Supplier Business Associate Agreement
Last updated May 16, 2024
This Business Associate Agreement (this “BAA”) forms the Parties’ agreement with regard to the Parties’ obligations under HIPAA (defined below) under the Master Services Agreement or other agreement(s) governing the provision of services (the “Services”) between Supplier (“Supplier”) and Five9, Inc., having offices at 3001 Bishop Drive, Suite 350, San Ramon, California 94583 USA (“Five9”), for the purchase of Services from Supplier (“Agreement”), which is incorporated by reference. Supplier and Five9 are collectively referred to as the “Parties.”
This BAA is effective as of the date that the Agreement between the Parties is executed or as otherwise determined by the Parties. If there is any conflict between a provision in this BAA and a provision in the Agreement, this BAA will control. This BAA replaces and supersedes any and all prior business associate agreements between the Parties.
1. Definitions.
Except as otherwise defined in this BAA, capitalized terms shall have the definitions set forth in HIPAA, and if not defined by HIPAA, such terms shall have the definitions set forth in the Agreement.
“Breach Notification Rule” means the Breach Notification for Unsecured Protected Health Information Final Rule.
“Breach” has the definition given to it in 45 CFR § 164.402 of HIPAA.
“Business Associate” has the definition given to it in 45 CFR § 160.103 of HIPAA.
“Covered Entity” has the definition given to it in 45 CFR § 160.103 of HIPAA.
“Designated Record Set” has the definition given to it in 45 CFR § 164.501 of HIPAA.
“Disclosure” and its variants have the definitions consistent with the definition given to “disclosure” in 45 CFR § 160.103 of HIPAA.
“HIPAA” collectively means the administrative simplification provision of the Health Insurance Portability and Accountability Act enacted by the United States Congress, and its implementing regulations, including the Privacy Rule, the Breach Notification Rule, and the Security Rule, as amended from time to time, including by the Health Information Technology for Economic and Clinical Health (“HITECH”) Act and by the Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules; Final Rule.
“Individual” has the definition given to it in 45 CFR § 160.103 of HIPAA.
“Privacy Rule” means the Standards for Privacy of Individually Identifiable Health Information found at 45 CFR § 160 and § 164, Subparts A and E.
“Protected Health Information” or “PHI” has the definition given to it in 45 CFR § 160.103 of HIPAA.
“Required by Law” has the definition given to it in 45 CFR § 164.103 of HIPAA.
“Security Incident” has the definition given to it in 45 CFR § 164.304 of HIPAA.
“Security Rule” means the Security Standards for the Protection of Electronic Protected Health Information found at 45 CFR § 160 and § 164, Subparts A and C.
“Subcontractor” has the definition given to it in 45 CFR § 160.103 of HIPAA.
“Unsecured Protected Health Information” has the definition given to it in 45 CFR § 164.402 of HIPAA.
“Use” has the definition given to it in 45 CFR § 160.103 of HIPAA.
2. Applicability.
This BAA applies to the extent Five9 is acting as a Covered Entity or a Business Associate to create, receive, maintain, or transmit PHI via the Services and to the extent Supplier, as a result, is deemed under HIPAA to be acting as a Subcontractor.
Both Parties shall comply with all applicable federal and state laws governing the confidentiality and privacy of health information, including, but not limited to, the Privacy Rule, and both Parties intend to protect the privacy and provide for the security of PHI disclosed to Supplier pursuant to the terms of this BAA, HIPAA and other applicable laws.
3. Permitted Use and Disclosure of Protected Health Information.
a. Performance of the Agreement. Except as otherwise limited in this BAA, Supplier may Use PHI for, or on behalf of, Five9 as specified in the Agreement and any applicable Service Order; provided that any such Use or Disclosure would not violate HIPAA if done by Supplier, unless expressly permitted under Section 3.b below.
b. Management, Administration, and Legal Responsibilities. Except as otherwise limited in this BAA, Supplier may Use and Disclose PHI for the proper management and administration of Supplier and/or to carry out the legal responsibilities of Supplier, provided that any Disclosure may occur only if: (1) Required by Law; or (2) Supplier obtains written reasonable assurances from the person to whom the PHI is Disclosed that it will be held confidentially and Used or further Disclosed only as Required by Law or for the purpose for which it was Disclosed to the person, and the person notifies Supplier of any instances of which it becomes aware in which the confidentiality of the PHI has been breached.
4. Supplier Responsibilities with Respect to Protected Health Information.
To the extent Supplier is acting as a Business Associate or a Subcontractor of Five9, Supplier agrees to the following:
a. Limitations on Use and Disclosure. Supplier shall not Use and/or Disclose the PHI other than as permitted or required by the Agreement, any applicable Service Order, and/or this BAA or as otherwise Required by Law. Supplier shall not disclose, capture, maintain, scan, index, transmit, share or Use PHI for any activity not authorized under the Agreement, any applicable Service Order, and/or this BAA. Supplier shall Use, Disclose, and/or request the minimum necessary PHI to accomplish the intended purpose of such Use, Disclosure, or request.
b. Safeguards. Supplier shall: (1) use reasonable and appropriate safeguards to prevent Use and Disclosure of PHI other than as permitted in Section 3 herein; and (2) comply with the applicable requirements of the Security Rule.
c. Reporting. Supplier shall report to Five9: (1) any Use and/or Disclosure of PHI that is not permitted or required by this BAA of which Supplier becomes aware; (2) any Security Incident of which it becomes aware, provided that notice is hereby deemed given for Unsuccessful Security Incidents and no further notice of such Unsuccessful Security Incidents shall be given; and/or (3) any Breach of Unsecured Protected Health Information that Supplier may discover (in accordance with 45 CFR § 164.410 of the Breach Notification Rule). Notification of a Breach will be made without unreasonable delay, but in no event more than seventy-two (72) hours after Supplier’s discovery of a Breach.
For purposes of this Section, “Unsuccessful Security Incidents” mean, without limitation, pings and other broadcast attacks on Supplier’s firewall, port scans, unsuccessful log-on attempts, denial of service attacks, and any combination of the above, as long as no such incident results in unauthorized access, acquisition, Use, or Disclosure of PHI.
d. Subcontractors. In accordance with 45 CFR §§ 164.502(e)(1)(ii) and 164.308(b)(2) of HIPAA, Supplier shall require its Subcontractors who create, receive, maintain, or transmit PHI on behalf of Supplier to agree in writing to: (1) restrictions and conditions no less restrictive than those that apply to Supplier with respect to such PHI; (2) appropriately safeguard the PHI; and (3) comply with the applicable requirements of 45 CFR Part 164 Subpart C of the Security Rule. Supplier remains responsible for its Subcontractors’ compliance with obligations in this BAA.
e. Disclosure to the Secretary. To the extent required by law, and subject to all applicable legal privileges, Supplier will make its internal practices, books, and records concerning the Use and Disclosure of PHI received from Five9 available to the Secretary of the U.S. Department of Health and Human Services (the “Secretary”) for the purpose of the Secretary determining compliance with this BAA.
f. Access. In the event Supplier maintains PHI in a Designated Record Set, then at the written request of Five9, Supplier shall within fifteen (15) days make access to such PHI available to Five9 in accordance with 45 CFR § 164.524 of the Privacy Rule.
g. Amendment. Subject to Section 4.f above, if Supplier maintains PHI in a Designated Record Set, then at the written request of Five9, Supplier shall within fifteen (15) days make available such PHI to Supplier for amendment and incorporate any reasonably requested amendment in the PHI in accordance with 45 CFR § 164.526 of the Privacy Rule.
h. Accounting of Disclosure. At the written request of Five9, Supplier shall within thirty (30) days make available to Five9 such information relating to Disclosures made by Supplier as required for Five9 to make any requested accounting of Disclosures in accordance with 45 CFR § 164.528 of the Privacy Rule.
5. Five9 Responsibilities with Respect to Protected Health Information.
a. Safeguards. Five9 shall use appropriate safeguards to prevent unauthorized Use or Disclosure of PHI, and as otherwise required under HIPAA or HITECH.
b. No Impermissible Requests. Five9 shall not request Supplier to Use or Disclose PHI in any manner that would not be permissible under HIPAA if done by a Covered Entity (unless permitted by HIPAA for a Business Associate).
6. Term and Termination.
a. Term. This BAA shall continue in effect until the earlier of (1) termination by a Party for breach as set forth in Section 6.b below, or (2) expiration of the Agreement.
b. Termination for Breach. Upon written notice, either Party may immediately terminate the Agreement and this BAA if the other Party is in material breach or default of any obligation in this BAA. Either Party may provide the other a thirty (30) calendar day period to cure a material breach or default within such written notice.
c. Return, Destruction, or Retention of Protected Health Information Upon Termination. Upon written request of Five9, Supplier shall return or destroy all PHI in its possession, if it is feasible to do so, and as set forth in the applicable termination provisions of the Agreement, in all cases subject to any retention required by law. If it is not feasible to return or destroy any portions of the PHI upon such request, then Supplier shall extend the protections of this BAA, without limitation, to such PHI and limit any further Use or Disclosure of the PHI to those purposes that make the return or destruction infeasible for the duration of the retention of the PHI. The provisions of this Section 6.c will survive termination or expiration of this BAA.
7. Miscellaneous.
a. Interpretation. The Parties intend that this BAA be interpreted consistently with their intent to comply with HIPAA and other applicable federal and state law. Except where this BAA conflicts with the Agreement, all other terms and conditions of the Agreement remain unchanged.
b. Waiver. A waiver with respect to one event shall not be construed as continuing, as a bar to, or as a waiver of any right or remedy as to subsequent events.
c. Notification. Any reports, notifications, or other notices under this BAA will be in accordance with the notice provisions in the Agreement.
d. No Third-Party Beneficiaries. Nothing express or implied in this BAA is intended to confer, nor shall anything in this BAA confer, upon any person other than the Parties, and the respective successors or assigns of the Parties, any rights, remedies, obligations, or liabilities whatsoever.
8. Severability.
In the event that any provision of this BAA is found to be invalid or unenforceable, the remainder of this BAA shall not be affected thereby, but rather the remainder of this BAA shall be enforced to the greatest extent permitted by law.
9. Governing Law.
This BAA shall be governed by and construed in accordance with the laws of the State of California.