Tealium Business Associate Addendum
This Tealium Business Associate Addendum (the “Addendum”) is made as of [ENTER MONTH], [ENTER YEAR], (“Addendum Effective Date”) by and between Tealium Inc., with a place of business located at 11095 Torreyana Road, San Diego, CA 92121 (“Tealium”) and [ENTER FULL COMPANY NAME], a [ENTER STATE OR COUNTRY OF INCORPORATION] [CORPORATION, LLC, PARTNERSHIP], with a place of business located at the address below (“Customer”).
A. Tealium and Customer have entered into a Master Services Agreement dated as of [ENTER MONTH], [ENTER YEAR], (the “MSA”). Tealium provides certain Services (as defined in the MSA) to Customer.
B. The parties are entering into this Addendum to address the use and disclosure of Protected Health Information (“PHI”) that may be created, received, stored or transmitted in the course of providing Services under the Services Agreement in accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended, including as amended by the Health Information Technology for Economic and Clinical Health Act, and their implementing regulations (collectively “HIPAA”). Capitalized terms used in this Addendum and not otherwise defined herein shall have the meanings given them in HIPAA. PHI shall have the same meaning given to such term in 45 C.F.R. Section 164.103, as applied to the information created, received, maintained or transmitted by Tealium from or on behalf of Customer.
The parties hereby agree as follows:
1. Applicability. This Addendum applies only to HIPAA Accounts. A “HIPAA Account” means an account under the Services Agreement: (a) that only uses Tealium’s Private Cloud HIPAA Eligible Services to store or transmit any PHI, (b) that is identified under Section 4(a) of this Addendum, and (c) to which Customer has applied the required security configurations as specified in Section 4(c) of this Addendum. This Addendum does not apply to other accounts Customer may have now or in the future or to any use of any Tealium Services that do not satisfy the foregoing requirements. Private Cloud HIPAA Eligible Services (or “HIPAA Eligible Services”) means the Tealium Services deployed in a Tealium Private Cloud environment. Tealium may, in its discretion, from time to time add or remove Services (or features or functionality thereof) to the HIPAA Eligible Services. Tealium will provide at least six (6) months prior notice if Tealium discontinues or materially modifies a HIPAA Eligible Service such that Customer’s use of that Service will be materially and adversely affected.
2. Use and Disclosure of PHI.
(a) Service Offering. Tealium may Use or Disclose PHI for or on behalf of Customer as specified in the Services Agreement.
(b) Administration and Management of Tealium Services. Tealium may Use and Disclose PHI as necessary for the proper management and administration of Tealium or the Services. Any disclosures under this Section will be made if Tealium obtains reasonable assurances from the recipient of the PHI that (i) the recipient will hold the PHI confidentially and will Use or Disclose the PHI only as Required by Law or for the purpose for which it was disclosed to the recipient, and (ii) the recipient will notify Tealium of any instances of which it is aware in which the confidentiality of the information has been breached.
3. Obligations of Tealium.
(a) Tealium Obligations Conditioned on Appropriate Configuration. For any other Customer accounts or any of Customer’s use of any Service other than HIPAA Eligible Services, Tealium does not act as a Business Associate under HIPAA and will have no obligations under this Addendum.
(b) Limit on Uses and Disclosures. Tealium will Use or Disclose PHI only as permitted by the Addendum or as Required by Law, provided that any such Use or Disclosure would not violate HIPAA if done by a Covered Entity, unless permitted under HIPAA for a Business Associate. To the extent Tealium is carrying out any of Customer’s obligations under HIPAA pursuant to the terms of the Services Agreement or this Addendum, Tealium shall comply with the requirements of HIPAA that apply to Customer in the performance of such obligation(s).
(c) Safeguards. Tealium will use reasonable and appropriate safeguards to prevent Use or Disclosure of PHI other than as provided for by this Addendum, consistent with the requirements of Subpart C of 45 C.F.R. Part 164 (with respect to Electronic PHI) as determined by Tealium and as reflected in the Services Agreement.
(d) Reporting. For all reporting obligations under this Addendum, the parties acknowledge that, because Tealium does not know the nature of the PHI contained in any Customer’s accounts, it will not be possible for Tealium to provide information about the identities of the individuals who may have been affected, or a description of the type of information that may have been subject to a Security Incident, Impermissible Use or Disclosure, or Breach.
(1) Reporting of Impermissible Uses and Disclosures. Tealium will report to Customer any Use or Disclosure of PHI not permitted or required by this Addendum of which Tealium becomes aware.
(2) Reporting of Security Incidents. Tealium will report to Customer on no less than a quarterly basis any Security Incidents involving PHI of which Tealium becomes aware in which there is a successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an Information System in a manner that risks the confidentiality, integrity, or availability of such information. No notice will be provided for unsuccessful attempts at such unauthorized access, use, disclosure, modification, or destruction, such as pings and other broadcast attacks on a firewall, denial of service attacks, port scans, unsuccessful login attempts, or interception of encrypted information where the key is not compromised, or any combination of the above.
(3) Reporting of Breaches. Tealium will report to Customer any Breach of Customer’s Unsecured PHI that Tealium may discover to the extent required by 45 C.F.R. Section 164.410. Tealium will make such report without unreasonable delay and in no case later than ten (10) business days after discovery of such Breach.
(e) Subcontractors. Tealium will ensure that any subcontractors that create, receive, maintain or transmit PHI on behalf of Tealium agree to restrictions and conditions at least as stringent as those found in this Addendum, and agree to implement reasonable and appropriate safeguards to protect PHI.
(f) Access to PHI. Tealium will make PHI in a Designated Record Set available to Customer so Customer can comply with 45 C.F.R. Section 164.524.
(g) Amendment to PHI. Tealium will make PHI in a Designated Record Set available to Customer for amendment and incorporate any amendments to the PHI, as may reasonably be requested by Customer in accordance with 45 C.F.R. Section 164.526.
(h) Accounting of Disclosures. Tealium will make available to Customer the information required to provide an accounting of Disclosures in accordance with 45 C.F.R. Section 164.528 of which Tealium is aware, if requested by Customer. Because Tealium cannot readily identify which individuals are identified or what types of PHI are included in Content Customer or any End User (i) run on the Services, (ii) cause to interface with the Services, or (iii) upload to the Services under Customer’s account or otherwise transfer, process, use or store in connection with Customer’s account (“Customer Content”), Customer will be solely responsible for identifying which Individuals, if any, may have been included in Customer Content that Tealium has disclosed and for providing a brief description of the PHI disclosed.
(i) Internal Records. Tealium will make its internal practices, books, and records relating to the Use and Disclosure of PHI available to the Secretary of the U.S. Department of Health and Human Services (“HHS”) for purposes of determining Customer’s compliance with HIPAA. Nothing in this section will waive any applicable privilege or protection, including with respect to trade secrets and confidential commercial information.
(j) Mitigation. To the extent practicable, Tealium will reasonably cooperate with Customer’s efforts to mitigate a harmful effect that is known to Tealium of a Use or Disclosure of PHI by Tealium that is not permitted by this Addendum.
4. Customer’s Obligations.
(a) Identification of HIPAA Accounts. All Customer’s accounts that Customer intends to be applicable to this Addendum that contain PHI are identified on Exhibit A to this Addendum.
(b) Appropriate Use of HIPAA Accounts. Customer is responsible for implementing appropriate privacy and security safeguards in order to protect Customer’s PHI in compliance with HIPAA and this Addendum. Without limitation, Customer will not include PHI in any Services that are not HIPAA Eligible Services.
(c) Appropriate Configurations. Customer is solely responsible for encrypting all PHI transmitted using the Services in accordance with the Secretary of HHS’s Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals, available at: https://www.hhs.gov/hipaa/for-professionals/breach-notification/guidance/index.html, as it may be updated from time to time, and as may be made available on any successor or related site designated by HHS.
(d) Necessary Consents. Customer warrants that it has obtained any necessary authorizations, consents, and other permissions that may be required under applicable law prior to placing Customer Content, including without limitation PHI, on the Tealium network. Customer shall notify Tealium of any changes in, or revocation of, permission by an Individual to use or disclose PHI, to the extent that such changes may affect placing Customer Content, including without limitation PHI, on the Tealium network.
(e) Restrictions on Disclosures. Customer will not agree to any restriction requests or place any restrictions in any notice of privacy practices that would cause Tealium to violate this Addendum or any applicable law.
(f) Compliance with HIPAA. Customer will not request or cause Tealium to make a Use or Disclosure of PHI in a manner that does not comply with HIPAA or this Addendum.
5. Term and Termination.
(a) Term. The term of this Addendum will commence on the Addendum Effective Date and will remain in effect with respect to each account that Customer identifies as being subject to this Addendum until the earlier of the termination of the Services Agreement with respect to that particular account or use, or notification by Customer that an account is no longer subject to this Addendum.
(b) Termination. Either party has the right to terminate this Addendum for any reason upon 90 days prior written notice to the other party. A material breach of this Addendum will be treated as a material breach of the Services Agreement.
(c) Effect of Termination. At termination of this Addendum, Tealium, if feasible, will return or destroy all PHI that Tealium still maintains in any form and retain no copies of such information or, if such return or destruction is not feasible, extend the protections of this Addendum to the information and limit further Uses and Disclosures to those purposes that make the return or destruction of the information infeasible. The Services provide Customer with controls that Customer may use to retrieve or delete PHI. Up to the termination date, Customer will continue to have the ability to retrieve or delete PHI in accordance with this Section. To the extent Customer is unable to retrieve or delete PHI itself through its use of the Services, Tealium will assist Customer in such retrieval or deletion upon Customer’s written request. Upon the termination date, Customer will close all accounts. Tealium will delete PHI when requested by Customer by using the Service controls provided for this purpose by Tealium.
6. No Agency Relationship. As set forth in the Agreement, nothing in this Addendum is intended to make either party an agent of the other. Nothing in this Addendum is intended to confer upon Customer the right or authority to control Tealium’s conduct in the course of Tealium complying with the Services Agreement and this Addendum.
7. Nondisclosure. Customer agrees that the terms of this Addendum are not publicly known and constitute Tealium Confidential Information under the Services Agreement.
8. Entire Agreement; Conflict. Except as amended by this Addendum, the Services Agreement will remain in full force and effect. This Addendum, together with the Services Agreement as amended by this Addendum: (a) is intended by the parties as a final, complete and exclusive expression of the terms of their agreement; and (b) supersedes all prior agreements and understandings (whether oral or written) between the parties with respect to the subject matter hereof. If there is a conflict between the Services Agreement, this Addendum or any other amendment or addendum to the Services Agreement or this Addendum, the document later in time will prevail. Where provisions of this Addendum are different from those mandated in HIPAA, but are nonetheless permitted by such rules as interpreted by courts or agencies, the provisions of this Addendum shall control.
9. Counterparts. This Addendum may be executed in two or more counterparts, each of which will be deemed an original and all of which taken together will be deemed to constitute one and the same document.
10. General. This Addendum is governed by, and shall be construed in accordance with, the laws of the State that govern the MSA. Any action relating to this Addendum must be commenced within one (1) year after the date upon which the cause of action accrued. Customer shall not assign this Addendum without the prior written consent of Tealium, which shall not be unreasonably withheld. If any part of a provision of this Addendum is found illegal or unenforceable, it shall be enforced to the maximum extent permissible, and the legality and enforceability of the remainder of that provision and all other provisions of this Addendum shall not be affected. All notices relating to the parties’ legal rights and remedies under this Addendum shall be provided in writing to a party, shall be sent to its address set forth in the Services Agreement, or to such other address as may be designated by that party by notice to the sending party, and shall reference this Addendum.
In Witness Whereof, the parties have executed this Addendum as of the Addendum Effective Date.
Printed Name: __________________________
[ENTER FULL COMPANY NAME]
Printed Name: __________________________