Version: December 22, 2022
This HIPAA Business Associate Addendum ("BAA") is entered into between Google and the customer agreeing to these terms ("Customer"), and supplements, amends and is incorporated into the Agreement(s) (defined below) solely with respect to Covered Services (defined below). This BAA will be effective as of the date on which Customer clicked to accept or the parties otherwise agreed to this BAA.
Customer must have an existing Agreement in place for this BAA to be valid and effective. Together with the Agreement, this BAA will govern each party’s respective obligations regarding Protected Health Information (defined below).
You represent and warrant that (i) you have the full legal authority to bind Customer to this BAA, (ii) you have read and understand this BAA, and (iii) you agree, on behalf of Customer, to the terms of this BAA. If you do not have legal authority to bind Customer, or do not agree to these terms, please do not sign or click to accept the terms of this BAA.
Capitalized terms used but not otherwise defined in this BAA will have the respective meanings assigned to such terms in either (a) the Administrative Simplification section of the Health Insurance Portability and Accountability Act of 1996, the Health Information Technology for Economic and Clinical Health Act and their implementing regulations as amended from time to time (collectively, “HIPAA”) or (b) the Agreement(s).
“Agreement(s)” means the written agreement(s) between Google and Customer for the provision of Covered Services, which agreement(s) may be in the form of online terms of service.
“Covered Services” means Looker Studio, but does not include Looker Studio Pro.
“End Users” has the definition given to it under the Agreement.
“Google” means the Google Entity that is party to the Agreement(s).
“Google Entity” means Google LLC, Google Ireland Limited or any other Affiliate of Google LLC.
“HIPAA Implementation Guide” means the informational guide that Google makes available describing how the Covered Services may be configured by Customer in connection with Customer’s HIPAA compliance efforts. The HIPAA Implementation Guide for the Covered Services is available for review at the following URL: https://support.google.com/looker-studio/answer/10043514.
“Protected Health Information” or “PHI” has the definition given to it under HIPAA and for purposes of this BAA is limited to PHI within Customer Data to which Google has access through the Covered Services in connection with Customer’s permitted use of Covered Services.
- This BAA applies to the extent Customer is acting as a Covered Entity or a Business Associate to create, receive, maintain, or transmit PHI via a Covered Service and to the extent Google, as a result, is deemed under HIPAA to be acting as a Business Associate or Subcontractor of Customer. Customer acknowledges that this BAA does not apply to (i) any other Google product, service, or feature that is not a Covered Service; or (ii) any PHI that Customer creates, receives, maintains, or transmits outside of the Covered Services (including Customer’s use of its offline or on-premise storage tools or third-party applications).
- A reference in this BAA to a section in HIPAA means the section as it may be amended from time to time.
- Use and Disclosure of PHI.
- Google may use and disclose PHI only (i) as permitted or required by the Agreements and/or this BAA or (ii) as Required by Law.
- Google may use and disclose PHI for its proper management and administration and to carry out its legal responsibilities, provided that any disclosure of PHI for such purposes may only occur if: (1) Required by Law; or (2) Google obtains written reasonable assurances from the person to whom PHI will be disclosed that it will be held in confidence, used or further disclosed only as Required by Law or for the purpose for which it was disclosed, and that Google will be notified of any Breach or Security Incident.
- To the extent required by the “minimum necessary” requirements of HIPAA, Google will only request, use and disclose the minimum amount of PHI necessary to accomplish the purpose of the request, use or disclosure.
- To the extent Google agrees in writing to carry out any of Customer’s obligations under the HIPAA Privacy Rule, Google shall comply with the requirements of the HIPAA Privacy Rule that apply to Customer in the performance of such obligations.
- Customer Obligations.
- Customer is solely responsible for managing whether Customer’s End Users are authorized to share, disclose, create, and/or use PHI within the Covered Services.
- Customer will not request that Google or the Covered Services use or disclose PHI in any manner that would not be permissible under HIPAA if done by Customer (if Customer is a Covered Entity) or by the Covered Entity to which Customer is a Business Associate (unless expressly permitted under HIPAA for a Business Associate), except as provided in Section 3 of this BAA.
- When Customer discloses PHI to Google, Customer will provide the minimum amount of PHI necessary for the accomplishment of Google’s purpose.
- For End Users that use the Covered Services in connection with PHI, Customer will use controls available within the Services, including those detailed in the HIPAA Implementation Guide, to ensure its use of PHI is limited to the Covered Services. Customer acknowledges and agrees that the HIPAA Implementation Guide is provided by Google solely as an informational guide with respect to Customer’s configuration options, and that Customer is solely responsible for ensuring that its and its End Users’ use of the Covered Services complies with HIPAA.
- Customer warrants that it has obtained and will obtain any consents, authorizations and/or other legal permissions required under HIPAA and/or other applicable law for the disclosure of PHI to Google. If there are any changes in, or revocation of, the permission given by an Individual for use or disclosure of PHI, Customer is responsible for managing its use of the Covered Services accordingly to update and/or delete such PHI in the Covered Services.
- Safeguards. Google and Customer will each use reasonable and appropriate safeguards to prevent the use or disclosure of PHI, except as otherwise permitted or required by this BAA. In addition, Google shall implement Administrative Safeguards, Physical Safeguards and Technical Safeguards that reasonably and appropriately protect the Confidentiality, Integrity and Availability of PHI transmitted or maintained in Electronic Media (“EPHI”) that it creates, receives, maintains or transmits on behalf of Customer. Google shall comply with the applicable provisions of the HIPAA Security Rule with respect to EPHI.
- Reporting and Related Obligations.
- Google will promptly notify Customer of (i) any Security Incident of which Google becomes aware, subject to Section 6(c); and (ii) any Breach that Google discovers, provided that any notice for Breach will be made promptly and without unreasonable delay, and in no case later than 60 calendar days after discovery. Notifications made under this section will describe, to the extent possible, details of a Breach, including steps taken to mitigate the potential risks and steps Google recommends Customer take to address the Breach.
- Google will send any applicable notifications to the notification email address provided by Customer in the Agreement (and/or applicable service user interface) or via direct communication with the Customer.
- Notwithstanding Section 6(a), this Section 6(c) will be deemed as notice to Customer that Google periodically receives unsuccessful attempts for unauthorized access, use, disclosure, modification or destruction of information, or interference with the general operation of Google’s information systems and the Covered Services. Customer acknowledges and agrees that even if such events constitute a Security Incident, Google will not be required to provide any notice under this BAA regarding such unsuccessful attempts other than this Section 6(c).
- Google will take reasonable steps to mitigate, to the extent practicable, any harmful effect (that is known to Google) of a use or disclosure of PHI by Google in violation of this BAA.
- Google will report to Customer any use or disclosure of PHI not permitted under this BAA of which Google becomes aware.
- Subcontractors. Google will enter into a written agreement meeting the requirements of 45 C.F.R. §§ 164.504(e) and 164.314(a)(2), as applicable, with each Subcontractor that creates, receives, maintains or transmits PHI on behalf of Google. Google will ensure that the written agreement with each Subcontractor obligates the Subcontractor to comply with restrictions and conditions that provide the same material level of protection for PHI as this BAA.
- Access and Amendment. Customer acknowledges and agrees that Customer is solely responsible for the form and content of PHI maintained by Customer within the Covered Services, including whether Customer maintains such PHI in a Designated Record Set within the Covered Services. Google will provide Customer with access to Customer’s PHI via the Covered Services so that Customer may fulfill its obligations under HIPAA with respect to Individuals’ rights of access and amendment, but will have no other obligations to Customer or any Individual with respect to the rights afforded to Individuals by HIPAA with respect to Designated Record Sets, including rights of access or amendment of PHI. Customer is responsible for managing its use of the Covered Services to appropriately respond to such Individual requests.
- Accounting of Disclosures. Google will document disclosures of PHI by Google and provide an accounting of such disclosures to Customer as and to the extent required of a Business Associate under HIPAA and in accordance with the requirements applicable to a Business Associate under HIPAA.
- Availability of Books and Access to Records. To the extent required by law, and subject to applicable attorney client privileges, Google will make its internal practices, books, and records concerning the use and disclosure of PHI received from Customer, or created or received by Google on behalf of Customer, available to the Secretary of the U.S. Department of Health and Human Services (the “Secretary”) for the purpose of the Secretary determining compliance with this BAA.
- Expiration and Termination.
- This BAA will terminate on the earlier of (i) a permitted termination in accordance with Section 11(b) below, or (ii) the expiration or termination of all Agreements under which Customer has access to a Covered Service.
- If either party materially breaches this BAA, the non-breaching party may terminate this BAA on 15 days’ written notice to the breaching party unless the breach is cured within the 15-day period. If a cure under this Section 11(b) is not reasonably possible, the non-breaching party may immediately terminate this BAA, or if neither termination nor cure is reasonably possible under this Section 11(b), the non-breaching party may report the violation to the Secretary, subject to all applicable legal privileges.
- If this BAA is terminated earlier than the Agreement(s), Customer may continue to use the Services in accordance with the Agreements, but must delete any PHI it maintains in the Covered Services and cease to further create, receive, maintain, or transmit such PHI to Google.
- Return/Destruction of Information. On termination of the Agreement(s), Google will return or destroy all PHI received from Customer, or created or received by Google on behalf of Customer; provided, however, that if such return or destruction is not feasible, Google will extend the protections of this BAA to the PHI not returned or destroyed and limit further uses and disclosures to those purposes that make the return or destruction of the PHI infeasible.
- Changes to this BAA. Google may modify the terms of this BAA (including URLs referenced in these terms and the content within such URLs) from time to time. A notice of such modifications will be available at the relevant URL (or a different URL that Google may provide from time to time) or the user interface of the relevant Covered Service. Changes to these terms (including changes to the content within URLs) will not apply retroactively and will become effective 14 days after they are posted, except that changes to URL references will be effective immediately.
- Survival. Sections 12 (Return/Destruction of Information) and 14 (Miscellaneous) will survive termination or expiration of this BAA.
- Effects of Addendum. To the extent this BAA conflicts with the remainder of the Agreement(s), this BAA will govern. This BAA is subject to the “Governing Law” section in the Agreement(s). Except as expressly modified or amended under this BAA, the terms of the Agreement(s) remain in full force and effect.