BUSINESS ASSOCIATE ADDENDUM
Last Updated: August 29, 2024
This Business Associate Addendum (“BAA”) is an Attachment that is incorporated by reference into the Agreement by and between Credo Health Solutions Holdings, Inc., and all of its affiliated entities, including without limitation Credo Health Solutions Inc. and Medical Records Exchange LLC d/b/a Chartfast LLC (collectively, “Credo”) and the Customer identified in the Order Form (“Customer”), when Credo is acting in the capacity of a Business Associate or Subcontractor Business Associate. Customer and Credo agree to the terms and conditions of this BAA to comply with the rules on handling Protected Health Information (defined below). For clarity, this BAA is part of the Agreement and the Master Terms and Conditions, and it applies to all other Attachments and Order Forms between Credo and Customer (collectively, the “Agreement”). Credo and Customer are each a “party” and collectively the “parties” to this BAA.
1. IN GENERAL
1.1 Order of Priority. This BAA shall supersede and replace any prior business associate agreement between the parties after the Effective Date of the Agreement. The parties each acknowledge and agree that in the event of a conflict between any term or condition set forth in this BAA and any term or condition set forth in another Attachment, this BAA will govern with respect to the subject matter herein, except to the extent that another Attachment expressly amends this BAA.
1.2 Definitions. Unless otherwise provided, all capitalized terms in this Business Associate Addendum will have the same meaning as provided in HIPAA or the Agreement. Any ambiguity in this BAA shall be resolved to permit compliance with HIPAA. The terms “use,” “disclose” and “discovery,” or derivations thereof, although not capitalized, shall also have the same meanings set forth in HIPAA. For purposes of this BAA, the following capitalized terms have the following meanings:
“Protected Health Information” or “PHI” shall have the same meaning as the term “protected health information” in HIPAA at 45 C.F.R. § 160.103, except limited to the PHI received from Customer, or created, maintained or received on behalf of Customer.
“Individual” shall have the same meaning as the term “individual” in HIPAA at 45 C.F.R. § 160.103 and shall include a person who qualifies as a personal representative in accordance with HIPAA at 45 C.F.R. § 164.502(g).
“Subcontractor” shall have the same meaning as the term “subcontractor” in 45 C.F.R. § 160.103, except limited to any such individual or entity who creates, receives, maintains, or transmits PHI on behalf of Credo.
1.3 Amendment. Credo may update or amend this BAA from time to time to enable it to better administer or provide the Credo Services or as is necessary to comply with the requirements of HIPAA and any other applicable law. Credo will provide Customer with email notification of any material changes to this BAA. In case of changes to this BAA, Credo will only make changes if permitted by HIPAA and applicable law, which will take effect ninety (90) calendar days after email notification. If Customer does not wish to accept changes to the BAA, Customer must stop using the Credo Services (including without limitation the Credo Platform) and may terminate this Agreement upon thirty (30) calendar days’ written notice to Credo.
1.4 Interpretation. The subject headings in this BAA are solely for convenience and shall not be used to alter or interpret the contents of this BAA. Any ambiguity of this BAA shall be resolved to permit compliance with HIPAA.
2. OBLIGATIONS AND ACTIVITIES OF CREDO
2.1 Legal Compliance. Credo agrees to not use or disclose PHI other than as permitted or required by this BAA or as Required By Law.
2.2 Safeguards. Credo agrees to use appropriate safeguards and comply, where applicable, with Subpart C of 45 C.F.R. Part 164 with respect to Electronic PHI, to prevent use or disclosure of the PHI other than as provided for by this BAA.
2.3 Reporting. Credo agrees to report to the Customer any use or disclosure of PHI not provided for by this BAA. Credo agrees to report to the Customer any Breaches of Unsecured PHI as required at 45 C.F.R. § 164.410, and any Security Incident of which it becomes aware within ten (10) business days. The parties acknowledge and agree that this Section 2.3 constitutes notice by Credo to Customer of the ongoing existence and occurrence of attempted but unsuccessful Security Incidents for which no additional notice to Customer shall be required. Unsuccessful Security Incidents shall include, but not be limited to, pings and other broadcast attacks on Credo’s firewall, port scans, unsuccessful log-on attempts, denials of service and any combination of the above, so long as such incidents do not result, to the extent Credo is aware, in unauthorized access, use or disclosure of Electronic PHI. Credo agrees to take reasonable steps to mitigate, to the extent practicable, any harmful effect (that is known to Credo) of a Breach of Unsecured PHI or successful Security Incident or any use or disclosure of PHI by Credo in material violation of this BAA or HIPAA. In the event that Customer is required by HIPAA to notify individuals of a data breach that is caused by Credo: (a) Credo will reimburse Customer for any reasonable costs or expenses that Customer incurs for notification to affected or potentially affected individuals; and (b) Credo will pay the costs of one year of credit monitoring offered to affected individuals.
2.4 Subcontractors. In accordance with 45 C.F.R. § 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, Credo agrees to ensure that any Subcontractors that create, receive, maintain, or transmit PHI on behalf of Credo agree in writing to the same restrictions, conditions, and requirements that apply to Credo under this BAA with respect to such PHI.
2.5 Individual Rights.
(a) Applicability. To the extent Credo or its Subcontractors do not maintain PHI in a Designated Record Set for Customer, the individual access and amendment requirements of this Section 2.5 may not apply to Credo or its Subcontractors.
(b) Individual Access to PHI. Credo agrees to make available PHI in a Designated Record Set to Customer as necessary to satisfy Customer’s obligations under 45 C.F.R. § 164.524.
(c) Amendment of PHI. Credo agrees to make any amendment(s) to PHI in a Designated Record Set as directed or agreed to by Customer pursuant to 45 C.F.R. § 164.526 or take other measures as necessary to satisfy Customer’s obligations under 45 C.F.R. § 164.526.
(d) Accounting of PHI. Credo agrees to maintain and make available the information required to provide an accounting of disclosures to Customer as necessary to satisfy Customer’s obligations under 45 C.F.R. § 164.528.
2.6 Delegation of Responsibility. To the extent that Credo is to carry out one or more of Customer’s obligations under Subpart E of 45 C.F.R. Part 164, Credo agrees to comply with the requirements of Subpart E that apply to Customer in the performance of such obligations.
2.7 Access to Books and Records. Credo agrees to make its internal practices, books, and records available to the Secretary of HHS, or the designee of the Secretary of HHS, for purposes of determining compliance with HIPAA.
3. PERMITTED USES AND DISCLOSURES BY CREDO
3.1 General Use and Disclosure Provision. Credo may only use and disclose PHI as permitted by this BAA, the Agreement, and as necessary to perform the Services in the Agreement.
3.2 Specific Use and Disclosure Provisions.
(a) Credo may use and disclose PHI as permitted or Required by Law.
(b) To the extent applicable, Credo will request, use and disclose the minimum amount of PHI necessary to accomplish the intended purposes of the request, use or disclosure in accordance with 45 C.F.R. § 164.502(b).
(c) Credo may not use or disclose PHI in a manner that would violate Subpart E of 45 C.F.R. Part 164 if done by the Customer, except for the Specific Uses and Disclosures set forth in this Section 3.2(d)-(g) below.
(d) Credo may use PHI for the proper management and administration of Credo or to carry out the legal responsibilities of Credo.
(e) Credo may disclose PHI for the proper management and administration of Credo or to carry out the legal responsibilities of Credo, provided the disclosures are Required By Law, or Credo obtains reasonable assurances from the person to whom the information is disclosed that the information will remain confidential and be used or further disclosed only as Required By Law or for the purposes for which it was disclosed to the person, and the person notifies Credo of any instances of which it is aware in which the confidentiality of the information has been breached.
(f) Credo may provide Data Aggregation services in accordance with 45 C.F.R. § 164.501.
(g) Credo is authorized to use PHI to de-identify the PHI in accordance with 45 C.F.R. § 164.502(d) and 164.514(a)-(c). Credo may use and disclose de-identified PHI as permitted or required by law.
(h) Credo is authorized to create Limited Data Sets in accordance with 45 C.F.R. § 164.514 and to use and disclose such Limited Data Set(s) as permitted by 45 C.F.R. § 164.514(e) and the Agreement.
3.3 Third-Party Recipients. Notwithstanding anything to the contrary, Credo will have no responsibility for safeguarding PHI once it has been delivered to the destination and/or third-party recipient, or the acts or omissions of such third-party recipient.
4. OBLIGATIONS OF CUSTOMER
4.1 No Voluntary Restrictions. Customer shall not voluntarily limit or restrict its ability to use or disclose PHI to the extent that such a limitation or restriction would affect Credo’s permitted uses or disclosures of PHI. In the event Customer grants such a restriction, Customer shall: (a) immediately notify Credo of the restriction; and (b) cease providing Credo with PHI that is subject to such restrictions. To the best of Customer’s knowledge, there are no such restrictions as of the date of this BAA.
4.2 Revocation of Permission. Customer shall notify Credo of any changes in, or revocation of, the permission by an Individual to use or disclose his or her PHI, to the extent that such changes may affect Credo’s use or disclosure of PHI.
4.3 No Impermissible Request. Except with respect to uses and disclosures by Credo of PHI under Section 3.2(d)-(g) above, Customer shall not request Credo to use or disclose PHI in any manner that would not be permissible under HIPAA if done by Customer. In addition, Customer will not send unencrypted PHI to Credo in any form.
4.4 No Liability. Should Customer breach this Section 4, Credo will not be responsible for damages arising out of or relating to the breach.
5. TERM AND TERMINATION; SURVIVAL
5.1 Term and Termination. This BAA is effective as of the Effective Date of the Agreement and shall continue until terminated as provided for in this BAA. Upon written notice, Customer may terminate this BAA upon material breach of this BAA by Credo, provided that Customer provides Credo with written notice of the breach and affords Credo the opportunity to cure the breach or end the violation within thirty (30) calendar days of the date of such notice. This BAA otherwise terminates concurrently with the termination of the Agreement.
5.2 Effect of Termination. Upon termination of this BAA for any reason, Credo shall: (a) retain only that PHI which is necessary for Credo to continue its proper management and administration or to carry out its legal responsibilities or for which Credo otherwise determines that return or destruction is infeasible; (b) return to Customer or Customer’s designee (to the extent permitted by HIPAA) or destroy the remaining PHI that Credo still maintains in any form; (c) continue to use appropriate safeguards and comply with Subpart C of 45 C.F.R. Part 164 with respect to Electronic PHI that is retained to prevent the unauthorized use or disclosure of the PHI for as long as Credo retains PHI; and (d) not use or disclose PHI retained by Credo other than for the purposes for which such PHI was retained and subject to the same conditions set out in Section 3 above, which applied prior to termination. The obligations of Credo under this BAA Section 5.2 shall survive termination of this BAA.