Bloom offers a free signed Business Associate Agreement (BAA) to any covered entity using our products. A copy of the BAA follows. If you’d like your organization to sign a BAA with Bloom, please contact a member of our staff.
BUSINESS ASSOCIATE ADDENDUM
Capitalized terms used but not otherwise defined in the Service Agreement or this Addendum shall have the same meaning as those terms in final regulations relating to privacy and security of individually identifiable health information at 45 CFR parts 160, 162, and 164 implementing the Health Insurance Portability and Accountability Act (“HIPAA”) and the Health Information Technology for Economic and Clinical Health Act (“HITECH”), as each may be amended from time to time.
A. HIPAA Rules—means, collectively, the Breach Notification Rule, Privacy Rule, and Security Rule.
B. Internal Material—means BloomAPI’s documented internal practices, books, and records, including policies and procedures relating to the use and disclosure of PHI created, received, maintained, or transmitted by BloomAPI for or on behalf of Subscriber.
II. Obligations and Activities of BloomAPI
A. BloomAPI will not use or disclose PHI other than as necessary to render Services, as permitted or required by this Addendum, or as Required by Law.
B. BloomAPI will (1) use appropriate safeguards (a) to prevent use or disclosure of PHI other than as provided for by this Addendum, and (b) to appropriately protect the confidentiality, integrity, and availability of PHI; and (2) comply, where applicable, with the Security Rule with respect to PHI.
C. BloomAPI will report to Subscriber any use or disclosure of PHI that is not permitted by this Addendum, including but not limited to any successful Security Incident and any Breach of Unsecured PHI. Any such report shall be made within thirty (30) calendar days after BloomAPI Discovers such impermissible use or disclosure or Breach, unless law enforcement requests a delay in such notice as permitted under 45 CFR § 164.412. Following notice to Subscriber of any Breach of Unsecured PHI, BloomAPI will provide information required by 45 CFR § 164.404(c), if available, that would permit Subscriber to comply with its notice obligations. BloomAPI is under no other obligation to make any report of a Breach of Unsecured PHI, including to any individual, state, federal, or other government agency or attorney general, or the media.
D. Subscriber and BloomAPI acknowledge and agree that unsuccessful Security Incidents include but are not limited to: (i) unsuccessful attempts to penetrate computer networks or services maintained by BloomAPI; (ii) immaterial incidents such as “pinging,” or “denial of services” attacks, port scans, unsuccessful log-on attempts; and (iii) any combination of the above, so long as no such incident results in unauthorized access, use or disclosure of PHI. This paragraph constitutes notice to Subscriber of such activity and no further notification shall be required regarding unsuccessful Security Incidents.
E. BloomAPI will ensure that any of its Subcontractors that create, receive, maintain or transmit PHI for or on behalf of BloomAPI agree in writing to comply with the Security Rule and substantially similar restrictions and conditions to those that apply through this Addendum to BloomAPI with respect to such PHI or ePHI.
F. Upon request by the Secretary, BloomAPI will make available to the Secretary BloomAPI’s Internal Material for use by the Secretary in determining whether Subscriber or BloomAPI is in compliance with the HIPAA Rules.
G. BloomAPI will document any disclosures of PHI and provide to Subscriber, within thirty (30) calendar days after request, information related to such disclosures as is necessary for Subscriber to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 CFR § 164.528.
H. BloomAPI will provide to Subscriber, within fifteen (15) calendar days after request, all PHI that is part of a Designated Record Set as necessary for Subscriber to respond to an Individual’s request for access to PHI pursuant to 45 CFR § 164.524. If PHI subject to this paragraph is maintained electronically, BloomAPI will provide the PHI in the electronic form and format requested by Subscriber, if it is readily producible in such form and format; if the PHI is not readily producible by BloomAPI in the requested form and format, BloomAPI will provide the PHI to Subscriber in a readable electronic form as agreed by Subscriber and BloomAPI.
I. Within thirty (30) calendar days after receipt of written instructions from Subscriber, BloomAPI will incorporate any amendment to PHI that is part of a Designated Record Set agreed to by Subscriber pursuant to 45 CFR § 164.526.
J. To the extent that BloomAPI carries out any of Subscriber’s obligations under the Privacy Rule in the Service Agreement, BloomAPI will comply with the requirements of the Privacy Rule that would apply to Subscriber in the performance of such obligations.
III. Permitted Uses and Disclosures by BloomAPI
A. Except as otherwise permitted or limited by this Addendum, BloomAPI may use or disclose PHI to render Services to or on behalf of Subscriber, provided that such use or disclosure would not violate the HIPAA Rules if made by Subscriber.
B. BloomAPI may use PHI for the proper management and administration of BloomAPI and to carry out the legal responsibilities of BloomAPI.
C. BloomAPI may disclose PHI for the proper management and administration of BloomAPI or to carry out BloomAPI’s legal responsibilities, provided that (1) such disclosures are Required by Law, or (2) BloomAPI obtains reasonable assurances from the recipient of the PHI (a) that the PHI will remain confidential and will be used or further disclosed only as Required by Law or for the purpose for which it was disclosed to the recipient; and (b) that the recipient will notify BloomAPI of any instances of which the recipient is aware in which the confidentiality of the PHI has been breached. Any disclosure of PHI by BloomAPI under this provision will not create a Subcontractor relationship with the entity to which the disclosure is made and BloomAPI will not be required to obtain a business associate agreement with such entity.
D. BloomAPI may disclose PHI for any purpose under 45 CFR § 164.512 and to report violations of law to state and federal authorities under 45 CFR § 164.502(j).
E. BloomAPI may de-identify PHI in accordance with 45 CFR § 164.514. Once de-identified the information is no longer PHI and will become the property of BloomAPI.
F. BloomAPI may use and disclose PHI to provide Data Aggregation services to Subscriber.
IV. Obligations of Subscriber
A. Subscriber shall notify BloomAPI of any limitations in the Subscriber’s Notice of Privacy Practices, to the extent such limitations may affect BloomAPI’s use or disclosure of PHI.
B. Subscriber shall notify BloomAPI of any changes in, or revocation of, permission granted by any Individual to use or disclose PHI, to the extent such changes or revocations may affect BloomAPI’s use or disclosure of PHI.
C. Subscriber shall notify BloomAPI of any (1) restrictions on the use or disclosure of PHI; or (2) requests for confidential communications that Subscriber has agreed to in accordance with 45 CFR § 164.522, to the extent such restrictions may affect BloomAPI’s use or disclosure of PHI.
D. All notifications to BloomAPI under this Section IV of this Addendum shall include such detail as BloomAPI reasonably requires in order to honor the limitations, restrictions, or requests for confidential communications.
V. Permissible Requests by Subscriber
Subject to Section III of this Addendum, Subscriber shall not request BloomAPI to use or disclose PHI in any manner that would not be permissible under the HIPAA Rules if made by Subscriber.
VI. Term and Termination
A. This Addendum shall terminate when the Service Agreement terminates.
B. Termination for Cause: Upon either party’s knowledge of a breach of a material term of this Addendum by the other party, the non-breaching party shall notify the breaching party of such breach and:
1. Provide an opportunity for the breaching party to cure the breach and, if the breaching party does not cure the breach within thirty (30) days after the non-breaching party gives notice, terminate this Addendum; or
2. Immediately terminate this Addendum if the breaching party has breached a material term of this Addendum and cure is not possible.
C. Effect of Termination:
1. Upon termination of this Addendum for any reason, BloomAPI shall return all PHI to Subscriber or destroy all PHI.
2. If BloomAPI, in its sole discretion, determines that returning or destroying the PHI is infeasible, BloomAPI shall extend the protections of this Addendum to such PHI and limit further uses and disclosures of such PHI to those purposes that make return or destruction infeasible, for so long as BloomAPI retains such PHI.
D. If BloomAPI determines that it is not reasonably able (1) to comply with any final new or amended provision of the HIPAA Rules, or (2) to accommodate any restrictions or limitations to which Subscriber has agreed pursuant to Section III, BloomAPI may terminate this Addendum (and the Service Agreement) upon notice to Subscriber.
A. A reference in this Addendum to a section in the HIPAA Rules means the section as in effect or amended, if such amendment is final and the Compliance Date for such amendment has passed.
B. The rights and obligations of BloomAPI under Section VI(C)(2) of this Addendum shall survive the termination of this Addendum.
C. Nothing in this Addendum confers on any person other than BloomAPI and Subscriber any rights, remedies, obligations, or liabilities.
D. If any provision of this Addendum is held by a court of competent jurisdiction to be illegal, invalid, or unenforceable, the remaining provisions of this Addendum shall not be affected.
E. A waiver by BloomAPI or Subscriber of any requirement of this Addendum shall not be construed as a continuing waiver, a waiver of any other requirement, or a waiver of any right or remedy otherwise available.
F. Any notice required by this Addendum shall be provided to the address below, using a national courier service for next business day delivery, fax, or by email. An address for notice may be changed by giving notice as required by this paragraph.
G. To the extent not preempted by federal law, the parties agree that the laws of the State of Washington shall apply. The parties agree further that jurisdiction and venue for any dispute relating to this Addendum will rest exclusively in Federal and State courts located in King County, Washington.
H. Indemnity: Except as provided in subsection (J), below, each party agrees to defend, indemnify, and hold the other party harmless from and against any and all losses, liabilities, damages, expenses, and costs (“Losses”) from any third-party claim, suit, action, or proceeding (each a “Claim”) to the extent that such Losses arise directly from the other party’s material breach of this Addendum, willful misconduct, or gross negligence.
I. Limitation of Liability:
IN NO EVENT WILL EITHER PARTY BE LIABLE TO THE OTHER FOR ANY LOSS OF USE, REVENUE, OR PROFIT OR FOR ANY CONSEQUENTIAL, INDIRECT, INCIDENTAL, EXEMPLARY, SPECIAL OR PUNITIVE DAMAGES WHETHER ARISING OUT OF BREACH OF CONTRACT, TORT (INCLUDING NEGLIGENCE) OR OTHERWISE, REGARDLESS OF WHETHER SUCH DAMAGE WAS FORESEEABLE AND WHETHER OR NOT SUCH PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
IN NO EVENT WILL EITHER PARTY’S LIABILITY ARISING OUT OF OR RELATED TO THIS ADDENDUM, WHETHER ARISING OUT OF OR RELATED TO BREACH OF CONTRACT, TORT (INCLUDING NEGLIGENCE), UNDER THE INDEMNITY, OR OTHERWISE, EXCEED THE AGGREGATE FEES PAID TO BLOOMAPI HEREUNDER WITHIN THE LAST TWELVE-MONTH PERIOD.
Last Updated: April 25, 2018