This Addendum (the “BAA”) is incorporated by reference into the terms of the ProMonitoring Agreement (the “Services Agreement”) signed by Company and the ProMonitoring Provider pertaining to the Services provided by Company to the ProMonitoring Provider. Capitalized terms not otherwise defined herein have the meaning ascribed to such terms in the HIPAA privacy and security laws and regulations, as amended, including the HITECH Act.
1. Applicability. This BAA applies to ProMonitoring Provider and Company with respect to PHI provided to Company by or on behalf of ProMonitoring Provider (including by ProMonitoring Provider end users) in connection with the Services. This BAA is intended to comply with the requirement to have a business associate agreement in 45 CFR 164.502(e) and other applicable rules. The parties agree to promptly revise this BAA to comply with changes in legal requirements.
2. Permitted Use and Disclosure of PHI.
a. Except as otherwise stated in this BAA, Company may use and disclose PHI only (i) as permitted or required by the Services Agreement and/or this BAA or (ii) as Required by Law. Company is permitted to deidentify the PHI. Company will comply with the minimum necessary requirements in any use or disclosure.
b. Company may use and disclose PHI for its proper management and administration and to carry out its legal responsibilities, provided that any disclosure of PHI for such purposes may only occur if (i) Required by Law; or (ii) Company obtains written reasonable assurances from the person to whom PHI will be disclosed that it will be held in confidence, used only for the purpose for which it was disclosed, and that Company will be notified of any Breach or Security Incident.
3. ProMonitoring Provider Obligations. ProMonitoring Provider will not request that Company use or disclose PHI in any manner that would not be permissible under HIPAA if done by ProMonitoring Provider (unless expressly permitted under HIPAA for a Business Associate). ProMonitoring Provider will promptly notify Company of any new or additional restrictions to be imposed on ProMonitoring Provider’s PHI, and of any revocations of permission by any individual with respect to use or disclosure of PHI.
4. Appropriate Safeguards. Company will use appropriate administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of PHI it receives, maintains, processes or transmits for the ProMonitoring Provider.
5. Reporting and Related Obligations.
a. Company will promptly notify ProMonitoring Provider of (i) any Security Incident of which Company becomes aware, subject to Section 5(c); and (ii) any Breach that Company discovers, provided that any notice for Breach will be made promptly and without unreasonable delay, and in no case later than 60 calendar days after discovery. Notifications made under this section will describe, to the extent reasonably possible, details of a Breach, including steps taken to mitigate the potential risks and steps Company recommends ProMonitoring Provider take to address the Breach. Company will reasonably cooperate with the ProMonitoring Provider in investigation of any Breach.
b. Company will send any applicable notifications to the notification email address provided by ProMonitoring Provider in the Services Agreement or via direct communication with ProMonitoring Provider.
c. Notwithstanding Section 5(a), this Section 5(c) will be deemed as notice to ProMonitoring Provider that Company periodically receives unsuccessful attempts for unauthorized access, use, disclosure, modification, or destruction of information, or interference with the general operation of Company’s systems and the Services. ProMonitoring Provider acknowledges and agrees that even if such events constitute a Security Incident, Company will not be required to provide any notice under this BAA regarding such unsuccessful attempts other than this Section 5(c).
6. Subcontractors. Company will take appropriate measures to ensure that any Subcontractors used by Company to perform its obligations under the Services Agreement that require access to PHI on behalf of Company are bound by written obligations that provide the same material level of protection for PHI as this BAA. To the extent Company uses Subcontractors in its performance of obligations hereunder, Company will remain responsible for their performance as if performed by Company.
7. Access and Amendment. Company will make PHI in its possession available in a manner sufficient to meet ProMonitoring Provider’s obligations under 45 CFR 164.524, and amend such PHI in order to satisfy ProMonitoring Provider’s obligations under 45 CFR 164.526.
8. Accounting of Disclosures. Company will document disclosures of PHI by Company and provide an accounting of such disclosures to ProMonitoring Provider as and to the extent required of a Business Associate under HIPAA.
9. Access to Records. To the extent required by law, and subject to all applicable legal privileges, Company will make its internal practices, books, and records concerning the use and disclosure of PHI received from ProMonitoring Provider, or created or received by Company on behalf of ProMonitoring Provider, available to the Secretary of the U.S. Department of Health and Human Services (the “Secretary”) for the purpose of the Secretary determining compliance with this BAA.
10. Expiration and Termination.
a. This BAA will terminate on the earlier of (i) a permitted termination in accordance with Section 10(b), or (ii) the expiration or termination of the Services Agreement.
b. If either party materially breaches this BAA, the non-breaching party may terminate this BAA on 10 days’ written notice to the breaching party unless the breach is cured within the 10-day period. If a cure under this Section 10(b) is not reasonably possible, the non-breaching party may immediately terminate this BAA, or if neither termination nor cure is reasonably possible under this Section 10(b), the non-breaching party may report the violation to the Secretary, subject to all applicable legal privileges.
11. Return/Destruction of Information. On termination of the Services Agreement, Company will return or destroy all PHI received from ProMonitoring Provider, or created or received by Company on behalf of ProMonitoring Provider; provided, however, that if such return or destruction is not feasible, Company will extend the protections of this BAA to the PHI not returned or destroyed and limit further uses and disclosures to those purposes that make the return or destruction of the PHI infeasible.
12. Miscellaneous.
a. Survival. Sections 11 (Return/Destruction of Information) and 12 (Miscellaneous) will survive termination or expiration of this BAA.
b. Effects of Addendum. To the extent this BAA conflicts with the remainder of the Services Agreement, this BAA will govern. This BAA is subject to the ProMonitoring Provider Terms and Conditions, including, without limitation, the sections relating to “Governing Law”, “Dispute Resolution” and “Limitation of Liability.” Except as expressly modified or amended under this BAA, the terms of the Services Agreement remain in full force and effect.
LAST UPDATED: 6/12/25