BUSINESS ASSOCIATE AGREEMENT
This Business Associate Agreement (the "BA Agreement") is incorporated by reference into and made a part of the Doximity Terms of Service, and is entered into by and between Doximity, Inc. ("Doximity" or "we") and the applicable healthcare provider that has agreed to the Terms of Service ("Provider"); provided, however, that the terms of this BA Agreement apply only if and solely to the extent that Doximity receives, creates, maintains, or transmits Protected Health Information relating to patients of Provider in connection with the Covered Services (defined below) that Doximity, as a Business Associate, performs for or on behalf of Provider, as a Covered Entity. Doximity, in its capacity as a Business Associate, is referred to herein as "Business Associate", and Provider, in his/her/its capacity as a Covered Entity, is referred to herein as "Covered Entity."
WHEREAS, the Health Insurance Portability and Accountability Act of 1996, as amended by the HITECH Act, and the regulations promulgated thereunder (collectively, "HIPAA"), protect the confidentiality of health information; and
WHEREAS, in order to comply with the business associate requirements of HIPAA, a Business Associate and a Covered Entity must enter into an agreement that governs the uses and disclosures of such confidential health information by the Business Associate.
NOW, THEREFORE, in consideration of the foregoing recitals, the mutual promises and covenants set forth herein, and other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the parties agree as follows:
- For purposes of this BA Agreement, the following terms shall have the following meanings:
- "Breach", when capitalized, shall have the same meaning as the term "breach" in 45 C.F.R. 164.402; with respect to all other uses of the word "breach" in this BA Agreement, the word shall have its ordinary contract meaning.
- "Business Associate" shall generally have the same meaning as the term "business associate" in 45 C.F.R. § 160.103.
- "Covered Entity" shall generally have the same meaning as the term "covered entity" in 45 C.F.R. § 160.103.
- "Covered Services" shall mean the services performed by Doximity for or on behalf of Provider as a Covered Entity in connection with Provider’s use of the Doximity Tools that causes Doximity to receive, create, maintain or transmit PHI and establishes a Business Associate relationship between such Covered Entity and Doximity.
- "Doximity Tools" shall mean the communication tools that Doximity makes available to its members through the Service (as defined in the Terms of Service) and identifies as appropriately secure for the communication of Protected Health Information.
- "Electronic Protected Health Information" or "ePHI" shall have the meaning given to such term under the Privacy Rule and the Security Rule, including, but not limited to, 45 C.F.R. 160.103, and is limited to ePHI created, received, maintained or transmitted by Doximity for, or on behalf of, or from Covered Entity in connection with Doximity’s provision of the Covered Services. ePHI shall not include (i) education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g; (ii) records described in 20 U.S.C. 1232g(a)(4)(B)(iv); and (iii) employment records held by a Covered Entity in its role as employer.
- "HIPAA Rules" shall mean the Privacy, Security, Breach Notification, and Enforcement Rules at 45 C.F.R. Part 160 and Part 164.
- "HITECH Act" shall mean the Health Information Technology for Economic and Clinical Health Act, found in Title XIII of the American Recovery and Reinvestment Act of 2009, effective February 17, 2009.
- "Individual" shall have the same meaning as the term "individual" in 45 C.F.R. 160.103, and shall include a personal representative in accordance with 45 C.F.R. 164.502(g).
- "Privacy Rule" shall mean the Standards for Privacy of Individually Identifiable Health Information, 45 C.F.R. Parts 160 and 164, Subparts A, D, and E, as currently in effect.
- "Protected Health Information" or "PHI" shall have the same meaning as the term "protected health information" in 45 C.F.R. § 160.103 and is limited to PHI created, received, maintained or transmitted by Doximity for, or on behalf of, or from Covered Entity in connection with Doximity’s provision of the Covered Services. "Protected Health Information" shall not include (i) education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g; (ii) records described in 20 U.S.C. 1232g(a)(4)(B)(iv); and (iii) employment records held by a Covered Entity in its role as employer.
- "Required by Law" shall have the same meaning as the term "required by law" in 45 C.F.R. 164.103.
- "Secretary" shall mean the Secretary of the U.S. Department of Health and Human Services or any office or person within the U.S. Department of Health and Human Services to which/whom the Secretary has delegated his or her authority to administer the Privacy Rule and the Security Rule, such as the Director of the Office for Civil Rights.
- "Security Incident" shall have the same meaning as the term "security incident" in 45 C.F.R. § 164.304.
- "Security Rule" shall mean Security Standards for the Protection of Electronic Protected Health Information, 45 C.F.R. Part 160 and Part 164, Subparts A and C.
- "Subcontractor" shall have the same meaning as the term "subcontractor" in 45 C.F.R. § 160.103.
- "Unsecured Protected Health Information" shall have the same meaning as the term "unsecured protected health information" in 45 C.F.R. 164.402, and is limited to the PHI created, received, maintained or transmitted by Business Associate from or on behalf of Covered Entity.
- All references to "days" in this BA Agreement shall mean calendar days. Capitalized terms used but not defined herein shall have the meanings ascribed to them in the Privacy Rule or Security Rule.
2. Business Associate Obligations.
- 2.1 General. Business Associate agrees not to use or disclose PHI other than as permitted or required by this BA Agreement or as Required by Law.
- 2.2 Appropriate Safeguards. Business Associate agrees to use appropriate safeguards and comply with Subpart C of 45 C.F.R. Part 164 with respect to ePHI, to prevent any use or disclosure of PHI other than as provided for by this BA Agreement.
- 2.3 Subcontractors. Business Associate agrees, in accordance with 45 C.F.R. § 164.502(e)(1)(ii) and § 164.308(b)(2), if applicable, to require that any Subcontractors that create, receive, maintain, or transmit Protected Health Information on behalf of Business Associate agree to the same restrictions, conditions, and requirements that apply to Business Associate with respect to such information. For avoidance of doubt, this section does not apply to service providers that only provide data transmission services, including storage of PHI necessary and incident to such transmission (i.e., the "conduit" exception).
- 2.4 Reporting of Unauthorized Use or Disclosures.
- 2.4.1 Business Associate shall report to Covered Entity any Security Incident of which it becomes aware. Notice is hereby deemed provided, and no further notice will be provided, for unsuccessful attempts at such unauthorized access, use, disclosure, modification, or destruction, such as pings and other broadcast attacks on a firewall, port scans, unsuccessful login attempts, denial of service attacks, or interception of encrypted information where the key is not compromised, or any combination of the above.
- 2.4.2 Business Associate shall report to Covered Entity any Breach of Unsecured PHI of which it becomes aware within thirty (30) days of "discovery" within the meaning of the HITECH Act. Such notice shall include, to the extent such information is known to the Business Associate, the identification of each Individual whose Unsecured PHI has been, or is reasonably believed by Business Associate to have been, accessed, acquired, or disclosed in connection with such Breach. In addition, Business Associate shall provide any additional information that Covered Entity is required to include in its notification required under 45 C.F.R. § 164.404(c) at the time of notification or promptly thereafter if and as such information becomes available.
- 2.4.3 Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate as a result of a use or disclosure of PHI by Business Associate in violation of this BA Agreement.
- 2.4.4 For all reporting obligations under this BA Agreement, the parties acknowledge that, due to the nature of the Covered Services, Business Associate may not know the nature of the PHI or the identities of the Individuals to whom the PHI relates. Accordingly, Business Associate may be limited in its ability to provide information regarding the identities of the Individuals who may have been affected by a Security Incident or Breach, or in its ability to provide detailed information regarding what PHI was affected by a Security Incident or Breach.
- 2.5 Internal Practices, Books and Records. Business Associate shall make its internal practices, books and records relating to the use and disclosure of Protected Health Information received from, or created or received by Business Associate on behalf of, Covered Entity available to the Secretary, for purposes of determining and facilitating Business Associate's and Covered Entity's compliance with the Privacy Rule and Security Rule.
- 2.6 Access to Protected Health Information.
- 2.6.1 Within ten (10) days of a request by Covered Entity, Business Associate shall make Protected Health Information in a Designated Record Set available to Covered Entity in order for Covered Entity to comply with its obligations under 45 C.F.R. 164.524 to provide Individuals with access to their Protected Health Information.
- 2.6.2 Business Associate shall notify Covered Entity within five (5) days of receiving a request from an Individual to access Protected Health Information. Following receipt of such notice from Business Associate, Covered Entity shall handle such request from the Individual.
- 2.7 Amendments to Protected Health Information.
- 2.7.1 Within ten (10) days of a request by Covered Entity, Business Associate shall make Protected Health Information in a Designated Record Set available to Covered Entity in order for Covered Entity to comply with its obligations under 45 C.F.R. 164.526 to provide Individuals the right to amend their Protected Health Information.
- 2.7.2 Business Associate shall notify Covered Entity within five (5) days of receiving a request from an Individual to amend Protected Health Information. Following receipt of such notice from Business Associate, Covered Entity shall handle such request from the Individual.
- 2.8 Accounting of Disclosures.
- 2.8.1 Within twenty (20) days of a request by Covered Entity, Business Associate shall provide Covered Entity with an accounting of all disclosures of Protected Health Information, other than disclosures excepted from the Privacy Rule accounting requirement under 45 C.F.R. 164.528(a)(1)(i)-(ix), in order for Covered Entity to comply with its obligations under 45 C.F.R. 164.528 to provide Individuals with an accounting of disclosures of their Protected Health Information.
- 2.8.2 Such accounting shall include, with respect to each disclosure: the date of the disclosure; the name (and address, if known) of the entity or person receiving the Protected Health Information; a description of the Protected Health Information disclosed; a statement of the purpose of the disclosure; and any other information the Secretary may require under 45 C.F.R. 164.528 (collectively, "Disclosure Information").
- 2.8.3 Notwithstanding Section 2.8.2, for repetitive disclosures of Protected Health Information that Business Associate makes for a single purpose to the same person or entity, Business Associate may record: (a) the Disclosure Information for the first of these repetitive disclosures; (b) the frequency, periodicity or number of these repetitive disclosures made during the accounting period; and (c) the date of the last of these repetitive disclosures.
- 2.8.4 Business Associate shall notify Covered Entity within ten (10) days of receiving a request from an Individual for an accounting of disclosures of Protected Health Information. Following receipt of such notice from Business Associate, Covered Entity shall handle such request from the Individual.
3. Permitted Uses and Disclosures.
- 3.1 General. Business Associate agrees to use and disclose PHI only in a manner consistent with this BA Agreement, the Privacy Rule, or Security Rule, and in connection with providing the Covered Services.
- 3.2 Management, Administration and Legal Responsibilities. Business Associate may use and disclose PHI for the proper management and administration of Business Associate or to carry out its legal responsibilities.
- 3.3 Legal Requirements. Business Associate may use or disclose PHI as Required by Law. If Business Associate receives a court order, subpoena, or governmental request for documents or other information containing Protected Health Information, if legally permissible, Business Associate will use reasonable efforts to notify Covered Entity of the receipt of the request within ten (10) business days to provide Covered Entity an opportunity to respond. Business Associate may comply with such order, subpoena, or request as Required by Law or permitted by law.
- 3.4 Reporting Violations of Law. Consistent with the requirements of 45 C.F.R. 164.502(j)(1), Business Associate may disclose PHI to report violations of law or professional or clinical standards to appropriate federal and state authorities.
4. Covered Entity Obligations.
- 4.1 Notice of Privacy Practices. Covered Entity shall notify Business Associate of limitation(s) in its Notice of Privacy Practices, to the extent such limitation affects Business Associate's use or disclosure of PHI.
- 4.2 Individual Permission. Covered Entity shall notify Business Associate of any changes in or revocation of permission by an Individual to use or disclose PHI, to the extent such changes or revocation affect Business Associate's permitted or required uses or disclosures of PHI.
- 4.3 Restrictions. Covered Entity shall notify Business Associate of restriction(s) in the use or disclosure of PHI that Covered Entity has agreed to, to the extent such restriction affects Business Associate's permitted uses or disclosures of PHI.
- 4.4 Consents and Authorizations. Covered Entity represents and warrants that any and all consents, authorizations, or other permissions necessary under the Privacy Rule or other applicable law (including state law) for the transmission of PHI in connection with the Covered Services and for the uses and disclosures specified in this BA Agreement have been properly secured.
- 4.5 Marketing. Covered Entity represents and warrants that it has obtained any and all authorizations from Individuals as necessary for any use or disclosure of PHI for its Marketing in connection with the Covered Services, unless the related communication is made without any form of remuneration (i) to describe medical services or products; (ii) for treatment of the Individual; or (iii) for case management or care coordination for the Individual or to direct or recommend alternate treatments, therapies, providers or settings.
- 4.6 Permissible Requests by Covered Entity. Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under Subpart E of 45 C.F.R. Part 164.
5. Term and Termination.
- 5.1 Term. The term of this BA Agreement shall commence on, and this BA Agreement shall be effective as of, the date that Provider agrees to the Doximity Terms of Service by electronically registering as a Doximity member, and shall continue in effect for as long as Provider is registered as a Doximity member, or until termination as provided in this Section 5.
- 5.2 Termination for Cause. In the event either party determines that the other has materially breached a term of this BA Agreement, and such breach continues for thirty (30) days after written notice of such breach has been received, the party claiming a breach shall have the right to terminate this BA Agreement. Upon termination of this BA Agreement, Doximity may immediately terminate Provider’s Doximity membership.
- 5.3 Effect of Termination. The parties hereby acknowledge that Business Associate’s return or destruction of PHI is not feasible, and therefore Business Associate may retain a copy of such Protected Health Information provided that: (i) the provisions of this BA Agreement shall continue to apply to any such information retained following termination of this BA Agreement; and (ii) Business Associate shall limit uses and disclosures of such PHI to those purposes that make the return or destruction thereof not feasible, for as long as Business Associate maintains such PHI.
- 6.1 Regulatory References. A reference in this BA Agreement to a section in HIPAA, the HITECH Act, the Privacy Rule, or the Security Rule means the section as in effect or as amended at the time.
- 6.2 Survival. The respective rights and obligations of the parties under Section 5.3 of this BA Agreement shall survive the termination of this BA Agreement.
- 6.3 Interpretation. Any ambiguity in this BA Agreement shall be resolved in favor of a meaning that permits the parties to comply with the Privacy Rule and Security Rule. Except to the extent specified by this BA Agreement, all of the terms and conditions governing Provider’s use of the Covered Services specified in the Terms of Service shall be and remain in full force and effect, and in the event of any inconsistency or conflict between this BA Agreement and such terms and conditions, this BA Agreement shall govern and control.
- 6.4 Amendment. This BA Agreement is incorporated by reference into and made a part of the Terms of Service, and as such may be amended by Doximity as described therein, subject to applicable law.
- 6.5 Independent Relationship. None of the provisions of this BA Agreement are intended to create, nor will they be deemed to create, any relationship between the parties other than that of independent parties contracting with each other as independent contractors solely for the purposes of effecting the provisions of this BA Agreement and the terms and conditions governing Covered Entity's use of the Covered Services.
- 6.6 We may provide notices via postings on www.doximity.com. All notices under this BA Agreement shall be sent in writing by traceable carrier to the addresses indicated below or such other address as a party may indicate with at least ten (10) days' prior written notice to the other party. Doximity may provide notices to Covered Entity under this BA Agreement at the email address specified below. Notices will be effective upon receipt. Any notices that do not comply with this section shall have no legal effect.
ADDRESSES FOR NOTICES
ATTN: Legal Department
500 3rd St., Suite 510
San Francisco, CA 94107
FOR COVERED ENTITY:
The notice address for Covered Entity is the email address or physical address associated with Provider’s Doximity member account.
- 6.7 Choice of Law and Jurisdiction. This BA Agreement, as well as all related disputes, shall be governed by and construed in accordance with the laws of the State of California, without giving effect to its conflict of law provisions, regardless of from where you access the Covered Services. You agree that the exclusive place of jurisdiction for all disputes or claims relating to this BA Agreement is San Francisco County, California, or the United States District Court for the Northern District of California, except as otherwise agreed by the parties or as described in the Arbitration Agreement set forth in the Terms of Service.