BAA for US Users

Last modified: May 20, 2024

This Business Associate Addendum (BAA) defines an agreement between Quip Medical Inc., a Business Associate, and Yourself as a Covered Entity that seeks to use the Service (Quip). This BAA delineates each party’s obligations with respect to PHI in connection with use of the Service, as per the requirements of HIPAA.

By using the Service, You agree to the terms of this BAA. Please do not download or use the Service if You do not agree to the terms outlined in this document.

Interpretation and Definitions

Interpretation

Words for which the initial letter is capitalized have meanings as defined below. The following definitions shall have the same meaning regardless of whether they appear in singular or plural form.

Definitions

  • “HIPAA” refers to the United States Health Insurance Portability and Accountability Act of 1996 and any associated amendments.

  • “Business Associate” refers to a Business Associate as defined under 45 CFR 160.103.

  • “Covered Entity” refers to a Covered Entity as defined under 45 CFR 160.103.

  • “PHI” refers to Protected Health Information as defined under 45 CFR 160.103.

  • “Unsecured PHI” refers to Unsecured Protected Health Information as defined under 45 CFR 164.402.

  • “Breach” refers to a Breach as defined under 45 CFR 164.402.

  • “Disclosure” refers to a Disclosure as defined under 45 CFR 160.103.

  • “Required By Law” refers to the concept of Required By Law as defined under 45 CFR 164.103.

  • “Secretary” refers to the Secretary of the United States Health and Human Services, as defined under 45 CFR 160.163.

  • “Incident” refers to a Security Incident as defined under 45 CFR 164.304.

  • “Subcontractor” refers to a Subcontractor as defined under 45 CFR 160.163.

  • “Company” (referred to as either “the Company”, “Us”, “We”, or “Our” in this document) refers to Quip Medical Inc.

  • “Service” refers to the Quip application.

  • “User” (referred to as a “User”, “You”, or “Your” in this document) refers to the individual that is directly operating the Service, or the legal entity on behalf of which an individual is operating the Service.

Obligations

We agree to:

  1. Not use or disclose PHI other than as permitted or required by this BAA or as Required By Law;

  2. Use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to electronic PHI, to prevent use or Disclosure of PHI other than as provided for by this Agreement;

  3. Report to You any use or Disclosure of PHI not provided for by this Agreement of which We become aware, including Breaches of Unsecured PHI as required at 45 CFR 164.410, and any security Incident of which We become aware, within 60 calendar days of the discovery of such an Incident;

  4. In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of Us agree to the same restrictions, conditions, and requirements that apply to Us with respect to such information;

  5. Make available PHI in a designated record set to You as necessary to satisfy Your obligations under 45 CFR 164.524, given such PHI is individually identifiable as belonging to the individual submitting the request;

  6. Make any amendment(s) to PHI in a designated record set as directed or agreed to by You pursuant to 45 CFR 164.526, or take other measures as necessary to satisfy Your obligations under 45 CFR 164.526, given such PHI is individually identifiable as belonging to the individual submitting the request;

  7. Maintain and make available the information required to provide an accounting of Disclosures to You as necessary to satisfy Your obligations under 45 CFR 164.528; and

  8. Make Our internal practices, books, and records available to the Secretary for purposes of determining compliance with HIPAA.

Permitted Use and Disclosure of PHI

  1. Unless otherwise agreed upon by both Us and You, We may only use or disclose PHI as outlined in Our Privacy Policy or as Required By Law.

  2. We may use or disclose PHI as required to remain consistent with Your necessary policies and procedures.

  3. We may use or disclose PHI for management and administrative purposes, or to carry out Our legal responsibilities.

Permissible Requests

You shall not request Us to use or disclose PHI in any manner that would not be permissible under Subpart E of 45 CFR Part 164 if done by You, except in the case where such use or Disclosure is either administrative in nature or is required to fulfill Our legal responsibilities.

Term and Termination

  1. Term: The Term of this Agreement shall be effective as of the date at which You first download and/or use the Service, and shall terminate either when You cease all use and possession of the Service or on the date at which this contract is terminated for cause as per point (b) of this section.

  2. Termination for Cause: Either party may terminate this BAA if the other party Breaches or violates any of the material terms laid out in this Agreement. In such a situation, the non-breaching party must provide 10 days’ written notice to the breaching party, and this Agreement shall terminate at the end of this notice period if the Breach or violation is not cured by said date. If a cure is not reasonably possible, the non-breaching party may immediately terminate this BAA without providing a written notice. If termination is not reasonably possible, the non-breaching party may report the Breach or violation to the Secretary, subject to all applicable legal privileges.

  3. Following Termination: Upon termination of this Agreement for any reason, We shall:

    1. Retain only the PHI that is necessary for Us to carry out management and administration or to carry out Our legal responsibilities;

    2. Destroy any remaining PHI that We otherwise possess in any form;

    3. Continue to use appropriate safeguards and comply with Subpart C of 45 CFR Part 164 with respect to electronic PHI to prevent use or Disclosure of any PHI that is retained, other than as provided for in this Section, for as long as We retain any PHI;

    4. Not use or disclose the PHI retained by Us other than for the purposes for which such PHI was retained and subject to the same conditions set out in this Agreement which applied prior to termination; and

    5. Destroy any PHI retained by Us when it is no longer needed by Us for Our management and administration or to carry out Our legal responsibilities.

  4. Survival: The obligations of business associate under this Section shall survive the termination of this Agreement.

Miscellaneous

  1. Regulatory References: A reference in this Agreement to a section in the HIPAA Rules means the section as in effect or as amended.

  2. Amendment: Amendment to this Agreement from time to time is permitted for compliance with the requirements of the HIPAA Rules and any other applicable law.