Get Started

HIPAA Business Associate Agreement for Shape Software Inc. “Covered Entity” Clients

Updated April 29, 2022

Table of Contents

These Standard HIPAA Business Associate Agreement Terms and Conditions (“HIPAA Addendum”) shall be incorporated into the Terms of Service (which may be found at https://setshape.com/terms-of-service/) and any other agreement that a person or entity signs with Shape Software Inc. (“Shape” “Covered Entity” or “Company”)  for Customers that are Covered Entities (as defined below) and that provide Protected Health Information (“PHI”)(as defined below) to Shape in connection with services they have purchased. These terms supplement and are made part of any agreement between Shape and Customers (“Underlying Agreement”) in order to comply with the federal Standards for Privacy of Individually Identifiable Health Information, located at 45 C.F.R. Part 160 and Part 164, Subparts A through E (“Privacy Rule”) and the Health Information Technology for Economic and Clinical Health Act, Public Law 111-005 (the “HITECH Act”).

Definitions

Terms used, but not otherwise defined, in this HIPAA Addendum shall have the same meaning as those terms in the Privacy Rule or the HITECH Act.

  • “Breach” shall have the same meaning given to such term under 42 U.S.0 § 17921.
  • “Business Associate” shall generally have the same meaning as the term “business associate” at 45 CFR 160.103, and in reference to the party to this agreement, shall mean Shape.
  • “Covered Entity” shall generally have the same meaning as the term “covered entity” at 45 CFR 160.103, and in reference to the party to this agreement.
  • “HIPAA Rules” shall mean the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Part 160 and Part 164.
  • “Individual” shall have the same meaning as the term “individual” in 45 C.F.R. §160.103 and shall include a person who qualifies as a personal representative in accordance with 45 C.F.R. § 164.502(g).
  • “Protected Health Information” or “PHI” shall have the same meaning as the term “protected health information” in 45 C.F.R. § 160.103, limited to the information created or received by Business Associate from or on behalf of Covered Entity
  • “Required by Law” shall have the same meaning as the term “required by law” in 45 C.F.R. §160.103.
  • “Unsecured PHI” shall have the same meaning given to such term under the HITECH Act and any guidance issued pursuant to this act.

Obligations And Activities Of Business Associate

Permitted Uses And Disclosures By Shape

  • Permitted Uses and Disclosures. Except as otherwise limited in this HIPAA Addendum, Shape may use or disclose PHI to perform functions, activities, or services for, or on behalf of, Covered Entity as specified in the Underlying Agreement provided such use or disclosure would not violate the Privacy Rule including, but not limited to, each applicable requirement of 45 C.F.R. § 164.504(e) and the HITECH Act if done by the Covered Entity.
  • Use for Management and Administration. Except as otherwise limited in this HIPAA Addendum, Shape may use PHI for the proper management and administration of Shape or to carry out the legal responsibilities of Shape.
  • Disclosure for Management and Administration. Except as otherwise limited in this HIPAA Addendum, Shape may disclose PHI for the proper management and administration of Shape, provided that disclosures are Required by Law, or Shape obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as Required by Law or for the purpose for which it was disclosed to the person, and the person notifies Shape of any instances of which it is aware in which the confidentiality of the information has been breached.
  • Minimum Necessary. Shape (and its agents or subcontractors) shall request, use, and disclose only the minimum amount of PHI necessary to accomplish the purpose of the request, use, or disclosure. Shape understands and agrees that the definition of “minimum necessary” is subject to change from time to time and shall keep itself informed of guidance issued by the Secretary with respect to what constitutes “minimum necessary.”
  • Data Aggregation. Except as otherwise limited in this HIPAA Addendum, Shape may use PHI to provide Data Aggregation services to Covered Entity as permitted

Obligations Of Covered Entity

  • Notice of Privacy Practices. Covered Entity shall provide Shape with the notice of privacy practices that Covered Entity maintains in accordance with 45 C.F.R. § 164.520, to the extent that such limitations may affect Shape’s use or disclosure of PHI.
  • Changes in Permission. Covered Entity shall notify Shape of any changes in, or revocation of, permission by an Individual to use or disclose PHI, to the extent that such changes may affect Shape’s use or disclosure of PHI.
  • Notification of Restrictions. Covered Entity shall notify Shape of any restriction to the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 C.F.R. § 164.522, to the extent that such restriction may affect Shape’s use or disclosure of PHI.
  • Permissible Requests by Covered Entity. Covered Entity shall not request Shape to use or disclose PHI in any manner that would not be permissible under the Privacy Rule and the HITECH Act if done by Covered Entity.

Term And Termination

  • Term. The Term of this HIPAA Addendum shall be effective as of the first day that Covered Entity provides PHI to Shape and shall terminate when all of the PHI provided by Covered Entity to Shape, or created or received by Shape on behalf of Covered Entity, is destroyed or returned to Covered Entity, or, if it is infeasible to return or destroy Protected Health Information, protections are extended to such information, in accordance with the termination provisions in this Section.
  • Termination for Cause. Upon Covered Entity’s knowledge of a material breach by Shape, Covered Entity shall either:
  • (a) provide 60 days advance written notice specifying the nature of the breach or violation to Shape. Shape shall have 60 days from the date of the notice in which to remedy the breach or violation. If such corrective action is not taken within the time specified, this HIPAA Addendum and the Underlying Agreement shall terminate at the end of the 60 day period without further notice or demand;
  • (b) immediately terminate this HIPAA Addendum and the Underlying Agreement if Shape has breached a material term of this HIPAA Addendum and cure is not possible; or
  • (c) report the violation to the Secretary if neither cure of the breach nor termination of this HIPAA Addendum and the Underlying Agreement are feasible.
  • Effect of Termination.
  • (a) Except as provided in Section 4.3b, upon termination of this HIPAA Addendum or the Underlying Agreement, for any reason, Shape shall return or destroy all PHI received from Covered Entity, or created or received by Shape on behalf of Covered Entity. This provision shall apply to PHI that is in the possession of subcontractors or agents of Shape. Shape shall retain no copies of the PHI.
  • (b) In the event that Shape determines that returning or destroying PHI is not feasible, Shape shall notify Covered Entity in writing of the conditions that make return or destruction infeasible. If return or destruction of the PHI is infeasible, Shape shall extend the protections of this HIPAA Addendum to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Shape maintains such PHI.

Miscellaneous In Addition To Terms And Conditions

  • Regulatory References. A reference in this HIPAA Addendum to a section in the Privacy Rule or the HITECH Act means the section as in effect or as amended.
  • No Third Party Beneficiaries. Nothing in this HIPAA Addendum shall be considered or construed as conferring any right or benefit on a person not party to this HIPAA Addendum nor imposing any obligations on either Party hereto to persons not a party to this HIPAA Addendum.
  • Amendments. Shape reserves the right to change the terms and conditions of this HIPAA Addendum at any time. Shape will notify Covered Entity of any material changes to this HIPAA Addendum by sending Covered Entity an e-mail to the last e-mail address Covered Entity provided to Shape or by prominently posting notice of the changes on Shape’s website. Any material changes to this HIPAA Addendum will be effective upon the earlier of thirty (30) calendar days following Shape’s dispatch of an e-mail notice to Covered Entity or thirty (30) calendar days following Shape’s posting of notice of the changes on its website. These changes will be effective immediately for new Shape Clients. Please note that at all times Covered Entity is responsible for providing Shape with its most current e-mail address. In the event that the last e-mail address that Covered Entity has provided Shape is not valid, or for any reason is not capable of delivering to Covered Entity the notice described above, Shape’s dispatch of the e-mail containing such notice will nonetheless constitute effective notice of the changes described in the notice. If Covered Entity does not agree with the changes to this HIPAA Addendum, Covered Entity must notify Shape prior to the effective date of the changes that Covered Entity wishes to terminate its subscription to the applicable Shape services. Continued use of Shape services, following notice of such changes, shall indicate Covered Entity’s acknowledgement of such changes and agreement to be bound by the terms and conditions of such changes.
  • Interpretation. The provisions of this HIPAA Addendum shall prevail over the provisions of any other agreement that exists between the Parties that may conflict with, or appear inconsistent with, any provision of this HIPAA Addendum, the Privacy Rule or the HITECH Act.

Get in Touch

Our team of experts are here to help! Call our sales line at (888) 762-7211

Download

Linkedin Facebook Twitter Youtube

Solutions

Features

Resources

Contact Sales

Get a Demo