Last Updated: January 27th, 2021 with PHI usage and breach disclosure timeline clarifications
This Trillian HIPAA Business Associate Agreement ("BAA") forms part of the Trillian Customer Agreement available at https://trillian.im/legal/customer-agreement/ or other written or electronic agreement between Cerulean and Customer (the "Agreement") if: (i) Customer is a Covered Entity (as defined below) or Business Associate (as defined below); (ii) Customer includes PHI (as defined below) in its Customer Data (as defined in the Agreement); and (iii) Customer has purchased a paid subscription to the Enterprise version of the Business Trillian Services (as defined in the Agreement) and remains continuously on a paid subscription to the same. The parties intend that this BAA be interpreted consistently with their intent to comply with HIPAA and other applicable federal and state law. Except as expressly modified or amended under this BAA, the terms of the Agreement remain in full force and effect. If there is any conflict between a provision in this BAA and a provision in the Agreement, this BAA will control.
Unless you meet the eligibility requirements above, you acknowledge that Cerulean is not a Business Associate (as defined below) of yours and that you must not disclose, transmit, or otherwise process any PHI (as defined below) via or through the Trillian Services.
Capitalized terms used but not defined in this BAA have the meanings set forth in the Agreement. In this BAA, unless stated otherwise:
- "Breach" has the meaning given to it by 45 CFR § 164.402.
- "Breach Notification Rule" means the "Standards for Breach Notification for Unsecured Protected Health Information," 45 CFR Part 164, Subpart D, as may be revised from time to time by the Secretary, including the HITECH Omnibus Rule.
- "Business Associate" has the meaning given to it by 45 CFR § 160.103.
- "Covered Entity" has the meaning given to it by 45 CFR § 160.103.
- "Designated Record Set" has the meaning given to it by 45 CFR § 164.500.
- "HIPAA" means, collectively, the Breach Notification Rule, Privacy Rule, Security Rule, and HITECH Omnibus Rule.
- "HITECH Omnibus Rule" means the Modifications to the HIPAA Privacy, Security, Enforcement and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act, 78 Federal Register 5566 (January 25, 2013).
- "Individual" means the person who is the subject of PHI and includes a person who qualifies as a personal representative in accordance with 45 CFR § 164.502(g).
- "PHI" has the same meaning as the term "protected health information" in 45 CFR §160.103, limited to the information created, maintained or received by Cerulean from or on behalf of Customer; provided that when Customer stores information locally on its own Electronic Media (as defined in HIPAA), such information is not PHI and is not covered by this BAA.
- "Privacy Rule" means the "Standards for Privacy of Individually Identifiable Health Information," 45 CFR Part 160 and Part 164, Subparts A and E, as may be revised from time to time, including the HITECH Omnibus Rule.
- "Required by Law" has the same meaning given to it in 45 CFR § 164.103.
- "Secretary" means the Secretary of the United States Department of Health and Human Services.
- "Security Breach" means any Breach of Unsecured PHI or Security Incident of which Cerulean becomes aware.
- "Security Incident" has the same meaning given to it in 45 CFR § 164.304.
- "Security Rule" means the "Security Standards for the Protection of Electronic Protected Health Information," 45 CFR Part 160, Subpart A, and Part 164, Subparts A and C, as may be revised from time to time, including the HITECH Omnibus Rule.
- "Subcontractor" has the same meaning given to it in 45 CFR § 160.103.
- "Unsecured PHI" means PHI that is not secured through the use of a technology or methodology that renders such PHI unusable, unreadable or indecipherable to unauthorized individuals as specified in 45 CFR §164.402.
2. Roles and Responsibilities
Cerulean acknowledges and agrees that to the extent that it receives and maintains PHI, it is a Business Associate of Customer for purposes of HIPAA and this BAA. It is not intended that an agency relationship (as defined under the Federal common law of agency) be established hereby expressly or by implication between Customer and Cerulean under HIPAA or the Privacy Rule, Security Rule, or Breach Notification Rule. No terms or conditions contained in this BAA will be construed to make or render Cerulean an agent of Customer.
3. Cerulean's Obligations
3.1. Permitted Uses of PHI.
Cerulean will not use PHI other than as permitted by this BAA. Cerulean may use PHI: (i) in connection with the performance, management and administration of the Trillian Services; (ii) for the proper management and administration of Cerulean's business; (iii) to carry out Cerulean's legal responsibilities; (iv) to report violations of law consistent with 45 CFR § 164.502(j); and (v) to the extent and for any purpose authorized by an Individual under 45 CFR § 164.508. Notwithstanding the foregoing sentence, Cerulean will not use PHI in any manner that violates the Privacy Rule, or that would violate the Privacy Rule if so used by Customer (except for the purposes specified under 45 CFR § 164.504(e)(2)(i) relating to the proper management and administration of Cerulean and relating to data aggregation services).
3.2. Permitted Disclosures of PHI.
Cerulean will not disclose PHI other than as permitted by this BAA. Cerulean may disclose PHI: (i) in connection with the performance, management and administration of the Trillian Services; (ii) to report violations of law consistent with 45 CFR § 164.502(j); and (iii) to the extent and for any purpose authorized by an Individual under 45 CFR § 164.508. In addition, Cerulean may also disclose PHI to a third party for the proper management and administration of Cerulean's business and to carry out Cerulean's legal responsibilities; provided, that the disclosure is Required by Law, or Cerulean obtains, prior to the disclosure (i) reasonable assurances from the third party that the PHI will be held confidentially and used or further disclosed only as Required by Law or for the purpose for which it was disclosed to the third party, and (ii) an agreement from the third party that the third party will notify Cerulean immediately of any instances in which it knows the confidentiality of the information has been breached. Notwithstanding the foregoing, Cerulean will not disclose PHI in any manner that violates the Privacy Rule, or that would violate the Privacy Rule if so disclosed by Customer (except for the purposes specified under 45 CFR § 164.504(e)(2)(i) relating to the proper management and administration of Cerulean and relating to data aggregation services).
3.3. Minimum Necessary.
To the extent required by the Privacy Rule, Cerulean will only use and/or disclose the minimum amount of PHI necessary to accomplish the intended purpose of the use and/or disclosure. For this purpose, the determination of what constitutes the minimum necessary amount of PHI will be determined in accordance with Section 164.502(b) of the Privacy Rule; provided, however, that Customer and Cerulean hereby agree that it is not practicable to limit the use and/or disclosure of PHI to a limited data set.
3.4. Appropriate Safeguards.
Cerulean will maintain and use appropriate and commercially reasonable safeguards to prevent use and/or disclosure of PHI other than as permitted or required in this BAA.
Cerulean will take appropriate measures to ensure that any Subcontractors used by Cerulean to perform its obligations under the Agreement that require access to PHI on behalf of Cerulean are bound by written obligations that provide the same material level of protection for PHI as this BAA. To the extent Cerulean uses Subcontractors in its performance of obligations hereunder, Cerulean will remain responsible for their performance as if performed by Cerulean.
3.6. Certain HITECH Omnibus Rules.
Cerulean will not (a) engage in activities that constitute "marketing" involving "financial remuneration" as each of those terms is defined in 45 CFR § 164.501 or (b) receive any remuneration, directly or indirectly, for the sale or exchange of PHI, unless Cerulean first obtains the applicable Individual authorizations.
3.7. Access and Amendment.
Customer acknowledges and agrees that Customer is solely responsible for the form and content of PHI maintained by Customer within the Trillian Services, including whether Customer maintains such PHI in a Designated Record Set within the Trillian Services. Cerulean will provide Customer with access to Customer's PHI via the Trillian Services so that Customer may fulfill its obligations under HIPAA with respect to Individuals' rights of access and amendment but will have no other obligations to Customer or any Individual with respect to the rights afforded to Individuals by HIPAA with respect to Designated Record Sets, including rights of access or amendment of PHI. Customer is responsible for managing its use of the Trillian Services to appropriately respond to such Individual requests.
3.8. Accounting of Disclosures.
Cerulean will document disclosures of PHI by Cerulean and provide an accounting of such disclosures to Customer as and to the extent required of a Business Associate under HIPAA and in accordance with the requirements applicable to a Business Associate under HIPAA.
3.9. Access by Secretary.
To the extent Required by Law, and subject to applicable attorney client privileges, Cerulean will make its internal practices, books, policies, protocols and records concerning the use and disclosure of PHI available to the Secretary for the purpose of the Secretary determining compliance with HIPAA.
3.10.1. Notice of Security Breach.
Subject to Section 3.10.3, Cerulean will, within ten (10) business days, notify Customer following Cerulean's discovery of a Security Breach in accordance with HIPAA and in the most expedient time possible under the circumstances, consistent with the legitimate needs of applicable law enforcement and applicable laws, and after taking any measures Cerulean deems necessary to determine the scope of the Security Breach and to restore the reasonable integrity of Cerulean's systems.
To the extent practicable, Cerulean will use commercially reasonable efforts to mitigate any further harmful effects of a Security Breach caused by Cerulean.
3.10.3. Unsuccessful Security Breaches.
Notwithstanding Section 3.10.1, this Section 3.10.3 will be deemed as notice to Customer that Cerulean periodically receives unsuccessful attempts for unauthorized access, use, disclosure, modification or destruction of information, or interference with the general operation of Cerulean's information systems and the Trillian Services. Customer acknowledges and agrees that even if such events constitute a Security Incident as that term is defined under HIPAA, Cerulean will not be required to provide any notice under this BAA regarding such unsuccessful attempts other than this Section 3.10.3.
4. Customer's Obligations
4.1. Authorized Users.
Customer is solely responsible for managing whether Customer's Authorized Users are authorized to share, disclose, create, and/or use PHI within the Trillian Services.
Customer warrants that it has obtained and will obtain any consents, authorizations and/or other legal permissions required under HIPAA and/or other applicable law for the disclosure of PHI to Cerulean. Customer will notify Cerulean of any changes in, or revocation of, the permission by an Individual to use or disclose his or her PHI, to the extent that such changes may affect Cerulean's use or disclosure of PHI. Customer will not agree to any restriction on the use or disclosure of PHI under 45 CFR § 164.522 that restricts Cerulean's use or disclosure of PHI under the Agreement unless such restriction is Required by Law.
4.3. Appropriate Safeguards and Use of PHI.
Customer is responsible for implementing appropriate privacy and security safeguards to protect its PHI in compliance with HIPAA. Without limitation, it is Customer's obligation to not include PHI in information Customer submits to technical support personnel through a technical support request or to community support forums. Cerulean does not act as, or have the obligations of, a Business Associate under HIPAA with respect to Customer Data once it is sent to or from Customer outside the Trillian Services over the public Internet, or if Customer fails to follow applicable instructions regarding physical media transported by a common carrier. In addition, it is Customer's obligation to implement the privacy and security controls recommended by Cerulean in its HIPAA compliance guidelines available at https://trillian.im/help/best-practices-for-hipaa-compliance/
5. Term and Termination
This BAA will continue in effect until the earlier of (i) a permitted termination in accordance with Section 5.2 below, or (ii) the expiration or termination of the Agreement.
5.2. Termination for Breach.
Upon written notice, either party may immediately terminate the Agreement and this BAA if the other party is in material breach or default of any obligation in this BAA. Either party may provide the other a thirty (30) calendar day period to cure a material breach or default within such written notice.
5.3. Return, Destruction, or Retention of PHI Upon Termination.
Upon expiration or termination of the Agreement, Cerulean will return or destroy all PHI received from Customer, or created or received by Cerulean on behalf of Customer; provided, however, that if such return or destruction is not feasible, Cerulean will extend the protections of this BAA to the PHI not returned or destroyed and limit further uses and disclosures to those purposes that make the return or destruction of the PHI infeasible.