IMPORTANT – PLEASE READ CAREFULLY
This Business Associate Agreement (“Agreement”) is entered into between the customer or service provider (“Covered Entity”) and CyberSentriq (“Business Associate”), effective as of the date of signature and/or documented agreement (“Effective Date”).
1. Introduction
1.1 The Covered Entity is a “covered entity” or “business associate” as defined under the Health Insurance Portability and Accountability Act of 1996, as amended, including the HITECH Act and associated regulations (“HIPAA”).
1.2 The parties have entered into, or will enter into, one or more agreements (“Underlying Agreement(s)”) under which CyberSentriq provides services.
1.3 In providing such services, CyberSentriq may create, receive, maintain, or transmit Protected Health Information (“PHI”).
1.4 Accordingly, CyberSentriq acts as a “Business Associate” to the Covered Entity under HIPAA.
2. Definitions
For the purposes of this Agreement:
- "Protected Health Information (PHI)” has the meaning assigned under HIPAA· “Breach” means the unauthorized acquisition, access, use, or disclosure of PHI
- “Security Incident” means attempted or successful unauthorized access or interference with systems
3. Permitted Uses and Disclosures
3.1. CyberSentriq may use or disclose PHI only:
- to perform services under the Underlying Agreement
- as required by law
- as permitted by this Agreement
3.2. CyberSentriq shall not use or disclose PHI in any manner that would violate HIPAA if done by the Covered Entity.
4. Safeguards and Security
4.1. CyberSentriq shall implement appropriate administrative, technical, and organizational safeguards to:
- protect PHI
- prevent unauthorized access or disclosure
4.2 CyberSentriq shall comply with applicable requirements of the HIPAA Security Rule for electronic PHI.
4.3 CyberSentriq maintains security controls aligned to industry best practices, including:
- access controls
- encryption (where applicable)
- monitoring and logging
- incident response processes
5. Reporting and Incident Management
5.1. CyberSentriq shall report to the Covered Entity:
- any unauthorized use or disclosure of PHI
- any Breach of unsecured PHI
- any Security Incident affecting PHI
5.2. Such notification shall be made without unreasonable delay and in accordance with applicable legal requirements.
6. Subcontractors
6.1. CyberSentriq may engage subcontractors who may have access to PHI.
6.2. CyberSentriq shall ensure that any such subcontractor:
- agrees in writing to the same restrictions and safeguards
- complies with HIPAA requirements
6.3. CyberSentriq remains responsible for subcontractor compliance.
7. Access, Amendment, and Accounting
7.1. CyberSentriq shall, where applicable:
- provide access to PHI
- support amendments
- provide accounting of disclosures
to enable the Covered Entity to meet its obligations under HIPAA.
8. Audit and Compliance
CyberSentriq shall make available its internal practices, records, and policies relating to PHI to:
- the Covered Entity
- regulators (where required)
for purposes of demonstrating compliance with HIPAA.
9. Termination
9.1. This Agreement shall terminate upon termination of the Underlying Agreement unless otherwise required by law.
9.2. Upon termination, CyberSentriq shall:
- return or securely destroy PHI where feasible
- retain PHI only where legally required
9.3. If return or destruction is not feasible, CyberSentriq shall continue to protect such PHI.
10. Obligations of the Covered Entity
The Covered Entity agrees to:
- provide PHI in compliance with HIPAA
- not request CyberSentriq to use or disclose PHI in violation of HIPAA
- implement appropriate safeguards on its own systems
11. Liability and Indemnity
Each party shall be responsible for its own compliance with HIPAA.
Failure to comply may result in:
- contractual remedies
- regulatory penalties
- termination of services
12. No Agency Relationship
CyberSentriq acts as an independent contractor and not as an agent of the Covered Entity.
13. Territory
CyberSentriq operates in the United Kingdom, South Africa, Ireland, the United States of America, and other jurisdictions from time to time.
14. Applicable Law
This Agreement shall be governed by the laws of the jurisdictions listed above, unless otherwise required by applicable HIPAA jurisdictional requirements.
15. General
- This Agreement supplements and forms part of the Underlying Agreement,
- In the event of conflict, this Agreement prevails with respect to PHI,
- If any provision is invalid, the remainder remains enforceable.