===================
Business Associate Agreement
Last updated 3/1/2024

BUSINESS ASSOCIATE AGREEMENT

1. Purpose. InfoseekAI and Customer entered into the Healthcare Addendum, pursuant to which InfoseekAI provides Customer access to certain InfoseekAI products and services that implicate HIPAA. For purposes of the Healthcare Addendum, Customer is either a Covered Entity, or a Business Associate of its Upstream Customers. InfoseekAI is either a Subcontractor of Customer, or a Business Associate of Customer.

2. Definitions. The following definitions shall apply for purposes of this Business Associate Agreement.

2.1. “Business Associate” has the same meaning as the term “Business Associate” in 45 C.F.R. § 160.103.

2.2. “Covered Entity” has the same meaning as the term “covered entity” in 45 C.F.R. § 160.103.

2.3. “HIPAA Breach Notification Rule” means the Breach Notification for Unsecured Protected Health Information regulations, codified at 45 C.F.R. parts 160 and 164, as amended.

2.4. “HIPAA Privacy Rule” means the Standards for Privacy of Individually Identifiable Health Information, codified at 45 C.F.R. parts 160 and 164, as amended.

2.5. “HIPAA Security Rule” means the Security Standards for the Protection of Electronic Protected Health Information, codified at 45 C.F.R. parts 160 and 164, as amended.

2.6. “Protected Health Information” or “PHI” has the same meaning as under HIPAA, limited to such information that InfoseekAI receives from Customer via the HIPAA Workflow.

2.7. “Required by Law” has the same meaning as the term “required by law” in 45 C.F.R. § 164.103.

2.8. “Security Incident” has the same meaning as the term “security incident” in 45 C.F.R. § 164.304.

2.9. “Subcontractor” has the same meaning as the term “subcontractor” in 45 C.F.R. § 160.103.

2.10. “Unsecured Protected Health Information” or “Unsecured PHI” have the same meaning as under the HIPAA Breach Notification Rule, limited to such information that InfoseekAI receives from Customer via the HIPAA Workflow.

3. InfoseekAI Requirements and Obligations.

3.1. Prohibited Uses and Disclosures of PHI. InfoseekAI shall not use or disclose PHI other than as permitted or required by this BAA or the Services Agreement, or as Required by Law. InfoseekAI may not use or disclose PHI in a manner that would violate the HIPAA Privacy Rule if done by Customer or its Upstream Customers that are Covered Entities, except as provided in this BAA.

3.2. Permissible Use and Disclosure of PHI. InfoseekAI is permitted to collect, receive, use, maintain, create, disclose, transmit, destroy, and otherwise process PHI (i) in connection with performing its obligations and exercising its rights under the Services Agreement, (ii) as permitted or required by this BAA, (iii) as Required by Law, (iv) as authorized by an Individual, and (v) as otherwise permitted by applicable law. InfoseekAI may use PHI for the proper management and administration of InfoseekAI or to carry out the legal responsibilities of InfoseekAI. InfoseekAI may disclose PHI for the proper management and administration of InfoseekAI or to carry out the legal responsibilities of InfoseekAI, provided the disclosures are Required by Law, or InfoseekAI obtains reasonable assurances from the person to whom the information is disclosed that the information will remain confidential and be used or further disclosed only as Required by Law or for the purposes for which it was disclosed to the person, and the person notifies InfoseekAI of any instances of which it becomes aware in which the confidentiality of the PHI has been breached.

3.3. Minimum Necessary. To the extent that InfoseekAI uses, discloses, or requests PHI to provide the Services, InfoseekAI shall use reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request, unless an exception to the minimum necessary requirements under HIPAA applies. Notwithstanding anything to the contrary, the parties acknowledge and agree that all PHI that is transmitted to InfoseekAI via the HIPAA Workflow is the minimum necessary required by InfoseekAI to perform its obligations and exercise its rights under the Services Agreement.

3.4. Incident Reporting. InfoseekAI will report to Customer (i) any use or disclosure of PHI by InfoseekAI that is not permitted under this BAA of which InfoseekAI becomes aware, including Breaches of Unsecured PHI as required by 45 C.F.R. § 164.410, and (ii) any Security Incident of which InfoseekAI becomes aware. Any such report(s) must be made promptly after, but in no case more than five (5) days after, Discovery by InfoseekAI of such impermissible use or disclosure, such Security Incident, or such Breach of Unsecured PHI. InfoseekAI will provide such reasonable cooperation as is reasonably requested by Customer in responding to such event and will supplement such initial report with additional information, including all information reasonably available to InfoseekAI that is required to be included in notices to affected Individuals, regulators, the media, or other entities as required by HIPAA or applicable state laws. The parties agree that notice is hereby deemed given for all attempted, unsuccessful Security Incidents involving trivial and routine incidents such as port scans, attempts to log-in with an invalid password or user name, denial of service attacks that do not result in a server being taken off-line, malware, and pings, or other similar types of events that do not compromise the security or privacy of PHI.

3.5. Mitigation. InfoseekAI will take reasonable steps to mitigate, to the extent practicable, any harmful effects known to InfoseekAI from any unauthorized use or disclosure of PHI by InfoseekAI in violation of HIPAA or this BAA.

3.6. Subcontractors of InfoseekAI. InfoseekAI shall ensure that any Subcontractors of InfoseekAI that create, receive, maintain, or transmit PHI agree to the same restrictions and conditions that apply to InfoseekAI with respect to such information, to the extent required by HIPAA. If InfoseekAI learns of any pattern or activity that constitutes a material breach of a Subcontractor’s obligations with respect to PHI, InfoseekAI will take reasonable steps to cure the breach, end the violation, or terminate the relationship with its Subcontractor.

3.7. Requests for Access. The parties acknowledge and agree that InfoseekAI does not maintain a Designated Record Set for or on behalf of Customer or Upstream Customers. In the event that InfoseekAI receives a request for access to PHI under 45 C.F.R. § 164.524, InfoseekAI’s sole responsibility shall be to promptly forward the request to Customer. In the event that Customer or any Upstream Customer receives a request for access to PHI under 45 C.F.R. § 164.524, InfoseekAI shall have no obligations.

3.8. Requests for Amendment. The parties acknowledge and agree that InfoseekAI does not maintain a Designated Record Set for or on behalf of Customer or Upstream Customers. In the event that InfoseekAI receives a request for amendment of PHI under 45 C.F.R. § 164.526, InfoseekAI’s sole responsibility shall be to promptly forward the request to Customer. In the event that Customer or any Upstream Customer receives a request for amendment of PHI under 45 C.F.R. § 164.526, InfoseekAI shall have no obligations.

3.9. Accounting of Disclosures. In the event that InfoseekAI discloses PHI in a manner that is required to be included in an accounting under 45 C.F.R. § 164.528, InfoseekAI shall maintain and, within ten (10) business days of a request from Customer, make available such information as Customer or Upstream Customer would be required to provide an Individual requesting an accounting of disclosures under 45 C.F.R. § 164.528.

3.10. Customer Privacy Rule Obligations. The parties acknowledge and agree that InfoseekAI is not intended to carry out one or more of Customer’s or any of Upstream Customer’s obligation(s) under the HIPAA Privacy Rule.

3.11. Availability of Books and Records. InfoseekAI will make its HIPAA policies and any other books and records that relate to the use and disclosure of PHI available to the Secretary of the U.S. Department of Health and Human Services (or his or her designee) for purposes of determining compliance with HIPAA.

3.12. Privacy and Security Safeguards. InfoseekAI shall use appropriate safeguards and comply, where applicable, with the HIPAA Security Rule (as codified in 45 C.F.R. §§ 164.302-164.318) with respect to electronic PHI, to prevent use or disclosure of PHI other than as provided for by this BAA.

4. Customer Restrictions and Obligations.

4.1. Compliance with Upstream Customer Business Associate Agreements. Customer shall comply with the terms and conditions of Customer’s business associate agreements (entered into pursuant to 45 C.F.R. §§ 164.502(e), 164.504(e), 164.308(b), and 164.314(a)) with its Upstream Customers that are relevant to the Services.

4.2. Upstream Customer Limitation(s) in Notice of Privacy Practices. Customer shall ensure that there are no limitation(s) in its own notice of privacy practices and that of any Upstream Customer under 45 C.F.R. § 164.520 that may affect InfoseekAI’s use or disclosure of PHI pursuant to the Services Agreement.

4.3. Permissions, Authorizations, and Consents. Customer represents and warrants that any permissions, authorizations (including authorizations under 45 C.F.R. § 164.508), or consents that may be required for InfoseekAI to provide Services, or to otherwise collect, receive, use, maintain, create, disclose, transmit, destroy, or otherwise process PHI as permitted or required under this BAA, have been obtained and reasonably documented.

4.4. Restrictions on the Use and Disclosure of PHI. Customer shall ensure that Customer and Upstream Customers have not agreed to, or are not otherwise required to abide by, restrictions on the use or disclosure of PHI under 45 C.F.R. § 164.522 that may affect InfoseekAI’s use or disclosure of PHI pursuant to the Services Agreement.

4.5. Permissible Requests by Customer. Customer shall not ask InfoseekAI to use or disclose PHI in any manner that would not be permissible under the HIPAA Privacy Rule if done by Customer or any Upstream Customer. Customer shall not request that InfoseekAI collect, receive, use, maintain, create, disclose, transmit, maintain, destroy, or otherwise process PHI in any manner that violates HIPAA or any other applicable law or regulation.

4.6. Mitigation. Customer shall take reasonable steps to mitigate, to the extent practicable, any harmful effects known to Customer of a breach of this BAA by Customer.

5. Term and Termination. The term of this BAA shall begin on the first date Customer transmits PHI to InfoseekAI pursuant to the Services Agreement and shall continue for as long as the Healthcare Addendum remains in effect. The Healthcare Addendum, including this BAA, may be terminated in accordance with Section 6 of the Healthcare Addendum. Following termination or expiration of this BAA for any reason, upon Customer’s written request, InfoseekAI shall certify that all PHI has been returned or destroyed.

6. General. Except as modified by this BAA, the Healthcare Addendum applies equally to this BAA. In the event of a conflict between this BAA and the Healthcare Addendum, this BAA shall prevail with respect to the subject matter of this BAA.

=================
Contact Information

If you have any inquiries regarding our privacy practices or this policy, or if you wish to exercise any of your available rights, please contact us via email at: hello @ infoseek.ai

+1 425-522-2474

522 W RIVERSIDE AVE STE N
SPOKANE, WA 99201-0580
UNITED STATES