Version 1.0.0 of This Agreement was created on December 21, 2021 .
This Business Associate Amendment (this “BAA”), effective as of the date electronically agreed and excepted by you (the “BAA Effective Date”), is entered into by and between Functional Software, Inc. dba Sentry (“Sentry”, “we”, or “us”) and the party that electronically accepts or otherwise agrees or opts-in to this BAA (“Customer”, or “you”).
You have entered into one or more agreements with us (each, as amended from time to time, an “Agreement”) governing the provision of our real-time error tracking, crash reporting, and visibility service more fully described at www.sentry.io (the “Service”). This BAA will amend the terms of the Agreement to reflect the parties’ rights and responsibilities with respect to the processing and security of your Protected Health Information (defined below) under the Agreement. If you are accepting this BAA in your capacity as an employee, consultant or agent of Customer, you represent that you are an employee, consultant or agent of Customer, and that you have the authority to bind Customer to this BAA.
This BAA applies only to Sentry’s processing of PHI for Customer in Customer’s capacity as a Covered Entity or Business Associate.
For good and valuable consideration, the sufficiency of which is hereby acknowledged, the parties agree as follows:
For the purposes of this BAA, capitalized terms shall have the meanings ascribed to them below. All capitalized terms used but not otherwise defined herein will have the meaning ascribed to them by HIPAA.
“HIPAA” means the Health Insurance Portability and Accountability Act of 1996 and regulations promulgated thereunder, and the HITECH Act;
“HITECH Act” means the security provisions of the American Recovery and Reinvestment Act of 2009, also known as the Health Information Technology for Economic and Clinical Health Act;
“Protected Health Information” or “PHI” is any information, whether oral or recorded in any form or medium that is created, received, maintained, or transmitted by Sentry for or on behalf of Customer pursuant to this BAA, that identifies an individual or might reasonably be used to identify an individual and relates to: (i) the individual’s past, present or future physical or mental health; (ii) the provision of health care to the individual; or (iii) the past, present or future payment for health care;
“Secretary” shall refer to the Secretary of the U.S. Department of Health and Human Services;
“Unsecured PHI” shall mean PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Secretary (e.g., encryption). This definition applies to both hard copy PHI and electronic PHI.
Customer represents and warrants as follows:
That it is a “Covered Entity” or a “Business Associate” as defined by HIPAA;
That it shall comply with HIPAA in its use of the Service, including utilizing tools made available in the Service to facilitate Customer’s compliance with HIPAA’s minimum necessary requirement;
That it will not request that Sentry take any action that would violate HIPAA if performed by Customer; and
That it will not request Sentry to use or disclose PHI in any manner that would violate applicable federal or state laws if such use or disclosure were made by Customer.
Sentry (1) shall not use or disclose PHI, other than as permitted or required by this BAA and Agreement, or as required by law; (2) shall not use or disclose PHI in any manner that violates applicable federal or state laws or would violate such laws if used or disclosed in such manner by Customer; and (3) shall only use and disclose the minimum necessary PHI for its specific purposes. Customer agrees that Sentry may rely on Customer’s instructions to determine if uses and disclosures meet this minimum necessary requirement.
Sentry may use the information received from Customer if necessary for (i) the proper management and administration of Sentry; or (ii) to carry out the legal responsibilities of Sentry. Sentry may disclose PHI for its proper management and administration provided that: (1) disclosures are required by law; or (2) Sentry obtains reasonable assurances form the person or entity to whom the information is disclosed that it will remain confidential and used or further disclosed only as required by law or for the purpose for which it was disclosed to the person or entity, and the person or entity notifies Sentry of any instances of which it is aware in which the confidentiality of the information has been breached.
Sentry will report to Customer any use or disclosure of PHI not provided for by this BAA of which Sentry becomes aware, including breaches of Unsecured PHI subject to the following:
The parties acknowledge that unsuccessful attempts to access Unsecured PHI (e.g., pings and other broadcast attacks on a firewall, denial of service attacks, port scans, unsuccessful login attempts) occur within the normal course of business and the parties stipulate and agree that this paragraph constitutes notice by Sentry to Customer for such unsuccessful attempts; and
Communications by or on behalf of Sentry with Customer in connection with this Section 3(c) shall not be construed as an acknowledgment by Sentry of any fault or liability with respect to the breaches of Unsecured PHI.
Sentry will ensure that any subcontractors that create, receive, maintain, or transmit PHI on Sentry’s behalf agree to the same restrictions and conditions that apply to Sentry with respect to such PHI.
Upon request of Customer or an individual, Sentry will promptly provide information to Customer as may be reasonably necessary to facilitate Customer’s compliance with its obligation to: (i) make available to requesting individuals a copy of any PHI about such individuals held by Sentry in a designated record set, in accordance with 45 CFR 164.524; (ii) amend PHI or records about the requesting individual held by Sentry in a designated record set, in accordance with 45 CFR 164.526; and (iii) provide to requesting individuals an accounting of disclosures of PHI about such individuals made by Customer in the six (6) years prior to the date of request, in accordance with 45 CFR 164.528.
In the event that any individual requests from Sentry access, amendment, or an accounting of PHI, Sentry shall forward such request to Customer within five (5) business days. Customer shall be responsible for responding to the individual’s request and Customer agrees that Sentry may respond to the individual directing them to make such request to Customer.
Sentry will comply with HIPAA security standards for electronic PHI.
Sentry will make its internal practices, books, and records relating to the use and disclosure of PHI received from, or created or received by Sentry on behalf of, Customer available to the Secretary for the purpose of determining Customer’s compliance with HIPAA.
To the extent that Sentry carries out Customer’s obligations under HIPAA regulations, Sentry will comply with the requirements of this Section 3 that apply to Customer in the performance of such obligations.
Sentry will use appropriate safeguards to prevent use or disclosure of the PHI other than as provided for by this BAA and to comply with the HIPAA Security Rule (Subpart C of 45 CFR Part 164).
This BAA shall be effective on the BAA Effective Date, and shall remain in effect until the earlier of: (i) the termination or expiration of the Agreement; or (ii) the termination of this BAA in accordance with Section 5, below.
Customer may terminate this BAA upon written notice if Sentry materially breaches a term of this BAA, and fails to cure the breach within thirty (30) days of receiving written notice of it. Sentry may terminate this BAA upon written notice if Customer either: (i) agrees to restrictions that impact Sentry’s ability to perform its obligations under the Agreement; (ii) agrees to restrictions that increase Sentry’s cost of performance under this BAA or the Agreement; or (iii) fails to meets its obligations under HIPAA. The Parties may also terminate this BAA upon mutual consent.
In the event that Customer reasonably determines that Sentry has breached its obligations under this BAA, Customer may, in addition to its other rights set forth in this BAA, immediately stop all further disclosures of PHI to Sentry until the breach has been resolved.
Upon termination of this BAA, unless otherwise directed by Customer, Sentry will return or destroy all PHI received from, created by, or received on behalf of, Customer and will not retain copies of any such PHI; provided that in the event Sentry deems return or destruction of such PHI unfeasible, the terms of this BAA will survive termination and, for as long as Sentry retains that PHI, Sentry will use or disclose it solely as permitted by law.
There are no third party beneficiaries to this BAA. Except as expressly provided herein, nothing in this BAA will be deemed to waive or modify any of the provisions of the Agreement (including limitations of liability), which otherwise remain in full force and effect. If you have entered into more than one Agreement with us, this BAA will amend each of the Agreements separately. In the event of a conflict or inconsistency between the terms of this BAA and the terms of the Agreement, the terms of this BAA will control. The parties recognize that electronic PHI is a subset of PHI and all references to PHI in this BAA shall include electronic PHI. A reference in this BAA to a section of HIPAA means the section as in effect or as amended, and for which compliance is required. Any ambiguity in this BAA shall be resolved in favor of a meaning that permits Sentry to comply with HIPAA. If any of the regulations promulgated under HIPAA are amended or interpreted in a manner that renders this BAA inconsistent therewith, the parties shall cooperate in good faith to amend this BAA to the extent necessary to comply with such amendments or interpretations.