Eleanote Business Associate Agreement

Version 1.1 · Updated June 2, 2026 · Effective upon your acceptance

RECITALS

This Business Associate Agreement (the "Agreement") is entered into between Eleanote LLC (the "Business Associate") and the individual or entity that accepts this Agreement (the "Customer"). Customer acts in the capacity of a Covered Entity under HIPAA, as a part of or on behalf of a Covered Entity, or otherwise as a party authorized to enter into this Agreement, as further described in Section 9.4. This Agreement takes effect on the date Customer accepts it as described in the Acceptance section below (the "Effective Date").

WHEREAS, the Parties have entered into, and may in the future enter into, one or more arrangements through which Business Associate provides the Eleanote service (the "Services"), which sometimes may involve (i) the creation, receipt, maintenance, transmission, or use of Protected Health Information (as defined below) and Electronic Protected Health Information (as defined below) by Business Associate, or (ii) the disclosure of Protected Health Information and Electronic Protected Health Information by Customer (or another business associate of Customer) to Business Associate (the "Arrangement(s)");

WHEREAS, by providing the Services to Customer under the Arrangement(s), Business Associate acknowledges that it is acting as a Business Associate and that the creation, receipt, transmission, or maintenance of Protected Health Information and Electronic Protected Health Information by Business Associate is subject to the Privacy, Security, Breach Notification, and Enforcement rules promulgated pursuant to the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") at 45 C.F.R. Parts 160 and 164. This Agreement is intended to document the business associate assurances required by the HIPAA Privacy Regulations (at 45 C.F.R. § 164.504(e)), and the HIPAA Security Regulations (at 45 C.F.R. § 164.314(a)) and Business Associate's obligations under the HIPAA Breach Notification Regulations (at 45 C.F.R. § 164.410);

WHEREAS, this Agreement will govern the terms and conditions under which Customer may disclose or have disclosed to Business Associate, and Business Associate may create, receive, maintain, transmit, or use Protected Health Information and Electronic Protected Health Information on behalf of Customer.

NOW THEREFORE, in consideration of the mutual promises and conditions contained herein, and for other good and valuable consideration, the Parties agree as follows:

SECTION 1 — DEFINITIONS

Capitalized terms used in this Agreement, but not otherwise defined in this Agreement, shall have the same meanings as those terms in the HIPAA Privacy Regulations, Security Regulations and Breach Notification Regulations codified at 45 C.F.R. Parts 160 and 164. Unless otherwise stated, a reference to a "Section" is to a Section in this Agreement. For purposes of this Agreement, the following terms shall have the following meanings.

1.1 Breach. "Breach" shall have the same meaning as the term "breach" in 45 C.F.R. § 164.402.

1.2 Covered Entity. "Covered Entity" shall have the same meaning as the term "covered entity" in 45 C.F.R. § 160.103. Where this Agreement refers to Customer's obligations, permissions, or records as those of a Covered Entity, it refers to the Covered Entity that Customer is, is part of, or acts on behalf of, as described in Section 9.4.

1.3 Designated Record Set. "Designated Record Set" shall have the same meaning as the term "designated record set" in 45 C.F.R. § 164.501.

1.4 Electronic Protected Health Information or EPHI. "Electronic Protected Health Information" or "EPHI" shall have the same meaning as the term "electronic protected health information" in 45 C.F.R. § 160.103, limited to the information created or received by Business Associate from or on behalf of Customer.

1.5 Individual. "Individual" shall mean the person who is the subject of Protected Health Information as provided in 45 C.F.R. § 160.103 and shall include a person who qualifies as a personal representative in accordance with 45 C.F.R. § 164.502(g).

1.6 Individually Identifiable Health Information. "Individually Identifiable Health Information" shall have the same meaning as the term "individually identifiable health information" in 45 C.F.R. § 160.103.

1.7 Protected Health Information or PHI. "Protected Health Information" or "PHI" shall have the same meaning as the term "protected health information" in 45 C.F.R. § 160.103, limited to the information created or received by Business Associate from or on behalf of Customer.

1.8 Required By Law. "Required By Law" shall have the same meaning as the term "required by law" in 45 C.F.R. § 164.103.

1.9 Secretary. "Secretary" shall mean the Secretary of the federal Department of Health and Human Services or that person's designee.

1.10 Security Incident. "Security Incident" shall have the same meaning as the term "security incident" in 45 C.F.R. § 164.304.

1.11 Unsecured Protected Health Information. "Unsecured Protected Health Information" shall have the same meaning as the term "unsecured protected health information" in 45 C.F.R. § 164.402, limited to the information created or received by Business Associate from or on behalf of Customer.

SECTION 2 — PERMITTED USES AND DISCLOSURES BY BUSINESS ASSOCIATE

2.1 General. Except as otherwise specified in this Agreement, Business Associate may use or disclose PHI to perform its obligations for, or on behalf of, Customer provided that Business Associate uses and discloses PHI in the following manner:

2.1.1 consistent with the minimum necessary policies and procedures of the Covered Entity; and

2.1.2 in a manner that would not violate 45 C.F.R. Subpart E if done by the Covered Entity, except as specified in paragraphs 2.2 and 2.3 of this section.

2.2 Other Permitted Uses. Except as otherwise limited by this Agreement, Business Associate may use PHI it receives or creates in its capacity as a business associate of Customer, if necessary:

2.2.1 for the proper management and administration of Business Associate; or

2.2.2 to carry out the legal responsibilities of Business Associate.

2.3 Other Permitted Disclosures. Except as otherwise limited by this Agreement, Business Associate may disclose to a third party PHI it receives or creates in its capacity as a business associate of Customer for the proper management and administration of Business Associate, provided that:

2.3.1 The disclosure is Required By Law; or

2.3.2 Business Associate obtains reasonable assurances from the third party to whom the information is disclosed that (i) the PHI will remain confidential and be used or further disclosed only as Required By Law or for the purpose for which it was disclosed to the third party, and (ii) the third party notifies Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.

SECTION 3 — OBLIGATIONS OF BUSINESS ASSOCIATE

3.1 Limitations on Uses and Disclosures. Business Associate will not use or further disclose PHI other than as permitted or required by this Agreement or as Required By Law.

3.2 Safeguards. Business Associate will use appropriate safeguards to prevent use or disclosure of the PHI other than as provided for by this Agreement.

3.3 Mitigation. Business Associate will mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate or by a subcontractor or agent of Business Associate in violation of the requirements of this Agreement.

3.4 Reporting. Business Associate will report to Customer any use or disclosure of the PHI not provided for by this Agreement of which it becomes aware.

3.5 Agents and Subcontractors. Business Associate will ensure that any agent, including any subcontractor, to whom Business Associate provides PHI that was created for or received from or on behalf of Customer, has executed an agreement containing substantially the same restrictions and conditions that apply through this Agreement to Business Associate with respect to such information. Business Associate will ensure only those who reasonably need to know such information in order to perform Services receive such information and, in such case, only the minimum amount of such PHI is disclosed as is necessary for such performance.

3.6 Access. Where PHI held by Business Associate is contained in a Designated Record Set, within fifteen (15) days of receiving a written request from Customer, Business Associate will make such PHI available to Customer or, as directed by Customer, to an Individual, that is necessary for Customer to respond to Individuals' requests for access to PHI in accordance with 45 C.F.R. § 164.524. Business Associate will provide such PHI in an electronic format where directed by Customer.

3.7 Amendment of PHI. Where PHI held by Business Associate is contained in a Designated Record Set, within fifteen (15) days of receiving a written request from Customer or an Individual, Business Associate will make any requested amendment(s) to PHI in a Designated Record Set that Customer directs or agrees to pursuant to 45 C.F.R. § 164.526.

3.8 Disclosure Documentation. Business Associate will document its disclosures of PHI and information related to such disclosures as would be required for Customer to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528.

3.9 Accounting of Disclosures. Within thirty (30) days of receiving a written request from Customer, Business Associate will provide to Customer such information as is necessary for Customer to provide an accounting of disclosures in accordance with 45 C.F.R. § 164.528.

3.10 Access to Business Associate's Internal Practices. Business Associate will make its internal practices, books, and records relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of, Customer available to the Secretary or to Customer, in a time and manner designated by the Secretary or Customer, for purposes of the Secretary determining compliance with the HIPAA Privacy Regulations.

3.11 Breach Notification. Business Associate, following the discovery of a Breach of Unsecured Protected Health Information, shall notify Customer of such Breach in accordance with 45 C.F.R. § 164.410. Such notification shall be made without unreasonable delay, and in no case later than thirty (30) calendar days after discovery of the Breach.

3.11.1 Such notice shall include, to the extent possible: (i) the names of the Individual(s) whose Unsecured Protected Health Information has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed during the Breach; (ii) a brief description of what happened, including the date of the Breach and the date of discovery of the Breach, if known; (iii) a description of the types of Unsecured Protected Health Information involved in the Breach; (iv) a brief description of what Business Associate is doing to investigate the Breach, to mitigate harm to Individuals, and to protect against further Breaches; and (v) any other information Customer is required to include in notification to the Individual under 45 C.F.R. § 164.404 at the time Business Associate is required to provide notice or promptly thereafter as the information becomes available.

3.11.2 After receipt of notice from Business Associate of a Breach, Customer may in its sole discretion (i) require Business Associate, at Business Associate's sole expense, to notify, in accordance with 45 C.F.R. § 164.404, the Individual(s) affected, or who may have been affected, by the Breach, or (ii) elect to provide notice to the Individual(s) affected.

3.12 Remuneration in Exchange for PHI. Business Associate shall not directly or indirectly receive remuneration in exchange for any PHI unless Customer notifies Business Associate that it obtained a valid authorization from the Individual specifying that the Individual permits such exchange for remuneration, and Business Associate complies with the conditions of such authorization.

3.13 Marketing. Business Associate must obtain, or confirm that Customer has obtained, an authorization for any use or disclosure of PHI for marketing, as defined in 45 C.F.R. § 164.501, except where the communication meets an exception under that section.

SECTION 4 — OBLIGATIONS OF CUSTOMER

4.1 Limited Disclosure Obligations. Customer will limit the PHI provided to Business Associate to only that necessary to the performance of the Services. Prior to the transmission of PHI to Business Associate, Customer will arrange with Business Associate for the proper and secure transmission of such PHI.

4.2 Requested Restrictions. Customer shall notify Business Associate, in writing, of any restriction on the use or disclosure of PHI that Customer has agreed to in accordance with 45 C.F.R. § 164.522, which permits an Individual to request certain restrictions of uses and disclosures, to the extent that such restriction may affect Business Associate's use or disclosure of PHI.

4.3 Changes in or Revocation of Permission. Customer will notify Business Associate in writing of any changes in, or revocation of, permission by an Individual to use or disclose PHI, to the extent that such changes or revocation may affect Business Associate's use or disclosure of PHI.

4.4 Permissible Requests by Customer. Customer shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under the HIPAA Privacy Regulations and HIPAA Security Regulations if done by the Covered Entity, except to the extent that Business Associate will use or disclose PHI for management and administrative activities and legal responsibilities of Business Associate.

SECTION 5 — SECURITY RESTRICTIONS ON BUSINESS ASSOCIATE

5.1 General. Business Associate shall implement administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of the EPHI that Business Associate creates, receives, maintains, or transmits on behalf of Customer as required by the HIPAA Security Regulations.

5.2 Agents; Subcontractors. Business Associate will ensure that any agent, including a subcontractor, to whom Business Associate provides EPHI, agrees to implement administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of such EPHI.

5.3 Reporting of Security Incidents. Business Associate shall report to Customer any Security Incident affecting EPHI created, received, maintained, or transmitted by Business Associate on behalf of Customer, of which Business Associate becomes aware. This Section constitutes notice to Customer of routine and ongoing attempts to gain unauthorized access to Business Associate's information systems (each an "Unsuccessful Attack"), including but not limited to pings, port scans, and denial of service attacks, for which no additional notice shall be required provided that no such incident results in unauthorized access to Electronic PHI.

5.4 HIPAA Security Regulations Compliance. Business Associate agrees to comply with Sections 164.306, 164.308, 164.310, 164.312, and 164.316 of title 45, Code of Federal Regulations with respect to all EPHI.

SECTION 6 — TERM AND TERMINATION

6.1 Term. This Agreement shall take effect on the Effective Date, and shall terminate when all of the PHI disclosed to Business Associate by Customer or created or received by Business Associate on behalf of Customer, is destroyed or returned to Customer, or, if it is infeasible to return or destroy PHI, protections are extended to such information, in accordance with the termination provisions in this Section 6.

6.2 Termination for Cause. If Customer determines that Business Associate has breached a material term of this Agreement, Customer will provide written notice to Business Associate which sets forth Customer's determination that Business Associate breached a material term of this Agreement, and Customer may:

6.2.1 Provide written notice to Business Associate which provides an opportunity for Business Associate to cure the breach or end the violation, as applicable. If Business Associate does not cure the breach or end the violation within the time specified by Customer, then Customer may immediately thereafter terminate this Agreement; or

6.2.2 Immediately terminate this Agreement if Business Associate has breached a material term of this Agreement and cure is not possible.

6.2.3 If neither termination nor cure is feasible as provided in Sections 6.2.1 and 6.2.2 of this Agreement, Customer will report the violation to the Secretary.

6.3 Effect of Termination.

6.3.1 Except as provided in Section 6.3.2 of this Agreement, upon termination of this Agreement, for any reason, Business Associate will return or destroy all PHI received from Customer, or created or received by Business Associate on behalf of Customer. This provision also applies to PHI that is in the possession of subcontractors or agents of Business Associate. Business Associate will retain no copies of the PHI.

6.3.2 In the event that Business Associate determines that returning or destroying the PHI is infeasible, Business Associate will provide to Customer notification of the conditions that make return or destruction infeasible. Upon reasonable determination that return or destruction of PHI is infeasible, Business Associate will extend the protections of this Agreement to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such PHI.

SECTION 7 — INDEMNIFICATION

Business Associate shall indemnify, defend and save harmless Customer and each of its officers, directors, agents and employees from and against any and all third party claims, demands, suits and proceedings (each, a "Claim") and all related losses, costs, liabilities, damages or deficiencies, including interest, penalties and attorneys' fees that arise out of or result from:

For purposes of this Section 7, neither Business Associate nor any Subcontractor shall be considered an agent of Customer. Business Associate's obligations under this Section 7 regarding indemnification will survive any expiration or termination of this Agreement.

7.1 Limitation of Liability. Except as provided in Section 7.2, and notwithstanding anything to the contrary in this Agreement, Business Associate's total aggregate liability arising out of or relating to this Agreement, regardless of the form or theory of action (including contract, tort, negligence, strict liability, or otherwise), shall not exceed one million U.S. dollars ($1,000,000).

7.2 Exclusions from the Cap. The limitation in Section 7.1 shall not apply to liability arising from Business Associate's gross negligence or willful misconduct.

SECTION 8 — MISCELLANEOUS

8.1 Regulatory References. A reference in this Agreement to a section in the HIPAA Privacy Regulations, HIPAA Security Regulations, or HIPAA Breach Notification Regulations means the section as in effect or as amended.

8.2 Amendment. If any new state or federal law, rule, regulation, or policy, or any judicial or administrative decision, affecting the use or disclosure of PHI is enacted or issued that requires a change to this Agreement in order for Customer or Business Associate to comply, the parties agree to take such action in a timely manner and as is necessary for Customer and Business Associate to comply. If the parties are not able to agree on the terms of such an amendment, either party may terminate this Agreement on at least thirty (30) days' prior written notice to the other party.

8.3 Survival. The respective rights and obligations of Business Associate under Section 6.3 of this Agreement ("Effect of Termination") shall survive the termination of this Agreement.

8.4 Interpretation. Any ambiguity in this Agreement shall be resolved to permit compliance with the HIPAA Privacy Regulations and the HIPAA Security Regulations. The section and paragraph headings contained in this Agreement are for the convenience of the reader only and shall not affect the interpretation of this Agreement.

8.5 No Third Party Beneficiaries. Nothing express or implied in this Agreement is intended to confer, nor shall anything herein confer, upon any person other than Business Associate and Customer and their respective successors or assigns, any rights, remedies, obligations or liabilities whatsoever.

8.6 Assignment. This Agreement shall not be assigned or otherwise transferred by either party without the prior written consent of the other, which consent shall not be unreasonably withheld; provided that no such consent shall be required for either party's assignment or transfer of this Agreement in connection with a sale or transfer of all or substantially all of the business or assets of the assigning party to which this Agreement relates.

8.7 Entire Agreement. This Agreement constitutes the entire agreement between the parties as to its subject matter and supersedes all prior communications, representations, and agreements, oral or written, with respect to the subject matter of this Agreement.

8.8 Severability and Waiver. The invalidity of any term or provision of this Agreement will not affect the validity of any other provision. Waiver by any party of strict performance of any provision of this Agreement will not be a waiver of or prejudice the party's right to require strict performance of the same provision in the future or of any other provision of this Agreement.

8.9 Notices. Any notice permitted or required by this Agreement will be in writing and given by email. Notices to Business Associate will be sent to support@eleanote.ai. Notices to Customer will be sent to the email address associated with Customer's account. Either party may update its notice address by providing notice to the other. Notices are deemed given when sent, provided no bounce or delivery-failure message is received.

8.10 Counterparts. This Agreement may be executed in multiple counterparts, all of which together will constitute one agreement, even though all parties do not sign the same counterpart.

8.11 Effective Date. This Agreement becomes effective on the date Customer accepts it electronically through Business Associate's sign-up or acceptance process. Business Associate records and retains the version of this Agreement accepted, together with the date and time of Customer's acceptance.

SECTION 9 — ADDITIONAL TERMS SPECIFIC TO THE ELEANOTE SERVICE

9.1 PHI Architecture; No Retention; No Designated Record Set. The Eleanote Service is designed so that Protected Health Information transits Business Associate's systems only transiently for the purpose of generating Output for Customer. Business Associate does not retain Protected Health Information in an identifiable form, does not maintain Protected Health Information in a Designated Record Set, and does not index or organize any incidental Protected Health Information in a manner that would allow it to be located, retrieved, or associated with a particular Individual. To the extent Business Associate becomes aware of any Protected Health Information that has incidentally persisted in its systems — for example, within an error or diagnostic log — Business Associate will destroy or de-identify it promptly upon becoming aware of it, and will handle it in accordance with the safeguards in Sections 3 and 5 of this Agreement until it is destroyed or de-identified.

Because Business Associate does not maintain a Designated Record Set and does not retain identifiable Protected Health Information, Business Associate does not hold Protected Health Information that is subject to access or amendment under Sections 3.6 and 3.7, and any request by an Individual for access to or amendment of Protected Health Information shall be directed to and fulfilled by Customer, which maintains the relevant records in its electronic medical record system and on its own devices. Business Associate does not make disclosures of Protected Health Information that would require an accounting under Section 3.9 in the ordinary course of providing the Service; however, if Business Associate makes any disclosure of Protected Health Information that is required to be included in an accounting under 45 C.F.R. § 164.528, Business Associate will document that disclosure as provided in Section 3.8 and make the required information available to Customer upon request. Because Business Associate does not retain Protected Health Information, the return-or-destruction obligation in Section 6.3 is satisfied by Business Associate's ongoing practice of not retaining, and promptly destroying or de-identifying, any incidental Protected Health Information of which it becomes aware.

9.2 Artificial Intelligence; No Medical Advice. The Service uses artificial intelligence to generate Output and to assist Customer in creating automated inputs, including draft clinical notes, suggested codes, and order or text entries that the Service enters into other applications by keystroke at Customer's direction. Output may contain errors, omissions, or inaccuracies, and is not medical advice, a diagnosis, or a recommendation for treatment. The Service is a documentation and workflow tool; it does not practice medicine and does not exercise clinical judgment. Customer is solely responsible for reviewing all Output before relying on it, signing it, or using it in connection with patient care, and for all clinical decisions, diagnoses, orders, and documentation associated with its patients. The Service is not a medical device and is not a substitute for the professional judgment of a qualified clinician. Nothing in this Agreement, and no use of the Service, shifts any portion of Customer's clinical or professional responsibility to Business Associate.

9.3 Endpoint Security; Locally Stored Files. Customer is responsible for the security of the devices on which it installs and uses the Service, including maintaining device encryption, current operating system and security software, strong access controls, and physical security. The Service stores certain files — including Customer's preferences, order-automation recipes, and feedback — locally on Customer's device rather than on Business Associate's systems. These files are designed not to contain PHI, but Business Associate does not guarantee that they are free of PHI, and Customer shall treat these files, and the device on which they reside, as though they may contain PHI. Business Associate is not responsible for any unauthorized access to, use, or disclosure of PHI that results from a failure of Customer's endpoint security or from Customer's sharing of locally stored files.

9.4 Authority and Capacity. Customer represents and warrants that it is a Covered Entity under HIPAA, or a part of or acting on behalf of a Covered Entity, or otherwise has the authority to enter into this Agreement and to use the Service in connection with PHI. If Customer is employed by, affiliated with, or providing services to a hospital, health system, group practice, or other institution, Customer represents and warrants that it has obtained any authorization necessary to use the Service and to enter into this Agreement, and that its use of the Service does not violate any policy of, or agreement with, that institution. Business Associate relies on these representations in good faith and is not responsible for confirming Customer's authority or for any consequence arising from Customer's lack of authorization.

9.5 Relationship to Other Agreements. This Agreement is entered into together with Business Associate's Terms of Service and Privacy Policy, and together they constitute the entire agreement between the parties regarding Customer's use of the Service. This Agreement controls with respect to the use and disclosure of PHI and all matters arising under HIPAA. The Terms of Service control with respect to the general use of the Service, and the Privacy Policy controls with respect to the handling of information that is not PHI. Any liability of Business Associate arising from a breach of PHI or a violation of HIPAA is governed by the limitation of liability in Section 7 of this Agreement, and not by any separate limitation of liability in the Terms of Service.

ACCEPTANCE

Customer accepts this Agreement electronically by checking the box indicating agreement to this Business Associate Agreement during the Eleanote sign-up or account process, next to a link to this Agreement. By doing so, Customer agrees to be bound by all of its terms. Business Associate records and retains the version of this Agreement accepted, together with the date and time of acceptance.

Business Associate:

Eleanote LLC

15 Faucher Road

Londonderry, NH 03053

United States

Email: support@eleanote.ai

Customer:

The individual or entity accepting this Agreement, identified by the name and email address associated with its Eleanote account at the time of acceptance.