Business Associate Agreement
This is the standard form Business Associate Agreement ("BAA") that Glace Technologies Inc. ("Glace" or "Business Associate") enters into with each healthcare practice or organization ("Customer" or "Covered Entity") before Glace creates, receives, maintains, or transmits protected health information on the Customer's behalf. It is published here for transparency. The BAA executed between Glace and your organization is the binding version and controls if it differs from this page. To execute a BAA with Glace, contact contact@glace.sh.
This BAA is entered into to enable the parties to comply with the Health Insurance Portability and Accountability Act of 1996 and the Health Information Technology for Economic and Clinical Health Act, together with their implementing regulations at 45 CFR Parts 160 and 164, each as amended ("HIPAA"). Where Customer is itself a business associate of a covered entity, Glace acts as Customer's subcontractor and the obligations of this BAA apply to Glace as a subcontractor business associate.
1. Definitions
Capitalized terms used but not defined in this BAA have the meanings given in HIPAA. In this BAA:
- "Protected Health Information" or "PHI" means individually identifiable health information, as defined at 45 CFR 160.103, that Glace creates, receives, maintains, or transmits on behalf of Customer, and includes electronic PHI ("ePHI").
- "Breach" means the acquisition, access, use, or disclosure of Unsecured PHI in a manner not permitted by HIPAA that compromises the security or privacy of the PHI, as defined at 45 CFR 164.402.
- "Security Incident" has the meaning at 45 CFR 164.304. "Unsuccessful Security Incidents" means activity such as pings, port scans, denial of service attempts that do not result in unauthorized access, and failed log-in attempts, in each case that does not result in unauthorized access to, or acquisition, use, disclosure, modification, or destruction of, PHI.
- "Services" means the services Glace provides to Customer under the applicable services agreement, order form, or the Glace Terms of Service (the "Underlying Agreement").
2. Permitted Uses and Disclosures
Glace will not use or disclose PHI other than as permitted or required by this BAA or as Required by Law. Subject to those limits, Glace may use and disclose PHI:
- To provide the Services to and for Customer, consistent with the minimum necessary standard.
- For the proper management and administration of Glace and to carry out Glace's legal responsibilities, provided that any disclosure for these purposes is Required by Law or is made subject to written assurances of confidentiality and breach notification from the recipient as required by 45 CFR 164.504(e)(4).
- To provide Data Aggregation services relating to the health care operations of Customer as permitted by 45 CFR 164.504(e)(2)(i)(B).
- To de-identify PHI in accordance with 45 CFR 164.514(a) through (c), and to use de-identified data for Glace's lawful business purposes, including to operate, maintain, develop, and improve Glace's products, services, and models, provided that de-identified data will not be associated with or attributed to Customer or its patients. Information de-identified in accordance with that standard is no longer PHI and is not governed by this BAA. Glace will not attempt to re-identify de-identified data and will contractually require any recipient of de-identified data to commit to the same.
3. Prohibited Uses and Disclosures
- Glace will not sell PHI, and will not receive direct or indirect remuneration in exchange for PHI, except as permitted by 45 CFR 164.502(a)(5)(ii).
- Glace will not use or disclose PHI for marketing or fundraising purposes, and will not use PHI for Glace's own advertising or promotion.
- Glace will request, use, and disclose only the minimum necessary PHI to accomplish the intended purpose, consistent with 45 CFR 164.502(b) and applicable guidance.
4. Safeguards
Glace will use appropriate administrative, physical, and technical safeguards to prevent the use or disclosure of PHI other than as provided for by this BAA, and will comply with the applicable requirements of the HIPAA Security Rule, 45 CFR Part 164 Subpart C, with respect to ePHI. These safeguards are designed to protect the confidentiality, integrity, and availability of ePHI and include measures such as encryption of ePHI in transit and at rest, access controls that limit PHI access to workforce members who need it to provide the Services, audit logging, a written risk analysis and risk management program, an incident response and contingency plan, and workforce HIPAA training. Glace will respond to Customer's reasonable written inquiries about its security program.
5. Reporting to Customer
- Breaches of Unsecured PHI. Glace will notify Customer of a Breach of Unsecured PHI without unreasonable delay and in no event later than ten (10) business days after discovery, consistent with 45 CFR 164.410. The notice will include, to the extent known and reasonably available, the identification of each individual affected, a description of what happened, the types of PHI involved, the date of the Breach and of its discovery, and the steps Glace is taking to investigate and mitigate harm. Glace will supplement the notice as additional information becomes available.
- Security Incidents and impermissible uses. Glace will report to Customer any use or disclosure of PHI not permitted by this BAA, and any Security Incident, of which it becomes aware. The parties acknowledge that Unsuccessful Security Incidents occur routinely, and this paragraph serves as ongoing notice of them; no separate reporting of Unsuccessful Security Incidents is required.
- Mitigation. Glace will mitigate, to the extent practicable, any harmful effect known to Glace of a use or disclosure of PHI in violation of this BAA.
6. Subcontractors
Glace will ensure that any subcontractor that creates, receives, maintains, or transmits PHI on behalf of Glace agrees in writing to restrictions and conditions at least as protective as those that apply to Glace under this BAA, including compliance with the Security Rule for ePHI, as required by 45 CFR 164.502(e)(1)(ii) and 164.308(b). Glace remains responsible for its subcontractors' handling of PHI. A current list of subcontractors that may process PHI is available on request at contact@glace.sh. Glace's artificial intelligence model providers are engaged under terms that prohibit them from using Customer PHI to train their models and that require deletion or non-retention of PHI consistent with the Services.
7. Individual Rights
Glace's services are not designed for Glace to maintain Designated Record Sets on Customer's behalf; Customer's records remain in Customer's own systems. To the extent Glace nonetheless holds relevant PHI:
- Glace will, within fifteen (15) business days of Customer's written request, make available to Customer the PHI known to Glace and reasonably available as necessary for Customer to respond to an individual's request for access under 45 CFR 164.524, and will incorporate amendments as directed by Customer under 45 CFR 164.526.
- Glace will document and, within fifteen (15) business days of Customer's written request, provide the information known to Glace and reasonably available for Customer to respond to a request for an accounting of disclosures under 45 CFR 164.528.
- If an individual contacts Glace directly with a request regarding their PHI, Glace will promptly forward the request to Customer rather than respond directly, unless Required by Law.
- Glace will comply with restrictions on the use or disclosure of PHI to which Customer has agreed, and with confidential communication requirements, of which Customer notifies Glace, to the extent they affect Glace's handling of PHI.
- To the extent Glace is to carry out one or more of Customer's obligations under the Privacy Rule, Glace will comply with the requirements of the Privacy Rule that apply to Customer in the performance of those obligations.
8. Availability to HHS
Glace will make its internal practices, books, and records relating to the use and disclosure of PHI received from, or created or received by Glace on behalf of, Customer available to the Secretary of Health and Human Services for purposes of determining compliance with HIPAA.
9. Customer Obligations
- Customer will notify Glace of any limitation in Customer's notice of privacy practices, any changes in or revocation of an individual's permission to use or disclose PHI, and any restriction on the use or disclosure of PHI that Customer has agreed to, in each case to the extent it may affect Glace's use or disclosure of PHI.
- Customer will not request that Glace use or disclose PHI in any manner that would not be permissible under HIPAA if done by Customer, except as permitted for Data Aggregation and management and administration as described above.
- Customer is responsible for obtaining any consents and authorizations from individuals that are required for Glace to provide the Services, as further described in the Glace Terms of Service.
10. Term and Termination
This BAA takes effect on the effective date of the Underlying Agreement, or on the date PHI is first made available to Glace if earlier, and continues until the Underlying Agreement terminates and all PHI is returned or destroyed. Either party may terminate this BAA and the Underlying Agreement if the other party materially breaches this BAA and fails to cure the breach within thirty (30) days of written notice, or immediately if the breach is incapable of cure.
Upon termination, Glace will return or destroy all PHI that it still maintains in any form, within thirty (30) days, except that PHI residing in routine system backups may be destroyed on Glace's scheduled backup deletion cycle, with the protections of this BAA continuing to apply until destruction. If return or destruction is otherwise infeasible, or if retention is required by law, Glace will extend the protections of this BAA to the retained PHI and will limit further uses and disclosures to the purposes that make return or destruction infeasible, for as long as the PHI is retained. De-identified data that is no longer PHI is not subject to return or destruction. The obligations of this Section and of Sections 5 and 8 survive termination.
11. Changes in Law
The parties will negotiate in good faith to amend this BAA as necessary to comply with changes to HIPAA or other applicable law, including any final rule amending the HIPAA Security Rule. If the parties cannot agree on an amendment required for compliance, either party may terminate the portions of the Services that cannot be performed in compliance with the changed law.
12. Miscellaneous
- All PHI is and remains the property of Customer or the relevant covered entity. Glace acquires no ownership rights in PHI.
- Any ambiguity in this BAA will be interpreted to permit compliance with HIPAA.
- With respect to PHI, this BAA controls over any conflicting term of the Underlying Agreement or the Glace Terms of Service. Nothing in the Underlying Agreement limits either party's obligations under this BAA.
- Nothing in this BAA creates rights in any third party, including any individual whose PHI is processed.
Contact
To execute this BAA, request our subcontractor list, or ask questions about our HIPAA program, contact contact@glace.sh.