QUALTRICS CONTRACTOR BUSINESS ASSOCIATE AGREEMENT
(hereinafter referred to as the “Agreement”)
This Agreement is effective as of the commencement of services pursuant to the Underlying Contracts (the “Effective Date”) by and between Qualtrics, LLC (“Business Associate”), on behalf of itself and Business Associate’s Affiliates, and you (“Contractor”), including all current and future lines of business, affiliates, and subsidiaries.
RECITALS
A. Business Associate and Contractor have entered into one or more arrangements and may in the future enter into additional arrangements (collectively, the “Underlying Contracts”) pursuant to which Contractor provides various items and/or services to Business Associate and/or Business Associate’s Customers and Partners, and may create, receive, maintain, or transmit Protected Health Information on behalf of Business Associate and/or Business Associate’s Customers and Partners.
B. In accordance with the administrative simplification provisions of the Health Insurance Portability and Accountability Act of 1996, as amended by the Health Information Technology for Economic and Clinical Health Act and otherwise, and its implementing regulations at 45 CFR Parts 160, 162, and 164 (collectively, “HIPAA”), Business Associate has entered into one or more agreements with Business Associate’s Customers and Partners who are “Covered Entities” or “Business Associates,” in which Business Associate has agreed to comply with applicable provisions of HIPAA and to contractually pass on such requirements to subcontractors.
C. Business Associate and Contractor are committed to complying with the administrative simplification provisions of HIPAA.
Refer to this Agreement regularly to ensure compliance. Please read this Agreement carefully before signing a Master Services Agreement which references and incorporates this Agreement. This Agreement takes effect when referenced in a Master Services Agreement executed by and between Qualtrics and Contractor. Qualtrics may modify this Agreement at any time by posting a revised version on this website or otherwise providing notice to Contractor. By continuing to provide the Services or Deliverables after the effective date of any modifications to this Agreement, Contractor agrees to be bound by the modified terms. Last revised: February 14, 2023.
All capitalized terms used but not otherwise defined in this Agreement shall have the same meaning as in the HIPAA regulations.
“Business Associate’s Affiliates” means any of Qualtrics International Inc.’s current and future affiliates and subsidiaries, meaning a corporation or other entity of which Qualtrics International Inc. owns, either directly or indirectly, more than fifty percent (50%) of the stock or other equity interests.
“Business Associate’s Customers and Partners” means (i) Business Associate’s Affiliates, (ii) Business Associate’s resellers, (iii) direct and indirect customers of Business Associate, Business Associate’s Affiliates and of Business Associate’s resellers, and/or (iv) any other commercial end users of Business Associate’s products.
“Individual” shall have the same meaning as the term “individual” in 45 C.F.R. § 160.103 and shall include a person who qualifies as a personal representative in accordance with 45 C.F.R. § 164.502(g).
“Protected Health Information” shall have the same meaning as the term “protected health information” in 45 C.F.R. § 160.103 that is created, received, maintained, or transmitted by Contractor on behalf of Business Associate and/or Business Associate’s Customers and Partners.
- Permitted Uses and Disclosures by Contractor
a) Except as otherwise limited in this Agreement, Contractor may Use or Disclose Protected Health Information in its possession to perform functions, activities, or services for, or on behalf of, Business Associate and/or Business Associate’s Customers and Partners as necessary to provide the items or services specified in the Underlying Contracts, provided that such Use or Disclosure would not violate HIPAA if done by Business Associate or Business Associate’s Customers and Partners.
b) Except as otherwise limited in this Agreement, Contractor may Use Protected Health Information for the proper management and administration of Contractor or to carry out the legal responsibilities of Contractor.
c) Except as otherwise limited in this Agreement, Contractor may Disclose the Protected Health Information in its possession to a third party for the proper management and administration or to fulfill any legal responsibilities of Contractor, provided that: (i) The Disclosure is Required by Law, provided that Contractor makes a reasonable effort to notify Business Associate prior to the Disclosure if such notification is permissible under law and Contractor cooperates with any of Business Associate’s reasonable attempts to challenge or limit the Disclosure; or (ii) Contractor has received from the third party written assurances that: (1) the information will remain confidential and will be Used or further Disclosed only as Required by Law or for the purpose for which it was Disclosed to the party; and (2) the third party will notify Contractor within 48 hours of any instances of which it becomes aware in which the confidentiality of the information has been breached. Contractor shall not disclose Protected Health Information to a third party pursuant to this paragraph unless Required by Law or Contractor has first conducted reasonable due diligence of the third party’s information security and determined that such security is reasonable.
d) Contractor may not Use Protected Health Information to create de-identified Health Information in accordance with 45 C.F.R. § 164.514(b) without prior written approval of Business Associate.
e) Contractor may not maintain the Protected Health Information outside of the United States, or knowingly allow a third party acting on Contractor’s behalf to access the Protected Health Information outside of the United States, without Business Associate’s prior written consent.
f) When requesting, Using, or Disclosing Protected Health Information, Contractor shall make reasonable efforts to limit Protected Health Information to the minimum necessary to accomplish the intended purpose of the Use, Disclosure, or request in accordance with 45 C.F.R. §§ 164.502(b) and 164.514(d).
- Obligations and Activities of Contractor
a) Contractor shall not Use or Disclose Protected Health Information other than as permitted or required by this Agreement.
b) Contractor agrees to use appropriate administrative, physical, and technical safeguards to prevent Use or Disclosure of the Protected Health Information other than as provided for by this Agreement.
c) Contractor agrees to comply with the applicable requirements of the Security Standards for Protection of Electronic Protected Health Information, 45 C.F.R. Part 164 Subpart C (the “Security Rule”), including using appropriate administrative, physical, and technical safeguards to safeguard the confidentiality, integrity, and availability of Electronic Protected Health Information.
d) Contractor agrees to mitigate, to the extent practicable, any harmful effect that is known to Contractor of a Use or Disclosure of Protected Health Information by Contractor in violation of the requirements of this Agreement and shall cooperate with Business Associate in the mitigation process.
e) Contractor agrees to report in writing to Business Associate, without unreasonable delay and no later than within 48 hours of Discovery: (i) Any Use or Disclosure of Protected Health Information not provided for by this Agreement, including Breaches of Unsecured Protected Health Information; and/or (ii) Any Security Incident.
f) For any Breach of Unsecured Protected Health Information, Contractor agrees to supplement the above report with the information required by 45 C.F.R. § 164.410 without unreasonable delay and in no case later than 14 calendar days after discovery of the Breach. Contractor shall reasonably cooperate with Business Associate to provide any information in its possession needed by Business Associate to conduct a Breach risk assessment or to respond to Individuals’ or Business Associate’s Customers and Partners’ inquiries regarding a successful Security Incident or an unauthorized use or disclosure of Protected Health Information. Contractor will reimburse Business Associate for reasonable remediation and notification costs incurred by Business Associate resulting from a Breach or Security Incident caused by Contractor’s breach of this Agreement.
g) Except to the extent required by applicable law, Contractor shall not make any public announcement or provide notice regarding Business Associate’s or Business Associate’s Customers and Partners’ involvement in a Breach without Business Associate’s prior written approval, which shall not be unreasonably withheld or delayed.
h) Contractor agrees to ensure that any further subcontractors that create, receive, maintain, or transmit Protected Health Information on Contractor’s behalf agree in writing to the same restrictions and conditions that apply through this Agreement to Contractor with respect to such Protected Health Information, including complying with the applicable requirements of the Security Rule. Contractor shall not allow a further Contractor to create, receive, maintain, or transmit Protected Health Information on Contractor’s behalf unless Contractor has first conducted reasonable due diligence of the further subcontractor’s information security and determined that such security is reasonable. If Contractor knows of a pattern of activity or practice of its subcontractor that constitutes a breach of that subcontractor’s obligations under the agreement referenced in this Section 3(h), Contractor shall take reasonable steps to require the subcontractor to cure the breach or terminate its agreement with the subcontractor.
i) Contractor agrees to make its internal practices, books, records, agreements, policies, and procedures relating to the Use and Disclosure of Protected Health Information available to Business Associate and to the Secretary of the Department of Health and Human Services (“Secretary”) for the purposes of determining compliance with HIPAA, and Business Associate determining Contractor’s compliance with this Agreement. Nothing in this section shall be construed as a waiver of any legal privilege or of any protections for trade secrets or confidential commercial information. Contractor shall immediately notify Business Associate of any request (i) from the Secretary pertaining to an investigation of Business Associate’s or Business Associate’s Customers’ and Partners’ compliance with HIPAA, or (ii) for disclosure of Protected Health Information that Contractor believes is Required by Law.
j) Contractor, upon request by Business Associate, will make Protected Health Information in a Designated Record Set available to Business Associate or, at the request of Business Associate, the Individual, within ten (10) days of Business Associate’s request, as necessary to allow Business Associate’s Customers and Partners to comply with their obligations to provide Individuals access to their health information as required by 45 C.F.R. § 164.524.
k) Contractor, upon request by Business Associate, will make Protected Health Information in a Designated Record Set available to Business Associate and will incorporate any amendments to such information as instructed by Business Associate within ten (10) days of a request, as necessary to allow Business Associate’s Customers and Partners to comply with their amendment obligations as required by 45 C.F.R. § 164.526.
l) Contractor will maintain and, upon request by Business Associate, within ten (10) days provide Business Associate with the information necessary for Business Associate to provide an Individual with an accounting of each disclosure of Protected Health Information made by Contractor or its employees, agents, representatives, or subcontractors that is subject to 45 CFR Section 164.528. Contractor shall implement a process that allows for an accounting to be collected and maintained for any disclosure of Protected Health Information for which Business Associate or Business Associate’s Customers and Partners are required to maintain such an accounting. Contractor shall include in the accounting, to the extent known to Contractor: (a) the date of the disclosure; (b) the name, and address if known, of the entity or person who received the Protected Health Information; (c) a brief description of the Protected Health Information disclosed; and (d) a brief statement of the purpose of the disclosure. For each disclosure that requires an accounting under this section, Contractor shall document the information specified in the preceding sentence and shall securely retain this documentation for the period of time necessary for Business Associate and Business Associate’s Customers and Partners to be able to comply with 45 CFR Section 164.528.
m) In the event any Individual requests access to, or amendment or an accounting of, Protected Health Information directly from Contractor, Contractor shall forward such request to Business Associate within two (2) business days.
n) To the extent that Contractor is to carry out one or more of Business Associate’s or Business Associate’s Customers’ and Partners’ obligations under the Standards for Privacy of Individually Identifiable Health Information, 45 C.F.R. Part 164 Subpart E, including but not limited to the provision of a notice of privacy practices on behalf of Business Associate or Business Associate’s Customers and Partners, Contractor shall comply with the requirements of Subpart E that apply to Business Associate or Business Associate’s Customers and Partners in the performance of such obligations.
o) Contractor shall not use Protected Health Information for marketing purposes, and shall not directly or indirectly receive remuneration in exchange for Protected Health Information unless such remuneration is permissible under HIPAA.
p) To the extent Contractor uses, discloses, maintains, or transmits Protected Health Information that is considered substance use disorder records (“Part 2 Data”) protected by 42 C.F.R. Part 2 (“Part 2”), Contractor: (a) acknowledges that, in receiving, storing, processing, or otherwise dealing with Part 2 Data, Contractor is fully bound by Part 2; and (b) if necessary, Contractor will resist in judicial proceedings any efforts to obtain access to Part 2 Data except as permitted by Part 2. Contractor will not re-disclose Part 2 Data to a third party unless that third party is a contract agent of Contractor helping Contractor provide services described in the Underlying Contracts, and so long as the agent only further discloses the information back to Contractor or Business Associate.
q) Contractor agrees it will provide appropriate data privacy and data security training to any employee of Contractor who will have access to or make use of Protected Health Information of Business Associate or Business Associate’s Customers and Partners.
- Term and Termination
a) Term. The term of this Agreement shall commence as of the Effective Date and shall terminate when all Underlying Contracts have terminated.
b) Termination. Upon Business Associate’s determination of a breach of this Agreement by Contractor or its agents or subcontractors, Business Associate may terminate the Underlying Contracts: (i) immediately if Business Associate determines that there is a continuing risk to the confidentiality, integrity, or availability of Protected Health Information that cannot be immediately cured; or (ii) after Business Associate has notified Contractor of the breach and provided at least 30 calendar days for Contractor to cure the breach if Contractor has not cured the breach in such period of time.
c) Effect of Termination.
(i) Except as provided in paragraph (ii) of this section, upon termination of this Agreement or the Underlying Contracts for any reason, Contractor shall promptly (and in no event later than 90 days following such termination) return or destroy all Protected Health Information. This provision shall apply to Protected Health Information that is in the possession of subcontractors or agents of Contractor. Contractor shall retain no copies of the Protected Health Information. Upon Business Associate’s request, Contractor shall provide a certificate of destruction for any Protected Health Information that it has destroyed.
(ii) In the event that returning or destroying the Protected Health Information obtained by Contractor is infeasible, and to the extent the Contractor retains any knowledge of the Protected Health Information, then Contractor shall extend any and all protections, limitations, and restrictions contained in this Agreement to such Protected Health Information and limit further Uses and Disclosures of such Protected Health Information to those purposes that make the return or destruction infeasible, for as long as Contractor maintains such Protected Health Information. Contractor will (i) promptly notify Business Associate of any such retention (unless prohibited by law or court order), and (ii) delete such retained data, and promptly notify Business Associate of such deletion, once the purposes for retention have ended. This Section shall survive the termination of this Agreement for any reason.
a) Indemnification. Contractor agrees to indemnify and hold harmless Business Associate and Business Associate’s Customers and Partners, and their respective employees, officers, trustees, agents, and contractors, from any and all liability, including attorneys’ fees, costs of defense, and costs of mitigation and/or notification, that arise from Contractor’s breach of this Agreement.
b) No limitations on liability. No limitations of liability, limitations of remedy, or disclaimers by Contractor contained in the Underlying Contracts shall apply to the obligations and subject matter of this Agreement or to remedies sought by Business Associate and Business Associate’s Customers and Partners with respect to a breach of this Agreement by Contractor or any of Contractor’s workforce, agents, or Contractors.
c) Insurance. Contractor shall maintain appropriate and adequate insurance coverage to cover Contractor’s obligations pursuant to this Agreement.
d) Equitable and injunctive relief. The parties acknowledge that the Use or Disclosure of Protected Health Information in a manner inconsistent with this Agreement will cause Business Associate and Business Associate’s Customers and Partners irreparable damage and that Business Associate and Business Associate’s Customers and Partners shall have the right to equitable and injunctive relief to prevent the unauthorized Use or Disclosure and to such damages as are occasioned by such unauthorized Use or Disclosure in addition to other remedies available at law or in equity. Business Associate’s and Business Associate’s Customers’ and Partners’ remedies under this Agreement and the Underlying Contracts shall be cumulative, and the exercise of any remedy shall not preclude the exercise of any other.
e) Ownership of Protected Health Information. The Parties agree that the Contractor shall not have an ownership interest in the Protected Health Information it receives in accordance with this Agreement.
f) Amendment. The parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for Business Associate and Business Associate’s Customers and Partners to comply with the requirements of HIPAA and federal and state law. Business Associate may terminate the Underlying Contracts if Contractor fails to agree to an amendment that Business Associate reasonably determines is necessary to comply with federal and state law.
g) Interpretation. This Agreement modifies and supplements the terms and conditions of the Underlying Contracts and shall be deemed a part of the Underlying Contracts. Any ambiguity in this Agreement shall be resolved to permit the parties to comply with HIPAA and other applicable laws. In the event any provision of any of the Underlying Contracts conflicts or is inconsistent with this Agreement, then this Agreement shall control. The terms of this Agreement shall be construed in light of any applicable interpretation or guidance on HIPAA issued by the Secretary from time to time. A reference in this Agreement to a section in HIPAA means the section as in effect or as amended or modified from time to time, including any corresponding provisions of subsequent superseding laws or regulations.
h) No Third Party Beneficiaries. Except as otherwise set forth in this Agreement, nothing in this Agreement shall confer upon any person other than the parties and their respective successors or assigns, any rights, remedies, obligations, or liabilities whatsoever.
i) Independent Contractor. Contractor is an independent contractor and nothing in this Agreement is intended to create or imply an agency or employment relationship between the parties.
j) Amendment; Waiver. This Agreement may be modified only in writing, executed by both parties. The waiver by either party of a breach or violation of any provision of this Agreement shall not be construed to be a continuing waiver or a waiver of any subsequent breach of either the same or any other provision of this Agreement.
k) Effect on Agreement. Except as specifically required to implement the purposes of this Agreement, or to the extent inconsistent with this Agreement, all other terms of the Underlying Contracts shall remain in force and effect.