Business Associate Addendum

HIPAA Rules and Obligations

This Business Associate Addendum (this “Addendum”) is an agreement between R-Stor, Inc. (“R-Stor”) and you or the entity you represent (“you” or “your”), collectively known as the “Parties” (each a “Party”), and is an Addendum to the R-Stor Master Services Agreement by and between you and R-Stor, or another agreement between you and R-Stor governing the contractual relationship with R-Stor (“Agreement”). This Addendum supplements and is made a part of the R-Stor Terms and Conditions available at Terms and Conditions.

This Addendum takes effect with respect to the HIPAA Rules (as defined below) on the Effective Date (“Effective Date”) of the Agreement. For purposes of this Addendum, You or Your is considered the “Covered Entity” and R-Stor is considered a “Business Associate” of such Covered Entity.

The parties hereby agree as follows:

  1. Applicability and Definitions. This Addendum applies only to the HIPAA Account. The “HIPAA Account” means the account enforced under the Agreement that uses HIPAA eligible services to store or transmit any “protected health information” as defined in 45 C.F.R. §160 and Subparts A and E of Part 164 to which you have applied the required security configurations specified in the list of HIPAA Eligible Services (defined below), if any, and in Section 4.3 of this Addendum. You acknowledge that this Addendum does not apply to any other accounts you may have now or in the future, and that any of your accounts that do not satisfy all of the HIPAA Account requirements are not subject to this Addendum. Unless otherwise expressly defined in this Addendum, all capitalized terms in this Addendum will have the meanings set forth in the Agreement or in HIPAA. “HIPAA” means the Administrative Simplification Subtitle of the Health Insurance Portability and Accountability Act of 1996, as amended by Subtitle D of the 2009 Health Information Technology for Economic and Clinical Health (HITECH) Act, and their implementing regulations. “HIPAA Eligible Services” means only the services listed at [Add List of R-Stor Products that can be effected by HIPAA and keep updated list on internet], subject to any required security configurations applicable to such Services or functionality of such Services described at such location, as may be updated by R-Stor from time to time. R-Stor may, in its sole discretion, add or remove Services or functionality of any of the Services to or from the HIPAA Eligible Services. R-Stor will not be obligated to provide notice under the prior sentence if the removal is necessary to address an emergency or threat to the security or integrity of R-Stor, respond to claims, litigation, or loss of license rights related to third-party intellectual property rights, or comply with the law or requests of a government entity.
“PHI” means “protected health information” as defined in 45 C.F.R. § 160.103 that is received by R-Stor from or on behalf of you and that is in a HIPAA Account.
  2. Permitted and Required Uses and Disclosures
    • 2.1. R-Stor agrees that it shall not, and that its directors, officers, employees, contractors and agents shall not, use or further disclose PHI other than as permitted or required by this Addendum or as Required By Law.
    • 2.2. R-Stor agrees to use appropriate safeguards in accordance with the HIPAA rules to prevent use or disclosure of the PHI other than as provided for by this Addendum.
  3. Obligations of R-Stor
    • 3.1. R-Stor Obligations Conditioned on Appropriate Configurations. For any of your accounts other than the HIPAA Account, R-Stor does not act as a business associate under HIPAA and will have no obligations under this Addendum.
    • 3.2. Limit on Uses and Disclosures. R-Stor will use or disclose PHI only as permitted by this Addendum or as required by law, provided that any such use or disclosure would not violate HIPAA if done by a Covered Entity, unless permitted under HIPAA for a Business Associate.
    • 3.3. Safeguards. R-Stor will use reasonable and appropriate safeguards to prevent Use or Disclosure of the PHI other than as provided for by this Addendum, consistent with the requirements of Subpart C of 45 C.F.R. § 164 (with respect to electronic PHI) as determined by R-Stor and as reflected in the Agreement.
    • 3.4. Reporting. For all reporting obligations under this Addendum, the parties acknowledge that, because R-Stor does not know the nature of PHI contained in any of your accounts, it will not be possible for R-Stor to provide information about the identities of the Individuals who may have been affected, or a description of the type of information that may have been subject to a Security Incident, Impermissible Use or Disclosure, or Breach.
      • 3.4.1. Reporting of Impermissible Uses and Disclosures. R-Stor will report to you any use or disclosure of PHI not permitted or required by this Addendum of which R-Stor becomes aware.
      • 3.4.2. Reporting of Security Incidents. R-Stor will report to you on no less than a quarterly basis any Security Incidents involving PHI of which R-Stor becomes aware in which there is a successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an Information System in a manner that risks the confidentiality, integrity, or availability of such information. Notice is hereby deemed provided, and no further notice will be provided, for unsuccessful attempts at such unauthorized access, use, disclosure, modification, or destruction, such as pings and other broadcast attacks on a firewall, denial of service attacks, port scans, unsuccessful login attempts, or interception of encrypted information where the key is not compromised, or any combination of the above.
      • 3.4.3. Reporting of Breaches. R-Stor will report to you any Breach of your Unsecured PHI that R-Stor may discover to the extent required by 45 C.F.R. § 164.410. R-Stor will make such report without unreasonable delay, and in no case later than sixty (60) calendar days after discovery of such Breach.
    • 3.5. Subcontractors. R-Stor will ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of R-Stor agree to restrictions and conditions at least as stringent as those found in this Addendum, and agree to implement reasonable and appropriate safeguards to protect PHI.
    • 3.6. Access to PHI. R-Stor will make PHI in a Designated Record Set available to you for amendment and incorporate any amendments to the PHI, as may reasonably be requested by you in accordance with 45 C.F.R. § 164.526.
    • 3.7. Accounting of Disclosures. R-Stor will make available to you the information required to provide an accounting of Disclosures in accordance with 45 C.F.R. § 164.528 of which R-Stor is aware, if requested by you. Because R-Stor cannot readily identify which individuals are identified or what types of PHI are included in Content you or any End User (a) run on the Services, (b) cause to interface with the Services, or (c) upload to the Services under your account or otherwise transfer, process, use or store in connection with your account (“Customer Content”), you will be solely responsible for identifying which individual, if any, may have been included in Customer Content that R-Stor has disclosed and for providing a brief description of the PHI disclosed.
    • 3.8. Internal Records. R-Stor will make its internal practices, books, and records relating to the Use and Disclosure of PHI available to the Secretary of the U.S. Department of Health and Human Services (“HHS”) for purposes of determining your compliance with HIPAA. Nothing in this section will waive any applicable privilege or protection, including with respect to trade secrets and confidential commercial information.
  4. Your Obligations
    • 4.1. Identification of the HIPAA Account. By clicking an “Accept R-Stor BAA and Designate HIPAA Account” button (or other electronic means made available by R-Stor for such purpose) presented with this Addendum, you have identified the account that you used to log in to R-Stor Services to accept this Addendum as an account that contains “protected health information” as defined in 45 C.F.R. § 160.103.
    • 4.2. Appropriate Use of the HIPAA Account. You are responsible for implementing appropriate privacy and security safeguards in order to protect your PHI in compliance with HIPAA and this Addendum. Without limitation, you will (a) not include protected health information (as defined in 45 C.F.R. § 160.103) in any Services that are not HIPAA Eligible Services, (b) utilize the highest level of audit logging in connection with your use of all HIPAA Eligible Services, and (c) maintain the maximum retention of logs in connection with your use of all HIPAA Eligible Services.
    • 4.3. Appropriate Configurations. You are solely responsible for configuring, and will configure, the HIPAA Account, as follows:
      • 4.3.1. Encryption. You must encrypt all PHI stored in or transmitted using the Services in accordance with the Secretary of HHS’s Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals, available at https://www.hhs.gov/hipaa/for-professionals/breach-notification/guidance/index.html as it may be updated from time to time, and as may be made available on any successor or related site designated by HHS.
    • 4.4. Necessary Consents. You warrant that you have obtained any necessary authorizations, consents, and other permissions that may be required under applicable law prior to placing Customer Content, including without limitation PHI, in relation to R-Stor Services.
    • 4.5. Restrictions on Disclosures. You will not agree to any restriction requests or place any restrictions in any notice of privacy practices that would cause R-Stor to violate this Addendum or any applicable law.
    • 4.6. Compliance with HIPAA. You will not request or cause R-Stor to make a Use or Disclosure of PHI in a manner that does not comply with HIPAA or this Addendum.
  5. Term and Termination
    • 5.1. The term of this Addendum will commence on the Addendum Effective Date and will remain in effect with respect to the HIPAA Account until the earlier of (a) the termination of the Agreement, or (b) termination of this Addendum by either party as set forth in Section 5.2 below.
    • 5.2. Termination. You have the right to terminate this Addendum for any reason upon notice to R-Stor by logging in to R-Stor Services under the HIPAA Account and clicking a “Terminate BAA for this Account” button (or other electronic means made available by R-Stor for such purpose). R-Stor has the right to terminate this Addendum for any reason upon ninety (90) days prior written notice to you. A material breach of this Addendum will be treated as a material breach of the Agreement.
    • 5.3. Effect of Termination. At termination of this Addendum, R-Stor, if feasible, will return or destroy all PHI that R-Stor still maintains in any form and retain no copies of such information or, if such return or destruction is not feasible, extend the protections of this Addendum to the information and limit further Uses and Disclosures to those purposes that make the return or destruction of the information infeasible. The parties acknowledge that it is not feasible for R-Stor to destroy or return PHI upon termination of this Addendum. Termination of this Addendum will not terminate any other R-Stor Business Associate Addendum(s) then in place between you and R-Stor with respect to any account other than the HIPAA Account, and such other R-Stor Business Associate Addendum(s) will remain in effect until terminated in accordance with their respective terms.
  6. No Agency Relationship. As set forth in the Agreement, nothing in this Addendum is intended to make either party an agent of the other. Nothing in this Addendum is intended to confer upon you the right or authority to control R-Stor’s conduct in the course of R-Stor complying with the Agreement and Addendum.
  7. Nondisclosure. You agree that the terms of this Addendum are not publicly known and constitute R-Stor Confidential Information under the Agreement.
  8. Entire Agreement; Conflict. Except as amended by this Addendum, the Agreement will remain in full force and effect. This Addendum, together with the Agreement as amended by this Addendum: (a) is intended by the parties as a final, complete and exclusive expression of the terms of their agreement; and (b) supersedes all prior agreements and understandings (whether oral or written) between the parties with respect to the subject matter hereof, except that if the HIPAA Account is joined as a member account in an organization using R-Stor Services (or any successor service offered by R-Stor) for which there is an applicable R-Stor Organizations Business Associate Addendum (an “R-Stor Organizations BAA”) in place, then this Addendum will not supersede such R-Stor Organizations BAA. While an R-Stor Organizations BAA is in effect with respect to the HIPAA Account, it will apply to the HIPAA Account instead of this Addendum. If there is a conflict between the Agreement, this Addendum, or any other amendment or addendum to the Agreement or this Addendum, the document later in time will prevail, except that while an R-Stor Organizations BAA is in effect with respect to the HIPAA Account, it will control over this Addendum. R-Stor will not be bound by, and specifically objects to, any term, condition or other provision which is different from or in addition to the provisions of this Addendum (whether or not it would materially alter this Addendum) and which is submitted by you in any order, receipt, acceptance, confirmation, correspondence or other document.
  9. Modification. From time to time, R-Stor may modify the terms of the R-Stor Business Associate Addendum that it offers to its customers, but no modification or amendment of any portion of this Addendum will be effective unless in writing and accepted by you and by R-Stor, which acceptance may be made electronically through R-Stor Services or through other electronic means made available by R-Stor for such purpose.