If Customer is a Covered Entity or a Business Associate and includes Protected Health Information in Customer Data or Motivity.net Data, execution of a license agreement included in the Motivity.net Terms of Service (“Agreement”) will incorporate the terms of this HIPAA Business Associate Agreement (“BAA”) into that Agreement. If there is any conflict between a provision in this BAA and a provision in the Agreement, this BAA will control. A signed copy can be obtained by contacting privacy@motivity.net.
1. Definitions
All capitalized terms used but not otherwise defined in this agreement will have the meaning ascribed to them by HIPAA Laws.
“Affiliate” means, with respect to a party, any entity that directly or indirectly controls, is controlled by or is under common control with that party. For purposes of this agreement, “control” means an economic or voting interest of at least fifty percent (50%) or, in the absence of such economic or voting interest, the power to direct or cause the direction of the management and set the policies of such entity.
“HIPAA Laws” collectively mean the Health Insurance Portability and Accountability Act and the Health Information Technology for Economic and Clinical Health (“HITECH”) Act, including, without limitation, the Standards for Privacy of Individually Identifiable Health Information, C.F.R. at Title 45, Parts 160 and 164 (the “Privacy Rule”), and the Standards for the Security of Electronic PHI, C.F.R. at Title 45, Parts 160 and 164 (the “Security Rule”) as modified, supplemented, and amended from time to time.
"PHI” has the meaning specified in 45 C.F.R. § 160.103, limited to such protected health information that is received by Motivity from, or created, received, maintained, or transmitted by Motivity on behalf of, Company through Company’s use of the Services pursuant to this agreement. All references to PHI in this agreement will include Electronic PHI, as applicable under HIPAA Laws.
“Security” or “Security Measures” mean the administrative, physical, and technical safeguards and documentation requirements specified in the Security Rule.
“Services” mean the unified communications services or other services provided by Motivity to Company by contract whereby Motivity is creating, receiving, maintaining, or transmitting PHI.
“Unsuccessful Security Incidents” mean, without limitation, pings and other broadcast attacks on Motivity’s firewall, port scans, unsuccessful log-on attempts, denial of service attacks, and any combination of the above, as long as no such incident results in unauthorized access, acquisition, Use, or Disclosure of PHI.
2. Permitted Uses and Disclosures of PHI
2.1. Performance of Motivity Services
Motivity shall not Use or make a Disclosure of PHI other than as permitted or required by this agreement or as Required by law. Motivity may Use or make a Disclosure of PHI to perform functions, activities, or services for or on behalf of Company in connection with the Services including, without limitation, the provision of maintenance and support services, provided such Use or Disclosure would not violate HIPAA Laws if done by Company, unless expressly permitted as set forth below in Section 2.2 (“Management, Administration, and Legal Responsibilities”).
2.2. Management, Administration, and Legal Responsibilities
Except as otherwise limited in this agreement, Motivity may Use and make Disclosures of PHI for the proper management and administration of Motivity service, or to carry out the legal responsibilities of Motivity, or both, provided that any Disclosure may occur only if: (a) Required by law; or (b) Motivity obtains reasonable assurances from the third party to whom the Disclosure or Use of the PHI is made that it will be held confidentially and subject to additional Disclosures only as Required by law or for the purpose for which the Disclosure of PHI was made to the third party, and the third party notifies Motivity of any instances of which it becomes aware in which the confidentiality of the PHI has been breached.
3. Responsibilities with Respect to PHI
3.1. Motivity’s Responsibilities Motivity agrees to the following:
3.1.1. Limitations on Use, Disclosure, and Sale
Motivity will only use the minimum necessary PHI for the proper management and administration of Motivity’s business specific purposes, to report violations of law to appropriate federal and state authorities, consistent with 45 C.F.R. § 164.502(j)(1), or both. Motivity shall not engage in the sale of PHI.
3.1.2. Safeguards
Motivity shall: (a) use reasonable and appropriate safeguards to prevent inappropriate Use and Disclosure of PHI other than as provided for in this agreement; and (b) comply with the applicable requirements of 45 C.F.R. Part 164 Subpart C of the Security Rule.
3.1.3. Subcontractors
Motivity may use Subcontractors to fulfill its obligations under this agreement. In accordance with 45 C.F.R. §§ 164.502(e)(1)(ii) and 164.308(b)(2), Motivity shall require its Subcontractors who create, receive, maintain, or transmit PHI on behalf of Motivity to agree in writing to:
- (a) substantively the same or more stringent restrictions and conditions that apply to Motivity with respect to such PHI;
- (b) appropriately safeguard the PHI; and
- (c) comply with the applicable requirements of 45 C.F.R. Part 164 Subpart C of the Security Rule.
3.1.4. Reporting to Company
Motivity shall report to Company:
- (a) any Use or Disclosure of PHI that is not permitted or required by this agreement, of which Motivity becomes aware;
- (b) any Security Incident that affects PHI and of which Motivity becomes aware, provided that notice is hereby deemed given for Unsuccessful Security Incidents and no further notice of such Unsuccessful Security Incidents will be given; and
- (c) any Breach of Company’s Unsecured PHI that Motivity may discover (in accordance with 45 C.F.R. § 164.410 of the Breach Notification Rule).
3.1.5. Notification
Notifications under Section 3.1.4 (“Reporting to Company”) will be provided by Motivity as follows:
- (a) for any unauthorized Use or Disclosure of PHI, notification will be made without unreasonable delay, but in no event more than fifteen (15) business days after Motivity’s discovery thereof;
- (b) for a Security Incident that affects PHI, other than an Unsuccessful Security Incident, notification will be made without unreasonable delay, but in no event more than ten (10) business days thereof; and
- (c) for a Breach, notification will be made without unreasonable delay, but in no event more than ten (10) business days after Motivity’s discovery of a Breach.
3.1.6. Disclosures to the Secretary
Motivity shall make its internal practices, books, and records relating to the Use and Disclosure of PHI available to Company or the Secretary in a time and manner designated by Company or the Secretary, for the purposes of the Secretary determining Company’s or Motivity’s compliance with HIPAA Laws. Nothing in this Section 3.1.6 (“Disclosures to the Secretary”) waives any applicable attorney client privilege, work product, confidentiality, or other proprietary right or legal protection.
3.1.7. Access and Amendment
The Services do not include the ability to create or maintain a Designated Record Set. If Company requires access to or amendment of a Designated Record Set, Company shall directly perform such actions, without the assistance of Motivity.
3.1.8. Accounting of Disclosures
Motivity, at the request of Company, shall make available to Company, and in the time and manner designated as reasonably requested by Company, such information relating to Disclosures made by Motivity as required for Company to make any requested accounting of Disclosures in accordance with 45 C.F.R. § 164.528.
3.1.9. Privacy Rule and Security Rule Compliance
Motivity shall comply with the Privacy Rule in the performance of its obligations under this agreement with respect to the Services, to the extent the Privacy Rule expressly applies to Motivity under this agreement or as prescribed by law. Motivity shall comply with the Security Rule with respect to PHI.
4. Term and Termination
4.1. Term
The term of this BAA begins on the effective date of the Order and terminates automatically upon termination of all Services that require a business associate agreement under HIPAA Laws, unless terminated sooner by Company or Motivity in accordance with Section 4.2 (“Termination for Breach”).
4.2. Termination for Breach
4.2.1. Termination by Company for Breach
Upon Company’s knowledge of a material breach of this agreement by Motivity, Company shall either:
- (a) Provide an opportunity for Motivity to cure the breach or end the violation within a reasonable time specified by Company and, if Motivity does not cure the breach or end the violation timely, terminate this agreement and the associated Services; or
- (b) Immediately terminate this agreement and the associated Services if Motivity has breached a material term of this agreement and cure is not possible.
4.2.2. Termination by Motivity for Breach
If Motivity knows of a pattern of activity or practice of Company that constitutes a material breach or violation of Company’s obligations under this agreement, Motivity must take reasonable steps to notify Company to cure the material breach or end the violation. If the steps are unsuccessful, Motivity may terminate this agreement.
5. Post-Termination Obligations
5.1. Return, Destruction, or Retention of PHI
Upon Termination Except as provided in Section 5.2 (“Notice When Return or Destruction is Infeasible”) below, upon any termination or expiration of this agreement, Motivity shall return or destroy all PHI received from Company, or created or received by Motivity on behalf of Company in accordance with Motivity’s data deletion policies and procedures. The parties intend for this provision to apply to PHI that is in the possession of Subcontractors or agents of Motivity. Motivity shall retain no copies of the PHI. Notwithstanding the foregoing, Motivity may retain a copy of PHI received from, or created or received by Motivity for or on behalf of, Company as necessary for Motivity to continue its proper management and administration or to carry out its legal responsibilities, provided that Motivity extends the protections of this agreement to such PHI.
5.2. Notice When Return or Destruction is Infeasible
In the event that Motivity determines that returning or destroying PHI is infeasible, Motivity shall notify Company of the conditions that make return or destruction infeasible. Motivity shall extend the protections of this agreement to such PHI and limit any further Use and Disclosure of such PHI to those purposes that make the return or destruction infeasible, for so long as Motivity maintains such PHI.
6. Limitation of Liability and Exclusion of Consequential Damages
MOTIVITY’S TOTAL AND AGGREGATE LIABILITY TO COMPANY FOR ALL OBLIGATIONS AND DAMAGES ARISING OUT OF OR IN CONNECTION WITH A BREACH OF THIS AGREEMENT CAUSED BY MOTIVITY WILL NOT EXCEED THE TOTAL PAYMENTS RECEIVED BY MOTIVITY FROM COMPANY FOR THE SERVICES IN THE TWELVE (12) MONTHS PRECEDING THE CLAIM. THIS LIMITATION APPLIES TO ALL CAUSES OF ACTION IN THE AGGREGATE, INCLUDING, WITHOUT LIMITATION, BREACH OF CONTRACT, MISREPRESENTATIONS, NEGLIGENCE, STRICT LIABILITY AND OTHER TORTS. THESE LIMITATIONS APPLY NOTWITHSTANDING ANY FAILURE OF ESSENTIAL PURPOSE OF ANY REMEDY. MOTIVITY SHALL NOT BE LIABLE FOR ANY LOSS OF USE OF DATA OR DESTRUCTION OF DATA, OR FOR ANY INDIRECT, INCIDENTAL, SPECIAL, OR CONSEQUENTIAL DAMAGES.
7. Limitation of Liability and Exclusion of Consequential Damages
For legal notices under this agreement to be effective, including without limitation any Breach notification, the party providing notice must do so in writing and deliver the notice via electronic mail to the following addresses:
- (a) If to Motivity, to privacy@motivity.net; Attention: Privacy Officer. A copy of all notices must be sent to privacy@motivity.net.
- (b) If to Company, to the contact information specified on record in Company’s account information.
8. Miscellaneous
8.1. No Agency Relationship
The parties do not intend for this agreement to create an express or implicit agency relationship in accordance with federal or state common law of agency. Each party is intended to be an independent contractor and no agency relationship is created under this agreement.
8.2. No Third-Party Rights or Remedies
This agreement does not and is not intended to confer any enforceable rights or remedies upon any person other than Motivity and Company.
8.3. References
A reference in this agreement to a section in the Privacy Rule or Security Rule means the section that is currently in effect.
8.4. Assignment
No party may assign its rights or delegate any of its obligations under this agreement without the prior written consent of the other party, except that all rights and obligations may be assigned and transferred without such consent to an Affiliate, to a successor by merger, or to the acquirer of all or substantially all of the assets of the assigning party. Any purported assignment or transfer in violation of this Section 8.4 (“Assignment”) is null and void. No party may unreasonably withhold, condition, or delay consent to an assignment. This agreement is binding upon, and inures to the benefit of, the parties and their respective permitted successors and assigns.
8.5. Amendments; Waiver
Without undue delay, the parties shall take such action as is necessary to amend this agreement from time to time to allow for Company and Motivity to comply with the requirements of HIPAA Laws. No amendment or modification of this agreement will be deemed binding unless set forth in a written instrument, duly executed by the parties. No provision in this agreement may be waived, except pursuant to a writing executed by the party against whom the waiver is sought to be enforced.
8.6. Ambiguity
The parties intend that any ambiguity in this agreement will be resolved and interpreted as closely as possible to meet the intent of the parties and to permit Company and Motivity to comply with HIPAA Laws.
8.7. Merger; Conflicts
The parties intend for this agreement to constitute the final agreement between the parties, and that it is the complete and exclusive expression of the parties’ agreement on the matters contained in this agreement. All prior or contemporaneous writings, negotiations, and discussions between the parties with respect to its subject matter are expressly merged and superseded by this agreement. In entering into this agreement, neither party has relied upon any statement, representation, warranty, or agreement of the other party except for those expressly contained in this agreement. In the event of a conflict or inconsistency between this and any other agreement between the parties with respect to the subject matter of this agreement, the terms of this agreement will control to the extent necessary to resolve the conflict or inconsistency.
8.8. Severability
If any provision of this agreement is determined to be invalid, illegal, or unenforceable, the parties do not intend for this determination to affect or impair the validity, legality, and enforceability of the remaining provisions of this agreement in any way.
8.9. Counterparts; Signatures
This agreement may be executed in one or more counterparts. Each counterpart will be an original, but all such counterparts will constitute a single instrument. The signatures to this agreement may be shared by fax or scanned PDF attachment via email or completed electronically or digitally, and any fax or scan of an original signature or an electronic or digital signature appearing on this agreement are the same as an original, wet handwritten signature for the purposes of validity, enforceability, and admissibility.
8.10.Governing Law; Forum Selection
The laws of the State of Washington, without giving effect to its conflict of laws principles, govern all matters arising out of or relating to this agreement, including, without limitation, its validity, interpretation, construction, performance, and enforcement. Any party bringing a legal action or proceeding against any other party arising out of or relating to this agreement must bring the legal action or proceeding under the exclusive and mandatory jurisdiction of the courts located in Washington.
8.11.Survival
All sections of this agreement which, by their nature, should survive termination will survive termination, including, without limitation, Section 5.1 (“Return, Destruction, or Retention of PHI Upon Termination”), Section 5.2 ("Notice When Return or Destruction is Infeasible") and Section 6 ("Limitations of Liability and Exclusion of Consequential Damages”).
Each party, either individually or as a duly authorized representative, accepts the terms in this agreement. For a signed copy, please email privacy@motivity.net.