use and disclosure of PHI to the minimum necessary to accomplish the intended purposes, consistent with Business Associate’s policies and procedures.
6. Individual Rights. Business Associate agrees as follows:
a. Individual Right to Copy or Inspection. To the extent Business Associate or its agents or subcontractors maintains PHI in a Designated Record Set, if an Individual makes a request for access directly to Business Associate, Business Associate will within twenty-five (25) business days forward such request in writing (including electronic format) to Covered Entity. Covered Entity will be responsible for making all determinations regarding the grant or denial of an Individual’s request for PHI and Business Associate will make no such determinations. Except as Required by Law, only Covered Entity will release and be responsible for releasing PHI to an Individual pursuant to such a request. Notwithstanding the above, ABBYY doesn’t maintain PHI in a Designated Record Set and doesn’t have access to PHI due to the technical design of the services provided under the Agreement. If applicable, ABBYY may maintain PHI due to provisions of technical support and professional services.
b. Amendment of an Individual’s PHI or Record. To the extent Business Associate or its agents or subcontractors maintains PHI in a Designated Record Set, if an Individual makes a request for an amendment of his or her PHI or record directly to Business Associate, Business Associate will within twenty-five (25) business days forward such request in writing to Covered Entity, and Business Associate will incorporate any such amendment upon written (including electronic format) request from Covered Entity. As between the parties, Covered Entity will be responsible for making all determinations regarding the grant or denial of an Individual’s request for an amendment, and except as Required by Law Business Associate will not make or be responsible for making any such determinations. Notwithstanding the above, ABBYY doesn’t maintain PHI in a Designated Record Set and doesn’t have access to PHI due to the technical design of the services provided under the Agreement. If applicable, ABBYY may maintain PHI due to provisions of technical support and professional services.
c. Accounting of Disclosures. Business Associate agrees to maintain documentation of the information required to provide an Accounting of Disclosures of PHI in accordance with 45 C.F.R. § 164.528, and to make this information available to Covered Entity upon Covered Entity’s request, in order to allow Covered Entity to respond to an Individual’s request for Accounting of Disclosures. Because Business Associate cannot readily identify which individuals are identified or what type of PHI are included in the content uploaded to the service or otherwise transferred, processed, used or stored in the Service, Covered Entity is solely responsible for identifying which individuals, if any, may have been included in the content. If applicable, ABBYY may maintain PHI due to provisions of technical support and professional services. Such accounting is limited to disclosures that were made in the three (3) years prior to the request to the extent that the purpose of such accounting is to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI through an Electronic Health Record, as the term is defined in section 13400 of HITECH, made to carry out Treatment, Payment and Health Care Operations as provided in 45 C.F.R. § 164.506. Notwithstanding the above, any such accounting shall be provided only for as long as Business Associate maintains the PHI. If an Individual requests an Accounting of Disclosures directly from Business Associate, Business Associate will forward the request and its Disclosure record to Covered Entity within twenty-five (25) business days of Business Associate’s receipt of the Individual’s request. As between the parties, Covered Entity will be responsible for preparing and delivering the Accounting to the Individual. Except as required by law, Business Associate will not provide or be responsible for providing an Accounting of its Disclosures directly to any Individual.
Notwithstanding the above, ABBYY doesn’t have access to PHI due to the technical design of the services provided under the Agreement and is therefore unable to Disclose PHI.
7. Internal Practices, Policies and Procedures. Except as otherwise specified herein, Business Associate shall make available its internal practices, books, and records relating to the use and disclosure of PHI received from, or created or received on behalf of, Covered Entity to the Secretary for the purpose of determining Covered Entity’s compliance with the HIPAA Rules.
8. Reporting of Improper Use or Disclosure, Security Incident or Breach. Business Associate shall report to Covered Entity any use or disclosure of PHI not permitted under this BAA, Breach of Unsecured PHI or Security Incident, without unreasonable delay, and in any event no more than ten (10) business days following discovery; provided, however, that the Parties acknowledge and agree that this Section constitutes notice by Business Associate to Covered Entity of the ongoing existence and occurrence of attempted but Unsuccessful Security Incidents (as defined below) for which notice to Covered Entity by Business Associate shall be required only upon request. “Unsuccessful Security Incidents” shall include, but not be limited to, pings and other broadcast attacks on Business Associate’s firewall, port scans, unsuccessful log-on attempts, denials of service and any combination of the above, so long as no such incident results in unauthorized access, use or disclosure of PHI. Business Associate’s notification to Covered Entity of a Breach shall include: (i) the identification of each individual whose Unsecured PHI has been, or is reasonably believed by Business Associate to have been, accessed, acquired or disclosed during the Breach; and (ii) any particulars regarding the Breach that Covered Entity would need to include in its notification, as such particulars are identified in 45 C.F.R. § 164.404.
9. Use or Disclosure of PHI Not Provided for by this BAA. Business Associate agrees to report to Covered Entity any use or disclosure of PHI not provided for by this BAA of which Business Associate becomes aware.
10. Breaches of Unsecured PHI. Business Associate will report in writing to Covered Entity any Breach of Unsecured Protected Health Information, as required at 45 C.F.R. § 164.410 of which it becomes aware, without unreasonable delay, and in no case later than 20 calendar days after discovery of such Breach.
11. Reporting. For all reporting obligations under this BAA, the parties acknowledge that, (a) because Business Associate does not know the nature of PHI contained in the Service, it will not be possible for Business Associate to provide information about the identities of the individuals who may have been affected, or a description of the type of information that may have been subject to Security Incident, Impermissible Use or Disclosure, or Breach.
D. Rights of Business Associate.
1. Management and Administration. Except as otherwise limited in this BAA, Business Associate may use and disclose PHI for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate.
2. De-identified Information. Business Associate may de-identify any and all PHI created or received by Business Associate under this BAA at any location and use all such de-identified data in accordance with the de-identification requirements of the HIPAA Rules.
3. Reporting Violations of Law. Business Associate may use PHI to report violations of law to appropriate Federal and State authorities, consistent with 45 C.F.R. 164.502(j)(1).
E. Obligations of Covered Entity.
1. Consents. Covered Entity warrants that it has obtained and (or) provided any necessary authorizations, consents, notices and other permissions that may be required under applicable law prior to disclosing content to Business Associate.
2. Changes in Authorization. Covered Entity shall inform Business Associate, in writing and in a timely manner, of any changes in, or withdrawal of, any authorization provided to Covered Entity by any Individual pursuant to 45 CFR § 164.508, to the extent that such changes or withdrawal may affect Business Associate’s use or disclosure of PHI. In addition, Covered Entity shall notify Business Associate, in writing and in a timely manner, of any restriction to the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 CFR § 164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of PHI. Covered Entity shall promptly notify Business Associate of any breach by Covered Entity of any obligation under the HIPAA Rules as such breach relates to PHI as defined herein. Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under the HIPAA Rules if done by Covered Entity, and Business Associate is not required to use or disclose PHI in any manner that would not be permissible under the HIPAA Rules if done by Covered Entity.
3. Minimum Necessary. Covered Entity shall disclose to Business Associate only the “Minimum Necessary” amount of PHI for Business Associate to perform the Agreement and its rights and obligations under this BAA, and only in compliance with the HIPAA Rules.
4. Covered Entity shall notify Business Associate of any restriction to the use or disclosure of PHI under the HIPAA Rules.
5. Covered Entity shall make its Notice of Privacy Practices available to Business Associate by publishing the Notice of Privacy Practices on Covered Entity’s website.
6. Covered Entity is solely responsible for informing ABBYY if it wishes to upload information protected by the Health Insurance Portability and Accountability Act (HIPAA). BAA will be applicable only if such notification was received by ABBYY. Business Associate takes no responsibility for HIPAA compliance if such notification was not sent to ABBYY by Business Associate.
F. Term and Termination.
1. Term. The term of this BAA shall be effective as of the date last executed below and shall continue until all PHI provided by Covered Entity to Business Associate, or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity, or this BAA is terminated pursuant to this Article F.
2. Termination for Breach. Either party may terminate this BAA upon written notice to the other party if the non-breaching party determines that the other party or its subcontractors or agents has breached a material term of this BAA, provided that the non-breaching party will first provide the other party with written notice of the breach of this BAA and afford the other party the opportunity to cure the breach within ninety (90) days of the date of such notice. If the other party or any of its subcontractors or agents fails to timely cure the breach, the non-breaching party may terminate this BAA.
3. Effect of Termination. Upon termination of this BAA for any reason, Business Associate agrees to return or destroy all PHI received from Covered Entity or created or received by Business Associate on behalf of Covered Entity, maintained by Business Associate in any form and to retain no copies. If Business Associate determines that the return or destruction of PHI is not feasible, Business Associate shall inform Covered Entity in writing of the reason thereof, and the Parties shall agree to extend the protections of this BAA to such PHI and Business Associate shall limit further uses and disclosures of the PHI to those purposes that make the return or destruction of the PHI not feasible for so long as Business Associate retains the PHI. Notwithstanding the above, Business Associate may retain PHI for its proper management and administration. Hereby Covered Entity agrees to such retention.
G. Limitation of Liability.
Limitation of liability is stipulated in the Agreement that governs the provision of the services.
1. Survival. The respective rights and obligations of the Parties under Article H. of this BAA shall survive the termination of this BAA.
2. Notices. Any notices pertaining to this BAA shall be given in writing and shall be deemed duly given when personally delivered to a Party or a Party's authorized representative as listed below or sent by means of a reputable overnight carrier, or sent by means of certified mail, return receipt requested, postage prepaid. A notice sent by certified mail shall be deemed given on the date of receipt or refusal of receipt. All notices shall be addressed to the appropriate Party as follows:
If to Covered Entity:
Contact details provided in the Covered Entity account information
If to Business Associate:
ABBYY USA Software House, Inc.
890 Hillview Court,
Milpitas, CA 95035
Attn: General Counsel
3. Amendments. This BAA may not be changed or modified in any manner except by an instrument in writing signed by a duly authorized person of each of the Parties hereto. The Parties, however, agree to amend this BAA from time to time as necessary, in order to allow the Parties to comply with the requirements of the HIPAA Rules.
4. Choice of Law. This BAA and the rights and the obligations of the Parties hereunder shall be governed by and construed under the laws of the Agreement without regard to applicable conflict of laws principles.
5. Assignment of Rights and Delegation of Duties. This BAA is binding upon and inures to the benefit of the Parties and their respective successors and permitted assigns.
6. Nature of BAA. Nothing in this BAA shall be construed to create (i) a partnership, joint venture or other joint business relationship between the Parties or any of their affiliates, (ii) any fiduciary duty owed by one Party to another Party or any of its affiliates, or (iii) a relationship of employer and employee between the Parties.
7. Severability. The provisions of this BAA shall be severable, and if any provision of this BAA shall be held or declared to be illegal, invalid or unenforceable, the remainder of this BAA shall continue in full force and effect as though such illegal, invalid or unenforceable provision had not been contained herein.
8. No Third Party Beneficiaries. Nothing in this BAA shall be considered or construed as conferring any right or benefit on a person not party to this BAA nor imposing any obligations on either Party hereto to persons not a party to this BAA.
9. Headings. The descriptive headings of the articles, sections, subsections, exhibits and schedules of this BAA are inserted for convenience only, do not constitute a part of this BAA and shall not affect in any way the meaning or interpretation of this BAA.
10. Entire Agreement. This BAA, together with all exhibits, riders and amendments, if applicable, which are fully completed and signed by authorized persons on behalf of both Parties from time to time while this BAA is in effect, constitutes the entire BAA between the Parties hereto with respect to the subject matter hereof and supersedes all previous written or oral understandings, addendums, negotiations, commitments, and any other writing and communication by or between the Parties with respect to the subject matter hereof. In the event of any inconsistencies between any provisions of this BAA and any provisions of any exhibits, riders, or amendments, the provisions of this BAA shall control.
11. Interpretation. Any ambiguity in this BAA shall be resolved in favor of a meaning that permits the Parties to comply with the HIPAA Rules. The provisions of this BAA shall prevail over the provisions of any other prior agreement that exists between the Parties that may conflict with, or appear inconsistent with, any provision of this BAA or the HIPAA Rules, unless otherwise explicitly set forth in such agreement.
12. Regulatory References. A citation in this BAA to the Code of Federal Regulations shall mean the cited section as that section may be amended from time to time.