Business Associate Agreement

Version 1.1

Effective February 9, 2023

This Business Associate Agreement (“BAA”) is entered into by and between Identity Theft Guard Solutions, Inc. d/b/a IDX, a ZeroFox company (“Business Associate”) and the counterparty accepting this BAA (“Covered Entity”) (each, a “Party” as applicable, and collectively, the “Parties”) by virtue of the Covered Entity signing and accepting the IDX Master Privacy Services Agreement (the “Service Agreement”), whereby Business Associate has agreed to provide certain identity protection services (“Services”) to Covered Entity.

  1. Definitions.
    a. All capitalized terms used but not defined herein shall have the meaning set forth in the HIPAA Rules.
    b. The following terms are specifically defined as follows:
      i. “Business Associate” has the same meaning as the term “business associate” at 45 CFR 160.103, and in reference to the Party to this BAA, shall mean Identity Theft Guard Solutions, Inc. d/b/a IDX.
      ii. “Covered Entity” has the same meaning as the term “covered entity” at 45 CFR 160.103, and in reference to the Party to this BAA, shall mean the customer identified as the Covered Entity in the preamble to this BAA.
      iii. “HIPAA Rules” means the rules promulgated under the federal Health Insurance Portability and Accountability Act of 1996, Pub. L. 104-191, as amended from time to time, and the Health Information Technology for Economic and Clinical Health (“HITECH”) Act of 2009 (as applicable).
      iv. “Unsuccessful Security Incidents” means, without limitation, pings and other broadcast attacks on Business Associate’s firewall, port scans, unsuccessful log-on attempts, denial of service attacks, and any combination of the above, so long as no such incident results in unauthorized access, Use or Disclosure of Covered Entity’s electronic protected health information (“ePHI”).
  2. Obligations and Activities of Business Associate.
    a. Business Associate agrees not to Use or Disclose PHI received or created by Business Associate except as permitted by this BAA, the Service Agreement, or as Required by Law.
    b. Business Associate agrees to use appropriate safeguards, and to comply with Subpart C of 45 CFR Part 164 with respect to ePHI, to prevent Use or Disclosure of PHI other than as provided for by this BAA, the Service Agreement, or as Required by Law.
    c. Business Associate agrees to report to Covered Entity any Use or Disclosure of PHI not provided for by this BAA of which it becomes aware, including a Breach of Unsecured PHI as required under 45 C.F.R. §164.410, and any Security Incident of which it becomes aware. Notwithstanding the foregoing, the Parties acknowledge and agree that this Section 2(c) constitutes notice by Business Associate to Covered Entity of the ongoing existence and occurrence or attempts of Unsuccessful Security Incidents, for which no additional notice to Covered Entity shall be required.
    d. Business Associate agrees, in accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, to obtain from any Subcontractor that creates, receives, maintains, or transmits PHI on behalf of Business Associate pursuant to this BAA and the Service Agreement, reasonable assurance that Subcontractor will adhere to the restrictions and conditions that apply to Business Associate through this BAA with respect to such PHI, as required by the HIPAA Rules.
    e. Business Associate agrees to make amendment(s) to PHI maintained in a Designated Record Set (if any), as requested by the Covered Entity or an Individual (as applicable) pursuant to 45 C.F.R. §164.526, or take other measures as reasonably necessary to enable Covered Entity to satisfy its obligations under 45 C.F.R. §164.526.
    f. Business Associate agrees to make available, at the request of Covered Entity, PHI that is maintained in a Designated Record Set (if any) as necessary to allow Covered Entity to satisfy its obligations under 45 C.F.R. §164.524.
    g. Business Associate agrees to maintain and make available to Covered Entity the information required to provide an accounting of Disclosures, as reasonably necessary to satisfy Covered Entity’s obligations under 45 C.F.R. §164.528.
      i. For clarity, with respect to the foregoing Section 2(e)-(g), in no case shall Business Associate be responsible for responding directly to any Individual who submits a request to Business Associate pursuant to 45 CFR §164.524; provided that Business Associate shall promptly forward such request to Covered Entity in accordance with Section 2(e)-(g).
    h. To the extent that Business Associate is to carry out one or more of Covered Entity’s obligation(s) under Subpart E of 45 CFR Part 164, Business Associate agrees to comply with the requirements of Subpart E that apply to Covered Entity in the performance of such obligation(s).
    i. Business Associate agrees to make its internal practices, books, and records regarding the Use and Disclosure of PHI created or received by Business Associate on behalf of Covered Entity available to the Secretary for purposes of the Secretary determining compliance with the HIPAA Rules.
  3. Permitted Uses and Disclosures by Business Associate.
    a. Business Associate may not Use or Disclose PHI in a manner that would violate Subpart E of 45 C.F.R. Part 164 if done by Covered Entity.
    b. Business Associate may Use and Disclose PHI:
      i. To perform the Services set forth in the Service Agreement and as otherwise set forth in this BAA;
      ii. As Required by Law, including to report violations of law to appropriate Federal and State authorities;
      iii. For the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate;
      iv. To provide Data Aggregation services to Covered Entity; and
      v. To de-identify the PHI in accordance with 45 CFR 164.514(a)-(c) (after which the information shall no longer be considered PHI and shall not be subject to the terms of this BAA).
    c. Any permitted Use or Disclosure under Section 3(b)(i)-(iv) shall be consistent with the minimum necessary requirements set forth in the HIPAA Rules.
  4. Obligations of Covered Entity.
    a. During the Term of this BAA, Covered Entity shall:
      i. Provide Business Associate with a copy of its Notice of Privacy Practices;
      ii. Notify Business Associate of any limitations in its Notice of Privacy Practices, to the extent that such limitation may affect Business Associate’s Use or Disclosure of PHI;
      iii. Notify Business Associate of any changes in, or revocation of, permission by an Individual to Use or Disclose PHI, to the extent that such changes may affect Business Associate’s Use or Disclosure of PHI;
      iv. Not request Business Associate to Use or Disclose PHI in any manner that would not be permissible under HIPAA if done by Covered Entity (other than as permitted pursuant to Section 3(b)(iii)-(iv), above); and
      v. Comply with all HIPAA requirements applicable to Covered Entity.
  5. Term and Termination.
    a. Term. The Term of this BAA shall commence as of the Effective Date of the Service Agreement and, except for the rights and obligations set forth in this BAA specifically surviving termination, shall terminate upon the termination or expiration of the last Service Agreement, unless otherwise earlier terminated for cause in accordance with this Section 5.
    b. Termination by Covered Entity. In addition to any termination provisions set forth in the applicable Service Agreement, Covered Entity may terminate this BAA if Covered Entity determines, in good faith and after reasonable investigation, that Business Associate has violated a material term of this BAA, and Business Associate has failed to cure such material breach or end the violation within thirty (30) days of notice by Covered Entity of such alleged breach.
    c. Termination by Business Associate. In addition to and notwithstanding any termination provisions set forth in the applicable Service Agreement, Business Associate may terminate this BAA if Business Associate determines, in good faith and after reasonable investigation, that Covered Entity has violated a material term of this BAA, and Covered Entity has failed to cure such material breach or end the violation within thirty (30) days of notice by Business Associate of such alleged breach.
    d. Effect of Termination. Upon termination or expiration of this BAA for any reason, Business Associate, with respect to any PHI received from Covered Entity or created, maintained, or received by Business Associate on behalf of Covered Entity, shall:
      i. Retain only that PHI which is necessary for Business Associate to continue its proper management and administration or to carry out its legal responsibilities (if any);
      ii. Return to Covered Entity or destroy, at Covered Entity’s expense, the remaining PHI that Business Associate still maintains in any form that is not necessary to carry out Section 5(d)(i);
      iii. Continue to use appropriate safeguards and comply with Subpart C of 45 CFR Part 164 with respect to ePHI to prevent Use or Disclosure of the PHI, other than as provided for in this Section 5(d), for as long as Business Associate retains the PHI;
      iv. Not Use or Disclose the PHI retained by Business Associate other than for the purposes for which such PHI was retained and subject to the same conditions set out at Section 3(b)(iii) which applied prior to termination; and
      v. Return to Covered Entity or destroy the PHI retained by Business Associate when it is no longer needed by Business Associate for its proper management and administration, or to carry out its legal responsibilities.
  6. Miscellaneous.
    This BAA is governed by, and will be construed in accordance with, the laws of the State that govern the Service Agreement. Any action relating to this BAA must be commenced within two years after the date upon which the cause of action accrued. This BAA may only be assigned in connection with an assignment of the Service Agreement. If any part of a provision of this BAA is found illegal or unenforceable, it will be enforced to the maximum extent permissible, and the legality and enforceability of the remainder of that provision and all other provisions of this BAA will not be affected. All notices relating to the Parties’ legal rights and remedies under this BAA will be provided in writing to a Party, will be sent to its address set forth in the Service Agreement, or to such other address as may be designated by that Party by notice to the sending Party, and will reference this BAA. This BAA may be modified, or any rights under it waived, only by a written agreement executed by the authorized representatives of the Parties. The Parties agree to take such action as is necessary to amend this BAA from time to time as is necessary for the Parties to comply with the requirements of applicable law. This BAA is the complete and exclusive agreement between the Parties with respect to the subject matter hereof, superseding and replacing all prior agreements, communications, and understandings (written and oral) regarding its subject matter. Any ambiguity in this BAA shall be resolved in favor of the meaning that permits the Parties to comply with applicable law and any current regulations promulgated thereunder. Any failure of a Party to exercise or enforce any of its rights under this BAA will not act as a waiver of such rights.