Business Associate Subcontractor Agreement
If Customer is a Business Associate (“Business Associate”) and includes Protected Health Information in its Customer Personal Data uploaded through the Harmonic Security Data Protection Service (the “Service”), this HIPAA Business Associate Subcontractor Agreement (“BASA”) is incorporated upon execution of the Harmonic Subscription Agreement or the Harmonic End User License Agreement (each “Service Agreement”) that incorporates the Harmonic Data Processing Agreement (“DPA”). If there is any conflict between a provision in the Service Agreement or the DPA and a provision in the Agreement, this Agreement will control. Capitalized terms used but not otherwise defined in this Agreement shall have the same meaning as ascribed to those terms in the HIPAA Rules (“HIPAA”) and the HITECH Act (the “HITECH Act”).
WITNESSETH
WHEREAS, Business Associate is a business associate as such term is defined under HIPAA and as such is required to comply with the requirements thereof regarding the confidentiality and privacy of Protected Health Information; and
WHEREAS, Subcontractor and Business Associate have entered into or will enter into that certain Harmonic Subscription Agreement or the Harmonic End User License Agreement (collectively, “Service Agreement”), pursuant to which Subcontractor may receive Protected Health Information for or on behalf of Business Associate; and
WHEREAS, Subcontractor is providing services pursuant to the Service Agreement and may receive limited Protected Health Information for or on behalf of Business Associate, Subcontractor shall become a business associate of Business Associate, as such term is defined under HIPAA, and will therefore have obligations regarding the confidentiality and privacy of Protected Health Information that Subcontractor receives from or on behalf of, Business Associate.
NOW THEREFORE, in consideration of the mutual covenants, promises, and agreements contained herein, the parties hereto agree as follows:
1. DEFINITIONS. For the purposes of this BASA, capitalized terms shall have the meanings ascribed to them below. All capitalized terms used but not otherwise defined herein will have the meaning ascribed to them by HIPAA.
2. “Protected Health Information” or “PHI” is any information, whether oral or recorded in any form or medium that is created, received, maintained, or transmitted by Subcontractor for or on behalf of Business Associate, that identifies an individual or might reasonably be used to identify an individual and relates to: (i) the individual’s past, present or future physical or mental health; (ii) the provision of health care to the individual; or (iii) the past, present or future payment for health care.
3. “Secretary” shall refer to the Secretary of the U.S. Department of Health and Human Services.
4. “Unsecured PHI” shall mean PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Secretary (e.g., encryption). This definition applies to both hard copy PHI and electronic PHI.
2. OBLIGATIONS OF SUBCONTRACTOR.
1. General Compliance with Law
Subcontractor warrants that it, its agents and its subcontractors: (i) shall use or disclose PHI only in connection with fulfilling its duties and obligations under this BASA and the Service Agreement; (ii) shall not use or disclose PHI other than as permitted or required by this BASA or required by law; (iii) shall not use or disclose PHI in any manner that violates applicable federal and state laws or would violate such laws if used or disclosed in such manner by Business Associate; and (iv) shall only use and disclose the minimum necessary PHI for its specific purposes.
2. Use and Disclosure of Protected Health Information
Subject to the restrictions set forth throughout this BASA, Subcontractor may use the information received from Business Associate if necessary for (i) the proper management and administration of Subcontractor; or (ii) to carry out the legal responsibilities of Subcontractor.
Subject to the restrictions set forth throughout this BASA, Subcontractor may disclose PHI for the proper management and administration of Subcontractor, provided that: (i) disclosures are required by law, or (ii) Subcontractor obtains reasonable assurances from the person or entity to whom the information is disclosed that it will remain confidential and used or further disclosed only as Required by Law or for the purpose for which it was disclosed to the person or entity, and the person or entity notifies the Subcontractor of any instances of which it is aware in which the confidentiality of the information has been breached.
Subcontractor acknowledges that, as between Subcontractor and Business Associate, all PHI shall be and remain the sole property of Business Associate, including any and all forms thereof developed by Subcontractor in the course of its fulfillment of its obligations pursuant to the BASA and Service Agreement.
Subcontractor is permitted, for Data Aggregation purposes to the extent permitted under HIPAA, to use, disclose, and combine PHI created or received on behalf of Business Associate by Subcontractor pursuant to this BASA with PHI, as defined by 45 C.F.R. § 160.103, received by Subcontractor in its capacity as a business associate of other business associates, to permit data analyses that relate to the Health Care Operations of the respective covered entities.
Subcontractor may de-identify any and all PHI created or received by Subcontractor under this BASA. Once PHI has been de-identified pursuant to 45 C.F.R. § 164.514(b), such information is no longer Protected Health Information and no longer subject to this BASA.
3. Covered Entity Obligations
To the extent that Subcontractor is to carry out any covered entity obligations that are regulated by HIPAA that Business Associate has assumed, Subcontractor shall comply with the HIPAA requirements that apply to the Business Associate in the performance of such obligation.
4. Safeguards
Subcontractor shall employ appropriate administrative, technical, and physical safeguards, consistent with the size and complexity of Subcontractor’s operations, to protect the confidentiality of PHI and to prevent the use or disclosure of PHI in any manner inconsistent with the terms of this BASA. Subcontractor shall comply, where applicable, with Subpart C of 45 C.F.R. Part 164 with respect to electronic PHI to prevent use or disclosure of such electronic PHI other than as provided for by this BASA.
5. Availability of Books and Records
Subcontractor shall permit the Secretary and other regulatory and accreditation authorities to audit Subcontractor’s internal practices, books, and records at reasonable times as they pertain to the use and disclosure of PHI in order to ensure that Business Associate and/or Subcontractor is in compliance with the requirements of HIPAA.
6. Individuals’ Rights to Their PHI
1. Access to Information
To the extent Subcontractor maintains PHI in a Designated Record Set, in order to allow Business Associate to respond to a request by an Individual for access to PHI pursuant to 45 CFR Section 164.524, Subcontractor, within ten (10) business days upon receipt of written request by Business Associate, shall make available to Business Associate such PHI. In the event that any Individual requests access to PHI directly from Subcontractor, Subcontractor shall forward such request to Business Associate within five (5) business days.
Business Associate will be responsible for making all determinations regarding the grant or denial of an Individual’s request for PHI and Subcontractor will make no such determinations. Except as Required by Law, only Business Associate will be responsible for releasing PHI to an Individual pursuant to such a request. Any denial of access to PHI determined by Business Associate pursuant to 45 CFR Section 164.524, and conveyed to Subcontractor by Business Associate, shall be the responsibility of Business Associate, including resolution or reporting of all appeals and/or complaints arising from denials.
2. Amendment of Information
To the extent Subcontractor maintains PHI in a Designated Record Set, in order to allow Business Associate to respond to a request by an Individual for an amendment to PHI, Subcontractor shall, within ten (10) business days upon receipt of a written request by Business Associate, make available to Business Associate such PHI. In the event that any Individual requests amendment of PHI directly from Subcontractor, Subcontractor shall forward such request to Business Associate within five (5) business days.
Business Associate will be responsible for making all determinations regarding the grant or denial of an Individual’s request for an amendment to PHI and Subcontractor will make no such determinations. Any denial of amendment to PHI determined by Business Associate pursuant to 45 CFR Section 164.526, and conveyed to Subcontractor by Business Associate, shall be the responsibility of Business Associate, including resolution or reporting of all appeals and/or complaints arising from denials.
Within ten (10) business days of receipt of a request from Business Associate to amend an individual’s PHI in the Designated Record Set, Subcontractor shall incorporate any approved amendments, statements of disagreement, and/or rebuttals into its Designated Record Set as required by 45 CFR Section 164.526.
3. Accounting of Disclosures
In order to allow Business Associate to respond to a request by an Individual for an accounting pursuant to 45 CFR Section 164.528, Subcontractor shall, within ten (10) business days of a written request by Business Associate for an accounting of disclosures of PHI about an Individual, make available to Business Associate such PHI. At a minimum, Subcontractor shall provide Business Associate with the following information: (a) the date of the disclosure; (b) the name of the entity or person who received the PHI, and if known, the address of such entity or person; (c) a brief description of the PHI disclosed; and (d) a brief statement of the purpose of such disclosure. In the event that any Individual requests an accounting of disclosures of PHI directly from Subcontractor, Subcontractor shall forward such request to Business Associate within five (5) business days. Business Associate will be responsible for preparing and delivering an accounting to Individual. Subcontractor shall implement an appropriate record keeping process to enable it to comply with the requirements of this BASA.
7. Disclosure to Subcontractors and Agents
Notwithstanding anything to the contrary in the Services Agreement or this BASA, Subcontractor, subject to the restrictions set forth in this provision, may use subcontractors to fulfill its obligations under this BASA. Subcontractor shall obtain and maintain a written agreement with each subcontractor or agent that has or will have access to PHI, which is received from, or created or received by, Subcontractor for or on behalf of Business Associate, pursuant to which such subcontractor and agent agrees to be bound by the same restrictions, terms, and conditions that apply to Subcontractor under this BASA with respect to such PHI.
8. Reporting Obligations
In the event of a Breach of any Unsecured PHI that Subcontractor accesses, maintains, retains, modifies, records, or otherwise holds or uses on behalf of Business Associate, Subcontractor shall report such Breach to Business Associate as soon as practicable, but in no event later than ten (10) business days after the date the Breach is discovered. Notice of a Breach shall include, to the extent such information is available: (i) the identification of each individual whose PHI has been, or is reasonably believed to have been, accessed, acquired, or disclosed during the Breach; (ii) the date of the Breach, if known, and the date of discovery of the Breach; (iii) the scope of the Breach; and (iv) the Subcontractor’s response to the Breach.
In the event of a use or disclosure of PHI that is improper under this BASA but does not constitute a Breach, Subcontractor shall report such use or disclosure to Business Associate within ten (10) business days after the date on which Subcontractor becomes aware of such use or disclosure.
In the event of any successful Security Incident, Subcontractor shall report such Security Incident in writing to Business Associate within ten (10) business days of the date on which Subcontractor becomes aware of such Security Incident. The parties acknowledge that unsuccessful Security Incidents that occur within the normal course of business shall not be reported pursuant to this BASA. Such unsuccessful Security Incidents include, but are not limited to, port scans or “pings,” and unsuccessful log-on attempts, broadcast attacks on Subcontractor’s firewall, denials of service or any combination thereof if such incidents are detected and neutralized by Subcontractor’s anti-virus and other defensive software and not allowed past Subcontractor’s firewall.
Subcontractor will identify and respond internally to any suspected or known Breach of any Unsecured PHI, Security Incident or other improper use or disclosure of PHI, and will mitigate, to the extent practicable, their harmful effects, document their outcomes, and provide documentation of any successful Security Incident and Breach of any Unsecured PHI to Business Associate upon request.
3. OBLIGATIONS OF BUSINESS ASSOCIATE.
1. Permissible Requests
Business Associate shall not request Subcontractor to use or disclose PHI in any manner that would violate applicable federal and state laws if such use or disclosure were made by Business Associate. Business Associate may request Subcontractor to disclose PHI directly to another party only for the purposes allowed by HIPAA and the HITECH Act.
2. Notifications
Business Associate shall notify Subcontractor of any limitation in any applicable notice of privacy practices in accordance with 45 CFR Section 164.520, to the extent that such limitation may affect Subcontractor’s use or disclosure of PHI.
Business Associate shall notify Subcontractor of any changes in, or revocation of, permission by individual to use or disclose PHI, to the extent that such changes may affect Subcontractor’s use or disclosure of PHI.
Business Associate shall notify Subcontractor of any restriction to the use or disclosure of PHI that Business Associate has agreed to in accordance with 45 CFR Section 164.522, to the extent that such restriction may affect Subcontractor’s use or disclosure of PHI.
3. Consents and Authorizations
Business Associate represents and warrants that at all times during this BASA: (i) it possesses all consents and authorizations necessary to engage Subcontractor for the purposes stated herein and to share or provide access to PHI as contemplated hereunder; and (ii) it is not subject to any legal or contractual obligation, including its contracts with covered entity customers, that conflicts with, restricts or otherwise limits its ability to fulfill its obligations hereunder or Subcontractor’s rights and obligations hereunder.
4. TERM AND TERMINATION.
1. General Term and Termination
This BASA shall become effective on the Effective Date set forth above and shall terminate upon the termination or expiration of the Service Agreement and when all PHI provided by either party to the other, or created or received by Subcontractor on behalf of Business Associate is, in accordance with this Section, destroyed, returned to Business Associate, or protections are extended.
2. Material Breach
Where either party has knowledge of a material breach by the other party, the non-breaching party shall provide the breaching party with an opportunity to cure. Where said breach is not cured to the reasonable satisfaction of the non-breaching party within twenty (20) business days of the breaching party’s receipt of notice from the non-breaching party of said breach, the non-breaching party shall, if feasible, terminate this BASA and the portion(s) of the Service Agreement affected by the breach. Where either party has knowledge of a material breach by the other party and cure is not possible, the non-breaching party shall, if feasible, terminate this BASA and the portion(s) of the Service Agreement affected by the breach.
3. Return or Destruction of PHI
Upon termination of this BASA for any reason, Subcontractor shall: (i) if feasible as determined by Subcontractor, return or destroy all PHI received from, or created or received by Subcontractor for or on behalf of Business Associate that Subcontractor or any of its subcontractors and agents still maintain in any form, and Subcontractor shall retain no copies of such information; or (ii) if Subcontractor determines that such return or destruction is not feasible, extend the protections of this BASA to such information and limit further uses and disclosures to those purposes that make the return or destruction of the PHI infeasible, in which case Subcontractor’s obligations under this Section shall survive the termination of this BASA.
5. MISCELLANEOUS.
1. Amendment
If any of the regulations promulgated under HIPAA or the HITECH Act are amended or interpreted in a manner that renders this BASA inconsistent therewith, the parties shall amend this BASA to the extent necessary to comply with such amendments or interpretations.
2. Interpretation
Any ambiguity in this BASA shall be resolved to permit the parties to comply with HIPAA and the HITECH Act.
3. Conflicting Terms
In the event that any terms of this BASA conflict with any terms of the Service Agreement, the terms of this BASA shall govern and control.
4. Notices
Any notices pertaining to this BASA shall be given in writing and shall be deemed duly given when personally delivered to a Party or a Party’s authorized representative as listed below or sent by means of a reputable overnight carrier, or sent by means of certified mail, return receipt requested, postage prepaid. Notices shall be deemed given upon receipt. Any notice or other communication by either party to the other shall be in writing and shall be given in accordance with the notice provisions of the Service Agreement.
5. Severability
The provisions of this BASA shall be severable, and if any provision of this BASA shall be held or declared to be illegal, invalid or unenforceable, the remainder of this BASA shall continue in full force and effect as though such illegal, invalid or unenforceable provision had not been contained herein.
IN WITNESS WHEREOF, each of the undersigned has duly executed this BASA on behalf of the party and on the date set forth below.
BUSINESS ASSOCIATE:
By:
Print:
Title:
Date:
SUBCONTRACTOR:
By:
Print:
Title:
Date: