Atlassian Business Associate Agreement
This Business Associate Agreement (this “BAA”), dated as of the date of the last signature below (“Effective Date”), is entered into by and between Atlassian Pty Ltd (the “Business Associate”) and the customer entity identified in the signature block below (the “Customer”) (each, a “Party” and, collectively, the “Parties”). Customer has purchased a HIPAA-Qualified Cloud Product pursuant to the Atlassian Cloud Terms of Service or other written agreement governing Customer’s use of the HIPAA-Qualified Cloud Products (the “Agreement”).
The purpose of this BAA is to set forth the obligations of Business Associate and Customer to the extent PHI is created, received, maintained, or transmitted on behalf of Customer in connection with a HIPAA-Qualified Cloud Product, in accordance with Applicable Federal Laws, as defined below.
The Parties hereby agree as follows:
1.1 Unless otherwise specified in this BAA, all capitalized terms that are used in this BAA but not otherwise defined have the meanings established for purposes of the Applicable Federal Laws, or, as applicable, the Agreement.
1.2 The terms below have the following meanings:
“Applicable Federal Laws” means, collectively, HIPAA and HITECH.
“Electronic Protected Health Information” or “ePHI” means PHI that is transmitted or maintained in electronic media.
“HIPAA” means the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations, each, as amended from time to time.
“HIPAA-Qualified Cloud Products” means the Cloud Products specified on https://www.atlassian.com/trust/compliance/resources/hipaa and associated support.
“HITECH” means Health Information Technology for Economic and Clinical Health Act, enacted as part of the American Recovery and Reinvestment Act of 2009, and its implementing regulations, each, as amended from time to time.
“PHI” means Protected Health Information, as defined in 45 C.F.R. § 160.103, limited to the Protected Health Information received from, or received or created on behalf of, Customer by Business Associate in the course of providing the HIPAA-Qualified Cloud Products pursuant to the Agreement.
“Privacy Rule” means the federal privacy regulations issued pursuant to HIPAA, as amended from time to time.
“Security Rule” means the federal security regulations issued pursuant to HIPAA, as amended from time to time.
“Support and Services” means support, Technical Account Manager (TAM) services or other services provided by Atlassian related to the HIPAA-Qualified Cloud Products.
“Unsecured PHI” means PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary in the guidance issued under § 13402(h)(2) of Public Law 111-5.
2. APPLICABILITY OF THIS BAA
2.1 Applicability. This BAA is applicable only to the extent that Customer has an active Subscription Term for a HIPAA-Qualified Cloud Product and has configured such HIPAA-Qualified Cloud Product in accordance with the specifications provided in Section 5 of this BAA. Customer must not provide PHI to any Cloud Product that is not a HIPAA-Qualified Cloud Product to which this BAA applies. For avoidance of doubt, Customer acknowledges and agrees that this BAA does not apply to (a) any Cloud Products or Support and Services provided by Atlassian or its Affiliates other than the HIPAA-Qualified Cloud Products, (b) any Third-Party Product, including any Third Party Apps, that Customer elects to integrate or enable for use with the HIPAA-Qualified Cloud Products, or (c) Customer’s own products and services used with any HIPAA-Qualified Cloud Products.
2.2 Term. The term of this BAA commences on the Effective Date and will terminate automatically upon expiration or earlier termination of the Agreement, unless earlier terminated pursuant to the terms of this BAA.
2.3 Execution. To the extent this BAA has been pre-signed on behalf of Business Associate, for the BAA to be enforceable, Customer must:
a) complete the signature block below by completing all required fields and counter-signing;
b) submit the completed and signed BAA to Business Associate as instructed; and
c) have only a signatory who possesses legal authority to bind Customer into legally enforceable contracts execute this BAA.
Where Customer makes any deletions or other revisions to this BAA, this BAA will be null and void.
3. RESPONSIBILITIES OF BUSINESS ASSOCIATE
3.1 Use and Disclosure. With regard to its use or disclosure of PHI, Business Associate agrees to:
(a) not use or disclose PHI except as permitted or required by this BAA or as otherwise Required by Law and, to the extent that Business Associate is to carry out any of Customer’s obligations under the Privacy Rule, Business Associate will comply with the requirements of the Privacy Rule that apply to Customer in the performance of those obligations;
(b) implement and use appropriate technical, physical and administrative safeguards to prevent use or disclosure of ePHI other than as permitted or required by this BAA and comply with the Security Rule provisions applicable to business associates with respect to ePHI;
(c) report without unreasonable delay to Customer: (i) any use or disclosure of PHI of which it becomes aware that is not permitted by this BAA; or (ii) any Security Incident of which Business Associate becomes aware. Notwithstanding the foregoing, Customer acknowledges that Business Associate routinely experiences unsuccessful Security Incidents that do not result in a Breach of Unsecured PHI, such as pings, port scans, phishing attempts, log-on attempts, and other unsuccessful Security Incidents. Business Associate hereby notifies Customer of such unsuccessful Security Incidents, and the Parties acknowledge and agree that no further notice will be required of such unsuccessful Security Incidents;
(d) without unreasonable delay and in no case later than five (5) calendar days after discovery, Business Associate must notify Customer of a Breach of any Unsecured PHI, all in accordance with 45 C.F.R. § 164.410;
(e) in accordance with 45 C.F.R. § 164.502(e)(1)(ii) and 45 C.F.R. § 164.308(b)(2), ensure that any of its subcontractors that create, receive, maintain, or transmit PHI on behalf of Business Associate agree, in writing, to restrictions and conditions on the use or disclosure of PHI that are no less restrictive than those that apply to Business Associate; including, to the extent that Business Associate provides ePHI to a subcontractor, requiring the subcontractor in writing to, where applicable, comply with the Security Rule with respect to that ePHI;
(f) make available its internal practices, books, and records relating to the use or disclosure of PHI to the Secretary of the Department of Health and Human Services (“HHS”) for purposes of determining Customer’s compliance with the Privacy Rule;
(g) within thirty (30) days after receiving a written request from Customer, make available information necessary for Customer to make an accounting of disclosures of PHI about an Individual as provided in 45 C.F.R. § 164.528 and when directed by Customer, make that accounting directly to the Individual;
(h) mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate that is not permitted by this BAA;
(i) if Business Associate maintains a Designated Record Set, make available Customer PHI as required to enable Customer to fulfill its obligations under the Privacy Rule, including, but not limited to, 45 C.F.R. § 164.524 and 164.526, subject to the implementation guide as defined in Section 5.1;
(j) request, use or disclose only the minimum amount of PHI necessary to accomplish the purpose of the request, use or disclosure;
(k) not directly or indirectly receive remuneration in exchange for any PHI as prohibited by 45 C.F.R. § 164.502(a)(5)(ii); and
(l) not make or cause to be made a communication about a product or service that is prohibited by 45 C.F.R. §§ 164.501 and 164.508(a)(3).
4. OTHER PERMITTED USES AND DISCLOSURES OF PHI
4.1 Other Permitted Uses and Disclosures. Unless otherwise limited in this BAA, in addition to any other uses or disclosures permitted or required by this BAA, Business Associate may:
(a) use and disclose to subcontractors, the PHI in its possession as necessary to provide the HIPAA-Qualified Cloud Products to Customer pursuant to the Agreement;
(b) use and disclose the PHI in its possession for its proper management and administration or to carry out the legal responsibilities of Business Associate, provided that any such disclosures are Required by Law or any third party to which Business Associate discloses PHI for those purposes provides written assurances that:
(i) such PHI will be held confidentially and used or further disclosed only as Required by Law or for the purposes for which it was disclosed to the third party; and
(ii) the third party will notify Business Associate of any instances of which it becomes aware in which the confidentiality of the information has been breached; and
5. OBLIGATIONS OF CUSTOMER
5.1 Product Configuration. Customer is solely responsible for configuring all HIPAA-Qualified Cloud Products according to the implementation guide found here (or successor hyperlink), as may be updated from time to time:
Customer must configure all HIPAA-Qualified Cloud Products in accordance with the implementation guide prior to entering any PHI into the applicable product.
5.2 Authorizations and Consents. Customer must obtain and maintain any and all authorizations and consents by individuals or other parties required for Business Associate’s use or disclosure of PHI contemplated by this BAA.
5.3 Permissible Requests by Customer. Customer must not request Business Associate to access, use, or disclose PHI, nor act in any manner, that would not be permissible under HIPAA if done by Business Associate. Without limiting the foregoing, Customer must not provide to the HIPAA-Qualified Cloud Products any PHI that is subject to a restriction on the use or disclosure of PHI requested by the Individual pursuant to 45 C.F.R. § 164.522 and that may affect Business Associate’s use or disclosure of such PHI.
6.1 Termination. If either Party knows of a pattern of activity or practice of the other Party that constitutes a material breach or violation of this BAA, then the non-breaching Party must provide notice of such breach or violation to the breaching Party. Such notice shall clearly specify the nature of the breach or violation. If, after a reasonable time period, which shall not be less than 30 days, following the notice to the breaching Party, the breaching Party has not cured the breach or ended the violation, the non-breaching Party may terminate this BAA.
6.2 Effect of Expiration or Earlier Termination. Within sixty (60) days after the expiration or earlier termination of this BAA, Business Associate must return or destroy all PHI, if feasible to do so, including all PHI in possession of Business Associate’s subcontractors. If return or destruction of the PHI is not feasible, Business Associate shall extend any and all protections, limitations and restrictions contained in this BAA to Business Associate’s use or disclosure of any PHI retained after the termination or expiration of this BAA, and limit any further uses or disclosures solely to the purposes that make return or destruction of the PHI infeasible.
7.1 Construction of Terms. To the extent they are not clear, the terms of this BAA shall be construed to allow for compliance by the Parties with HIPAA implementing regulations as applicable and as promulgated and amended from time to time.
7.2 No Third Party Beneficiaries. Nothing in this BAA shall confer upon any person other than the Parties and their respective successors or assigns, any rights, remedies, obligations, or liabilities whatsoever.
7.3 Survival. Sections 3.1(d), 3.1(g), 6.2, and 7.1 through 7.7 shall survive the termination for any reason or expiration of this BAA.
7.4 Notice. Notices to Customer as required under this BAA shall be made in writing via email in accordance with the applicable provisions in the Agreement. Notices to Atlassian as required under this BAA shall be in writing to the addresses set forth below:
Atlassian Pty Ltd, c/o Atlassian, Inc.
350 Bush Street, Floor 13
San Francisco, CA 94104
Attn: Privacy Officer
With copy to:
7.5 Relationship to the Agreement.
(a) Except for the changes made by this BAA, the Agreement remains unchanged and in full force and effect. If there is any conflict between the provisions of this BAA and the provisions of the Agreement (including the Atlassian Data Processing Addendum (if applicable)), the provisions of this BAA prevail over the provisions of the Agreement only to the extent of that conflict in connection with the use or disclosure of PHI to the HIPAA-Qualified Cloud Product; in all other cases, the provisions of the Agreement prevail over the provisions of this BAA.
(b) Notwithstanding anything to the contrary in the Agreement or this BAA, the liability of each Party and each Party’s Affiliates under this BAA is subject to the exclusions and limitations of liability set out in the Agreement.
7.6 Claims. Any claims against Atlassian or its Affiliates under this BAA may only be brought by the Customer entity that is a party to the Agreement against the Atlassian entity that is a party to the Agreement.
7.7 Governing Law. This BAA will be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement, unless required otherwise by Applicable Federal Laws.