Compliance & Legal
HIPAA Statement
Zynco has hired an independent third party auditor that is compliant with the rules and regulations of HIPAA. For more details, please contact privacy@zynco.io.
Business Associate Agreement for Zynco “Covered Entity” Customers
These Standard HIPAA Business Associate Agreement Terms and Conditions (“HIPAA Addendum”) shall be incorporated into the Master Service Agreement for Customers that are Covered Entities (as defined below) that provide Protected Health Information (“PHI”) (as defined below) to Zynco in connection with the Zynco for Local Business and Enterprise services they have purchased. These terms supplement the purchase agreement between Zynco and Customers (“Underlying Agreement”) in order to comply with the federal Standards for HIPAA of Individually Identifiable Health Information, located at 45 C.F.R. Part 160 and Part 164, Subparts A through E (“HIPAA Rule”) and the Health Information Technology for Economic and Clinical Health Act, Public Law 111-005 (the “HITECH Act”).
1. CATCH-ALL DEFINITIONS
The following terms used in this Agreement shall have the same meaning as those terms in the HIPAA Rules: Breach, Data Aggregation, Designated Record Set, Disclosure, Health Care Operations, Individual, Minimum Necessary, Notice of Privacy Practices, Protected Health Information, Required By Law, Secretary, Security Incident, Subcontractor, Unsecured Protected Health Information, and Use.
2. SPECIFIC DEFINITIONS
Terms used, but not otherwise defined, in this HIPAA Addendum shall have the same meaning as those terms in the Privacy Rule or the HITECH Act:
- A. “Breach” shall have the same meaning given to such term under 42 U.S.C. § 17921.
- B. “Business Associate” shall generally have the same meaning as the term “business associate” at 45 CFR 160.103, and in reference to the party to this agreement, shall mean Zynco.
- C. “Covered Entity” shall generally have the same meaning as the term “covered entity” at 45 CFR 160.103, and in reference to the party to this agreement, shall mean [Insert Name of Covered Entity].
- D. “HIPAA Rules” shall mean the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Part 160 and Part 164.
- E. “Individual” shall have the same meaning as the term “individual” in 45 C.F.R. §160.103 and shall include a person who qualifies as a personal representative in accordance with 45 C.F.R. § 164.502(g).
- F. “Protected Health Information” or “PHI” shall have the same meaning as the term “protected health information” in 45 C.F.R. § 160.103, limited to the information created or received by Business Associate from or on behalf of the Covered Entity.
- G. “Required by Law” shall have the same meaning as the term “required by law” in 45 C.F.R. § 160.103.
- H. “Unsecured PHI” shall have the same meaning given to such term under the HITECH Act and any guidance issued pursuant to this act.
3. OBLIGATIONS AND ACTIVITIES OF BUSINESS ASSOCIATE
Zynco agrees to:
1- Use and Disclosure of PHI
Zynco shall not use or disclose PHI other than as permitted or required by this HIPAA Addendum or as Required by Law. Zynco shall not use or disclose PHI for fundraising or marketing purposes. Zynco shall not directly or indirectly receive remuneration in exchange for PHI, except with prior written consent of Covered Entity and as permitted by the HITECH Act.
2- Safeguards
Zynco shall use appropriate safeguards and comply with Subpart C of 45 CFR Part 164 with respect to electronic PHI to prevent any unauthorized use or disclosure.
3- Mitigation
Zynco shall mitigate, to the extent practicable, any harmful effect that is known to Zynco of a use or disclosure of PHI in violation of this Addendum.
4- Reporting
Zynco shall report to Covered Entity any use or disclosure not provided for, including breaches of unsecured PHI and any security incidents.
5- Disclosure to Agents and Subcontractors
In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of Zynco agree to the same restrictions, conditions, and requirements that apply to Zynco with respect to such information.
6- Designated Record Set
Zynco shall provide access, at the request of Covered Entity, to PHI in a Designated Record Set to meet the requirements under 45 C.F.R. § 164.524. Business Associate will forward requests for access of the designated record set to Covered Entity within thirty (30) days (per the applicability). If Business Associate is unable to respond to a request for access, the Business Associate will notify the requesting party.
7- Internal Practices, Policies, and Procedures
Zynco shall make its internal practices, records, and documents, including policies and procedures and PHI, relating to the use and disclosure of PHI received from, or created or received by Zynco on behalf of, Covered Entity available to the Covered Entity and to the Secretary of Health and Human Services (“Secretary”) for purposes of the Secretary determining Covered Entity’s compliance with the Privacy Rule and the HITECH Act.
8- Accounting for Disclosures
Zynco agrees to maintain the information required to provide an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528 and to make this information available to the Covered Entity upon the Covered Entity’s request in order to allow the Covered Entity to respond to an individual’s request for accounting of disclosures.
9- Security Obligations
Zynco shall implement appropriate safeguards as are necessary to prevent the use or disclosure of PHI otherwise than as permitted by the Underlying Agreement or this HIPAA Addendum, including, but not limited to, administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the Covered Entity’s electronic PHI as required by 45 C.F.R. Sections 164.308, 164.310, and 164.312, as amended from time to time. Zynco shall ensure that any agent, including a subcontractor, to whom it provides such electronic PHI, agrees to implement reasonable and appropriate safeguards to protect it. Zynco shall comply with the policies and procedures and document requirements of the Privacy Rule including, but not limited to, 45 C.F.R. Section 164.316. Zynco agrees to report promptly to the Covered Entity if the confidentiality of the information has been breached.
10- Breach Pattern or Practice by Covered Entity
If Zynco knows of a pattern of activity or practice of the Covered Entity that constitutes a material breach or violation of the Covered Entity’s obligations under the HIPAA Addendum, Zynco must take reasonable steps to cure the breach or end the violation. If the steps are unsuccessful, Zynco will notify the Secretary.
4. PERMITTED USES AND DISCLOSURES BY ZYNCO
1- Permitted Uses and Disclosures: Except as otherwise limited in this HIPAA Addendum, Zynco may use or disclose PHI to perform functions, activities, or services for or on behalf of the Covered Entity as specified in the Underlying Agreement, provided that such use or disclosure would not violate the Privacy Rule including, but not limited to, each applicable requirement of 45 C.F.R. § 164.504(e) and the HITECH Act if done by Covered Entity.
2- Use for Management and Administration: Except as otherwise limited in this HIPAA Addendum, Zynco may use PHI for the proper management and administration of Zynco or to carry out its legal responsibilities.
3- Disclosure for Management and Administration: Except as otherwise limited in this HIPAA Addendum, Zynco may disclose PHI for the proper management and administration of Zynco, provided that such disclosure is Required by Law or Zynco obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used for further disclosures as Required by Law or for the purpose for which it was disclosed to the person, and the person notifies Zynco of any breaches of confidentiality.
4- Minimum Necessary: Zynco (and its agents or subcontractors) shall request, use, and disclose only the minimum amount of PHI necessary to accomplish the purpose of the use, disclosure, or request. The definition of “minimum necessary” is subject to change from time to time, and Zynco shall keep itself informed of guidance issued by the Secretary with respect to what constitutes “minimum necessary.”
5- Data Aggregation: Except as otherwise limited in this HIPAA Addendum, Zynco may use PHI to provide Data Aggregation services related to health care operations to the Covered Entity as permitted by 45 C.F.R. §164.504(e)(2)(i)(B).
6- Report Violations of Law: Zynco may use PHI to report violations of law to appropriate Federal and State authorities consistent with 45 C.F.R. §164.502(l).
5. PROVISIONS FOR COVERED ENTITY TO INFORM BUSINESS ASSOCIATE OF PRIVACY PRACTICES AND RESTRICTIONS
1- Notice of Privacy Practices: The Covered Entity shall notify Zynco of any limitation(s) in the notice of privacy practices of the Covered Entity under 45 C.F.R. § 164.520, to the extent that such limitations may affect Zynco’s use or disclosure of PHI.
2- Changes in Permission: The Covered Entity shall notify Zynco of any changes in, or revocation of, permission by an individual to use or disclose his or her PHI, to the extent that such changes may affect Zynco’s use or disclosure of PHI.
3- Notification of Restrictions: The Covered Entity shall notify Zynco of any restriction to the use or disclosure of PHI that Covered Entity has agreed to or is required to abide by under 45 C.F.R. § 164.522, to the extent that such restriction may affect Zynco’s use or disclosure of PHI.
4- Permissible Requests by Covered Entity: The Covered Entity shall not request Zynco to use or disclose PHI in any manner that would not be permissible under the Privacy Rule and the HITECH Act if done by Covered Entity. Exceptions apply if certain provisions are made: data aggregation, management and administration, and legal responsibilities of Zynco (one or more may apply).
6. TERM AND TERMINATION
1- Term: The Term of this HIPAA Addendum shall be effective as of the first day that the Covered Entity provides PHI to Zynco and shall terminate when all of the PHI provided by the Covered Entity to Zynco, or created or received by Zynco on behalf of the Covered Entity, is destroyed or returned to the Covered Entity, or if it is infeasible to return or destroy PHI, protections are extended to such information in accordance with the termination provisions in this Section.
2- Termination for Cause: Zynco authorizes termination of this Agreement by the Covered Entity, if the Covered Entity determines Zynco has violated a material term of the Agreement:
- Provide 60 days advance written notice specifying the nature of the breach or violation to Zynco.
- Immediately terminate this HIPAA Addendum and the Underlying Agreement if Zynco has breached a material term of this HIPAA Addendum and cure is not possible.
- Report the violation to the Secretary if neither cure of the breach nor termination of this HIPAA Addendum and the Underlying Agreement are feasible.
3- Obligation of Zynco Upon Termination:
Upon termination, Zynco shall return or destroy all PHI. Zynco shall retain no copies of the PHI. In the event that return or destruction is infeasible, Zynco shall extend the protections of this HIPAA Addendum to such PHI and limit further uses and disclosures.
7. MISCELLANEOUS IN ADDITION TO TERMS AND CONDITIONS
1- Regulatory References: A reference in this HIPAA Addendum to a section in the Privacy Rule or the HITECH Act means the section as in effect or as amended.
2- No Third Party Beneficiaries: Nothing in this HIPAA Addendum shall be considered or construed as conferring any right or benefit on a person not party to this HIPAA Addendum.
3- Amendments: Zynco reserves the right to change the terms and conditions of this HIPAA Addendum at any time.
4- Interpretation: The provisions of this HIPAA Addendum shall prevail over the provisions of any other agreement that exists between the Parties that may conflict with HIPAA Rules.
5- No Third Party Beneficiaries: The Business Associate and Covered Entity do not intend to confer any rights upon any person other than the parties involved.
6- Independent Contractor: The Business Associate’s status shall be that of an independent contractor.
Compliance Support
For details regarding HIPAA compliance or BAA terms.