HIPAA Breach Indemnification Agreement

Version 1.5 - August 2017

This Aptible HIPAA Breach Indemnification Agreement (“BIA”) between Aptible, Inc. (“Aptible”, “us” or “we”) and users of the Aptible Services (“you”) governs the use of the Aptible Services under the provisions of the Aptible Terms of Service.

Unless otherwise provided herein, this BIA is subject to the provisions of the Terms.

1. Applicability

This BIA applies only to specific accounts, Services, and data, for which you have a valid, signed HIPAA Business Associate Agreement (“BAA”) in place with Aptible. This BIA may cover use of both the Enclave and Gridiron products.

This BIA does not apply to any account, Service, or data that is:

  • Not subject to a valid BAA, or
  • Where you have failed to apply the security controls and configurations required by the BAA

For example, this BIA does not apply to Enclave Shared Environments, or to Gridiron accounts for which you do not have a BAA with Aptible.

2. Definitions

Capitalized words and phrases have the meaning specified in the Terms, which uses the definitions found in HIPAA where applicable.

“Breach” has the meaning specified in 45 CFR § 164.402.

“Claim” means any claim, proceeding, or suit brought against you by a Third Party.

“Covered Breach” means, except for Excluded Breaches, a Breach of Unsecured Protected Health Information from your Aptible Services that results directly from a failure by Aptible to properly configure or maintain the components of the Aptible Services under Aptible’s exclusive control.

“Covered Claim” means any Claim, to the extent the Claim results directly from a Covered Breach. Claims that do not result directly from a Covered Breach are not Covered Claims.

“Covered Expenses” means (a) all damages, costs, and attorneys’ fees finally awarded against you in any Covered Claim; and (b) all out-of-pocket costs (including reasonable attorneys’ fees) that you reasonably incurred in connection with the defense of a Covered Claim (other than attorneys’ fees and costs incurred without Aptible’s consent after Aptible has accepted defense of the Covered Claim).

“Excluded Breach” means any Breach of PHI that in any way results from: (a) as between you and Aptible, your failure to properly configure your Aptible Services to protect PHI; (b) as between you and Aptible, your failure to properly configure or enforce user access policies and permissions for your Aptible Services or Enclave Containerized Services to protect PHI; (c) any other vulnerability introduced by your Enclave Containerized Services themselves (and not the infrastructure or Enclave platform on which the service is hosted); (d) actions or omissions by any Aptible vendor, such as Amazon Web Services; or (e) your breach of the Aptible Terms of Service, your BAA, or this BIA.

“Governmental Agency” means any court, administrative agency or commission or other federal, state, county, or local governmental entity, instrumentality, agency or commission.

“Regulatory Investigation” means a formal investigation by the U.S. Department of Health and Human Services into your security procedures regarding Protected Health Information.

“Third Party” means, other than a Governmental Agency, an unaffiliated corporation, partnership, or other entity, or a natural person.

“Unsecured Protected Health Information” has the meaning specified in 45 CFR § 164.402.

3. Indemnity

A. Defense. Subject to Section 3(C) of this BIA, Aptible will either defend you from or settle a Covered Claim if you:

  1. Give Aptible prompt written notice of the Covered Claim;
  2. Grant Aptible full control over the defense and settlement of the Covered Claim;
  3. Provide assistance in connection with the defense and settlement of the Covered Claim as Aptible reasonably requests; and
  4. Comply with any settlement or court order made in connection with the Covered Claim.

You must not defend or settle any Covered Claim without Aptible’s prior written consent. You have the right to participate in the defense of the Covered Claim at your own expense and with counsel of your own choosing, but Aptible will have sole control over the defense and settlement of the Covered Claim.

B. Indemnification. Subject to Section 3(C) of this BIA, Aptible will indemnify you from and pay:

  1. All Covered Expenses incurred by you in connection with a Covered Claim; and
  2. Any monetary fines imposed on you by a Governmental Agency in connection with a Regulatory Investigation for carrying out practices for the protection of PHI that you implemented pursuant to Aptible’s express written recommendations.

C. Exclusions. Aptible will have no obligation to you under Sections 3(A) or 3(B) of this BIA if:

  1. You are in breach of the Aptible Terms of Service, your BAA, or this BIA at such time the Claim or Regulatory Investigation (as applicable) arises;
  2. The Claim or Regulatory Investigation (as applicable) relates to or arises from, directly or indirectly, an Excluded Breach;
  3. You fail to enter or otherwise provide accurate information to Aptible in connection with your use of the Services;
  4. You fraudulently omitted or included any information as part of your use of the Services; or
  5. You fail to update information that was accurate when provided to Aptible in connection with your use of the Services but which information later becomes inaccurate.

4. Dispute Resolution and Arbitration

Disputes arising under this BIA shall be resolved under the Dispute Resolution and Arbitration provisions of the Aptible Terms of Service.

5. Entire Agreement; Conflict

Except as amended by this BIA, the Aptible Terms of Service and your BAA will remain in full force and effect. This BIA, together with the Terms and your BAA:

  1. Is intended by the parties as a final, complete and exclusive expression of the terms of their agreement; and
  2. Supersedes all prior agreements and understandings (whether oral or written) between the parties with respect to the subject matter hereof.

If there is a conflict between the Terms, this BIA, your BAA, or any other amendment or any addendum to those agreements, the document executed by the parties later in time will prevail.