This Business Associate Agreement (“Agreement”) is entered into as of the effective date described on the Signature Page of this Agreement (the “Effective Date”) by and between the (“Business Associate”) and RingCentral, Inc. and/or one or more of its affiliates or subsidiaries (“RingCentral”) (each a “Party” and collectively the “Parties”).
WHEREAS, RingCentral is a Business Associate to certain clients that are Covered Entities or Business Associates (“Clients”) and Business Associate is a Subcontractor to RingCentral with respect to such Clients;
WHEREAS, on or around the date of this Agreement or shortly thereafter, RingCentral and Business Associate entered (or will enter) into a contract or contracts for the provision of services (the “Current Contract(s)”);
WHEREAS, the Parties contemplate that they may enter additional agreements in the future pursuant to which Business Associate may provide services to RingCentral (“Future Contracts”);
WHEREAS, in connection with the Current Contract(s) and the Future Contracts (collectively, the “Vendor Contracts” and individually, a “Vendor Contract”), Business Associate may, on RingCentral’s behalf, access, use, create, receive, transmit, maintain, and/or disclose Protected Health Information (“PHI”);
WHEREAS, RingCentral and Business Associate intend to protect the privacy and provide for the security of PHI and/or ePHI disclosed to Business Associate and to comply with the requirements of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the Health Information Technology for Economic and Clinical Health Act, Public Law 111-5 (“HITECH Act”), and the final regulations to such Acts that the U.S. Department of Health and Human Services (“HHS”) has promulgated and set forth in 45 C.F.R. Parts 160, 162, and 164 (collectively, the “HIPAA Rules”);
NOW, THEREFORE, in consideration of the mutual promises below and in the Vendor Contracts, in consideration of the exchange of information pursuant to this Agreement, and for other good and valuable consideration, the receipt and sufficiency of which is hereby acknowledged, and intending to be legally bound hereby, the Parties agree as follows:
I. Definitions.
- A. “Breach” has the meaning given to such term at 45 C.F.R. § 164.402.
- B. “Discovery” shall mean the first day on which an Incident (as defined herein) is known to Business Associate (including any person that is an employee, officer, or Subcontractor of Business Associate), or should reasonably have been known to Business Associate, to have occurred.
- C. “Incident” shall have the meaning provided under Section II.F.
- D. “Individual” shall have the same meaning as the term “Individual” in 45 C.F.R. §160.103 and shall include a person who qualifies as a personal representative in accordance with 45 C.F.R. §164.502(g).
- E. “Protected Health Information” shall have the same meaning as the term “Protected Health Information” in 45 C.F.R. §160.103, limited to the information created, received, transmitted, or maintained by Business Associate on behalf of or for RingCentral. For purposes of this Agreement, “Protected Health Information” or “PHI” shall collectively refer to Protected Health Information, Electronic Protected Health Information (“ePHI”) as defined in 45 C.F.R. § 160.103, and “Personal Information” as defined below.
- F. “Personal Information,” also known as “Personally Identifiable Information,” “PII,” “Personal Data,” and similar terms, shall have the meaning provided under applicable state law. For purposes of this Agreement, Personal Information shall include any data elements that identify an individual or that could be used to identify an individual, including but not limited to an individual’s first name or initial and last name in combination with one or more of the following data elements: Social Security number; driver’s license or state-issued identification number; credit or debit card number; medical information (such as an individual’s condition, treatment, or payment information); financial information, such as a checking account or other account number (either in combination with a required security code, access code, or password that would permit access to the account, or alone if the account does not require such an access code); or other identifying information, such as email addresses and usernames in combination with passwords or security questions, date of birth, mother’s maiden name, digital signature, passport number, fingerprint or other biometric data, insurance policy number, employment information, employment history, or employer, student, tribal, or military identification numbers.
- G. “Secretary” shall mean the Secretary of the Department of Health and Human Services or his/her designee.
- H. “Security Incident” shall have the meaning provided in 45 C.F.R. § 164.304.
- I. Terms used but not otherwise defined in this Agreement shall have the same meaning as given to those terms in the HIPAA Rules. A regulatory reference in this Agreement means the section as in effect or as amended, and for which compliance is required.
II. Business Associate’s Obligations.
- A. Permitted Use and Disclosure of PHI. Business Associate shall use and disclose PHI only as permitted by this Agreement or as Required By Law. To the extent that Business Associate is to carry out one or more of RingCentral’s or a Client’s obligation(s) under the HIPAA Rules, Business Associate shall comply with the provisions in the HIPAA Rules that would apply to RingCentral or the Client in the performance of such obligation(s). Business Associate is only permitted to:
- 1. Use or disclose PHI to perform its obligations and functions under the Vendor Contracts, provided that Business Associate shall not use or disclose PHI in any manner that would constitute a violation of the HIPAA Rules if done by RingCentral;
- 2. Use PHI for the proper management and administration of Business Associate or to carry out its legal responsibilities;
- 3. Disclose PHI for the proper management and administration of Business Associate or to carry out its legal responsibilities, if such disclosure is Required By Law, or if Business Associate obtains (i) reasonable written assurances from the recipient that the recipient will keep the PHI confidential, and will use or further disclose the PHI only as Required By Law or for the purpose for which it was disclosed to the recipient, and (ii) a written agreement from such third party to immediately notify Business Associate of any instance of which the recipient is aware in which the confidentiality of the PHI has been breached;
- 4. Use PHI to provide Data Aggregation services to RingCentral as permitted by 45 C.F.R. § 164.504(e)(2)(i)(B) to the extent specified in the Vendor Contracts.
- B. Safeguards. Business Associate shall implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the PHI that Business Associate creates, receives, maintains, uses, discloses, or transmits on behalf of RingCentral, as required by the HIPAA Rules. Business Associate shall comply with the requirements in 45 C.F.R. Part 164, Subpart C. In addition, Business Associate shall remain familiar with current threats to PHI as they evolve and shall reasonably and appropriately take steps to mitigate those threats. At least once a year, or upon request, Business Associate shall provide RingCentral with a HIPAA compliance report issued by an independent third party attesting that Business Associate meets HIPAA requirements.
- C. Minimum Necessary. Business Associate, and its agents and subcontractors, shall request, use, and disclose only the minimum amount of PHI necessary to accomplish the purpose of the request, use, or disclosure (as described in 45 C.F.R. § 164.502(b) and § 164.514(d)). To the extent practicable, all uses and disclosures must be restricted to information in a Limited Data Set (as described in 45 C.F.R. § 164.514(e)(2)).
- D. Prohibited Uses and Disclosures. Business Associate shall not use or disclose PHI for any purpose other than as specifically permitted by this Agreement. Specifically, but without limitation, Business Associate (a) shall not use or disclose PHI for fundraising or marketing purposes, (b) shall not disclose PHI to a health plan for payment or health care operations purposes if the patient has requested a special restriction on disclosure and has paid out of pocket in full for the health care item or services to which the PHI solely relates, and (c) shall not directly or indirectly receive remuneration in exchange for PHI (except if submission of PHI to RingCentral is necessary for RingCentral to pay Business Associate for performing services under the Vendor Contracts, or with RingCentral’s consent and as permitted by 42 U.S.C. § 17935(d)(2)).
- E. Agents & Subcontractors. Business Associate agrees to ensure that any agent or subcontractor to whom it provides PHI agrees in writing to the same restrictions and conditions that apply through this Agreement to Business Associate.
- F. Incident Reporting, Mitigation, and Remediation: Business Associate shall report to RingCentral any of the following immediately after Discovery by Business Associate or any Subcontractor: (i) any acquisition, access, use or disclosure of PHI not provided for in this Agreement or the Vendor Contracts; (ii) any Security Incident involving PHI; (iii) any Breach of Unsecured PHI; and (iv) any loss, destruction, alteration, or other event in which PHI cannot be accounted for (collectively, an “Incident”). Business Associate shall implement reasonable systems for the Discovery and prompt reporting of any Incidents and shall train Business Associate personnel regarding the requirements under this Agreement.
- 1. Reporting Requirements. Business Associate shall report the information described below to RingCentral immediately following Discovery of an Incident:
- ⅰ. the identification of each Individual whose Unsecured PHI has been, or is reasonably believed by Business Associate to have been, accessed, acquired, disclosed, lost, altered, destroyed, or otherwise unaccounted for;
- ⅱ. the date of the Incident;
- ⅲ. the date of the Discovery of the Incident;
- ⅳ. a description of the types of PHI that were involved; and
- ⅴ. any other details reasonably requested by RingCentral.
- 2. Risk Assessment. In the event of an Incident, Business Associate shall assist RingCentral in performing (or at RingCentral’s direction, perform) a risk assessment to determine if there is a low probability that the PHI has been compromised, consistent with and in coordination with any investigation that RingCentral undertakes. To enable RingCentral to make a determination whether or not there is a low probability that PHI has been compromised, Business Associate, and any Subcontractor of Business Associate, shall promptly undertake a risk assessment in coordination with RingCentral that addresses the following factors and provide the results of such risk assessment to RingCentral:
- ⅰ. The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
- ⅱ. whether the PHI was actually acquired or viewed;
- ⅲ. the unauthorized person who used the PHI or to whom the disclosure was made; and
- ⅳ. the extent to which the risk to the PHI has been mitigated.
- 3. Breach Determination & Notification. RingCentral shall make the ultimate determination, in its sole discretion, whether there has been a Breach and if so, whether the required notifications, including to Individuals, third parties, the media, and regulators (such as the Secretary and state regulators), will be provided by RingCentral or Business Associate. In the event that RingCentral requires that Business Associate provide such notifications regarding a Breach, any such notices must be approved, in advance, by RingCentral. RingCentral’s approval shall also be required for the manner of delivering notice of a Breach.
- 4. Record Requirements. Business Associate shall maintain complete records regarding any Incident for the period required by 45 C.F.R. § 164.530(j) or such longer period as is Required By Law, and shall make such records available to RingCentral promptly upon request, but in no event later than five (5) business days after the request.
- 5. Mitigation & Remediation. Business Associate shall mitigate, to the extent practicable and at its cost, any harmful effects from any Incident (including steps to protect the operating environment). Business Associate also shall take prompt steps designed to prevent the recurrence of any Incident, including any action required by applicable federal and state laws and regulations. All such efforts shall be subject to RingCentral’s prior written approval. Business Associate must document a corrective action plan, including information on measures that were taken to halt and/or contain the Incident, and provide such documentation to RingCentral immediately upon request. Business Associate must comply with this provision regardless of any actions taken by RingCentral.
- 6. Ongoing Assistance: Business Associate shall make itself and any employees, subcontractors, or agents assisting Business Associate in the performance of its obligations available to RingCentral at no cost to RingCentral to testify as witnesses, or otherwise, in the event of an Incident that results in litigation or administrative proceedings against RingCentral, its directors, officers, agents or employees, or against DHCS, based upon a claimed violation of laws relating to security and privacy or arising out of this Agreement.
- G. Identification of Employees. Business Associate shall maintain a current list of its employees, agents, and Subcontractors with access to PHI provided by RingCentral. Upon request, Business Associate shall provide such list to RingCentral within a reasonable amount of time.
- H. Access to PHI. To the extent that Business Associate possesses an applicable Designated Record Set, and within a reasonable amount of time (but not to exceed five (5) days) of receipt of a request from RingCentral to access such PHI, Business Associate shall transmit such information to RingCentral. If an Individual requests access to PHI directly from Business Associate, Business Associate will forward such a request in writing to RingCentral within a reasonable amount of time (but not to exceed five (5) days). RingCentral will be responsible for making all determinations regarding the granting or denial of an Individual’s request, and Business Associate shall make no such determinations. If Business Associate maintains PHI in electronic form, Business Associate shall provide such information in electronic format to RingCentral if requested.
- I. Amendment of PHI. To the extent that Business Associate possesses an applicable Designated Record Set, Business Associate agrees to make any amendment(s) to PHI that RingCentral directs or agrees to, pursuant to 45 C.F.R. § 164.526, in the time and manner designated by RingCentral. Within a reasonable amount of time of receipt of a request by an Individual to Business Associate to amend PHI (but not to exceed five (5) days), Business Associate shall forward to RingCentral any such requests in writing. RingCentral shall be responsible for making all determinations regarding amendments to PHI, and Business Associate shall make no such determinations.
- J. Accounting of Disclosures. Business Associate shall document such disclosures of PHI as would be required for RingCentral to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528. Business Associate agrees to implement a process that allows for an accounting to be collected and maintained by Business Associate and its agents or Subcontractors for the six (6) years prior to the request. In addition, Business Associate agrees that:
- 1. Within a reasonable amount of time of receipt of a notice from RingCentral requesting an accounting of PHI disclosures (but not to exceed five (5) days), Business Associate shall provide RingCentral with records of such disclosures containing information as outlined in 45 C.F.R. §164.528(b).
- 2. Within a reasonable amount of time of receipt of a request by an Individual to Business Associate for an accounting of disclosures of PHI (but not to exceed five (5) days), Business Associate shall forward to RingCentral any such requests in writing. RingCentral shall be responsible for providing an accounting of PHI disclosures to the Individual. Business Associate will not provide an accounting of its disclosures directly to the Individual.
- K. Government Access. Upon request, Business Associate shall make its internal practices, books and records relating to the use and disclosure of PHI available to RingCentral and to the Secretary to the extent required for determining RingCentral’s compliance with the HIPAA Rules. Business Associate shall concurrently provide RingCentral with a copy of any PHI that Business Associate provides pursuant to any governmental inquiry.
- L. Indemnification. Business Associate (“Indemnitor”), at its own expense, agrees to defend, indemnify and hold harmless RingCentral and any of RingCentral’s affiliates, subsidiaries, directors, officers, employees, representatives, and agents (“Indemnitee”) from and against any claim, demand, cause of action, class action, cross-claim, arbitration, judgment, liability, damage, fines, penalties, public relations expenses, government investigation or inquiry, remediation and mitigation efforts regardless of whether required by law (including but not limited to notification letters, credit monitoring services, identity theft insurance, reimbursement for credit freezes, fraud resolution services, identity restoration services, toll free information services for affected Individuals, and any similar service that entities make available to impacted Individuals in the event of an Incident), and costs and expenses relating thereto (including but not limited to costs and expenses of defense, settlement, adjudication, dismissal, expert fees, court costs, investigation expenses, discovery costs, time of Indemnitee personnel, and reasonable attorneys’ fees, costs and disbursements of legal counsel) arising from, related to, or in connection with any Incident involving PHI in Indemnitor’s possession, custody, or control, or any other breach of this Agreement. Indemnitor’s liability under this Agreement shall include direct, indirect, incidental, or consequential, exemplary, punitive, or special damages of any kind or nature whatsoever. This indemnity shall not be construed to limit Indemnitee’s rights, if any, to common law indemnity.
The obligations of Indemnitor under this Agreement to defend, indemnify and hold harmless Indemnitee shall be subject to the following: (a) the Indemnitee shall provide the Indemnitor with prompt notice of the claim giving rise to such obligation; provided, however, that any failure or delay in giving such notice shall only relieve the Indemnitor of its obligation to defend, indemnify and hold the Indemnitee harmless to the extent it reasonably demonstrates that its defense or settlement of the claim or suit was adversely affected thereby; (b) the Indemnitor shall have control of the defense and of all negotiations for settlement of such claim or suit; provided, however, that the Indemnitee shall select counsel for such defense reasonably acceptable to Indemnitor with such consent not unreasonably withheld, delayed or conditioned and Indemnitor shall not settle any claim unless such settlement completely and forever releases the Indemnitee from all liability with respect to such claim and unless the Indemnitee consents to such settlement in writing (which consent shall not be unreasonably withheld); and (c) the Indemnitee shall cooperate with the Indemnitor in the defense or settlement of any such claim or suit; provided, however, that the Indemnitee shall be reimbursed for all reasonable out-of-pocket expenses incurred in providing any cooperation requested by the Indemnitor. Subject to clause (b) above, the Indemnitee may also participate in the defense of any claim or suit in which the Indemnitee is involved at its own expense.
- M. State Law. Business Associate shall comply with applicable state law confidentiality, privacy, security, document retention, and breach notification requirements involving Personal Information. Notwithstanding any provision to the contrary, the provisions of this Agreement shall apply equally with respect to Personal Information as they do to PHI; provided, however, that to the extent that state law is more stringent than the HIPAA Rules or the terms of this Agreement, Business Associate agrees to comply with the requirement that provides more privacy and security protection to Personal Information.
- N. Standard Transactions. To the extent Business Associate conducts Standard Transaction(s) on behalf of RingCentral, Business Associate shall, without limitation, comply with 45 C.F.R. Part 162, and shall not: (a) change the definition, data condition, or use of a data element or segment in a standard; (b) add any data elements or segments to the maximum defined data set; (c) use any code or data elements that are either marked “not used” in the standard’s implementation specification or are not in the standard’s implementation specification(s); or (d) change the meaning or intent of the standard’s implementation specifications.
- O. Information Regarding Drug or Alcohol Abuse. To the extent that Business Associate receives, stores, processes, or otherwise deals with any substance use disorder information, Business Associate agrees that (i) Business Associate is fully bound by the Confidentiality of Substance Use Disorder Patient Records regulations set forth in 42 C.F.R. Part 2, and (ii) if necessary, Business Associate will resist in judicial proceedings any efforts to obtain access to patient records except as permitted by the 42 C.F.R. Part 2 regulations. For purposes of this Section II.O, all terms shall have the meanings provided in 42 C.F.R. Part 2.
III. RingCentral’s Obligations.
- A. Notice of Change in Privacy Practices. To the extent known to RingCentral, RingCentral shall notify Business Associate of any limitation(s) in RingCentral’s notice of privacy practices in accordance with 45 C.F.R. §164.520, to the extent that such limitation may affect Business Associate’s use or disclosure of PHI.
- B. Notice of Change in Permissions. To the extent known to RingCentral, RingCentral shall notify Business Associate of any changes in, or revocation of, permission by an Individual to use or disclose PHI, to the extent that such changes may affect Business Associate’s use or disclosure of PHI.
- C. Notice of Change in Use. To the extent known to RingCentral, RingCentral shall notify Business Associate of any restriction on the use or disclosure of PHI that RingCentral has agreed to in accordance with 45 C.F.R. §164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of PHI.
- D. Appropriate Requests. RingCentral shall not request that Business Associate use or disclose PHI in any manner that would not be permissible under the HIPAA Rules if done by RingCentral.
IV. Term and Termination.
- A. Term. This Agreement shall become effective on the Effective Date and shall terminate at the time of the termination or expiration of all Vendor Contracts, or earlier as provided herein.
- B. Termination for Cause. If RingCentral reasonably determines, in its sole discretion, that Business Associate has materially breached this Agreement, RingCentral may:
- 1. Provide Business Associate with thirty (30) days’ written notice of the alleged material breach and an opportunity to cure the breach; if the breach is not cured within that period, this Agreement and any Vendor Contracts under which Business Associate may create, receive, transmit, use, disclose, or maintain PHI for or on behalf of RingCentral shall automatically terminate at the end of that period; or
- 2. Immediately terminate this Agreement.
- C. Effect of Termination. Upon termination or expiration of this Agreement, Business Associate shall, at RingCentral’s option, return to RingCentral or destroy all PHI in Business Associate’s possession, and/or in the possession of any Subcontractor or agent of Business Associate. Business Associate shall not retain any copies of the PHI. In the event that return or destruction of the PHI is not feasible, Business Associate shall provide to RingCentral notification of the conditions that make return or destruction of the PHI not feasible, and RingCentral and Business Associate shall determine the terms and conditions under which Business Associate may retain the PHI. In such case, Business Associate shall extend the protections of this Agreement to such PHI that is not returned or destroyed, and limit further uses and disclosures of such PHI to those purposes that make the return or destruction not feasible, for as long as Business Associate maintains such PHI. If RingCentral elects destruction of the PHI, Business Associate shall certify in writing to RingCentral that such PHI has been destroyed.
V. Miscellaneous.
- A. Amendments. This Agreement may not be modified, nor shall any provision hereof be waived or amended, except in a writing duly signed by authorized representatives of the Parties. The Parties shall amend this Agreement from time to time as is necessary to achieve and maintain compliance with the HIPAA Rules.
- B. Interpretation. Any ambiguity in this Agreement shall be resolved to permit the Parties to comply with the HIPAA Rules and relevant state laws.
- C. Choice of Law. This Agreement shall be governed by the laws of the state of California without regard to conflict of laws principles thereof.
- D. Audits, Inspection and Enforcement. Upon request and with reasonable prior notice by RingCentral, Business Associate and its agents shall allow RingCentral to conduct a reasonable inspection of the facilities, systems, books, records, agreements, policies and procedures relating to the use or disclosure of PHI pursuant to this Agreement or for the purpose of determining whether Business Associate is in compliance with its obligations under this Agreement.
- E. Relationship to Agreements with RingCentral. In the event that a provision of this Agreement is contrary to a provision of any other agreement between Business Associate and RingCentral (including any inconsistencies in defined or capitalized terms), this Agreement shall control.
- F. Survival. Business Associate’s obligations under Sections II and IV.C of this Agreement shall survive the termination of this Agreement.
- G. Waiver. No delay or omission by RingCentral in exercising any right or power under this Agreement shall impair such right or power or be construed to be a waiver thereof. Any decision by RingCentral not to enforce a breach of this Agreement shall not be construed to be a waiver of any succeeding breach thereof.
- H. No Third Party Beneficiaries. Nothing express or implied in this Agreement is intended to confer, nor shall anything herein confer, upon any person other than RingCentral, Business Associate and their respective successors and assigns, any rights, remedies, obligations or liabilities whatsoever.
- I. Data Ownership. Business Associate acknowledges that, between the Parties, RingCentral is the owner of all PHI and/or ePHI that RingCentral discloses to Business Associate, or that Business Associate receives from, or creates, maintains, transmits, uses, or discloses on behalf of or in the name of, RingCentral.
- J. Due Diligence. Business Associate shall exercise due diligence and shall take reasonable steps to ensure that it remains in compliance with this Agreement and is in compliance with the applicable HIPAA Rules and state laws, and that its agents, Subcontractors, and vendors comply with this Agreement.
- K. Judicial or Administrative Proceeding. Business Associate shall notify RingCentral if it is named as a defendant in a criminal proceeding for a violation of the HIPAA Rules.
- L. Entire Agreement. This Agreement constitutes the entire agreement between the Parties with respect to its subject matter and merges, integrates and supersedes all prior and contemporaneous agreements, addenda and understandings between the Parties, whether written (including within any Services Agreements) or oral, concerning its subject matter.