Last Updated August 7, 2023
This HIPAA Business Associate Addendum (“BAA” or “Addendum”) applies to any use of the Builder Services and the Zus Platform involving Protected Health Information (“PHI”) by Builders that are Covered Entities or Business Associates under HIPAA, and are incorporated into the Builder Terms of Service (“Builder Terms”). This BAA is effective on the date you begin using the Builder Services (“Effective Date”).
Together with the Builder Terms, this BAA satisfies the requirements of HIPAA and the rules and regulations thereunder, including the HIPAA Privacy Rule and HIPAA Security Rule, as amended (together, the “HIPAA Regulations”). Capitalized terms which are used but not defined in this BAA are defined by the Builder Terms or have the meaning set forth in the HIPAA Regulations.
- Obligations and Activities of Zus:
- Zus agrees to not use or disclose PHI other than as permitted or required by this BAA or as required by Applicable Law, to comply with applicable requirements of the HIPAA Regulations in all material respects, and to use appropriate safeguards to prevent use or disclosure of PHI that is not permitted by this BAA.
- Zus agrees to report to you any use or disclosure of PHI not permitted by this BAA, including, without limitation, Breaches of Unsecured Protected Health Information as required at 45 C.F.R. 164.410, and any Security Incident within five (5) business days of it becoming of aware. You acknowledge and agree that this Section A(2) constitutes notice by Zus to you of the ongoing existence and occurrence of attempted but unsuccessful Security Incidents for which no additional notice to you is required. Unsuccessful Security Incidents shall include, but not be limited to, pings and other broadcast attacks on Zus’ firewall, port scans, unsuccessful log-on attempts, denials of service and any combination of the above, so long as such incidents do not result, to the extent Zus is aware, in unauthorized access, use or disclosure of Electronic PHI.
- Zus agrees to take reasonable steps to mitigate, to the extent practicable, any harmful effect (that is known to Zus) of a Breach of Unsecured Protected Health Information or Security Incident or any use or disclosure of PHI by Zus in material violation of this BAA or HIPAA.
- Zus agrees to ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of Zus agree in writing to provide the same material level of protections for PHI as apply to Zus under this BAA.
- Zus agrees to make PHI in a Designated Record Set available to you within five (5) business days of a confirmed request, as necessary to satisfy your obligations under 45 C.F.R. § 164.524.
- Zus agrees to make any amendment(s) to PHI contained in a Designated Record Set as directed or agreed to by you or to take other measures as necessary to satisfy your obligations under 45 C.F.R. § 164.526 within five (5) business days of a confirmed request.
- Zus agrees to maintain and make available to you the information required to provide an accounting of disclosures within five (5) business days of our receipt of a confirmed request, as necessary to satisfy your obligations under 45 C.F.R. § 164.528.
- To the extent that Zus is to carry out one or more of your obligations under Subpart E of 45 C.F.R. Part 164, Zus agrees to comply with the requirements of Subpart E that apply to you in the performance of such obligations.
- Zus agrees to make its internal practices, books, and records available to the Secretary for purposes of determining compliance with HIPAA.
- Zus will follow the HIPAA Minimum Necessary Standard in its use or disclosure of PHI in providing the Builder Services.
- Permitted Uses and Disclosures by Zus:
- Zus may use or disclose PHI to perform the Builder Services as authorized under the Builder Terms, or as otherwise required by Applicable Law.
- Zus may not use or disclose PHI in a manner that would violate Subpart E of 45 C.F.R. Part 164 if done by you, except that Zus may use or disclose PHI for the proper management and administration of Zus or to carry out our legal responsibilities, provided that, with respect to disclosures which are required by third-party legal process, Zus obtains reasonable assurances from the person to whom the information is disclosed that the information will remain confidential and used or further disclosed only as required by law or applicable legal process, or for the purposes for which it was disclosed to the person, and the person notified Zus of any instances of which it is aware in which the confidentiality of the information has been breached.
- Obligations of Builder:
- You agree to use the Builder Services and to use and disclose PHI to Zus only as permitted in your published notice of privacy practices.
- You must notify Zus of any changes in, or revocation of, the permission by an Individual to use or disclose their PHI, to the extent that such changes may affect Zus use or disclosure of PHI.
- You must notify Zus of any restriction on the use or disclosure of PHI that you have agreed to or is required to abide by under 45 C.F.R. 164.522, to the extent that such restriction may affect Zus use or disclosure of PHI.
- Except with respect to uses and disclosures by Zus of PHI under Section A(2) above, Customer shall not request Zus to use or disclose PHI in any manner that would not be permissible under Subpart E of 45 C.F.R. Part 164 if done by Customer.
- Term and Termination:
- Term. The Term of this BAA begins on the Effective Date and, as provided in Section 10(e) of the Builder Terms, ends immediately and automatically upon termination of the Builder Terms for any reason; subject, however, to continuation of obligations as set forth in Section 4(2)(c) below.
- Disposition of PHI Upon Termination. Upon termination of this BAA for any reason, Zus shall:
- Retain only that PHI which is necessary for Zus to continue its proper management and administration or to carry out its legal responsibilities;
- Subject to subsection (a) above, return to you or your designee (to the extent permitted by HIPAA) or delete the remaining PHI that the Zus still maintains in any form so that it is no longer accessible; provided, however, Zus shall not be required to return or delete PHI for a Patient to the extent return or destruction is not feasible, including, for example, PHI contained and commingled in the Common Patient Record where Zus has another Builder with a relationship with such Patient using the Zus Platform;
- To the extent return or deletion is not feasible, Zus shall (a) extend the protections of this BAA to such PHI and continue to use appropriate safeguards and comply with applicable HIPAA requirements to provide use or disclosure of the PHI, other than as provided in this Section, for as long as Zus retains PHI; and (b) limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for as long as Zus retains PHI;
- Not use or disclose PHI retained by Zus other than for the purposes for which such PHI was retained and subject to the same conditions set out in Section A above, which applied prior to termination; and
- Delete PHI retained by Zus when it is no longer needed by Zus for its proper management and administration or to carry out its legal responsibilities or maintained in the Common Patient Record on behalf of another Builder.
- Survival. The obligations of Zus under this Section D shall survive the termination of this BAA.
- BAA Miscellaneous:
- Amendment. Zus may update or amend this BAA from time to time to enable it to better administer or provide the Builder Services or to comply with the requirements of HIPAA in accordance with Section A(1)(c) of the Builder Terms.
Interpretation & Order of Precedence. Any ambiguity in this BAA shall be resolved to permit compliance with HIPAA. In the event that it is impossible to comply with both the Builder Terms and this BAA, the provisions of this BAA shall control with respect to those provisions of the BAA that expressly conflict. This BAA shall supersede and replace any prior Zus BAAs between the parties, with respect to any actions of Zus after the Effective Date.