HIPAA Business Associate Agreement
Last updated: December 10, 2019
The HIPAA Business Associate Agreement (“HIPAA BAA”) is a legal agreement made between you (“you” or “your”) and Square, Inc. and its affiliates (“Square,” “we,” “our,” or “us”) for the purpose of implementing the requirements of HIPAA to support the parties’ compliance requirements under HIPAA. The “Agreement” refers to the General Terms of Service entered into between you and Square governing your use of Square’s mobile applications, websites, software, hardware, and other products and services (collectively, the “Services”). Together with the Agreement, this HIPAA BAA will govern each party’s respective obligations regarding Protected Health Information (defined below).
You represent and warrant that: (i) you have full legal authority to enter into this HIPAA BAA, (ii) you have read and understand this HIPAA BAA, and (iii) you agree to the terms of this HIPAA BAA.
We recommend that you print a copy of this HIPAA BAA and the Agreement that incorporates it and retain copies for your records.
All capitalized terms used but not otherwise defined in this HIPAA BAA will have the same meaning as in HIPAA.
● “HIPAA” means the Administrative Simplification subtitle of the Health Insurance Portability and Accountability Act of 1996 and the rules and regulations thereunder, as amended, including with respect to the HITECH Act.
“HITECH Act” means the Health Information Technology for Economic and Clinical Health Act enacted by the United States Congress, which is Title XII of the American Recovery & Reinvestment Act, and the regulations thereunder, as amended.
“Protected Health Information” or “PHI” will have the same meaning as the term “protected health information” in HIPAA, 45 C.F.R. § 160.103, except limited to information: (a) that is created, received, maintained, or transmitted by us on your behalf; and (b) will not include information to the extent that it is exempt from HIPAA under Section 1179 of the Social Security Act, 42 U.S.C. § 1320d-8.
“Individual” will have the same meaning as the term “individual” in HIPAA, 45 C.F.R. § 160.103, and will include a person who qualifies as a personal representative in accordance with the HIPAA “Privacy Rule” as described in 45 C.F.R. § 164.502(g).
2. Square’s Permitted Uses and Disclosures
Except as otherwise limited in this HIPAA BAA, we may:
Use or Disclose PHI in our possession to perform the Services, provided that such Use or Disclosure would not violate HIPAA if done by you;
Use PHI for our proper management and administration and to carry out any of our legal responsibilities;
Use PHI to create de-identified Health Information in accordance with the HIPAA “Privacy Rule” as described in 45 C.F.R. § 164.514(b);
Use PHI for Data Aggregation services related to your Health Care Operations; and
Disclose PHI in our possession to a third party for our proper management and administration or to fulfill any of our legal responsibilities, provided that: (i) the Disclosure is Required by Law; or (ii) we have received reasonable written assurances from the person to whom PHI will be disclosed that: (a) the information will remain confidential and will be Used or further Disclosed only as Required by Law or for the purpose for which it was Disclosed; and (b) we will be notified of any instances of which the person becomes aware that the confidentiality of the information has been breached.
3. Square’s Obligations
We will not Use or Disclose PHI other than as permitted or required by this HIPAA BAA or as Required by Law. We agree to use appropriate safeguards and to comply, where applicable, with the Security Standards for Protection of Electronic Protected Health Information, 45 C.F.R. Part 164 Subpart C (the “Security Rule”) with respect to Electronic Protected Health Information, to prevent Use or Disclosure of the PHI other than as provided for by this HIPAA BAA. We agree to comply with the other applicable requirements of the Security Rule.
To the extent that we carry out one or more of your obligations under the Standards for Privacy of Individually Identifiable Health Information, 45 C.F.R. Part 164 Subpart E, including but not limited to the provision of a notice of privacy practices on your behalf, we will comply with the requirements of Subpart E that apply to you in the performance of such obligations.
We agree to promptly report to Covered Entity: (i) Any Use or Disclosure of PHI not provided for by this HIPAA BAA, including Breaches of Unsecured PHI; and/or (ii) Any Security Incident, provided that this Section 3(a) will serve as notice, and no additional reporting will be required, of any unsuccessful attempts at unauthorized Access, Use, Disclosure, modification, or destruction of information or unsuccessful interference with system operations in an information system. For any Breach of Unsecured PHI, we agree to supplement the above report with the information required by 45 C.F.R. § 164.410 without unreasonable delay and in no case later than 60 calendar days after discovery of the Breach.
b. Square’s Subcontractors
We agree to ensure that any Subcontractors that create, receive, maintain, or transmit PHI on our behalf agree in writing to the same restrictions and conditions that apply through this HIPAA BAA to us with respect to such PHI, including complying with the applicable requirements of the Security Rule.
c. Access to Records
We agree to make our internal practices, books, and records relating to the Use and Disclosure of PHI received from, or created or received by Business Associate on your behalf, available to the Secretary of the Department of Health and Human Services (“Secretary”) for the purposes of the Secretary determining compliance with HIPAA. Nothing in this Section will be construed as a waiver of any legal privilege or of any protections for trade secrets or confidential commercial information.
d. Individual Privacy Rights
Upon your request, we will make PHI in a Designated Record Set available to you as necessary to allow you to comply with your obligations to provide access to Individuals of their health information as required by 45 C.F.R. § 164.524. Upon your request, we will make PHI in a Designated Record Set available to you and will incorporate any amendments to such information as instructed by you as necessary to allow you to comply with your amendment obligations as required by 45 C.F.R. § 164.526. We will maintain and, upon your request, provide you with the information necessary for you to provide an Individual with an accounting of Disclosures as required by 45 C.F.R. § 164.528.
4. Your Obligations
You will use appropriate safeguards to prevent against unauthorized Use or Disclosure of PHI, consistent with this HIPAA BAA, and as otherwise required under the Security Rule. To the extent that you choose to use the Service to transmit PHI without encryption, you are responsible for documenting under the Security Rule that encryption is not reasonable and appropriate for such communications and implementing any equivalent alternative measures if reasonable and appropriate.
You will provide us with any changes in, or revocation of, permission by an Individual to Use or Disclose PHI, if such changes affect our permitted or required Uses or Disclosures of PHI under this HIPAA BAA. You will not agree to any request for a restriction that limits our permitted or required Uses or Disclosures of PHI under this HIPAA BAA unless you are required by law. In the event that you are required by law to agree to such a restriction, you will promptly notify us of the restriction. You will not request or cause us to Use or Disclose PHI in any manner that would not be permissible under HIPAA if done by you.
You will not include in your notice of privacy practices under HIPAA any limitation that limits our permitted or required Uses or Disclosures of PHI under this HIPAA BAA unless such a limit is required by law. In the event that you are required by law to include such a limitation in your notice of privacy practices, you will promptly notify us of the limitation.
5. Authority to Terminate for Breach
If you determine that we have violated a material term of this HIPAA BAA, you may terminate this HIPAA BAA in accordance with Section 11 of the Agreement.
6. Effect of Termination
Except as provided in this Section 6, upon termination of this HIPAA BAA for any reason, we will return or destroy all PHI to the extent feasible. We will not retain copies of the PHI. In the event that we determine that returning or destroying the PHI is infeasible, then we will extend the protections of this HIPAA BAA to such PHI and limit further Uses and Disclosures of such PHI to those purposes that make the return or destruction infeasible, for as long as we maintain such PHI.
It is the parties’ intent that any ambiguity under this HIPAA BAA be interpreted consistently with the intent to comply with applicable laws.
8. No Third Party Beneficiaries
Nothing in this HIPAA BAA shall confer upon any person other than the parties and their respective successors or assigns, any rights, remedies, obligations, or liabilities whatsoever.
9. No Agency Relationship
Nothing in this HIPAA BAA is intended to create an agency relationship between the parties.
10. Entire Agreement
This HIPAA BAA supersedes any pre-existing agreements between the parties relating to HIPAA covering the Services. To the extent of any conflict or inconsistency between the terms of this HIPAA BAA and the remainder of the Agreement, the terms of this HIPAA BAA will govern. Except as expressly modified or amended under this HIPAA BAA, the terms of the Agreement remain in full force and effect.