HIPAA Business Associate Addendum
This HIPAA Business Association Addendum (this “HIPAA Addendum”) is an addendum to the Mailgun Terms of Service (the “Terms”). This HIPAA Addendum defines the rights and responsibilities of each of us with respect to Protected Health Information as defined in the Health Insurance Portability and Accountability Act of 1996 and the regulations promulgated thereunder, including the HITECH Act and Omnibus Rule, as each may be amended from time to time (collectively, “HIPAA”). This HIPAA Addendum shall be applicable only in the event and to the extent Mailgun meets, with respect to you and as to your use of the Mailgun Services, the definition of a Business Associate set forth at 45 C.F.R. §160.103, or applicable successor provisions.
1. Defined Terms. For the purposes of this HIPAA Addendum, capitalized terms shall have the following meanings:
“Business Associate” shall mean Mailgun Technologies, Inc., a Delaware corporation.
“CFR” shall mean the Code of Federal Regulations.
“Individual” shall have the same meaning as the term “individual” in 45 CFR § 160.103 and shall include a person who qualifies as a personal representative in accordance with 45 CFR § 164.502(g).
“Privacy Rule” shall mean the Standards for Privacy of Individually Identifiable Health Information at 45 CFR part 160 and part 164, subparts A and E.
“Protected Health Information” or “PHI” shall have the same meaning as the term “protected health information” in 45 CFR § 160.103, limited to the information received by Business Associate from or on behalf of you.
“Required By Law” shall have the same meaning as the term “required by law” in 45 CFR § 164.103.
“Security Rule” shall mean the Security Standards for the Protection of Electronic Protected Health Information, located at 45 CFR Part 160 and Subparts A and C of Part 164.
“Secretary” shall mean the Secretary of the Department of Health and Human Services or his or her designee.
2. Obligations and Activities of Business Associate.
(a) Business Associate shall not use or disclose PHI other than as permitted or required by this HIPAA Addendum or as permitted or Required by Law.
(b) Business Associate agrees to provide those physical, technical, and administrative safeguards described in the Terms and the other parts of the Agreement including any safeguards selected by you and described in a Service Order. If Business Associate agrees as part of this HIPAA Addendum to carry out an obligation of yours under the Privacy Rule, then Business Associate will comply with the requirements of the Privacy Rule applicable to such obligation.
(c) Business Associate agrees to mitigate, to the extent commercially reasonable and reasonably practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate or its agents or subcontractors in violation of the requirements of this HIPAA Addendum.
(d) Within five Business Days of becoming aware, Business Associate agrees to report to you (i) Security Incidents (as defined in 45 C.F.R. §164.304 and as further described below), (ii) the Breach of unsecured PHI (as defined in 45 CFR §164.402), or (iii) an access, acquisition, use or disclosure of PHI in violation of this HIPAA Addendum.
- Both parties acknowledge that there are likely to be a significant number of meaningless or unsuccessful attempts to access the Mailgun Services, which make a real-time reporting requirement impractical for both parties. The parties acknowledge that Business Associate’s ability to report on system activity, including Security Incidents, is limited by, and to, the Services which you have purchased (and does not extend to networks or systems operated by third parties as part of general internet connectivity).
- Business Associate undertakes no obligation to report network security related incidents which occur on the Mailgun managed network but do not directly involve your Customer Data. The parties agree that the following are illustrative examples of unsuccessful security incidents which, when they do not result in the unauthorized access, use, disclosure, modification or destruction of PHI need not be reported by Business Associate: pings against network devices, port scans, attempts to log on to a system or database with an invalid password or username, detection of malware.
- Depending on your use of the Services, they may include the transmission of plain text email in an unsecured fashion using the public internet. Business Associate shall have no obligation to monitor or attempt to monitor the access to such emails, including whether they are stored by or potentially accessed by third parties during ordinary email transmission activities.
(e) Business Associate agrees to obtain from any agent, including a subcontractor to whom it provides PHI, reasonable assurances that it will adhere to the same restrictions and conditions that apply to Business Associate under this HIPAA Addendum with respect to such information. This does not apply to third party conduits and providers who are involved in the transmission, routing, storage or receipt of email which is inherent in the delivery of the Mailgun Services.
(f) All PHI maintained by Business Associate for you will be available to you in a time and manner that reasonably allows you to comply with the requirements under 45 CFR § 164.524. Business Associate shall not be obligated to provide any such information directly to any Individual or person other than you.
(g) All PHI and other information maintained by Business Associate for you will be available to you in a time and manner that reasonably allows you to comply with the requirements under 45 CFR § 164.526.
(h) Business Associate agrees to make internal practices, books, and records available to the Secretary, in a time and manner designated by the Secretary, for purposes of the Secretary’s determining your compliance with the Privacy Rule; provided, however, that time incurred by Business Associate in complying with any such request that exceeds its normal customer service parameters shall be charged to you at Business Associate’s then current standard hourly rate for Supplemental Services.
(i) You acknowledge that Business Associate is not required by this HIPAA Addendum to make disclosures of PHI to Individuals or any person other than you, and that Business Associate does not, therefore, expect to maintain documentation of such disclosure as described in 45 CFR § 164.528. In the event that Business Associate does make such disclosure, it shall document the disclosure as would be required for you to respond to a request by an Individual for an accounting of disclosures in accordance with 45 CFR §164.504(e)(2)(ii)(G) and §164.528, and shall provide such documentation to you promptly on your request. In the event that a request for an accounting is made directly to Business Associate, Business Associate shall, within 2 Business Days, forward such request to you.
3. Permitted Uses and Disclosures by Business Associate. Except as otherwise limited in this HIPAA Addendum or other portion of the Agreement, Business Associate may use or disclose PHI to perform functions, activities, or services for, or on behalf of, you as specified in the Agreement, provided that such use or disclosure would not violate the Privacy Rule if done by you.
4. Specific Use and Disclosure Provisions. Except as otherwise limited in this HIPAA Addendum or other portion of the Agreement, Business Associate may:
- (a) use PHI for the proper management and administration of Business Associate or to carry out its legal responsibilities;
- (b) disclose PHI for the proper management and administration of Business Associate, provided that disclosures are (i) Required By Law, or (ii) Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as Required By Law or for the purpose for which it was disclosed to the person, and the person will notify Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached; and
- (c) use PHI to report violations of law to appropriate Federal and State authorities, consistent with 45 CFR §164.502(j)(1).
5. Your Obligations.
5.1 You shall notify Business Associate of:
- (a) any limitations(s) in your notice of privacy practices in accordance with 45 CFR § 164.520 to the extent that such changes may affect Business Associate’s use or disclosure of PHI;
- (b) any changes in, or revocation of, permission by Individual to use or disclose PHI, to the extent that such changes may affect Business Associate’s use or disclosure of PHI; and
- (c) any restriction to the use or disclosure of PHI that you have agreed to in accordance with 45 CFR § 164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of PHI.
5.2 You agree that you will not request Business Associate to use, transmit or disclose PHI in any manner that would not be permissible under the Privacy or Security Rules if done by you.
5.3 You agree as part of your security obligations to implement and maintain appropriate safeguards as required for you to comply with the Security and Privacy rules as applicable to you and your use of the Mailgun Services. This includes, without limitation: (i) implementing reasonable safeguards required by 45 CFR § 164.530(c), (ii) reasonably limiting the amount or type of information disclosed through the Mailgun Services, (iii) permitting individuals to utilize alternative secure electronic methods to receive confidential communications from you, (iv) verifying the recipient’s address, and that it is correctly entered into the Mailgun Services prior to using the Mailgun Services to transmit PHI, (v) including a privacy statement notifying the recipient of the insecure nature of email and providing a contact to whom a recipient can report a misdirected message and (vi) encrypting PHI transmitted through the Mailgun Services where appropriate or required by the Security Rule (such as through the use of encrypted attachments, PGP toolsets, or S/MIME).
5.4 You acknowledge and understand that the Mailgun Services include the transmission of unencrypted email in plain text over the public internet and open networks. Customer Data you upload to the Mailgun Services is not encrypted by Business Associate and is stored (and transmitted) in similar fashion as you provide it. You are responsible for encrypting any sensitive data you use in conjunction with the Mailgun Services. Email sent using the Mailgun Services may be unsecured, may be intercepted by other users of the public internet, and may be stored and disclosed by third parties (such as a recipient’s email service provider) who have no obligations to Business Associate with regards to the treatment of such communications. Although Mailgun Services include support for TLS, content will be transmitted even if the recipient does not also support TLS, resulting in an unencrypted transmission. You confirm that you have made these aspects of the Mailgun Services clear to your customers and end users as appropriate, and that they have provided full and adequate consent to the use of their PHI in the fashion in which you utilize the Mailgun Services.
6. Term and Termination
(a) The term of this HIPAA Addendum shall continue for the term of your use of the Mailgun Services subject to a valid Service Order, and following termination of such Service Order until all PHI is destroyed or returned to you or your designee.
(b) If Business Associate materially breaches the terms of this HIPAA Addendum, then you may terminate any related Mailgun Services with no early termination fee or other penalty.
(c) Upon your request (for any reason), Business Associate shall destroy all PHI which is in Business Associate’s possession. This provision shall apply to PHI that is in the possession of subcontractors or agents of Business Associate as well as Business Associate itself. Business Associate shall retain no copies of the PHI. In the event that Business Associate determines that destroying the PHI is infeasible, Business Associate shall promptly provide you notification of the conditions that make destruction infeasible. Business Associate shall extend the protections of this Agreement to such PHI and limit further uses and disclosures of such PHI to those purposes that make the destruction infeasible, for so long as Business Associate maintains such PHI. This Section does not require Business Associate to segregate any PHI from other information maintained on Business Associate’s servers.
(a) Amendment. Each of us agrees to take such action as is reasonably necessary to amend this HIPAA Addendum from time to time as is necessary for you to comply with the requirements of HIPAA as they may be amended from time to time; provided, however, that if such an amendment would materially increase the cost of Business Associate providing service under the Agreement, Business Associate shall have the option to terminate the Agreement on thirty (30) days advance notice.
(b) Survival. Our respective rights and obligations under this HIPAA Addendum shall survive the termination of the Agreement.
(c) Interpretation. Any ambiguity in this Business Associate Addendum shall be resolved to permit you to comply with HIPAA and the Privacy Rule.
Last revised 2/22/17.