Privacy Resources

The below BAA is for reference purposes only.

This BUSINESS ASSOCIATE AGREEMENT (the “Agreement”) is made by and between [COMPANY] on behalf of [INSERT] ("Covered Entity") and ZP Insurance LLC, dba With Gusto Insurance Services, LLC, 525 20th Street, San Francisco, CA 94107 (“Business Associate”). This Agreement shall apply only to Business Associate’s HIPAA-Eligible Services and only to the extent that Business Associate (a) performs a function or activity on behalf of the Covered Entity for which Business Associate creates, receives, maintains, or transmits Protected Health Information for a function or activity regulated by the Privacy Rule and the Security Rule; or (b) provides administrative services that involve the disclosure of Protected Health Information to Business Associate from the Covered Entity or from another business associate of the Covered Entity. WHEREAS, Covered Entity is a group health plan as defined in the Privacy Rule adopted pursuant to the Health Insurance Portability and Accountability Act of 1996.

WHEREAS, Business Associate has been retained by the Covered Entity to perform a function or activity on behalf of the Covered Entity that may require the Business Associate to have access to Protected Health Information and/or Electronic Protected Health Information (collectively, “PHI”), and have designated members of its workforce to perform certain administrative functions.

WHEREAS, Covered Entity desires to receive satisfactory assurances from the Business Associate that it will comply with the obligations required of business associates by the Privacy Rule, the Security Rule, and HITECH.

WHEREAS, the parties wish to set forth their understandings with regard to the use and disclosure of Protected Health Information by the Business Associate in performance of its obligations.

NOW, THEREFORE, in consideration of the mutual promises set forth below, the parties hereby agree as follows:

1. Definitions

1. "Effective Date" shall mean the date this Agreement is effective and is the effective data of the Underlying Agreement.

2. "HITECH" shall mean Title XIII of the American Recovery and Reinvestment Act of 2009 (“ARRA”), called the Health Information Technology for Economic and Clinical Health (“HITECH”) Act, codifies and expands on many of the requirements promulgated by the Department of Health & Human Services (“DHHS”) pursuant to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) to protect the privacy and security of protected health information.

3. "HIPAA-Eligible Services" shall mean those specific Business Associate products, services, and features identified at https://gusto.com/privacyresources/hipaa-eligible-services, as may be amended from time to time.

4. “Individual” shall have the same meaning as the term “individual” in 45 CFR 164.501 and shall include a person who qualifies as a personal representative in accordance with 45 CFR 164.502(g).

5. “Privacy Rule” shall mean the Standards for Privacy of Individually Identifiable Health Information at 45 CFR Part 160 and Part 164, Subparts A and E.

6. “Protected Health Information” (PHI) shall have the same meaning as the term “protected health information” in 45 CFR 164.501, limited to the information created or received by Business Associate from or on behalf of Covered Entity.

7. "Required By Law” shall have the same meaning as the term “required by law” in 45 CFR 164.501.

8. “Secretary” shall mean the Secretary of the Department of Health and Human Services or his designee.

9. “Security Rule” shall mean the Health Insurance Reform: Security Standards at 45 CFR Parts 160, 162, and 164.

10. “Underlying Agreement” shall mean the related contract for products and/or services between the parties in an agreement separate from this Business Associate Agreement, including Business Associate’s Terms of Service and Privacy Policy , as amended from time to time.

Terms used but not otherwise defined in this Business Associate Agreement shall have the same meaning as those terms in the Privacy Rule or Security Rule, as amended, and the Underlying Agreement.

2. Obligations and Activities of Business Associate

1. Business Associate agrees to not use or further disclose PHI other than as permitted or required by the Underlying Agreement, this Agreement, or as otherwise Required by Law. Business Associate agrees to make uses and disclosures and requests for PHI consistent with Covered Entity’s minimum necessary policies and procedures.

2. Business Associate agrees to use appropriate safeguards including administrative, physical, and technical safeguards, to prevent use or disclosure of the PHI, intentional or unintentional, other than as provided for by this Agreement, and to reasonably and appropriately protect the confidentiality, integrity, and availability of any ePHI that it may receive, maintain, or transmit on behalf of the Covered Entity under the terms of HIPAA and HITECH. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of the requirements of this Agreement.
3. Business Associate agrees to comply with the Security Rules, as required by HITECH, in a manner consistent with the Security Rules and regulations that may be adopted by relevant federal agencies, to keep all electronic protected health information in a secure manner, as required under federal law.
4. Business Associate agrees to report to Covered Entity of PHI that is actually used or disclosed in a matter not provided for by this Agreement or any security incident of which it becomes aware involving PHI of the Covered Entity. Business Associate shall not be required to report any inconsequential incident that occur, such as scans, “pings,” or other unsuccessful attempts to penetrate computer networks or services containing electronic protected health information maintained by Business Associate.
5. Business Associate agrees to ensure that any agent, including a subcontractor, to whom it provides PHI received from, or created or received by Business Associate on behalf of Covered Entity agrees to the same restrictions and conditions that apply through this Agreement to Business Associate with respect to such information.
6. Business Associate agrees to provide access, at the request of Covered Entity, and in the time and manner designated by Covered Entity, to PHI in a Designated Record Set, to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements under 45 CFR 164.524
7. Business Associate agrees to make any amendment(s) to PHI in a Designated Record Set that the Covered Entity directs or agrees to pursuant to 45 CFR 164.526 at the request of Covered Entity or an Individual, and in the time and manner designated by Covered Entity, as is applicable to the PHI Business Associate maintains.
8. Business Associate agrees to make internal practices, books, and records relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of, Covered Entity available to the Covered Entity, or at the request of the Covered Entity to the Secretary, in a time and manner designated by the Covered Entity or the Secretary, for purposes of the Secretary determining Covered Entity's compliance with the Privacy & Security Rules.
9. Business Associate agrees to document such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 CFR 164.528.
10. Business Associate agrees to provide to Covered Entity or an Individual, in time and manner designated by Covered Entity, information collected in accordance with Section 2 of this Agreement, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 CFR 164.528.
11. Business Associate hereby acknowledges and agrees that Covered Entity has notified Business Associate that it is required to comply with the confidentiality, disclosure, breach notification, compliance, and disclosure requirements of HITECH, the Privacy Rule, and the Security Rule to the extent such requirements may be applicable.
12. Business Associate acknowledges that, in the event of any unauthorized acquisition, access, use or disclosure of PHI that constitutes a breach of unsecured PHI, Business Associate shall fully comply with the breach notification requirements, including regulations which have been promulgated as of the date the breach occurred. Unsecured protected health information means PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of certain technologies or methodologies according to guidance from the HHS, currently available at: https://www.hhs.gov/hipaa/for-professionals/breach-notification/guidance/index.html
13. Business Associate shall comply with any and all regulatory requirements which may arise in the future to comply fully with the Privacy Rules, the Security Rule, and HITECH, including, but not limited to, restrictions on disclosures to health plans, clarified minimum necessary standards, expanded accounting requirements applicable to electronic health records, revised prohibitions on sales of PHI, and updated marketing and fundraising restrictions. Business Associate acknowledges that, pursuant to HITECH, Business Associate, its employees and contractors, and any third party (and their employees, contractors, and further third parties) who may have access to or possession of the Covered Entity’s PHI are subject to regulatory oversight of the various federal and/or state agencies as a Business Associate, and may be subject to both civil and criminal penalties which may arise from violations of this Agreement, the Privacy Rules, the Security Rule, and HITECH.
14. Subcontractor shall take no action and Business Associate shall not direct it to take any action contrary to 45 CFR Parts 160 and 164 (“Final Rule”).
15. Subcontractor shall not disclose Protected Health Information where the Protected Health Information is potentially related to reproductive health care, and the Protected Health Information is requested for the purpose of investigating or imposing liability on any person for the act of seeking, obtaining, providing, or facilitating reproductive health care, or to identify a person in connection with such a purpose and any of the following apply:
    1. The reproductive health care is/was obtained or provided in a state where such care is lawful, and outside of the state where the investigation or proceeding is authorized.
    2. The reproductive health care is/was "protected, required, or expressly authorized by Federal law," regardless of which state in which the health care is/was provided.
    3. The regulated entity receiving the request has no actual knowledge that the reproductive health care was unlawful and the requesting person has provided no factual information that "demonstrates a substantial factual basis" that the health care was unlawful.
16. The proceeding restriction shall in no way prevent an Individual from accessing or requesting their own Protected Health Information.
17. Before disclosing any Protected Health Information potentially related to reproductive health care when the requested Protected Health Information is being requested for Health oversight activities, Judicial and administrative proceedings, Law enforcement purposes, or for disclosure to coroners and medical examiners, Subcontractor will obtain a signed and dated attestation that (i) states that the requested use or disclosure of Protected Health Information is not for a prohibited purpose; and (ii) provide a statement of notice of criminal penalties for persons who knowingly obtain or disclose individually identifiable health information in violation of HIPAA.

3. Permitted Uses and Disclosures by Business Associate

1. Except as otherwise limited in this Agreement, Business Associate may use or disclose PHI to perform functions, activities, or services for, or on behalf of, Covered Entity as specified in the Underlying Agreement, provided that such use or disclosure would not violate the Privacy Rules and the Security Rule if done by Covered Entity.
2. Except as otherwise limited in this Agreement, Business Associate may use PHI for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate.

3. Except as otherwise limited in this Agreement, Business Associate may disclose PHI for the proper management and administration of the Business Associate, provided that disclosures are required by law, or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as required by law or for the purpose for which it was disclosed to the person, and the person notifies the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.

4. Notwithstanding the provisions of this Agreement, Business Associate and its subcontractors may use and disclose non-personally identifiable information, including aggregated and de-identified information provided that the disclosed information does not include a key or other mechanism that would enable the information to be identified.

4. Obligations of the Covered Entity

1. Covered Entity shall provide Business Associate with the Notice of Privacy Practices that Covered Entity produces in accordance with 45 CFR 164.520, as well as any changes to such notice.

2. Covered Entity shall provide Business Associate with any changes in, or revocation of, permission by Individual to use or disclose Protected Health Information, if such changes affect Business Associate's permitted or required uses and disclosures.

3. Covered Entity shall notify Business Associate of any restriction to the use or disclosure of Protected Health Information that Covered Entity has agreed to in accordance with 45 CFR 164.522.

4. Covered Entity shall not provide, transmit, or otherwise make available Protected Health Information to any Business Associate product, service, or feature that is not a HIPAA-Eligible Service. Business Associate shall have no obligations under this Agreement with respect to any Protected Health Information provided to non-eligible products, services, or features.

5. Permissible Requests by the Covered Entity

1. Covered Entity shall not request Business Associate to use or disclose Protected Health Information in any manner that would not be permissible under Subpart E of 45 C.F.R. Part 164 if done by the Covered Entity, except for uses and disclosures of PHI by Business Associate in accordance with this Agreement. Covered Entity shall not request Business Associate to use or disclose Protected Health Information through any product, service, or feature that is not a HIPAA-Eligible Service, and any such request shall not be considered a permissible request under this Agreement.

6. Term and Termination

1. Term. The Term of this Agreement shall be effective as of the Effective Date and shall terminate when all of the PHI provided by Covered Entity to Business Associate, or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity, or, if it is infeasible to return or destroy Protected Health Information, protections are extended to such information, in accordance with the termination provisions in this Section 6.

2. Termination for Cause. Upon Covered Entity's knowledge of a material breach by Business Associate, Covered Entity will provide notice to Business Associate with an opportunity to cure the breach within 30 days or the time period specified by the Covered Entity whichever is later. If cure is not effected in this time period then Covered entity may terminate the Underlying Agreement.

3. Effect of Termination. Except as provided in Section 6(b) of this Agreement, upon termination of this Agreement or the Underlying Agreement for any reason, Business Associate shall return or destroy all Protected Health Information received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity in connection with the HIPAA-Eligible Services, where reasonably practicable, or retain said Protected Health Information per subsection (i) below. This provision shall apply to PHI that is in the possession of subcontractors or agents of Business Associate to the extent such subcontractors or agents support the HIPAA-Eligible Services. Business Associate will retain the PHI that is necessary for the Business Associate, or subcontractor, to continue its proper management and administration or to carry out its legal responsibilities.
   1. In the event that Business Associate determines that returning or destroying the PHI is infeasible, Business Associate shall provide to Covered Entity notification of the conditions that make return or destruction infeasible. If the return or destruction of PHI is infeasible, Business Associate shall extend the protections of this Agreement to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such PHI.

7. Miscellaneous

1. Regulatory References. A reference in this Agreement to a section in the Privacy rules, the Security Rule, or HITECH means the section as in effect or as amended, and for which compliance is required.

2. Amendment. Except as provided below, no amendment to this Agreement shall be valid unless made in writing and signed by both Parties. The Parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for Covered Entity to comply with the requirements of the Privacy and Security Rules, HIPAA and HITECH. Notwithstanding the foregoing, Business Associate may update the list of HIPAA-Eligible Services from time to time by posting a revised list at https://gusto.com/privacyresources/hipaa-eligible-services. Updates that add services to the HIPPA-Eligible Services list shall be effective upon posting and posting shall constitute sufficient notice to Covered Entity for purposes of this Section 7(b) notwithstanding Section 7(f). Business Associate shall provide Covered Entity with reasonable prior written notice of any removal of a service from the HIPAA-Eligible Services list and such removal shall be effective on the date specified in such notice.
3. Survival. The respective rights and obligations of Business Associate under the Term and Termination provisions of this Agreement shall survive the termination of this Agreement and/or the Underlying Agreements, as shall the rights of access and inspection of Business Associate by Covered Entity.
4. Interpretation. Any ambiguity in this Agreement shall be resolved in favor of a meaning that permits Covered Entity to comply with the Privacy and Security Rules. The parties agree that the terms of this Business Associate Agreement shall apply to the parties themselves and not for the benefit of any third party beneficiaries.
5. Governing Law; Conflict. This Agreement shall be enforced and construed in accordance with the laws of the State of California. Jurisdiction of any litigation with respect to this Agreement shall be in California, with venue in a court of competent jurisdiction located in San Francisco County. In the event of a conflict between the terms of this Agreement and the terms of any of the Underlying Agreements, the terms of this Agreement shall control.
6. Notices. Any notice given under this Agreement must be in writing and delivered via first class mail, via reputable overnight courier service, or in person to the parties' respective addresses as first written above or to such other address as the parties may from time to time designate in writing.
7. Assigns. Neither this Agreement nor any of the rights, benefits, duties, or obligations provided herein may be assigned by Business Associate without the prior written consent of the Covered Entity.
8. Third Party Beneficiaries. Nothing in this Agreement shall be deemed to create any rights or remedies in any third party.