SERVICE ATTACHMENT of DOCUSIGN BUSINESS ASSOCIATE ADDENDUM for DOCUSIGN SIGNATURE
This Service Attachment was last updated on: December 15, 2016.
This Service Attachment of DocuSign Business Associate Addendum for DocuSign Signature (“BAA”) is made part of the Agreement between DocuSign and Customer for the use of the DocuSign Signature Service to which Customer has subscribed in an Order Form with DocuSign. This BAA applies separately to each DocuSign Signature Account. Any term not otherwise defined herein shall have the meaning specified in the Agreement. In the event of any inconsistency or conflict between the Agreement and this BAA, the terms of this BAA shall control with respect to DocuSign Signature. The terms of this BAA are limited to the scope of this BAA and shall not be applicable to any other Service Schedules or DocuSign Services.
Except as otherwise defined in this BAA or the Agreement, capitalized terms will have the meaning given to them in HIPAA:
“HIPAA” means, collectively, the administrative simplification provision of the Health Insurance Portability and Accountability Act enacted by the United States Congress, and its implementing regulations, including the Privacy Rule, the Breach Notification Rule, and the Security Rule, as amended from time to time, including by the Health Information Technology for Economic and Clinical Health (HITECH) Act and by the Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act: Other modifications to the HIPAA Rules; Final Rule.
“HIPAA Account” means a DocuSign Account under the Agreement under which Customer uses DocuSign Signature to store or transmit any Protected Health Information (defined below).
“Protected Health Information” or “PHI” has the same meaning as the term “protected health information” in 45 C.F.R. § 160.103; provided that, for purposes of this BAA, such term is limited to protected health information that is received and maintained by DocuSign from or on behalf of Customer via Customer’s HIPAA Account.
“Unsuccessful Security Incidents” means, without limitation, pings and other broadcast attacks on DocuSign’s firewall, port scans, unsuccessful log-on attempts, denial of service attacks, and any combination of the above, as long as no such incident results in unauthorized access, acquisition, Use, or Disclosure of PHI.
2. PERMITTED USE AND DISCLOSURE.
2.1 Performance under the Agreement. Subject to the requirements set forth in this BAA, DocuSign may Use and Disclose PHI for, or on behalf of, Customer as specified under the Agreement.
2.2 Management, Administration, and Legal Responsibilities. DocuSign may Use and Disclose PHI for the management and administration of DocuSign’s business and to carry out the legal responsibilities of DocuSign; provided that any Disclosures under this section will be made only if DocuSign obtains reasonable assurances from the recipient of the PHI that (a) the recipient will hold the PHI confidentially and will Use or Disclose the PHI only as required by law or for the purpose for which it was disclosed to the recipient, and (b) that the recipient will notify DocuSign of any instances of which it is aware in which the confidentiality of the PHI has been breached.
3. DOCUSIGN’S OBLIGATIONS.
3.1 Prohibited Use and Disclosure. DocuSign will not Use or Disclose PHI other than as permitted or required by the Agreement and this BAA, or as otherwise required by law; provided that any such Use or Disclosure would not violate HIPAA if done by a Covered Entity, unless permitted under HIPAA for a Business Associate.
3.2 Safeguards. DocuSign will use reasonable and appropriate safeguards, as evidenced by its Information Security Program, to prevent the Use or Disclosure of PHI other than as provided for by the Agreement, this BAA, and in accordance with the requirements of Subpart C of 45 C.F.R. Part 164 (with respect to Electronic PHI).
3.3 Reporting, Access, Amendment, and Accounting. Due to the encryption configuration and security controls associated with DocuSign Signature, DocuSign will not have access to or know the nature of PHI contained within Customer’s encrypted eDocuments. As such, the Parties acknowledge that it may not be possible for DocuSign to provide Customer with all relevant information concerning the PHI of Individuals who may have been affected by a Security Incident, Impermissible Use or Disclosure, or Breach of Unsecured PHI. In addition, the Parties acknowledge and agree that DocuSign will not provide Individuals with the ability to access or amend their PHI or provide Individuals with an accounting of disclosures.
(a) Reporting. In the event of a Breach of Unsecured PHI, Security Incident, or Impermissible Use or Disclosure, Customer will be solely responsible for determining whether to notify impacted Individuals, determining if regulatory bodies, such as the Secretary of the Department of U.S. Health and Human Services, or other enforcement commissions applicable to Customer need to be notified, and for providing any such notices. DocuSign will, without unreasonable delay, report the following to Customer:
(i) Any Breach of Unsecured PHI in accordance with and to the extent required by 45 C.F.R. § 164.410;
(ii) Any Security Incidents involving PHI of which DocuSign becomes aware and in which there is a successful unauthorized access, Use, Disclosure, modification, or destruction of information or interference of the system operations associated with Customer’s HIPAA Account in a manner that risks the confidentiality, integrity, or availability of such PHI; provided, however, that notice is hereby deemed given for all Unsuccessful Security Incidents; and
(iii) Any Use or Disclosure of Customer’s PHI that is not permitted or required by the Agreement and this BAA of which DocuSign becomes aware.
(b) Access, Amendment, and Accounting. Should DocuSign receive any requests for access, amendment, or an accounting of disclosures directly from an Individual, DocuSign will advise such Individual to submit its request to Customer and Customer will be responsible for responding to any such request in accordance with 45 C.F.R. § 164.524, 45 C.F.R. § 164.526, and 45 C.F.R. § 164.528 (as applicable) in a manner consistent with the functionality of DocuSign Signature and the terms of the Agreement.
3.4 Subcontractors. DocuSign will ensure that any subcontractors that create, receive, maintain, or transmit Customer’s PHI on behalf of DocuSign: (a) agree to restrictions and conditions that are at least as stringent or the same as those found in this BAA, and (b) agree to implement reasonable and appropriate safeguards to protect Customer’s PHI.
3.5 Audit Rights. DocuSign will make its internal practices, records, and books relating to the Use and Disclosure of PHI available to the Secretary of the Department of U.S. Health and Human Services for purposes of determining Customer’s compliance with HIPAA. Nothing in this section will be deemed to waive any applicable privilege or protection with respect to trade secrets and Confidential Information.
4. CUSTOMER RESPONSIBILITIES.
4.1 HIPAA Account Configuration and Monitoring. Customer agrees that DocuSign does not act as a Business Associate under HIPAA and will have no obligations under this BAA to the extent Customer creates, receives, maintains, or transmits PHI outside of its HIPAA Account. Customer is responsible for:
(a) Implementing appropriate privacy and security safeguards to protect its PHI in compliance with HIPAA;
(b) Using and enforcing controls available in connection with DocuSign Signature (including any security controls) to support its HIPAA compliance requirements;
(c) Obtaining all necessary authorizations, consents, and other permissions that may be required under HIPAA in order to create, receive, maintain, or transmit PHI via its HIPAA Account;
(d) Determining whether its Authorized Users are authorized to create, receive, maintain, or transmit PHI using the HIPAA Account; and
(f) Using the functionality of DocuSign Signature to respond to and comply with any additional restriction requests made by Individuals or required by any notice of privacy practices agreed to by Customer.
4.2 Limitations on Use. Customer will not:
(a) Request or cause DocuSign (either directly or via the HIPAA Account) to Use or Disclose PHI in any manner that would not be permissible under HIPAA if done by a Covered Entity or Business Associate; or
(b) Transmit PHI to DocuSign outside of its HIPAA Account, its eDocuments, or, otherwise, in decrypted form (By way of example and not limitation, Customer may include PHI within an eDocument but Customer must not include PHI in the subject lines of Envelopes or in emails and messages to DocuSign’s support teams).
5. TERM AND TERMINATION.
5.1 Term. This BAA will commence on the effective date of the Agreement and will continue until the earlier of: (a) termination of this BAA by either Party for breach as set forth in Section 5.2 below; (b) notification to DocuSign by Customer that the HIPAA Account is no longer subject to this BAA, which, for clarification, will not terminate any then-current Order Forms; or (c) the expiration or termination of the Agreement.
5.2 Termination for Breach. A material breach of this BAA will be treated as a material breach of the Agreement and, in the event of such breach, the termination provisions of the Agreement will apply.
5.3 Effect of Termination. DocuSign will store and delete Customer’s Envelopes and eDocuments in accordance with the terms set forth in the Agreement. If and to the extent DocuSign maintains possession of Customer PHI in decrypted form, DocuSign will, at Customer’s request following the expiration or termination of this BAA, return or destroy such PHI. If it is not feasible to return or destroy decrypted PHI in DocuSign’s possession, then DocuSign will extend the protections of this BAA, without limitation, to such PHI and limit any further Use or Disclosure of the PHI to those purposes that make the return or destruction of the PHI infeasible. Both Parties acknowledge that, to the extent PHI may be included in any Transaction Data (as defined in the Agreement), it is not feasible to destroy or return such PHI upon the expiration or termination of this BAA.
6.1 Mitigation. In the event of a Breach resulting in the unauthorized Use or Disclosure of PHI in violation of this BAA, both Parties will, to the extent practicable under the circumstances, make commercially reasonable efforts to mitigate the harmful effects resulting from such breach.
6.2 No Third Party Beneficiaries. Nothing express or implied in this BAA is intended to confer, nor will anything in this BAA confer, upon any person other than the Parties, and the respective successors or assigns of the Parties, any rights, remedies, obligations, or liabilities whatsoever.
6.3 Interpretation. It is the Parties’ intent that any ambiguity under this BAA be interpreted in accordance with HIPAA, and the regulations promulgated under HIPAA, as each is amended from time to time.