This BAA is available for Enterprise plan customers. Contact sales@findthebreach.com to execute a BAA.
This HIPAA Business Associate Agreement ("BAA") is entered into by and between Find The Breach ("Business Associate," "we," or "us") and the customer ("Covered Entity," "you," or "your") pursuant to the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), the Health Information Technology for Economic and Clinical Health Act of 2009 ("HITECH Act"), and their implementing regulations, including the HIPAA Privacy Rule (45 CFR Part 160 and Subparts A and E of Part 164), the HIPAA Security Rule (45 CFR Part 160 and Subparts A and C of Part 164), and the HIPAA Breach Notification Rule (45 CFR Part 160 and Subparts A and D of Part 164), collectively referred to as the "HIPAA Rules." This BAA supplements and forms part of the underlying service agreement between the parties for the provision of vulnerability scanning and penetration testing services (the "Service") and governs the use and disclosure of Protected Health Information ("PHI") that Business Associate may create, receive, maintain, or transmit on behalf of Covered Entity in connection with the Service.
1 Definitions
Capitalized terms used in this BAA and not otherwise defined shall have the meanings ascribed to them under the HIPAA Rules. The following definitions apply:
Protected Health Information (PHI)
Individually identifiable health information, in any form or medium, that is created, received, maintained, or transmitted by Business Associate on behalf of Covered Entity, as defined under 45 CFR §160.103.
Electronic Protected Health Information (ePHI)
PHI that is created, received, maintained, or transmitted in electronic media, as defined under 45 CFR §160.103.
Covered Entity
The customer, being a health plan, health care clearinghouse, or health care provider that transmits health information in electronic form in connection with a transaction covered by HIPAA, as defined under 45 CFR §160.103.
Business Associate
Find The Breach, which performs certain functions or activities on behalf of, or provides certain services to, Covered Entity that involve the use or disclosure of PHI, as defined under 45 CFR §160.103.
Breach
The acquisition, access, use, or disclosure of PHI in a manner not permitted under the HIPAA Privacy Rule which compromises the security or privacy of the PHI, as defined under 45 CFR §164.402.
Security Incident
The attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system, as defined under 45 CFR §164.304.
Subcontractor
A person or entity to whom Business Associate delegates a function, activity, or service, other than in the capacity of a member of the workforce of such Business Associate.
2 Permitted Uses and Disclosures of PHI
Business Associate shall not use or disclose PHI other than as permitted or required by this BAA or as required by law. Business Associate is permitted to use and disclose PHI solely for the following purposes:
- To perform vulnerability scanning, penetration testing, and related security assessment services on behalf of Covered Entity as described in the underlying service agreement
- To carry out the legal responsibilities of Business Associate, including compliance with the HIPAA Rules
- For the proper management and administration of Business Associate, provided that such disclosures are required by law or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will be held confidentially and used or further disclosed only as required by law or for the purpose for which it was disclosed
Business Associate shall not use or disclose PHI in a manner that would violate the HIPAA Rules if done by Covered Entity, except as expressly permitted under this Section. Business Associate shall not use or disclose PHI for marketing purposes, sell PHI, or use PHI for underwriting purposes.
3 Obligations of Business Associate
Business Associate agrees to the following obligations:
3.1 Safeguards
Business Associate shall implement and maintain appropriate administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of ePHI that it creates, receives, maintains, or transmits on behalf of Covered Entity, as required by the HIPAA Security Rule. Business Associate shall comply with the applicable requirements of 45 CFR Part 164, Subpart C, with respect to ePHI.
3.2 Reporting
Business Associate shall report to Covered Entity any use or disclosure of PHI not provided for by this BAA of which Business Associate becomes aware, including any Breach of Unsecured PHI and any Security Incident, in accordance with Section 4 of this BAA.
3.3 Subcontractors
Business Associate shall ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of Business Associate agree in writing to the same restrictions, conditions, and requirements that apply to Business Associate under this BAA with respect to such PHI, in accordance with 45 CFR §164.502(e)(1)(ii) and §164.308(b)(2).
3.4 Access to PHI
To the extent Business Associate maintains a Designated Record Set on behalf of Covered Entity, Business Associate shall make PHI maintained in such Designated Record Set available to Covered Entity as necessary to satisfy Covered Entity's obligations under 45 CFR §164.524, within fifteen (15) business days of receiving a written request from Covered Entity.
3.5 Amendment of PHI
To the extent Business Associate maintains a Designated Record Set on behalf of Covered Entity, Business Associate shall make PHI available for amendment and shall incorporate any amendments to PHI as directed by Covered Entity pursuant to 45 CFR §164.526, within fifteen (15) business days of receiving a written request from Covered Entity.
3.6 Accounting of Disclosures
Business Associate shall make available the information required to provide an accounting of disclosures to Covered Entity as necessary to satisfy Covered Entity's obligations under 45 CFR §164.528, within thirty (30) days of receiving a written request from Covered Entity.
3.7 Government Access
Business Associate shall make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of the U.S. Department of Health and Human Services for purposes of determining Covered Entity's compliance with the HIPAA Rules.
3.8 Minimum Necessary
Business Associate shall, to the extent practicable, limit its use, disclosure, or request of PHI to the minimum necessary to accomplish the intended purpose of such use, disclosure, or request, in accordance with 45 CFR §164.502(b).
4 Breach Notification
Business Associate shall report to Covered Entity any Breach of Unsecured PHI without unreasonable delay and in no event later than forty-eight (48) hours after discovery of such Breach, in accordance with the requirements of 45 CFR §164.410 and the HITECH Act. A Breach shall be treated as discovered by Business Associate as of the first day on which such Breach is known to Business Associate or, by exercising reasonable diligence, would have been known to Business Associate.
The notification to Covered Entity shall include, to the extent reasonably available:
- The identification of each individual whose Unsecured PHI has been, or is reasonably believed by Business Associate to have been, accessed, acquired, used, or disclosed during the Breach
- A description of the nature of the Breach, including the types of Unsecured PHI involved
- A description of what Business Associate has done or is doing to investigate the Breach, mitigate harm to individuals, and protect against further Breaches
- Any other details necessary for Covered Entity to fulfill its notification obligations under 45 CFR §§164.404 through 164.408
Business Associate shall cooperate with Covered Entity in investigating any Breach and shall provide reasonable assistance to Covered Entity in meeting its obligations under the HIPAA Breach Notification Rule, including any required notifications to affected individuals, the Secretary of HHS, and the media.
Business Associate shall also report to Covered Entity any Security Incident of which Business Associate becomes aware. The parties acknowledge that unsuccessful Security Incidents (such as pings, port scans, unsuccessful log-on attempts, or denial-of-service attacks that do not result in unauthorized access, use, or disclosure of PHI) occur routinely, and Business Associate shall provide notice of such unsuccessful incidents upon request.
5 Term and Termination
This BAA shall become effective on the date it is executed by both parties and shall remain in effect for the duration of the underlying service agreement, unless earlier terminated in accordance with this Section.
Either party may terminate this BAA and the underlying service agreement if the other party materially breaches any provision of this BAA and fails to cure such breach within thirty (30) days after receiving written notice of the breach. If cure is not reasonably possible, the non-breaching party may terminate this BAA immediately upon written notice.
Covered Entity may terminate this BAA immediately if Covered Entity determines that Business Associate has violated a material term of this BAA and cure is not possible. Upon any determination that Business Associate has breached a material term of this BAA, Covered Entity shall have the right, at its sole discretion, to either terminate this BAA and the underlying service agreement or, if termination is not feasible, report the breach to the Secretary of HHS.
6 Obligations Upon Termination
Upon termination of this BAA for any reason, Business Associate shall:
- Return to Covered Entity or destroy all PHI received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity, that Business Associate still maintains in any form, and retain no copies of such PHI
- If return or destruction is not feasible, extend the protections of this BAA to such PHI and limit further uses and disclosures to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such PHI
- Provide written certification to Covered Entity of the destruction of PHI within thirty (30) days of termination, where destruction is feasible
The obligations of Business Associate under this Section shall survive termination of this BAA.
7 Covered Entity Obligations
Covered Entity agrees to the following obligations in connection with this BAA:
- Covered Entity shall notify Business Associate of any limitations in its Notice of Privacy Practices under 45 CFR §164.520, to the extent that such limitation may affect Business Associate's use or disclosure of PHI
- Covered Entity shall notify Business Associate of any changes in, or revocation of, permission by an individual to use or disclose PHI, to the extent that such changes may affect Business Associate's use or disclosure of PHI
- Covered Entity shall notify Business Associate of any restriction to the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 CFR §164.522, to the extent that such restriction may affect Business Associate's use or disclosure of PHI
- Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under the HIPAA Rules if done by Covered Entity, except as expressly permitted in this BAA
- Covered Entity represents and warrants that it has obtained all necessary consents, authorizations, and permissions required under applicable law for the disclosure of PHI to Business Associate in connection with the Service
8 Limitations and Scope of Services
The parties acknowledge and agree that Find The Breach's security scanning and penetration testing services are not designed to intentionally access, store, or process Protected Health Information. The Service is directed at identifying security vulnerabilities in Covered Entity's systems and infrastructure. Any exposure to PHI during the course of providing the Service is incidental in nature.
This BAA is provided to address the possibility of incidental exposure to PHI that may occur during authorized security assessments. Notwithstanding anything to the contrary in this BAA:
- Business Associate does not intentionally access, index, copy, or retain PHI encountered during vulnerability scans or penetration tests
- Scan results and reports generated by the Service are designed to capture technical vulnerability data, not the content of health records or PHI
- Covered Entity is responsible for configuring its systems and access controls to minimize the exposure of PHI during security assessments
- Business Associate employs technical measures to minimize the retention of any data that may constitute PHI incidentally encountered during scans
Covered Entity acknowledges that the effectiveness of the safeguards described in this BAA is limited to the extent that Business Associate does not intentionally access or process PHI. Covered Entity is encouraged to implement appropriate de-identification or data segmentation measures before initiating security assessments on systems containing PHI.
9 General Provisions
Regulatory References. Any reference in this BAA to a section of the HIPAA Rules shall mean the section as in effect or as amended from time to time, and any comparable successor provisions.
Amendment. The parties agree to take such action as is necessary to amend this BAA from time to time as is necessary for compliance with the requirements of the HIPAA Rules and any other applicable law.
Interpretation. Any ambiguity in this BAA shall be resolved in favor of a meaning that permits both parties to comply with the HIPAA Rules.
No Third-Party Beneficiaries. Nothing express or implied in this BAA is intended to confer, nor shall anything herein confer, upon any person other than the parties and their respective successors and assigns, any rights, remedies, obligations, or liabilities whatsoever.
Entire Agreement. This BAA, together with the underlying service agreement and any attachments, constitutes the entire agreement between the parties with respect to the subject matter hereof and supersedes all prior negotiations, representations, and agreements relating to this subject matter.
10 Contact Information
For questions, concerns, or requests related to this Business Associate Agreement or HIPAA compliance, please contact:
To execute a BAA or inquire about Enterprise plan eligibility:
Email: sales@findthebreach.com
Download & Execute This BAA
Healthcare organizations can download this BAA for internal review and execution. Enterprise plan customers receive a countersigned copy.
Important: This BAA must be executed (signed by both parties) before Find The Breach processes any systems containing Protected Health Information. A signed BAA is required for HIPAA compliance. Enterprise plan required.