Customer Business Associate Agreement
Last Updated: September 24, 2025
This Business Associate Agreement (this “BAA”), effective as of the Effective Date of the Agreement, forms the Parties’ agreement with regard to the Parties’ obligations under HIPAA (defined below) under the agreement between Customer and Five9 (“MSA”) or the required Five9 pass-through terms contained or incorporated into the agreement between Customer and the Five9 authorized reseller (the MSA or such Five9 pass-through terms, as applicable, shall be referred to herein as the “Agreement”). This BAA may refer to Customer and Five9 each as a “Party” and collectively as the “Parties”. This BAA is incorporated into, and forms a part of, the Agreement. Capitalized terms not otherwise defined herein shall have the meaning given to them in the Agreement. If there is any conflict between a provision in this BAA and a provision in the Agreement, this BAA will control. This BAA replaces and supersedes any and all prior business associate agreements between the Parties.
1. Definitions.
Except as otherwise defined in this BAA, capitalized terms shall have the definitions set forth in HIPAA, and if not defined by HIPAA, such terms shall have the definitions set forth in the Agreement.
“HIPAA” collectively means the administrative simplification provision of the Health Insurance Portability and Accountability Act enacted by the United States Congress, and its implementing regulations, including the Privacy Rule, the Breach Notification Rule, and the Security Rule, as amended from time to time, including by the Health Information Technology for Economic and Clinical Health (“HITECH”) Act and by the Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules; Final Rule.
2. Applicability.
This BAA applies to the extent Customer is acting as a Covered Entity or a Business Associate to create, receive, maintain, or transmit PHI via the Services and to the extent Five9, as a result, is deemed under HIPAA to be acting as a Business Associate or, when Customer is itself a Business Associate, a Subcontractor of Customer.
Both Parties shall comply with all applicable federal and state laws governing the confidentiality and privacy of health information, including, but not limited to, the Privacy Rule, and both Parties intend to protect the privacy and provide for the security of PHI disclosed to Five9 pursuant to the terms of this BAA, HIPAA and other applicable laws.
3. Permitted Use and Disclosure of Protected Health Information.
- Performance of the Agreement. Except as otherwise limited in this BAA, Five9 may Use and Disclose PHI for, or on behalf of, Customer as specified in the Agreement and any applicable Service Order; provided that any such Use or Disclosure would not Violate HIPAA if done by Customer, unless expressly permitted under Section 3.b below.
- Management, Administration, and Legal Responsibilities. Except as otherwise limited in this BAA, Five9 may Use and Disclose PHI for the proper management and administration of Five9 and/or to carry out the legal responsibilities of Five9, provided that any Disclosure may occur only if: (i) Required by Law; or (ii) Five9 obtains written reasonable assurances from the person to whom the PHI is Disclosed that it will be held confidentially and Used or further Disclosed only as Required by Law or for the purpose for which it was Disclosed to the person, and the person notifies Five9 of any instances of which it becomes aware in which the confidentiality of the PHI has been breached.
4. Five9 Responsibilities with Respect to Protected Health Information.
To the extent Five9 is acting as a Business Associate or a Subcontractor of Customer, Five9 agrees to the following:
- Limitations on Use and Disclosure. Five9 shall not Use and/or Disclose the PHI other than as permitted or required by the Agreement, any applicable Service Order, and/or this BAA or as otherwise Required by Law. Five9 shall not disclose, capture, maintain, scan, index, transmit, share or Use PHI for any activity not authorized under the Agreement, any applicable Service Order, and/or this BAA. Five9 shall Use, Disclose, and/or request the minimum necessary PHI to accomplish the intended purpose of such Use, Disclosure, or request.
- Safeguards. Five9 shall: (1) use reasonable and appropriate safeguards to prevent Use and Disclosure of PHI other than as permitted in Section 3 herein; and (2) comply with the applicable requirements of the Security Rule.
- Reporting. Five9 shall report to Customer: (1) any Use and/or Disclosure of PHI that is not permitted or required by this BAA of which Five9 becomes aware; (2) any Security Incident of which it becomes aware, provided that notice is hereby deemed given for Unsuccessful Security Incidents and no further notice of such Unsuccessful Security Incidents shall be given; and/or (3) any Breach of Unsecured Protected Health Information that Five9 may discover (in accordance with 45 CFR § 164.410 of the Breach Notification Rule). Notification of a Breach will be made without unreasonable delay, but in no event more than seventy-two (72) hours after Five9’s discovery of a Breach.
For purposes of this Section, “Unsuccessful Security Incidents” mean, without limitation, pings and other broadcast attacks on Five9’s firewall, port scans, unsuccessful log-on attempts, denial of service attacks and any combination of the above, as long as no such incident results in unauthorized access, acquisition, Use, or Disclosure of PHI.
- Subcontractors. In accordance with 45 CFR §§ 164.502(e)(1)(ii) and 164.308(b)(2) of HIPAA, Five9 shall require its Subcontractors who create, receive, maintain, or transmit PHI on behalf of Five9 to agree in writing to: (1) restrictions and conditions no less restrictive than those that apply to Five9 with respect to such PHI; (2) appropriately safeguard the PHI; and (3) comply with the applicable requirements of 45 CFR Part 164 Subpart C of the Security Rule. Five9 remains responsible for its Subcontractors’ compliance with obligations in this BAA.
- Disclosure to the Secretary. To the extent required by law, and subject to all applicable legal privileges, Five9 will make its internal practices, books, and records concerning the Use and Disclosure of PHI received from Customer available to the Secretary of the U.S. Department of Health and Human Services (the “Secretary”) for the purpose of the Secretary determining compliance with this BAA.
- Access. In the event Five9 authorizes and maintains PHI in a Designated Record Set, then at the written request of Customer, Five9 shall within fifteen (15) days make access to such PHI available to Customer in accordance with 45 CFR § 164.524 of the Privacy Rule.
- Amendment. Subject to Section 4.f above, if Five9 authorizes and maintains PHI in a Designated Record Set, then at the written request of Customer, Five9 shall within fifteen (15) days make available such PHI to Customer for amendment and incorporate any reasonably requested amendment in the PHI in accordance with 45 CFR § 164.526 of the Privacy Rule.
- Accounting of Disclosure. At the written request of Customer, Five9 shall within thirty (30) days make available to Customer such information relating to Disclosures made by Five9 as required for Customer to make any requested accounting of Disclosures in accordance with 45 CFR § 164.528 of the Privacy Rule.
5. Customer Responsibilities with Respect to Protected Health Information.
- Safeguards. Customer shall use appropriate safeguards to protect against unauthorized Use or Disclosure of PHI, including, without limitation, ordering encryption services, and as otherwise required under HIPAA or HITECH.
- No Impermissible Requests. Customer shall not request Five9 to Use or Disclose PHI in any manner that would not be permissible under HIPAA if done by a Covered Entity (unless permitted by HIPAA for a Business Associate).
6. Term and Termination.
- Term. This BAA shall continue in effect until the earlier of (1) termination by a Party for breach as set forth in Section 6.b below, or (2) expiration of the Agreement.
- Termination for Breach. Upon written notice, either Party may immediately terminate the Agreement and this BAA if the other Party is in material breach or default of any obligation in this BAA. Either Party may provide the other a thirty (30) calendar day period to cure a material breach or default within such written notice.
- Return, Destruction, or Retention of Protected Health Information Upon Termination. Upon written request of Customer, Five9 shall return or destroy all PHI in its possession, if it is feasible to do so, and as set forth in the applicable termination provisions of the Agreement, in all cases subject to any retention required by law. If it is not feasible to return or destroy any portions of the PHI upon such request, then Five9 shall extend the protections of this BAA, without limitation, to such PHI and limit any further Use or Disclosure of the PHI to those purposes that make the return or destruction infeasible for the duration of the retention of the PHI. The provisions of this Section 6.c will survive termination or expiration of this BAA.