DermDetect Business Associate Agreement for Customers
This DermDetect Business Associate Agreement (“BA Agreement”) becomes effective as of the date on which the authorized party accepting this BA Agreement completes the electronic acceptance process and signs the consent and release of liability agreement prior to any screening. The authorized party electronically accepting this BA Agreement represents and warrants that it has the authority to bind Customer (as defined in the DermDetect End User Services Agreement or other applicable agreement (“Underlying Agreement”)) and to agree to the terms and conditions of this BA Agreement.
Pursuant to the Underlying Agreement, DermDetect distributes services to Customer. In connection with such services, DermDetect may receive, use, and/or disclose for or on behalf of Customer certain Protected Health Information relating to individuals that is subject to protection under HIPAA.
Customer represents it is a Covered Entity or a Business Associate of a Covered Entity. By reason of such activities, the parties believe that DermDetect is a Business Associate of Customer in the delivery of the DermDetect HIPAA Services to Customer. Customer and DermDetect wish to comply in all respects with the requirements of HIPAA applicable to the relationship between covered entities and their business associates.
This BA Agreement shall be limited exclusively to Customer’s use of the DermDetect HIPAA Services, as that term is defined below, and shall apply to no other agreements, products, or services of DermDetect.
1. Definitions. Terms used, but not otherwise defined, in this BA Agreement shall have the same meaning as those terms set forth in the Privacy Rule or the Security Rule.
(a) Breach. “Breach” shall mean the unauthorized acquisition, access, use or disclosure of Protected Health Information in a manner not permitted under the Privacy Rule which compromises the security or privacy of such information. “Breach” excludes:
(i) any unintentional acquisition, access, or use of Protected Health Information by a workforce member or person acting under the authority of Customer or DermDetect, if such acquisition, access, or use was made in good faith and within the scope of authority and does not result in further use or disclosure in a manner not permitted under the Privacy Rule;
(ii) any inadvertent disclosure by a person who is authorized to access Protected Health Information at Customer or DermDetect to another person authorized to access Protected Health Information at Customer or DermDetect, if the information received as a result of such disclosure is not further used or disclosed in a manner not permitted under the Privacy Rule; and
(iii) a disclosure of Protected Health Information where Customer or DermDetect has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.
Except as provided in exceptions (i)-(iii) above, the acquisition, access, use, or disclosure of Protected Health Information in a manner not permitted under the Privacy Rule is presumed to be a Breach unless the Customer or DermDetect, as applicable, demonstrates that there is a low probability that the Protected Health Information has been compromised based on a risk assessment of at least the following factors:
(i) the nature and extent of the Protected Health Information involved, including the types of identifiers and the likelihood of re-identification;
(ii) the unauthorized person who used the Protected Health Information or to whom the disclosure was made;
(iii) whether the Protected Health Information was actually acquired or viewed; and
(iv) the extent to which the risk to the Protected Health Information has been mitigated.
(b) Business Associate. “Business Associate” has the same meaning as the term “business associate” in 45 CFR § 160.103.
(c) Covered Entity. “Covered Entity” has the same meaning as the term “covered entity” in 45 CFR § 160.103.
(d) DermDetect HIPAA Services. “DermDetect HIPAA Services” shall mean the services listed at https://www.DermDetect.com/about/trust-center/DermDetect-hipaa-services.html, provided to Customer pursuant to the Underlying Agreement, for which Customer has paid the applicable fees. To comply with the Privacy Rule and the Security Rule, some features or functionality of the DermDetect HIPAA Services may be limited or unavailable. Customer must configure and operate the DermDetect HIPAA Services in accordance with DermDetect’s HIPAA documentation, as described at https://www.DermDetect.com/about/trust-center/DermDetect-hipaa-documentation.html. DermDetect may, in its sole discretion, modify the list of DermDetect HIPAA Services at any time to add or remove Services. DermDetect will provide at least 6 months prior notice at the page linked above if DermDetect decides to remove an existing service from the DermDetect HIPAA Services. However, DermDetect will not be obligated to provide notice under the prior sentence if the removal is necessary to address an emergency or threat to the security or integrity of DermDetect, respond to claims, litigation, or loss of license rights related to third-party intellectual property rights, or comply with the law or requests of a government entity.
(e) Designated Record Set. “Designated Record Set” has the same meaning as the term “designated record set” in 45 CFR § 164.501.
(f) Electronic Protected Health Information. “Electronic Protected Health Information” has the same meaning as the term “electronic protected health information” in 45 CFR § 160.103, limited to the information received by DermDetect from or on behalf of Customer.
(g) HIPAA. “HIPAA” means the Health Insurance Portability and Accountability Act of 1996, as amended or modified, including by the Health Information Technology for Economic and Clinical Health Act, and its implementing rules and regulations.
(h) Individual. “Individual” has the same meaning as the term “individual” in 45 CFR § 160.103.
(i) Privacy Rule. “Privacy Rule” shall mean the Standards for Privacy of Individually Identifiable Health Information at 45 CFR part 160 and part 164, subparts A and E.
(j) Protected Health Information. “Protected Health Information” shall have the same meaning as the term “protected health information” in 45 CFR § 160.103, limited to the information received by DermDetect from or on behalf of Customer.
(k) Required by Law. “Required by Law” has the same meaning as the term “required by law” in 45 CFR § 164.103.
(l) Secretary. “Secretary” has the same meaning as the term “secretary” in 45 CFR § 160.103.
(m) Security Incident. “Security Incident” shall mean the attempted or successful unauthorized access, use, disclosure, modification or destruction of information or interference with system operations in an information system that provides access to Electronic Protected Health Information.
(n) Security Rule. “Security Rule” shall mean the Security Standards for the Protection of Electronic Protected Health Information at 45 CFR part 164 subpart C.
2. Obligations and Activities of DermDetect. DermDetect agrees to:
(a) not use or further disclose Protected Health Information other than as permitted or required by this BA Agreement or as Required by Law.
(b) use, disclose and request only the minimum necessary amount of Protected Health Information necessary to perform its services for Customer.
(c) use appropriate safeguards and comply with the Security Rule with respect to Electronic Protected Health Information to prevent use or disclosure of the Protected Health Information other than in accordance with this BA Agreement.
(d) mitigate, to the extent practicable, any harmful effect that is known to DermDetect of a use or disclosure of Protected Health Information by DermDetect in violation of the requirements of this BA Agreement, the Privacy Rule or the Security Rule.
(e) report to Customer any use or disclosure of the Protected Health Information not in accordance with this BA Agreement of which DermDetect becomes aware, including any Breach of unsecured Protected Health Information and any Security Incident. For all reporting obligations under this BA Agreement, the parties acknowledge that, because DermDetect does not know the nature of the Protected Health Information contained in any of the Customer’s accounts, it will not be possible for DermDetect to provide information about the identities of the Individuals who may have been affected, or a description of the type of information that may have been subject to a Security Incident or Breach.
(f) in accordance with the Privacy Rule and the Security Rule, ensure that any subcontractor to whom it provides Protected Health Information agrees to the same restrictions and conditions that apply to DermDetect with respect to such information.
(g) to the extent any Protected Health Information is in a Designated Record Set, make available Protected Health Information to the extent, for the purposes and in the manner required by 45 CFR §164.524 (Access of Individuals to Protected Health Information) and 45 CFR §164.526 (Amendment of Protected Health Information) and incorporate any amendment to Protected Health Information as required under 45 CFR §164.526.
(h) to the extent DermDetect is to carry out one or more of Customer’s obligations under the Privacy Rule, DermDetect shall comply with the requirements of the Privacy Rule that apply to Customer in the performance of such obligations.
(i) make internal practices, books, and records relating to the use and disclosure of Protected Health Information received from, or received by DermDetect on behalf of, Customer available to the Secretary for purposes of the Secretary determining Customer's compliance with the Privacy Rule or the Security Rule.
(j) document such disclosures of Protected Health Information and information related to such disclosures as would be required for Customer to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 CFR § 164.528 (Accounting of disclosures of Protected Health Information). For avoidance of doubt, DermDetect will document and make available to Customer the information required to provide an accounting of disclosures in accordance with 45 CFR § 164.528 of which DermDetect is aware if requested by the Customer. Because DermDetect cannot readily identify which Individuals are identified or what types of Protected Health Information are included in a Customer’s accounts, Customer will be solely responsible for identifying which Individuals, if any, may have been included in Customer data that may have been disclosed and for providing a brief description of the Protected Health Information disclosed.
(k) provide to Customer, at a time and in a manner agreed by the parties, information collected in accordance with Section 2(j) of this BA Agreement to permit Customer to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 CFR § 164.528.
3. Permitted Uses and Disclosures by DermDetect.
(a) General Use and Disclosure Provisions. Subject to the terms of this BA Agreement, DermDetect may use or disclose Protected Health Information to provide the DermDetect HIPAA Services to Customer, provided that such use or disclosure would not violate the Privacy Rule if done by Customer.
(b) Specific Use and Disclosure Provisions. DermDetect may use or disclose Protected Health Information for the proper management and administration of DermDetect (such as for the purposes of quality improvement, product or service testing, support, and system maintenance) or to carry out the present and/or future legal responsibilities of DermDetect; provided that DermDetect shall disclose such Protected Health Information only: (i) as Required by Law or (ii) to persons from which DermDetect obtains reasonable assurances that it will remain confidential and be used or further disclosed only as Required by Law or for the purpose for which it was disclosed to the person, and that the person will notify DermDetect of any instances of which it is aware in which the confidentiality of the information has been breached.
(c) Report Violations of Law. DermDetect may use Protected Health Information to report violations of law to appropriate Federal and State authorities consistent with 45 CFR § 164.502(j)(1).
(d) Data Aggregation. DermDetect may use Protected Health Information to aggregate data as permitted by 45 C.F.R. § 164.504(e)(2)(i)(B).
(e) De-Identification. DermDetect may use Protected Health Information to create de-identified information pursuant to the requirements set forth at 45 C.F.R. § 164.514(a)-(c).
4. Obligations of Customer. Customer agrees that, to the extent applicable, it:
(a) will configure and operate the DermDetect HIPAA Services only in accordance with DermDetect’s HIPAA documentation, available at https://www.DermDetect.com/about/trust-center/DermDetect-hipaa-documentation.html.
(b) will not upload PHI to any service that is not designated as a DermDetect HIPAA Service. DermDetect does not act as a Business Associate with respect to any services other than the DermDetect HIPAA Services.
(c) has included, and will include, in the Customer’s Notice of Privacy Practices required by the Privacy Rule, a provision stating that the Customer may disclose Protected Health Information for health care operations and payment purposes. Upon request, Customer will provide DermDetect with a copy of Customer’s Notice of Privacy Practices, as well as any changes to such Notice.
(d) has provided to DermDetect notice of any limitation(s) in Customer’s Privacy Practices to the extent such limitation(s) may affect DermDetect’s performance of services for Customer or use or disclosure of Protected Health Information.
(e) will provide, upon the reasonable request of DermDetect, copies of any consent, authorization, acknowledgment or permission by an Individual to use or disclose Protected Health Information which may affect DermDetect’s performance of services for Customer or use or disclosure of Protected Health Information.
(f) has obtained, and will obtain, from Individuals consents, authorizations and other permissions (if any) necessary or required by laws applicable to Customer for DermDetect and Customer to fulfill their respective obligations under this BA Agreement.
(g) will provide DermDetect with any changes in, or revocation of, permission by an Individual to use or disclose Protected Health Information, if such changes affect DermDetect's performance of services for Customer or use or disclosure of Protected Health Information.
(h) will notify DermDetect of any restriction to the use or disclosure of Protected Health Information that it has agreed to in accordance with 45 CFR § 164.522, to the extent that such restriction may affect DermDetect’s use or disclosure of Protected Health Information.
(i) will, upon request of DermDetect, notify DermDetect of the name of and contact information for the privacy official designated by Customer in accordance with 45 CFR § 164.530.
5. Permissible Requests by Customer. Customer shall not request DermDetect to use or disclose Protected Health Information in any manner that would not be permissible under the Privacy Rule if done by Customer, except as set forth in Section 3(b) above.
6. Term and Termination.
(a) Term. This BA Agreement shall remain in effect for so long as the Underlying Agreement is in effect between Customer and DermDetect for DermDetect to perform activities or services for or on behalf of Customer. Upon the termination of any such Underlying Agreement, this BA Agreement automatically terminates without notice.
(b) Termination for Breach. Customer shall have the right to terminate this BA Agreement upon any material breach of this BA Agreement; provided, however, that prior to any such termination, Customer shall provide DermDetect with notice of the existence of an alleged material breach and provide DermDetect an opportunity to cure the alleged material breach. In the event DermDetect fails to cure the material breach within thirty (30) days of receipt of written notice, Customer may thereafter immediately terminate this BA Agreement.
(c) Effect of Termination.
(i) Except as provided in paragraph (ii) of this Section, upon termination of this BA Agreement for any reason, DermDetect shall return or destroy all Protected Health Information received from Customer, or created or received by DermDetect on behalf of Customer, or convert such Protected Health Information to a de-identified format consistent with the Privacy Rule. This provision shall also apply to Protected Health Information that is in the possession of subcontractors or agents of DermDetect. DermDetect shall retain no copies of the Protected Health Information.
(ii) In the event that DermDetect determines that returning or destroying the Protected Health Information is infeasible, DermDetect shall provide to Customer notification of the conditions that make return or destruction infeasible. DermDetect shall extend the protections of the BA Agreement to such Protected Health Information and limit further uses and disclosures of such Protected Health Information to those purposes that make the return or destruction infeasible, for so long as DermDetect maintains such Protected Health Information. The parties agree that to the extent that DermDetect is Required by Law to maintain copies of Protected Health Information, return of such Protected Health Information shall be deemed infeasible and DermDetect shall have the right to retain such Protected Health Information as Required by Law; provided, however, that DermDetect shall only use or disclose such Protected Health Information for the purposes of and as Required by Law. The respective rights and obligations of DermDetect under Section 6 of this BA Agreement shall survive the termination of this BA Agreement.
7. Miscellaneous.
(a) Regulatory References. A reference in this BA Agreement to a section in the Privacy Rule or the Security Rule means the section as in effect or as amended, and for which compliance is required.
(b) Amendment. The Parties agree to take such action as is reasonably necessary to amend this BA Agreement from time to time as is necessary for Customer or DermDetect, as applicable, to comply with the requirements of HIPAA.
(c) Survival. The respective rights and obligations of DermDetect under Section 6 of this BA Agreement shall survive the termination of this BA Agreement.
(d) Interpretation. Any ambiguity in this BA Agreement shall be resolved in favor of a meaning that permits Customer or DermDetect, as applicable, to comply with HIPAA. Any conflict between the terms of this BA Agreement and any other agreement relating to the same subject matter, which is the Business Associate requirements under HIPAA, shall be resolved so that the terms of this BA Agreement supersede and replace the relevant terms of any such other agreement.
(e) No Beneficiary. There are no third-party beneficiaries to this BA Agreement, including but not limited to any Individuals who are subject of the Protected Health Information.
(f) Governing Law. Except to the extent that HIPAA or other federal law applies, the governing law and jurisdiction to resolve any dispute that arises with respect to this BA Agreement are as specified in the Underlying Agreement.
(g) Integration. This BA Agreement is the sole and complete agreement between the parties relating to obligations under HIPAA, and supersedes any prior agreements, understandings, and communications relating thereto. Notwithstanding the foregoing, the Underlying Agreements shall govern all other terms between the parties including without limitation, terms related to the services provided, payment obligations, and limitation of liability with respect to both the Underlying Agreements and this BA Agreement.
(h) Severability. The provisions of this BA Agreement shall be severable, and if any provision of this BA Agreement shall be held or declared to be illegal, invalid or unenforceable, the remainder of this BA Agreement shall continue in full force and effect as though such illegal, invalid or unenforceable provision had not been contained herein.