Business Associate Agreement
Nurix Business Associate Agreement
This Agreement ("Agreement") is entered into by and between Covered Entity and Nurix Labs Pvt. Ltd., having its principal place of business at 42, 15th Main Rd, Sector 4, HSR Layout, Bengaluru, Karnataka 560102 ("Nurix Labs Pvt. Ltd."), and Covered Entity collectively referred to as the "Parties".
Background
Covered Entity and Nurix Labs Pvt. Ltd. have entered into an agreement whereby Nurix Labs Pvt. Ltd. may have access to, use, or disclose Protected Health Information ("PHI") as defined under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and its implementing regulations, including the Privacy Rule (45 C.F.R. Parts 160 and 164) and the Security Rule (45 C.F.R. Parts 160, 162, and 164) (collectively, "HIPAA Rules"), in connection with the services provided by Nurix Labs Pvt. Ltd. to Covered Entity ("Services").
In accordance with the HIPAA Rules, Covered Entity is "Covered Entity " and Nurix Labs Pvt. Ltd. is "Nurix Labs Pvt. Ltd." as defined under HIPAA.
The Parties desire to comply with the requirements of HIPAA and to protect the privacy and security of PHI in accordance with the HIPAA Rules.
In accordance with the HIPAA Rules, Covered Entity is "Covered Entity " and Nurix Labs Pvt. Ltd. is "Nurix Labs Pvt. Ltd." as defined under HIPAA.
The Parties desire to comply with the requirements of HIPAA and to protect the privacy and security of PHI in accordance with the HIPAA Rules.
Terms and Conditions
1. Definitions
1.1
"PHI" shall have the meaning given to it under the HIPAA Rules and shall include, without limitation, any information that is created, received, maintained, or transmitted by Nurix Labs Pvt. Ltd. on behalf of Covered Entity in connection with the Services.
1.2
"Electronic Protected Health Information" or "ePHI" shall have the meaning given to it under the HIPAA Rules and shall include PHI that is transmitted or maintained in electronic form.
1.3
"Designated Record Set" shall have the meaning given to it under the HIPAA Rules and shall include, without limitation, any group of records maintained by or for Covered Entity that is used, in whole or in part, to make decisions about individuals.
1.4
"Breach" shall have the meaning given to it under the HIPAA Rules and shall mean the acquisition, access, use, or disclosure of PHI in a manner not permitted by the HIPAA Rules, which compromises the security or privacy of the PHI.
1.5
"Security Incident" shall have the meaning given to it under the HIPAA Rules and shall mean the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.
2. Obligations of Nurix Labs Pvt. Ltd.
2.1
Use and Disclosure of PHI: Nurix Labs Pvt. Ltd. shall not use or disclose PHI, except as necessary to perform the Services or as otherwise required by law. Nurix Labs Pvt. Ltd. shall comply with the requirements of the HIPAA Rules with respect to the use and disclosure of PHI, including, without limitation, the minimum necessary standard.
2.2
Safeguards: Nurix Labs Pvt. Ltd. shall implement appropriate safeguards to prevent the use or disclosure of PHI other than as provided for in this Agreement. Such safeguards shall comply with the requirements of the HIPAA Rules, including, without limitation, the Security Rule.
2.3
Reporting of Breaches and Security Incidents: Nurix Labs Pvt. Ltd. shall report to Covered Entity any Breach or Security Incident of which it becomes aware without unreasonable delay, but in no event later than 72 hours after discovery of the Breach or Security Incident. Such report shall include, without limitation, the following information: (a) a description of the Breach or Security Incident, including the nature of the PHI involved; (b) the date of the Breach or Security Incident; (c) the type of Breach or Security Incident; (d) any actions taken to mitigate (e) any additional information reasonably requested by Covered Entity.
2.4
Access to PHI: Nurix Labs Pvt. Ltd. shall provide access to PHI to Covered Entity or an individual as required by the HIPAA Rules within the timeframes and in the manner specified by the HIPAA Rules.
2.5
Amendments to PHI: Nurix Labs Pvt. Ltd. shall make amendments to PHI as requested by Covered Entity or an individual as required by the HIPAA Rules within the timeframes and in the manner specified by the HIPAA Rules.
2.6
Accounting of Disclosures: Nurix Labs Pvt. Ltd. shall document and provide an accounting of disclosures of PHI as required by the HIPAA Rules within the timeframes and in the manner specified by the HIPAA Rules.
2.7
Subcontractors: If Nurix Labs Pvt. Ltd. engages subcontractors to perform any services that involve the use or disclosure of PHI, Nurix Labs Pvt. Ltd. shall enter into a written agreement with such subcontractors that complies with the requirements of the HIPAA Rules, including the same restrictions and conditions that apply to Nurix Labs Pvt. Ltd. with respect to PHI.
2.8
Security Controls: Nurix Labs Pvt. Ltd. shall implement and maintain reasonable and appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of ePHI, in accordance with the requirements of the Security Rule.
2.9
Reporting Security Incidents: Nurix Labs Pvt. Ltd. shall promptly report to Covered Entity any Security Incident of which it becomes aware, including any unauthorized access, use, disclosure, modification, or destruction of ePHI, or any other security incident that may compromise the confidentiality, integrity, or availability of ePHI.
2.10
Compliance with HIPAA Rules: Nurix Labs Pvt. Ltd. shall comply with the requirements of the HIPAA Rules, including, without limitation, the Privacy Rule, the Security Rule, and the Breach Notification Rule, as applicable to its use and disclosure of PHI and its safeguarding of ePHI.
3. Obligations of Covered Entity
3.1
Notice of Privacy Practices: Covered Entity shall provide Nurix Labs Pvt. Ltd. with a copy of its current notice of privacy practices, or any changes thereto, as required by the Privacy Rule.
3.2
Changes to Authorization or Permission: Covered Entity shall notify Nurix Labs Pvt. Ltd. of any changes in, or revocation of, permission by an individual to use or disclose PHI, to the extent that such changes may affect Nurix Labs Pvt. Ltd.'s use or disclosure of PHI.
3.3
Restrictions on Use or Disclosure: Covered Entity shall notify Nurix Labs Pvt. Ltd. of any restrictions on the use or disclosure of PHI that Covered Entity has agreed to or is required to abide by, to the extent that such restrictions may affect Nurix Labs Pvt. Ltd.'s use or disclosure of PHI.
3.4
Compliance with HIPAA Rules: Covered Entity shall comply with the requirements of the HIPAA Rules, including, without limitation, the Privacy Rule, the Security Rule, and the Breach Notification Rule, as applicable to its use and disclosure of PHI and its safeguarding of ePHI.
4. Term and Termination
4.1
Term: This Agreement shall be effective as of the date of its execution by both Parties and shall continue in effect until terminated by either Party in accordance with Section 4.
4.2
Termination for Convenience: Either Party may terminate this Agreement for any reason or no reason upon written notice to the other Party.
4.3
Termination for Breach: Either Party may terminate this Agreement upon written notice to the other Party in the event of a material breach of this Agreement by the other Party, unless the breach is cured within a reasonable time period specified by the non-breaching Party.
4.4
Obligations Upon Termination: Upon termination of this Agreement for any reason, Nurix Labs Pvt. Ltd. shall return or destroy all PHI data upon termination of this Agreement for any reason, Nurix Labs Pvt. Ltd. shall return or destroy all PHI in its possession or control, including any copies or derivatives thereof, in accordance with the requirements of the HIPAA Rules and any instructions provided by Covered Entity. Nurix Labs Pvt. Ltd. shall also provide written certification to Covered Entity that it has complied with this requirement within 30 days of termination.
5. Miscellaneous
5.1
Entire Agreement: This Agreement constitutes the entire understanding between the Parties with respect to the subject matter hereof and supersedes all prior or contemporaneous agreements, understandings, representations, and warranties, whether oral or written, relating to the subject matter hereof.
5.2
Amendments: This Agreement may not be amended or modified except in writing signed by both Parties.
5.3
No Third-Party Beneficiaries: This Agreement is not intended to and does not confer any rights or benefits upon any person or entity other than the Parties hereto and their respective successors and permitted assigns.
5.4
Governing Law and Jurisdiction: This Agreement shall be governed by and construed in accordance with the laws of the state or jurisdiction where Covered Entity is located. Any disputes arising under or in connection with this Agreement shall be resolved in the courts of competent jurisdiction in the same state or jurisdiction.
5.5
Survival: The obligations and responsibilities of the Parties under this Agreement shall survive termination of this Agreement for any reason, to the extent necessary to fulfill the purposes for which the PHI was disclosed or received under this Agreement.
5.6
Waiver: The waiver of any breach of this Agreement shall not be deemed a waiver of any other or subsequent breach, and shall not be construed as a modification of the terms of this Agreement.
5.7
Severability: If any provision of this Agreement is held to be invalid, illegal, or unenforceable, the remaining provisions shall remain in full force and effect.
5.8
Counterparts: This Agreement may be executed in counterparts, each of which shall be deemed an original, but all of which together shall constitute one and the same instrument.
