Updated 03/01/2024
This Agreement (“Agreement”) is established and entered into at the date and time your Glassmind AI Inc. account is created and is between you (“Covered Entity”) and Glassmind AI Inc. (“Business Associate”), a Delaware C Corp.
WHEREAS, Business Associate is engaged in the provision of an online resource management product (“Offering”); and
WHEREAS, Covered Entity desires to employ, or has employed, Business Associate in connection with said Offering,
NOW, THEREFORE, in consideration of the premises and mutual promises herein contained, it is agreed as follows:
Definitions. Terms utilized, but not otherwise defined in this Agreement, shall have the same meaning as those terms in the Privacy Rule, Security Rule, and HITECH Act.
Agent. “Agent” shall have the meaning as determined in accordance with the federal common law of agency.
Breach. “Breach” shall have the same meaning as the term “breach” in 45 CFR § 164.402.
Business Associate. “Business Associate” shall mean Glassmind AI Inc.
Covered Entity. “Covered Entity” shall mean active subscriber to Glassmind AI Inc.
Data Aggregation. “Data Aggregation” shall have the same meaning as the term “data aggregation” in 45 CFR § 164.501.
Designated Record Set. “Designated Record Set” shall have the same meaning as the term “designated record set” in 45 CFR § 164.501.
Disclosure. “Disclosure” and “Disclose” shall have the same meaning as the term “Disclosure” in 45 CFR § 160.103.
Electronic Health Record. “Electronic Health Record” shall have the same meaning as the term in Section 13400 of the HITECH Act.
Health Care Operations. “Health Care Operations” shall have the same meaning as the term “health care operations” in 45 CFR § 164.501.
HIPAA Rules. “HIPAA Rules” shall mean the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Part 160 and Part 164.
HITECH Act. “HITECH Act” shall mean The Health Information Technology for Economic and Clinical Health Act, part of the American Recovery and Reinvestment Act of 2009 (“ARRA” or “Stimulus Package”), specifically DIVISION A: TITLE XIII Subtitle D—Privacy, and its corresponding regulations as enacted under the authority of the Act.
Individual. “Individual” shall have the same meaning as the term “individual” in 45 CFR § 160.103 and shall include a person who qualifies as a personal representative in accordance with 45 CFR § 164.502(g).
Minimum Necessary. “Minimum Necessary” shall mean the Privacy Rule Standards found at §164.502(b) and § 164.514(d)(1).
Privacy Rule. “Privacy Rule” shall mean the Standards for Privacy of Individually Identifiable Health Information at 45 CFR Part 160 and Part 164, Subparts A and E.
Protected Health Information. “Protected Health Information” shall have the same meaning as the term “protected health information” in 45 CFR § 160.103, limited to the information created, received, maintained or transmitted by Business Associate on behalf of Covered Entity.
Required By Law. “Required By Law” shall have the same meaning as the term “required by law” in 45 CFR § 164.103.
Secretary. “Secretary” shall mean the Secretary of the Department of Health and Human Services or his or her designee.
Security Incident. “Security Incident” shall have the same meaning as the term “Security Incident” in 45 CFR §164.304.
Security Rule. “Security Rule” shall mean the Security Standards for the Protection of Electronic Protected Health Information at 45 CFR Part 160 and Part 164, Subparts A and C.
Subcontractor. “Subcontractor” shall have the same meaning as the term “subcontractor” in 45 CFR § 160.103.
Unsecured Protected Health Information. “Unsecured Protected Health Information” shall have the same meaning as the term “unsecured protected health information” in 45 CFR § 164.402.
Use. “Use” and “Uses” shall have the same meaning as the term “use” in 45 CFR § 160.103.
Business Associate agrees to not Use or Disclose Protected Health Information other than as permitted or required by this Agreement or as Required By Law. Business Associate agrees to use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to electronic protected health information, to prevent Use or Disclosure of Protected Health Information other than as provided for by this Agreement. Business Associate agrees to report to Covered Entity any Use or Disclosure of Protected Health Information not provided for by this Agreement of which it becomes aware, including Breaches of Unsecured Protected Health Information as required at 45 CFR § 164.410, and any Security Incident of which it becomes aware, in each case without unreasonable delay and in no case later than three (3) business days after Business Associate’s discovery of the Breach or Security Incident. In accordance with 45 CFR §§ 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, Business Associate agrees to ensure that any Subcontractors that create, receive, maintain, or transmit Protected Health Information on behalf of the Business Associate agree to the same restrictions, conditions, and requirements that apply to the Business Associate with respect to such information. Business Associate agrees to provide access, at the request of Covered Entity, and in the time and manner designated by Covered Entity, to Protected Health Information in a Designated Record Set, to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements under 45 CFR § 164.524. Business Associate agrees to make any amendment(s) to Protected Health Information in a Designated Record Set that the Covered Entity directs or agrees to pursuant to 45 CFR § 164.526 at the request of Covered Entity or an Individual, and in the time and manner designated by Covered Entity. Business Associate agrees to make internal practices, books, and records, including policies and procedures and Protected Health Information, relating to the use and disclosure of Protected Health Information received from, or created or received by Business Associate on behalf of, Covered Entity available to the Covered Entity, or at the request of the Covered Entity to the Secretary, in a time and manner designated by the Covered Entity or the Secretary, for purposes of the Secretary determining Covered Entity’s compliance with the Privacy Rule. Business Associate agrees to document such disclosures of Protected Health Information and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 CFR § 164.528. Business Associate agrees to provide to Covered Entity or an Individual, in time and manner designated by Covered Entity, information collected in accordance with this Agreement, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 CFR § 164.528.
Except as otherwise limited by this Agreement, Business Associate may make any Uses and Disclosures of Protected Health Information necessary to perform its services to Covered Entity and otherwise meet its obligations under this Agreement, if such Use or Disclosure would not violate the Privacy Rule, or the privacy provisions of the HITECH Act, if done by Covered Entity. All other Uses or Disclosures by Business Associate not authorized by this Agreement, or by specific instruction of Covered Entity, are prohibited. Except as otherwise limited in this Agreement, Business Associate may Use Protected Health Information for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate. Except as otherwise limited in this Agreement, Business Associate may Disclose Protected Health Information for the proper management and administration of the Business Associate, provided that Disclosures are Required By Law, or Business Associate obtains reasonable assurances from the person to whom the information is Disclosed that it will remain confidential and used, or further Disclosed, only as Required By Law, or for the purpose for which it was Disclosed to the person, and the person notifies the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached. Except as otherwise limited in this Agreement, Business Associate may Use Protected Health Information to provide Data Aggregation services to Covered Entity as permitted by 45 CFR §164.504(e)(2)(i)(B). Business Associate agrees that such Data Aggregation services shall be provided to Covered Entity only wherein said services pertain to Health Care Operations. Business Associate further agrees that said services shall not be provided in a manner that would result in Disclosure of Protected Health Information to another covered entity who was not the originator and/or lawful possessor of said Protected Health Information. Further, Business Associate agrees that any such wrongful Disclosure of Protected Health Information is a direct violation of this Agreement and shall be reported to Covered Entity immediately after the Business Associate becomes aware of said Disclosure and, under no circumstances, later than three (3) business days thereafter. Business Associate may Use Protected Health Information to report violations of law to appropriate Federal and State authorities, consistent with § 164.502(j)(1). Business Associate shall make Uses, Disclosures, and requests for Protected Health Information consistent with the Minimum Necessary principle as defined herein.
Covered Entity shall notify Business Associate of the provisions and any limitation(s) in its notice of privacy practices of Covered Entity in accordance with 45 CFR § 164.520, to the extent that such provisions and limitation(s) may affect Business Associate’s Use or Disclosure of Protected Health Information. Covered Entity shall notify Business Associate of any changes in, or revocation of, permission by an Individual to use or disclose Protected Health Information, to the extent that the changes or revocation may affect Business Associate’s use or disclosure of Protected Health Information. Covered Entity shall notify Business Associate of any restriction to the use or disclosure of Protected Health Information that Covered Entity has agreed to in accordance with 45 CFR §164.522, and also notify Business Associate regarding restrictions that must be honored under section 13405(a) of the HITECH Act, to the extent that such restrictions may affect Business Associate’s Use or Disclosure of Protected Health Information. Covered Entity shall notify Business Associate of any modifications to accounting disclosures of Protected Health Information under 45 CFR § 164.528, made applicable under Section 13405(c) of the HITECH Act, to the extent that such restrictions may affect Business Associate’s use or disclosure of Protected Health Information. Business Associate shall provide information to Covered Entity via email or phone call, wherein such information is required to be provided to Covered Entity as agreed to by Business Associate in paragraph 2(d) of this Agreement. Covered Entity reserves the right to modify the manner and format in which said information is provided to Covered Entity, as long as the requested modification is reasonably required by Covered Entity to comply with the HIPAA Rules or the HITECH Act, and Business Associate is provided sixty (60) business days notice before the requested modification takes effect. Covered Entity shall not require Business Associate to Use or Disclose Protected Health Information in any manner that would not be permissible under the HIPAA Rules if done by the Covered Entity.
Unless otherwise restricted by this Agreement, Glassmind may undertake any Uses and Disclosures of Protected Health Information required to deliver its services to the Covered Entity and fulfill its responsibilities under this Agreement, provided such Use or Disclosure would not contravene the Privacy Rule, or the privacy stipulations of the HITECH Act, if performed by the Covered Entity. Any other Uses or Disclosures by Glassmind not authorized by this Agreement, or by explicit instruction of the Covered Entity, are forbidden. Unless otherwise restricted in this Agreement, Glassmind may Use Protected Health Information for the appropriate management and administration of Glassmind or to execute the legal duties of Glassmind. Unless otherwise restricted in this Agreement, Glassmind may Disclose Protected Health Information for the appropriate management and administration of Glassmind, given that Disclosures are Mandated By Law, or Glassmind secures reasonable assurances from the individual receiving the information that it will be kept confidential and used, or further Disclosed, only as Mandated By Law, or for the purpose it was Disclosed to the individual, and the individual notifies Glassmind of any instances of which it is aware where the confidentiality of the information has been compromised. Unless otherwise restricted in this Agreement, Glassmind may Use Protected Health Information to offer Data Aggregation services to the Covered Entity as allowed by 45 CFR §164.504(e)(2)(i)(B). Glassmind agrees that such Data Aggregation services shall be provided to the Covered Entity only where said services relate to Health Care Operations. Glassmind further agrees that said services shall not be provided in a way that would result in Disclosure of Protected Health Information to another covered entity who was not the originator and/or lawful possessor of said Protected Health Information. Moreover, Glassmind agrees that any such wrongful Disclosure of Protected Health Information is a direct violation of this Agreement and shall be reported to the Covered Entity immediately after Glassmind becomes aware of said Disclosure and, under no circumstances, later than three (3) business days thereafter. Glassmind may Use Protected Health Information to report violations of law to appropriate Federal and State authorities, consistent with § 164.502(j)(1). Glassmind shall make Uses, Disclosures, and requests for Protected Health Information consistent with the Minimum Necessary principle as defined herein.
The Covered Entity shall inform Glassmind of the provisions and any limitation(s) in its notice of privacy practices in accordance with 45 CFR § 164.520, to the extent that such provisions and limitation(s) may affect Glassmind’s Use or Disclosure of Protected Health Information. The Covered Entity shall inform Glassmind of any changes in, or revocation of, permission by an Individual to use or disclose Protected Health Information, to the extent that the changes or revocation may affect Glassmind’s use or disclosure of Protected Health Information. The Covered Entity shall inform Glassmind of any restriction to the use or disclosure of Protected Health Information that the Covered Entity has agreed to in accordance with 45 CFR §164.522, and also inform Glassmind regarding restrictions that must be honored under section 13405(a) of the HITECH Act, to the extent that such restrictions may affect Glassmind’s Use or Disclosure of Protected Health Information. The Covered Entity shall inform Glassmind of any modifications to accounting disclosures of Protected Health Information under 45 CFR § 164.528, made applicable under Section 13405(c) of the HITECH Act, to the extent that such restrictions may affect Glassmind’s use or disclosure of Protected Health Information. Glassmind shall provide information to the Covered Entity via email or phone call, wherein such information is required to be provided to the Covered Entity as agreed to by Glassmind in paragraph 2(d) of thisAgreement. The Covered Entity reserves the right to modify the manner and format in which said information is provided to the Covered Entity, as long as the requested modification is reasonably required by the Covered Entity to comply with the HIPAA Rules or the HITECH Act, and Glassmind is provided sixty (60) business days notice before the requested modification takes effect. The Covered Entity shall not require Glassmind to Use or Disclose Protected Health Information in any manner that would not be permissible under the HIPAA Rules if done by the Covered Entity.
The Duration of this Agreement shall commence as of the date and time the Covered Entity agrees to the Terms of Service for using Glassmind’s Website, Software, and Services by creating an account, and shall terminate when all of the Protected Health Information provided by the Covered Entity to Glassmind, or created or received by Glassmind on behalf of the Covered Entity, is destroyed or returned to the Covered Entity, or, if it is infeasible to return or destroy Protected Health Information, protections are extended to such information, in accordance with the termination provisions in this Agreement. Termination for Cause by Covered Entity. Upon the Covered Entity’s knowledge of a significant breach of this Agreement by Glassmind, the Covered Entity shall give Glassmind written notice of such breach and provide a reasonable opportunity for Glassmind to rectify the breach or end the violation. The Covered Entity may terminate this Agreement, and Glassmind agrees to such termination, if Glassmind has breached a significant term of this Agreement and does not rectify the breach or rectification is not possible. If neither termination nor rectification is feasible, the Covered Entity shall report the violation to the Secretary. Termination for Cause by Glassmind. Upon Glassmind’s knowledge of a significant breach of this Agreement by the Covered Entity, Glassmind shall give the Covered Entity notice via email of such breach and provide a reasonable opportunity for the Covered Entity to rectify the breach or end the violation. Glassmind may terminate this Agreement, and the Covered Entity agrees to such termination, if the Covered Entity has breached a significant term of this Agreement and does not rectify the breach or rectification is not possible. If neither termination nor rectification is feasible, Glassmind shall report the violation to the Secretary. Effect of Termination. Except as provided in paragraph (2) of this section, upon termination of this Agreement for any reason, Glassmind shall return or destroy all Protected Health Information received from, or created or received by Glassmind on behalf of the Covered Entity. This provision shall also apply to Protected Health Information that is in the possession of Subcontractors of Glassmind. Glassmind shall retain no copies of the Protected Health Information. In the event that Glassmind determines that returning or destroying the Protected Health Information is infeasible, Glassmind shall provide to the Covered Entity, within ten (10) business days, notification of the conditions that make return or destruction infeasible. Upon such determination, Glassmind shall extend the protections of this Agreement to such Protected Health Information and limit further uses and disclosures of such Protected Health Information to those purposes that make the return or destruction infeasible, for so long as Glassmind maintains such Protected Health Information.
A reference in this BAA to a section in HIPAA means the section as in effect or as amended at the time.
All notices, requests and demands or other communications to be given under this BAA to a Party will be made via electronic mail to the Party’s address given below:
A. If to Covered Entity, to:
{Your Practice Name}, c/o {Account Owner Name}, {Account Owner Email}
B. If to Business Associate, to:
Attn: legal@glassmind.io
This BAA may not be modified, nor will any provision be waived or amended, except in writing duly signed by authorized representatives of the Parties. A waiver with respect to one event shall not be construed as continuing, or as a bar to or waiver of any right or remedy as to subsequent events.
This Agreement may be modified only by a signed written agreement between the Covered Entity and Glassmind. All other agreements entered into between the Covered Entity and Glassmind, not related to this Subject Matter, remain in full force and effect.
This Agreement and the rights of the parties shall be governed by and construed in accordance with the Federal Arbitration Act, Federal law as it pertains to the Subject Matter, and shall be governed by and construed in accordance with the laws of the New Hampshire as it pertains to contract formation and interpretation, without giving effect to its conflict of laws. In the event of a Dispute between you and Glassmind (including any dispute over the validity, enforceability, or scope of this dispute resolution provision), other than with respect to claims for injunctive relief, the Dispute will be resolved by binding arbitration pursuant to the rules of the American Arbitration Association Commercial Arbitration Rules. The place of the arbitration shall be in Concord, New Hampshire. In the event that there is any Dispute between you and Glassmind that is determined not to be subject to arbitration pursuant to the preceding sentence, you agree to submit in that event to the exclusive jurisdiction and venue of the state and federal courts located in Hillsboro County, New Hampshire.
Regulatory References. A reference in this Agreement to a section in the Privacy Rule, Security Rule, or HITECH Act means the section as in effect or as amended. Amendment. The Parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for the Covered Entity and Glassmind to comply with the requirements of the Privacy Rule, Security Rule, the Health Insurance Portability and Accountability Act of 1996 (Pub. L. No. 104-191), and the HITECH Act and its corresponding regulations. Survival. The respective rights and obligations of Glassmind under Section 5(d) of this Agreement shall survive the termination of this Agreement. Interpretation. Any ambiguity in this Agreement shall be resolved to permit the Covered Entity and Glassmind to comply with the Privacy Rule, Security Rule, the Health Insurance Portability and Accountability Act of 1996 (Pub. L. No. 104-191), and the HITECH Act and its corresponding regulations.
If any provision or provisions of this Agreement is/are determined by a court of competent jurisdiction to be unlawful, void, or unenforceable, this Agreement shall not be unlawful, void or unenforceable thereby, but shall continue in effect and be enforced as though such provision or provisions were omitted.
If you have any questions, please reach out and ask.