Important. This BAA is not auto-active. CapchaCloud is not a HIPAA-covered service by default. This BAA only takes effect after both parties execute it via the Enterprise contracting process. Do not transmit PHI through the Service until a counter-signed BAA is in place.
Questions: support@serviceautomations.ai (subject: “HIPAA BAA”).
BAA Effective Date: As of the date of last signature below (“BAA Effective Date”)
Business Associate: Service Automations LLC, d/b/a CapchaCloud (“Business Associate” or “CapchaCloud”)
Covered Entity / Customer: The customer entity identified in the executed signature block (“Covered Entity” or “Customer”)
This Business Associate Agreement supplements and is incorporated into the Principal Agreement between the parties governing Customer’s use of the CapchaCloud service.
A. Customer is a Covered Entity or Business Associate as defined under HIPAA, HITECH, and the implementing regulations at 45 C.F.R. Parts 160, 162, and 164 (collectively, the “HIPAA Rules”).
B. Customer wishes to engage CapchaCloud to perform services that may involve the creation, receipt, maintenance, or transmission of Protected Health Information (“PHI”).
C. Both parties intend to comply with the HIPAA Rules.
Capitalized terms not defined here have the meanings given in the HIPAA Rules. The following also apply: “Breach” has the meaning at 45 C.F.R. §164.402. “Designated Record Set” has the meaning at 45 C.F.R. §164.501. “Electronic PHI” or “ePHI” has the meaning at 45 C.F.R. §160.103. “Protected Health Information” or “PHI” has the meaning at 45 C.F.R. §160.103, limited to PHI Created, Received, Maintained, or Transmitted by CapchaCloud from, to, or on behalf of Customer under the Principal Agreement. “Required by Law” has the meaning at 45 C.F.R. §164.103. “Secretary” means the Secretary of the U.S. Department of Health and Human Services or designee.
2.1 CapchaCloud will Use and Disclose PHI only: (a) as necessary to perform the services described in the Principal Agreement; (b) as Required by Law; (c) for the proper management and administration of CapchaCloud’s business, provided that any Disclosure is Required by Law or CapchaCloud obtains reasonable assurances from the recipient that the PHI will remain confidential and used only as Required by Law or for the purposes disclosed, and that the recipient will notify CapchaCloud of any Breach; (d) to provide Data Aggregation services relating to the Health Care Operations of Customer, if requested by Customer; (e) to de-identify PHI in accordance with 45 C.F.R. §164.514(a)-(c); (f) to report violations of law to appropriate federal and state authorities, consistent with 45 C.F.R. §164.502(j)(1).
2.2 CapchaCloud will not Use or Disclose PHI in any manner that would violate the HIPAA Rules if done by Customer.
2.3 No Sale; No Marketing. CapchaCloud will not Sell PHI or Use or Disclose PHI for Marketing, except as expressly permitted under the HIPAA Rules and authorized by Customer in writing.
3.1 CapchaCloud will implement appropriate administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of ePHI it Creates, Receives, Maintains, or Transmits on behalf of Customer, in accordance with the Security Rule (45 C.F.R. Part 164, Subpart C) and HITECH.
3.2 The technical and organizational measures in the Data Processing Addendum (Annex 2) and the Trust Center represent CapchaCloud’s baseline safeguards, supplemented as needed for ePHI.
3.3 CapchaCloud will use appropriate safeguards to prevent Use or Disclosure of PHI other than as provided by this BAA.
4.1 Security Incidents. CapchaCloud will report to Customer any Security Incident of which it becomes aware. Unsuccessful and routine attempts at intrusion of which CapchaCloud is aware will be deemed reported by this section without further notice, and CapchaCloud will provide additional information on request.
4.2 Unauthorized Use or Disclosure. CapchaCloud will report to Customer any Use or Disclosure of PHI not permitted by this BAA of which it becomes aware, without unreasonable delay.
4.3 Breach Notification. CapchaCloud will notify Customer of a Breach of Unsecured PHI without unreasonable delay and in no event later than thirty (30) days after Discovery of the Breach (or earlier where required to enable Customer’s compliance with 45 C.F.R. §164.404). The notice will include, to the extent then known: identification of Individuals affected where feasible; description of what happened; types of Unsecured PHI involved; steps Individuals should take; steps CapchaCloud is taking; contact information for questions or HHS notification.
4.4 Customer is responsible for notifying affected Individuals, the Secretary, and the media as required by 45 C.F.R. §§164.404, 164.406, 164.408. CapchaCloud will reasonably cooperate.
CapchaCloud will ensure that any subcontractor that Creates, Receives, Maintains, or Transmits PHI on behalf of CapchaCloud agrees in writing to the same restrictions and conditions that apply to CapchaCloud under this BAA. CapchaCloud will provide Customer with a list of Subcontractors that handle PHI on request.
6.1 Access. CapchaCloud will, within thirty (30) days of Customer’s written request, make PHI in a Designated Record Set held by CapchaCloud available to Customer (or, if directed, to the Individual) as necessary to enable Customer to meet its obligations under 45 C.F.R. §164.524.
6.2 Amendment. CapchaCloud will make PHI in a Designated Record Set available for amendment, and incorporate amendments to PHI as directed by Customer, within thirty (30) days of Customer’s written request, as necessary to enable Customer to meet its obligations under 45 C.F.R. §164.526.
6.3 Accounting of Disclosures. CapchaCloud will document Disclosures of PHI as required to enable Customer to respond to an Individual’s request for an accounting under 45 C.F.R. §164.528. Upon Customer’s written request, CapchaCloud will make this documentation available within thirty (30) days.
6.4 Restrictions and Confidential Communications. CapchaCloud will comply with Customer-directed restrictions and confidential communication requirements under 45 C.F.R. §164.522.
CapchaCloud will make its internal practices, books, and records relating to the Use and Disclosure of PHI received from, or Created, Received, Maintained, or Transmitted on behalf of, Customer available to the Secretary, in a time and manner designated by the Secretary, for purposes of determining Customer’s compliance with the HIPAA Rules.
CapchaCloud will mitigate, to the extent practicable, any harmful effect that is known to CapchaCloud of a Use or Disclosure of PHI by CapchaCloud in violation of this BAA.
9.1 Customer will not request CapchaCloud to Use or Disclose PHI in any manner that would not be permissible under the HIPAA Rules if done by Customer (except as permitted under §2 for Data Aggregation, management and administration, or de-identification).
9.2 Customer will notify CapchaCloud of (a) any limitations in its Notice of Privacy Practices; (b) any changes in, or revocation of, permission by an Individual to Use or Disclose PHI, to the extent such changes affect CapchaCloud’s permitted Uses or Disclosures; (c) any restriction to the Use or Disclosure of PHI that Customer has agreed to or is required to abide by.
9.3 Customer is responsible for using the Service in a manner consistent with applicable HIPAA Rules and other applicable law, and for properly configuring features (retention, allowed origins, webhook destinations, etc.) accordingly.
10.1 Term. This BAA is effective as of the BAA Effective Date and continues until terminated.
10.2 Termination for Breach. Either party may terminate this BAA on thirty (30) days’ written notice to the other party in the event of a material breach of this BAA that the breaching party fails to cure within the notice period. If cure is not feasible, the non-breaching party may immediately terminate, or report the breach to the Secretary, as required by 45 C.F.R. §164.504(e)(1)(ii).
10.3 Effect of Termination. Upon termination of this BAA for any reason, CapchaCloud will, with respect to PHI it received from or Created, Received, Maintained, or Transmitted on behalf of Customer: (a) retain only that PHI which is necessary for CapchaCloud to continue its proper management and administration or to carry out legal responsibilities; (b) return or destroy the remaining PHI that CapchaCloud still maintains in any form; (c) continue to use appropriate safeguards and comply with this BAA with respect to ePHI to prevent Use or Disclosure of the PHI, other than as provided in (a), for as long as CapchaCloud retains the PHI; (d) not Use or Disclose the PHI retained other than for the purposes for which it was retained and subject to the same conditions that applied prior to termination; (e) return or destroy the retained PHI when it is no longer needed for the purposes for which it was retained. If return or destruction is infeasible, CapchaCloud will notify Customer in writing of the conditions making return or destruction infeasible, and the protections in (c)–(e) above will continue indefinitely.
The parties agree to take such action as is necessary to amend this BAA from time to time as is necessary for the parties to comply with the requirements of the HIPAA Rules or other applicable law.
The obligations of CapchaCloud under §10.3 (Effect of Termination) survive termination of this BAA.
In the event of conflict between this BAA and the Principal Agreement or the Data Processing Addendum, this BAA controls with respect to PHI subject to HIPAA. In the event of ambiguity in this BAA, the parties will resolve the ambiguity in a manner that allows Customer to comply with the HIPAA Rules.
CapchaCloud’s liability under or in connection with this BAA is subject to the limitation and exclusion of liability provisions in the Principal Agreement, which apply in aggregate across the Principal Agreement, the DPA, and this BAA, except where applicable law (including HITECH) prohibits such limitation.
Each party will indemnify, defend, and hold harmless the other from and against any losses arising from the indemnifying party’s material breach of this BAA, subject to the indemnity provisions of the Principal Agreement.
Any ambiguity in this BAA will be resolved to permit Customer to comply with the HIPAA Rules. References to “HIPAA Rules” include subsequent regulations promulgated under HIPAA or HITECH.
This BAA may be executed in counterparts, including electronic signatures, each of which has the same legal effect as a manuscript signature.
Service Automations LLC
By: ___________________
Name: Adam F. Woodward
Title: Member
Date: _________
Covered Entity / Customer
By: ___________________
Name: _____________
Title: _____________
Date: _________
End of BAA.