This Business Associate Agreement (“BAA”) is between You, a user of GSI’s secure messaging services, and Galvatech Solutions, Inc. (“GSI”). To the extent GSI is acting as a business associate, this BAA governs Your use of the GSI secure messaging services, and is incorporated into the Terms of Use, available at https://www.galvatechsol.com/terms. In this BAA, “You” and “Covered Entity” mean the same thing, and “GSI” and “Business Associate” also mean the same thing.
You understand and agree that by using GSI’s secure messaging services, You are hereby agreeing to the terms of this BAA as set forth herein, in addition to the Terms of Use. In the case of any conflict between the Terms of Use and this BAA, the BAA will control the relevant content.
This Business Associate Agreement is only applicable to You if You use GSI’s free services, and do not use or pay for any other GSI services. If You pay for any other GSI service, then the Product Order (or Subscriber Agreement) and Business Associate Agreement signed in conjunction with that arrangement governs Your relationship with GSI. If You work for an entity that signed a Product Order (or Subscriber Agreement) with GSI, then the Business Associate Agreement signed in conjunction with that Product Order (or Subscriber Agreement), as well as the executed Product Order (or executed Subscriber Agreement), control Your relationship with GSI. In all cases, if You use any GSI services, the Terms of Use govern Your use of GSI’s services.
- Definitions. Capitalized terms used without definition herein shall have the respective meanings assigned to them under the Health Insurance Portability and Accountability Act of 1996 and the privacy, security, breach notification and other rules promulgated thereunder (collectively “HIPAA”) or in the MSA.
- Permitted Uses and Disclosures. Business Associate may use or disclose PHI to perform the services and as otherwise permitted therein, as permitted herein and as Required by Law. Business Associate may not use or disclose PHI if such use or disclosure would violate the Privacy Rule if done by Covered Entity.
- Minimum Necessary. Both Parties agree they shall not use or disclose more than the minimum amount of PHI necessary to accomplish the intended purpose of the permitted use or disclosure. Both Parties agree to comply with any guidance issued by the Secretary with respect to what constitutes minimum necessary.
- Activities by Business Associate. Business Associate shall:
  - Not use or disclose PHI other than as permitted or required by this Agreement, except that Business Associate may use and disclose PHI for the following purposes: (a) the proper management and administration of Business Associate, (b) to carry out the legal responsibilities of Business Associate, (c) to provide data aggregation services relating to the health care operations of the Covered Entity, and (d) to de-identify PHI received or created by Business Associate in accordance with HIPAA, and such de-identified information shall no longer be subject to this Agreement and may be used and disclosed on Business Associate’s own behalf in accordance with the de-identification requirements of the Privacy Rule. Notwithstanding the foregoing, if Business Associate discloses PHI for the proper management and administration of Business Associate and such disclosures are not Required by Law, Business Associate must first obtain reasonable assurances from the person to whom the information is disclosed that it will remain confidential and will be used or further disclosed only as Required by Law or for the purpose for which it was disclosed to the person, and the person agrees to notify Business Associate of any breaches of the confidentiality of the information of which such person becomes aware.
  - Use appropriate safeguards to prevent use or disclosure of PHI other than as provided for by this Agreement.
  - Implement administrative, physical, and technical safeguards (including written policies and procedures) that reasonably and appropriately protect the confidentiality, integrity, and availability of electronic PHI that it creates, receives, maintains, or transmits on behalf of the Covered Entity as required by the Security Rule. In addition, Business Associate shall comply with Sections 164.308, 164.310, 164.312, 164.314, and 164.316 of the Security Rule in the same manner that such sections apply to covered entities with respect to Business Associate’s use or disclosure of PHI.
  - Report to Covered Entity any: (a) use or disclosure of PHI not provided for by this Agreement without unreasonable delay, but in no case later than ten (10) days after it is Discovered by Business Associate; or (b) Security Incident of which Business Associate becomes aware; provided however, that the parties acknowledge and agree that this Section 4.4 constitutes notice by Business Associate to Covered Entity of the ongoing existence and occurrence or attempts of Unsuccessful Security Incidents for which no additional notice to Covered Entity shall be required. “Unsuccessful Security Incidents” means, without limitation, pings and other broadcast attacks on Business Associate’s firewalls, port scans, unsuccessful log-on attempts, denial of service attacks, and any combination of the above, so long as no such incident results in unauthorized access, use or disclosure of PHI.
  - Require that any subcontractor that creates, receives, maintains or transmits PHI on behalf of Business Associate agrees in writing to the same restrictions and conditions that apply to Business Associate in this Agreement related to such information, including compliance with Sections 164.308, 164.310, 164.312, 164.314, and 164.316 of the Security Rule and compliance with the applicable provisions of the Privacy Rule.
  - At the request of Covered Entity, provide access to PHI in a Designated Record Set in order for Covered Entity to meet the requirements under 45 CFR § 164.524.
  - At the request of Covered Entity, make available to Covered Entity PHI for amendment and, if requested by Covered Entity, incorporate any amendment(s) to PHI in accordance with 45 CFR § 164.526.
  - Make available the information required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 CFR § 164.528.
  - Make its internal practices, books and records relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of Covered Entity available to the Secretary for purposes of the Secretary determining Covered Entity’s compliance with HIPAA.
  - Comply with all requirements of the Health Information Technology for Economic and Clinical Health Act under the American Recovery and Reinvestment Act of 2009 (the “HITECH Act”) that relate to security or privacy and that the HITECH Act makes applicable to business associates, and all such requirements are incorporated into this Agreement by reference for such purposes.
  - To the extent that Business Associate is to carry out an obligation of Covered Entity under the Privacy Rule, comply with the requirements of the Privacy Rule that apply to the Covered Entity in the performance of such obligation.
- Obligations of Covered Entity
  - Notice of Privacy Practices. Covered Entity shall notify Business Associate of any limitation(s) in its notice of privacy practices in accordance with 45 CFR § 164.520 to the extent that such limitation may affect Business Associate’s use or disclosure of PHI or Business Associate’s obligations under applicable law or regulation with respect thereto.
  - Notification of Changes Regarding Individual Permission. Covered Entity shall notify Business Associate of any changes in, or revocation of, permission by Individual to use or disclose PHI to the extent that such changes may affect Business Associate’s use or disclosure of PHI or Business Associate’s obligations under applicable law or regulation with respect thereto.
  - Notification of Restrictions to Use or Disclosure of PHI. Covered Entity shall notify Business Associate of any restriction to the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 CFR § 164.522 to the extent that such restriction may affect Business Associate’s use or disclosure of PHI or Business Associate’s obligations under applicable law or regulation.
  - Permissible Requests by Covered Entity. Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible for Covered Entity under HIPAA, the HITECH Act or any other applicable law or regulation.
- Term and Termination.
  - Term. The term of this Agreement shall commence as of the date You log into Your account with the GSI secure messaging services, and shall terminate when You email support@galvatechsol.com requesting to close Your GSI secure messaging account. If it is infeasible to destroy PHI, protections are extended to such information in accordance with the termination provisions in this Section 6.iii of this Agreement.
  - Termination for Cause. In the event a party has knowledge of a material breach by the other, such party may either: (a) provide an opportunity for the breaching party to cure the breach or end the violation and terminate this Agreement and the MSA if the breaching party does not cure the breach within thirty (30) days; or (b) immediately terminate this Agreement and the MSA if cure of the breach is not possible.
  - Effect of Termination.
    - Except as provided in Section 6.iii.2 or otherwise required by applicable law or regulation, upon termination of this Agreement, for any reason, Business Associate shall, for a period of thirty (30) days after such termination, retain all PHI received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity, and shall return all such PHI to Covered Entity (in accordance with the Agreement) if Covered Entity requests such return within such thirty (30) day period. If Covered Entity does not request return of such PHI within such thirty (30) day period, Business Associate shall destroy all such PHI and retain no copies of such PHI. This provision shall apply to PHI that is in the possession of subcontractors or agents of Business Associate.
    - In the event that Business Associate determines that returning or destroying the PHI is infeasible, Business Associate shall provide to Covered Entity notification of the conditions that make return or destruction infeasible. Upon the determination by Business Associate that return or destruction of PHI is infeasible, Business Associate shall extend the protections of this Agreement to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible for so long as Business Associate maintains such PHI.
- Indemnification. You agree to indemnify and hold GSI, its directors, officers, employees and agents harmless from any and all liabilities, claims, damages, loss and costs (including reasonable attorneys’ fees) related to (i) any violation under HIPAA or other applicable law resulting from Your use of the GSI secure messaging services, (ii) arising due to Your or Users’ communications or disclosures with patients or other outside individuals or entities on or through the GSI secure messaging services, or (iii) Your or Users’ breach of any obligation, representation or warranty made in this Business Associate Agreement. Indemnified claims include, without limitation, claims arising out of or related to GSI’s own negligence.
- Limitation of Liability. THE LIABILITY OF GSI FOR ANY LOSSES OR DAMAGE, WHETHER DIRECT OR INDIRECT, ARISING OUT OF THIS BAA FROM ANY CAUSE WHATSOEVER, INCLUDING WITHOUT LIMITATION ANY CAUSE OF ACTION SOUNDING IN CONTRACT, TORT, PRODUCT LIABILITY, OR STRICT LIABILITY, SHALL BE LIMITED TO ACTUAL, DIRECT DAMAGES INCURRED. IN NO EVENT SHALL SUCH LIABILITIES EXCEED AN AMOUNT EQUAL TO THE TOTAL AMOUNT OF ALL SUBSCRIPTION FEES PAID BY YOU TO GSI DURING THE TERM OF THIS MSA. GSI SHALL NOT BE LIABLE FOR LOST PROFITS OR OTHER CONSEQUENTIAL DAMAGES OR COVER DAMAGES, EVEN IF SUCH PARTY WAS ADVISED (ACTUALLY OR CONSTRUCTIVELY) OF THE POSSIBILITY OF SAME. UNDER NO CIRCUMSTANCES SHALL GSI BE LIABLE HEREUNDER FOR SPECIAL DAMAGES, GENERAL DAMAGES, INCIDENTAL DAMAGES, INDIRECT DAMAGES, OR EXEMPLARY OR PUNITIVE DAMAGES. GSI WILL HAVE NO LIABILITY TO YOU OF ANY KIND IN CONNECTION WITH YOUR USE OF THE SERVICES TO COMMUNICATE WITH PATIENTS OR TO COORDINATE A PATIENT’S MEDICAL CARE.
- Miscellaneous. The parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for Covered Entity and Business Associate to comply with the requirements of HIPAA, the HITECH Act, and other applicable law or regulation. The respective rights and obligations of the parties under Section 13.3 of this Agreement shall survive the termination of this Agreement. Nothing expressed or implied in this Agreement is intended to confer, nor shall anything herein confer, any rights, remedies, obligations or liabilities whatsoever upon any person other than Covered Entity, Business Associate and their respective successors or assigns. This Agreement expressly supersedes and replaces any prior HIPAA business associate agreement between the parties. Any ambiguity in this Agreement shall be resolved in favor of a meaning that permits each party to comply with HIPAA, the HITECH Act and any other applicable law or regulation.