Alight HIPAA Business Associate Addendum
Effective Date: March 2026
This Business Associate Addendum (this “BAA”) is subject to the underlying services agreement between Alight (referred to herein as “Business Associate”) and Client (the “Services Agreement”). Client enters into this BAA on behalf of itself and its group health plan(s) (each such group health plan, a “Covered Entity” and, together with Client and Business Associate, each a “Party” and collectively the “Parties”). This BAA is intended to facilitate compliance with HIPAA Laws (as defined below) with respect to any PHI (as defined below) that Business Associate may create, receive, maintain or transmit in connection with the services (“Services”) that Business Associate performs for Client under the Services Agreement. In consideration of the mutual covenants contained herein, and other valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the Parties agree as follows:
Section 1. Definitions.
1.1. Capitalized terms used but not otherwise defined herein shall have the meanings ascribed thereto in the Services Agreement. Any capitalized terms used but not otherwise defined herein or in the Services Agreement shall have the meanings ascribed thereto under HIPAA Laws, including the following terms: Authorization; Breach; Data Aggregation; Designated Record Set; Individual; Required By Law; Secretary; Security Incident; and Subcontractor. The terms “use”, “disclose” and “discovery”, and derivations thereof, although not capitalized, shall also have the meanings ascribed thereto under HIPAA Laws.
1.2. “HIPAA Laws” means (a) the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), (b) the privacy standards at 45 C.F.R. Part 160 and Subparts A and E of Part 164 (the “Privacy Rule”), (c) the security standards at 45 C.F.R. Parts 160 and 162 and Subparts A and C of Part 164 (the “Security Rule”), (d) the notification standards at 45 C.F.R. Subpart D of Part 164 (the “Notification Rule”) and (e) Subtitle D of the Health Information Technology for Economic and Clinical Health Act, Division A, Title XIII of Pub. L. No. 111-5 (the “HITECH Act”), and the regulations promulgated thereunder, including the HIPAA omnibus final rule. Any reference herein to a section of the Code of Federal Regulations, the Privacy Rule, the Security Rule or any other section of HIPAA Laws means such section, as amended from time to time.
1.3. “PHI” means “protected health information”, “ePHI” means “electronic protected health information” and “Unsecured PHI” means “unsecured protected health information”, in each case, as defined under the HIPAA Laws but only to the extent created, received, maintained or transmitted by Business Associate on behalf of Covered Entity. For the avoidance of doubt, PHI, ePHI and Unsecured PHI shall not include “employment records” as provided under HIPAA Laws.
Section 2. Obligations of Business Associate.
2.1. Permissible Uses and Disclosures. Business Associate agrees to not use or disclose PHI other than as permitted or required by this BAA or as Required by Law.
2.2. Safeguards. Business Associate agrees to use appropriate safeguards to prevent the use or disclosure of PHI other than as provided for by this BAA. Business Associate agrees to implement administrative, physical and technical safeguards, and policies and procedures, to reasonably and appropriately protect the confidentiality, integrity and availability of ePHI as required by the Security Rule.
2.3. Mitigation. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate resulting from a use or disclosure of PHI by Business Associate or any of its Subcontractors in violation of this BAA.
2.4. Reporting Impermissible Uses and Disclosures. Business Associate agrees to promptly report to Covered Entity any use or disclosure of PHI by Business Associate or any of its Subcontractors not permitted or required by this BAA of which Business Associate becomes aware.
2.5. Reporting Security Incidents. Business Associate agrees to promptly report to Covered Entity any Security Incident of which Business Associate becomes aware. The Parties acknowledge and agree that this Section constitutes notice by Business Associate to Covered Entity of the ongoing existence and occurrence of Security Incidents that do not result in unauthorized access, use or disclosure of PHI (including pings and other broadcast attacks on Business Associate’s firewall, port scans, denial-of-service attacks or any combination of the above) for which further notice shall not be required.
2.6. Reporting Breaches.
2.6.1. Business Associate agrees to report to Covered Entity any Breach of Unsecured PHI of which it becomes aware without unreasonable delay and in no case later than 48 hours after discovery (as defined in the HITECH Act) of such Breach. Any such report shall include, to the extent possible, the identification of each Individual whose Unsecured PHI has been, or is reasonably believed by Business Associate to have been, accessed, acquired, used or disclosed during such Breach. In addition, Business Associate agrees to provide any other available information with respect to any such Breach that is reasonably requested by Covered Entity from time to time for purposes of investigating the Breach and providing notification to affected Individuals as required under the Notification Rule, including, to the extent possible, the date of such Breach, the date of discovery of such Breach, the types of Unsecured PHI involved in such Breach and a brief description of what Business Associate is doing to investigate such Breach, to mitigate harm to affected Individuals and to protect against any such further Breaches.
2.6.2. Except as otherwise required by applicable law, Business Associate shall not notify any third party (including any affected Individuals, the media (as defined in the HITECH Act) or the Secretary) of a Breach unless requested to do so by Covered Entity. If requested by Covered Entity, Business Associate will provide notification to relevant parties as required, and in accordance with, the Notification Rule or other HIPAA Laws. Prior to providing any such notice, Business Associate shall provide Covered Entity with the opportunity to review such notice. If Covered Entity and Business Associate cannot agree on the contents of such notice, then Business Associate will be relieved of its obligation to provide such notice notwithstanding anything to the contrary in this Section.
2.7. Subcontractors. Business Associate agrees to ensure that any Subcontractor that creates, receives, maintains or transmits PHI on behalf of Business Associate agrees to the same or substantially similar restrictions, conditions and requirements that apply to Business Associate under this BAA with respect to such PHI.
2.8. Governmental Audits. Business Associate agrees to make its internal practices, books and records, including policies and procedures, relating to the use and disclosure of PHI available to the Secretary for purposes of the Secretary determining Covered Entity’s compliance with the Privacy Rule. Covered Entity agrees to notify Business Associate in writing within 10 days of receiving any such request from the Secretary.
2.9. Accounting of Disclosures. Business Associate agrees to maintain information as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures pursuant to 45 C.F.R. § 164.528. Upon written request by Covered Entity, Business Associate agrees to make available, within 45 days of receiving such written request, any such information to Covered Entity (or, at Covered Entity’s direction, the applicable Individual) to the extent necessary for Covered Entity to comply with its obligations under 45 C.F.R. § 164.528. If Business Associate receives a request from an Individual for an accounting of disclosures of PHI pursuant to 45 C.F.R. § 164.528, Business Associate agrees to promptly notify Covered Entity of such request and, unless otherwise directed by Covered Entity, to make available to such Individual, within 60 days of receiving such request, the information regarding such accounting in its possession in accordance with such request and HIPAA Laws. For the avoidance of doubt, if, during the period covered by any accounting, Business Associate has made multiple disclosures to the same person or entity (including a Covered Entity) for a single purpose, Business Associate may provide Covered Entity or the Individual (as applicable) (a) the information required by 45 C.F.R. § 164.528(b)(2) for the first such disclosure, (b) the frequency, periodicity or number of such disclosures and (c) the date of the last such disclosure.
2.10. Access to PHI. Upon written request by Covered Entity, Business Associate agrees to make available, within 20 days of receiving such written request, any PHI in its possession that is contained in a Designated Record Set to Covered Entity (or, at Covered Entity’s direction, the applicable Individual) to the extent necessary for Covered Entity to comply with its obligations under 45 C.F.R. § 164.524. If Business Associate receives a request from an Individual to make PHI available pursuant to 45 C.F.R. § 164.524, Business Associate agrees to promptly notify Covered Entity of such request and, unless otherwise directed by Covered Entity, to make available to such Individual, within 30 days of receiving such request, any PHI in its possession that is contained in a Designated Record Set for such Individual in accordance with such request and HIPAA Laws.
2.11. Amending PHI. Upon written request by Covered Entity, Business Associate agrees to amend, within 45 days of receiving such written request, any PHI in its possession that is contained in a Designated Record Set to the extent necessary for Covered Entity to comply with its obligations under 45 C.F.R. § 164.526. If Business Associate receives a request from an Individual to amend PHI pursuant to 45 C.F.R. § 164.526, Business Associate agrees to promptly notify Covered Entity of such request and, unless otherwise directed by Covered Entity, to amend, within 60 days of receiving such request, any PHI in its possession that is contained in a Designated Record Set for such Individual in accordance with such request and HIPAA Laws; provided that, if such Individual requests that Business Associate make an amendment that Business Associate is not permitted to make pursuant to the terms of the Services Agreement, then Business Associate shall refer such Individual to the Covered Entity.
2.12. Minimum Necessary. When using or disclosing PHI or when requesting PHI, Business Associate agrees to make reasonable efforts to limit such PHI to the minimum necessary to accomplish the intended purpose of such use, disclosure or request as required by 45 C.F.R. § 164.502(b). Business Associate will determine what constitutes the minimum necessary to accomplish the intended purpose of such use, disclosure or request in accordance with the relevant provisions of HIPAA Laws (including 45 C.F.R. § 164.514(d)) and related guidance issued by the Secretary.
2.13. Limitation on the Sale of PHI. Business Associate shall comply with the prohibition on the sale of Electronic Health Records and PHI set forth in 42 U.S.C. § 17935(d).
2.14. Limitation on Marketing and Fundraising. Business Associate shall not use or disclose PHI for marketing purposes unless directed by or agreed to by Covered Entity and in accordance with 45 C.F.R. § 164.508(a)(3). Business Associate shall not use or disclose PHI for fundraising purposes unless otherwise expressly directed by or agreed to by Covered Entity and in accordance with HIPAA Laws (including 45 C.F.R. § 164.514(f)). For the avoidance of doubt, any use or disclosure of PHI to perform the Services shall not be deemed to be a violation of this Section.
2.15. Reproductive Health Care. Business Associate shall comply with the terms and conditions of the Privacy Rule designed to support reproductive health care privacy, including the attestation requirements of 45 C.F.R. § 164.509(b)(1).
2.16. Covered Entity’s Obligations. To the extent Business Associate is to carry out Covered Entity’s obligation under the Privacy Rule, Business Associate agrees to comply with the requirements of the Privacy Rule that apply to Covered Entity in the performance of such obligation.
2.17. Other Limitations and Restrictions. Business Associate shall comply with (a) any limitation in the respective notice of privacy practices that Covered Entity produces in accordance with the Privacy Rule and any changes or limitations to such notice under 45 C.F.R. § 164.520 and (b) any restriction to the use or disclosure of PHI that Covered Entity has agreed to or is required to abide by under 45 C.F.R. § 164.522, in each case, to the extent that such limitation or restriction may affect Business Associate’s use or disclosure of PHI. If any such limitation or restriction would result in more than a de minimis increase in Business Associate’s costs to perform the Services, the Parties agree to use good faith efforts to modify the fees payable under the Services Agreement to accommodate such increased costs.
2.18. Civil and Criminal Penalties. Business Associate acknowledges that it may be liable under the civil and criminal enforcement provisions under HIPAA Laws for any failure to comply with HIPAA Laws.
Section 3. Permitted Uses and Disclosures by Business Associate.
3.1. Business Associate may use or disclose PHI (a) as permitted or required by the Services Agreement provided that such use or disclosure would not violate the requirements of the Privacy Rule if done by Covered Entity or Client, on behalf of Covered Entity, (b) as permitted or required by this BAA, (c) as Required by Law or (d) as otherwise directed by Covered Entity or Client, on behalf of Covered Entity.
3.2. Business Associate may use PHI for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate.
3.3. Business Associate may disclose PHI for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate if (a) such disclosures are Required by Law or (b) Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will be held confidentially and used or further disclosed only as Required by Law or for the purpose for which it was disclosed to such person, and such person notifies Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.
Section 4. Obligations of Covered Entity.
4.1. Covered Entity or Client shall notify Business Associate of any limitation(s) in the respective notice of privacy practices that Covered Entity produces in accordance with the Privacy Rule and any changes or limitations to such notice under 45 C.F.R. § 164.520 to the extent that such change or limitation may affect Business Associate’s use or disclosure of PHI.
4.2. Covered Entity or Client shall notify Business Associate of any changes in or revocation of permission by an Individual to use or disclose PHI to the extent that such change or revocation may affect Business Associate’s use or disclosure of PHI.
4.3. Covered Entity or Client shall notify Business Associate of any restriction to the use or disclosure of PHI that Covered Entity has agreed to or is required to abide by under 45 C.F.R. § 164.522 to the extent that such restriction may affect Business Associate’s use or disclosure of PHI; provided that neither Covered Entity nor Client shall agree to any such restrictions unless legally required to do so.
4.4. Covered Entity or Client shall obtain all Authorizations necessary for any use or disclosure of PHI as contemplated under the Services Agreement.
4.5. Neither Covered Entity nor Client shall request that Business Associate use or disclose PHI in any manner that would not be permissible under HIPAA Laws.
4.6. Client hereby represents and warrants that it has all requisite power and authority to enter into this BAA on behalf of Covered Entity and to perform all of Covered Entity’s obligations hereunder.
Section 5. Designated Third Parties. In connection with the Services Agreement, Covered Entity or Client may direct Business Associate to disclose certain PHI to, or receive certain PHI from, certain third parties with whom Covered Entity or Client has a relationship (other than Business Associate’s Subcontractors), including third party administrators, consultants, brokers, auditors, successor administrators or insurers, stop-loss carriers, data warehouse vendors, and data analytics or data integration vendors, as applicable (“Designated Third Parties”). Covered Entity shall enter into and maintain an appropriate business associate agreement or other appropriate agreement with each Designated Third Party, and any PHI disclosed by Business Associate to, or otherwise held by, any such Designated Third Party shall be governed by the terms of such business associate agreement (or any other applicable agreement between Covered Entity or Client and such Designated Third Party). Business Associate shall not have any liability for the acts or omissions of any Designated Third Party.
Section 6. Term and Termination.
6.1. Term; Effect of Termination. The term of this BAA shall commence as of the effective date of the Services Agreement and shall continue until the earlier of (a) the termination of the Services Agreement in accordance with the terms thereof and (b) the termination of this BAA for cause in accordance with the terms hereof; provided that this BAA shall terminate as to any Covered Entity upon termination of such Covered Entity by Client. The rights and obligations of the Parties which, by their nature, should survive termination or expiration of this BAA, shall survive such termination or expiration.
6.2. Termination for Cause. Upon Covered Entity’s or Business Associate’s knowledge of a material breach of this BAA by the other Party, the non-breaching Party shall notify the breaching Party of such material breach. If such material breach is not cured within 30 days of the breaching Party’s receipt of such notice (or within such longer period as the non-breaching Party may agree), or if cure is not possible, the non-breaching Party may terminate this BAA and the related portion of the Services Agreement upon written notice to the breaching Party. If termination is not feasible, the non-breaching Party may report the breach to the Secretary in accordance with 45 C.F.R. § 164.504(e)(1)(ii).
6.3. Obligations Upon Termination. Upon termination of this BAA for any reason, Business Associate shall return or destroy all PHI that Business Associate still maintains in any form and retain no copies of such information; provided that, if Business Associate determines that the return or destruction of any PHI is not feasible (e.g., because such PHI is necessary for its proper management and administration or to carry out its legal responsibilities), Business Associate may retain such PHI, in which case Business Associate shall continue to apply the protections of this BAA to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction of such PHI infeasible, for so long as Business Associate maintains such PHI.
Section 7. Miscellaneous.
7.1. Amendment. The Parties agree to take such reasonable actions as are necessary to amend this BAA from time to time as is necessary for Covered Entity and Business Associate to comply with the requirements of HIPAA Laws.
7.2. Interpretation. Any ambiguity in this BAA shall be resolved in favor of a meaning that permits Covered Entity and Business Associate to comply with HIPAA Laws. If any use or disclosure of PHI by Business Associate or Client under the Services Agreement would be invalidated by the terms and provisions of this BAA, the terms of the Services Agreement will be interpreted by substituting Covered Entity for Client (where appropriate) in order for such use or disclosure to be valid under this BAA. For the avoidance of doubt, all claims and liabilities arising from or related to this BAA shall be brought under and subject to the terms of the Services Agreement, including any provisions therein regarding indemnification, limitation of liability, force majeure, dispute resolution, choice of law or choice of forum.
* * * * *