This Addendum (the “BAA”) is incorporated by reference into the terms of the CandidPro Agreement (the “Services Agreement”) signed by Candid and the CandidPro Provider pertaining to the Services provided by Candid to the CandidPro Provider. Capitalized terms not otherwise defined herein have the meaning ascribed to such terms in the HIPAA privacy and security laws and regulations, as amended, including the HITECH Act.
1. Applicability. This BAA applies to CandidPro Provider and Candid with respect to PHI provided to Candid by or on behalf of CandidPro Provider (including by CandidPro Provider end users) in connection with the Services. This BAA is intended to comply with the requirement to have a business associate agreement in 45 CFR 164.502(e) and other applicable rules. The parties agree to promptly revise this BAA to comply with changes in legal requirements.
2. Permitted Use and Disclosure of PHI.
a. Except as otherwise stated in this BAA, Candid may use and disclose PHI only (i) as permitted or required by the Services Agreement and/or this BAA or (ii) as Required by Law. Candid is permitted to deidentify the PHI. Candid will comply with the minimum necessary requirements in any use or disclosure.
b. Candid may use and disclose PHI for its proper management and administration and to carry out its legal responsibilities, provided that any disclosure of PHI for such purposes may only occur if (i) Required by Law; or (ii) Candid obtains written reasonable assurances from the person to whom PHI will be disclosed that it will be held in confidence, used only for the purpose for which it was disclosed, and that Candid will be notified of any Breach or Security Incident.
3. CandidPro Provider Obligations. CandidPro Provider will not request that Candid use or disclose PHI in any manner that would not be permissible under HIPAA if done by CandidPro Provider (unless expressly permitted under HIPAA for a Business Associate). CandidPro Provider will promptly notify Candid of any new or additional restrictions to be imposed on CandidPro Provider’s PHI, and of any revocations of permission by any individual with respect to use or disclosure of PHI.
4. Appropriate Safeguards. Candid will use appropriate administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of PHI it receives, maintains, processes or transmits for the CandidPro Provider.
5. Reporting and Related Obligations.
a. Candid will promptly notify CandidPro Provider of (i) any Security Incident of which Candid becomes aware, subject to Section 5(c); and (ii) any Breach that Candid discovers, provided that any notice for Breach will be made promptly and without unreasonable delay, and in no case later than 60 calendar days after discovery. Notifications made under this section will describe, to the extent reasonably possible, details of a Breach, including steps taken to mitigate the potential risks and steps Candid recommends CandidPro Provider take to address the Breach. Candid will reasonably cooperate with the CandidPro Provider in investigation of any Breach.
b. Candid will send any applicable notifications to the notification email address provided by CandidPro Provider in the Services Agreement or via direct communication with CandidPro Provider.
c. Notwithstanding Section 5(a), this Section 5(c) will be deemed as notice to CandidPro Provider that Candid periodically receives unsuccessful attempts for unauthorized access, use, disclosure, modification, or destruction of information, or interference with the general operation of Candid’s systems and the Services. CandidPro Provider acknowledges and agrees that even if such events constitute a Security Incident, Candid will not be required to provide any notice under this BAA regarding such unsuccessful attempts other than this Section 5(c).
6. Subcontractors. Candid will take appropriate measures to ensure that any Subcontractors used by Candid to perform its obligations under the Services Agreement that require access to PHI on behalf of Candid are bound by written obligations that provide the same material level of protection for PHI as this BAA. To the extent Candid uses Subcontractors in its performance of obligations hereunder, Candid will remain responsible for their performance as if performed by Candid.
7. Access and Amendment. Candid will make PHI in its possession available in a manner sufficient to meet CandidPro Provider’s obligations under 45 CFR 164.524, and amend such PHI in order to satisfy CandidPro Provider’s obligations under 45 CFR 164.526.
8. Accounting of Disclosures. Candid will document disclosures of PHI by Candid and provide an accounting of such disclosures to CandidPro Provider as and to the extent required of a Business Associate under HIPAA.
9. Access to Records. To the extent required by law, and subject to all applicable legal privileges, Candid will make its internal practices, books, and records concerning the use and disclosure of PHI received from CandidPro Provider, or created or received by Candid on behalf of CandidPro Provider, available to the Secretary of the U.S. Department of Health and Human Services (the “Secretary”) for the purpose of the Secretary determining compliance with this BAA.
10. Expiration and Termination.
a. This BAA will terminate on the earlier of (i) a permitted termination in accordance with Section 10(b), or (ii) the expiration or termination of the Services Agreement.
b. If either party materially breaches this BAA, the non-breaching party may terminate this BAA on 10 days’ written notice to the breaching party unless the breach is cured within the 10-day period. If a cure under this Section 10(b) is not reasonably possible, the non-breaching party may immediately terminate this BAA, or if neither termination nor cure is reasonably possible under this Section 10(b), the non-breaching party may report the violation to the Secretary, subject to all applicable legal privileges.
11. Return/Destruction of Information. On termination of the Services Agreement, Candid will return or destroy all PHI received from CandidPro Provider, or created or received by Candid on behalf of CandidPro Provider; provided, however, that if such return or destruction is not feasible, Candid will extend the protections of this BAA to the PHI not returned or destroyed and limit further uses and disclosures to those purposes that make the return or destruction of the PHI infeasible.
12. Miscellaneous.
a. Survival. Sections 11 (Return/Destruction of Information) and 12 (Miscellaneous) will survive termination or expiration of this BAA.
b. Effects of Addendum. To the extent this BAA conflicts with the remainder of the Services Agreement, this BAA will govern. This BAA is subject to the CandidPro Provider Terms and Conditions, including, without limitation, the sections relating to “Governing Law,” “Dispute Resolution” and “Limitation of Liability.” Except as expressly modified or amended under this BAA, the terms of the Services Agreement remain in full force and effect.
Last Updated: 06/15/2025