THIS CUSTOMER BUSINESS ASSOCIATE AGREEMENT (the “Agreement”) is entered into effective as of the date accepted by Covered Entity (“Effective Date”), by and between Web.com Group, Inc., with a principal place of business at 12808 Gran Bay Parkway West, Jacksonville, FL 32258, on behalf of itself and its companies, affiliates and subsidiaries (“Business Associate”) and Customer (“Customer” or “Covered Entity”).
WHEREAS, Customer has engaged Business Associate to provide certain services to Customer (the “Services”) as set forth in certain services agreement(s) between Business Associate and Customer (the “Underlying Agreements”), which may involve the Use and Disclosure of Protected Health Information and Electronic Protected Health Information (collectively, “PHI”); and
WHEREAS, Business Associate and Customer are required to protect the privacy of and provide for the security of PHI Disclosed to Business Associate in compliance with the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191 (“HIPAA”), the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”), Public Law 111-005, and the regulations promulgated thereunder; 45 C.F.R. Parts 160 and Part 164, Subparts A, C, D and E (Subpart E, together with the definitions in Subpart A is known as the “Standards for Privacy of Individually Identifiable Health Information” (the “Privacy Rule”) and Subpart C, together with the definitions in Subpart A, is known as the “Security Standards for the Protection of Electronic Protected Health Information” (the “Security Rule”) Subpart D, together with the definitions in Subpart A is known as the “Breach Notification Rule” (“Breach Notification Rule”) (the Privacy Rule, Breach Notification Rule and the Security Rule are collectively called the “HIPAA Regulations”); and
WHEREAS, the HIPAA Regulations require Customer to enter into a Business Associate Agreement with Business Associate containing certain requirements for Business Associates as detailed in the HIPAA Regulations with respect to Business Associate’s creation, receipt, maintenance or transmission of PHI received for or from Customer; and
NOW, THEREFORE, in consideration of the mutual promises and other consideration contained herein, the sufficiency of which is hereby acknowledged, the parties agree as follows:
1. Definitions. Unless otherwise defined herein, capitalized terms have the definitions given to them in the HIPAA Regulations.
2. Permitted Uses and Disclosures.
2.1. Pursuant to this Agreement, Business Associate may Use and Disclose PHI created, received, maintained or transmitted for or from Customer to provide the Services, or as otherwise permitted under this Agreement. Business Associate may not use or disclose protected health information in a manner that would violate Subpart E of 45 C.F.R. Part 164 if done by Customer.
2.2. Business Associate may also Use PHI it creates, receives, maintains or transmits for or from Customer as required for Business Associate’s proper management and administration (including, but not limited to, Business Associate’s internal operations and refinement of its business methods) or to carry out Business Associate’s legal responsibilities. Business Associate may Disclose such PHI as necessary for Business Associate’s proper management and administration or to carry out Business Associate’s legal responsibilities if (i) the Disclosure is Required by Law, or (ii) Business Associate obtains reasonable assurance, evidenced by written contract, from any person or entity to which Business Associate will Disclose such PHI that the person or organization will (a) hold the PHI in confidence and Use or further Disclose the PHI only for the purpose for which Business Associate Disclosed it to the person or organization or as Required by Law, and (b) notify Business Associate (who will in turn notify Customer as described in Section 6 below) of any instance of which the person or organization becomes aware in which the Confidentiality of such PHI was Breached.
2.3. To the extent that Business Associate is to carry out any of Customer’s obligations that are regulated by HIPAA, Business Associate shall comply with the HIPAA requirements that apply to Customer in the performance of such obligation.
3. Minimum Necessary Information. To the extent required by the HIPAA Regulations, Business Associate shall Use and Disclose on behalf of Customer only the minimum amount of PHI necessary to provide the Services. Minimum Necessary shall have the meaning ascribed to it in the HIPAA Regulations or in any later guidance issued by the Secretary of Health and Human Services (“HHS”).
4. Information Safeguards. Business Associate will use appropriate administrative, technical and physical safeguards consistent with the size and complexity of Business Associate’s operations, and comply, where applicable, with Subpart C of 45 C.F.R. Part 164 with respect to PHI in electronic form, to prevent Use or Disclosure of PHI other than as provided for by this Agreement.
5. Customer Representations.
5.1. Customer shall not request Business Associate to Use or Disclose PHI in any manner that would not be permissible under Subpart E of 45 C.F.R. Part 164 if done by Customer.
5.2. Customer represents that it has obtained any necessary consents and Authorizations from any patients to which the PHI pertains to enable Business Associate to provide the Services hereunder.
5.3. Customer shall notify Business Associate of any limitation(s) in the Notice of Privacy Practices of Customer under 45 C.F.R. 164.520, to the extent that such limitation may affect Business Associate’s Use or Disclosure of PHI.
5.4. Customer shall notify Business Associate of any changes in, or revocation of, the permission by an Individual to Use or Disclose his or her PHI, to the extent that such changes may affect Business Associate’s Use or Disclosure of PHI.
5.5. Customer shall notify Business Associate of any restriction on the Use or Disclosure of PHI that Customer has agreed to or is required to abide by under 45 C.F.R. 164.522, to the extent that such restriction may affect Business Associate’s Use or Disclosure of PHI.
6. Incident Reporting. Business Associate shall report to Customer any Use or Disclosure of PHI not provided for by the Agreement of which it becomes aware, including Breaches of Unsecured PHI as required at 45 C.F.R. 164.410, and any Security Incident of which it becomes aware, provided, however, that for purposes of this Security Incident reporting requirement, the term “Security Incident” shall not include inconsequential incidents that occur on a daily basis, such as scans, “pings” or other unsuccessful attempts to penetrate computer networks or servers containing electronic PHI maintained by Business Associate.
7. Subcontractors. Business Associate may use subcontractors to perform the Services hereunder. Business Associate shall ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of Business Associate agree to the same restrictions, conditions, and requirements that apply to Business Associate with respect to such information in accordance with 45 C.F.R. 164.502(e)(1)(iii) and 45 C.F.R. 164.308(b)(2) to the extent applicable.
8. Availability of Books and Records. Business Associate shall permit the Secretary and other regulatory and accreditation authorities to audit Business Associate’s internal practices, books and records at reasonable times as they pertain to the Use and Disclosure of PHI received from, or created or received by Business Associate on behalf of, Covered Entity in order to ensure that Covered Entity or Business Associate is in compliance with the requirements of the Privacy Rule.
9. Patient Rights.
9.1. Business Associate acknowledges that the HIPAA Regulations require Customer to provide patients with a number of privacy rights. To assist Customer Entity in complying with these requirements, Business Associate agrees to the following:
9.1.1. Patient Access. To the extent required by the HIPAA Regulations, Business Associate will make available PHI in a Designated Record Set, if a Designated Record Set is maintained by Business Associate, to the Customer as necessary to satisfy Customer’s obligations under 45 C.F.R. 164.524.
9.1.2. Amendment. To the extent required by the HIPAA Regulations, Business Associate shall make any amendment(s) to PHI in a Designated Record Set, if a Designated Record Set is maintained by Business Associate, as directed or agreed to by Customer pursuant to 45 C.F.R. 164.526.
9.1.3. Accounting of Disclosures. To the extent required by the HIPAA Regulations, Business Associate will maintain and make available the information required to provide an Accounting of Disclosures to the Customer as necessary to satisfy Customer’s obligations under 45 C.F.R. 164.528.
9.2. Requests Received by Business Associate. If Business Associate receives a patient request for PHI held by Business Associate on behalf of Customer, or receives a patient request to exercise any other patient rights, Business Associate shall notify Customer of such request and forward the request to Customer. Business Associate shall then assist Customer in responding to the request, in accordance with the above provisions.
10. Term and Termination.
10.1 Term. The term of this Agreement shall continue until termination of all of the Underlying Agreements or termination by either party in accordance with Section 10.2.
10.2 Material Breach. Where either party has knowledge of a material breach of this Agreement by the other party and cure is possible, the non-breaching party shall provide the breaching party with an opportunity to cure. Where said breach is not cured within ten (10) business days of the breaching party’s receipt of notice from the non-breaching party of said breach, the non-breaching party shall, if feasible, terminate this Agreement and the portion(s) of the Underlying Agreement affected by the breach. Where either party has knowledge of a material breach by the other party and cure is not possible, the non-breaching party shall, if feasible, terminate this Agreement and the portion(s) of the Underlying Agreement affected by the breach.
10.3 Return or Destruction of PHI. Upon termination, cancellation, expiration or other conclusion of this Agreement, for any reason, Business Associate shall, if feasible, return or destroy all PHI, in whatever form or medium, which Business Associate created or received for or from Customer. To the extent that Business Associate decides that any return or destruction of PHI is not feasible, the parties agree that the requirements set forth in this Agreement with respect to the PHI shall survive termination of this Agreement, and Business Associate shall extend the protections of this Agreement to such PHI and shall not use or disclose such PHI other than for the purposes for which such PHI was retained and subject to the same conditions, restrictions and limitations set out in this Agreement, for as long as Business Associate maintains such PHI.
11. Limitation of Liability. IN NO EVENT SHALL BUSINESS ASSOCIATE’S LIABILITY FOR ANY BREACH OF THIS AGREEMENT EXCEED THE AMOUNT OF FEES PAID BY CUSTOMER TO BUSINESS ASSOCIATE FOR THE SERVICES FOR THE PERIOD OF THREE (3) MONTHS PRIOR TO THE OCCURRENCE OF SUCH BREACH. WITHOUT LIMITATION TO THE FOREGOING, BUSINESS ASSOCIATE SHALL NOT BE RESPONSIBLE OR HELD LIABLE FOR ANY CONSEQUENTIAL, SPECIAL, PUNITIVE, EXEMPLARY, INDIRECT OR INCIDENTAL LOSSES OR DAMAGES RELATED TO THE SUBJECT MATTER HEREOF OR FOR ANY BREACH OF THIS AGREEMENT, EVEN IF BUSINESS ASSOCIATE HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
12.1. Notice. All notices, requests, demands and other communications required or permitted to be given or made under this Agreement shall be in writing, shall be effective upon receipt or attempted delivery, and shall be sent by (i) personal delivery; (ii) certified or registered United States mail, return receipt requested; (iii) overnight delivery service with proof of delivery; or (iv) electronic mail. Notices shall be sent to the addresses below. Neither party shall refuse delivery of any notice hereunder. Either party may change its address by delivery of notice of such change pursuant to this Section 12.1.
CUSTOMER: At Customer’s address on record with Business Associate.
Web.com Group, Inc.
12808 Gran Bay Parkway West
Jacksonville, FL 32258
ATTN: HIPAA Privacy Officer
12.2. Waiver. No failure on the part of either party to exercise, and no delay in exercising, any right or remedy hereunder shall operate as a waiver thereof; nor shall any single or partial exercise of any right or remedy hereunder preclude any other right or remedy or further exercise thereof or the exercise of any other right or remedy granted herein.
12.3. Assignment. Business Associate shall have the right to assign its rights and obligations hereunder to any entity that is an affiliate or successor of Business Associate, without the prior approval of Customer.
12.4. Severability. Any provision of this Agreement that is determined to be invalid or unenforceable will be ineffective to the extent of such determination without invalidating the remaining provisions of this Agreement or affecting the validity or enforceability of such remaining provisions.
12.5. Entire Agreement; No Third Party Beneficiaries. This Agreement constitutes the complete agreement between Business Associate and Customer relating to the matters specified in this Agreement, and supersedes all prior representations or agreements, whether oral or written, with respect to such matters. No oral modification or waiver of any of the provisions of this Agreement shall be binding on either party. No obligation on either party to enter into any transaction is to be implied from the execution or delivery of this Agreement. This Agreement is for the benefit of, and shall be binding upon the parties, their affiliates and respective successors and assigns. No third party shall be considered a third-party beneficiary under this Agreement, nor shall any third party have any rights as a result of this Agreement.
12.6. Governing Law. This Agreement shall be governed by and interpreted in accordance with the laws of the State of Florida, excluding its conflicts of law provisions. Venue for any dispute relating to this Agreement shall be in Duval County, Florida.
12.7. Nature of Agreement; Independent Contractor. Nothing in this Agreement shall be construed to create (i) a partnership, joint venture or other joint business relationship between the parties or any of their affiliates, or (ii) a relationship of employer and employee between the parties. Business Associate is an independent contractor, and not an agent of Customer.
12.8. Counterparts. This Agreement may be executed in any number of counterparts, each of which shall be deemed an original and all of which together shall constitute one and the same agreement. In proving this Agreement, it shall not be necessary to produce or account for more than one such counterpart signed by the party against whom enforcement is sought. All facsimile signatures (whether transmitted by telecopier, electronic mail or otherwise) shall be treated as originals under this Agreement.
12.9. Interpretation, Changes in Law. Any ambiguity in this Agreement shall be resolved to permit Customer and Business Associate to comply with the HIPAA Regulations. Upon the effective date of any final regulation or amendment to final regulations promulgated by HHS, this Agreement shall automatically amend such that the obligations they impose on Business Associate and Customer remain in compliance with these regulations and guidance.
12.10. Survival. The following Sections shall survive termination of this Agreement: Sections 10, 11, 12.
IN WITNESS WHEREOF, the parties enter into this Agreement, to become effective as of the later of the dates set forth below.
ACCEPTED BY CUSTOMER:
Customer Name: ___________________________
ACCEPTED BY WEB.COM GROUP, INC:
Signed: HIPAA Privacy Officer