Business Associate Agreement

Last Update: December 15, 2017

This HIPAA Business Associate Agreement (“BAA”) is by and between Cato Systems, LLC (“Cato Systems”) and the Customer. This BAA is incorporated into the Terms of Service Agreement (the “Services Agreement”) between Cato Systems and Customer.

Customer must have an existing Services Agreement in place for this BAA to be valid and effective. Together with the Services Agreement, this BAA will govern each party’s respective obligations regarding Protected Health Information.

You represent and warrant that (i) you have the full legal authority to bind Customer to this BAA, (ii) you have read and understand this BAA, and (iii) you agree, on behalf of Customer, to the terms of this BAA. If you do not have legal authority to bind Customer, or do not fully agree to these terms, please do not create an account or use the Covered Services.

1. Definitions.

Any capitalized terms not defined herein will have the meaning given to them in HIPAA, the HITECH Act or the applicable agreement between Cato Systems and the Customer.

“Business Associate” has the definition given to it under HIPAA and for purposes of this BAA refers to Cato Systems.
“Covered Entity” has the definition given to it under HIPAA and for purposes of this BAA refers to Customer.
“Covered Functions” has the definition given to it under HIPAA and for purposes of this BAA means the list of functionalities within the Covered Services as set forth on Attachment 1, as may be updated from time to time by Cato Systems by posting a revised version on its website at https://prod.catosys.com.
“HIPAA” means the Health Information Portability and Accountability Act of 1996 and the rules and the regulations thereunder, as amended.
“HITECH Act” or “HITECH” means the Health Information Technology for Economic and Clinical Health Act enacted in the United States Congress, which is Title XIII of the American Recovery & Reinvestment Act, and the regulations thereunder, as amended.
“Protected Health Information” or “PHI” has the definition given to it under HIPAA and for purposes of this BAA applies to Customer’s data to the extent Cato Systems has access to it in connection with Customer’s permitted use of Covered Functions.
“Security Breach” means any Breach or Security Incident, as defined under HIPAA and the HITECH Act, resulting in an actual unauthorized use or disclosure of unsecured PHI caused by Cato Systems or its representatives under this BAA.
“Covered Services” means the Cato Systems services set forth in Attachment 2, as may be updated from time to time by Cato Systems by posting a revised version on its website at https://prod.catosys.com.
“Customer” has the meaning assigned to it in the Service Agreement.

2. Applicability.

This BAA applies to the extent Customer is acting as a Covered Entity or a Business Associate to create, receive, maintain, or transmit PHI via a Covered Function and to the extent Cato Systems, as a result, is deemed under HIPAA to be acting as a Business Associate or an agent or subcontractor of a Business Associate. Customer acknowledges that this BAA does not apply to, or govern, any other Cato Systems product, service, or feature not part of a Covered Function.

3. Permitted Use and Disclosure.

a. By Cato Systems.
i. Except as otherwise set forth in this BAA, Cato Systems may use and disclose PHI only as specified in the Services Agreements and under this BAA.
ii. In addition, Cato Systems may use and disclose PHI for the proper management and administration of Cato Systems’ business and to carry out the legal responsibilities of Cato Systems, provided that any disclosure of PHI for such purposes may only occur if: (1) required by applicable law; or (2) Cato Systems obtains written reasonable assurances from the person to whom PHI will be disclosed that it will be held in confidence, used only for the purpose for which it was disclosed, and that Cato Systems will be notified of any Security Breach.
iii. Cato Systems has no obligation to protect PHI under this BAA to the extent Customer creates, receives, maintains, or transmits such PHI outside of the Covered Functions.

b. By Customer.
i. Customer may use the Services to create, receive, maintain, or transmit PHI via Covered Function (and only within Covered Functions and no other functions of the Services).
ii. Customer will not request Cato Systems or the Services to use or disclose PHI in any manner that would not be permissible under HIPAA if done by a Covered Entity itself (unless expressly permitted under HIPAA for a Business Associate).
iii. In connection with Customer’s management and administration of the Services to Customer’s end users, Customer is responsible for using the available security controls within the Services to support its HIPAA compliance requirements.

4. Appropriate Safeguards.

Cato Systems and Customer will use appropriate safeguards designed to prevent against unauthorized use or disclosure of PHI, and as otherwise required under HIPAA, with respect to the Covered Function.

5. Reporting.

a. Cato Systems will promptly notify Customer following the discovery of a Security Breach in the most expedient time possible under the circumstances, consistent with the legitimate needs of applicable law enforcement and applicable laws, and after taking any measures necessary to determine the scope of the Security Breach and to restore the reasonable integrity of the Services system.
b. To the extent practicable, Cato Systems will use commercially reasonable efforts to mitigate any further harmful effects of a Security Breach.
c. Cato Systems will send any applicable Security Breach notifications to the notification email address provided by Customer in the Services Agreement or via direct communication with the Customer.
d. For clarity, Customer, and not Cato Systems, is responsible for managing whether Customer’s end users are authorized to share, disclose, create, and/or use PHI with Covered Functions of the Services and Cato Systems will have no obligations relating thereto.
e. This Section 5 will be deemed as notice to Customer that Cato Systems periodically receives unsuccessful attempts for unauthorized access, use, disclosure, modification or destruction of information, or interference with the general operation of Cato Systems’ information systems and the Services and even if such events constitute a Security Incident as that term is defined under HIPAA, Cato Systems will not provide any further notice regarding such unsuccessful attempts.

6. Agents and Subcontractors.

Cato Systems will take appropriate measures to ensure that any agents and subcontractors used by Cato Systems to perform its obligations under the Services Agreements that require access to PHI on behalf of Cato Systems are bound by written obligations that provide the same material level of protection for PHI as this BAA. To the extent Cato Systems uses agents and subcontractors in its performance of obligations hereunder, Cato Systems will remain responsible for their performance as if performed by Cato Systems.

7. Accounting Rights.

Cato Systems will make available to Customer the PHI via the Covered Services so Customer may fulfill its obligation to give individuals their rights of access, amendment, and accounting in accordance with the requirements under HIPAA. Customer is responsible for managing its use of the Covered Services to appropriately respond to such individual requests.

8. Access to Records.

To the extent required by law, and subject to applicable attorney client privileges, Cato Systems will make its internal practices, books, and records concerning the use and disclosure of PHI received from Customer, or created or received by Cato Systems on behalf of Customer, available to the Secretary of the U.S. Department of Health and Human Services (the “Secretary”) for the purpose of the Secretary determining compliance with this BAA.

9. Term and Termination.

a. This BAA will expire upon the earlier of (i) a permitted termination in accordance with Section 9(b) below or (ii) the expiration or termination of the Services Agreement.
b. Upon thirty (30) days written notice, either Party may terminate this BAA if the other Party is in material breach or default of any obligation in this BAA. Any such notice will provide the receiving Party with ten (10) business days to cure a material breach or default.
c. If this BAA is terminated earlier than the Services Agreement, Customer may continue to use the Services in accordance with the Services Agreement, but must delete any PHI it maintains in the Services and cease to further create, receive, maintain, or transmit such PHI to Cato Systems.

10. Return/Destruction of Information.

Upon termination of the Services Agreements, Cato Systems will return or destroy all PHI received from Customer, or created or received by Cato Systems on behalf of Customer; provided, however, that if such return or destruction is not feasible, Cato Systems will extend the protections of this BAA to the PHI not returned or destroyed and limit further uses and disclosures to those purposes that make the return or destruction of the PHI infeasible.

11. Miscellaneous.

a. Survival. Section 10 (Return/Destruction of Information) will survive termination or expiration of this BAA.
b. Effects of Amendment. To the extent of any conflict or inconsistency between the terms of this BAA and the remainder of the Services Agreement, the terms of the Services Agreement will govern. This BAA is subject to the “Governing Law” section in the Services Agreement. Except as expressly modified or amended under this BAA, the terms of the Services Agreement remain in full force and effect.

12. Effective Date

This BAA is effective as of the first date that Customer accesses or uses the Covered Services.

13. Acceptance

Customer confirms its acceptance of this BAA by accessing or using the Covered Services.

Attachment 1
List of Covered Functions

All functions of each of the Services listed in Attachment 2.

Attachment 2
List of Covered Services

All services specifically listed at
https://prod.catosys.com/hipaa-covered-services