hc1 Insights™ Business Associate Agreement, April 21, 2025
This Business Associate Agreement (“BAA”) is made by and between hc1 Insights, Inc. (“Business Associate”) and ________________ (“Covered Entity”) and effective as of ________________, 20__ (the “BAA Effective Date”). In this BAA, Covered Entity and Business Associate are each a “Party” and, collectively, are the “Parties”.
BACKGROUND
A. Covered Entity is a “covered entity” as defined under the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, as amended by the “HITECH Act” (as defined below) and the related regulations promulgated by “HHS” (as defined below) (collectively, “HIPAA”), including, without limitation, the Privacy, Security, Breach Notification and Enforcement Rules at 45 CFR Parts 160 and 164 (the “HIPAA Rules”) and, as such, is required to comply with HIPAA Rule provisions regarding the confidentiality and privacy of “Protected Health Information” (as defined below).
B. The Parties have entered into or will enter into one or more agreements under which Business Associate provides or will provide certain specified services and/or functions to Covered Entity (collectively, the “Underlying Agreement(s)”).
C. In providing services and functions pursuant to the Underlying Agreement(s), Business Associate has or will have access to Protected Health Information and so is or will become a “business associate” (as such term is defined under the HIPAA Rules) of Covered Entity.
D. The Parties are committed to complying with all federal and state laws governing the confidentiality and privacy of health information, including, without limitation, the HIPAA Rules.
E. The Parties intend to protect the privacy and provide for the security of Protected Health Information created or received by Business Associate pursuant to the terms of this BAA, the HIPAA Rules and other applicable laws.
AGREEMENT
NOW, THEREFORE, in consideration of the mutual covenants and conditions contained herein and the continued provision of PHI by Covered Entity to Business Associate under the Underlying Agreement(s) in reliance on this BAA, the Parties agree as follows:
1. Definitions. For purposes of this BAA, the Parties give the following meaning to each of the terms in this Section 1 below. Any capitalized term used in this BAA, but not otherwise defined, has the meaning given to that term in the HIPAA Rules.
A. “Breach Notification Rule” means the portion of the HIPAA Rules set forth in Subpart D of 45 CFR Part 164.
B. “Data Aggregation” means, with respect to PHI created or received by Business Associate in its capacity as a business associate of Covered Entity, the combining of such PHI by Business Associate with protected health information received by Business Associate in its capacity as a business associate of one or more other covered entities, to permit data analyses that relate to the Health Care Operations of the respective covered entities. The meaning of “data aggregation” in this BAA shall be consistent with the meaning given to that term in the Privacy Rule.
C. “Data Breach” means the acquisition, access, use, or disclosure of Unsecured PHI in a manner not permitted under the Privacy Rule which compromises the security or privacy of the PHI, as “breach” is defined in 45 C.F.R. § 164.402.
D. “Derivative Work” means a new or modified work that is based on or derived from a preexisting work, including, without limitation, a work that: (i) includes substantially most or all of the preexisting work (provided the resulting Derivative Work includes new or original content), (ii) uses trade secrets or other proprietary information with respect to such preexisting work, (iii) is created by an algorithm or other automated/artificial intelligence process, and/or (iv) is a collection, aggregation, or compilation of information fixed in any tangible media.
E. “Designated Record Set” has the meaning given to such term under the Privacy Rule, including 45 CFR §164.501.
F. “Electronic PHI” means any PHI maintained in or transmitted by “electronic media” as defined in 45 CFR §160.103.
G. “Health Care Operations” has the meaning given to that term in 45 CFR §164.501.
H. “HHS” means the U.S. Department of Health and Human Services.
I. “HITECH Act” means the Health Information Technology for Economic and Clinical Health Act, enacted as part of the American Recovery and Reinvestment Act of 2009, Public Law 111-005.
J. “Individual” has the same meaning given to that term in 45 CFR §160.103 and includes a person who qualifies as a personal representative in accordance with 45 CFR §164.502(g).
K. “Privacy Rule” means that portion of the HIPAA Rules set forth in 45 CFR Part 160 and Part 164, Subparts A and E.
L. “Protected Health Information” or “PHI” has the meaning given to the term “protected health information” in 45 CFR §160.103, limited to the protected health information created, maintained, transmitted, accessed or received by Business Associate from or on behalf of Covered Entity.
M. “Security Incident” means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system of Business Associate or any of its Subcontractors.
N. “Security Rule” means the Security Standards for the Protection of Electronic Health Information provided in 45 CFR Part 160 & Part 164, Subparts A and C.
O. “Underlying Agreement” has the meaning set forth above in the recitals and shall include, without limitation, any software agreement, end user license agreement or master services agreement, whether entered into prior to, on or after the BAA Effective Date, pursuant to which or in connection with which Business Associate creates, maintains, transmits, accesses or receives PHI during the term of this BAA.
P. “Unsecured Protected Health Information” or “Unsecured PHI” means any PHI that is not rendered unusable, unreadable or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the HHS Secretary in the guidance issued pursuant to the HITECH Act and codified at 42 USC §17932(h).
2. Use and Disclosure of PHI.
A. Except as otherwise provided in this BAA, Business Associate may use or disclose PHI as reasonably necessary to provide the functions and services described in the Underlying Agreement(s), and to undertake other activities of Business Associate permitted or required of Business Associate by this BAA or the Underlying Agreement(s), or as Required by Law.
B. Covered Entity authorizes Business Associate to use the PHI in its possession for the proper management and administration of Business Associate and to carry out its legal responsibilities. Business Associate may disclose PHI for its proper management and administration, provided that (i) the disclosures are Required By Law; or (ii) Business Associate obtains, prior to making any disclosure to a third party (a) reasonable assurances from this third party that the PHI will be held confidentially and used or further disclosed only as Required By Law or for the purpose for which it was disclosed to this third party and (b) an agreement from this third party to notify Business Associate promptly of any breaches of the confidentiality of the PHI, to the extent it has knowledge of the breach.
C. Business Associate will not use or disclose PHI in a manner other than as provided in this BAA, as permitted in the Underlying Agreements, as permitted under the Privacy Rule, or as Required by Law. When using or disclosing PHI or when requesting PHI, Business Associate shall make reasonable efforts to limit the use, disclosure or request of the PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure or request, to the extent the minimum necessary requirement under 45 CFR §164.502(b) applies.
D. Business Associate may use and disclose PHI to report violations of law to appropriate Federal and State authorities, consistent with 45 CFR §164.502(j)(1).
E. Business Associate may de-identify PHI and may use, disclose and create Derivative Works from the de-identified information for any lawful purposes, including, without limitation, to aggregate, process and commercialize portions or the entirety of such de-identified information, all in accordance with 45 C.F.R. §164.514(a)-(c) and other applicable law. This Subsection E shall survive termination of this BAA.
F. Business Associate may use PHI to provide Data Aggregation services as permitted by the Privacy Rule.
3. Safeguards Against Misuse of PHI. Business Associate will use appropriate safeguards to prevent the use or disclosure of PHI other than as provided by the Underlying Agreement(s) or this BAA and Business Associate agrees to implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of the Electronic PHI that it creates, receives, maintains or transmits on behalf of Covered Entity. Business Associate agrees to take reasonable steps to ensure compliance with this BAA and to ensure that the actions or omissions of its employees or agents do not cause Business Associate to breach the terms of this BAA.
4. Reporting Disclosures of PHI and Security Incidents. Business Associate will report to Covered Entity any use or disclosure of PHI by or on behalf of Business Associate not provided for by this BAA of which it becomes aware, and Business Associate agrees to report to Covered Entity any Security Incident adversely affecting Electronic PHI of Covered Entity of which it becomes aware. Business Associate agrees to report any such event within 15 business days of becoming aware of the event. Covered Entity and Business Associate hereby agree that actual or attempted Security Incidents that fail to result in the unauthorized use or disclosure of Electronic PHI, such as pings and other broadcast attacks on the Business Associate’s firewall, port scans, unsuccessful log-on attempts, and denials of service occur, and that this constitutes Business Associate’s report and notification to Covered Entity of such events, and that no further reporting of such unsuccessful Security Incidents is required under this BAA.
5. Reporting Breaches of Unsecured PHI. Business Associate will notify Covered Entity in writing promptly upon the Discovery of any Data Breach of Unsecured PHI in accordance with the requirements set forth in 45 CFR §164.410, but in no case later than twenty (20) business days after Discovery of a Data Breach of Unsecured PHI.
6. Mitigation of Disclosures of PHI. Business Associate will take reasonable measures to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of any use or disclosure of PHI by Business Associate or its agents or Subcontractors in violation of the requirements of this BAA.
7. Agreements with Subcontractors. Business Associate will ensure that any of its Subcontractors that have access to, or to which Business Associate provides, PHI agree in writing to substantially the same restrictions and conditions concerning uses and disclosures of PHI contained in this BAA and agree to implement reasonable and appropriate safeguards to protect any Electronic PHI that it creates, receives, maintains or transmits on behalf of Business Associate or, through the Business Associate, Covered Entity.
8. Access to PHI by Individuals. Upon request, Business Associate agrees to furnish Covered Entity with copies of the PHI maintained by Business Associate in a Designated Record Set in the time and manner designated by Covered Entity to enable Covered Entity to respond to an Individual’s request for access to PHI under 45 CFR §164.524. This Section 8 and Section 9 will apply only to PHI maintained by Business Associate in a Designated Record Set.
9. Amendment of PHI. Upon request and instruction from Covered Entity, Business Associate will amend PHI or a record about an Individual in a Designated Record Set that is maintained by, or otherwise within the possession of, Business Associate as reasonably directed by Covered Entity in accordance with procedures established by 45 CFR §164.526. Any request by Covered Entity to amend such information will be completed by Business Associate within twenty (20) business days of Covered Entity’s request.
10. Accounting of Disclosures.
A. Business Associate will document any disclosures of PHI made by it to account for such disclosures as required by 45 CFR §164.528(a). Business Associate also will make available information related to such disclosures as would be required for Covered Entity to respond to a request for an accounting of such disclosures in accordance with 45 CFR §164.528. At a minimum, Business Associate will furnish Covered Entity the following with respect to any covered disclosures by Business Associate: (i) the date of disclosure of PHI; (ii) the name of the entity or person who received PHI, and, if known, the address of such entity or person; (iii) a brief description of the PHI disclosed; and (iv) a brief statement of the purpose of the disclosure which includes the basis for such disclosure.
B. Business Associate will furnish to Covered Entity information collected in accordance with this Section, within twenty (20) business days after written request by Covered Entity, to permit Covered Entity to make an accounting of disclosures as required by 45 CFR §164.528.
11. Availability of Books and Records. Business Associate will make available its internal practices, books, agreements, records, and policies and procedures relating to the use and disclosure of PHI, upon request, to the Secretary of HHS for purposes of determining Covered Entity’s and Business Associate’s compliance with HIPAA Rules, and this BAA.
12. Responsibilities of Covered Entity. With regard to the use and/or disclosure of Protected Health Information by Business Associate, Covered Entity agrees to:
A. Notify Business Associate of any limitation(s) in its notice of privacy practices in accordance with 45 CFR §164.520, to the extent that such limitation may affect Business Associate’s use or disclosure of PHI;
B. Notify Business Associate of any changes in, or revocation of, permission by an Individual to use or disclose Protected Health Information, to the extent that such changes may affect Business Associate’s use or disclosure of PHI;
C. Notify Business Associate of any restriction to the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 CFR §164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of PHI;
D. Obtain any consent, authorization or permission that may be required by HIPAA Rules or otherwise Required by Law prior to furnishing PHI to Business Associate; and
E. Not request Business Associate to use or disclose PHI in any manner that would not be permissible under the HIPAA Rules if done by Covered Entity.
13. Term and Termination.
A. This BAA will become effective on the BAA Effective Date and will continue in effect until all obligations of the Parties have been met under the Underlying Agreement(s) and under this BAA, including, without limitation, so long as Business Associate holds PHI for access by Covered Entity.
B. A Party (“Non-Breaching Party”) may terminate this BAA if the other Party (“Breaching Party”) has materially breached this BAA and fails to cure such breach within thirty (30) days after written notice from the Non-Breaching Party of such breach. The Non-Breaching Party may exercise this right to terminate by providing written notice of termination to the Breaching Party, stating the failure to cure the breach of this Agreement that provides the basis for the termination. Any such termination will be effective immediately or at such later date specified in the notice of termination.
C. Upon termination of this BAA, all PHI maintained by Business Associate will be returned to Covered Entity or destroyed by Business Associate, provided that Business Associate may retain PHI as necessary to perform its obligations to Covered Entity or maintain PHI for access by Covered Entity in accordance with any Underlying Agreement(s). If return or destruction of the PHI is not feasible, in Business Associate’s reasonable judgment, Business Associate will extend the protections of this BAA to such information for as long as Business Associate retains such information and will limit further uses and disclosures to those purposes that make the return or destruction of the information not feasible. The Parties understand that this Subsection 13.C. will survive any termination of this BAA.
14. Effect of BAA.
A. This BAA is a part of and subject to the terms of the Underlying Agreement(s).
B. This BAA is intended to apply to all uses and disclosures of PHI by Business Associate as a business associate of Covered Entity during the term of this BAA, whether such PHI was created prior to or during the term of this BAA, and shall supersede, as of the BAA Effective Date, any prior business associate agreement between the Parties.
C. Except as expressly stated in this BAA or as provided by law, this BAA will not create any rights in favor of any third party.
15. Regulatory References. A reference in this BAA to a section in HIPAA or HIPAA Rules means the section as in effect or as amended at the time.
16. Notices. All notices, requests and demands or other communications to be given under this BAA to a Party will be made via either first class mail, registered or certified or express courier, or electronic mail to the Party’s address given below:
A. If to Covered Entity, to:
[Covered Entity]
[mailing address]
[email address]
Attn:
B. If to Business Associate, to:
hc1 Insights, Inc.
6100 Technology Center Drive, Building K
Indianapolis, Indiana 46278
legal@hc1.com
Attn: Chief Privacy Officer
17. Amendments. This BAA may not be modified, nor will any provision be waived or amended, except in writing duly signed by authorized representatives of the Parties.
18. Amendment to Comply with Law. The Parties hereby acknowledge that laws relating to electronic data security and privacy are rapidly evolving and that amendment of this BAA may be required to provide for different or additional procedures to ensure compliance with such developments. The Parties agree to negotiate in good faith to amend this BAA and/or the Underlying Agreement(s) as necessary to comply with HIPAA Rules or any changes to HIPAA.
19. Interpretation. The interpretation of this BAA and the resolution of any disputes arising under this BAA shall be governed by the laws of the state of Indiana, provided that this BAA shall be interpreted as broadly as necessary to implement and comply with HIPAA Rules and other applicable laws and regulations.
IN WITNESS WHEREOF, the Parties execute this BAA as of the BAA Effective Date.
hc1 Insights, Inc. (“Business Associate”)
By: __________________________
Print Name: __________________________
Title: __________________________
Date: __________________________

________________________________ (“Covered Entity”)
By: __________________________
Print Name: __________________________
Title: __________________________
Date: __________________________