TigerConnect Business Associate Agreement
(Last Updated: January 13, 2025)
Capitalized terms not otherwise defined in this Business Associate Agreement shall have the meanings afforded them in the Terms of Service available to view at https://tigerconnect.com/legal/terms-of-service-agreement/ as the same may be updated from time to time.
This Business Associate Agreement (“BAA”) is entered into between the Customer, a covered entity as such term is defined under the HIPAA Rules (“Covered Entity”), and TigerConnect, Inc., on behalf of itself and its subsidiaries and affiliates (“TigerConnect”), and forms part of the agreement for services between Covered Entity and TigerConnect (“Services Agreement”).
1. Definitions
The following terms used in this BAA shall have the same meaning as those terms in the HIPAA Rules: Breach, Business Associate, Covered Entity, Data Aggregation, Designated Record Set, Disclosure, Health Care Operations, Individual, Minimum Necessary, Notice of Privacy Practices, Protected Health Information, Required By Law, Secretary, Security Incident, Subcontractor, Unsecured Protected Health Information, and Use. In addition, the following definitions apply:
- HIPAA Rules. “HIPAA Rules” shall mean the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Part 160 and Part 164.
- Protected Health Information or PHI. “Protected Health Information” or “PHI” has the same meaning as under the HIPAA Rules, to the extent that such information is created, maintained, accessed by, received by, or transmitted to or by TigerConnect, to, from, or on behalf of the Covered Entity. For clarity, PHI does not include personal data about Covered Entity’s authorized users of the Services.
2. Roles of the Parties
For purposes of this BAA, Customer is either a Covered Entity or a Business Associate and TigerConnect is a Business Associate or a Subcontractor.
3. Obligations and Activities of TigerConnect
TigerConnect agrees to:
- Not Use or disclose PHI other than as permitted or required by this BAA or as Required By Law;
- Use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to electronic PHI, designed to prevent Use or Disclosure of PHI other than as provided for by the BAA;
- Promptly report to Covered Entity any Use or Disclosure of PHI not provided for by the BAA of which it becomes aware, including Breaches of Unsecured Protected Health Information, as required at 45 CFR 164.410, and any Security Incident of which it becomes aware. The parties agree that notice is hereby deemed given for all attempted, unsuccessful Security Incidents involving trivial and routine incidents such as port scans, attempts to log in with an invalid password or username, denial of service attacks that do not result in a server being taken offline, malware, and pings, or other similar types of events that do not compromise the security or privacy of PHI;
- In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, ensure that any Subcontractors that create, receive, maintain, or transmit PHI on behalf of TigerConnect agree to restrictions, conditions, and requirements that are consistent with those that apply to TigerConnect under this BAA with respect to such information;
- Within fifteen (15) business days of a written request from Covered Entity, make any PHI in a Designated Record Set available to the Covered Entity as necessary to satisfy the relevant Covered Entity’s obligations under 45 CFR 164.524;
- Within fifteen (15) business days of a written request from Covered Entity, make any amendment(s) to PHI in a Designated Record Set as directed or agreed to by the Covered Entity pursuant to 45 CFR 164.526, or take other measures as necessary to satisfy the relevant Covered Entity’s obligations under 45 CFR 164.526;
- Maintain and, within fifteen (15) business days of a written request from Covered Entity, make available the information required to provide an accounting of Disclosures to the Covered Entity as necessary to satisfy the relevant Covered Entity’s obligations under 45 CFR 164.528;
- To the extent that TigerConnect is to carry out one or more of Covered Entity’s obligation(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation(s); and
- Make its internal practices, books, and records available to the Secretary for purposes of determining compliance with the HIPAA Rules.
- Employ device (e.g., desktop, laptop, USB thumb drive, etc.) encryption to render PHI unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology that is (i) tested by the National Institute of Standards and Technology and judged to meet the standard, or (ii) otherwise consistent with industry standards. Such protection shall also extend to any databases of PHI as well as to PHI backups and archives.
- If TigerConnect is also considered a “Qualified Service Organization”, with access to PHI containing protected substance abuse treatment information, TigerConnect agrees to the following: (i) in receiving, storing, processing or otherwise dealing with any PHI containing protected substance abuse information from Covered Entity, TigerConnect is fully bound by the provisions of the federal regulations governing Confidentiality of Alcohol and Drug Abuse Patient Records, 42 C.F.R. Part 2; (ii) if necessary, TigerConnect will resist in judicial proceedings any efforts to obtain access to PHI containing protected substance abuse information unless access is expressly permitted under 42 C.F.R. Part 2; and (iii) TigerConnect acknowledges that any unauthorized disclosure of the PHI covered under this section is a federal criminal offense.
4. Permitted Uses and Disclosures by TigerConnect
- TigerConnect may only Use or disclose PHI as specified in this BAA and as necessary to perform the services set forth in the Services Agreement between the parties.
- TigerConnect may Use or disclose PHI as Required By Law. TigerConnect may Use PHI to de-identify the information in accordance with 45 CFR 164.514(a)-(c), retaining any and all ownership claims relating to the de-identified data it creates from Covered Entity’s PHI.
- TigerConnect agrees to make Uses and Disclosures and requests for PHI consistent with the Minimum Necessary policies and procedures required by HIPAA.
- TigerConnect may provide Data Aggregation services relating to the Health Care Operations of the Covered Entity.
- TigerConnect may not Use or disclose PHI in a manner that would violate Subpart E of 45 CFR Part 164 if done by Covered Entity, except for the specific Uses and Disclosures set forth below.
- TigerConnect may Use PHI for the proper management and administration of TigerConnect or to carry out the legal responsibilities of TigerConnect.
- TigerConnect may disclose PHI for the proper management and administration of TigerConnect or to carry out the legal responsibilities of TigerConnect, provided the Disclosures are Required By Law, or TigerConnect obtains reasonable assurances from the person to whom the information is disclosed that the information will remain confidential and Used or further disclosed only as Required By Law or for the purposes for which it was disclosed to the person, and the person notifies TigerConnect of any instances of which it is aware in which the confidentiality of the information has been Breached.
- Covered Entity shall notify TigerConnect of any limitation(s) in the Notice of Privacy Practices of the relevant Covered Entity under 45 CFR 164.520, to the extent that such limitation may affect TigerConnect’s Use or Disclosure of PHI.
- Covered Entity shall notify TigerConnect of any changes in, or revocation of, the permission by an Individual to Use or disclose his or her PHI, to the extent that such changes may affect TigerConnect’s Use or Disclosure of PHI.
- Covered Entity shall notify TigerConnect of any restriction on the Use or Disclosure of PHI that Covered Entity has agreed to or is required to abide by under 45 CFR 164.522, to the extent that such restriction may affect TigerConnect’s Use or Disclosure of PHI.
5. Permissible Requests by Covered Entity
Covered Entity shall not request TigerConnect to Use or disclose PHI in any manner that would not be permissible under Subpart E of 45 CFR Part 164 if done by Covered Entity.
6. Term and Termination
- Term. The Term of this BAA shall be effective as of the date of execution and shall terminate upon termination of the Services Agreement, except as agreed upon by the parties, or on the date Covered Entity terminates this BAA for cause pursuant to paragraph (b) of this Section, whichever is sooner.
- Termination for Cause. TigerConnect authorizes termination of this BAA by Covered Entity, if Covered Entity determines, acting reasonably, that TigerConnect has violated a material term of this BAA and TigerConnect has not cured the Breach or ended the violation within a reasonable time as specified by Covered Entity.
- Obligations of TigerConnect Upon Termination. Upon termination of this BAA for any reason, TigerConnect shall return to Covered Entity or, if agreed to by Covered Entity, destroy all PHI that TigerConnect still maintains in any form. TigerConnect shall retain no copies of the PHI, except that TigerConnect may retain PHI for its own management and administration purposes or to carry out its legal responsibilities, subject to HIPAA and this BAA. Notwithstanding the foregoing, TigerConnect (a) is not required to destroy or wipe any metadata containing PHI, and (b) is not required to delete or erase such materials from any disaster recovery tapes or other backup media of any record retention or computer storage system, provided that TigerConnect shall continue to extend the protections and satisfy the obligations of this BAA to such information, and limit further use and disclosure of such PHI to those purposes that make the return or destruction of the information unfeasible [45 C.F.R. Section 164.504(e)(ii)(2)(J)]. In addition, upon termination of this BAA for any reason, TigerConnect shall:
- Retain only that PHI which is necessary for TigerConnect to continue its proper management and administration or to carry out its legal responsibilities;
- Return to Covered Entity or destroy, if feasible, the remaining PHI that TigerConnect still maintains in any form;
- If the return or destruction of PHI is not feasible, as determined by TigerConnect in its reasonable discretion, continue to Use appropriate safeguards and comply with Subpart C of 45 CFR Part 164 with respect to such PHI to prevent Use or Disclosure of the PHI, other than as provided for in this Section, for as long as TigerConnect retains the PHI; and
- Not Use or disclose the PHI retained by TigerConnect other than for the purposes for which such PHI was retained and subject to the same conditions set out herein which applied prior to termination.
- Survival. The obligations of TigerConnect under this Section shall survive the termination of this BAA.
7. Miscellaneous
- Regulatory References. A reference in this BAA to a section in the HIPAA Rules means the section as in effect or as amended.
- Limitations on Liability. NOTWITHSTANDING ANYTHING TO THE CONTRARY IN THIS BAA OR THE SERVICES AGREEMENT, IN NO EVENT SHALL (I) TIGERCONNECT BE LIABLE FOR ANY INDIRECT, INCIDENTAL, EXEMPLARY, SPECIAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES, REGARDLESS OF WHETHER SUCH DAMAGES WERE FORESEEABLE OR UNFORESEEABLE; OR (II) TIGERCONNECT’S TOTAL CUMULATIVE LIABILITY IN CONNECTION WITH THIS BAA EXCEED $5,000,000.
- Amendment. The Parties agree to take such action as is necessary to amend this BAA from time to time as is necessary for compliance with the requirements of the HIPAA Rules and any other applicable law.
- Interpretation. Any ambiguity in this BAA shall be interpreted to permit compliance with the HIPAA Rules.
- Cooperation. The parties agree to provide reasonable cooperation to each other to comply with the requirements of the HITECH Act, the HIPAA Rules, the FTC Identity Theft Rules, and other applicable laws relevant to their performance under this BAA; to provide reasonable assistance to each other in responding to and mitigating the effects of any violation of the HIPAA Rules or this BAA; and to provide reasonable assistance to each other in responding to any investigation, complaint, or action by any government agency or third party relating to the performance of this BAA.
- Relation to Services Agreement. This BAA supplements the Services Agreement. The terms and conditions of the Services Agreement shall continue to apply. If there is a conflict between this BAA and the Services Agreement, this BAA shall control.
- No Third Party Beneficiaries. Nothing in this BAA is intended to nor shall it confer any rights on any other persons except Covered Entity and TigerConnect and their respective successors and assigns.
- Entire Agreement. This BAA, together with the Services Agreement, contains the entire agreement between the parties as it relates to the Use or Disclosure of PHI, and supersedes all prior discussions, negotiations and services relating to the same.