Effective Date: February 2022
This Business Associate Addendum (this “BAA”) is subject to the underlying services agreement between Alight (referred to herein as “Business Associate”) and Client (the “Services Agreement”). Client enters into this BAA on behalf of itself and its group health plan(s) (each such group health plan, a “Covered Entity” and, together with Client and Business Associate, each a “Party” and collectively the “Parties”). This BAA is intended to facilitate compliance with HIPAA Laws (as defined below) with respect to any PHI (as defined below) that Business Associate may create, receive, maintain or transmit in connection with the functions, activities and services that Business Associate performs for Client under the Services Agreement. In consideration of the mutual covenants contained herein, and other valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the Parties agree as follows:
Section 1. Definitions.
1.1. Capitalized terms used but not otherwise defined herein shall have the meanings ascribed thereto in the Services Agreement. Any capitalized terms used but not otherwise defined herein or in the Services Agreement shall have the meanings ascribed thereto under HIPAA Laws, including the following terms: Authorization; Breach; Data Aggregation; Designated Record Set; Individual; Required By Law; Secretary; Security Incident; and Subcontractor. The terms “use”, “disclose” and “discovery”, and derivations thereof, although not capitalized, shall also have the meanings ascribed thereto under HIPAA Laws.
1.2. “HIPAA Laws” means (a) the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), (b) the privacy standards at 45 C.F.R. Part 160 and Subparts A and E of Part 164 (the “Privacy Rule”), (c) the security standards at 45 C.F.R. Parts 160 and 162 and Subparts A and C of Part 164 (the “Security Rule”), (d) the notification standards at 45 C.F.R. Subpart D of Part 164 (the “Notification Rule”) and (e) Subtitle D of the Health Information Technology for Economic and Clinical Health Act, Division A, Title XIII of Pub. L. No. 111-5, and its implementing regulations (the “HITECH Act”) and the regulations promulgated thereunder, including the HIPAA omnibus final rule. Any reference herein to a section of the Code of Federal Regulations, the Privacy Rule, the Security Rule or any other section of HIPAA Laws means such section, as amended from time to time.
1.3. “PHI” means “protected health information”, “ePHI” means “electronic protected health information” and “Unsecured PHI” means “unsecured protected health information”, in each case, as defined under the HIPAA Laws but only to the extent created, received, maintained or transmitted by Business Associate on behalf of Covered Entity. For the avoidance of doubt, PHI, ePHI and Unsecured PHI shall not include “employment records” as provided under HIPAA Laws.
Section 2. Obligations of Business Associate.
2.1. Permissible Uses and Disclosures. Business Associate agrees to not use or disclose PHI other than as permitted or required by this BAA or as Required by Law.
2.2. Safeguards. Business Associate agrees to use appropriate safeguards to prevent use or disclosure of PHI by Business Associate other than as provided for by this BAA. Business Associate agrees to implement administrative, physical and technical safeguards, and policies and procedures, to reasonably and appropriately protect the confidentiality, integrity and availability of ePHI as required by the Security Rule.
2.3. Mitigation. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate resulting from a use or disclosure of PHI by Business Associate in violation of this BAA.
2.4. Reporting Impermissible Uses and Disclosures. Business Associate agrees to report to Covered Entity any use or disclosure of PHI by Business Associate not permitted or required by this BAA of which Business Associate becomes aware.
2.5. Reporting Security Incidents. Business Associate agrees to report to Covered Entity any Security Incident of which Business Associate becomes aware. The Parties acknowledge and agree that this Section constitutes notice by Business Associate to Covered Entity of the ongoing existence and occurrence of Security Incidents that do not result in unauthorized access, use or disclosure of PHI (including pings and other broadcast attacks on Business Associate’s firewall, port scans, denial-of-service attacks or any combination of the above) for which further notice shall not be required.
2.6. Reporting Breaches. Business Associate agrees to report to Covered Entity any Breach of Unsecured PHI of which it becomes aware without unreasonable delay and in no case later than 5 days after discovery of such Breach. Any such report shall include, to the extent possible, the identification of each Individual whose Unsecured PHI has been or is reasonably believed by Business Associate to have been, accessed, acquired, used or disclosed during such Breach. In addition, Business Associate agrees to provide any other available information with respect to any such Breach that is reasonably requested by Covered Entity for purposes of providing notification to affected Individuals as required under the Notification Rule, including, to the extent possible, the date of such Breach, the date of discovery of such Breach, the types of Unsecured PHI involved in such Breach and a brief description of what Business Associate is doing to investigate such Breach, to mitigate harm to affected Individuals and to protect against any such further Breaches.
2.7. Subcontractors. Business Associate agrees to ensure that any Subcontractor that creates, receives, maintains or transmits PHI on behalf of Business Associate agrees to the same or substantially similar restrictions and conditions that apply to Business Associate under this BAA with respect to such PHI.
2.8. Governmental Audits. Business Associate agrees to make its internal practices, books and records, including policies and procedures, relating to the use and disclosure of PHI available to the Secretary for purposes of the Secretary determining Covered Entity’s compliance with the Privacy Rule. Covered Entity agrees to notify Business Associate in writing within 10 days of receiving any such request from the Secretary.
2.9. Accounting of Disclosures. Business Associate agrees to maintain information as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures pursuant to 45 C.F.R. § 164.528. Upon written request by Covered Entity, Business Associate agrees to make available, within 45 days of receiving such written request, any such information to Covered Entity (or, at Covered Entity’s direction, the applicable Individual) to the extent necessary for Covered Entity to comply with its obligations under 45 C.F.R. § 164.528. If Business Associate receives a request from an Individual for an accounting of disclosures of PHI pursuant to 45 C.F.R. § 164.528, Business Associate agrees to promptly notify Covered Entity of such request and, unless otherwise directed by Covered Entity, to make available to such Individual, within 60 days of receiving such request, the information regarding such accounting in its possession in accordance with such request and HIPAA Laws. For the avoidance of doubt, if, during the period covered by any accounting, Business Associate has made multiple disclosures to the same person or entity (including a Covered Entity) for a single purpose, Business Associate may provide Covered Entity or the Individual (as applicable) (a) the information required by 45 C.F.R. § 164.528(b)(2) for the first such disclosure, (b) the frequency, periodicity or number of such disclosures and (c) the date of the last such disclosure.
2.10. Access to PHI. Upon written request by Covered Entity, Business Associate agrees to make available, within 20 days of receiving such written request, any PHI in its possession that is contained in a Designated Record Set to Covered Entity (or, at Covered Entity’s direction, the applicable Individual) to the extent necessary for Covered Entity to comply with its obligations under 45 C.F.R. § 164.524. If Business Associate receives a request from an Individual to make PHI available pursuant to 45 C.F.R. § 164.524, Business Associate agrees to promptly notify Covered Entity of such request and, unless otherwise directed by Covered Entity, to make available to such Individual, within 30 days of receiving such request, any PHI in its possession that is contained in a Designated Record Set for such Individual in accordance with such request and HIPAA Laws.
2.11. Amending PHI. Upon written request by Covered Entity, Business Associate agrees to amend, within 45 days of receiving such written request, any PHI in its possession that is contained in a Designated Record Set to the extent necessary for Covered Entity to comply with its obligations under 45 C.F.R. § 164.526. If Business Associate receives a request from an Individual to amend PHI pursuant to 45 C.F.R. § 164.526, Business Associate agrees to promptly notify Covered Entity of such request and, unless otherwise directed by Covered Entity, to amend, within 60 days of receiving such request, any PHI in its possession that is contained in a Designated Record Set for such Individual in accordance with such request and HIPAA Laws; provided that, if such Individual requests that Business Associate make an amendment that Business Associate is not permitted to make pursuant to the terms of the Services Agreement, then Business Associate shall refer such Individual to the Covered Entity.
2.12. Minimum Necessary. When using or disclosing PHI or when requesting PHI, Business Associate agrees to make reasonable efforts to limit such PHI to the minimum necessary to accomplish the intended purpose of such use, disclosure or request as required by 45 C.F.R. § 164.502(b). Business Associate will determine what constitutes the minimum necessary to accomplish the intended purpose of such use, disclosure or request in accordance with the relevant provisions of HIPAA Laws (including 45 C.F.R. § 164.514(d)) and related guidance issued by the Secretary.
2.13. Covered Entity’s Obligations. To the extent Business Associate is to carry out Covered Entity’s obligation under the Privacy Rule, Business Associate agrees to comply with the requirements of the Privacy Rule that apply to Covered Entity in the performance of such obligation.
Section 3. Permitted Uses and Disclosures by Business Associate.
3.1. Business Associate may use or disclose PHI (a) as permitted or required by the Services Agreement provided that such use or disclosure would not violate the requirements of the Privacy Rule if done by Covered Entity or Client, on behalf of Covered Entity, (b) as permitted or required by this BAA, (c) as Required by Law or (d) as otherwise directed by Covered Entity or Client, on behalf of Covered Entity.
3.2. Business Associate may use PHI for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate.
3.3. Business Associate may disclose PHI for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate if such disclosures are (a) Required by Law or (b) Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will be held confidentially and used or further disclosed only as Required by Law or for the purpose for which it was disclosed to such person, and such person notifies Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.
3.4. Business Associate may use PHI to provide Data Aggregation services to Covered Entity as permitted by 45 C.F.R. § 164.504(e)(2)(i)(B).
3.5. Business Associate may de-identify PHI, provided that the de-identification process conforms to the requirements of 45 C.F.R. § 164.514(b).
3.6. Business Associate may use and disclose PHI to report violations of law to appropriate Federal and State authorities, consistent with 45 C.F.R. § 164.502(j)(1).
Section 4. Obligations of Covered Entity.
4.1. Covered Entity or Client shall notify Business Associate of any limitation(s) in the respective notice of privacy practices that Covered Entity produces in accordance with the Privacy Rule and any changes or limitations to such notice under 45 C.F.R. § 164.520 to the extent that such change or limitation may affect Business Associate’s use or disclosure of PHI.
4.2. Covered Entity or Client shall notify Business Associate of any changes in or revocation of permission by an Individual to use or disclose PHI to the extent that such change or revocation may affect Business Associate’s use or disclosure of PHI.
4.3. Covered Entity or Client shall notify Business Associate of any restriction to the use or disclosure of PHI that Covered Entity has agreed to or is required to abide by under 45 C.F.R. § 164.522 to the extent that such restriction may affect Business Associate’s use or disclosure of PHI; provided that neither Covered Entity nor Client shall agree to any such restrictions unless legally required to do so.
4.4. Covered Entity or Client shall obtain all Authorizations necessary for any use or disclosure of PHI as contemplated under the Services Agreement.
4.5. Neither Covered Entity nor Client shall request that Business Associate use or disclose PHI in any manner that would not be permissible under HIPAA Laws.
4.6. Client hereby represents and warrants that it has all requisite power and authority to enter into this BAA on behalf of Covered Entity and to perform all of Covered Entity’s obligations hereunder.
Section 5. Designated Third Parties. In connection with the Services Agreement, Covered Entity or Client may direct Business Associate to disclose certain PHI to, or receive certain PHI from, certain third parties with whom Covered Entity or Client has a relationship (other than Business Associate’s Subcontractors), including third party administrators, consultants, brokers, auditors, successor administrators or insurers, and stop-loss carriers, and/or data warehouse vendors, and data analytics and/or data integration vendors as applicable (“Designated Third Parties”). Covered Entity shall enter into and maintain an appropriate business associate agreement with each Designated Third Party, and any PHI disclosed by Business Associate to, or otherwise held by, any such Designated Third Party, shall be governed by the terms of such business associate agreement (or any other applicable agreement between Covered Entity or Client and such Designated Third Party). Business Associate shall not have any liability for the acts or omissions of any Designated Third Party.
Section 6. Term and Termination.
6.1. Term; Effect of Termination. The term of this BAA shall commence as of the effective date of the Services Agreement and shall continue until the earlier of (a) the termination of the Services Agreement in accordance with the terms thereof and (b) the termination of this BAA for cause in accordance with the terms hereof; provided that this BAA shall terminate as to any Covered Entity upon termination of such Covered Entity by Client. The rights and obligations of the Parties which, by their nature, should survive termination or expiration of this BAA, shall survive such termination or expiration.
6.2. Termination for Cause. Upon Covered Entity’s or Business Associate’s knowledge of a material breach of this BAA by the other Party, the non-breaching Party shall notify the breaching Party of such material breach. If such material breach is not cured within 60 days of the breaching Party’s receipt of such notice (or within such longer period as the non-breaching Party may agree), or if cure is not possible, the non-breaching Party may terminate this BAA and the related portion of the Services Agreement upon written notice to the breaching Party. If termination is not feasible, the non-breaching party may report the breach to the Secretary in accordance with 45 C.F.R 164.504(e)(1)(ii).
6.3. Obligations Upon Termination. Upon termination of this BAA for any reason, Business Associate shall return or destroy all PHI that Business Associate still maintains in any form and retain no copies of such information; provided that, if Business Associate determines that the return or destruction of any PHI is not feasible (e.g., because such PHI is necessary for its proper management and administration or to carry out its legal responsibilities), Business Associate may retain such PHI, in which case Business Associate shall continue to apply the protections of this BAA to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction of such PHI infeasible, for so long as Business Associate maintains such PHI.
Section 7. Miscellaneous.
7.1. Entire Agreement. This BAA is an amendment to, and shall be deemed incorporated into and a part of, the Services Agreement. Except as expressly provided in this BAA, all of the terms and provisions of the Services Agreement are and will remain in full force and effect and are hereby ratified and confirmed by the Parties. This BAA, together with the Services Agreement, constitutes the sole and entire agreement of the Parties with respect to the subject matter hereof and thereof, and supersedes all prior and contemporaneous understandings, agreements, representations and warranties, both written and oral, with respect to such subject matter. For the avoidance of doubt, all claims and liabilities arising from or related to this BAA shall be brought under and subject to the terms of the Services Agreement, including any provisions therein regarding indemnification, limitation of liability, dispute resolution, choice of law or choice of forum.
7.2. Severability. If any provision of this BAA, or the application thereof to any person, place or circumstance, shall be held by a court of competent jurisdiction to be invalid, void or unenforceable, the remainder of this BAA and such provision as applied to other persons, places or circumstances shall remain in full force and effect and such invalid, void or unenforceable provision shall be enforced to the fullest extent permitted by law.
7.3. Amendment; Waiver. The Parties agree to take such reasonable actions as are necessary to amend this BAA from time to time as is necessary for Covered Entity and Business Associate to comply with the requirements of HIPAA Laws. This BAA may not be amended or otherwise modified unless such amendment or modification is set forth in writing, identified as amendment or modification of this BAA and signed by an authorized representative of each of the Parties. No provision of this BAA may be waived unless such waiver is set forth in writing, identified as a waiver of this BAA and signed by an authorized representative of the waiving Party. Except as otherwise provided in this BAA, no failure or delay by a Party in exercising any right under this BAA shall operate as a waiver thereof, nor shall any single or partial exercise thereof preclude any other or further exercise thereof or the exercise of any other right.
7.4. Assignment. Neither Party may assign this BAA or any of its rights herein without the prior written consent of the non-assigning Party and any purported assignment without such consent shall be void and unenforceable; provided that each Party may, without obtaining such consent, assign this BAA as part of an assignment pursuant to and in accordance with the Services Agreement.
7.5. No Third Party Beneficiaries. This BAA shall be binding upon and inure to the benefit of the Parties and their respective successors and permitted assigns and nothing herein, express or implied, is intended to or shall confer upon any other person any legal or equitable right, benefit or remedy of any nature whatsoever under or by reason of this BAA.
7.6. Relationship of the Parties. The relationship between the Parties is that of independent contractors and this BAA will not establish any agency, partnership, joint venture, fiduciary, franchise or employment relationship between the Parties (or between one Party and a representatives of the other Party). Neither Party by virtue of this BAA shall have any right, power or authority, express or implied, to bind the other Party.
7.7. Force Majeure; Excused Performance. Notwithstanding anything to the contrary in this BAA, Business Associate shall not be liable for, nor be deemed to be in breach of this BAA as a result of, any failure to comply with its obligations hereunder or any other act or omission attributable to (a) any failure by Client or Covered Entity to comply with its obligations hereunder or under HIPAA Laws, (b) any act or omission of any Designated Third Party or other vendor or representative of Client or Covered Entity (other than Business Associate and its Subcontractors and other vendors and representatives) or (c) any act of God or other act or circumstance beyond the reasonable control of Business Associate; provided that each of the Parties shall use commercially reasonable efforts to mitigate the effects of any of the foregoing circumstances.
7.8. Interpretation. Any ambiguity in this BAA shall be resolved in favor of a meaning that permits Covered Entity and Business Associate to comply with HIPAA Laws. If any use or disclosure of PHI by Business Associate or Client under the Services Agreement would be invalidated by the terms and provisions of this BAA, the terms of the Services Agreement will be interpreted by substituting Covered Entity for Client (where appropriate) in order for such use or disclosure to be valid under this BAA. Unless the express context otherwise requires, the words “hereof”, “herein”, “hereunder” and words of similar import refer to this BAA as a whole and not to any particular provision of this BAA, references to a specific section refer to the sections in this BAA unless otherwise expressly provided and the words “include”, “including” and words of similar import shall be deemed to be followed by the words “without limitation”. The captions or headings in this BAA are for convenience only and shall not be considered a part of or affect the construction or interpretation of any provision of this BAA.
7.9. Notices. Any notice or other communication that is required to be provided to Covered Entity hereunder may be made to Client in accordance with the notice provisions set forth in the Services Agreement.