HIPAA Business Associate Agreement for Reveo “Covered Entity” Customers
These Standard HIPAA Business Associate Agreement Terms and Conditions (“HIPAA Addendum”) shall be incorporated into the Master Service Agreement for Customers that are Covered
Entities (as defined below) that provide Protected Health Information (“PHI”) (as defined below) to Reveo in connection with the Reveo for Local Business and Enterprise services they have
purchased. These terms supplement the purchase agreement between Reveo and Customers
(“Underlying Agreement”) in order to comply with the federal Standards for Privacy of Individually
Identifiable Health Information, located at 45 C.F.R. Part 160 and Part 164, Subparts A through E
(“Privacy Rule”) and the Health Information Technology for Economic and Clinical Health Act, Public
Law 111-005 (the “HITECH Act”).
1. CATCH-ALL DEFINITIONS. The following terms used in this Agreement shall have the same
meaning as those terms in the HIPAA Rules: Breach, Data Aggregation, Designated Record Set,
Disclosure, Health Care Operations, Individual, Minimum Necessary, Notice of Privacy Practices,
Protected Health Information, Required by Law, Secretary, Security Incident, Subcontractor,
Unsecured Protected Health Information, and Use.
2. SPECIFIC DEFINITIONS. Terms used, but not otherwise defined, in this HIPAA Addendum shall
have the same meaning as those terms in the Privacy Rule or the HITECH Act.
A. “Breach” shall have the same meaning given to such term under 42 U.S.C. § 17921.
B. “Business Associate” shall generally have the same meaning as the term “business associate” at
45 CFR 160.103, and in reference to the party to this agreement, shall mean Reveo.
C. “Covered Entity” shall generally have the same meaning as the term “covered entity” at 45 CFR
160.103, and in reference to the party to this agreement, shall mean [Insert Name of Covered
D. “HIPAA Rules” shall mean the Privacy, Security, Breach Notification, and Enforcement Rules
at 45 CFR Part 160 and Part 164.
E. “Individual” shall have the same meaning as the term “individual” in 45 C.F.R. §160.103 and
shall include a person who qualifies as a personal representative in accordance with 45 C.F.R. §
F. “Protected Health Information” or “PHI” shall have the same meaning as the term “protected
health information” in 45 C.F.R. § 160.103, limited to the information created or received by
Business Associate from or on behalf of the Covered Entity.
G. “Required by Law” shall have the same meaning as the term “required by law” in 45 C.F.R.
H. “Unsecured PHI” shall have the same meaning given to such term under the HITECH Act and
any guidance issued pursuant to this act.
3. OBLIGATIONS AND ACTIVITIES OF BUSINESS ASSOCIATE
Reveo agrees to:
3.1 Use and Disclosure of PHI: Reveo shall not use or disclose PHI other than as permitted
or required by this HIPAA Addendum or as Required by Law. Reveo shall not use or disclose
PHI for fundraising or marketing purposes. Reveo shall not directly or indirectly receive
remuneration in exchange for PHI, except with the prior written consent of Covered Entity and as
permitted by the HITECH Act; however, this prohibition shall not affect payment by Covered Entity
to Reveo for services provided pursuant to the Underlying Agreement.
3.2 Safeguards: Reveo shall use appropriate safeguards, and comply with Subpart C of 45
CFR Part 164 with respect to electronic PHI, to prevent use or disclosure of PHI other than as
provided for by the Agreement.
3.3 Mitigation: Reveo shall mitigate, to the extent practicable, any harmful effect that is
known to Reveo of a use or disclosure of PHI by Reveo in violation of the
requirements of this HIPAA Addendum.
3.4 Reporting: Reveo shall report to Covered Entity any use or disclosure of PHI not
provided for by the Agreement of which it becomes aware, including breaches of unsecured PHI as
required at 45 CFR 164.410, and any security incident of which it becomes aware;
Check all that apply:
[ ] Business Associate will notify Covered Entity of the breach within thirty (30) business days
[ ] Business Associate will notify patient of the breach
[ ] Business Associate will notify HHS Office for Civil Rights of breach
3.5 Disclosure to Agents and Subcontractors: In accordance with 45 CFR 164.502(e)(1)(ii) and
164.308(b)(2), if applicable, ensure that any subcontractors that create, receive, maintain, or transmit
PHI on behalf of Reveo agree to the same restrictions, conditions, and requirements that
apply to Reveo with respect to such information.
3.6 Designated Record Set: Reveo shall provide access, at the request of Covered Entity, to
PHI in a Designated Record Set in order to meet the requirements under 45 C.F.R. § 164.524.
Business Associate will forward requests for access to the designated record set to Covered Entity
within thirty (30) days OR Business Associate will respond to requests for access to the designated
record set within thirty days (per the applicability). If Business Associate is unable to respond
to a request for access, the Business Associate will notify the requesting party.
3.7 Internal Practices, Policies and Procedures: Reveo shall make its internal
practices, books, and records, including policies and procedures and PHI, relating to the use and
disclosure of PHI received from, or created or received by Reveo on behalf of, Covered Entity
available to the Covered Entity and to the Secretary of Health and Human Services (“Secretary”) for
purposes of the Secretary determining Covered Entity’s compliance with the Privacy Rule and the
3.8 Accounting for Disclosures: Reveo agrees to maintain the information required to
provide an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528 and to make this
information available to the Covered Entity upon the Covered Entity’s request in order to allow the
Covered Entity to respond to an Individual’s request for accounting of disclosures.
3.9 Security Obligations: Reveo shall implement appropriate safeguards as are necessary to
prevent the use or disclosure of PHI otherwise than as permitted by the Underlying Agreement or this
HIPAA Addendum including, but not limited to, administrative, physical, and technical safeguards
that reasonably and appropriately protect the confidentiality, integrity, and availability of the Covered
Entity’s electronic PHI as required by 45 C.F.R. Sections 164.308, 164.310, and 164.312, as amended
from time to time. Reveo shall ensure that any agent, including a subcontractor, to whom it
provides such electronic PHI, agrees to implement reasonable and appropriate safeguards to protect it.
Reveo shall comply with the policies and procedures and document requirements of the
Privacy Rule including, but not limited to, 45 C.F.R. Section 164.316. Reveo agrees to report
promptly to the Covered Entity any security incident of which it becomes aware.
3.10 Breach Pattern or Practice by Covered Entity: If Reveo knows of a pattern of activity
or practice of the Covered Entity that constitutes a material breach or violation of the Covered
Entity’s obligations under the HIPAA Addendum, Reveo must take reasonable steps to cure
the breach or end the violation. If the steps are unsuccessful, Reveo must terminate the
Underlying Agreement, if feasible, or if termination is not feasible, report the problem to the
4. PERMITTED USES AND DISCLOSURES BY Reveo
4.1 Permitted Uses and Disclosures: Except as otherwise limited in this HIPAA Addendum, Reveo may use or disclose PHI to perform functions, activities, or services for or on behalf of the
Covered Entity as specified in the Underlying Agreement, provided that such use or disclosure would not
violate the Privacy Rule including, but not limited to, each applicable requirement of 45 C.F.R. §
164.504(e) and the HITECH Act if done by the Covered Entity.
4.2 Use for Management and Administration: Except as otherwise limited in this HIPAA
Addendum, Reveo may use PHI for the proper management and administration of Reveo or to carry out the legal responsibilities of Reveo.
4.3 Disclosure for Management and Administration: Except as otherwise limited in this HIPAA
Addendum, Reveo may disclose PHI for the proper management and administration of
Reveo, provided that disclosures are Required by Law or Reveo obtains reasonable
assurances from the person to whom the information is disclosed that it will remain confidential, and
used or further disclosed only as Required by Law or for the purpose for which it was disclosed to the
person, and the person notifies Reveo of any instances of which it is aware in which the
confidentiality of the information has been breached.
4.5 Minimum Necessary: Reveo (and its agents or subcontractors) shall request, use, and
disclose only the minimum amount of PHI necessary to accomplish the purpose of the request, use, or
disclosure. Reveo understands and agrees that the definition of “minimum necessary” is
subject to change from time to time and shall keep itself informed of guidance issued by the Secretary
with respect to what constitutes “minimum necessary.”
4.6 Data Aggregation: Except as otherwise limited in this HIPAA Addendum, Reveo may
use PHI to provide Data Aggregation services related to health care operations to the Covered Entity
as permitted by 45 C.F.R. §164.504(e)(2)(i)(B).
4.7 Report Violations of Law: Reveo may use PHI to report violations of law to appropriate
Federal and State authorities consistent with 45 C.F.R. §164.502(j)(1).
5. PROVISIONS FOR COVERED ENTITY TO INFORM BUSINESS ASSOCIATE OF
PRIVACY PRACTICES AND RESTRICTIONS
5.1 Notice of Privacy Practices: The Covered Entity shall notify Reveo of any limitation(s)
in the notice of privacy practices of the Covered Entity under 45 C.F.R. § 164.520, to the extent that
such limitations may affect Reveo’s use or disclosure of PHI.
5.2 Changes in Permission: The Covered Entity shall notify Reveo of any changes in, or
revocation of, permission by an Individual to use or disclose his or her PHI, to the extent that such
changes may affect Reveo’s use or disclosure of PHI.
5.3 Notification of Restrictions: The Covered Entity shall notify Reveo of any restriction to
the use or disclosure of PHI that Covered Entity has agreed to or is required to abide by under 45
C.F.R. § 164.522, to the extent that such restriction may affect Reveo’s use or disclosure of
5.4 Permissible Requests by Covered Entity: The Covered Entity shall not request Reveo
to use or disclose PHI in any manner that would not be permissible under the Privacy Rule and the
HITECH Act if done by Covered Entity. Exceptions apply if certain provisions are made: data aggregation,
management and administration, and legal responsibilities of Reveo (one or more may apply).
6. TERM AND TERMINATION
6.1 Term: The Term of this HIPAA Addendum shall be effective as of the first day that the Covered
Entity provides PHI to Reveo and shall terminate when all of the PHI provided by the
Covered Entity to Reveo, or created or received by Reveo on behalf of the Covered
Entity, is destroyed or returned to the Covered Entity, or if it is infeasible to return or destroy PHI,
protections are extended to such information in accordance with the termination provisions in this
6.2 Termination for Cause: Reveo authorizes termination of this Agreement by the Covered
Entity, if the Covered Entity determines Reveo has violated a material term of the Agreement:
A. Provide 60 days’ advance written notice specifying the nature of the breach or violation to
Reveo. Reveo shall have 60 days from the date of the notice in which to remedy
the breach or violation. If such corrective action is not taken within the time specified, this
HIPAA Addendum and the Underlying Agreement shall terminate at the end of the 60-day
period without further notice or demand.
B. Immediately terminate this HIPAA Addendum and the Underlying Agreement if Reveo has breached a material term of this HIPAA Addendum and cure is not possible.
C. Report the violation to the Secretary if neither cure of the breach nor termination of this
HIPAA Addendum and the Underlying Agreement is feasible.
6.3 Obligation of Reveo Upon Termination:
A. Upon termination of this HIPAA Addendum or the Underlying Agreement, for any reason,
Reveo shall return or destroy all PHI received from Covered Entity, or created, maintained,
or received by Reveo on behalf of Covered Entity. This provision shall apply to PHI that
is in the possession of subcontractors or agents of Reveo. Reveo shall retain no
copies of the PHI.
B. Upon termination of this Agreement for any reason, Reveo, with respect to PHI
received from Covered Entity, or created, maintained, or received by Reveo on behalf of
the Covered Entity, shall:
1. Retain only that PHI which is necessary for Reveo to continue its proper
management and administration or to carry out its legal responsibilities;
2. Return to the Covered Entity [or, if agreed to by covered entity, destroy] the remaining
PHI that Reveo still maintains in any form;
3. Continue to use appropriate safeguards and comply with Subpart C of 45 CFR Part 164
with respect to electronic PHI to prevent use or disclosure of the PHI, other than as provided
for in this Section, for as long as Reveo retains the PHI;
4. Not use or disclose the PHI retained by Reveo other than for the purposes for
which such PHI was retained and subject to the same conditions set out at which applied
prior to termination;
5. Return to Covered Entity [or, if agreed to by covered entity, destroy] the PHI retained by
Reveo when it is no longer needed by Reveo for its proper management and
administration or to carry out its legal responsibilities.
C. In the event that Reveo determines that returning or destroying PHI is not feasible,
Reveo shall notify Covered Entity in writing of the conditions that make return or
destruction infeasible. If return or destruction of the PHI is infeasible, Reveo shall extend
the protections of this HIPAA Addendum to such PHI and limit further uses and disclosures of
such PHI to those purposes that make the return or destruction infeasible, for so long as Reveo maintains such PHI.
7. MISCELLANEOUS IN ADDITION TO TERMS AND CONDITIONS
7.1 Regulatory References: A reference in this HIPAA Addendum to a section in the Privacy Rule
or the HITECH Act means the section as in effect or as amended.
7.2 No Third Party Beneficiaries: Nothing in this HIPAA Addendum shall be considered or
construed as conferring any right or benefit on a person not party to this HIPAA Addendum nor
imposing any obligations on either Party hereto to persons not a party to this HIPAA Addendum.
7.3 Amendments: Reveo reserves the right to change the terms and conditions of this HIPAA
Addendum at any time. Reveo will notify the Covered Entity of any material changes to this
HIPAA Addendum by sending the Covered Entity an e-mail to the last e-mail address the Covered
Entity provided to Reveo or by prominently posting notice of the changes on Reveo’s
website. Any material changes to this HIPAA Addendum will be effective upon the earlier of thirty
(30) calendar days following Reveo’s dispatch of an e-mail notice to the Covered Entity or
thirty (30) calendar days following Reveo’s posting of notice of the changes on its website.
These changes will be effective immediately for new Reveo Clients. Please note that at all
times the Covered Entity is responsible for providing Reveo with its most current e-mail
address. In the event that the last e-mail address that the Covered Entity has provided Reveo is
not valid, or for any reason is not capable of delivering to the Covered Entity the notice described
above, Reveo’s dispatch of the e-mail containing such notice will nonetheless constitute
effective notice of the changes described in the notice. If the Covered Entity does not agree with the
changes to this HIPAA Addendum, the Covered Entity must notify Reveo prior to the
effective date of the changes that the Covered Entity wishes to terminate its subscription to the
applicable Reveo services. Continued use of the Reveo services following notice of
such changes shall indicate the Covered Entity’s acknowledgement of such changes and agreement to
be bound by the terms and conditions of such changes.
7.4 Interpretation: The provisions of this HIPAA Addendum shall prevail over the provisions of
any other agreement that exists between the Parties that may conflict with, or appear inconsistent
with, any provision of this HIPAA Addendum, the Privacy Rule or the HITECH Act.
7.5 No Third Party Beneficiaries: The Business Associate and Covered Entity do not intend, nor
does anything expressed or implied in this Agreement intend to confer, upon any person other than
the Business Associate and Covered Entity and their respective successors or assigns, any rights,
remedies, obligations or liabilities whatsoever.
7.6 Independent Contractor: The Business Associate is performing services pursuant to the
Agreement and for all purposes hereunder, the Business Associate’s status shall be that of an