Business Associate Agreement

Version 1.0.0 of This Agreement was created on April 22, 2022

This Business Associate Agreement (“BAA”), effective from the date it is electronically confirmed and accepted by you (the “Effective Date of the BAA”), is established between BrainCert Inc. (“BrainCert”, “we”, or “us”) and the party that electronically consents to or otherwise agrees to or opts into this BAA (“Customer”, or “you”). You have engaged in one or more service agreements with us (individually and collectively referred to as an “Agreement”), which cover the usage of our comprehensive LMS platform, online testing capabilities, virtual classroom features, and other related services, detailed at www.braincert.com (the “Service”). This BAA modifies the terms of the Agreement to accurately represent both parties' rights and obligations regarding the management and safeguarding of your Protected Health Information (as defined later in this document) within the scope of the Agreement. If you are accepting this BAA on behalf of the Customer, in a role such as an employee, consultant, or representative, you confirm that you have the required authority to legally bind the Customer to this BAA. This BAA is specifically applicable to the processing of Protected Health Information (PHI) by BrainCert when acting for the Customer, who is functioning either as a Covered Entity or a Business Associate. Acknowledging the mutual benefits of this agreement, the parties hereby agree to the following terms:

1. Glossary of Terms

For the purpose of this Business Associate Agreement (BAA), the following capitalized terms shall be understood as described below. Any capitalized term used but not explicitly defined in this document will assume the meaning attributed to it by HIPAA.

  • "HIPAA" refers to the Health Insurance Portability and Accountability Act of 1996, including all related regulations and the HITECH Act.
  • "HITECH Act" designates the security guidelines established under the American Recovery and Reinvestment Act of 2009, commonly recognized as the Health Information Technology for Economic and Clinical Health Act.
  • "Protected Health Information" or "PHI" encompasses any data, whether spoken or recorded in any format, that BrainCert handles or processes on behalf of the Customer under this BAA. This includes information that can identify an individual, or is likely to do so, and pertains to: (i) the person’s past, current, or future physical or mental health; (ii) the delivery of health care to the person; or (iii) the past, present, or future payment for providing health care.
  • "Secretary" refers to the Secretary of the U.S. Department of Health and Human Services.
  • "Unsecured PHI" means any PHI that is not secured through a method that renders it unusable, unreadable, or indecipherable to unauthorized persons as defined by the Secretary, such as encryption. This definition includes both physical and electronic forms of PHI.

2. Commitments from the Customer

The Customer declares and guarantees the following:

  • The Customer is either a "Covered Entity" or a "Business Associate" as outlined in HIPAA.
  • The Customer will adhere to HIPAA regulations while using the Service, which includes leveraging any tools provided within the Service to meet HIPAA’s minimum necessary standard.
  • The Customer will not prompt BrainCert to undertake any actions that would be in violation of HIPAA if performed by the Customer.
  • The Customer will not ask BrainCert to use or disclose PHI in any way that would contravene relevant federal or state laws if such use or disclosure was conducted by the Customer.

3. Assurances Provided by BrainCert

  1. BrainCert assures that it will (1) not use or disclose PHI except as allowed or required by this BAA and the associated Agreement, or as mandated by law; (2) refrain from using or disclosing PHI in any way that infringes upon applicable federal or state laws or would be deemed unlawful if performed by the Customer; and (3) restrict its use and disclosure of PHI to only what is minimally necessary for the designated purposes. The Customer acknowledges that BrainCert may base its judgment on the Customer’s guidance to determine if such uses and disclosures adhere to the minimum necessary standard.
  2. For operational requirements, BrainCert may process information received from the Customer when it is essential for (i) the efficient management and administrative functions of BrainCert; or (ii) fulfilling BrainCert’s legal obligations. BrainCert is authorized to disclose PHI for its proper management and administration under these conditions: (1) if such disclosures are compulsory by law; or (2) if BrainCert secures adequate assurances from the recipient that the information will be kept confidential and used or further disclosed solely as legally required or for the purpose it was originally shared, with the recipient also obligated to inform BrainCert of any breaches of confidentiality they become aware of.
  3. BrainCert will inform the Customer of any usage or disclosure of PHI not outlined by this BAA, including any incidents of Unsecured PHI breaches, as soon as they come to light. It is acknowledged that attempts to unlawfully access Unsecured PHI, such as through unsuccessful network intrusion efforts, are part of the normal digital landscape. Such events are hereby recognized as being duly noted to the Customer when they occur. Furthermore, any communications from BrainCert to the Customer related to these security incidents are not to be interpreted as an admission of fault or liability regarding Unsecured PHI breaches.
  4. BrainCert will also ensure that its subcontractors, who handle PHI on behalf of BrainCert, adhere to the same constraints and conditions as BrainCert in relation to such PHI.
  5. Should the Customer or an individual request, BrainCert will promptly furnish the necessary information to the Customer to help them comply with their obligations to: (i) provide individuals with access to their PHI as specified under 45 CFR 164.524; (ii) modify PHI or records concerning the individual as stipulated under 45 CFR 164.526; and (iii) give an account of disclosures of the individual's PHI as per 45 CFR 164.528, for the six years preceding the request date.
  6. In cases where an individual directly seeks access, amendment, or an account of their PHI from BrainCert, such requests will be forwarded to the Customer within five business days. It is the Customer's responsibility to respond to these requests, and BrainCert may guide individuals to direct their requests to the Customer.
  7. BrainCert commits to adhering to HIPAA’s security standards for electronic PHI and will make available its internal practices, books, and records related to the use and disclosure of PHI received from, or created or received on behalf of, the Customer to the Secretary for the purpose of verifying the Customer's compliance with HIPAA.
  8. In instances where BrainCert executes the Customer's duties under HIPAA regulations, BrainCert will conform to the requirements of this Section 3 applicable to the Customer in the performance of such obligations.
  9. Furthermore, BrainCert will implement suitable measures to prevent the use or disclosure of PHI beyond what is allowed by this BAA and to ensure compliance with the HIPAA Security Rule (Subpart C of 45 CFR Part 164).

4. Duration of Agreement

This Business Associate Agreement (BAA) becomes effective as of the BAA Effective Date and will remain active until either: (i) the associated Agreement concludes or expires, or (ii) this BAA is terminated as outlined in Section 5.

5. Termination Procedures

The Customer has the right to terminate this BAA through written notice if BrainCert significantly breaches any term of this BAA and does not remedy the breach within thirty (30) days after receiving written notification. Conversely, BrainCert may terminate this BAA with a written notice if the Customer: (i) imposes limitations that adversely affect BrainCert's ability to fulfill its responsibilities under the Agreement; (ii) consents to limitations that elevate BrainCert’s operational costs under this BAA or the Agreement; or (iii) fails to uphold its HIPAA obligations. Both parties can also mutually agree to terminate this BAA.

6. Suspension of Information Disclosure

Should the Customer reasonably conclude that BrainCert has not met its obligations under this BAA, the Customer may suspend all further disclosures of PHI to BrainCert, in addition to other rights outlined in this BAA, until the issue is resolved.

7. Protocol for PHI Post-Termination

Upon the termination of this BAA, BrainCert, following the Customer's direction, will either return or destroy all PHI that was received from, created by, or received on behalf of the Customer, ensuring no copies are retained. However, if BrainCert finds it impractical to return or destroy such PHI, the stipulations of this BAA will persist post-termination. In such cases, BrainCert will continue to use or disclose the retained PHI strictly in compliance with legal requirements.

8. Additional Provisions

No individual or entity outside the parties to this BAA is entitled to benefits under it.

  • This BAA does not override or alter any terms of the Agreement (including any liability limitations), except as explicitly stated herein. Where multiple Agreements exist between the parties, this BAA amends each of them separately.
  • In instances of discrepancies or conflicts between the terms of this BAA and the Agreement, the terms of this BAA will take precedence.
  • It's recognized here that electronic PHI is a component of PHI, and all references to PHI within this BAA encompass electronic PHI as well.
  • References to specific sections of HIPAA in this BAA pertain to those sections as currently enacted or as they may be amended, with compliance being obligatory.
  • Ambiguities in this BAA are to be interpreted in a way that allows BrainCert to maintain HIPAA compliance.
  • Should there be any amendments to HIPAA regulations or interpretations that conflict with this BAA, both parties commit to cooperate in good faith to modify this BAA as necessary to remain compliant.