This Business Associate Agreement (“BAA”) is entered into between enAble Games LLC, a Delaware limited liability company (“Business Associate” or “Enable Games”) and the customer that has accepted the terms set forth (“Covered Entity”) and is hereby incorporated into, and made a part of, the End User License Agreement entered into by the parties and available at https://www.enablegames.com/eula/ (the “Agreement”). All capitalized terms used in this BAA which are not defined herein shall have the meanings set forth in the Agreement or HIPAA (as defined in Section 1 below), respectively.
BY CHECKING THE BOX INDICATING THAT YOU HAVE READ AND ACCEPT THE TERMS SET FORTH HEREIN YOU HEREBY ACCEPT THE TERMS OF THIS BAA. COVERED ENTITIES ARE RESPONSIBLE FOR ENSURING THAT THEIR PARTICULAR USE OF ENABLE GAMES PRODUCTS AND SERVICES IS COMPLIANT WITH HIPAA, THE HITECH ACT AND OTHER APPLICABLE LAWS AND REGULATIONS.
Covered Entity and Business Associate mutually agree to the terms of this BAA in order to comply with the HIPAA Rules, as defined below.
This BAA will be applicable only (i) to the extent Enable Games meets, with respect to Covered Entity and Covered Entity’s use of the Enable Games services, the definition of a Business Associate; and (ii) only to materials received by Enable Games that constitute Protected Health Information (as defined in Section 1 below).
1.1. “Breach” has the same meaning as the term “Breach” in 45 CFR 164.402.
1.2. “HIPAA” means the Health Insurance Portability and Accountability Act of 1996, as amended by Subtitle D of the Health Information Technology for Economic and Clinical Health Act, Title XIII of Division A and Title IV of Division B of the American Recovery and Reinvestment Act of 2009 (Pub. L. No. 111-5) (the “HITECH Act”) and the federal regulations (“HIPAA Rules”) published at 45 CFR parts 160 and 164.
1.3. “Individual” has the same meaning as the term “Individual” in 45 CFR 160.103 and includes a person who qualifies as a personal representative in accordance with 45 CFR 164.502(g) or other applicable law.
1.4. “Protected Health Information” has the same meaning as that term as defined in 45 CFR 160.103, but limited to information created, received, maintained or transmitted by Business Associate on behalf of Covered Entity.
1.5. “Secure” means to render unusable, unreadable or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Secretary in the guidance issued under section 13402(h)(2) of the HITECH Act.
1.6. “Successful Security Incident” means any Security Incident (as defined in 45 CFR 164.304) that results in the unauthorized use, access, disclosure, modification or destruction of electronic Protected Health Information.
2.1. Business Associate will satisfy and comply with the HIPAA Rules concerning the confidentiality, privacy, and security of Protected Health Information that apply to business associates.
2.2. Business Associate will not use or disclose Protected Health Information except as permitted or required by this BAA or as Required by Law.
2.3. Business Associate may use and disclose Protected Health Information if that use or disclosure is in compliance with the applicable requirement of 45 CFR 164.504(e).
2.4. Business Associate will mitigate to the extent practicable any harmful effect resulting from a Successful Security Incident involving Protected Health Information or any use or disclosure of Protected Health Information in violation of the requirements of this BAA, the HIPAA Rules, or other applicable law.
2.5. Business Associate will ensure that any agent, including a subcontractor, to whom it provides Protected Health Information agrees in writing to comply with the HIPAA Rules through a business associate or similar agreement with respect to that information.
2.6. Business Associate will not request from Covered Entity nor disclose to its affiliates, subsidiaries, agents and subcontractors or other third parties, more than the minimum necessary Protected Health Information to perform or fulfill a specific function required or permitted hereunder.
2.7. Business Associate will report any use or disclosure of Protected Health Information not permitted by this BAA and any Successful Security Incident (each a “Potential Breach”) to Covered Entity promptly, but in no event later than within ten (10) business days, after it is discovered (within the meaning of 45 CFR 164.410(a)(2)). Such report shall be made to the contacts identified by Customer pursuant to Section 3.6 of this BAA. Business Associate shall provide the information concerning the Potential Breach as required by 45 CFR 164.410(c) to determine whether a Breach has occurred, including Business Associate’s own risk assessment to determine whether a Breach has occurred. If that information is not available to Business Associate at the time the Potential Breach is required to be reported to Covered Entity, Business Associate will provide that information to Covered Entity promptly as it becomes available. Covered Entity and Business Associate will mutually determine whether a Breach has occurred. Business Associate will maintain complete records regarding the Potential or actual Breach for the period required by 45 CFR 164.530(j). Business Associate will not be required to report unsuccessful Security Incidents. Both parties acknowledge that there are likely to be a significant number of meaningless or unsuccessful attempts to access the systems and services utilized by Business Associate, which make real-time reporting impractical for both parties.
2.8. Business Associate will make accessible to Covered Entity, within ten (10) business days of receipt of a request from Covered Entity, such Protected Health Information relating to an individual held by Business Associate or its agents or subcontractors in a Designated Record Set in accordance with 45 CFR 164.524. In the event any Individual requests access to his or her Protected Health Information directly from Business Associate, Business Associate will, within five (5) business days of receipt of that request, forward the request to Covered Entity.
2.9. Business Associate will make accessible to Covered Entity, within ten (10) business days of receipt of a request from Covered Entity, such Protected Health Information as is covered by such request so that Covered Entity may make any requested amendment(s) to Protected Health Information held by Business Associate or any agent or subcontractor in a Designated Record Set in accordance with 45 CFR 164.526. In the event any individual requests an amendment to his or her Protected Health Information directly from Business Associate, Business Associate will, within five (5) business days of receipt thereof, notify Covered Entity of the request.
2.10. Within ten (10) business days after Business Associate, its agents or subcontractors makes any disclosure of Protected Health Information for which an accounting may be required under 45 CFR 164.528, Business Associate will provide in writing to the contacts identified by Customer pursuant to Section 3.6 of this BAA, the information related to that disclosure as would be required to respond to a request by an Individual for an accounting in accordance with 45 CFR 164.528. In the event any Individual requests an accounting of disclosures under 45 CFR 164.528(a) directly from Business Associate, Business Associate will, within ten (10) business days of receipt of that request, forward the request to Covered Entity.
2.11. Business Associate will make its internal practices, books, and records relating to the use and disclosure of Protected Health Information available to the Secretary of Health and Human Services or her/his designees or other authorized government authorities in a time and manner mutually agreed upon or as required by those governmental authorities, for purposes of determining compliance with the HIPAA Rules.
2.12. Business Associate will maintain documentation of its obligations hereunder to the extent and for the period required by the HIPAA Rules, including 45 CFR 164.530(j).
3.1. Covered Entity will limit disclosure and access to the minimum amount of Protected Health Information, to the minimum number of personnel for the minimum amount of time necessary for Business Associate to accomplish the intended purpose of that use, disclosure, or request, respectively.
3.2. Covered Entity will notify Business Associate of any restriction on the use or disclosure of Protected Health Information that Covered Entity has agreed to or must comply with in accordance with 45 C.F.R. § 164.522, to the extent that the restriction may affect Business Associate’s use or disclosure of Protected Health Information.
3.3. Covered Entity will provide Business Associate with notice of any changes to or revocation of permission by an Individual to use or disclose Protected Health Information, if those changes may affect Business Associate’s permitted uses or disclosures, within a reasonable period of time after Covered Entity becomes aware of those changes to or revocation of permission.
3.4. Covered Entity will maintain and comply with policies and procedures to avoid the unauthorized or otherwise improper disclosure of Protected Health Information to Business Associate.
3.5. Covered Entity will implement appropriate administrative, physical, and technical safeguards to prevent the unauthorized use and disclosure of Protected Health Information, and to protect the confidentiality, integrity, and availability of Electronic Protected Health Information, as required by the HIPAA Rules. Without limiting the foregoing, Covered Entity will comply with the requirements of 45 CFR 164.308, 164.310, 164.312, and 164.316, as may be amended and interpreted in guidance from time to time. Furthermore, Covered Entity will protect all Protected Health Information stored in or transmitted using the Business Associate services in accordance with the Secretary of HHS’s Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals, available at http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brguidance.html as it may be updated from time to time, and as may be made available on any successor or related site designated by HHS.
4.1. Business Associate will implement appropriate administrative, physical, and technical safeguards to prevent the unauthorized use and disclosure of Protected Health Information, and to protect the confidentiality, integrity, and availability of Electronic Protected Health Information, as required by the HIPAA Rules. Without limiting the foregoing, Business Associate will comply with the requirements of 45 CFR 164.308, 164.310, 164.312, and 164.316, as may be amended and interpreted in guidance from time to time.
4.2. Business Associate will conduct periodic reviews of its security safeguards to ensure they are appropriate and operating as intended.
4.3. Documentation of Business Associate’s security assessments will be retained by Business Associate for the period Required by Law.
5.1. Business Associate will not use or disclose Protected Health Information other than as permitted or required by this BAA or as Required by Law. Subject to those limitations set forth in this BAA, Business Associate may use and disclose Protected Health Information as necessary in order to provide its services as described in the applicable Agreement.
5.2. Subject to the limitations set forth in this BAA, Business Associate may use Protected Health Information if necessary for its proper management and administration or to carry out its legal responsibilities. In addition, Business Associate may disclose Protected Health Information as necessary for its proper management and administration or to carry out its legal responsibilities provided that:
5.2.1. that disclosure is Required By Law; or
5.2.2. (1) Business Associate obtains reasonable assurances, in the form of a written agreement, from the person to whom the Protected Health Information is disclosed that it will be held confidentially and used or further disclosed only as Required By Law or for the purpose for which it was disclosed to the person; and (2) the person will immediately notify Business Associate (which will immediately notify Covered Entity in accordance with Section 2 above) of any instances of which it is aware in which the confidentiality of the Protected Health Information has been breached.
6.1. The term of this BAA will continue for so long as the applicable Agreement remains in effect, except that (i) Section 6.3 will survive after the termination of the applicable Agreement for as long as Business Associate retains any Protected Health Information; and (ii) any provision that by its nature survives termination will so survive.
6.2. Effect of Termination. Except as provided in Section 6.3, upon termination of the applicable Agreement for any reason, the effect of that termination on data in Business Associate’s possession will be governed by the applicable Agreement.
6.3. In the event that returning or destroying the Protected Health Information is impractical upon termination, Covered Entity will bear the cost of storage of that Protected Health Information for as long as storage by Business Associate is required. This Section 6.3 does not require Business Associate to segregate any Protected Health Information from other information maintained by Covered Entity on Business Associate’s servers and Business Associate may comply with this requirement by returning or destroying all of the information maintained on its servers by Covered Entity.
7.1. The parties will take action as is necessary to amend this BAA from time to time to comply with the requirements of any HIPAA Rules; provided, however, that if any amendment of the HIPAA Rules or guideline from the Department of Health and Human Services would materially increase the cost of Business Associate providing service under the applicable Agreement, then Business Associate will have the option to terminate the applicable Agreement on thirty (30) days advance notice or such shorter notice as specified in the applicable Agreement. In the event of that termination, Business Associate will refund any applicable unused prepaid fees.
7.2. A reference in this BAA to a section in the HIPAA Rules means the section as in effect or as amended, and as of its effective date.
7.3. Any ambiguity in this BAA shall be resolved to permit compliance with the HIPAA Rules.
7.4. The terms and conditions of this BAA shall override and control any conflicting term or condition of the applicable Agreement. All non-conflicting terms and conditions of the applicable Agreement remain in full force and effect.
7.5. Within 15 business days of a written request by Covered Entity, Business Associate will provide Covered Entity with detailed information as may be reasonably requested by Covered Entity from time to time regarding Business Associate’s compliance with its use or disclosure of Protected Health Information pursuant to this BAA for the purpose of determining whether Business Associate has complied with this BAA, HIPAA, and HITECH; provided, however, that (i) disclosure of that information would not violate Business Associate’s reasonable privacy or data security policies and, (ii) Covered Entity will make these requests no more than annually unless it is in response to a specific security incident.
7.6. Relationship of Parties. It is expressly agreed that Business Associate and its affiliates, including its employees and subcontractors, are performing the services under this BAA as independent contractors for Covered Entity. Neither Business Associate nor any of its affiliates, officers, directors, employees or subcontractors is an employee or agent of Covered Entity. Nothing in this BAA will be construed to create (i) a partnership, joint venture or other joint business relationship between the parties or any of their affiliates, or (ii) an agency relationship for purposes of the HITECH Act.