Local Services Ads HIPAA Business Associate Agreement

This Local Services Ads HIPAA Business Associate Agreement (“BAA”) is entered into between Google LLC (“Google”) and the customer agreeing to the terms below (“Customer”), in connection with the Agreement(s) (defined below) between Google and Customer. This BAA will be effective as of the date electronically accepted by Customer (the “BAA Effective Date”).

This BAA (a) only applies to Covered Services provided under the Agreement(s), and (b) together with the Agreement(s), governs each party’s respective obligations regarding Protected Health Information.

Capitalized terms used in this BAA without definition shall have the respective meanings assigned to such terms in the Administrative Simplification section of the Health Insurance Portability and Accountability Act of 1996, the Health Information Technology for Economic and Clinical Health Act and their implementing regulations as amended from time to time (collectively, “HIPAA”).

  1. Definitions.

“Agreement(s)” means the written agreement(s) between Google and Customer for the provision of Services, which agreement(s) may be in the form of online terms of service.

“Covered Services” means the Google products and/or services specifically listed in the URLs or otherwise specifically listed on Attachment 1, as may be updated from time to time by Google.

“Customer Data” means data provided to Google by Customer or End Users through the Services.

“End Users” has the definition given to it under the Agreement(s).

“Protected Health Information” or “PHI” has the definition given to it under HIPAA and for purposes of this BAA is limited to PHI within Customer Data to which Google has access through the Covered Services in connection with Customer’s permitted use of Covered Services.

“Services” means any Google products and/or services provided by Google under the Agreement(s).

  2. General Provisions.
    1. This BAA applies to the extent Customer is acting as a Covered Entity or a Business Associate to create, receive, maintain, or transmit PHI via a Covered Service and to the extent Google, as a result, is deemed under HIPAA to be acting as a Business Associate or Subcontractor of Customer. Customer acknowledges that this BAA does not apply to (i) any other Google product, service, or feature that is not a Covered Service; or (ii) any PHI that Customer creates, receives, maintains, or transmits outside of the Covered Services (including Customer’s use of its offline or on-premise storage tools or third-party applications).
    2. A reference in this BAA to a section in HIPAA means the section as it may be amended from time-to-time.
  3. Use and Disclosure of PHI.
    1. Google may use and disclose PHI only (i) as permitted or required by the Agreement or this BAA or (ii) as Required by Law.
    2. Google may use and disclose PHI for its proper management and administration and to carry out its legal responsibilities, provided that any disclosure of PHI for such purposes may only occur if (i) Required by Law; or (ii) Google obtains written reasonable assurances from the person to whom PHI will be disclosed that it will be held in confidence, used or further disclosed only as Required by Law or for the purpose for which it was disclosed, and that Google will be notified of any Breach or Security Incident.
    3. To the extent required by the “minimum necessary” requirements of HIPAA, Google will only request, use and disclose the minimum amount of PHI necessary to accomplish the purpose of the request, use or disclosure.
    4. To the extent Google agrees in writing to carry out any of Customer’s obligations under the HIPAA Privacy Rule, Google shall comply with the requirements of the HIPAA Privacy Rule that apply to Customer in the performance of such obligations.
  4. Customer Obligations.
    1. Customer will not request that Google or the Covered Services use or disclose PHI in any manner that would not be permissible under HIPAA if done by Customer (if Customer is a Covered Entity) or by the Covered Entity to which Customer is a Business Associate (unless expressly permitted under HIPAA for a Business Associate), except as provided in Section 3 of this BAA.
    2. When Customer discloses PHI to Google, Customer will provide the minimum amount of PHI necessary for the accomplishment of Google’s purpose.
    3. For End Users that use the Covered Services in connection with PHI, Customer will ensure its use of PHI is limited to the Covered Services. Customer acknowledges and agrees that Customer is solely responsible for ensuring that its and its End Users’ use of the Covered Services complies with HIPAA and HITECH.
  5. Safeguards. Google and Customer will each use reasonable and appropriate safeguards to prevent the use or disclosure of PHI, except as otherwise permitted or required by this BA Agreement. In addition, Google shall implement Administrative Safeguards, Physical Safeguards and Technical Safeguards that reasonably and appropriately protect the Confidentiality, Integrity and Availability of PHI transmitted or maintained in Electronic Media (“EPHI”) that it creates, receives, maintains or transmits on behalf of Customer. Google shall comply with the applicable provisions of the HIPAA Security Rule with respect to EPHI.
  6. Reporting and Related Obligations.
    1. Google will promptly notify Customer of (i) any Security Incident of which Google becomes aware, subject to Section 6(c); and (ii) any Breach that Google discovers, provided that any notice for Breach will be made promptly and without unreasonable delay, and in no case later than 60 calendar days after discovery. Notifications made under this section will describe, to the extent possible, details of a Breach, including steps taken to mitigate the potential risks and steps Google recommends Customer take to address the Breach.
    2. Google will send any applicable notifications to the notification email address provided by Customer in the applicable Agreement or via direct communication with Customer.
    3. Notwithstanding Section 6(a), this Section 6(c) will be deemed as notice to Customer that Google periodically receives unsuccessful attempts for unauthorized access, use, disclosure, modification, or destruction of information, or interference with the general operation of Google’s systems and the Covered Services. Customer acknowledges and agrees that even if such events constitute a Security Incident, Google will not be required to provide any notice under this BAA regarding such unsuccessful attempts other than this Section 6(c).
    4. Google will take reasonable steps to mitigate, to the extent practicable, any harmful effect (that is known to Google) of a use or disclosure of PHI by Google in violation of this BAA.
    5. Google will report to Customer any use or disclosure of PHI not permitted under this BAA of which Google becomes aware.
  7. Subcontractors. Google shall enter into a written agreement meeting the requirements of 45 C.F.R. §§ 164.504(e) and 164.314(a)(2), as applicable, with each Subcontractor that creates, receives, maintains or transmits PHI on behalf of Google. Google will ensure that the written agreement with each Subcontractor obligates the Subcontractor to comply with restrictions and conditions that provide the same material level of protection for PHI as this BAA.
  8. Access and Amendment. Customer acknowledges and agrees that Customer is solely responsible for the form and content of PHI maintained by Customer within the Covered Services, including whether Customer maintains such PHI in a Designated Record Set within the Covered Services. Google will provide Customer with access to Customer’s PHI via the Covered Services so that Customer may fulfill its obligations under HIPAA with respect to Individuals’ rights of access and amendment, but will have no other obligations to Customer or any Individual with respect to the rights afforded to Individuals by HIPAA with respect to Designated Record Sets, including rights of access or amendment of PHI. Customer is responsible for managing its use of the Covered Services to appropriately respond to such individual requests.
  9. Accounting of Disclosures. Google will document disclosures of PHI by Google and provide an accounting of such disclosures to Customer as and to the extent required of a Business Associate under HIPAA and in accordance with the requirements applicable to a Business Associate under HIPAA.
  10. Availability of Books and Records. To the extent required by law, and subject to applicable attorney client privileges, Google will make its internal practices, books, and records concerning the use and disclosure of PHI received from Customer, or created or received by Google on behalf of Customer, available to the Secretary of the U.S. Department of Health and Human Services (the “Secretary”) for the purpose of the Secretary determining compliance with this BAA.
  11. Expiration and Termination.
    1. This BAA will terminate on the earlier of (i) a permitted termination in accordance with Section 11(b), or (ii) the expiration or termination of all Agreement(s) under which Customer has access to a Covered Service.
    2. If either party materially breaches this BAA, the non-breaching party may terminate this BAA on 15 days’ written notice to the breaching party unless the breach is cured within the 150-day period. If a cure under this Section 11(b) is not reasonably possible, the non-breaching party may immediately terminate this BAA, or if neither termination nor cure is reasonably possible under this Section 11(b), the non-breaching party may report the violation to the Secretary, subject to all applicable legal privileges.
  12. Return/Destruction of Information. On termination of the Agreement(s), Google will return or destroy all PHI received from Customer, or created or received by Google on behalf of Customer; provided, however, that if such return or destruction is not feasible, Google will extend the protections of this BAA to the PHI not returned or destroyed and limit further uses and disclosures to those purposes that make the return or destruction of the PHI infeasible.
  13. Miscellaneous.
    1. Survival. Sections 12 (Return/Destruction of Information) and 13 (Miscellaneous) will survive termination or expiration of this BAA.
    2. Counterparts. The parties may execute this BAA in counterparts, including facsimile, PDF, or other electronic copies, which taken together will constitute one instrument.
    3. Effects of Addendum. The Agreement(s) remain in full force and effect except as modified by this BAA. To the extent the Agreement(s) and this BAA conflict, this BAA governs.
    4. Governing Law. All claims arising out of or relating to the Agreement or the Services will be governed by California law, excluding that state’s conflict of laws rules, and will be litigated exclusively in the federal or state courts of Santa Clara County, California; the parties consent to personal jurisdiction in those courts.

You represent and warrant that (i) you have the full legal authority to bind Customer to this BAA, (ii) you have read and understand this BAA, and (iii) you agree, on behalf of Customer, to the terms of this BAA. If you do not have legal authority to bind Customer, or do not agree to these terms, please do not accept the terms of this BAA.

 

Attachment 1

List of Covered Services

Features of Local Services Ads (or any Google product or service specifically identified at: https://ads.google.com/local-services-ads/) that enable connections or communications between an End User and a Customer.
