- This LYVE CLOUD HIPAA BUSINESS ASSOCIATE ADDENDUM (the “BAA”) is incorporated by reference into the Lyve agreement to which this BAA is an addendum (the "Agreement") between Seagate and Company, as each is defined under the Agreement. In this BAA, Company and Seagate are, individually, each a “Party” and, collectively, the “Parties”.
- This BAA takes effect (i) on the date of execution of the Agreement; or (ii) if the Agreement is entered into electronically, on the day the Agreement is electronically accepted by Company.
- For the avoidance of doubt, Company must have an existing Agreement, where Company has indicated and specified to Seagate that it will include Protected Health Information (as defined below) among Company Data in scope of the Services, and such Agreement must be currently in place and in effect for this BAA to be valid and effective. Together with the Agreement, this BAA will govern each Party’s respective obligations regarding such Protected Health Information.
BACKGROUND
- Company is either a “covered entity” or a “business associate” of a covered entity, as each is defined under the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, as amended by the HITECH Act (as defined below) and the related regulations promulgated by HHS (as defined below) (collectively, “HIPAA”) and, as such, is required to comply with HIPAA’s provisions regarding the confidentiality and privacy of Protected Health Information (as defined below);
- The Parties have entered into the Agreement, under which Seagate provides or will provide certain Services to Company that are specified therein;
- In providing Services pursuant to the Agreement, Seagate may have access to Protected Health Information;
- By providing the Services pursuant to the Agreement, Seagate will become a “business associate” of Company;
- Both Parties are committed to complying with all applicable United States federal and state laws governing the confidentiality and privacy of health information, including, but not limited to, the Privacy Rule (as defined below); and,
- Both Parties intend to protect the privacy and provide for the security of Protected Health Information disclosed to Seagate pursuant to the terms of the Agreement, this BAA, HIPAA, and as otherwise Required By Law.
STATEMENT OF AGREEMENT
The Parties hereby agree as follows:
- Definitions. For purposes of this BAA, the Parties give the following meaning to each of the terms in this Section 1, below. Any capitalized term used in this BAA, but not otherwise defined, has the meaning given to that term in the Agreement, HIPAA, the Privacy Rule or pertinent law.
- “Business Associate” has the definition given to it under HIPAA.
- “Breach” means the acquisition, access, use, or disclosure of PHI in a manner not permitted under the Privacy Rule and which compromises the security or privacy of the PHI, as defined in 45 CFR §164.402.
- “CFR” means the Code of Federal Regulations.
- “Covered Entity” has the definition given to it under HIPAA.
- “Covered Services” means the Services expressly stated in the Agreement as covered by this BAA.
- “HHS” means the U.S. Department of Health and Human Services.
- “HIPAA” has the meaning given in the Background section above.
- “HITECH Act” means the Health Information Technology for Economic and Clinical Health Act, enacted as part of the American Recovery and Reinvestment Act of 2009, Public Law 111-005.
- “Individual” has the same meaning given to that term in 45 CFR §§164.501 and 160.130 as to a person who qualifies as a personal representative in accordance with 45 CFR §164.502(g).
- “Impermissible Use or Disclosure” has the definition given to it under HIPAA.
- “Privacy Rule” means that portion of HIPAA set forth in 45 CFR Part 160 and Part 164, Subparts A and E.
- “Protected Health Information” or “PHI” has the meaning given to the term “protected health information” in 45 CFR §§164.501 and 160.103, limited to the information created or received by Seagate from or on behalf of Company.
- “Required By Law” has the meaning given to it under HIPAA.
- “Security Incident” has the meaning given to it under HIPAA in 45 CFR § 164.304 as to the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.
- “Security Rule” means the Security Standards for the Protection of Electronic Health Information provided in 45 CFR Part 160 & Part 164, Subparts A and C.
- “Unsecured Protected Health Information” or “Unsecured PHI” means any Protected Health Information that is not rendered unusable, unreadable or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the HHS Secretary in the guidance issued pursuant to the HITECH Act and codified at 42 USC §17932(h).
- “Unsuccessful Security Events” means, without limitation, pings or other broadcast attacks on Seagate's firewalls, port scans, unsuccessful log-on attempts, denial of service attacks, and any combination or variation of the above, so long as no such incident results in unauthorized access, use, disclosure, modification, or destruction of Protected Health Information.
- Use and Disclosure of PHI.
- Except as otherwise provided in this BAA, Seagate may access, use, disclose, modify or destroy PHI as reasonably necessary to provide the Services described in the Agreement to Company, and to undertake other activities of Seagate permitted or required of Seagate by the Agreement, this BAA, or as otherwise Required By Law.
- Except as otherwise limited by this BAA or federal or state law, Company authorizes Seagate to use the PHI in its possession for the proper management and administration of Seagate’s business and to carry out its legal responsibilities. Seagate may disclose PHI for its proper management and administration, provided that (i) the disclosures are Required By Law; or (ii) Seagate obtains, in writing, prior to making any disclosure to a third party reasonable assurances from this third party that the PHI will be held confidential as provided under this BAA and used or further disclosed only as Required By Law or for the purpose for which it was disclosed to this third party.
- Seagate will not use or disclose PHI in a manner other than as provided in this BAA, as permitted under the Privacy Rule, or as Required By Law. Seagate may use or disclose PHI, to the extent practicable, as a limited data set or limited to the reasonably necessary amount of PHI to carry out the intended purpose of the use or disclosure, in accordance with the requirements of HIPAA, including Section 13405(b) of the HITECH Act (codified at 42 USC §17935(b)) and any of the act’s implementing regulations adopted by HHS, for each use or disclosure of PHI.
- Upon request, Seagate will make available to Company any of Company’s PHI that Seagate or any of its agents or subcontractors have in their possession, subject to the provisions of this BAA.
- Seagate may use PHI to report violations of law to appropriate U.S. federal and state authorities, consistent with 45 CFR §164.502(j)(1).
- Safeguards Against Misuse of PHI. As is reasonable in light of the nature of the Services, Seagate will use appropriate safeguards designed to prevent the use or disclosure of PHI, and Seagate agrees to implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of electronic PHI that it creates, receives, maintains or transmits on behalf of Company. Seagate agrees to take reasonable steps, including providing training to its employees, to comply with this BAA and to prevent actions or omissions of its employees or agents that would cause Seagate to breach the terms of this BAA.
- Encryption. Due to the encryption configuration and security controls associated with the Services, Seagate will not have access to or know the nature of PHI contained within Company’s encrypted files and folders stored in the Services. As such, the Parties acknowledge that it may not be possible for Seagate to provide Company with all relevant information concerning the PHI of Individuals who may be affected by a Security Incident, Impermissible Use or Disclosure, or Breach of Unsecured PHI.
- Reporting Disclosures of PHI and Security Incidents. Seagate will report to Company in writing (including by email) any use or disclosure of PHI not provided for by this BAA or the Agreement of which it becomes aware and Seagate agrees to report to Company any Security Incident actually affecting electronic PHI of Company of which it becomes aware. Seagate agrees to report any such event within five business days of confirmation of the event. Notwithstanding the foregoing, the Parties acknowledge and agree that this Section 5 constitutes notice by Seagate to Company of the ongoing existence and occurrence of Unsuccessful Security Events for which no additional notice to Company shall be required. Company hereby acknowledges and agrees that notice is hereby deemed given for all Unsuccessful Security Events and that Seagate will not be required to provide any notice under this BAA regarding such Unsuccessful Security Events.
- Reporting Breaches of Unsecured PHI. Seagate will inform Company in writing (including by email) promptly upon the discovery of any Breach of Unsecured PHI in accordance with the requirements set forth in 45 CFR §164.410, but in no case later than 30 calendar days after discovery of such Breach. To the extent feasible, such information shall include the identification of each Individual whose Protected Health Information has been, or is reasonably believed by Seagate to have been improperly accessed, acquired, or disclosed, subject to Section 5 immediately above.
- Reporting obligations. In light of Section 4 above and in the event of a Breach of Unsecured PHI, Security Incident, or Impermissible Use or Disclosure, Company will be solely responsible for identifying impacted Individuals (if any), determining whether to notify such impacted Individuals, determining if regulatory bodies, such as the Secretary of the U.S. Department of Health and Human Services, or other enforcement commissions applicable to Company need to be notified, and for providing any such notices.
- Mitigation of Disclosures of PHI. Seagate will take reasonable measures to mitigate, to the extent practicable, potential risks reasonably likely to result in a harmful effect that is known to Seagate of any use or disclosure of PHI by Seagate or its agents or subcontractors in violation of the requirements of this BAA.
- Agreements with Agents or Subcontractors. Seagate will take appropriate measures designed to ensure that any agents or subcontractors used by Seagate to perform its obligations under the Agreement that require access to PHI are bound by written obligations that provide materially the same level of protection for PHI as this BAA. To the extent that Seagate uses agents or subcontractors in its performance of obligations hereunder, Seagate will remain responsible for their performance as if performed by Seagate.
- Audit Report. To the extent Required By Law, and subject to all applicable legal privileges, Seagate shall, upon written request, make available its internal practices, books, agreements, records, and policies and procedures relating to the use and disclosure of PHI to the Secretary of the Department of Health and Human Services (the "Secretary") for the purpose of the Secretary determining Company’s and Seagate’s compliance with HIPAA and this BAA.
- Accounting of Disclosures.
- Seagate will document any disclosures of PHI made by it to account for such disclosures as required by 45 CFR §164.528(a). Seagate also will make available information related to such disclosures as would be required for Company to respond to a request for an accounting of disclosures in accordance with 45 CFR §164.528. At a minimum, Seagate will furnish Company the following with respect to any covered disclosures by Seagate: (i) the date of disclosure of PHI; (ii) the name of the entity or person who received PHI, and, if known, the address of such entity or person; (iii) a brief description of the PHI disclosed; and (iv) a brief statement of the purpose of the disclosure which includes the basis for such disclosure.
- Seagate will furnish to Company information collected in accordance with this Section 9, within fifteen business days after written notice by Company, to permit Company to make an accounting of disclosures as required by 45 CFR §164.528, or in the event that Company elects to provide an Individual with a list of its business associates, Seagate will provide an accounting of its disclosures of PHI upon request of the Individual, if and to the extent that such accounting is required under the HITECH Act or under HHS regulations adopted in connection with the HITECH Act.
- In the event an Individual delivers the initial written notice for an accounting directly to Seagate in relation to such Individual's PHI stored by Seagate, Seagate will, within ten business days, forward such request to Company.
- Responsibilities of Company. With regard to the use or disclosure of Protected Health Information by Seagate, Company agrees that it will:
- Not include in its notice of privacy practices any limitation that limits Seagate's permitted or required uses or disclosures of PHI under this BAA, unless such a limit is required by law. In the event that Company is required by law to include such a limitation in its notice of privacy practices, Company shall promptly notify Seagate of any such limitation, to the extent that such limitation may affect Seagate's use or disclosure of PHI.
- Notify Seagate of any changes in, or revocation of, permission by an Individual to use or disclose PHI, to the extent that such changes may affect Seagate’s use or disclosure of PHI.
- Not agree to any request for a restriction that limits Seagate's permitted or required uses or disclosures of PHI under this BAA, or delivery of the Services, unless it is Required By Law. In the event that Company is required by law to agree to such a restriction, Company shall promptly notify Seagate of any such restriction.
- Not request or cause Seagate to use or disclose PHI in any manner that would not be permissible under HIPAA if done by Company, or in any way that does not conform to the Services.
- Implement and use appropriate privacy and security safeguards designed to prevent unauthorized use or disclosure of PHI, and to implement and use administrative, physical, and technical safeguards in order to reasonably and appropriately protect PHI in compliance with HIPAA and this BAA and as otherwise required under the Security Rule. In particular, Company shall encrypt all PHI stored in or transmitted using the Services in accordance with the Secretary of HHS’s document entitled “Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals”, available online at https://www.hhs.gov/hipaa/for-professionals/breach-notification/guidance/index.html, as it may be updated from time to time, and as may be made available on any successor or related site designated by HHS. To the extent that Company chooses to use the Services to transmit PHI without encryption, Company is responsible for documenting under the Security Rule that encryption is not reasonable and appropriate for such communications and implementing any equivalent alternative measures if reasonable and appropriate. Company acknowledges and agrees that Seagate has no obligation to protect PHI under this BAA to the extent that Company creates, receives, maintains, or transmits PHI outside of the Services.
- Warrant for each delivery of PHI that it has obtained any necessary authorizations, consents, and other permissions that may be required under applicable law prior to disclosing or uploading any data, including without limitation PHI, in relation to the Services.
- Data Ownership. This BAA will in no way alter the data ownership provisions agreed to in the Agreement.
- Term and Termination.
- This BAA will terminate on the earlier of (i) a permitted termination in accordance with this Section 12, or (ii) the expiration or termination of the Agreement under which Company has access to the Services.
- Company may immediately terminate this BAA if it is determined that Seagate has breached a material term of this BAA and Seagate has failed to cure that material breach, to Company’s reasonable satisfaction, within 30 days after written notice from Company. Company may report the problem to the Secretary of HHS if Required By Law, subject to all applicable legal privileges.
- Subject to the section in the Agreement regarding Suspension, if Seagate determines that Company has breached a material term of this BAA, then Seagate will provide Company with written notice of the existence of the breach and shall provide Company with 30 days to cure the breach. Company’s failure to cure the breach within the 30-day period will be grounds for immediate termination of the Agreement or this BAA by Seagate. Seagate may report the breach to HHS, subject to all applicable legal privileges.
- After termination of the Agreement or this BAA for any reason, all PHI maintained by Seagate will be deleted from the Services in accordance with the terms of the Agreement relating to Company Data. Seagate will extend the protections of this BAA to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for as long as Seagate maintains such PHI. The Parties understand that this Section 12.D. will survive any termination of this BAA.
- Effect of BAA. This BAA is a part of and subject to the terms of the Agreement. This BAA, together with the Agreement as amended by this BAA, (i) is intended by the Parties as a final, complete and exclusive expression of the terms of their agreement and (ii) supersedes all prior agreements and understandings (whether oral or written) between the Parties with respect to the subject matter hereof. The provisions of this BAA override and control any conflicting provision of the Agreement; however, except as expressly modified or amended under this BAA as to PHI, the terms of the Agreement remain in full force and effect.
- Amendments to comply with law. The Parties acknowledge that federal and state laws relating to data security and privacy of health information are rapidly evolving and that amendment of this BAA may be required to provide for procedures to ensure compliance with such developments. The Parties specifically agree to take such action as is necessary to implement the standards and requirements of HIPAA. Upon the request of either Party, the other Party agrees to promptly enter into negotiations concerning the terms of an amendment to this BAA embodying written assurances consistent with the standards and requirements of HIPAA or other applicable laws. Either Party may terminate this BAA upon thirty (30) days’ prior written notice in the event that the other Party: (i) does not promptly enter into negotiations to amend this BAA when requested pursuant to this Section 16; or (ii) does not enter into an amendment to this BAA providing assurances regarding the safeguarding of PHI sufficient to satisfy the standards and requirements of HIPAA.
- Interpretation. This BAA and the Agreement shall be interpreted as broadly as necessary to implement and comply with HIPAA. The Parties agree that any ambiguity in this BAA shall be resolved in favor of a meaning that complies, and is consistent, with HIPAA.