Business Associate Addendum
This Business Associate Addendum (“BAA”) forms a part of Customer’s Agreement with GoTo and is subject to its terms. It supersedes all obligations contained in the Agreement (including the DPA) to the extent of any conflict and applies solely with respect to GoTo’s Processing of Protected Health Information. This BAA is effective on the date of last signature below (“Effective Date”).
WHEREAS, GoTo has contracted to provide certain Services to Customer under the Agreement; and
WHEREAS, Customer intends to use the Services in a way that may require GoTo to Process Protected Health Information through the Services; and
WHEREAS, to the extent applicable, the Parties are committed to complying with their obligations under the Health Insurance Portability and Accountability Act of 1996, as amended by the Health Information Technology for Economic and Clinical Health Act, Pub. L. 111-5 (“HIPAA”), which may be further amended from time to time.
NOW, THEREFORE, this BAA sets forth the terms and conditions pursuant to which Protected Health Information, including Electronic Protected Health Information, will be handled. The Parties agree as follows:
- Definitions
- 1.1 General Definitions. All defined terms appearing in this BAA not otherwise defined in the Agreement (including the DPA) shall have the same meaning as those terms in the HIPAA Rules.
- 1.2 Specific Definitions. For purposes of this BAA, the following terms have the indicated meanings whenever the term appears with initial upper-case letters:
- 1.2.1 “Breach” means the acquisition, access, use or disclosure of PHI in a manner not permitted by HIPAA which compromises the security or privacy of the PHI unless such acquisition, access, use or disclosure is otherwise excluded under 45 C.F.R. § 164.402.
- 1.2.2 “Business Associate” has the same meaning as the term is defined in 45 C.F.R. § 160.103.
- 1.2.3 “Covered Entity” means the same as the term is defined in 45 C.F.R. § 164.103.
- 1.2.4 “Designated Record Set” means a group of records maintained by or for Customer within the meaning of 45 C.F.R. § 164.501 that consists of: (i) the enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or (ii) records that are used, in whole or in part, by or for the Customer to make decisions about Individuals. For purposes of this section, the term “record” means any item, collection or grouping of information that includes PHI and is maintained, collected, used or disseminated by or for the Covered Entity.
- 1.2.5 “Electronic PHI or ePHI” means PHI in electronic form.
- 1.2.6 “HIPAA Rules” mean the Privacy, Security, Breach Notification, and Enforcement Rules at 45 C.F.R. Part 160 and Part 164.
- 1.2.7 “Individual” has the same meaning as the term as defined in 45 C.F.R. § 160.103 and includes a person who qualifies as a personal representative in accordance with 45 C.F.R. § 164.502(g).
- 1.2.8 “Privacy Rule” means the Standards for Privacy of Individually Identifiable Health Information at 45 C.F.R. Part 160 and Part 164, Subparts A and E.
- 1.2.9 “Protected Health Information” or “PHI” has the same meaning as the term is defined in 45 C.F.R. § 160.103, limited to such information provided by Customer to GoTo under the Agreement.
- 1.2.10 “Required by Law” has the same meaning as the term is defined in 45 C.F.R. § 164.103.
- 1.2.11 “Secretary” means the Secretary of the United States Department of Health and Human Services (“HHS”) or their designee.
- 1.2.12 “Security Rule” means the Security Standards at 45 C.F.R. Part 160, Part 162, and Part 164.
- 1.2.13 “Services” means the functions, activities or services to be provided to Customer by GoTo under the terms of the Agreement.
- Roles of the Parties. To the extent that GoTo processes PHI, (i) GoTo is a Business Associate to Customer; and (ii) Customer is either a Covered Entity or a higher-level Business Associate. If Customer is a higher-level Business Associate, then as between the parties, Customer is responsible for fulfilling the obligations of the Covered Entity set forth in this BAA, or causing them to be fulfilled, as applicable.
- Permitted Uses and Disclosures of PHI.
- 3.1 GoTo may use or disclose PHI as reasonably necessary to provide Services to Customer and as otherwise Required by Law.
- 3.2 GoTo may use PHI for its proper management and administration and to carry out its legal obligations. GoTo may also disclose PHI for its proper management and administration or to carry out its legal obligations, provided that (i) the disclosures are Required by Law; or (ii) GoTo obtains (a) reasonable assurances from the recipient of the PHI that the PHI will remain confidential and be used or further disclosed only as Required by Law or for the purpose for which the PHI was disclosed to it, and (b) the recipient agrees to notify GoTo of any instances of which it becomes aware in which the confidentiality of the PHI has been breached.
- 3.3 GoTo may deidentify the PHI in accordance with 45 C.F.R. § 164.514 (a)-(c) and use and disclose such information for GoTo’s legitimate business purposes. Deidentified information no longer constitutes PHI and is not subject to this BAA.
- GoTo Obligations.
GoTo shall:
- 4.1 Not use or disclose PHI other than as permitted by the Agreement or as Required by Law.
- 4.2 Request, use and disclose the minimum PHI necessary to achieve the intended business purpose.
- 4.3 Not use or disclose PHI in a manner that would violate Subpart E of 45 C.F.R. Part 164 if done by Customer, except for the uses and disclosures set forth in Sections 3.2 and 3.3.
- 4.4 Maintain appropriate administrative, physical and technical safeguards in accordance with Subpart C of the Security Rule (45 C.F.R. Part 164) to prevent use or disclosure of PHI other than as provided in this Agreement.
- 4.5 Report to Customer any use or disclosure of PHI not provided for by the Agreement or any Security Incident of which it becomes aware. Customer acknowledges that GoTo routinely experiences “Unsuccessful Security Incidents,” such as pings and other broadcast attacks on GoTo’s firewall, port scans, unsuccessful log-on attempts, phishing attempts, denials of service, and any combination of the above, that do not result in the unauthorized access, use or disclosure of PHI. GoTo hereby notifies Customer of such Unsuccessful Security Incidents, and Customer agrees that no additional notice from GoTo is required.
- 4.6 Use reasonable efforts to mitigate, to the extent practicable, any harmful effect arising from any use or disclosure of PHI by GoTo that is not permitted by the Agreement.
- 4.7 Notify Customer of any Breach of Unsecured PHI without unreasonable delay, and in all cases within the timeframes set forth in 45 C.F.R. § 164.410. GoTo’s notification to Customer under this Section shall include, to the extent possible, the information contained in 45 C.F.R. § 164.404 (c) (1) (A)-(D), contact information to which Customer may address inquiries, and the identification of each Individual whose Unsecured PHI has been, or is reasonably believed by GoTo to have been, accessed, acquired, used, or disclosed during the Breach. GoTo shall promptly update its notification to Customer if any of the foregoing information becomes available to GoTo following its initial notification.
- 4.8 Solely to the extent that GoTo maintains a Designated Record Set on behalf of the Customer that is the only copy of such PHI and where Customer is unable to complete the request without GoTo’s assistance, GoTo shall, on written request of Customer (i) provide access to PHI to Customer in the timeframes set forth in 45 C.F.R. § 164.524; and (ii) make any amendment(s) to PHI in a Designated Record Set that Customer directs or agrees to in the timeframes set forth in 45 C.F.R. § 164.526, or take other measures necessary to satisfy Customer’s obligations under 45 C.F.R. § 164.526.
- 4.9 Maintain and make available the information required to provide an accounting of disclosures to Customer as necessary to satisfy Customer (or the relevant Covered Entity if not Customer) under 45 C.F.R. § 164.528.
- 4.10 Require subcontractors that create, receive, maintain, or transmit PHI on behalf of GoTo to agree to the same restrictions, conditions, and requirements that apply to GoTo with respect to such information, in accordance with 45 C.F.R. §§ 164.502 (e) (1) (ii) and 164.308 (b) (2), if applicable.
- 4.11 Upon request by the Secretary, make available to HHS its internal practices, books, and records relating to GoTo’s use and disclosure of PHI for purposes of determining the Parties’ compliance with the HIPAA Rules; and
- 4.12 To the extent GoTo’s Services require it to carry out one or more of Customer's obligations under Subpart E of 45 C.F.R. Part 164, comply with the requirements of Subpart E that apply to Customer in the performance of such obligation(s).
- Customer Obligations
- 5.1 Customer shall:
- 5.1.1 Disclose to GoTo only the minimum amount of PHI reasonably necessary to accomplish the intended purpose under the Agreement.
- 5.1.2 Not request GoTo to use or disclose PHI in any manner that would not be permissible under the HIPAA Rules if done by Customer.
- 5.1.3 Notify GoTo of any limitation(s) in its notice of privacy practices in accordance with 45 C.F.R. § 164.520, to the extent that this limitation may affect GoTo’s use or disclosure of PHI in accordance with this Agreement. GoTo will use commercially reasonable efforts to comply with such limitations.
- 5.1.4 Notify GoTo of any changes in, or revocation of, permission by an Individual to use or disclose PHI, to the extent that such changes may affect GoTo's use or disclosure of PHI in accordance with this Agreement. GoTo agrees to comply with those changes in, or revocation of, permission communicated by Customer, to the extent practicable under the Agreement.
- 5.1.5 Notify GoTo of any restriction on the use or disclosure of PHI that Customer has agreed to in accordance with 45 C.F.R. § 164.522, to the extent that those restrictions may affect GoTo’s use or disclosure of PHI in accordance with this Agreement. GoTo shall comply with any restrictions communicated by Customer, to the extent practicable under the Agreement and applicable law.
- 5.2 Customer is solely responsible for (i) its compliance with HIPAA; (ii) using the Services only in a manner that complies with HIPAA; and (iii) ensuring that it has sufficient rights to disclose PHI to GoTo and/or to cause GoTo to Process PHI as contemplated under the Agreement, including, without limitation, obtaining and maintaining all required consents or authorizations.
- Term and Termination
- 6.1 Automatic Termination. This BAA will automatically terminate without further action of the Parties upon (i) termination or expiration of the Agreement; or (ii) completion of GoTo’s provision of Services to Customer requiring the Processing of PHI, whichever first occurs.
- 6.2 Termination for Cause. If either Party becomes aware of a material breach of this BAA by the other Party, the non-breaching Party shall provide written notice to the breaching Party setting forth the nature of the breach and providing 30 days to cure. The non-breaching Party may terminate this BAA, or, at its election, the Agreement, if the breaching Party has not cured the breach to the satisfaction of the non-breaching Party, or if cure is not possible. If Customer is the breaching Party, Customer shall immediately cease providing PHI to, or causing GoTo to Process PHI via, the Services. This provision is in addition to the termination provisions of the Agreement.
- 6.3 Effect of Termination.
- 6.3.1 Upon termination or expiration of this BAA or of the Agreement for any reason, GoTo shall return or destroy all PHI pursuant to 45 C.F.R. § 164.504 (e) (2) (ii) (J) if it is reasonably feasible to do so. If GoTo determines that the foregoing is not feasible, GoTo shall (i) inform Customer of the reasons supporting its determination; and (ii) extend any and all protections, limitations and restrictions contained in this BAA to any PHI retained after the termination of this Agreement until such time as the PHI is returned to Customer or destroyed.
- 6.3.2 Notwithstanding Section 6.4.1, following termination of this BAA or the Agreement for any reason, GoTo may retain all PHI that is necessary for its own management and administration or to carry out its legal responsibilities; provided that GoTo shall not use such PHI for any other purpose and shall extend any and all protections, limitations and restrictions contained in this BAA to any PHI retained after the termination of this Agreement until such time as the PHI is no longer needed for this purpose. GoTo shall comply with the provisions of Section 6.4.1.
- Miscellaneous
- 7.1 Survival. The respective rights and obligations of GoTo and Customer under the provisions of Sections 4.3, 4.5, and 4.9; Sections 6.3.1 and 6.3.2 and Section 7, shall survive termination of this Agreement until such time as the PHI is returned to Customer or destroyed.
- 7.2 Amendments. In addition to the amendments provision in the Agreement, the Parties agree to take such action as is necessary to amend this BAA from time to time as is necessary to comply with the requirements of the HIPAA Rules.
- 7.3 No Third-Party Beneficiaries. Nothing express or implied in this Agreement is intended to confer, nor shall anything herein confer, upon any person other than the Parties and the respective successors or assigns of the Parties, any rights, remedies, obligations, or liabilities whatsoever.
- 7.4 Regulatory References. A reference in this BAA to a section in the HIPAA Rules means the section as in effect or as amended.
- 7.5 Interpretation. Any ambiguities in this BAA shall be resolved in a manner that allows the Parties to comply with the HIPAA Rules.
Last Updated: November 2024 (2024.v1.0)