This is the standard form Business Associate Agreement ("BAA") that Glace Technologies Inc. ("Glace" or "Business Associate") enters into with each healthcare practice or organization ("Customer" or "Covered Entity") before Glace creates, receives, maintains, or transmits protected health information on the Customer's behalf. It is published here for transparency. The BAA executed between Glace and your organization is the binding version and controls if it differs from this page. To execute a BAA with Glace, contact contact@glace.sh.

This BAA is entered into to enable the parties to comply with the Health Insurance Portability and Accountability Act of 1996 and the Health Information Technology for Economic and Clinical Health Act, together with their implementing regulations at 45 CFR Parts 160 and 164, each as amended ("HIPAA"). Where Customer is itself a business associate of a covered entity, Glace acts as Customer's subcontractor and the obligations of this BAA apply to Glace as a subcontractor business associate.

1. Definitions

Capitalized terms used but not defined in this BAA have the meanings given in HIPAA. In this BAA:

2. Permitted Uses and Disclosures

Glace will not use or disclose PHI other than as permitted or required by this BAA or as Required by Law. Subject to those limits, Glace may use and disclose PHI:

3. Prohibited Uses and Disclosures

4. Safeguards

Glace will use appropriate administrative, physical, and technical safeguards to prevent the use or disclosure of PHI other than as provided for by this BAA, and will comply with the applicable requirements of the HIPAA Security Rule, 45 CFR Part 164 Subpart C, with respect to ePHI. These safeguards are designed to protect the confidentiality, integrity, and availability of ePHI and include measures such as encryption of ePHI in transit and at rest, access controls that limit PHI access to workforce members who need it to provide the Services, audit logging, a written risk analysis and risk management program, an incident response and contingency plan, and workforce HIPAA training. Glace will respond to Customer's reasonable written inquiries about its security program.

5. Reporting to Customer

6. Subcontractors

Glace will ensure that any subcontractor that creates, receives, maintains, or transmits PHI on behalf of Glace agrees in writing to restrictions and conditions at least as protective as those that apply to Glace under this BAA, including compliance with the Security Rule for ePHI, as required by 45 CFR 164.502(e)(1)(ii) and 164.308(b). Glace remains responsible for its subcontractors' handling of PHI. A current list of subcontractors that may process PHI is available on request at contact@glace.sh. Glace's artificial intelligence model providers are engaged under terms that prohibit them from using Customer PHI to train their models and that require deletion or non-retention of PHI consistent with the Services.

7. Individual Rights

Glace's services are not designed for Glace to maintain Designated Record Sets on Customer's behalf; Customer's records remain in Customer's own systems. To the extent Glace nonetheless holds relevant PHI:

8. Availability to HHS

Glace will make its internal practices, books, and records relating to the use and disclosure of PHI received from, or created or received by Glace on behalf of, Customer available to the Secretary of Health and Human Services for purposes of determining compliance with HIPAA.

9. Customer Obligations

10. Term and Termination

This BAA takes effect on the effective date of the Underlying Agreement, or on the date PHI is first made available to Glace if earlier, and continues until the Underlying Agreement terminates and all PHI is returned or destroyed. Either party may terminate this BAA and the Underlying Agreement if the other party materially breaches this BAA and fails to cure the breach within thirty (30) days of written notice, or immediately if the breach is incapable of cure.

Upon termination, Glace will return or destroy all PHI that it still maintains in any form, within thirty (30) days, except that PHI residing in routine system backups may be destroyed on Glace's scheduled backup deletion cycle, with the protections of this BAA continuing to apply until destruction. If return or destruction is otherwise infeasible, or if retention is required by law, Glace will extend the protections of this BAA to the retained PHI and will limit further uses and disclosures to the purposes that make return or destruction infeasible, for as long as the PHI is retained. De-identified data that is no longer PHI is not subject to return or destruction. The obligations of this Section and of Sections 5 and 8 survive termination.

11. Changes in Law

The parties will negotiate in good faith to amend this BAA as necessary to comply with changes to HIPAA or other applicable law, including any final rule amending the HIPAA Security Rule. If the parties cannot agree on an amendment required for compliance, either party may terminate the portions of the Services that cannot be performed in compliance with the changed law.

12. Miscellaneous

Contact

To execute this BAA, request our subcontractor list, or ask questions about our HIPAA program, contact contact@glace.sh.