Business Associate Agreement
Article 1 - Definitions. For purposes of this BAA:
(b) "BAA" means this Business Associate Agreement.
(c) The following terms used in this BAA shall have the same meaning as those terms under HIPAA: Breach; Business Associate; Designated Record Set; HITECH Act; and Unsecured PHI.
(d) "Epocrates" means Epocrates, Inc., an athenahealth company.
(e) "HIPAA" means the Health Insurance Portability and Accountability Act of 1996, and associated regulations, as they may be amended from time to time.
(f) "PHI" means "protected health information" as that term is used under HIPAA.
(g) "Privacy Rule" means the privacy standards in 45 C.F.R. Part 160 and Part 164, subparts A and E.
(h) "Security Rule" means the Security Standards in 45 C.F.R. Part 160 and Part 164, subparts A and C.
(i) "User" means the end-user who has registered or subscribed to the Services (as defined in the Agreement).
(j) "User PHI" means PHI that Epocrates receives from the User through its use of the Services.
Article 2 - Epocrates' Duties. Epocrates will:
(a) not use or disclose User PHI except (i) as required or permitted by law, (ii) as permitted under the terms of the Agreement or any permission of User under the Agreement, or (iii) as incidental under HIPAA to another permitted use or disclosure;
(b) use reasonable and appropriate safeguards to prevent use or disclosure of User PHI other than as provided in the Agreement;
(c) implement administrative, physical, and technical standards in accordance with the Security Rule to protect the confidentiality, integrity, and availability of User PHI in electronic form ("EPHI");
(d) not use or disclose User PHI in a manner that Epocrates knows would violate the requirements of HIPAA if done by User;
(e) mitigate, to the extent practicable, any harmful effect of a use or disclosure of User PHI by Epocrates that is known to Epocrates to be in violation of the requirements of the Agreement;
(f) report to User as soon as practicable and as required by HIPAA and the HITECH Act any known use or disclosure of User PHI by Epocrates not as provided by the Agreement and any "Security Incident" with respect to User EPHI as defined in the Security Rule. Additionally, Epocrates will notify User of any Breach of Unsecured PHI, and such notification shall be made without unreasonable delay following the date of discovery to enable User to comply with the Breach disclosure requirements under the HITECH Act. Epocrates shall include within such notice identification, to the extent possible, of each individual whose Unsecured PHI has been, or is reasonably believed by Epocrates to have been, accessed, used, or disclosed through the Breach and any other valuable information known to Epocrates that User is required to include in its notice to affected individuals. The reporting requirement set forth hereunder shall include, without limitation, disclosures that Epocrates is aware of that would need to be included in User's accounting of disclosures under HIPAA and/or HITECH Act, provided that Epocrates is required by HIPAA and the HITECH Act as a business associate of User to include such disclosures;
(g) require any agent, including a subcontractor, under the Agreement that creates, receives, maintains, or transmits User PHI on behalf of Epocrates to agree to substantially the same restrictions and conditions with respect to User PHI and User EPHI that apply through this BAA to Epocrates with respect to such PHI;
(h) at the request of User, provide access to User PHI in a Designated Record Set to User or, as properly directed by User, to an individual in order to meet the requirements under 45 C.F.R. §164.524;
(i) at the request of User, make any amendment to such User PHI in a Designated Record Set that User properly directs or agrees to pursuant to 45 C.F.R. §164.526;
(j) make its internal practices, books and records relating to the use and disclosure of User PHI available to the Secretary of Health and Human Services for purposes of the Secretary's determination of User's compliance with HIPAA requirements;
(k) document such disclosures of User PHI and information related to such disclosures as would be required for User to respond to a request by an individual for an accounting of disclosures of it in accordance with 45 C.F.R. §164.528;
(l) provide to User information collected in accordance with this Article to permit User to respond to an appropriate request for an accounting of disclosures of User PHI in accordance with 45 C.F.R. §164.528; and
(m) to the extent that Epocrates is to carry out any User obligation(s) under the HIPAA Privacy Standards, comply with the requirements of the HIPAA Privacy Standards that apply to User in the performance of such obligation(s).
Article 3 - User's Duties. User will:
(a) not request, direct, or cause Epocrates to use or disclose PHI unless the use or disclosure is in compliance with applicable law relating to the privacy and security of patient data and is the minimum amount necessary for the legitimate purpose of such use or disclosure;
(b) notify Epocrates of any limitation in its notice of privacy practices in accordance with 45 C.F.R. §164.520, to the extent that such limitation may affect Epocrates' use or disclosure of User PHI;
(c) notify Epocrates of any changes in, or revocation of permission by, an individual to use or disclose User PHI, to the extent that such changes may affect Epocrates' use or disclosure of User PHI; and
(d) notify Epocrates of any restriction on the use or disclosure of User PHI that User has agreed to in accordance with 45 C.F.R. §164.522, to the extent that such restriction may affect Epocrates' use or disclosure of User PHI.
Article 4 - Business Associate Permitted Purposes. Epocrates' use and disclosure of User PHI is permitted for the following purposes:
(a) to provide the Services;
(b) as expressly permitted in the Agreement;
(c) as required by law;
(d) to provide data aggregation services as permitted by 45 C.F.R. §164.504(e)(2)(i)(B);
(e) for the proper management and administration of Epocrates, including, without limitation, making and maintaining reasonable business records of transactions in which Epocrates has participated or the Services have been used (including back-up documentation); and
(f) to de-identify User PHI and use such de-identified information in accordance with 45 C.F.R. §164.514(b).
Article 5 - Business Associate Disclosures. To the extent that it discloses User PHI pursuant to the purpose in Article 4(c) or (e) that is not also for another of the purposes under Article 4, Epocrates will:
(a) obtain reasonable assurances from the person or entity to whom the PHI is disclosed that such person or entity will maintain confidentiality of the PHI and not use or further disclose it except as required by law or for the purpose for which it was disclosed to the person or entity; and
(b) require the person or entity to whom the PHI is disclosed to notify Epocrates of any instances of which that person or entity is aware in which the confidentiality of such information has been breached.
Article 6 - Business Associate Termination. Upon termination of the Agreement, Epocrates will return, destroy, or continue to extend protections to and limit the use and disclosure of User PHI to the extent required by and in accordance with 45 C.F.R. §164.504(e)(2)(ii)(I), provided that the parties agree that it is not feasible in light of reasonable business requirements, regulatory compliance requirements, and the rights and obligations under the Agreement for Epocrates to return or destroy its business records and transaction databases, including, but not limited to, records and databases of transactions for which User has used the Services or in which Epocrates has engaged on behalf of User or records and databases that reflect the use of the Services and information that User or Epocrates has entered into Epocrates' products in the course of the Agreement to enable or perform the Services.
Article 7 - Business Associate Default. Any material default by Epocrates of its obligations under Articles 2, 4 and 5 will be deemed a default of a material provision of the Agreement, and, if cure of such default and termination of the Agreement are not feasible, User may report the default to the U.S. Secretary of Health and Human Services.
Article 8 - Epocrates Business Records. Subject to the other requirements and limitations of this BAA, the business records of Epocrates and all other records, electronic or otherwise, created or maintained by Epocrates in performance of the Agreement will be and remain the property of Epocrates, even though they may reflect or contain User PHI or other information concerning or provided by User. All de-identified information created by Epocrates in compliance with the Agreement will belong exclusively to Epocrates, provided that User will not hereby be prevented from itself creating and using its own de-identified information.