RAPIDSCALE BUSINESS ASSOCIATE AGREEMENT

Last updated May 30, 2024. Replaces all prior versions.

PLEASE READ THIS RAPIDSCALE BUSINESS ASSOCIATE AGREEMENT CAREFULLY AS IT IS INCORPORATED BY REFERENCE INTO THE RAPIDSCALE TERMS AND CONDITIONS WHERE APPLICABLE AND CONSTITUTES A LEGALLY BINDING AGREEMENT THAT CONTAINS IMPORTANT INFORMATION REGARDING CUSTOMER’S LEGAL RIGHTS AND REMEDIES. EXCEPT AS EXPRESSLY PROVIDED HEREIN, CUSTOMER ACKNOWLEDGES AND AGREES THAT RAPIDSCALE MAY CHANGE THIS RAPIDSCALE BUSINESS ASSOCIATE AGREEMENT AT ANY TIME AS SET FORTH HEREIN. 

  1. Definitions.

(A) All capitalized terms in this RapidScale Business Associate Agreement (“Agreement”) that are used but not otherwise defined in the RapidScale Terms and Conditions or this Agreement shall have the same meaning as in the Administrative Simplification subtitle of the Health Insurance Portability and Accountability Act of 1996, as amended, and its implementing regulations at 45 C.F.R. parts 160 to 164 (collectively, “HIPAA”).

(B) “Individual” shall have the same meaning as the term “individual” in 45 C.F.R. § 160.103 and shall include a person who qualifies as a personal representative in accordance with 45 C.F.R. § 164.502(g).

(C) “Privacy Rule” shall mean the Standards for Privacy of Individually Identifiable Health Information at 45 C.F.R. part 164 subpart E.

(D) “Protected Health Information” shall have the same meaning as the term “protected health information” in 45 C.F.R. § 160.103 that is received, created, maintained, or transmitted by RapidScale on behalf of Customer.

(E) “Security Rule” shall mean the Security Standards for Protection of Electronic Protected Health Information at 45 C.F.R. part 164 subpart C.

  2. Applicability.

(A) This Agreement shall only apply to the extent that Customer is a Covered Entity or Business Associate under HIPAA and RapidScale creates, receives, maintains, or transmits Protected Health Information on Customer’s behalf.

  3. Permitted Uses and Disclosures by RapidScale.

(A) Except as otherwise limited in this Agreement, RapidScale may Use or Disclose Protected Health Information in its possession to perform the Service, provided that such Use or Disclosure would not violate HIPAA if done by Customer.

(B) Except as otherwise limited in this Agreement, RapidScale may Use Protected Health Information for the proper management and administration of RapidScale or to carry out the legal responsibilities of RapidScale.

(C) Except as otherwise limited in this Agreement, RapidScale may Disclose the Protected Health Information in its possession to a third party for the proper management and administration or to fulfill any legal responsibilities of RapidScale, provided that: (1) the Disclosure is Required by Law; or (2) RapidScale has received from the third party reasonable written assurances that: (i) the information will remain confidential and will be Used or further Disclosed only as Required by Law or for the purpose for which it was Disclosed to the party; and (ii) the third party will notify RapidScale of any instances of which it becomes aware in which the confidentiality of the information has been breached.

  4. Obligations and Activities of RapidScale.

(A) RapidScale shall not Use or Disclose Protected Health Information other than as permitted or required by this Agreement or as Required by Law.

(B) RapidScale agrees to use appropriate Administrative, Physical, and Technical Safeguards and comply, where applicable, with the Security Rule with respect to Electronic Protected Health Information, to prevent Use or Disclosure of the Protected Health Information other than as provided for by this Agreement. The Parties agree that the Service is premised on a shared security model and RapidScale is not responsible for safeguards that Customer is responsible for configuring as part of the use of the Service.

(C) RapidScale agrees to otherwise comply with the applicable requirements of the Security Rule.

(D) RapidScale will report to Customer without unreasonable delay and in no case later than sixty (60) calendar days after discovery: (1) Any Use or Disclosure of Protected Health Information not provided for by this Agreement, including Breaches of Unsecured Protected Health Information. The notification requirements under this Section are subject to a delay in accordance with 45 C.F.R. § 164.412 when requested by law enforcement.

(E) RapidScale will report to Customer without unreasonable delay and in no case later than sixty (60) days after discovery, any successful Security Incident involving Electronic Protected Health Information of which RapidScale becomes aware in which there is a successful unauthorized access, Use, Disclosure, modification or destruction of information or interference with system operations in an Information System in a manner that risks the Confidentiality, Integrity, or Availability of such information. Notice is hereby provided and no further notice will be provided, for unsuccessful attempts at such unauthorized access, Use, Disclosure, modification, or destruction, such as pings, and other broadcast attacks on a firewall, denial of service attacks, port scans, unsuccessful login attempts, or interception of encrypted information where the key is not compromised, or any combination of the above.

(F) The Parties acknowledge that RapidScale generally does not view or access Customer Content and therefore does not know the nature of Electronic Protected Health Information in any of Customer’s accounts.  As such, it is generally not possible for RapidScale to provide information about the identities of the Individuals who may have been affected, or a description of the types of Electronic Protected Health Information that may have been involved in any Security Incident, impermissible Use or Disclosure, or Breach. Customer agrees that RapidScale may provide notice of a Security Incident, Breach or Impermissible Use or Disclosure to any email addresses on record with RapidScale that are associated with Customer’s account.  Customer shall handle all breach notifications to Individuals, the U.S. Department of Health and Human Services, and the media, as may be required by HIPAA.

(G) RapidScale agrees to ensure that any Subcontractors that create, receive, maintain, or transmit Protected Health Information on RapidScale’s behalf agree in writing to the restrictions at least as stringent as those found in this Agreement, and agree to implement reasonable and appropriate safeguards to protect Protected Health Information.

(H) RapidScale agrees to make its internal practices, books, and records relating to the Use and Disclosure of Protected Health Information received from, or created or received by RapidScale on behalf of Customer, available to the Secretary of the Department of Health and Human Services (“Secretary”) for the purposes of the Secretary determining compliance with HIPAA. Nothing in this Section shall be construed as a waiver of any legal privilege or of any protections for trade secrets or confidential commercial information.

(I) RapidScale, upon request by Customer, will make Protected Health Information in a Designated Record Set available to Customer as necessary to allow Customer to comply with its obligations to provide access to Individuals of their health information as required by 45 C.F.R. § 164.524. The Parties agree that Customer will make Protected Health Information available under this Section through the availability of the Service on which the Customer stores the Protected Health Information.

(J) RapidScale, upon request by Customer, will make Protected Health Information in a Designated Record Set available to Customer and will incorporate any amendments to such information as instructed by Customer as necessary to allow Customer to comply with its amendment obligations as required by 45 C.F.R. § 164.526. The Parties agree that Customer will make Protected Health Information available and incorporate amendments to Protected Health Information under this Section through the availability of the Service on which the Customer stores the Protected Health Information.

(K) RapidScale will maintain and, upon request by Customer, provide Customer with the information necessary for Customer to provide an Individual with an accounting of Disclosures as required by 45 C.F.R. § 164.528. The Parties acknowledge that RapidScale generally does not view or access Customer Content and therefore is unlikely to be able to provide a description of the Protected Health Information involved in any Disclosure.  To the extent that any Disclosure of Protected Health Information is initiated by Customer through the use of the Service, Customer is responsible for accounting for such Disclosure.

(L) To the extent that RapidScale is to carry out one or more of Customer’s obligations under the Privacy Rule, RapidScale shall comply with the requirements of the Privacy Rule that apply to Customer in the performance of such obligations. The Parties agree that they do not intend for RapidScale to carry out any of Customer’s obligations under the Privacy Rule.

  5. Obligations of Customer.

(A) Customer will not agree to any restriction request or place any restrictions in any notice of privacy practices that would cause RapidScale to violate this Agreement or any applicable law.

(B) Customer acknowledges that RapidScale offers numerous Service options that can be used to implement certain Administrative, Technical and Physical Safeguards that are required by HIPAA. Customer is solely responsible for selecting and utilizing the appropriate Service options required for it to comply with HIPAA, including but not limited to (i) appropriately configuring encryption in accordance with the Secretary of HHS’ Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals, available at https://www.hhs.gov/hipaa/for-professionals/breach-notification/guidance/index.html, as it may be updated from time-to-time and as may be made available on any successor or related site designated by HHS, (ii) utilizing the highest level of audit logging in connection with your use of the Services, (iii) not including Electronic Protected Health Information in any Service that is not adequately configured for the same, and (iv) maintaining the maximum retention of logs in connection with your use of the Services. To the extent a required safeguard is not indicated on a service order, Customer represents and warrants to RapidScale that Customer will independently implement the safeguard as and when required by HIPAA. Except as specifically described on a Service Order, RapidScale shall not be responsible for backing up any Protected Health Information, providing a disaster recovery site, implementing intrusion detection and prevention software, or providing Customer with user monitoring and access controls, data logging, or log auditing and retention.

(C) Customer warrants that it has obtained any necessary consents, authorizations and other permissions that may be required under applicable law prior to placing Customer Content, including without limitation, Electronic Protected Health Information in a Service.

(D) Customer will not request or cause RapidScale to make a Use or Disclosure of Electronic Protected Health Information that does not comply with any applicable law or this Agreement.

(E) NOTWITHSTANDING ANYTHING IN THE AGREEMENT TO THE CONTRARY, IN NO EVENT WILL RAPIDSCALE OR ITS SERVICE SUPPLIERS, OR THEIR RESPECTIVE EMPLOYEES, AGENTS OR REPRESENTATIVES BE LIABLE FOR UNAUTHORIZED ACCESS TO OR DISCLOSURE OR LOSS OF UNENCRYPTED ELECTRONIC PROTECTED HEALTH INFORMATION (BY, E.G., HACKING OR MALWARE INTO RAPIDSCALE’S OR CUSTOMER’S TRANSMISSION FACILITIES, PREMISES OR EQUIPMENT), OR FOR UNAUTHORIZED ACCESS TO CUSTOMER’S DATA FILES, PROGRAMS, PROCEDURES OR INFORMATION.

  6. Termination.

(A) This Agreement becomes effective on the Effective Date and shall terminate upon the termination of the RapidScale Terms and Conditions.

(B) A material breach of this Agreement shall constitute a material breach of the RapidScale Terms and Conditions.

(C) Upon termination of the Agreement, RapidScale shall return or destroy all Protected Health Information.

(D) In the event that RapidScale determines that returning or destroying the Protected Health Information is infeasible, then RapidScale shall extend the protections of this Agreement to such Protected Health Information and limit further Uses and Disclosures of such Protected Health Information to those purposes that make the return or destruction infeasible, for as long as RapidScale maintains such Protected Health Information.