Rhombus Systems, Inc.
Business Associate Addendum
Updated November 2024
If Rhombus Systems, Inc. (“Rhombus”) is deemed to be a “business associate” of Customer pursuant to the Health Insurance Portability and Accountability Act of 1996, and the Health Information Technology for Economic and Clinical Health Act, and their implementing regulations as amended from time to time (collectively, “HIPAA”), then this Business Associate Addendum (the “Business Associate Addendum” or “BAA”) is incorporated by reference into the End User License Agreement (“EULA”) by and between Rhombus and the Customer. All terms used but not otherwise defined herein have the respective meanings ascribed to them in the EULA, or the Administrative Simplification section of HIPAA.
1. Obligations of Rhombus
1.1. Use and Disclosure of PHI. Rhombus may use and disclose PHI as permitted or required under this BAA or as required by law, but shall not otherwise use or disclose PHI. Rhombus shall not use or disclose PHI received from Customer in any manner that would constitute a violation of HIPAA if so used or disclosed by Customer (except as set forth in Sections 1.1(b), (c), (d) and (e) of this BAA). To the extent Rhombus carries out any of Customer’s obligations under the HIPAA Privacy Rule, Rhombus shall comply with the requirements of the HIPAA Privacy Rule that apply to Customer in the performance of such obligations. Without limiting the generality of the foregoing, Rhombus is permitted to use or disclose PHI as set forth below:
(a) Rhombus and its subcontractors may use and disclose PHI to carry out Rhombus’s duties and obligations and exercise their rights under the EULA;
(b) Rhombus and its subcontractors may use PHI internally for Rhombus’s or its subcontractor’s proper management and administrative services or to carry out their legal responsibilities;
(c) Rhombus and its subcontractors may disclose PHI to a third party for Rhombus’s or its subcontractor’s proper management and administration, provided that the disclosure is required by law, or Rhombus or the subcontractor, as applicable, obtains reasonable assurances from the third party to whom the PHI is to be disclosed that the third party will: (i) protect the confidentiality of the PHI, (ii) only use or further disclose the PHI as required by law or for the purpose for which the PHI was disclosed to the third party, and (iii) notify, as applicable, Rhombus or the subcontractor of any instances of which the third party is aware in which the confidentiality of the PHI has been breached;
(d) Rhombus and its subcontractors may use PHI to provide data aggregation services; and
(e) Rhombus and its subcontractors may use PHI to create de-identified health information in accordance with the HIPAA de-identification requirements. Without limiting any other rights of Rhombus under the EULA, Rhombus may use, create, sell, disclose to third parties and otherwise exploit de-identified health information for any purposes not prohibited by law. For the avoidance of doubt, the second sentence of this Section 1.1(e) shall survive the expiration or earlier termination of the EULA or this BAA.
1.2. Safeguards. Rhombus shall use reasonable and appropriate safeguards to prevent the use or disclosure of PHI except as otherwise permitted or required by this BAA. In addition, Rhombus shall implement Administrative Safeguards, Physical Safeguards and Technical Safeguards that reasonably and appropriately protect the Confidentiality, Integrity and Availability of PHI transmitted or maintained in Electronic Media (“EPHI”) that it creates, receives, maintains or transmits on behalf of Customer. Rhombus shall comply with the HIPAA Security Rule with respect to EPHI.
1.3. Minimum Necessary Standard. To the extent required by the “minimum necessary” requirements of HIPAA, Rhombus shall only request, use and disclose the minimum amount of PHI necessary to accomplish the purpose of the request, use or disclosure.
1.4. Mitigation. Rhombus shall take reasonable steps to mitigate, to the extent practicable, any harmful effect (that is known to Rhombus) of a use or disclosure of PHI by Rhombus in violation of this BAA.
1.5. Subcontractors. Rhombus shall enter into a written agreement meeting the requirements of 45 C.F.R. §§ 164.504(e) and 164.314(a)(2) with each subcontractor that creates, receives, maintains or transmits PHI on behalf of Rhombus. Rhombus shall ensure that the written agreement with each subcontractor obligates the subcontractor to comply with restrictions and conditions that are at least as restrictive as the restrictions and conditions that apply to Rhombus under this BAA.
1.6. Reporting Requirements.
(a) If Rhombus becomes aware of a use or disclosure of PHI in violation of this BAA by Rhombus or by a third party to which Rhombus disclosed PHI, Rhombus shall report any such use or disclosure to Customer without unreasonable delay.
(b) Rhombus shall report any Security Incident involving EPHI of which it becomes aware in the following manner: (i) any actual, successful Security Incident will be reported to Customer in writing without unreasonable delay, and (ii) any attempted, unsuccessful Security Incident of which Rhombus becomes aware will be reported to Customer orally or in writing on a reasonable basis, as requested by Customer. If the HIPAA Security Rule is amended to remove the requirement to report any unsuccessful Security Incidents, the requirement hereunder to report such unsuccessful Security Incidents will no longer apply as of the effective date of the amendment.
(c) Rhombus shall, following the discovery of a Breach of Unsecured PHI, notify Customer of the Breach in accordance with 45 C.F.R. § 164.410, without unreasonable delay and in no case later than thirty (30) days after discovery of the Breach.
1.7. Access to Information. Rhombus shall make available PHI in the Products identified in the EULA to Customer in accordance with the EULA for so long as Rhombus maintains the PHI in a Designated Record Set. If Rhombus receives a request for access to PHI directly from an Individual, Rhombus shall forward such request to Customer within fifteen (15) business days. Customer shall have the sole responsibility for determining whether to approve a request for access to PHI and to provide such access to the Individual.
1.8. Availability of PHI for Amendment. Rhombus shall provide PHI in the Products to Customer for amendment, and incorporate any such amendments in the PHI (for so long as Rhombus maintains such information in the Designated Record Set), in accordance with this BAA and as required by 45 C.F.R. § 164.526. If Rhombus receives a request for amendment to PHI directly from an Individual, Rhombus shall forward such request to Customer within fifteen (15) business days. Customer shall have the sole responsibility for determining whether to approve an amendment to PHI and to make such amendment.
1.9. Accounting of Disclosures. Within thirty (30) business days of written notice by Customer to Rhombus that it has received a request for an accounting of disclosures of PHI (other than disclosures to which an exception to the accounting requirement applies), Rhombus shall make available to Customer such information as is in Rhombus’s possession and is required for Customer to make the accounting required by 45 C.F.R. § 164.528. If Rhombus receives a request for an accounting directly from an Individual, Rhombus shall forward such request to Customer within fifteen (15) business days. Customer shall have the sole responsibility for providing an accounting to the Individual.
1.10. Availability of Books and Records. Following reasonable advance written notice, Rhombus shall make its internal practices, books and records relating to the use and disclosure of PHI received from, or created or received by Rhombus on behalf of, Customer available to the Secretary for purposes of determining Customer’s compliance with HIPAA.
2. Obligations of Customer
2.1. Permissible Requests. Customer shall not request Rhombus to use or disclose PHI in any manner that would not be permissible under HIPAA if done by Customer.
2.2. Minimum Necessary Information. When Customer discloses PHI to Rhombus, Customer shall provide the minimum amount of PHI necessary for the accomplishment of Customer’s purpose.
2.3. Appropriate Use of PHI. Customer and its employees, representatives, consultants, contractors and agents shall not submit any Protected Health Information to Rhombus (a) outside of the Products, including but not limited to email transmissions, and submissions through any support website, portal, or online help desk or similar service made available by Rhombus or its subcontractors outside of the Products; or (b) directly to any third party involved in the provision of email, a support website, online help desk or other service described in (a), above.
2.4. Permissions; Restrictions. Customer warrants that it has obtained and will obtain any consent, authorization and/or other legal permission required under HIPAA and other applicable law for the disclosure of PHI to Rhombus. Customer shall notify Rhombus of any changes in, or revocation of, the permission by an Individual to use or disclose his or her PHI, to the extent that such changes may affect Rhombus’s use or disclosure of PHI. Customer shall not agree to any restriction on the use or disclosure of PHI under 45 C.F.R. § 164.522 that restricts Rhombus’s use or disclosure of PHI under the EULA and this BAA unless such restriction is required by law or Rhombus grants its written consent.
2.5. Notice of Privacy Practices. Except as required by law, with Rhombus’s consent or as set forth in this BAA, Customer shall not include any limitation in Customer’s notice of privacy practices that limits Rhombus’s use or disclosure of PHI under the EULA or this BAA.
3. Termination of the EULA and the BAA
3.1. BAA Term. This BAA shall continue in full force and effect for so long as Rhombus maintains any PHI.
3.2. Termination Upon Breach of this BAA. Any other provision of the EULA notwithstanding, the EULA and this BAA may be terminated by either Party (the “Non-Breaching Party”) upon ninety (90) days written notice to the other Party (the “Breaching Party”) in the event that the Breaching Party breaches this BAA in any material respect and such breach is not cured within such ninety (90) day period. Any determination of whether a material breach has been cured shall be made by Rhombus in its sole discretion.
3.3. Return or Destruction of PHI upon Termination. Upon termination of the EULA, Rhombus shall return or destroy all PHI received from Customer or created or received by Rhombus on behalf of Customer and which Rhombus still maintains as PHI. Notwithstanding the foregoing, to the extent that Rhombus determines, in its sole discretion, that it is not feasible to return or destroy such PHI, this BAA (including, without limitation, Section 1.1(e) of this BAA) shall survive termination of the EULA and this BAA and such PHI shall be used or disclosed solely for such purpose or purposes which prevented the return or destruction of such PHI.
4. Miscellaneous Provisions
4.1. Applicability. This BAA relates to PHI that Rhombus or Rhombus’s subcontractors receive pursuant to the EULA.
4.2. HIPAA Amendments. The Parties acknowledge and agree that the Health Information Technology for Economic and Clinical Health Act and its implementing regulations impose requirements with respect to privacy, security and breach notification applicable to Business Associates (collectively, the “HITECH BA Provisions”). The HITECH BA Provisions and any other future amendments to HIPAA affecting business associate agreements are hereby incorporated by reference into this BAA as if set forth in this BAA in their entirety, effective on the later of the Effective Date or such subsequent date as may be specified by HIPAA.
4.3. Regulatory References. A reference in this BAA to a section in HIPAA means the section as it may be amended from time-to-time.
4.5. Entire Agreement. The EULA and this BAA constitute the entire agreement between the Parties as to their subject matter, and supersede all previous and contemporaneous agreements, proposals or representations, written or oral, concerning such subject matter. Except as otherwise set forth therein, no modification, amendment, or waiver of any provision of this BAA shall be effective unless in writing and signed by the Party against whom the modification, amendment, or waiver is to be asserted.
4.6. Waiver. No failure or delay by either Party in exercising any right under this BAA shall constitute a waiver of that right. Other than as expressly stated therein, the remedies provided herein are in addition to, and not exclusive of, any other remedies of a Party at law or in equity.
BUSINESS ASSOCIATE: Rhombus Systems, Inc.
Address: 1610 R Street, Suite 350, Sacramento, CA 95811
Email: privacy@rhombus.com
Signature: __________________________
Title: Secretary & General Counsel
Date: November 7, 2024