Business Associate Agreement


This Business Associate Agreement (the “Agreement”) is incorporated into the Subscription Agreement (the “Subscription Agreement”) by and between the entity that has licensed Ping Identity Corporation products or services (“Covered Entity”) and Ping Identity Corporation (“Business Associate”), to the extent that the Subscription Agreement or the relevant Order Form thereunder incorporates this Agreement by reference. This Agreement is effective as of the date of execution of the Subscription Agreement. This Agreement is applicable only to the extent that Covered Entity operates in the United States.

To the extent (if any) that Business Associate receives or has access to any Protected Health Information (“PHI”) provided by Covered Entity in the course of performing services under the Agreement, or creates and receives such information on behalf of Covered Entity in order to perform such services, Covered Entity wishes to ensure that Business Associate will appropriately safeguard PHI consistent with applicable law, to the extent (if any) that any information received by or created by Business Associate is PHI.

NOW THEREFORE, Covered Entity and Business Associate agree as follows to ensure that Business Associate will appropriately safeguard PHI (to the extent, if at all, that Business Associate receives or creates such PHI) consistent with applicable law:

1. Definitions

The parties agree that the capitalized terms, when used in this Agreement, shall have the meanings as set forth in the HIPAA Rules, which shall mean the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Part 160 and Part 164. The HIPAA Privacy Rule is the Standards for Privacy of Individually Identifiable Health Information at 45 CFR Part 160 and Part 164, Subparts A and E. The HIPAA Security Rule is the HIPAA Security Standards at 45 CFR Parts 160 and 164, Subpart C. The HIPAA Breach Notification Rule is the Notification in the Case of Breach of Unsecured Protected Health Information, as set forth at 45 CFR Part 164, Subpart D.

2. Specific Definitions

(a) Business Associate. “Business Associate” shall generally have the same meaning as the term “business associate” at 45 CFR 160.103, and in this Agreement shall mean Ping Identity Corporation.

(b) Covered Entity. “Covered Entity” shall generally have the same meaning as the term “covered entity” at 45 CFR 160.103, and in this Agreement shall mean Customer.

3. Obligations and Activities of Business Associate

Business Associate agrees to:

(a) Not use or disclose protected health information other than as permitted or required by the Agreement or as required by law; Business Associate shall use, request and/or disclose PHI only to the extent necessary to satisfy Business Associate's obligations under the Agreement. Such use, disclosure or request of PHI shall utilize a limited data set if practicable or otherwise the minimum necessary PHI to accomplish the intended result of the use, disclosure or request.

(b) Use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to electronic protected health information, to prevent use or disclosure of protected health information other than as provided for by the Agreement;

(c) Report to Covered Entity any use or disclosure of PHI not provided for by the Agreement of which it becomes aware, including Breaches of Unsecured PHI as required at 45 CFR 164.410, and any Security Incident impacting Covered Entity’s ePHI of which it becomes aware. Such reports shall be made consistent with the provisions of the HIPAA Rules and where feasible shall be provided no later than 15 days from discovery;

(d) In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, ensure that any subcontractors that create, receive, maintain, or transmit protected health information on behalf of the Business Associate agree to substantially similar restrictions, conditions, and requirements that apply to the Business Associate with respect to such PHI;

(e) To the extent (if any) that Business Associate maintains a Designated Record Set, make available PHI in the designated record set to Covered Entity as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.524;

(f) To the extent (if any) that Business Associate maintains a Designated Record Set, make any amendment(s) to PHI in a Designated Record Set as directed or agreed to by the Covered Entity pursuant to 45 CFR 164.526, or take other measures as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.526;

(g) Maintain and make available the information required to provide an accounting of disclosures to Covered Entity as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.528 in response to a request from an Individual;

(h) To the extent (if any) the Business Associate is to carry out one or more of Covered Entity's obligation(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to Covered Entity in the performance of such obligation(s);

(i) Make its internal practices, books, and records available to the Secretary for purposes of determining Covered Entity’s compliance with the HIPAA Rules;

(j) In the event Covered Entity notifies Business Associate of an Individual’s restriction request granted pursuant to 45 CFR §164.522 that would restrict a use or disclosure otherwise permitted by this Agreement, Business Associate shall comply with the terms of the restriction request.

(k) Business Associate shall have procedures in place to mitigate, to the maximum extent practicable, any deleterious effect from any use or disclosure of PHI in violation of this Agreement or applicable law.

4. Permitted Uses and Disclosures by Business Associate

(a) Business Associate may only use or disclose PHI as necessary to perform the obligations set forth in this Agreement and in the Subscription Agreement.

(b) Business Associate may use or disclose PHI as required by law.

(c) Business Associate may not use or disclose PHI in a manner that would violate Subpart E of 45 CFR Part 164 if done by Covered Entity except for the specific uses and disclosures set forth below.

(d) Business Associate may use PHI for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate.

(e) Business Associate may disclose PHI for the proper management and administration of Business Associate or to carry out the legal responsibilities of the Business Associate, provided the disclosures are required by law, or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that the information will remain confidential and used or further disclosed only as required by law or for the purposes for which it was disclosed to the person, and the person notifies Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.

(f) Business Associate may provide Data Aggregation services relating to the services under this Agreement with respect to the Covered Entity if permitted by the Agreement.

5. Permissible Requests by Covered Entity

Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under Subpart E of 45 CFR Part 164 if done by Covered Entity.

6. Termination

(a) Obligations of Business Associate Upon Termination. Upon termination of this Agreement for any reason (which shall be governed solely by the provisions of the Agreement), Business Associate, with respect to PHI received from Covered Entity, or created, maintained, or received by Business Associate on behalf of Covered Entity, shall:

  1. Retain only that PHI which is necessary for Business Associate to continue its proper management and administration or to carry out its legal responsibilities and in accordance with its data retention policies, subject to continued compliance with the Agreement;
  2. Upon written request, return to Covered Entity or, if agreed to by Covered Entity, delete or destroy the remaining PHI that the Business Associate still maintains in any form, other than log and backup files that are retained in accordance with Business Associate’s data retention policy;
  3. Continue to use appropriate safeguards and comply with Subpart C of 45 CFR Part 164 with respect to electronic PHI to prevent use or disclosure of the PHI, other than as provided for in this Section, for as long as Business Associate retains the PHI;
  4. Not use or disclose the PHI retained by Business Associate other than for the purposes for which such PHI was retained and subject to the same conditions set out above under “Permitted Uses and Disclosures By Business Associate” which applied prior to termination; and
  5. Upon written request, return to Covered Entity or, if agreed to by Covered Entity, delete or destroy the PHI retained by Business Associate when it is no longer needed by Business Associate for its proper management and administration or to carry out its legal responsibilities, other than log and backup files that are retained in accordance with Business Associate’s data retention policy.

(b) Survival. The obligations of Business Associate under this Agreement shall survive the termination of the Subscription Agreement to the extent that any PHI is maintained by Business Associate following termination.

7. Miscellaneous Terms

(a) Amendment. Covered Entity and Business Associate agree that amendment of this Agreement may be required to ensure that Covered Entity and Business Associate comply with changes in state and federal laws and regulations relating to the privacy, security, and confidentiality of PHI under the HIPAA Rules, and that the parties shall cooperate to reasonably assure such compliance.

(b) No Third-Party Beneficiaries. Nothing express or implied in this Agreement is intended or shall be deemed to confer upon any person other than Covered Entity and Business Associate, and their respective successors and assigns, any rights, obligations, remedies, or liabilities.