Business Associate Agreement

Introduction

This Business Associate Agreement (the "Agreement") is entered into as of [Date], by and between [Covered Entity Name], a [State of Incorporation/Organization, including country] entity, with its principal place of business at [Covered Entity Address, including country] ("Covered Entity"), and Doodle AG, a Swiss-based entity, with its principal place of business at Werdstrasse 21, 8004 Zurich, Switzerland ("Business Associate"). Covered Entity and Business Associate are each a “Party” and together the “Parties”.

This Agreement is incorporated into the Master Services Agreement and the Individual Orders entered into by the Covered Entity and the Business Associate.

Recitals

A. Covered Entity is a "covered entity" or “business associate” of a covered entity as each is defined under the Health Information Portability and Accountability Act of 1996 ("HIPAA") and its implementing regulations, including the HIPAA Privacy and Security Rules (collectively, "HIPAA Rules").

B. Business Associate provides certain services to Covered Entity under Individual Orders under a Master Services Agreement that may, from time to time, involve the creation, receipt, maintenance, or transmission of Protected Health Information ("PHI") on behalf of Covered Entity.

C. The Parties intend to comply with the HIPAA Rules, including the requirements for a business associate contract as set forth in 45 C.F.R. § 164.314(a) and § 164.504(e).

1. Definitions

  • Breach: As defined in 45 C.F.R. § 164.402.

  • Data Aggregation: As defined in 45 C.F.R. § 164.501.

  • Electronic Protected Health Information (ePHI): means Protected Health Information that is ePHI, as defined in 45 C.F.R. § 160.103.

  • Master Services Agreement (or MSA): means the Master Services Agreement between Covered Entity and Business Associate which was signed on [insert date of latest signature]

  • Effective Date of Master Services Agreement: has the meaning ascribed to it under the MSA.

  • Individual Order: has the meaning ascribed to it under the MSA.

  • Protected Health Information (PHI): As defined in 45 C.F.R. § 160.103 but limited to the information created, received, maintained, or transmitted by Business Associate for, from, or on behalf of Covered Entity.

  • Security Rule: The standards, requirements, and implementation specifications found at 45 C.F.R. Part 160 and Part 164, Subpart C.

  • Privacy Rule: The standards, requirements, and implementation specifications found at 45 C.F.R. Part 160 and Part 164, Subpart E.

  • Unsecured Protected Health Information: As defined in 45 C.F.R. § 164.402.

Any terms not defined herein shall have the meaning ascribed to them under the HIPAA Rules.

2. Permitted Uses and Disclosures of PHI

  • 2.1. Permitted Uses and Disclosures. Business Associate may use or disclose PHI only as necessary to perform the functions, activities, or services for Covered Entity as specified in the Master Services Agreement and any underlying Individual Order(s) between the Parties, or as required by law.

  • 2.2. Management and Administration. Business Associate may use PHI for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate. Disclosures for these purposes are permitted only if the disclosures are required by law or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and will be used or further disclosed only as required by law or for the purpose for which it was disclosed to the person, and the person notifies Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.

  • 2.3. Data Aggregation. Business Associate may use PHI to provide Data Aggregation services relating to the health care operations of Covered Entity as permitted or required to perform the functions, activities, or services set forth in the underlying Individual Order(s) between the Parties.

  • 2.4 De-Identification. Business Associate may use PHI to create de-identified data as permitted under the Master Services Agreement or any Individual Order(s) between the Parties, provided that such use of PHI satisfies the de-identification standards set forth in the HIPAA Privacy Rule.

3. Obligations of Business Associate

  • 3.1. Safeguards. Business Associate agrees to use appropriate administrative, physical, and technical safeguards to prevent the use or disclosure of PHI other than as provided for by this Agreement. Business Associate shall comply with the applicable requirements of the HIPAA Security Rule (45 C.F.R. Part 164, Subpart C) with respect to ePHI.

  • 3.2. Minimum Necessary. Business Associate shall, to the extent practicable, limit its use and disclosure of PHI to the minimum necessary amount to accomplish the intended purpose.

  • 3.3. Reporting of Breaches and Unpermitted Disclosures. Business Associate shall report to Covered Entity any use or disclosure of PHI not provided for by this Agreement of which it becomes aware. This includes, but is not limited to, breaches of unsecured PHI as required by 45 C.F.R. § 164.410. Business Associate shall provide such notification without unreasonable delay and in no case later than 60 calendar days after discovery of the breach. The notification must include, to the extent possible, the identification of each individual whose unsecured PHI was involved and any other information required for Covered Entity to fulfill its breach notification obligations under the HIPAA Rules.

  • 3.4. Subcontractors. Business Associate shall ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of Business Associate agree to the same restrictions and conditions that apply to Business Associate with respect to such information.

  • 3.5. Covered Entity Obligations. Business Associate shall, to the extent it carries out one or more of Covered Entity's obligations under the HIPAA Privacy Rule, comply with the requirements of the HIPAA Privacy Rule that apply to Covered Entity in performing such obligation.

  • 3.6 Individual Rights. To the extent Business Associate maintains PHI in a designated record set for Covered Entity, Business Associate shall make available such PHI:

      • for Access by Covered Entity as required by 45 C.F.R. § 164.524.

      • for Amendment by Covered Entity (or, at the direction of Covered Entity, to incorporate amendments to PHI) as required by 45 C.F.R. § 164.526.

      • Provide an accounting of disclosures as required by 45 C.F.R. § 164.528.

  • 3.6. Availability of Records. Business Associate shall make its internal practices, books, and records relating to the use and disclosure of PHI received from, or created or received on behalf of, Covered Entity available to the Secretary of the Department of Health and Human Services for purposes of determining compliance with the HIPAA Rules. 

  • 3.7. Offshoring. Business Associate may engage in offshoring operations involving PHI in connection with the functions, activities, and services as set forth in the Master Services Agreement and any Individual Order(s) between the Parties.

4. Obligations of Covered Entity

4.1. Permitted Disclosures. Covered Entity shall notify Business Associate of any limitations in its notice of privacy practices, or any changes to, or revocation of, permission by an individual to use or disclose PHI, to the extent that such limitations may affect Business Associate's use or disclosure of PHI.

5. Applicability, Term and Termination

  • 5.1. Applicability. This Agreement exclusively applies to the processing of PHI by Business Associate and Covered Entity under Individual Orders, if, to the extent and for so long as such processing is governed by the HIPAA Rules, to the exclusion of any other processing of data by either Business Associate and/or Covered Entity.

  • 5.2. Term. This Agreement shall be effective as of the Effective Date of the Master Services Agreement and shall automatically terminate at the later of a) term of the MSA or b) term of the last of the Individual Orders.

  • 5.3. Termination for Cause. Covered Entity may terminate this Agreement immediately if it determines that Business Associate has violated a material term of the Agreement.

  • 5.4. Effect of Termination. Upon termination of this Agreement for any reason, Business Associate shall stop providing services involving PHI under existing Individual Order(s) and shall return to Covered Entity or destroy all PHI received from, or created or received on behalf of, Covered Entity that Business Associate still maintains in any form. Business Associate shall retain no copies of such information. If return or destruction is not feasible (including if there is a legal/regulatory retention obligation), Business Associate shall extend the protections of this Agreement to the PHI and limit its further use and disclosure to those purposes that make the return or destruction of the information infeasible. For the sake of clarity, termination of this Agreement for any reason does not automatically end/terminate the Master Services Agreement and/or any Individual Order(s), which continue in accordance with their terms (except that Business Associate is no longer obliged to provide and shall stop providing services involving PHI under existing Individual Order(s)) and Covered Associate shall continue to pay the fees as set forth under the Individual Order(s).

6. Miscellaneous

  • 6.1. Conflict. In the event of any conflict or inconsistency between the terms of this Agreement and the terms of the MSA and/or any Individual Order, the terms of this Agreement shall prevail with respect solely to the terms and conditions set forth in this Agreement. 

  • 6.2. Amendments. This Amendment shall not be modified except by a written instrument signed by the Parties (this form requirement also applies to any amendment to this clause 6.2). To the extent that it is determined by any competent authority that the Agreement is insufficient to comply with the HIPAA Rules, Covered Entity and Business Associate agree to cooperate in good faith to amend the Agreement or enter into further mutually agreeable agreements in an effort to comply with the HIPAA Rules.

  • 6.3. Liability: Each Party’s liability arising out of or related to this Agreement, whether in contract, tort or under any other theory of liability, is subject to the limitations of liability contained in the MSA.

  • 6.4. No Third-Party Beneficiaries. Nothing express or implied in this Agreement is intended to confer, nor shall anything herein confer, upon any person other than the Parties and their respective successors or assigns, any rights, remedies, obligations, or liabilities whatsoever.

  • 6.5. Interpretation. Any ambiguity in this Agreement shall be resolved to permit Covered Entity and Business Associate to comply with the HIPAA Rules.

  • 6.6. Governing Law and Venue. The laws of the State of New York shall govern the validity, constructions, enforcement, and interpretation of this Agreement, unless otherwise specified herein except for the conflict of laws provisions thereof.  All claims, disputes and other matters in question arising out of this Agreement, or the breach thereof, shall be decided by proceedings instituted and litigated in a court of competent jurisdiction in the State of New York, and the Parties hereto expressly consent to the venue and jurisdiction of such court.

IN WITNESS WHEREOF, the Parties hereto have executed this Agreement as of the date first written above.

[Covered Entity Name]

By: ___________________________

Name: _________________________

Title: _________________________

Doodle AG

By: ___________________________

Name: _________________________

Title: _________________________

By: ___________________________

Name: ____________________________

Title: _______________________________

Last updated: 12th March, 2026