NICEJOB HIPAA STATEMENT

NiceJob has received independent third-party verification that it complies with the rules and regulations of HIPAA. For more details, please contact hello@nicejob.com

Business Associate Addendum Terms for Applicable NiceJob Customers

These HIPAA Business Associate terms and conditions ("HIPAA Addendum") shall be incorporated into the applicable Terms of Service or Master Service Agreement ("Underlying Agreement") for applicable Customers that are Covered Entities (as defined below) that provide Protected Health Information ("PHI") (as defined below) to NiceJob in connection with the NiceJob services they have purchased. These terms supplement the Underlying Agreement to comply with the federal Standards for HIPAA of Individually Identifiable Health Information, located at 45 C.F.R. Part 160 and Part 164, Subparts A through E ("HIPAA Rule") and the Health Information Technology for Economic and Clinical Health Act, Public Law 111-005 (the "HITECH Act").

1. HIPAA RULES DEFINITIONS

The following terms used in this Agreement shall have the same meaning as those terms in the HIPAA Rules: Breach, Data Aggregation, Designated Record Set, Disclosure, Health Care Operations, Individual, Minimum Necessary, Notice of Privacy Practices, Protected Health Information, Required By Law, Secretary, Security Incident, Subcontractor, Unsecured Protected Health Information, and Use.

2. SPECIFIC DEFINITIONS

Terms used, but not otherwise defined, in this HIPAA Addendum shall have the same meaning as those terms in the Privacy Rule or the HITECH Act:

  • a) “Breach” shall have the same meaning given to such term under 42 U.S.C. § 17921.
  • b) “Business Associate” shall generally have the same meaning as the term “business associate” at 45 CFR 160.103, and in reference to the party to this agreement, shall mean NiceJob.
  • c) “Covered Entity” shall generally have the same meaning as the term “covered entity” at 45 CFR 160.103, and in reference to the party to this agreement, shall mean [Insert Name of Covered Entity].
  • d) “HIPAA Rules” shall mean the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Part 160 and Part 164.
  • e) “Individual” shall have the same meaning as the term “individual” in 45 C.F.R. §160.103 and shall include a person who qualifies as a personal representative in accordance with 45 C.F.R. § 164.502(g).
  • f) “Protected Health Information” or “PHI” shall have the same meaning as the term “protected health information” in 45 C.F.R. § 160.103, limited to the information created or received by Business Associate from or on behalf of the Covered Entity.
  • g) “Required by Law” shall have the same meaning as the term “required by law” in 45 C.F.R. §160.103.
  • h) “Unsecured PHI” shall have the same meaning given to such term under the HITECH Act and any guidance issued pursuant to this act.

3. OBLIGATIONS AND ACTIVITIES OF BUSINESS ASSOCIATE

NiceJob agrees to:

  • a) Use and Disclosure of PHI: NiceJob shall not use or disclose PHI other than as permitted or required by this HIPAA Addendum or as Required by Law. NiceJob shall not use or disclose PHI for marketing or sale to third parties. NiceJob shall not directly or indirectly receive remuneration in exchange for PHI, except with the prior written consent of Covered Entity and as permitted by the HITECH Act; however, this prohibition shall not affect payment by Covered Entity to NiceJob for services provided pursuant to the Underlying Agreement.

  • b) Safeguards: NiceJob shall use appropriate safeguards and comply with Subpart C of 45 CFR Part 164 with respect to electronic PHI, to prevent use or disclosure of PHI other than as provided for by the Agreement.

  • c) Mitigation: NiceJob shall mitigate, to the extent practicable, any harmful effect that is known to NiceJob of a use or disclosure of PHI by NiceJob in violation of the requirements of this HIPAA Addendum.

  • d) Reporting: NiceJob shall report to Covered Entity any use or disclosure of PHI not provided for by the Agreement of which it becomes aware, including breaches of unsecured PHI as required at 45 CFR 164.410, and any security incident of which it becomes aware;

    • i. Business Associate will notify Covered Entity of the breach within thirty (30) business days
    • ii. Business Associate will notify the patient of the breach
    • iii. Business Associate will notify HHS Office for Civil Rights of breach
  • e) Disclosure to Agents and Subcontractors: In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of NiceJob agree to the same restrictions, conditions, and requirements that apply to NiceJob with respect to such information

  • f) Designated Record Set: NiceJob shall provide access, at the request of Covered Entity, to PHI in a Designated Record Set to meet the requirements under 45 C.F.R. § 164.524. Business Associate will forward the request for access of the designated record set to Covered Entity within thirty (30) days OR Business Associate will respond to the request for access of the designated record set within Thirty [30] days (Per the applicability). If Business Associate is unable to respond to the request for access, the Business Associate will notify the requesting party.

  • g) Internal Practices, Policies, and Procedures: NiceJob shall make available its internal practices, books, and records, including policies and procedures and PHI, relating to the use and disclosure of PHI received from, or created or received by NiceJob on behalf of, Covered Entity available to the Covered Entity and to the Secretary for purposes of the Secretary determining Covered Entity’s compliance with the Privacy Rule and the HITECH Act.

  • h) Accounting for Disclosures: NiceJob agrees to maintain the information required to provide an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528 and to make this information available to the Covered Entity upon the Covered Entity’s request to allow the Covered Entity to respond to an Individual’s request for accounting of disclosures.

  • i) Security Obligations: NiceJob shall implement appropriate safeguards as are necessary to prevent the use or disclosure of PHI otherwise than as permitted by the Underlying Agreement or this HIPAA Addendum including, but not limited to, administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the Covered Entity’s electronic PHI as required by 45 C.F.R. Sections 164.308, 164.310, and 164.312, as amended from time to time. NiceJob shall ensure that any agent, including a subcontractor, to whom it provides such electronic PHI, agrees to implement reasonable and appropriate safeguards to protect it. NiceJob shall comply with the policies and procedures and document requirements of the Privacy Rule including, but not limited to, 45 C.F.R. Section 164.316. NiceJob agrees to report promptly to the Covered Entity any security incident of which it becomes aware.

  • j) Breach Pattern or Practice by Covered Entity: If NiceJob knows of a pattern of activity or practice of the Covered Entity that constitutes a material breach or violation of the Covered Entity’s obligations under the HIPAA Addendum, NiceJob must take reasonable steps to cure the breach or end the violation. If the steps are unsuccessful, NiceJob must terminate the Underlying Agreement, if feasible, or if termination is not feasible, report the problem to the Secretary.

4. PERMITTED USES AND DISCLOSURES BY NICEJOB

  • a) Permitted Uses and Disclosures: Except as otherwise limited in this HIPAA Addendum, NiceJob may use or disclose PHI to perform functions, activities, or services for or on behalf of the Covered Entity as specified in the Underlying Agreement provided. Such use or disclosure would not violate the Privacy Rule including, but not limited to, each applicable requirement of 45 C.F.R. § 164.504(e) and the HITECH Act if done by the Covered Entity.

  • b) Use for Management and Administration: Except as otherwise limited in this HIPAA Addendum, NiceJob may use PHI for the proper management and administration of NiceJob or to carry out the legal responsibilities of NiceJob.

  • c) Disclosure for Management and Administration: Except as otherwise limited in this HIPAA Addendum, NiceJob may disclose PHI for the proper management and administration of NiceJob, provided that disclosures are Required by Law or NiceJob obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential, and used or further disclosed only as Required by Law or for the purpose for which it was disclosed to the person, and the person notifies NiceJob of any instances of which it is aware in which the confidentiality of the information has been breached.

  • d) Minimum Necessary: NiceJob (and its agents or subcontractors) shall request, use, and disclose only the minimum amount of PHI necessary to accomplish the purpose of the request, use, or disclosure. NiceJob understands and agrees that the definition of “minimum necessary” is subject to change from time to time and shall keep itself informed of guidance issued by the Secretary with