HIPAA Statement / BAA

Updated as of January 2020

Business Associate Agreement for SocialSwell, Inc. (dba. Swell CX) “Covered Entity” Customers 

These Standard HIPAA Business Associate Agreement Terms and Conditions (“HIPAA Addendum”) shall be incorporated into the Master Service Agreement for Customers that are Covered Entities (as defined below) that provide Protected Health Information (“PHI”) (as defined below) to Swell CX in connection with the Swell CX services they have purchased. These terms supplement the purchase agreement between Swell CX and Customers (“Underlying Agreement”) in order to comply with the federal Standards for Privacy of Individually Identifiable Health Information, located at 45 C.F.R. Part 160 and Part 164, Subparts A through E (“Privacy Rule”) and the Health Information Technology for Economic and Clinical Health Act, Public Law 111-005 (the “HITECH Act”).

1. CATCH-ALL DEFINITIONS The following terms used in this Agreement shall have the  same meaning as those terms in the HIPAA Rules: Breach, Data Aggregation,  Designated Record Set, Disclosure, Health Care Operations, Individual, Minimum  Necessary, Notice of Privacy Practices, Protected Health Information, Required By Law,  Secretary, Security Incident, Subcontractor, Unsecured Protected Health Information,  and Use. 

2. SPECIFIC DEFINITIONS Terms used, but not otherwise defined, in this HIPAA  Addendum shall have the same meaning as those terms in the Privacy Rule or the  HITECH Act. 

A. “Breach” shall have the same meaning given to such term under 42 U.S.C. § 17921.

B. “Business Associate” shall generally have the same meaning as the term “business  associate” at 45 CFR 160.103, and in reference to the party to this agreement, shall mean  Swell CX. 

C. “Covered Entity” shall generally have the same meaning as the term “covered  entity” at 45 CFR 160.103, and in reference to the party to this agreement, shall mean  [Insert Name of Covered Entity].

D. “HIPAA Rules” shall mean the Privacy, Security, Breach Notification, and  Enforcement Rules at 45 CFR Part 160 and Part 164.

E. “Individual” shall have the same meaning as the term “individual” in 45 C.F.R.  §160.103 and shall include a person who qualifies as a personal representative in  accordance with 45 C.F.R. § 164.502(g).

F. “Protected Health Information” or “PHI” shall have the same meaning as the term  “protected health information” in 45 C.F.R. § 160.103, limited to the information created or  received by Business Associate from or on behalf of the Covered Entity.

G. “Required by Law” shall have the same meaning as the term “required by law” in 45  C.F.R. §160.103.

H. “Unsecured PHI” shall have the same meaning given to such term under the  HITECH Act and any guidance issued pursuant to this act. 

Obligations and Activities of Business Associate

Swell CX agrees to: 

1. Use and Disclosure of PHI: Swell CX shall not use or disclose PHI other than as  permitted or required by this HIPAA Addendum or as Required by Law. Swell CX shall  not use or disclose PHI for fundraising or marketing purposes. Swell CX shall not directly  or indirectly receive remuneration in exchange for PHI, except with the prior written  consent of Covered Entity and as permitted by the HITECH Act; however, this prohibition  shall not affect payment by Covered Entity to Swell CX for services provided pursuant to  the Underlying Agreement. 

2. Safeguards: Swell CX shall use appropriate safeguards, and comply with Subpart C of  45 CFR Part 164 with respect to electronic PHI, to prevent use or disclosure of PHI other  than as provided for by the Agreement. 

3. Mitigation: Swell CX shall mitigate, to the extent practicable, any harmful effect that is  known to Swell CX of a use or disclosure of PHI by Swell CX in violation of the  requirements of this HIPAA Addendum. 

4. Reporting: Swell CX shall report to Covered Entity any use or disclosure of PHI not  provided for by the Agreement of which it becomes aware, including breaches of  unsecured PHI as required at 45 CFR 164.410, and any security incident of which it  becomes aware. 

5. Disclosure to Agents and Subcontractors: In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of Swell CX agree to the same restrictions, conditions, and requirements that apply to Swell CX with respect to such information.

6. Designated Record Set: Swell CX shall provide access, at the request of Covered Entity, to PHI in a Designated Record Set in order to meet the requirements under 45 C.F.R. § 164.524. Business Associate will forward a request for access to the Designated Record Set to Covered Entity within thirty (30) days OR Business Associate will respond to a request for access to the Designated Record Set within thirty (30) days (per the applicability). If Business Associate is unable to respond to a request for access, the Business Associate will notify the requesting party.

7. Internal Practices, Policies and Procedures: Swell CX shall make its internal practices, books, and records, including policies and procedures and PHI, relating to the use and disclosure of PHI received from, or created or received by Swell CX on behalf of, Covered Entity available to the Covered Entity and to the Secretary of Health and Human Services (“Secretary”) for purposes of the Secretary determining Covered Entity’s compliance with the Privacy Rule and the HITECH Act.

8. Accounting for Disclosures: Swell CX agrees to maintain the information required to  provide an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528 and to  make this information available to the Covered Entity upon the Covered Entity’s request  in order to allow the Covered Entity to respond to an Individual’s request for accounting  of disclosures. 

9. Security Obligations: Swell CX shall implement appropriate safeguards as are  necessary to prevent the use or disclosure of PHI otherwise than as permitted by the  Underlying Agreement or this HIPAA Addendum including, but not limited to,  administrative, physical, and technical safeguards that reasonably and appropriately  protect the confidentiality, integrity, and availability of the Covered Entity’s electronic  PHI as required by 45 C.F.R. Sections 164.308, 164.310, and 164.312, as amended from time  to time. Swell CX shall ensure that any agent, including a subcontractor, to whom it  provides such electronic PHI, agrees to implement reasonable and appropriate safeguards to protect it. Swell CX shall comply with the policies and procedures and  document requirements of the Privacy Rule including, but not limited to, 45 C.F.R.  Section 164.316. Swell CX agrees to report promptly to the Covered Entity any security  incident of which it becomes aware. 

10. Breach Pattern or Practice by Covered Entity: If Swell CX knows of a pattern of activity  or practice of the Covered Entity that constitutes a material breach or violation of the  Covered Entity’s obligations under the HIPAA Addendum, Swell CX must take  reasonable steps to cure the breach or end the violation. If the steps are unsuccessful,  Swell CX must terminate the Underlying Agreement, if feasible, or if termination is not feasible, report the problem to the Secretary. 

Permitted Uses and Disclosures by Swell CX

1. Permitted Uses and Disclosures: Except as otherwise limited in this HIPAA Addendum, Swell CX may use or disclose PHI to perform functions, activities, or services for or on behalf of the Covered Entity as specified in the Underlying Agreement, provided such use or disclosure would not violate the Privacy Rule including, but not limited to, each applicable requirement of 45 C.F.R. § 164.504(e) and the HITECH Act if done by the Covered Entity.

2. Use for Management and Administration: Except as otherwise limited in this HIPAA  Addendum, Swell CX may use PHI for the proper management and administration of  Swell CX or to carry out the legal responsibilities of Swell CX. 

3. Disclosure for Management and Administration: Except as otherwise limited in this HIPAA Addendum, Swell CX may disclose PHI for the proper management and administration of Swell CX, provided that disclosures are Required by Law or Swell CX obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential, and used or further disclosed only as Required by Law or for the purpose for which it was disclosed to the person, and the person notifies Swell CX of any instances of which it is aware in which the confidentiality of the information has been breached.

4. Minimum Necessary: Swell CX (and its agents or subcontractors) shall request, use, and disclose only the minimum amount of PHI necessary to accomplish the purpose of the request, use, or disclosure. Swell CX understands and agrees that the definition of “minimum necessary” is subject to change from time to time and shall keep itself informed of guidance issued by the Secretary with respect to what constitutes “minimum necessary.”

5. Data Aggregation: Except as otherwise limited in this HIPAA Addendum, Swell CX may use PHI to provide Data Aggregation services related to health care operations to the Covered Entity as permitted by 45 C.F.R. §164.504(e)(2)(i)(B).

6. Report Violations of Law: Swell CX may use PHI to report violations of law to  appropriate Federal and State authorities consistent with 45 C.F.R. §164.502(j)(1). 

Provisions For Covered Entity to Inform Business Associate of Privacy Practices and Restrictions

1. Notice of Privacy Practices: The Covered Entity shall notify Swell CX of any limitation(s) in the notice of privacy practices of the Covered Entity under 45 C.F.R. § 164.520, to the extent that such limitations may affect Swell CX’s use or disclosure of PHI.

2. Changes in Permission: The Covered Entity shall notify Swell CX of any changes in, or revocation of, permission by an Individual to use or disclose his or her PHI, to the extent that such changes may affect Swell CX’s use or disclosure of PHI.

3. Notification of Restrictions: The Covered Entity shall notify Swell CX of any restriction to  the use or disclosure of PHI that Covered Entity has agreed to or is required to abide by  under 45 C.F.R. § 164.522, to the extent that such restriction may affect Swell CX’s use or  disclosure of PHI. 

4. Permissible Requests by Covered Entity: The Covered Entity shall not request Swell CX to use or disclose PHI in any manner that would not be permissible under the Privacy Rule and the HITECH Act if done by Covered Entity. Exceptions if certain provisions are made: data aggregation, management and administration, and legal responsibilities of Swell CX (one or more may apply).

Term and Termination

1. Term: The Term of this HIPAA Addendum shall be effective as of the first day that the  Covered Entity provides PHI to Swell CX and shall terminate when all of the PHI provided  by the Covered Entity to Swell CX, or created or received by Swell CX on behalf of the  Covered Entity, is destroyed or returned to the Covered Entity, or if it is infeasible to  return or destroy PHI, protections are extended to such information in accordance with  the termination provisions in this Section. 

2. Termination for Cause: Swell CX authorizes termination of this Agreement by the  Covered Entity, if the Covered Entity determines Swell CX has violated a material term of  the Agreement: 

A. Provide 60 days advance written notice specifying the nature of the breach or violation to Swell CX. Swell CX shall have 60 days from the date of the notice in which to remedy the breach or violation. If such corrective action is not taken within the time specified, this HIPAA Addendum and the Underlying Agreement shall terminate at the end of the 60 day period without further notice or demand.

B. Immediately terminate this HIPAA Addendum and the Underlying Agreement if Swell CX has breached a material term of this HIPAA Addendum and cure is not possible.

C. Report the violation to the Secretary if neither cure of the breach nor termination of this HIPAA Addendum and the Underlying Agreement are feasible.

3. Obligation of Swell CX Upon Termination: Upon termination of this HIPAA Addendum or the Underlying Agreement, for any reason, Swell CX shall return or destroy all PHI received from Covered Entity, or created, maintained or received by Swell CX on behalf of Covered Entity. This provision shall apply to PHI that is in the possession of subcontractors or agents of Swell CX. Swell CX shall retain no copies of the PHI.

 A. Upon termination of this Agreement for any reason, Swell CX, with respect to PHI  received from Covered Entity, or created, maintained, or received by Swell CX on behalf  of the Covered Entity, shall:

1. Retain only that PHI which is necessary for Swell CX to continue its proper  management and administration or to carry out its legal responsibilities;

2. Return to the Covered Entity [or, if agreed to by covered entity, destroy] the  remaining PHI that the Swell CX still maintains in any form

3. Continue to use appropriate safeguards and comply with Subpart C of 45 CFR  Part 164 with respect to electronic PHI to prevent use or disclosure of the PHI, other than  as provided for in this Section, for as long as Swell CX retains the PHI

4. Not use or disclose the PHI retained by Swell CX other than for the purposes for  which such PHI was retained and subject to the same conditions set out at which applied prior to termination

5. Return to Covered Entity [or, if agreed to by covered entity, destroy] the PHI  retained by Swell CX when it is no longer needed by Swell CX for its proper management  and administration or to carry out its legal responsibilities 

 B. In the event that Swell CX determines that returning or destroying PHI is not  feasible, Swell CX shall notify Covered Entity in writing of the conditions that make  return or destruction infeasible. If return or destruction of the PHI is infeasible, Swell CX  shall extend the protections of this HIPAA Addendum to such PHI and limit further uses  and disclosures of such PHI to those purposes that make the return or destruction  infeasible, for so long as Swell CX maintains such PHI 

Miscellaneous in Addition to Terms and Conditions

1. Regulatory References: A reference in this HIPAA Addendum to a section in the Privacy Rule or the HITECH Act means the section as in effect or as amended.

2. No Third Party Beneficiaries: Nothing in this HIPAA Addendum shall be considered or construed as conferring any right or benefit on a person not party to this HIPAA Addendum nor imposing any obligations on either Party hereto to persons not a party to this HIPAA Addendum.

2. Amendments: Swell CX reserves the right to change the terms and conditions of this HIPAA Addendum at any time. Swell CX will notify the Covered Entity of any material changes to this HIPAA Addendum by sending the Covered Entity an e-mail to the last e-mail address the Covered Entity provided to Swell CX or by prominently posting notice of the changes on Swell CX’s website. Any material changes to this HIPAA Addendum will be effective upon the earlier of thirty (30) calendar days following Swell CX’s dispatch of an e-mail notice to the Covered Entity or thirty (30) calendar days following Swell CX’s posting of notice of the changes on its website. These changes will be effective immediately for new Swell CX Clients. Please note that at all times the Covered Entity is responsible for providing Swell CX with its most current e-mail address. In the event that the last e-mail address that the Covered Entity has provided Swell CX is not valid, or for any reason is not capable of delivering to the Covered Entity the notice described above, Swell CX’s dispatch of the e-mail containing such notice will nonetheless constitute effective notice of the changes described in the notice. If the Covered Entity does not agree with the changes to this HIPAA Addendum, the Covered Entity must notify Swell CX prior to the effective date of the changes that the Covered Entity wishes to terminate its subscription to the applicable Swell CX services. Continued use of the Swell CX services following notice of such changes shall indicate the Covered Entity’s acknowledgement of such changes and agreement to be bound by the terms and conditions of such changes.

3. Interpretation: The provisions of this HIPAA Addendum shall prevail over the provisions  of any other agreement that exists between the Parties that may conflict with, or appear  inconsistent with, any provision of this HIPAA Addendum, the Privacy Rule or the  HITECH Act. 

4. No Third Party Beneficiaries: The Business Associate and Covered Entity do not intend, nor does anything expressed or implied in this Agreement intend to confer, upon any person other than the Business Associate and Covered Entity and their respective successor or assigns, any rights, remedies, obligations or liabilities whatsoever.

5. Independent Contractor: The Business Associate is performing services pursuant to the Agreement and for all purposes hereunder, the Business Associate’s status shall be that of an independent contractor.

Copyright Social Swell Inc.

