BUSINESS ASSOCIATE AGREEMENT

This Business Associate Agreement ("Agreement") is entered into as of _________________ ("Effective Date") by and between:

Covered Entity: ___________________________________ ("Covered Entity")

Business Associate: OpenCage GmbH ("OpenCage") (German company registration: Berlin (Charlottenburg) HRB 272249).

1. DEFINITIONS

Terms used but not otherwise defined in this Agreement shall have the same meaning as those terms in the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), the Health Information Technology for Economic and Clinical Health Act ("HITECH Act"), and their implementing regulations.

2. OBLIGATIONS OF BUSINESS ASSOCIATE

2.1 Permitted Uses and Disclosures. OpenCage may use or disclose Protected Health Information ("PHI") only as permitted by this Agreement or as required by law, and shall not use or disclose PHI in any manner that would constitute a violation of HIPAA if so used or disclosed by Covered Entity.

2.2 Safeguards. OpenCage shall implement appropriate safeguards to prevent the use or disclosure of PHI other than as provided for by this Agreement, including implementing administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of electronic PHI.

OpenCage's API makes available various privacy options, most notably the use of an optional no_record=1 parameter. Covered Entity is advised to make full use of these options, and bears sole responsibility for failure to do so.

2.3 Reporting. OpenCage shall report to Covered Entity any use or disclosure of PHI not provided for by this Agreement, including breaches of unsecured PHI, within thirty (30) days of becoming aware of such breach or improper use or disclosure.

2.4 Subcontractors. OpenCage shall ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of OpenCage agree to the same restrictions and conditions that apply to OpenCage with respect to such PHI.

2.5 Access to PHI. OpenCage shall provide access to PHI in a Designated Record Set to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements of 45 CFR § 164.524.

2.6 Amendment of PHI. OpenCage shall make any amendments to PHI in a Designated Record Set as directed by Covered Entity pursuant to 45 CFR § 164.526.

2.7 Accounting of Disclosures. OpenCage shall document disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures in accordance with 45 CFR § 164.528.

2.8 Access to Records. OpenCage shall make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of Health and Human Services for purposes of determining compliance with HIPAA.

3. OBLIGATIONS OF COVERED ENTITY

3.1 Notice of Privacy Practices. Covered Entity shall notify OpenCage of any limitation(s) in its Notice of Privacy Practices, to the extent that such limitation may affect OpenCage's use or disclosure of PHI.

3.2 Permission to Use or Disclose. Covered Entity shall notify OpenCage of any changes in, or revocation of, permission by an Individual to use or disclose PHI, to the extent that such changes may affect OpenCage's use or disclosure of PHI.

3.3 Restrictions. Covered Entity shall notify OpenCage of any restriction to the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 CFR § 164.522.

4. TERM AND TERMINATION

4.1 Term. This Agreement shall become effective on the Effective Date and shall terminate when Covered Entity ceases to be a customer of OpenCage.

4.2 Termination for Breach. Upon either party's knowledge of a material breach by the other party, the non-breaching party shall either:

  • Provide an opportunity for the breaching party to cure the breach and terminate this Agreement if the breaching party does not cure the breach within thirty (30) days; or
  • Immediately terminate this Agreement if cure is not possible.

4.3 Effect of Termination. Upon termination of this Agreement, OpenCage shall return or destroy all PHI received from Covered Entity or created or received by OpenCage on behalf of Covered Entity. If return or destruction is not feasible, OpenCage shall extend the protections of this Agreement to such PHI and limit further uses and disclosures to those purposes that make the return or destruction infeasible.

5. MISCELLANEOUS

5.1 Regulatory References. A reference in this Agreement to a section in HIPAA or the HIPAA regulations means the section as in effect or as amended.

5.2 Amendment. The parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for Covered Entity to comply with the requirements of HIPAA and the HITECH Act.

5.3 Survival. The respective rights and obligations of Business Associate under Section 4.3 shall survive the termination of this Agreement.

5.4 GDPR. As a European entity OpenCage is bound by the EU's General Data Protection Agreement (GDPR).

5.4 Interpretation. Any ambiguity in this Agreement shall be resolved in favor of a meaning that permits OpenCage to comply with GDPR.

5.5 Governing Law. This Agreement shall be governed by the laws of Germany and ___________________.

6. SIGNATURES

COVERED ENTITY:

Name: _________________________________

Title: _________________________________

Signature: _____________________________ Date: _____________

OpenCage GmbH:

Name: _________________________________

Title: Geschäftsführer (Managing Director)___________

Signature: _____________________________ Date: _____________