
Business Associate Agreement

This BUSINESS ASSOCIATE AGREEMENT (the “BAA”) is incorporated by reference into the Client Services Order Form (the “Order Form”), effective as of the date of the Order Form (the “Effective Date”), by and between the Client identified in the Order Form (“Company”), on behalf of its group health plan (the “Plan”), and Sequoia Benefits and Insurance Services, LLC d/b/a Sequoia Group (“Business Associate”). Each of Company and Business Associate is referred to herein individually as a “Party” and collectively as the “Parties”. This BAA supersedes and replaces any prior Business Associate Agreements and related amendments thereto between the Parties. In the event that any terms of this BAA conflict with any terms of the Agreement (as defined below), the terms of this BAA shall govern and control over the conflicting term in the Agreement. All other nonconflicting terms of the Agreement shall remain valid and enforceable.

RECITALS

WHEREAS, Company maintains the Plan that provides certain group health plan benefits to certain of Company’s employees, former employees, and their eligible dependents, if any;

WHEREAS, Business Associate performs or will perform certain services for the Plan subject to an agreement between the Parties that authorizes the processing of Protected Health Information (with the Order Form, the “Agreement”);

WHEREAS, in the course of performing services for the Plan, Business Associate may have access to, create, maintain, and/or otherwise use and/or disclose Protected Health Information (as defined below); and

WHEREAS, the Parties desire to set forth their respective obligations with respect to Protected Health Information (as defined below) pursuant to the Health Insurance Portability and Accountability Act of 1996, as it may be amended from time to time, and the regulations promulgated at 45 C.F.R. Parts 160-164 (collectively, “HIPAA”), to the extent applicable to any services Business Associate performs for the Plan.

NOW THEREFORE, Company and Business Associate agree as follows:

  1. Definitions
    The following terms have the following meaning when used in this BAA:
    1. Breach means that term as defined in 45 C.F.R. § 164.402.
    2. Designated Record Set means that term as defined in 45 C.F.R. § 164.501.
    3. Electronic Protected Health Information means Protected Health Information that is transmitted or maintained in electronic media, including, but not limited to, hard drives, disks, on the internet, or on an intranet.
    4. HHS means the Department of Health and Human Services.
    5. Individual means that term as defined in 45 C.F.R. § 160.103, and includes a person who qualifies as a personal representative in accordance with 45 C.F.R. § 164.502(g).
    6. Privacy Rule means the privacy requirements in HIPAA, as set forth in 45 C.F.R. Part 160, and Subparts A and E of 45 C.F.R. Part 164.
    7. Protected Health Information (or PHI) means that term as defined in 45 C.F.R. § 160.103, except limited to the information created, received or maintained by Business Associate from or on behalf of the Plan.
    8. Required by Law means that term as defined in 45 C.F.R. § 164.103.
    9. Secretary means the Secretary of the Department of Health and Human Services or his/her designee.
    10. Security Incident means that term as defined in 45 C.F.R. § 164.304.
    11. Security Rule means the security requirements set forth in HIPAA, as set forth in 45 C.F.R. Part 160, and Subparts A and C of 45 C.F.R. Part 164.
    12. Subcontractor means that term as defined in 45 C.F.R. § 160.103, except limited to any such person or entity that receives, maintains, creates or transmits PHI for Business Associate.
    13. Transaction means that term as defined in 45 C.F.R. § 160.103.
    14. Unsecured Protected Health Information means that term as defined in 45 C.F.R. § 164.402.

    Any capitalized term not specifically defined herein will have the same meaning as set forth in 45 C.F.R. Parts 160 and 164, where applicable. The terms “use,” “disclose” and “discovery,” or derivations thereof, although not capitalized, shall also have the meanings set forth in HIPAA.

  2. Obligations and Activities of Business Associate
    This BAA applies only to the extent the Plan is a “covered entity” as that term is defined by HIPAA. To the extent applicable to any services Business Associate performs for the Plan, Business Associate will:
    1. Not use or disclose PHI other than as permitted or required by this BAA, the Agreement, or as Required by Law.
    2. Document and use appropriate administrative, technical and physical safeguards, and comply with Subpart C of 45 C.F.R. Part 164 with respect to Electronic Protected Health Information, to prevent use or disclosure of PHI other than as provided for by this BAA or the Agreement.
    3. With respect to any use or disclosure of Unsecured Protected Health Information not permitted by the Privacy Rule that is caused solely by Business Associate’s failure to comply with one or more of its obligations under this BAA, the Plan hereby delegates to Business Associate the responsibility for determining when any such incident is a Breach. In the event of a Breach, Business Associate will notify Company in writing of: (i) any use or unauthorized disclosure of PHI by Business Associate or any Subcontractor that is contrary to this BAA including, without limitation, any Breach of Unsecured Protected Health Information; or (ii) any Security Incident; provided, however, the Parties acknowledge that unsuccessful incidents (e.g., pings and other broadcast attacks on a firewall, denial of service attacks, port scans, unsuccessful login attempts) occur within the normal course of business and the Parties stipulate and agree that this paragraph constitutes notice by Business Associate to Company for such unsuccessful incidents. If there is a Breach of Unsecured Protected Health Information, Business Associate will:
      1. Notify Company in writing of the Breach without unreasonable delay, and in no event more than sixty (60) days after discovery of the Breach, and provide to the extent known to Business Associate (i) a list of all Individuals affected by the Breach, and (ii) any other available information that the Plan is required to include in notifications to such Individuals pursuant to 45 C.F.R. § 164.404(c). In the event any such information is not available when Company is notified of the Breach, Business Associate will provide such information to Company as soon as it becomes available; and
      2. Reasonably cooperate with Company to notify: (i) Individuals whose Unsecured Protected Health Information has been, or is reasonably believed by Business Associate to have been, accessed, acquired, used, or disclosed without authorization; (ii) the media, as required by 45 C.F.R. § 164.406; and (iii) the Secretary as required by 45 C.F.R. § 164.408(b) if the legal requirements for media or HHS notification are triggered by the circumstances of such Breach, provided that Business Associate will not initiate any such notifications without providing notice to Company.
    4. Establish procedures for mitigating, and follow those procedures and so mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate or by any Subcontractor that is contrary to this BAA.
    5. Ensure that any Subcontractor that creates, receives, maintains or transmits PHI on behalf of Business Associate enters into a written agreement whereby the Subcontractor agrees to the same material restrictions, conditions and requirements that apply to Business Associate with respect to such information, in accordance with 45 C.F.R. § 164.502(e)(1)(ii) and 45 C.F.R. § 164.308(b)(2).
    6. To the extent Business Associate maintains PHI in a Designated Record Set, in order to allow Company to respond to a request by an Individual for access to PHI pursuant to 45 C.F.R. § 164.524, Business Associate shall, promptly upon receipt of written request by Company, make available to Company such PHI.
      1. If any Individual requests access to PHI directly from Business Associate, Business Associate shall promptly forward such request to Company.
      2. Company will be responsible for determining whether to grant or deny an Individual’s request for PHI and Business Associate will make no such determinations. Except as Required by Law, only Company will be responsible for determining the release of PHI to an Individual pursuant to such a request. Any denial of access to PHI determined by Company pursuant to 45 C.F.R. § 164.524, and conveyed to Business Associate by Company, shall be the responsibility of Company, including resolution or reporting of all appeals and/or complaints arising from denials.
    7. To the extent Business Associate maintains PHI in a Designated Record Set, in order to allow Company to respond to a request by an Individual for an amendment to PHI, Business Associate shall, promptly upon receipt of a written request by Company, make available to Company such PHI.
      1. If any Individual requests amendment of PHI directly from Business Associate, Business Associate shall promptly forward such request to Company.
      2. Company will be responsible for determining whether to grant or deny an Individual’s request for an amendment to PHI and Business Associate will make no such determinations. Any denial of amendment to PHI determined by Company pursuant to 45 C.F.R. § 164.526, and conveyed to Business Associate by Company, shall be the responsibility of Company, including resolution or reporting of all appeals and/or complaints arising from denials.
      3. Promptly after receipt of a request from Company to amend an individual’s PHI in the Designated Record Set, Business Associate shall incorporate, or make available PHI for Company to incorporate, any approved amendments, statements of disagreement, and/or rebuttals into its Designated Record Set as required by 45 C.F.R. § 164.526.
    8. Maintain and make available to the Plan or, as directed by the Plan, to an Individual, as soon as practicable, the information required for the Plan to satisfy their obligations pursuant to 45 C.F.R. § 164.528 to respond to a request for an accounting of disclosures of PHI.
    9. Comply with the requirements of Subpart E of 45 C.F.R. Part 164 that are applicable to the Plan, if Business Associate is to carry out one or more of the Plan’s obligations under Subpart E.
    10. In the event Business Associate transmits or receives a Transaction on behalf of the Plan, Business Associate will comply with all applicable provisions of the HIPAA standards for electronic transactions and code sets (the “EDI Standards”). Business Associate will also ensure that any Subcontractor that transmits or receives a Transaction on its behalf does so in accordance with the EDI Standards.
    11. Make its internal practices, books, and records available to the Secretary or the Plan for purposes of a review and assessment of the Plan’s compliance with HIPAA.
    12. Not engage in the Sale of PHI or otherwise receive direct or indirect remuneration in exchange for the PHI of an Individual, unless Business Associate or the Plan has obtained a valid authorization from the Individual, consistent with the requirements under 45 C.F.R. § 164.508.
  3. Permitted Uses and Disclosures by Business Associate
    1. Business Associate may only use or disclose PHI as necessary to perform functions, activities, or services for, or on behalf of, the Plan, provided that such use or disclosure would not violate the Privacy Rule if done by the Plan or the minimum necessary policies and procedures of the Plan, or as otherwise expressly provided in this Section 3.
    2. Business Associate may de-identify PHI. Once PHI has been de-identified pursuant to 45 C.F.R. § 164.514(b), such information is no longer PHI and no longer subject to this BAA.
    3. Business Associate may use or disclose PHI as Required by Law.
    4. Any use or disclosure of PHI by Business Associate will be in compliance with the minimum necessary policies and procedures of the Plan, and with the minimum necessary requirements of HIPAA. Company agrees that Business Associate may rely on Company’s instructions to determine if uses and disclosures meet this minimum necessary requirement.
    5. Business Associate may not use or disclose PHI in a manner that would violate Subpart E of 45 C.F.R. Part 164 if done by the Plan, except that Business Associate may do the following:
      1. Use PHI for the proper management and administration of Business Associate, or to carry out the legal responsibilities of Business Associate.
      2. Disclose PHI for the proper management and administration of Business Associate, or to carry out the legal responsibilities of Business Associate, provided that the disclosures are Required by Law, or Business Associate obtains reasonable written assurances from the person or entity receiving the information (each a “Recipient”) that the information will remain confidential, and be used or further disclosed only as Required by Law or for the purposes for which it was disclosed to the Recipient; and the Recipient notifies the Business Associate of any instances of which the Recipient is aware in which the confidentiality of the information has been breached.
      3. Use PHI to provide data aggregation services as permitted by 45 C.F.R. § 164.504(e)(2)(i)(B) that relate to the Health Care Operations of the Plan.
    6. Business Associate may use PHI to report violations of law to the appropriate federal and state authorities, consistent with 45 C.F.R. § 164.502(j)(1).
  4. Obligations of the Plan
    The Plan will:
    1. Notify Business Associate of any limitations in the Plan’s Notice of Privacy Practices under 45 C.F.R. § 164.520, to the extent any such limitation may affect Business Associate’s use or disclosure of PHI.
    2. Notify Business Associate of any changes in, or revocation of, the permission by an Individual to use or disclose his or her PHI, to the extent that such changes may affect Business Associate’s use or disclosure of PHI.
    3. Notify Business Associate of any restriction on the use or disclosure of PHI that the Plan has agreed to or is required to abide by under 45 C.F.R. § 164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of PHI. In the event that the Plan takes action as described in Section 4(a), Section 4(b), or this Section 4(c), Business Associate will decide which restrictions or limitations it will administer. In addition, if those limitations or restrictions materially increase Business Associate’s cost of providing services under the Agreement or this BAA, the Plan will reimburse Business Associate for such increase in cost.
    4. Not request Business Associate to use or disclose PHI in any manner that would not be permissible under Subpart E of 45 C.F.R. Part 164 if done by the Plan.
  5. Term and Termination
    1. The term of this BAA begins on the Effective Date and ends on the date that the Agreement terminates in accordance with its terms, as expressly authorized by Section 5(b) below, or when all PHI has been disposed of in compliance with the terms of this BAA, whichever occurs later.
    2. Where either Party has knowledge of a material breach by the other Party, the non-breaching Party shall provide the breaching Party with an opportunity to cure. Where said breach is not cured to the reasonable satisfaction of the non-breaching Party within twenty (20) business days of the breaching Party’s receipt of notice from the non-breaching Party of said breach, the non-breaching Party shall, if feasible, terminate this BAA and the portion(s) of the Agreement affected by the material breach.
    3. Upon termination of this BAA for any reason, Business Associate will (and will ensure that its Subcontractors that have had access to PHI will):
      1. If reasonably feasible as determined by Business Associate, destroy all PHI received from, or created or received by Business Associate for or on behalf of Company that Business Associate or any of its subcontractors and agents still maintain in any form, and Business Associate shall retain no copies of such information except in accordance with HIPAA; or
      2. If Business Associate determines that such destruction is not feasible, extend the protections of this BAA to such information and limit further uses and disclosures to those purposes that make the destruction of the PHI infeasible, in which case Business Associate’s obligations under this Section 5(c)(2) shall survive the termination of this BAA.
  6. Miscellaneous
    1. Regulatory References. A reference in this BAA to a section in the Privacy Rule, the Security Rule, or to any other regulation promulgated under HIPAA means the section as in effect or as amended.
    2. Survival. Sections 2, 3, 5(c) and 6 of this BAA shall survive the termination of this BAA.
    3. Interpretation. Any ambiguity in this BAA will be resolved to permit the Plan to comply with the Privacy Rule, Security Rule and other provisions of HIPAA.
    4. Effect. This BAA shall be binding upon, and shall inure to the benefit of, Company, the Plan and Business Associate, and their respective successors, assigns, administrators and other legal representatives.
    5. No Third Party Beneficiary. Nothing express or implied in this BAA is intended to confer, nor shall anything herein confer, upon any person other than Company, the Plan and Business Associate, and their respective successors or assigns, any rights, remedies, obligations, or liabilities whatsoever.
    6. Independent Contractors. Nothing contained herein shall be deemed or construed by the Parties or by any third party to create a relationship of employer and employee, principal and agent, or joint venture of the Parties, it being understood and agreed that Business Associate provides services to Company and the Plan hereunder as an independent contractor; Business Associate retains full and complete control over its performance under this BAA; and Company and the Plan have no authority to direct or control Business Associate’s conduct or activities in connection with this BAA.
    7. Governing Law. The construction, interpretation and performance of this BAA and all transactions under this BAA shall be governed and enforced pursuant to the laws of the State of California except as such laws are preempted by any provision of federal law, including by ERISA or HIPAA. The parties will attempt in good faith promptly by negotiations to resolve any dispute or controversy arising out of or relating to the BAA. In the event the parties are unable to settle such controversy amicably through negotiations, the dispute will be submitted to binding arbitration before the American Arbitration Association before a single arbitrator in accordance with the Rules of the American Arbitration Association provided that: (i) the prevailing party, as determined by the arbitrator, shall be entitled to an award from the losing party for the prevailing party’s attorney’s fees and costs; (ii) discovery may be conducted pursuant to California Code of Civil Procedure Paragraph 1283.05; (iii) the arbitrator’s judgment will be final and binding upon the parties, except that it may be challenged on the grounds of fraud or gross misconduct; and (iv) the arbitration will be held in San Mateo County, California. Judgment upon any decision in arbitration may be entered in any court of competent jurisdiction.
    8. Severability. In the event any provision of this BAA is rendered invalid or unenforceable under any new or existing law or regulation, or declared null and void by any court of competent jurisdiction, the remaining provisions of this BAA shall remain in full force and effect if they reasonably can be given effect.
    9. Notices. All notices to be given pursuant to the terms of this BAA shall be in writing and shall be deemed given five (5) business days after being sent by certified mail, return receipt requested, postage prepaid or one (1) business day after being sent by reputable overnight mail delivery or by email to the other Party, at the address or email address set forth in the Agreement or at such other address or email address as a Party may designate from time to time.
      If to the Company, notice may be sent to the address or e-mail address Sequoia has on record. If to the Business Associate, notice shall be sent to:
      Attn: Legal Department
      Sequoia Benefits and Insurance Services, LLC
      1850 Gateway Drive, Suite 700
      San Mateo, CA 94404
      Email: Legal@sequoia.com
    10. Amendment. The Parties agree to take such action as is necessary to amend this BAA from time to time as is necessary for the Plan to comply with the requirements of HIPAA.
    11. Counterparts. This BAA may be executed in any number of counterparts, each of which shall be deemed an original. Facsimile copies thereof shall be deemed to be originals.

If the Parties have not otherwise agreed to Sequoia’s Services General Terms and Conditions, all services provided by Sequoia and/or Business Associate are subject to Sequoia’s Services General Terms and Conditions, which can be found at https://www.sequoia.com/legal/terms-services/ and are incorporated herein by reference.