Official OnRamp Business Associate Agreement
This HIPAA Business Associate Agreement (this “BAA”) is made by and between (“Customer”) and OnRamp Access, LLC (“OnRamp,” and together with Customer, the “Parties”).
- Purpose. The purpose of this BAA is to comply with the business associate requirements of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and implementing regulations, 45 C.F.R. Part 160 and Part 164, as may be amended, including the Privacy Rule, the Security Rule and the Breach Notification Rule (together, the “Rules”) and to identify the specific responsibilities of Customer and OnRamp in achieving this compliance. Unless otherwise defined in this BAA, capitalized terms have the meanings given in the above-referenced HIPAA statute and regulations.
- Business Associate. “Business Associate” shall generally have the same meaning as the term “business associate” at 45 CFR 160.103.
- Covered Entity. “Covered Entity” shall generally have the same meaning as the term “covered entity” at 45 CFR 160.103.
- HIPAA Rules. “HIPAA Rules” shall mean the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Part 160 and Part 164.
- Catch-All. The following terms used in this BAA shall have the same meaning as those terms in the HIPAA Rules: Breach, Data Aggregation, Designated Record Set, Disclosure, Health Care Operations, Individual, Minimum Necessary, Notice of Privacy Practices, Protected Health Information, Required By Law, Secretary, Security Incident, Subcontractor, Unsecured Protected Health Information, and Use.
- Relationship. OnRamp and Customer have entered into a contractual relationship (the “Contracts”) whereby OnRamp provides data center services (“Services”) and may create, receive, maintain, or transmit Protected Health Information (“PHI”) from or on behalf of Customer in the course of providing these Services for Customer. As provided in the Rules, PHI shall include, when applicable, Electronic Protected Health Information (“EPHI”). OnRamp’s access to and manipulation of PHI will be limited to system level backup and transfer of system level files and databases between systems and media for the purpose of performing offsite backups of the PHI and for the purpose of transferring PHI to new or replacement infrastructure. OnRamp will not be involved with developing, maintaining or supporting systems related to the manipulation of individual PHI, the processing of PHI (as for billing, diagnostic or other purposes) or the access of PHI (by patients, doctors, etc.). As such, OnRamp shall be responsible, in general, for the maintenance of the physical facility, the supporting computing network and the compute infrastructure (servers, firewalls, etc.) included in the Services up to and including making the operating systems of such devices available unless otherwise specified in the Contracts. Customer shall be responsible, in general, for controlling access to the systems and for providing an appropriate level of protection for the confidentiality, availability and integrity of the PHI by choosing appropriate administrative, physical and technical safeguards to protect the systems and implementing these choices by specific direction to OnRamp as necessary.
- OnRamp’s Obligations. OnRamp agrees to:
- Not use or disclose PHI other than as permitted or required by this BAA, the Contracts, or as required by law;
- Use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to EPHI, to prevent use or disclosure of PHI other than as provided for by the Contracts;
- Report to Customer any use or disclosure of PHI not provided for by the Contracts of which it becomes aware, including breaches of unsecured PHI as required at 45 CFR 164.410, and any security incident of which it becomes aware. As a business associate of Customer, OnRamp shall only have the responsibility of notifying Customer. Customer shall then conduct further notification of others as may be required by law;
- In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of OnRamp agree to the same restrictions, conditions, and requirements that apply to OnRamp with respect to such information;
- Perform any of the Services in the Contracts to facilitate Customer making available PHI in a designated record set as necessary to satisfy Customer’s obligations under 45 CFR 164.524;
- Perform any of the Services in the Contracts to facilitate Customer making any amendment(s) to PHI in a designated record set pursuant to 45 CFR 164.526, or take other measures as necessary to satisfy Customer’s obligations under 45 CFR 164.526;
- Maintain and make available the information required to provide an accounting of disclosures to the Customer as necessary to satisfy Customer’s obligations under 45 CFR 164.528;
- To the extent OnRamp is to carry out one or more of Customer’s obligation(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to the Customer in the performance of such obligation(s); and
- Make its internal practices, books, and records available to the Secretary for purposes of determining compliance with the HIPAA Rules.
- OnRamp’s Obligations – Limits and Payment. OnRamp shall not be responsible to respond directly to an individual request for access to PHI, an amendment to PHI, or an accounting of disclosures of PHI received directly by OnRamp, but shall make such PHI or information available to Customer in a manner consistent with the Services chosen by Customer in the Contracts and Customer shall respond to the individual request as may be required by law. Any Services performed by OnRamp for the purpose of satisfying OnRamp’s obligations contained in this BAA shall be paid for by Customer in accordance with the Contracts.
- Customer’s Obligations. Customer agrees to:
- Examine and understand the characteristics of the Services provided by OnRamp and to consider how those Services will appropriately contribute to the Customer’s overall protection of the confidentiality, availability and integrity of the Customer’s PHI;
- Maintain overall responsibility for ensuring that appropriate administrative, physical and technical security safeguards are implemented on a “system wide” basis to appropriately protect all PHI accessed, manipulated or maintained by OnRamp or at an OnRamp facility on the behalf of Customer;
- Implement appropriate encryption and other media handling and sanitization measures for all compute, storage and transmission media located at OnRamp that is exposed or otherwise used to handle PHI including hard drives, backup tapes, network transmission media, Internet access and private line access;
- Maintain appropriate administrative controls to ensure that OnRamp is notified immediately using OnRamp’s then standard procedures of additions to, changes to or deletions from the list of Customer personnel authorized to physically or electronically access Customer’s infrastructure containing EPHI at OnRamp;
- If the Services include the use of computers, firewalls or other devices provided by OnRamp for the use of Customer in the maintenance, use or storage of EPHI, give OnRamp specific instructions concerning the operating systems, settings, automatic updating (or manual updating) and other configuration details to appropriately protect the EPHI contained, manipulated or protected by those systems;
- Ensure that proper electronic authentication procedures are implemented on any devices provided in the Services by OnRamp to Customer;
- Create and maintain systems to discriminate between authorized and unauthorized electronic users of its systems and EPHI;
- Ensure that proper encryption of EPHI is performed during transmission of EPHI through OnRamp’s network or other media located in or transmitting from an OnRamp facility or OnRamp provided infrastructure;
- Ensure that all EPHI stored on Customer’s behalf on OnRamp infrastructure, to include servers, Storage Area Networks and backup media is encrypted appropriately as required by law;
- Ensure that all EPHI is encrypted appropriately before OnRamp performs backups for offsite storage.
- Permitted Uses and Disclosures by OnRamp.
- OnRamp may only use or disclose PHI to perform functions or activities necessary to deliver the Services for, or on behalf of, Customer as specified in the Contracts.
- OnRamp may use or disclose PHI as required by law.
- OnRamp agrees to make uses and disclosures and requests for protected health information consistent with Customer’s minimum necessary policies and procedures.
- OnRamp may not use or disclose PHI in a manner that would violate Subpart E of 45 CFR Part 164 if done by Customer except for the specific uses and disclosures set forth below.
- OnRamp may use protected health information for the proper management and administration of OnRamp or to carry out the legal responsibilities of OnRamp.
- OnRamp may disclose PHI for the proper management and administration of OnRamp or to carry out the legal responsibilities of OnRamp, provided the disclosures are required by law, or OnRamp obtains reasonable assurances from the person to whom the information is disclosed that the information will remain confidential and used or further disclosed only as required by law or for the purposes for which it was disclosed to the person, and the person notifies OnRamp of any instances of which it is aware in which the confidentiality of the information has been breached.
- OnRamp may provide data aggregation services relating to the health care operations of Customer.
- Term and Termination.
- Term. This BAA will become effective on the date it is executed by both Parties. Unless terminated sooner pursuant to this Section 8, this BAA shall remain in effect for the duration of all Services provided by OnRamp and for so long as OnRamp shall remain in possession of any PHI received from Customer, or created or received by OnRamp on behalf of Customer, unless Customer has agreed in accordance with Section 8(c) that it is infeasible to return or destroy all PHI.
- Termination for Cause. If Customer determines that a material term of this BAA has been violated, it will give written notice detailing such violation to OnRamp. OnRamp shall have 30 days to provide a remedy for the listed violations. If Customer determines that, after 30 days from the issuance of the written notice, OnRamp has not remedied the violation, Customer may terminate this BAA.
- Effect of Termination. Upon termination of this BAA, OnRamp will recover any PHI relating to this BAA in the possession of its subcontractors, agents, or representatives. OnRamp will return to Customer or destroy all such PHI plus all other PHI relating to the BAA in its possession, and will retain no copies. If OnRamp believes that it is not feasible to return or destroy the PHI as described above, OnRamp shall notify Customer in writing. The notification shall include: (i) a statement that OnRamp has determined that it is infeasible to return or destroy the PHI in its possession, and (ii) the specific reasons for such determination. If Customer agrees in its sole discretion that OnRamp cannot feasibly return or destroy the PHI, OnRamp will ensure that any and all protections, requirements and restrictions contained in this BAA will be extended to any PHI retained after the termination of the BAA, and that any further uses and/or disclosures will be limited to the purposes that make the return or destruction of the PHI infeasible. If Customer’s PHI is contained on an OnRamp managed backup service, Customer agrees that it is infeasible to immediately destroy the PHI and that OnRamp shall be allowed to maintain the PHI until the backup media is appropriately overwritten or destroyed in the normal course of maintaining the backup media.
- Survival. The respective rights and obligations of the Parties under Sections 7, 11 and 13 will survive termination of the BAA indefinitely.
- Amendments. This BAA and the Contracts constitute the entire agreement between the Parties with respect to its subject matter. It may not be modified, nor will any provision be waived or amended, except in a writing duly signed by authorized representatives of the Parties.
- No Third Party Beneficiaries. Nothing express or implied in this BAA is intended to confer, nor shall anything herein confer, upon any person other than the Parties and the respective successors and permitted assigns of the Parties, any rights, remedies, obligations, or liabilities whatsoever.
- Limitation of Liability; No Warranty. Nothing express or implied in this BAA shall modify the Limitations of Liability, indemnification clauses, insurance requirements, warranties offered, Service Level Agreements or other terms and conditions contained in the Contracts. If there is any ambiguity or conflict between this BAA and the Contracts, the meaning expressed in the Contracts shall prevail.
- Notices. Any notice to be given under this BAA to a Party shall be made via U.S. Mail, commercial courier or hand delivery to such Party at its address given below, and/or via facsimile to the facsimile telephone number listed below, or to such other address or facsimile number as shall hereafter be specified by notice from the Party. Any such notice shall be deemed given when so delivered to or received at the proper address.
If to OnRamp, to:
2916 Montopolis Dr., Suite 300
Austin TX 78741
Fax: 512.476.2878
If to Customer, to:
- Independent Contractors. The relationship between OnRamp and Customer is an independent contractor relationship. None of the provisions of this BAA shall be construed to create an agency, partnership, employer/employee, master/servant or joint venture relationship between the parties.
IN WITNESS WHEREOF, each of the Parties has caused this BAA to be executed in its name and on its behalf as of the date executed below by both Parties.
OnRamp Access, LLC