Business Associate Agreement ("BAA")
Effective Date: October 5, 2023
BUSINESS ASSOCIATE AGREEMENT
This business associate agreement is made between Kismet, Inc. (“Kismet” herein) and the organization identified and entered into Kismet’s systems (“Customer” herein). The effective date of this agreement shall be the date of Customer’s signature below.
RECITALS
Customer is a HIPAA Covered Entity or Business Associate. Customer and Kismet will engage in a business relationship in which Kismet provides certain Services to Customer. In this relationship, Kismet may receive, use, maintain, disclose, or otherwise process PHI as a Business Associate for or on behalf of Customer in the course of performing such Services.
The parties to this agreement hereby agree as follows:
1. Definitions. All capitalized terms used but not otherwise defined in this agreement will have the meaning ascribed to them by the HIPAA Laws.
“Affiliate” means, with respect to a party, any entity that directly or indirectly controls, is controlled by or is under common control with that party. For purposes of this agreement, “control” means an economic or voting interest of at least fifty percent (50%) or, in the absence of such economic or voting interest, the power to direct or cause the direction of the management and set the policies of such entity.
“HIPAA Laws” collectively mean the Health Insurance Portability and Accountability Act, and the Health Information Technology for Economic and Clinical Health (“HITECH”) Act, including, without limitation, the Standards for Privacy of Individually Identifiable Health Information, C.F.R. at Title 45, Parts 160 and 164 (the “Privacy Rule”), and the Standards for the Security of Electronic PHI, C.F.R. at Title 45, Parts 160 and 164 (the “Security Rule”) as modified, supplemented, and amended from time to time.
“PHI” has the meaning specified in 45 C.F.R. § 160.103 of HIPAA, limited to such protected health information that is received by Kismet from, or created, received, maintained, or transmitted by Kismet on behalf of, Customer through Customer’s use of the Services pursuant to this agreement. All references to PHI in this agreement will include Electronic PHI, as applicable under the HIPAA Laws.
“Security” or “Security Measures” mean the administrative, physical, and technical safeguards and documentation requirements specified in the Security Rule.
“Services” means the unified communications services or other services provided by Kismet to Customer by contract whereby Kismet is creating, receiving, maintaining, or transmitting PHI.
“Unsuccessful Security Incidents” mean, without limitation, pings and other broadcast attacks on Kismet’s firewall, port scans, unsuccessful log-on attempts, denial of service attacks, and any combination of the above, as long as no such incident results in unauthorized access, acquisition, use, or disclosure of PHI.
2. Permitted Uses and Disclosures of PHI
2.1. Performance of the Agreement for Kismet Services Kismet shall not Use or Disclose PHI other than as permitted or required by this agreement or as Required by law. Kismet may Use or Disclose PHI to perform functions, activities, or services for or on behalf of the Customer in connection with the Services including, without limitation, the provision of maintenance and support services, provided such Use or Disclosure would not violate HIPAA Laws if done by the Customer, unless expressly permitted as set forth below in Section 2.2. Except as otherwise limited by this Agreement, Kismet may also Use PHI to aggregate data as permitted by 45 C.F.R. § 164.504(e)(2)(i)(B) and use and disclose such aggregated data to others; and Use PHI to create de-identified Health Information in accordance with the HIPAA “Privacy Rule” as described in 45 C.F.R. § 164.514(b).
2.2. Management, Administration, and Legal Responsibilities Except as otherwise limited in this agreement, Kismet may Use and Disclose PHI for the proper management and administration of Kismet, or to carry out the legal responsibilities of Kismet, or both provided that any Disclosure may occur only if: (a) Required by law; or (b) Kismet obtains reasonable assurances from the person to whom the PHI is Disclosed that it will be held confidentially and Used or further Disclosed only as Required by law or for the purpose for which it was Disclosed to the person, and the person notifies Kismet of any instances of which it becomes aware in which the confidentiality of the PHI has been breached.
3. Responsibilities with Respect to PHI
3.1. Kismet’s Responsibilities Kismet agrees to the following:
3.1.1. Limitations on Use, Disclosure, and Sale Kismet will only use the minimum PHI for the proper management and administration of Kismet’s business specific purposes, or to report violations of law to appropriate federal and state authorities, consistent with 45 C.F.R. § 164.502(j)(1). Kismet shall not engage in the sale of PHI.
3.1.2. Safeguards Kismet shall: (a) use reasonable and appropriate safeguards to prevent inappropriate Use and Disclosure of PHI other than as provided for in this agreement; and (b) comply with the applicable requirements of 45 C.F.R. Part 164 Subpart C of the Security Rule.
3.1.3. Subcontractors Kismet may use Subcontractors to fulfill its obligations under this agreement. In accordance with 45 C.F.R. §§ 164.502(e)(1)(ii) and 164.308(b)(2) of HIPAA, Kismet shall require its Subcontractors who create, receive, maintain, or transmit PHI on behalf of Kismet to agree in writing to:
(a) substantively the same or more stringent restrictions and conditions that apply to Kismet with respect to such PHI;
(b) appropriately safeguard the PHI; and
(c) comply with the applicable requirements of 45 C.F.R. Part 164 Subpart C of the Security Rule.
3.1.4. Reporting to Customer Kismet shall report to Customer:
(a) any Use or Disclosure of PHI that is not permitted or required by this agreement, of which Kismet becomes aware;
(b) any Security Incident of which it becomes aware, provided that notice is hereby deemed given for Unsuccessful Security Incidents and no further notice of such Unsuccessful Security Incidents will be given; or
(c) any Breach of Customer’s Unsecured PHI that Kismet may discover (in accordance with 45 C.F.R. § 164.410 of the Breach Notification Rule).
3.1.5. Notifications Notifications under Section 3.1.4 will be provided by Kismet as follows:
(a) for any unauthorized Use or Disclosure of PHI, notification will be made without unreasonable delay, but in no event more than fifteen (15) business days after Kismet’s discovery thereof;
(b) for a Security Incident that affects PHI, other than an Unsuccessful Security Incident, notification will be made without unreasonable delay, but in no event more than ten (10) business days after Kismet’s discovery thereof; and
(c) for a Breach, notification will be made without unreasonable delay, but in no event more than ten (10) business days after Kismet’s discovery of a Breach.
3.1.6. Disclosures to the Secretary Kismet shall make internal practices, books, and records relating to the Use and Disclosure of PHI available to the Customer or the Secretary in a time and manner designated by the Customer or the Secretary, for the purposes of the Secretary determining Customer’s or Kismet’s compliance with the HIPAA Laws. Nothing in this Section 3.1.6 waives any applicable attorney-client privilege, work product, confidentiality, or other proprietary right or legal protection.
3.1.7. Access and Amendment The Services do not include the ability to create or maintain a Designated Record Set. If the Customer requires access to or amendment of a Designated Record Set, Customer shall directly perform such actions, without the assistance of Kismet.
3.1.8. Accounting of Disclosures Kismet, at the request of Customer, shall make available to Customer, and in the time and manner designated as reasonably requested by Customer, such information relating to Disclosures made by Kismet as required for Customer to make any requested accounting of Disclosures in accordance with 45 C.F.R. § 164.528.
3.1.9. Privacy Rule and Security Rule Compliance Kismet shall comply with the Privacy Rule in the performance of its obligations under this agreement with respect to the Services, to the extent the Privacy Rule expressly applies to Kismet under this agreement or as Required by Law. Kismet shall comply with the Security Rule with respect to PHI.
3.2. Customer’s Responsibilities
3.2.1. No Impermissible Requests Customer shall not request Kismet to Use or Disclose PHI in any manner that would not be permissible under HIPAA Laws if done by a Covered Entity (unless permitted by HIPAA Laws for a Business Associate).
3.2.2. Contact Information for Notices Customer hereby agrees that any reports, notification, or other notice by Kismet pursuant to this agreement may be made electronically to the Customer contact specified on record in Customer’s account information. Customer shall ensure that such contact information remains up to date during the term of this agreement. Failure to submit and maintain current contact information may delay Kismet’s ability to provide Breach notification under this agreement.
3.2.3. Safeguards and Appropriate Use of PHI Customer shall take reasonable steps to limit the PHI made available through the use of the Services to the minimum necessary. Customer is responsible for implementing appropriate privacy and security safeguards to protect its PHI in compliance with the HIPAA Laws. Without limitation, it is Customer’s obligation to exclude PHI from information Customer submits to technical support personnel through a technical support request. Customer is solely responsible for ensuring the PHI it transmits via Kismet may be legally disclosed to the communications recipient(s).
3.2.4. Permission from Individuals To the extent consent is legally required, Customer shall obtain consent for the sharing of PHI from each Individual whose PHI is to be transmitted, created, maintained, or otherwise made available to Kismet and/or its Subcontractors through the use of a particular Service. Customer shall not permit an Individual’s PHI to be used with any Service for which consent is required until such consent has been granted and documented appropriately in Customer records, in accordance with applicable legal requirements. Customer shall provide written documentation confirming receipt of such consent as contemplated in this section if reasonably requested by Kismet in connection with a regulatory audit or other legal process.
3.2.5. Communicating Changes to Kismet Customer shall notify Kismet of any changes in, or revocation of, permission by an Individual to use or disclose PHI, to the extent that such changes may affect Kismet’s use or disclosure of PHI.
3.2.6. Communicating Restrictions to Kismet Customer shall notify Kismet of any restriction to the use or disclosure of PHI that Customer has agreed to in accordance with 45 C.F.R. § 164.522, to the extent that such restriction may affect Kismet’s use or disclosure of PHI.
3.2.7. Communicating Restrictions in Notices of Privacy Practices to Kismet Customer shall notify Kismet of any limitation(s) in any applicable notice of privacy practices in accordance with 45 C.F.R. § 164.520, to the extent that such limitation may affect Kismet’s use or disclosure of PHI.
4. Term and Termination.
4.1. Term The term of this agreement begins as of the date of acceptance set forth below and terminates automatically upon termination of all Services that require a business associate agreement under the HIPAA Laws, unless terminated sooner by Customer or Kismet in accordance with Section 4.2.
4.2. Termination for Breach
4.2.1. Termination by Customer for Breach Upon Customer’s knowledge of a material breach of this agreement by Kismet, Customer shall either:
(a) Provide an opportunity for Kismet to cure the breach or end the violation within a reasonable time specified by Customer and, if Kismet does not cure the breach or end the violation timely, terminate this agreement and the associated Services;
(b) Immediately terminate this agreement and the associated Services if Kismet has breached a material term of this agreement and cure is not possible; or
(c) If neither termination nor cure is feasible, Covered Entity shall report the violation to the Secretary.
4.2.2. Termination by Kismet for Breach If Kismet knows of a pattern of activity or practice of the Customer that constitutes a material breach or violation of the Customer’s obligations under this agreement, Kismet must take reasonable steps to notify Customer to cure the material breach or end the violation. If the steps are unsuccessful, Kismet may terminate this agreement.
5. Post-Termination Obligations
5.1. Return, Destruction, or Retention of PHI Upon Termination Except as provided in Section 5.2 below, upon any termination or expiration of this agreement, Kismet shall return or destroy all PHI received from Customer, or created or received by Kismet on behalf of Customer. The parties intend for this provision to apply to PHI that is in the possession of Subcontractors or agents of Kismet. Kismet shall retain no copies of the PHI. Notwithstanding the foregoing, Kismet may retain a copy of PHI received from, or created or received by Kismet for or on behalf of Customer as necessary for Kismet to continue its proper management and administration or to carry out its legal responsibilities, provided that Kismet extends the protections of this agreement to such PHI.
5.2. Notice When Return or Destruction is Infeasible In the event that Kismet determines that returning or destroying the PHI is infeasible, Kismet shall notify Customer of the conditions that make return or destruction infeasible. Kismet shall extend the protections of this agreement to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Kismet maintains such PHI.
6. Limitation of Liability KISMET’S TOTAL AND AGGREGATE LIABILITY TO CUSTOMER FOR ALL DAMAGES ARISING OUT OF OR IN CONNECTION WITH A BREACH OF THIS AGREEMENT CAUSED BY KISMET WILL NOT EXCEED TEN THOUSAND DOLLARS OR THE TOTAL PAYMENTS RECEIVED BY KISMET FROM CUSTOMER FOR THE TWELVE (12) MONTHS PRECEDING THE CLAIM, WHICHEVER IS LESSER. THIS LIMITATION APPLIES TO ALL CAUSES OF ACTION, INCLUDING, WITHOUT LIMITATION, BREACH OF CONTRACT, MISREPRESENTATIONS, NEGLIGENCE, STRICT LIABILITY AND OTHER TORTS. THESE LIMITATIONS APPLY NOTWITHSTANDING ANY FAILURE OF ESSENTIAL PURPOSE OF ANY REMEDY. KISMET SHALL NOT BE LIABLE FOR ANY LOSS OF USE OF DATA OR DESTRUCTION OF DATA, OR FOR ANY INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, PUNITIVE OR CONSEQUENTIAL DAMAGES.
7. Notices For legal notices under this agreement to be effective, including without limitation any Breach notification, the party providing notice must do so in writing and deliver the notice via electronic mail to the following addresses:
(a) If to Kismet, to privacy@kismethealth.com; Attention: Privacy Officer. A copy of all notices must be sent to legal@kismethealth.com, and
(b) If to Customer, to the contact information specified on record in Customer’s account information with a copy to the address in the introductory paragraph to this agreement.
8. Miscellaneous
8.1. No Agency Relationship The parties do not intend for this agreement to create an express or implicit agency relationship in accordance with federal or state common law of agency. Each party is intended to be an independent contractor and no agency
8.2. No Third-Party Rights or Remedies This agreement does not and is not intended to confer any enforceable rights or remedies upon any person other than Kismet and Customer.
8.3. References A reference in this agreement to a section in the Privacy Rule or Security Rule means the section that is currently in effect.
8.4. Assignment No party may assign its rights or delegate any of its obligations under this agreement without the prior written consent of the other party, except that all rights and obligations may be assigned and transferred without such consent to an Affiliate, to a successor by merger, or to the acquirer of all or substantially all of the assets of the assigning party. Any purported assignment or transfer in violation of this section is null and void. No party may unreasonably withhold, condition, or delay consent to an assignment. This agreement is binding upon, and inures to the benefit of, the parties and their respective permitted successors and assigns.
8.5. Amendments; Waiver Without undue delay, the parties shall take such action as is necessary to amend this agreement from time to time to allow for Customer and Kismet to comply with the requirements of the HIPAA Laws. No amendment or modification of this agreement will be deemed binding unless set forth in a written instrument, duly executed by the parties. No provision in this agreement may be waived, except pursuant to a writing executed by the party against whom the waiver is sought to be enforced.
8.6. Ambiguity The parties intend that any ambiguity in this agreement will be resolved and interpreted as closely as possible to meet the intent of the parties and to permit Customer and Kismet to comply with HIPAA Laws.
8.7. Merger; Conflicts The parties intend for this agreement to constitute the final agreement between the parties, and that it is the complete and exclusive expression of the parties’ agreement on the matters contained in this agreement. All prior or contemporaneous writings, negotiations, and discussions between the parties with respect to its subject matter are expressly merged and superseded by this agreement. In entering into this agreement, neither party has relied upon any statement, representation, warranty, or agreement of the other party except for those expressly contained in this agreement. In the event of a conflict between any other agreement between the parties and this agreement with respect to the subject matter of this agreement, the terms of this agreement will control.
8.8. Severability If any provision of this agreement is determined to be invalid, illegal, or unenforceable, the parties do not intend for this determination to affect or impair the validity, legality, and enforceability of the remaining provisions of this agreement in any way.
8.9. Counterparts This agreement may be executed in one or more counterparts. Each counterpart will be an original, but all such counterparts will constitute a single instrument.
8.10. Governing Law; Forum Selection The laws of the State of California, without giving effect to its conflict of laws principles, govern all matters arising out of or relating to this agreement, including, without limitation, its validity, interpretation, construction, performance, and enforcement. Any party bringing a legal action or proceeding against any other party arising out of or relating to this agreement must bring the legal action or proceeding under the exclusive and mandatory jurisdiction of the courts located in San Francisco, California.
8.11. Electronic and Digital Signatures This agreement may be signed electronically, whether by digital signature, typed name, click acceptance of the agreement, or any other electronic means. Any signature made electronically is the legally binding equivalent of an original, handwritten signature.
8.12. Survival All sections of this agreement which, by their nature, should survive termination will survive termination.