Uber Health Business Associate Addendum to the Uber Health General Terms and Conditions – United States of America
This Uber Health Business Associate Addendum (“BAA”) to the Uber Health General Terms and Conditions (the “General Terms” or “Terms”) is entered into by and between the company identified within the Uber Health sign-up process (“Company”) and Uber Health, LLC (“Uber Health”). The Terms are hereby incorporated by reference hereto. Undefined, capitalized terms used herein shall have the meaning ascribed to them in the Terms that Uber Health and Company previously entered into. To the extent that this BAA conflicts with any other agreement or understanding between the parties, including the Terms and/or any Product Addendum, this BAA shall control with respect to Uber Health’s obligations regarding PHI.
WHEREAS, the parties desire to ensure that their respective rights and responsibilities under the Agreement reflect all applicable legal requirements relating to Protected Health Information (“PHI”) under HIPAA (each, as defined herein);
WHEREAS, Company is a Covered Entity or Business Associate (each, as defined herein) subject to HIPAA;
WHEREAS, HIPAA requires Covered Entities and Business Associates to enter into Business Associate Agreements with Business Associates and Subcontractor (as defined herein) Business Associates, respectively, that create, receive, transmit, or maintain PHI for or on behalf of Covered Entities or Business Associates;
WHEREAS, the purpose of the Agreement between the parties is to enable Company to utilize Health Products which enable Company to request on-demand ground transportation or other services provided by Drivers for individuals selected by Company;
WHEREAS, Uber Health may receive, create, transmit, or maintain certain personal data about individuals who are provided transportation services through Company’s utilization of the Health Products, and such data might include PHI subject to HIPAA; and
WHEREAS, the parties agree that the purpose of this BAA is to satisfy the standards and requirements of HIPAA, if and to the extent applicable, with regard to any PHI that Uber Health may create, receive, transmit, or maintain from or on Company’s behalf.
NOW, THEREFORE, in respect of good and valuable consideration, the receipt and sufficiency of which is hereby acknowledged, the parties agree as follows:
The following terms used in this BAA shall have the same meaning as those terms in HIPAA: Breach, Business Associate (“BA”), Covered Entity, Data Aggregation, De-Identification, Designated Record Set, Disclosure, Health Care Operations, Individual, Individually Identifiable Health Information, Minimum Necessary, Organized Health Care Arrangement, Required By Law, Secretary, Security Incident, Subcontractor, Unsecured Protected Health Information, and Use. In addition, the following definitions apply:
“HIPAA” means the Health Insurance Portability and Accountability Act of 1996, and the Health Information Technology for Economic and Clinical Health Act enacted as part of the American Recovery and Reinvestment Act of 2009 (HITECH), including all subsequent amendments to either Act, and including all regulations and guidance issued thereunder, including but not limited to the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Part 160 and Part 164.
“Protected Health Information” or “PHI” has the meaning provided at 45 CFR 160.103 and in reference to this BAA, means PHI, if any, that Uber Health creates, receives, transmits, or maintains from or on behalf of Company pursuant to this BAA.
2. Obligations and Activities of Uber Health.
Uber Health agrees to:
2.1. Not use or disclose PHI other than as permitted or required by this BAA or law.
2.2. Use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to electronic PHI, to prevent use or disclosure of PHI other than as provided for by this BAA.
2.3. Promptly, as required by HIPAA, report to Company any use or disclosure of PHI not provided for by this BAA of which it becomes aware, including Breaches of Unsecured PHI, as required at 45 CFR 164.410. Notices of a Breach of Unsecured PHI shall include, to the extent the information is reasonably available at the time, the identities of each Individual whose Unsecured PHI has been, or is believed by Uber Health to have been, compromised as a result of the Breach, and any other information reasonably available to Uber Health about the Breach that is required to be included in notices required under 45 CFR 164.404(c). Uber Health shall cooperate with Company and shall supplement such information in a timely manner as more information becomes available. Uber Health shall not make any notifications directly to Individuals, the Secretary, or the media, unless otherwise agreed to in writing by the parties.
2.4. In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, ensure that any Subcontractors that create, receive, maintain, or transmit PHI on behalf of Uber Health agree to the same restrictions, conditions, and requirements that apply to Uber Health with respect to such information.
2.5. Make PHI in a Designated Record Set available to Company as necessary to satisfy Company’s obligations under 45 CFR 164.524.
2.6. Make any amendment(s) to PHI in a Designated Record Set as directed by Company pursuant to 45 CFR 164.526, or take other measures as necessary to satisfy Company’s obligations under 45 CFR 164.526.
2.7. Maintain and make available to Company the information required to provide an accounting of disclosures as necessary to satisfy Company’s obligations under 45 CFR 164.528.
2.8. To the extent that Uber Health agrees in writing to carry out any of Company's obligations under Subpart E of 45 CFR Part 164, comply with any applicable requirements of Subpart E in the performance of such obligations.
2.9. Make uses and disclosures consistent with the Minimum Necessary requirements of HIPAA.
2.10. Make its internal practices, books, and records available to the Secretary for purposes of determining compliance with HIPAA.
3. Permitted Uses and Disclosures by Uber Health.
3.1. Uber Health may only use or disclose PHI as specified in this BAA and as necessary to perform the services set forth in the Agreement.
3.2. Uber Health may use or disclose PHI as Required By Law.
3.3. Uber Health may provide Data Aggregation services relating to the Health Care Operations of Company and may conduct De-Identification of PHI in accordance with 45 CFR 164.514(a)-(c).
3.4. Uber Health may not use or disclose PHI in a manner that would violate Subpart E of 45 CFR Part 164 if done by Company, except for the specific uses and disclosures set forth below.
3.4.1. Uber Health may use PHI for the proper management and administration of Uber Health or to carry out the legal responsibilities of Uber Health.
3.4.2. Uber Health may disclose PHI for the proper management and administration of Uber Health or to carry out the legal responsibilities of Uber Health, provided the disclosures are Required By Law, or Uber Health obtains reasonable assurances from the person or entity to whom the information is disclosed that the information will remain confidential and be used or further disclosed only as Required By Law or for the purposes for which it was disclosed to such person or entity, and such person or entity notifies Uber Health of any instances of which it is aware in which the confidentiality of the information has been breached.
4. Term and Termination.
4.1. Term. The term of this BAA shall be effective as of Company’s acceptance of the Terms, and shall continue unless or until this BAA is terminated in accordance herewith.
4.2. Termination of Agreement. This BAA shall automatically terminate in the event that the Agreement between the parties is terminated, subject to Sections 4.4 and 5.7 of this BAA.
4.3. Termination for Cause. Uber Health authorizes termination of this BAA by Company, if Company determines Uber Health has violated a material term of this BAA and Uber Health has not cured the breach or ended the violation within a reasonable time specified by Company.
4.4. Obligations of Uber Health Upon Termination. Upon termination of this BAA for any reason, Uber Health shall return or destroy all PHI that Uber Health still maintains in any form, except that Uber Health may retain PHI (a) as Required By Law or regulation, (b) if Uber Health reasonably determines that such return or destruction is not feasible, (c) for its own management and administration purposes, or (d) to carry out its legal responsibilities. If any PHI is thus retained by Uber Health or any of its Subcontractors, Uber Health shall continue to comply with its obligations under this BAA and HIPAA with regard to such PHI, including protecting it in accordance with the safeguards of the Security Rule.
5.1. Regulatory References. A reference in this BAA to a section in HIPAA means the section as in effect or as amended.
5.2. Amendment. The parties agree to take such action as is necessary to amend this BAA from time to time as necessary for compliance with HIPAA and any other applicable law. If the parties cannot agree as to a necessary amendment, either party may terminate the Agreement and this BAA with ten (10) days’ prior written notice to the other party.
5.3. Interpretation. Any ambiguity in this BAA shall be interpreted to permit compliance with HIPAA.
5.4. Independent Parties; No Agency Relationship. The parties agree and acknowledge that the relationship between the parties created by the Agreement and this BAA is that of independent contractors and not an agency relationship. Uber Health is not, and may not hold itself out as, an agent of Company for any purpose.
5.5. No Third-Party Beneficiaries. Nothing expressed or implied in this BAA is intended or shall be deemed to confer upon any person other than Company, Uber Health, and their respective successors and assigns, any rights, obligations, remedies or liabilities.
5.6. Survival. The obligations created by this BAA with respect to PHI shall survive so long as, and to the extent that, Uber Health or any Subcontractors of Uber Health, retain any PHI.
5.7. Superseding Agreement. This BAA supersedes any and all previous business associate agreements between the parties.
5.8. Notices. Uber Health shall submit any notice required or permitted to be delivered to Company by this BAA to the email address provided during account setup or the email address of the admin account on file. Company shall submit any notice required or permitted to be delivered to Uber Health by this BAA to LegalNotices@health.uber.com. Each party agrees to notify the other party promptly of any change to its email address for receipt of notices.