Atlassian Business Associate Agreement

2.1 Applicability. This BAA is applicable only to the extent that Customer has an active Subscription Term for a HIPAA-Qualified Cloud Product and has configured such HIPAA-Qualified Cloud Product in accordance with the specifications provided in Section 5 of this BAA. Customer must not provide PHI to any Cloud Product that is not a HIPAA-Qualified Cloud Product to which this BAA applies. For avoidance of doubt, Customer acknowledges and agrees that this BAA does not apply to (a) any Cloud Products or Support provided by Atlassian or its Affiliates other than the HIPAA-Qualified Cloud Products, (b) any Third-Party Product, including any Third Party Apps, that Customer elects to integrate or enable for use with the HIPAA-Qualified Cloud Products, or (c) Customer’s own products and services used with any HIPAA-Qualified Cloud Products.

2.2 Term. The term of this BAA commences on the Effective Date and will terminate automatically upon expiration or earlier termination of the Agreement, unless earlier terminated pursuant to the terms of this BAA.

2.3 Execution. To the extent this BAA has been pre-signed on behalf of Business Associate, for the BAA to be enforceable, Customer must:

a) complete the signature block below by completing all required fields and counter-signing;

b) submit the completed and signed BAA to Business Associate as instructed; and

c) have only a signatory who possesses legal authority to bind Customer into legally enforceable contracts execute this BAA.

Where Customer makes any deletions or other revisions to this BAA, this BAA will be null and void.   

 

3.1 Use and Disclosure. With regard to its use or disclosure of PHI, Business Associate agrees to: 

(a) not use or disclose PHI except as permitted or required by this BAA or as otherwise Required by Law and, to the extent that Business Associate is to carry out any of Customer’s obligations under the Privacy Rule, Business Associate will comply with the requirements of the Privacy Rule that apply to Customer in the performance of those obligations;

(b) implement and use appropriate technical, physical and administrative safeguards to prevent use or disclosure of ePHI other than as permitted or required by this BAA and comply with the Security Rule provisions applicable to business associates with respect to ePHI;

(c) report without unreasonable delay to Customer: (i) any use or disclosure of PHI of which it becomes aware that is not permitted by this BAA; or (ii) any Security Incident of which Business Associate becomes aware.  Notwithstanding the foregoing, Customer acknowledges that Business Associate routinely experiences unsuccessful Security Incidents that do not result in a Breach of Unsecured PHI, such as pings, port scans, phishing attempts, log-on attempts, and other unsuccessful Security Incidents.  Business Associate hereby notifies Customer of such unsuccessful Security Incidents, and the Parties acknowledge and agree that no further notice will be required of such unsuccessful Security Incidents;

(d) without unreasonable delay and in no case later than five (5) calendar days after discovery, notify Customer of a Breach of any Unsecured PHI, all in accordance with 45 C.F.R. § 164.410;

(e) in accordance with 45 C.F.R. § 164.502(e)(1)(ii) and 45 C.F.R. § 164.308(b)(2), ensure that any of its subcontractors that create, receive, maintain, or transmit PHI on behalf of Business Associate agree, in writing, to no less restrictive restrictions and conditions on the use or disclosure of PHI that apply to Business Associate; including to the extent that Business Associate provides ePHI to a subcontractor, require the subcontractor in writing to, where applicable, comply with the Security Rule with respect to that ePHI;

(f) make available its internal practices, books, and records relating to the use or disclosure of PHI to the Secretary of the Department of Health and Human Services (“HHS”) for purposes of determining Customer’s compliance with the Privacy Rule;

(g) within thirty (30) days after receiving a written request from Customer, make available information necessary for Customer to make an accounting of disclosures of PHI about an Individual as provided in 45 C.F.R. § 164.528 and when directed by Customer, make that accounting directly to the Individual; 

(h) mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate that is not permitted by this BAA;

(i) if Business Associate maintains a Designated Record Set, make available Customer PHI as required to enable Customer to fulfill its obligations under the Privacy Rule, including, but not limited to, 45 C.F.R. § 164.524 and 164.526, subject to the implementation guide as defined in Section 5.1;

(j) request, use or disclose only the minimum amount of PHI necessary to accomplish the purpose of the request, use or disclosure;

(k) not directly or indirectly receive remuneration in exchange for any PHI as prohibited by 45 C.F.R. § 164.502(a)(5)(ii); and   

(l) not make or cause to be made a communication about a product or service that is prohibited by 45 C.F.R. §§ 164.501 and 164.508(a)(3). 

 

4.1 Other Permitted Uses and Disclosures. Unless otherwise limited in this BAA, in addition to any other uses or disclosures permitted or required by this BAA, Business Associate may:

(a) use and disclose to subcontractors, the PHI in its possession as necessary to provide the HIPAA-Qualified Cloud Products to Customer pursuant to the Agreement; 

(b) use and disclose the PHI in its possession for its proper management and administration or to carry out the legal responsibilities of Business Associate, provided that any such disclosures are Required by Law or any third party to which Business Associate discloses PHI for those purposes provides written assurances that:

(i)  such PHI will be held confidentially and used or further disclosed only as Required by Law or for the purposes for which it was disclosed to the third party; and 

(ii) the third party will notify Business Associate of any instances of which it becomes aware in which the confidentiality of the information has been breached.

(c) de-identify the PHI in accordance with 45 C.F.R. § 164.514.