HIPAA Business Associate Agreement

Last Updated: January 2019

This HIPAA Business Associate Agreement (“BAA”) dated as of January 2019, is made a part of the Online Services Terms (“Agreement”) by and between the Licensee and ORHub Inc. Licensee and ORHub Inc. may collectively be referred to as the “Parties”, and each individually as a “Party”.

1. Definitions.

Except as otherwise defined in this BAA, capitalized terms shall have the definitions set forth in HIPAA, and if not defined by HIPAA, such terms shall have the definitions set forth in the Agreement.

“Breach Notification Rule” means the Breach Notification for Unsecured Protected Health Information Final Rule.

“Business Associate” shall have the same meaning as the term “business associate” in 45 CFR § 160.103 of HIPAA.

“Covered Entity” shall have the same meaning as the term “covered entity” in 45 CFR § 160.103 of HIPAA.

“Licensee”, for this BAA only, means Licensee and its Affiliates.

“HIPAA” collectively means the administrative simplification provision of the Health Insurance Portability and Accountability Act enacted by the United States Congress, and its implementing regulations, including the Privacy Rule, the Breach Notification Rule, and the Security Rule, as amended from time to time, including by the Health Information Technology for Economic and Clinical Health (“HITECH”) Act and by the Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules; Final Rule.

“ORHub Inc. Online Services”, for this BAA only, means Surgical Spotlight® services.

“Privacy Rule” means the Standards for Privacy of Individually Identifiable Health Information.

“Protected Health Information” shall have the same meaning as the term “protected health information” in 45 CFR § 160.103 of HIPAA, provided that it is limited to such protected health information that is received by ORHub Inc. from, or created, received, maintained, or transmitted by ORHub Inc. on behalf of, Licensee (a) through the use of the ORHub Inc. Online Services.

“Security Rule” means the Security Standards for the Protection of Electronic Protected Health Information.

2. Permitted Uses and Disclosures of Protected Health Information.

(a) Performance of the Agreement for ORHub Inc. Online Services. ORHub Inc. will not collect or store Personal Health Information (PHI) for its Surgical Spotlight product. Any PHI given to ORHub Inc. is a result of an error by Licensee; it will be permanently deleted upon discovery. ORHub Inc. is not liable for any PHI it receives, per the terms of ORHub Inc.’s privacy policy.

(b) Management, Administration, and Legal Responsibilities. Except as otherwise limited in this BAA, ORHub Inc. may Use and Disclose Protected Health Information for the proper management and administration of ORHub Inc. and/or to carry out the legal responsibilities of ORHub Inc., provided that any Disclosure may occur only if:

  1. Required by Law; or
  2. ORHub Inc. obtains written reasonable assurances from the person to whom the Protected Health Information is Disclosed that it will be held confidentially and Used or further Disclosed only as Required by Law or for the purpose for which it was Disclosed to the person, and the person notifies ORHub Inc. of any instances of which it becomes aware in which the confidentiality of the Protected Health Information has been breached.

3. Responsibilities of the Parties with Respect to Protected Health Information.

(a) ORHub Inc.’s Responsibilities. To the extent ORHub Inc. is acting as a Business Associate, ORHub Inc. agrees to the following:

(i) Limitations on Use and Disclosure. ORHub Inc. shall not Use and/or Disclose the Protected Health Information other than as permitted or required by the Agreement and/or this BAA or as otherwise Required by Law. ORHub Inc. shall not disclose, capture, maintain, scan, index, transmit, share or Use Protected Health Information for any activity not authorized under the Agreement and/or this BAA. ORHub Inc. Online Services shall not use Protected Health Information for any advertising, marketing or other commercial purpose of ORHub Inc. or any third party. ORHub Inc. shall not violate the HIPAA prohibition on the sale of Protected Health Information. ORHub Inc. shall make reasonable efforts to Use, Disclose, and/or request the minimum necessary Protected Health Information to accomplish the intended purpose of such Use, Disclosure, or request.

(ii) Safeguards. ORHub Inc. shall:

  1. use reasonable and appropriate safeguards to prevent inappropriate Use and Disclosure of Protected Health Information other than as provided for in this BAA; and
  2. comply with the applicable requirements of 45 CFR Part 164 Subpart C of the Security Rule.

(iii) Reporting. ORHub Inc. shall report to Licensee:

  1. any Use and/or Disclosure of Protected Health Information that is not permitted or required by this BAA of which ORHub Inc. becomes aware;
  2. any Security Incident of which it becomes aware, provided that notice is hereby deemed given for Unsuccessful Security Incidents and no further notice of such Unsuccessful Security Incidents shall be given; and/or
  3. any Breach of Licensee’s Unsecured Protected Health Information that ORHub Inc. may discover (in accordance with 45 CFR § 164.410 of the Breach Notification Rule). Notification of a Breach will be made without unreasonable delay, but in no event more than five (5) business days after ORHub Inc.’s determination of a Breach. Taking into account the level of risk reasonably likely to be presented by the Use, Disclosure, Security Incident, or Breach, the timing of other reporting will be made consistent with ORHub Inc.’s and Licensee’s legal obligations.

For purposes of this Section, “Unsuccessful Security Incidents” mean, without limitation, pings and other broadcast attacks on ORHub Inc.’s firewall, port scans, unsuccessful log-on attempts, denial of service attacks, and any combination of the above, as long as no such incident results in unauthorized access, acquisition, Use, or Disclosure of Protected Health Information. Notification(s) under this Section, if any, will be delivered to contacts identified by Licensee pursuant to Section 3(b)(ii) (Contact Information for Notices) of this BAA by any means ORHub Inc. selects, including through email. ORHub Inc.’s obligation to report under this Section is not and will not be construed as an acknowledgement by ORHub Inc. of any fault or liability with respect to any Use, Disclosure, Security Incident, or Breach.

(iv) Subcontractors. In accordance with 45 CFR §§ 164.502(e)(1)(ii) and 164.308(b)(2) of HIPAA, ORHub Inc. shall require its Subcontractors who create, receive, maintain, or transmit Protected Health Information on behalf of ORHub Inc. to agree in writing to:

  1. the same or more stringent restrictions and conditions that apply to ORHub Inc. with respect to such Protected Health Information;
  2. appropriately safeguard the Protected Health Information; and
  3. comply with the applicable requirements of 45 CFR Part 164 Subpart C of the Security Rule. ORHub Inc. remains responsible for its Subcontractors’ compliance with obligations in this BAA.

(v) Disclosure to the Secretary. ORHub Inc. shall make available its internal practices, records, and books relating to the Use and/or Disclosure of Protected Health Information received from Licensee to the Secretary of the Department of Health and Human Services for purposes of determining Licensee’s compliance with HIPAA, subject to attorney-client and other applicable legal privileges. ORHub Inc. shall respond to any such request from the Secretary in accordance with ORHub Inc.’s privacy policy.

(vi) Access. If ORHub Inc. maintains Protected Health Information in a Designated Record Set for Licensee, then ORHub Inc., at the request of Licensee, shall within fifteen (15) days make access to such Protected Health Information available to Licensee in accordance with 45 CFR § 164.524 of the Privacy Rule.

(vii) Amendment. If ORHub Inc. maintains Protected Health Information in a Designated Record Set for Licensee, then ORHub Inc., at the request of Licensee, shall within fifteen (15) days make available such Protected Health Information to Licensee for amendment and incorporate any reasonably requested amendment in the Protected Health Information in accordance with 45 CFR § 164.526 of the Privacy Rule.

(viii) Accounting of Disclosure. ORHub Inc., at the request of Licensee, shall within fifteen (15) days make available to Licensee such information relating to Disclosures made by ORHub Inc. as required for Licensee to make any requested accounting of Disclosures in accordance with 45 CFR § 164.528 of the Privacy Rule.

(ix) Performance of a Covered Entity’s Obligations. To the extent ORHub Inc. is to carry out a Covered Entity obligation under the Privacy Rule, ORHub Inc. shall comply with the requirements of the Privacy Rule that apply to Licensee in the performance of such obligation.

(b) Licensee Responsibilities.

(i) No Impermissible Requests. Licensee shall not request ORHub Inc. to Use or Disclose Protected Health Information in any manner that would not be permissible under HIPAA if done by a Covered Entity (unless permitted by HIPAA for a Business Associate).

(ii) Contact Information for Notices. Licensee hereby agrees that any reports, notification, or other notice by ORHub Inc. pursuant to this BAA may be made electronically. Licensee shall provide contact information to ORHub Inc. at hospitalcontractadmins@orhub.com for other ORHub Inc. Online Services (or such other location or method of updating contact information as ORHub Inc. may specify from time to time for each ORHub Inc. Online Service) and shall ensure that Licensee’s contact information remains up to date during the term of this BAA. Contact information provided to ORHub Inc. must include the security contact information; it also must include the name of the individual(s) to be contacted, the title of the individual(s) to be contacted, the e-mail address of the individual(s) to be contacted, the name of the Licensee organization, and, if available, Licensee’s contract number. (Failure to submit and maintain as current the aforementioned contact information may delay ORHub Inc.’s ability to provide Breach notification under this BAA.)

(iii) Safeguards and Appropriate Use of Protected Health Information. Licensee is responsible for implementing appropriate privacy and security safeguards to protect its Protected Health Information in compliance with HIPAA. Without limitation, it is Licensee’s obligation to:

  1. Not include Protected Health Information in:
    1. information Licensee submits to technical support personnel through a technical support request or to community support forums; and
    2. Licensee’s address book or directory information. In addition, ORHub Inc. does not act as, or have the obligations of, a Business Associate under HIPAA with respect to Licensee Data once it is sent to or from Licensee outside ORHub Inc. Online Services over the public Internet, or if Licensee fails to follow applicable instructions regarding physical media transported by a common carrier.
  2. Implement privacy and security safeguards in the systems, applications, and software Licensee controls, configures, and uploads into the ORHub Inc. Online Services.

4. Applicability of BAA.

This BAA is applicable to ORHub Inc. Online Services. ORHub Inc. may, from time to time, update the definition of ORHub Inc. Online Services in this BAA accordingly, and such updated definitions will apply to Licensee without additional action by Licensee. It is Licensee’s obligation to not store or process in an online service or provide to ORHub Inc. for performance of a professional service, protected health information (as that term is defined in 45 CFR § 160.103 of HIPAA) until this BAA is effective as to the applicable service.

5. Term and Termination.

(a) Term. This BAA shall continue in effect until the earlier of

  1. termination by a Party for breach as set forth in Section 5(b), below, or
  2. expiration of Licensee’s Agreement.

(b) Termination for Breach. Upon written notice, either Party immediately may terminate the Agreement and this BAA if the other Party is in material breach or default of any obligation in this BAA. Either party may provide the other a thirty (30) calendar day period to cure a material breach or default within such written notice.

(c) Return, Destruction, or Retention of Protected Health Information Upon Termination. Upon expiration or termination of this BAA, ORHub Inc. shall return or destroy all Protected Health Information in its possession, if it is feasible to do so, and as set forth in the applicable termination provisions of the Agreement. If it is not feasible to return or destroy any portions of the Protected Health Information upon termination of this BAA, then ORHub Inc. shall extend the protections of this BAA, without limitation, to such Protected Health Information and limit any further Use or Disclosure of the Protected Health Information to those purposes that make the return or destruction infeasible for the duration of the retention of the Protected Health Information.

6. Miscellaneous.

(a) Amendment to Comply with Law. The Parties acknowledge that state and federal laws relating to data security and privacy are rapidly evolving and that amendment of the Agreement or BAA may be required to provide for procedures to ensure compliance with such developments. The Parties specifically agree to take such action as is necessary to implement the standards and requirements of HIPAA. Upon the request of either party, the other party agrees to promptly enter into negotiations concerning the terms of an amendment to this BAA embodying written assurance consistent with the standards and requirements of HIPAA.

(b) Interpretation. The Parties intend that this BAA be interpreted consistently with their intent to comply with HIPAA and other applicable federal and state law. Except where this BAA conflicts with the Agreement, all other terms and conditions of the Agreement remain unchanged. Any captions or headings in this BAA are for the convenience of the Parties and shall not affect the interpretation of this BAA.

(c) BAAs; Waiver. This BAA may not be modified or amended except in a writing duly signed by authorized representatives of the Parties. A waiver with respect to one event shall not be construed as continuing, as a bar to, or as a waiver of any right or remedy as to subsequent events.

(d) No Third-Party Beneficiaries. Nothing express or implied in this BAA is intended to confer, nor shall anything in this BAA confer, upon any person other than the Parties, and the respective successors or assigns of the Parties, any rights, remedies, obligations, or liabilities whatsoever.

(e) Severability. In the event that any provision of this BAA is found to be invalid or unenforceable, the remainder of this BAA shall not be affected thereby, but rather the remainder of this BAA shall be enforced to the greatest extent permitted by law.

(f) No Agency Relationship. It is not intended that an agency relationship (as defined under the Federal common law of agency) be established hereby expressly or by implication between Licensee and ORHub Inc. under HIPAA or the Privacy Rule, Security Rule, or Breach Notification Rule. No terms or conditions contained in this BAA shall be construed to make or render ORHub Inc. an agent of Licensee.

(g) Miscellaneous. The terms of this BAA are hereby incorporated into the Agreement. Except as otherwise set forth in Section 6(b) of this BAA, in the event of a conflict between the terms of this BAA and the terms of the Agreement, the terms of this BAA shall prevail. ORHub Inc.’s obligations hereunder shall not be subject to any limitations of liability or remedies in the Agreement. The terms of the Agreement which are not modified by this BAA shall remain in full force and effect in accordance with the terms thereof. This BAA shall be governed by, and construed in accordance with, the laws of the state of Nevada exclusive of conflict of law rules. Each Party hereby agrees and consents that any legal action or proceeding with respect to this BAA shall only be brought in the courts of the state of Nevada. The rights and obligations under Section 3(a)(viii), Section 5(c), and Section 6 of this BAA shall survive the termination of the Agreement and the BAA. No amendments or modifications to the BAA shall be effective unless agreed upon by the Parties in writing.
