Developer Business Associate Addendum
This HIPAA Business Associate Addendum (“BAA” or “Addendum”) applies to any use of the Developer Services and the DataQ Platform involving Protected Health Information (“PHI”) by Developers that are Covered Entities or Business Associates under HIPAA, and is incorporated into the Developer Terms of Service. This BAA is effective on the date you begin using the Developer Services (“Effective Date”).
Together with the Developer Terms, this BAA satisfies the requirements of HIPAA and the rules and regulations thereunder, including the HIPAA Privacy Rule and HIPAA Security Rule, as amended (together, the “HIPAA Regulations”). Capitalized terms which are used but not defined in this BAA are defined by the Developer Terms or have the meaning set forth in the HIPAA Regulations.
- Obligations and Activities of DataQ:
- DataQ agrees to not use or disclose PHI other than as permitted or required by this BAA, agreements executed with the Client, or as required by Applicable Law, to comply with applicable requirements of the HIPAA Regulations in all material respects, and to use appropriate safeguards to prevent use or disclosure of PHI that is not permitted by this
- DataQ agrees to report to you any use or disclosure of PHI not permitted by this BAA, including, without limitation, Breaches of Unsecured Protected Health Information as required at 45 C.F.R. 164.410, and any Security Incident within five (5) business days of it becoming You acknowledge and agree that this Section A(2) constitutes notice by DataQ to you of the ongoing existence and occurrence of attempted but unsuccessful Security Incidents for which no additional notice to you is required. Unsuccessful Security Incidents shall include, but not be limited to, pings and other broadcast attacks on DataQ’s firewall, port scans, unsuccessful log-on attempts, denials of service and any combination of the above, so long as such incidents do not result, to the extent DataQ is aware, in unauthorized access, use or disclosure of Electronic PHI.
- DataQ agrees to take reasonable steps to mitigate, to the extent practicable, any harmful effect (that is known to DataQ) of a Breach of Unsecured Protected Health Information or Security Incident or any use or disclosure of PHI by DataQ in material violation of this BAA or
- DataQ agrees to ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of DataQ agree in writing to provide the same material level of protections for PHI as apply to DataQ under this
- DataQ agrees to make PHI in a Designated Record Set available to you within five (5) business days of a confirmed request, as necessary to satisfy your obligations under 45 C.F.R. § 164.524.
- DataQ agrees to make any amendment(s) to PHI contained in a Designated Record Set as directed or agreed to by you or to take other measures as necessary to satisfy your obligations under 45 C.F.R. § 164.526 within five (5) business days of a confirmed
- DataQ agrees to maintain and make available to you the information required to provide an accounting of disclosures within five (5) business days of our receipt of a confirmed request, as necessary to satisfy your obligations under 45 C.F.R. § 164.528.
- To the extent that DataQ is to carry out one or more of your obligations under Subpart E of 45 C.F.R. Part 164, DataQ agrees to comply with the requirements of Subpart E that apply to you in the performance of such obligations.
- DataQ agrees to make its internal practices, books, and records available to the Secretary for purposes of determining compliance with HIPAA
- DataQ will follow the HIPAA Minimum Necessary Standard in its use or disclosure of PHI in providing the Developer Services.
- Permitted Uses and Disclosures by DataQ:
- DataQ may use or disclose PHI to perform the Developer Services as authorized under the Developer Terms, permitted by the Client, or as otherwise required by Applicable Law.
- DataQ may not use or disclose PHI in a manner that would violate Subpart E of 45 C.F.R. Part 164 if done by you, except that DataQ may use or disclose PHI for the proper management and administration of DataQ or to carry out our legal responsibilities, provided that, with respect to disclosures which are required by third-party legal process, DataQ obtains reasonable assurances from the person to whom the information is disclosed that the information will remain confidential and used or further disclosed only as required by law or applicable legal process, or for the purposes for which it was disclosed to the person, and the person notifies DataQ of any instances of which it is aware in which the confidentiality of the information has been breached,
- Obligations of Developer:
- You agree to use the Developer Services and to use and disclose PHI to DataQ only as permitted in your published notice of privacy practices
- You must notify DataQ of any changes in, or revocation of, the permission by an Individual to use or disclose their PHI, to the extent that such changes may affect DataQ’s use or disclosure of PHI.
- You must notify DataQ of any restriction on the use or disclosure of PHI that you have agreed to or are required to abide by under 45 C.F.R. § 164.522, to the extent that such restriction may affect DataQ’s use or disclosure of PHI
- Except with respect to uses and disclosures by DataQ of PHI under Section A(2) above, you shall not request DataQ to use or disclose PHI in any manner that would not be permissible under Subpart E of 45 C.F.R. Part 164 if done by you.
- Term and Termination:
- Term. The Term of this BAA begins on the Effective Date and, as provided in Section 10(e) of the Developer Terms, ends immediately and automatically upon termination of the Developer Terms for any reason; subject, however, to continuation of obligations as set forth in Section D(2)(c) below.
- Disposition of PHI Upon Termination. Upon termination of this BAA for any reason, DataQ shall:
- Retain only that PHI which is necessary for DataQ to continue its proper management and administration or to carry out its legal responsibilities;
- Subject to subsection (a) above, return to you or your designee (to the extent permitted by HIPAA) or delete the remaining PHI that DataQ still maintains in any form so that it is no longer accessible; provided, however, DataQ shall not be required to return or delete PHI for a Patient to the extent return or destruction is not feasible, including, for example, PHI contained and commingled in the Common Patient Record where DataQ has another Developer with a relationship with such Patient using the DataQ Platform;
- To the extent return or deletion is not feasible, DataQ shall (a) extend the protections of this BAA to such PHI and continue to use appropriate safeguards and comply with applicable HIPAA requirements to prevent use or disclosure of the PHI, other than as provided in this Section, for as long as DataQ retains said PHI; and (b) limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for as long as DataQ retains said PHI;
- Not use or disclose PHI retained by DataQ other than for the purposes for which such PHI was retained and subject to the same conditions set out in Section A above, which applied prior to termination; and
- Delete PHI retained by DataQ when it is no longer needed by DataQ for its proper management and administration or to carry out its legal responsibilities or maintained in the Common Patient Record on behalf of another Developer.
- Miscellaneous:
- Amendment. DataQ may update or amend this BAA from time to time to enable it to better administer or provide the Developer Services or to comply with the requirements of HIPAA in accordance with Section A(1)(c) of the Developer Terms.
- Interpretation & Order of Precedence. Any ambiguity in this BAA shall be resolved to permit compliance with HIPAA. In the event that it is impossible to comply with both the Developer Terms and this BAA, the provisions of this BAA shall control with respect to those provisions of the BAA that expressly This BAA shall supersede and replace any prior DataQ BAAs between the parties, with respect to any actions of DataQ after the Effective Date.