Rewind Business Associate Agreement

The below BAA is for reference purposes only. If you wish to proceed with signing a BAA, please contact Rewind’s sales team for more information.

This Business Associate Agreement (this “BAA”), is made and entered into as of the date of the last signature below (“Effective Date”), by and between Rewind Software Inc. (“Rewind”) and you or the entity you represent as the Covered Entity (the “Customer”) (each, a “Party” and, collectively, the “Parties”) and, subject to the Parties entering into an Order Form for HIPAA Eligible Services (as defined below), is an addendum to the Rewind Terms of Service located at https://rewind.com/legal/terms-of-service/ (and any successor locations designated by Rewind) by and between Customer and Rewind, or other agreement between Rewind and Customer governing Customer’s use of the Services which includes Customer’s use of the HIPAA Eligible Services (the “Underlying Agreement”).

The purpose of this BAA is to set forth the obligations of Rewind and Customer to the extent PHI is created, received, maintained or transmitted on behalf of Customer in connection with HIPAA Eligible Services, as defined below. Both Parties are committed to complying with the United States federal and state laws governing the confidentiality and privacy of health information, including, but not limited to, the Standards for Privacy of Individually Identifiable Health Information found at 45 CFR Part 160 and Part 164, Subparts A and E (collectively, the “Privacy Rule”) and both Parties intend to protect the privacy and provide for the security of Protected Health Information disclosed to Rewind pursuant to the terms of this Agreement, HIPAA, and other applicable laws.

NOW, THEREFORE, in consideration of the mutual covenants and conditions contained herein and the continued provision of PHI by Customer to Rewind under the Agreement in reliance on this BAA, the Parties agree as follows:

1. Definitions

1.1 Unless otherwise specified in this BAA, all capitalized terms that are used in this BAA but not otherwise defined have the meanings established for purposes of the Applicable Federal Laws, or, as applicable, the Underlying Agreement. 

1.2 The terms below have the following meanings:

“Applicable Federal Laws” means, collectively, HIPAA and HITECH.

“Affiliate” means a subsidiary or affiliate of Rewind or Customer that is, or has been, considered a covered entity, as defined by HIPAA.

“Breach” means the acquisition, access, use, or disclosure of PHI in a manner not permitted under the Privacy Rule which compromises the security or privacy of the PHI, as defined in 45 CFR §164.402.

“Designated Record Set” has the meaning given to such term under the Privacy Rule, including 45 CFR §164.501.B.

“Electronic Protected Health Information” or “ePHI” means any PHI maintained in or transmitted by electronic media as defined in 45 CFR §160.103.

“HIPAA” means the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations, each, as amended from time to time.

“HIPAA Eligible Services” means the Services specified in Rewind’s HIPAA Configuration Guide (or successor hyperlink), as may be updated from time to time, and associated support excluding those fields identified in Rewind’s HIPAA Configuration Guide.

“HITECH” means the Health Information Technology for Economic and Clinical Health Act, enacted as part of the American Recovery and Reinvestment Act of 2009, and its implementing regulations, each, as amended from time to time.

“Individual” has the same meaning given to that term in 45 CFR §§164.501 and 160.130 and includes a person who qualifies as a personal representative in accordance with 45 CFR §164.502(g).

“PHI” means Protected Health Information, as defined in 45 C.F.R. § 160.103, limited to the Protected Health Information created, received or transmitted from or on behalf of Customer by its Cloud Service Provider, or created, received, maintained, or transmitted on behalf of, Customer by Rewind in the course of providing the HIPAA Eligible Services pursuant to the Underlying Agreement.

“Privacy Rule” means the United States federal privacy regulations issued pursuant to HIPAA, as amended from time to time.

“Security Incident” means any attempted or actual unauthorized access, use, disclosure, or destruction of PHI, or any other event that compromises the security of PHI or system operations.

“Security Rule” means the federal security regulations issued pursuant to HIPAA, as amended from time to time.

“Subscription Term” means the Term as defined in the Underlying Agreement unless terminated earlier pursuant to and in accordance with the terms of the Underlying Agreement.

“Unsecured PHI” means PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary in the guidance issued under § 13402(h)(2) of Public Law 111-5.

2. Applicability of this BAA

2.1 Applicability. This BAA is applicable only to the extent that Customer has (i) an active Subscription Term for HIPAA Eligible Services and the data retention period specified in Rewind’s Data Retention and Disposal of Customer Data policy (“Data Retention Policy”) set out at https://rewind.com/data-retention-policy/ (or successor hyperlink), as may be amended by Rewind from time to time (the “Archival Period”), and (ii) configured such HIPAA Eligible Services in accordance with the specifications provided in Section 5 of this BAA. Customer must not provide PHI to any Services that are not a HIPAA Eligible Service to which this BAA applies. For avoidance of doubt, Customer acknowledges and agrees that this BAA does not apply to:

(a) any Services or support provided by Rewind or its Affiliates other than the HIPAA Eligible Services;

(b) any Third-Party Product that Customer elects to integrate or enable for use with the HIPAA Eligible Services; or

(c) Customer’s own products and services used with any HIPAA Eligible Services.

2.2 Term. The term of this BAA commences on the Effective Date and, subject always to the Archival Period, will terminate automatically upon expiration or earlier termination of the Underlying Agreement in accordance with its terms, unless otherwise terminated earlier pursuant to the terms of this BAA.

2.3 Execution. To the extent this BAA has been pre-signed on behalf of Rewind, for the BAA to be enforceable, Customer must:

(a) complete the signature page below by filling out all required fields and counter-signing;

(b) submit the completed and signed BAA to Rewind as instructed; and

(c) have only a signatory who possesses legal authority to bind Customer into legally enforceable contracts execute this BAA.

Where Customer makes any deletions or other revisions to this BAA, this BAA will be null and void.   

3. Responsibilities of Rewind

3.1 Use and Disclosure. With regard to its use or disclosure of PHI, Rewind agrees to: 

(a) not use or disclose PHI except as permitted or required by this BAA and Rewind’s HIPAA Configuration Guide or as otherwise required by law and, to the extent that Rewind is to carry out any of Customer’s obligations under the Privacy Rule, Rewind will comply with the requirements of the Privacy Rule that apply to Customer in the performance of those obligations;

(b) implement and use appropriate technical, physical and administrative safeguards to prevent use or disclosure of ePHI other than as permitted or required by this BAA and comply with the Security Rule provisions applicable to business associates with respect to ePHI;

(c) report without unreasonable delay to Customer: (i) any use or disclosure of PHI of which it becomes aware that is not permitted by this BAA; or (ii) any Security Incident of which Rewind becomes aware.  Notwithstanding the foregoing, Customer acknowledges that Rewind routinely experiences unsuccessful Security Incidents that do not result in a Breach of Unsecured PHI, such as pings and other broadcast attacks on a firewall, denial of service attacks, port scans, phishing attempts, log-on attempts, interception of encrypted information where the key is not compromised, and other unsuccessful Security Incidents.  Rewind hereby notifies Customer of such unsuccessful Security Incidents, and the Parties acknowledge and agree that no further notice will be required of such unsuccessful Security Incidents;

(d) without unreasonable delay and in no case later than five (5) calendar days after discovery, notify Customer of a Breach of any Unsecured PHI, all in accordance with 45 C.F.R. § 164.410;

(e) in accordance with 45 C.F.R. § 164.502(e)(1)(ii) and 45 C.F.R. § 164.308(b)(2), ensure that any of its subcontractors that create, receive, maintain, or transmit PHI on behalf of Rewind agree, in writing, to restrictions and conditions on the use or disclosure of PHI that are no less restrictive than those that apply to Rewind; including, to the extent that Rewind provides ePHI to a subcontractor, requiring the subcontractor in writing to, where applicable, comply with the Security Rule with respect to that ePHI;

(f) make available its internal practices, books, and records relating to the use or disclosure of PHI to the Secretary of the Department of Health and Human Services (“HHS”) for purposes of determining Customer’s compliance with the Privacy Rule;

(g) within thirty (30) days after receiving a written request from Customer, make available information necessary for Customer to make an accounting of disclosures of PHI about an Individual as provided in 45 C.F.R. § 164.528 and when directed by Customer, make that accounting directly to the Individual; 

(h) mitigate, to the extent practicable, any harmful effect that is known to Rewind of a use or disclosure of PHI by Rewind that is not permitted by this BAA;

(i) if Rewind maintains a Designated Record Set, make available Customer’s PHI as required to enable Customer to fulfill its obligations under the Privacy Rule, including, but not limited to, 45 C.F.R. § 164.524 and 45 C.F.R. § 164.526, subject to the implementation guide as defined in Section 5.2;

(j) request, use or disclose only the minimum amount of PHI necessary to accomplish the purpose of the request, use or disclosure;

(k) not directly or indirectly receive remuneration in exchange for any PHI as prohibited by 45 C.F.R. § 164.502(a)(5)(ii); and   

(l) not make or cause to be made a communication about a product or service that is prohibited by 45 C.F.R. § 164.501 and 45 C.F.R. §164.508(a)(3). 

4. Other Permitted Uses and Disclosures of PHI

4.1 HITECH Act Compliance. The Parties acknowledge that the HITECH Act includes significant changes to the Privacy Rule and the Security Rule. The privacy subtitle of the HITECH Act sets forth provisions that significantly change the requirements for business associates and the agreements between business associates and covered entities under HIPAA and these changes may be further clarified in forthcoming regulations and guidance. Each Party agrees to comply with the applicable provisions of the HITECH Act and any HHS regulations issued with respect to the HITECH Act. The Parties also agree to negotiate in good faith to modify this BAA as reasonably necessary to comply with the HITECH Act and its regulations as they become effective but, in the event that the Parties are unable to reach agreement on such a modification, either Party will have the right to terminate this BAA upon 30 days’ prior written notice to the other Party.

4.2 Other Permitted Uses and Disclosures. Unless otherwise limited in this BAA, in addition to any other uses or disclosures permitted or required by this BAA, Rewind may:

(a) use and disclose to subcontractors the PHI in its possession as necessary to provide the HIPAA Eligible Services to Customer pursuant to the Agreement; 

(b) use and disclose the PHI in its possession for its proper management and administration or to carry out the legal responsibilities of Rewind, provided that any such disclosures are required by law or any third party to which Rewind discloses PHI for those purposes provides written assurances that:

(i) such PHI will be held confidentially and used or further disclosed only as required by law or for the purposes for which it was disclosed to the third party; and

(ii) the third party will notify Rewind of any instances of which it becomes aware the confidentiality of the information has been breached.

5. Obligations of Customer

5.1 Protection of PHI and Unsecured Areas. Rewind and the Customer acknowledge that, due to limitations in the services provided by some of Rewind’s subcontractors, it is crucial for the Customer to follow Rewind’s HIPAA Configuration Guide (or successor hyperlink). Compliance with this guide is required before entering any PHI into any of Rewind’s Services, including HIPAA Eligible Services. The HIPAA Configuration Guide provides detailed information on “Excluded Fields” and the necessary steps to ensure compliance. Excluded Fields are specific fields within HIPAA Eligible Services where PHI must not be entered. Customers are strongly encouraged to read and understand the guide thoroughly to avoid any inadvertent breaches and to maintain the confidentiality, integrity, and security of PHI.

Since the Customer has exclusive control over what information is entered into HIPAA Eligible Services, it is the Customer’s sole responsibility to ensure that PHI is not entered into any Services which are not HIPAA Eligible Services. Additionally, PHI must not be entered into any Excluded Fields as outlined in Rewind’s HIPAA Configuration Guide. Information entered in Excluded Fields is not encrypted and, as a result, is not protected from disclosure. The Customer must remain vigilant and take all necessary precautions to ensure that PHI is not entered into any Services which are not HIPAA Eligible Services and/or into any Excluded Fields. If the Customer enters PHI into any Services which are not HIPAA Eligible Services or into any Excluded Fields, any resulting breach is the Customer’s sole responsibility.

In the event that Customer places PHI in an unsecured area, Customer shall promptly follow the procedures set forth in Section 3 of this Agreement for responding to a Breach of PHI.

5.2 Permissible Requests by Customer. Customer must not request Rewind to access, use, or disclose PHI, nor act in any manner that would not be permissible under HIPAA if done by Customer. Without limiting the foregoing, Customer must not include in the HIPAA Eligible Services any PHI that is subject to a restriction on the use or disclosure of PHI requested by the Individual pursuant to 45 C.F.R. § 164.522 and that may affect Rewind’s use or disclosure of such PHI.

5.3 Encryption. Customer must encrypt all PHI stored in or transmitted using the Services.

5.4 Necessary Consents. Customer warrants that it has obtained any necessary authorizations, consents, and other permissions that may be required under applicable law prior to entering Customer Content, including, without limitation, PHI, in any Cloud Service including, without limitation, in any HIPAA Eligible Services.

5.5 Restrictions on Disclosures. Customer will not agree to any restriction requests or place any restrictions in any notice of privacy practices that would cause Rewind to violate this Agreement or any applicable law.

6. Termination

6.1 Termination.  If either Party knows of a pattern of activity or practice of the other Party that constitutes a material Breach or violation of this BAA then the non-breaching Party must provide notice of such Breach or violation to breaching Party.  Such notice must clearly specify the nature of the Breach or violation.  If, after a reasonable time period, which will not be less than 30 days, following the notice to breaching Party, the breaching Party has not cured the Breach or ended the violation, the non-breaching Party may terminate this BAA.

6.2 Effect of Expiration or Earlier Termination.  Within sixty (60) days after the expiration or earlier termination of this BAA, Rewind must return or destroy all PHI, including all PHI in possession of Rewind’s subcontractors, if feasible to do so. According to Rewind’s data retention policy, automatic deletions occur after ninety (90) days for inactive accounts. If destruction of the PHI is not feasible, Rewind must extend any and all protections, limitations and restrictions contained in this BAA to Rewind’s use or disclosure of any PHI retained after the termination or expiration of this BAA, and limit any further uses or disclosures solely to the purposes that make return or destruction of the PHI infeasible.  

7. Miscellaneous

7.1 Construction of Terms.  To the extent they are not clear, the terms of this BAA are to be construed to allow for compliance by the Parties with HIPAA implementing regulations as applicable and as promulgated and amended from time to time.

7.2 No Third Party Beneficiaries.  Nothing in this BAA confers upon any person other than the Parties and their respective successors or assigns, any rights, remedies, obligations, or liabilities whatsoever.

7.3 Survival.  Sections 3.1(d), 3.1(g), 6.2, and 7.1 through 7.7 survive the expiration, or the termination for any reason, of this BAA.

7.4 Notice. Notices to Customer as required under this BAA must be made in accordance with the applicable provisions in the Underlying Agreement. Notices to Rewind as required under this BAA must be in writing to the addresses set forth below: 

Rewind Software Inc.

333 Preston Street, Suite 200

Ottawa, ON, K1S 5N4

Attn: Privacy Officer

With copy to: 

legal@rewind.com

7.5 Relationship to the Agreement.

(a) Except for the changes made by this BAA, the Underlying Agreement remains unchanged and in full force and effect. If there is any conflict between the provisions of this BAA and the provisions of the Underlying Agreement, the provisions of this BAA prevail over the provisions of the Agreement only to the extent of that conflict in connection with the use or disclosure of PHI to the HIPAA Eligible Services; in all other cases, the provisions of the Underlying Agreement prevail over the provisions of this BAA.

(b) Notwithstanding anything to the contrary in the Underlying Agreement or this BAA, the liability of each Party and each Party’s Affiliates under this BAA is subject to the exclusions and limitations of liability set out in the Agreement. 

7.6 Claims. Any claims against Rewind or its Affiliates under this BAA may only be brought by the Customer entity that is a party to the Underlying Agreement against the Rewind entity that is a party to the Agreement.

7.7 Governing Law. This BAA will be governed by and construed in accordance with governing law and jurisdiction provisions in the Underlying Agreement, unless required otherwise by Applicable Federal Laws.

version date: 16 January 2025