Customer Business Associate Agreement
Last Updated: April 17, 2024
This Business Associate Agreement (this “BAA”) forms the Parties’ agreement with regard to the Parties’ obligations under HIPAA (defined below) under the Master Services Agreement or other agreement(s) governing the provision of services (the “Services”) between customer (“Customer”) and Five9, Inc., having offices at 3001 Bishop Drive, Suite 350, San Ramon, California 94583 USA (“Five9”), for the purchase of Services from Five9 (“Agreement”), which is incorporated by reference. Customer and Five9 are collectively referred to as the “Parties.”
This BAA is effective as of the date that it is executed or as otherwise determined between the Parties. If there is any conflict between a provision in this BAA and a provision in the Agreement, this BAA will control. This BAA replaces and supersedes any and all prior business associate agreements between the Parties.
1. Definitions.
Except as otherwise defined in this BAA, capitalized terms shall have the definitions set forth in HIPAA, and if not defined by HIPAA, such terms shall have the definitions set forth in the Agreement.
“Breach Notification Rule” means the Breach Notification for Unsecured Protected Health Information Final Rule.
“Breach” has the definition given to it in 45 CFR § 164.402 of HIPAA.
“Business Associate” has the definition given to it in 45 CFR § 160.103 of HIPAA.
“Covered Entity” has the definition given to it in 45 CFR § 160.103 of HIPAA.
“Designated Record Set” has the definition given to it in 45 CFR § 164.501 of HIPAA.
“Disclosure” and its variants have the definitions consistent with the definition given to “disclosure” in 45 CFR § 160.103 of HIPAA.
“HIPAA” collectively means the administrative simplification provision of the Health Insurance Portability and Accountability Act enacted by the United States Congress, and its implementing regulations, including the Privacy Rule, the Breach Notification Rule, and the Security Rule, as amended from time to time, including by the Health Information Technology for Economic and Clinical Health (“HITECH”) Act and by the Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules; Final Rule.
“Individual” has the definition given to it in 45 CFR § 160.103 of HIPAA.
“Privacy Rule” means the Standards for Privacy of Individually Identifiable Health Information found at 45 CFR § 160 and § 164, Subparts A and E.
“Protected Health Information” or “PHI” has the definition given to it in 45 CFR § 160.103 of HIPAA.
“Required by Law” has the definition given to it in 45 CFR § 164.103 of HIPAA.
“Security Incident” has the definition given to it in 45 CFR § 164.304 of HIPAA.
“Security Rule” means the Security Standards for the Protection of Electronic Protected Health Information found at 45 CFR § 160 and § 164, Subparts A and C.
“Subcontractor” has the definition given to it in 45 CFR § 160.103 of HIPAA.
“Unsecured Protected Health Information” has the definition given to it in 45 CFR § 164.402 of HIPAA.
“Use” has the definition given to it in 45 CFR § 160.103 of HIPAA.
2. Applicability.
This BAA applies to the extent Customer is acting as a Covered Entity or a Business Associate to create, receive, maintain, or transmit PHI via the Services and to the extent Five9, as a result, is deemed under HIPAA to be acting as a Business Associate or, when Customer is itself a Business Associate, a Subcontractor of Customer.
Both Parties shall comply with all applicable federal and state laws governing the confidentiality and privacy of health information, including, but not limited to, the Privacy Rule, and both Parties intend to protect the privacy and provide for the security of PHI disclosed to Five9 pursuant to the terms of this BAA, HIPAA and other applicable laws.
3. Permitted Use and Disclosure of Protected Health Information.
a. Performance of the Agreement. Except as otherwise limited in this BAA, Five9 may Use and Disclose PHI for, or on behalf of, Customer as specified in the Agreement and any applicable Service Order; provided that any such Use or Disclosure would not violate HIPAA if done by Customer, unless expressly permitted under Section 3.b below.
b. Management, Administration, and Legal Responsibilities. Except as otherwise limited in this BAA, Five9 may Use and Disclose PHI for the proper management and administration of Five9 and/or to carry out the legal responsibilities of Five9, provided that any Disclosure may occur only if: (1) Required by Law; or (2) Five9 obtains written reasonable assurances from the person to whom the PHI is Disclosed that it will be held confidentially and Used or further Disclosed only as Required by Law or for the purpose for which it was Disclosed to the person, and the person notifies Five9 of any instances of which it becomes aware in which the confidentiality of the PHI has been breached.
4. Five9 Responsibilities with Respect to Protected Health Information.
To the extent Five9 is acting as a Business Associate or a Subcontractor of Customer, Five9 agrees to the following:
a. Limitations on Use and Disclosure. Five9 shall not Use and/or Disclose the PHI other than as permitted or required by the Agreement, any applicable Service Order, and/or this BAA or as otherwise Required by Law. Five9 shall not disclose, capture, maintain, scan, index, transmit, share or Use PHI for any activity not authorized under the Agreement, any applicable Service Order, and/or this BAA. Five9 shall Use, Disclose, and/or request the minimum necessary PHI to accomplish the intended purpose of such Use, Disclosure, or request.
b. Safeguards. Five9 shall: (1) use reasonable and appropriate safeguards to prevent Use and Disclosure of PHI other than as permitted in Section 3 herein; and (2) comply with the applicable requirements of the Security Rule.
c. Reporting. Five9 shall report to Customer: (1) any Use and/or Disclosure of PHI that is not permitted or required by this BAA of which Five9 becomes aware; (2) any Security Incident of which it becomes aware, provided that notice is hereby deemed given for Unsuccessful Security Incidents and no further notice of such Unsuccessful Security Incidents shall be given; and/or (3) any Breach of Unsecured Protected Health Information that Five9 may discover (in accordance with 45 CFR § 164.410 of the Breach Notification Rule). Notification of a Breach will be made without unreasonable delay, but in no event more than seventy-two (72) hours after Five9’s discovery of a Breach.
For purposes of this Section, “Unsuccessful Security Incidents” mean, without limitation, pings and other broadcast attacks on Five9’s firewall, port scans, unsuccessful log-on attempts, denial of service attacks, and any combination of the above, as long as no such incident results in unauthorized access, acquisition, Use, or Disclosure of PHI.
d. Subcontractors. In accordance with 45 CFR §§ 164.502(e)(1)(ii) and 164.308(b)(2) of HIPAA, Five9 shall require its Subcontractors who create, receive, maintain, or transmit PHI on behalf of Five9 to agree in writing to: (1) restrictions and conditions no less restrictive than those that apply to Five9 with respect to such PHI; (2) appropriately safeguard the PHI; and (3) comply with the applicable requirements of 45 CFR Part 164 Subpart C of the Security Rule. Five9 remains responsible for its Subcontractors’ compliance with obligations in this BAA.
e. Disclosure to the Secretary. To the extent required by law, and subject to all applicable legal privileges, Five9 will make its internal practices, books, and records concerning the Use and Disclosure of PHI received from Customer available to the Secretary of the U.S. Department of Health and Human Services (the “Secretary”) for the purpose of the Secretary determining compliance with this BAA.
f. Access. In the event Five9 maintains PHI in a Designated Record Set, then at the written request of Customer, Five9 shall within fifteen (15) days make access to such PHI available to Customer in accordance with 45 CFR § 164.524 of the Privacy Rule.
g. Amendment. Subject to Section 4.f above, if Five9 maintains PHI in a Designated Record Set, then at the written request of Customer, Five9 shall within fifteen (15) days make available such PHI to Customer for amendment and incorporate any reasonably requested amendment in the PHI in accordance with 45 CFR § 164.526 of the Privacy Rule.
h. Accounting of Disclosure. At the written request of Customer, Five9 shall within thirty (30) days make available to Customer such information relating to Disclosures made by Five9 as required for Customer to make any requested accounting of Disclosures in accordance with 45 CFR § 164.528 of the Privacy Rule.
5. Customer Responsibilities with Respect to Protected Health Information.
a. Safeguards. Customer shall use appropriate safeguards to prevent unauthorized Use or Disclosure of PHI, including, without limitation, ordering encryption services, and as otherwise required under HIPAA or HITECH.
b. No Impermissible Requests. Customer shall not request Five9 to Use or Disclose PHI in any manner that would not be permissible under HIPAA if done by a Covered Entity (unless permitted by HIPAA for a Business Associate).
6. Term and Termination.
a. Term. This BAA shall continue in effect until the earlier of (1) termination by a Party for breach as set forth in Section 6.b below, or (2) expiration of the Agreement.
b. Termination for Breach. Upon written notice, either Party may immediately terminate the Agreement and this BAA if the other Party is in material breach or default of any obligation in this BAA. Either Party may provide the other a thirty (30) calendar day period to cure a material breach or default within such written notice.
c. Return, Destruction, or Retention of Protected Health Information Upon Termination. Upon written request of Customer, Five9 shall return or destroy all PHI in its possession, if it is feasible to do so, and as set forth in the applicable termination provisions of the Agreement, in all cases subject to any retention required by law. If it is not feasible to return or destroy any portions of the PHI upon such request, then Five9 shall extend the protections of this BAA, without limitation, to such PHI and limit any further Use or Disclosure of the PHI to those purposes that make the return or destruction infeasible for the duration of the retention of the PHI. The provisions of this Section 6.c will survive termination or expiration of this BAA.
7. Miscellaneous.
a. Interpretation. The Parties intend that this BAA be interpreted consistently with their intent to comply with HIPAA and other applicable federal and state law. Except where this BAA conflicts with the Agreement, all other terms and conditions of the Agreement remain unchanged.
b. Waiver. A waiver with respect to one event shall not be construed as continuing, as a bar to, or as a waiver of any right or remedy as to subsequent events.
c. Notification. Any reports, notifications, or other notices under this BAA will be in accordance with the notice provisions in the Agreement.
d. No Third-Party Beneficiaries. Nothing express or implied in this BAA is intended to confer, nor shall anything in this BAA confer, upon any person other than the Parties, and the respective successors or assigns of the Parties, any rights, remedies, obligations, or liabilities whatsoever.
8. Severability.
In the event that any provision of this BAA is found to be invalid or unenforceable, the remainder of this BAA shall not be affected thereby, but rather the remainder of this BAA shall be enforced to the greatest extent permitted by law.
9. Governing Law.
This BAA shall be governed by and construed in accordance with the laws of the State of California.