Business Associate Agreement
Last Modified: July 1, 2025
I. GENERAL PROVISIONS
Section 1.1. Applicability.
You may be a Covered Entity under the Health Insurance Portability and Accountability Act (“HIPAA”).
If You are a Covered Entity, the Software and Support provided under these Terms of Use shall be covered by this Business Associate Agreement Addendum (this “Addendum” or “Agreement”).
If You are not a Covered Entity, this Addendum may not apply to You or to Your use of Software or Support. You are solely responsible for determining whether You are a Covered Entity under HIPAA.
This Addendum relates to Protected Health Information received by Pinnacle Automation, LLC or Diego Software, LLC (collectively “Pinnacle”), from or on behalf of You (“PHI”).
Where this Addendum provides that Pinnacle shall provide any PHI in its possession to You or any other entity, You agree that Pinnacle shall have no such obligation with respect to PHI located within systems and software under Your control.
Section 1.2. HIPAA Amendments.
The parties acknowledge and agree that the Health Information Technology for Economic and Clinical Health Act and its implementing regulations impose requirements with respect to privacy, security and breach notification applicable to Business Associates (collectively, the “HITECH BA Provisions”). The HITECH BA Provisions and any other future amendments to HIPAA affecting Business Associate Agreements are hereby incorporated by reference into this Addendum as if set forth in this Addendum in their entirety, effective on the later of the effective date of this Addendum or such subsequent date as may be specified by HIPAA.
Section 1.3. Regulatory References.
A reference in this Addendum to a section in HIPAA means the section as it may be amended from time to time. Capitalized terms used in this Addendum without definition shall have the meanings given to them by HIPAA or by this Agreement, as applicable.
II. OBLIGATIONS OF PINNACLE
Section 2.1. Use and Disclosure of PHI.
Pinnacle may use and disclose PHI as permitted or required under this Agreement (including this Addendum) or as Required by Law, but shall not otherwise use or disclose PHI. Pinnacle shall not use or disclose PHI received from You in any manner that would constitute a violation of HIPAA if so used or disclosed by You (except as set forth in Sections 2.1(a), (b) and (c) of this Addendum). To the extent Pinnacle carries out any of Your obligations under the HIPAA Privacy Rule, Pinnacle shall comply with the requirements of the HIPAA Privacy Rule that apply to You in the performance of such obligations. Without limiting the generality of the foregoing, Pinnacle is permitted to use or disclose PHI as set forth below:
(a) Pinnacle may use PHI internally for Pinnacle’s proper management and administrative services or to carry out its legal responsibilities;
(b) Pinnacle may disclose PHI to a third party for Pinnacle’s proper management and administration, provided that the disclosure is Required by Law or Pinnacle obtains reasonable assurances from the third party to whom the PHI is to be disclosed that the third party will (1) protect the confidentiality of the PHI, (2) only use or further disclose the PHI as Required by Law or for the purpose for which the PHI was disclosed to the third party and (3) notify Pinnacle of any instances of which the person is aware in which the confidentiality of the PHI has been breached;
(c) Pinnacle may use PHI to provide Data Aggregation services as defined by HIPAA; and
(d) Pinnacle may use PHI to create de-identified health information in accordance with the HIPAA de-identification requirements. Without limiting any other rights of Pinnacle under this Agreement, Pinnacle may use, create, sell, disclose to third parties and otherwise exploit de-identified health information for any purposes not prohibited by law. Pinnacle owns all right, title and interest in such de-identified health information and any data, information and material created by Pinnacle with such de-identified health information.
For the avoidance of doubt, the first paragraph of this Section 2.1(d) shall survive the expiration or earlier termination of this Agreement.
Section 2.2. Safeguards.
Pinnacle shall use reasonable and appropriate safeguards to prevent the use or disclosure of PHI except as otherwise permitted or required by this Addendum. In addition, Pinnacle shall implement Administrative Safeguards, Physical Safeguards and Technical Safeguards that reasonably and appropriately protect the Confidentiality, Integrity and Availability of PHI transmitted or maintained in Electronic Media (“EPHI”) that it creates, receives, maintains or transmits on behalf of You.
Pinnacle shall comply with the HIPAA Security Rule with respect to EPHI.
Section 2.3. Minimum Necessary Standard.
To the extent required by the “minimum necessary” requirements of HIPAA, Pinnacle shall only request, use and disclose the minimum amount of PHI necessary to accomplish the purpose of the request, use or disclosure.
Section 2.4. Mitigation.
Pinnacle shall take reasonable steps to mitigate, to the extent practicable, any harmful effect (that is known to Pinnacle) of a use or disclosure of PHI by Pinnacle in violation of this Addendum.
Section 2.5. Subcontractors.
Pinnacle shall enter into a written agreement meeting the requirements of 45 C.F.R. §§ 164.504(e) and 164.314(a)(2) with each Subcontractor (including, without limitation, a Subcontractor that is an agent under applicable law) that creates, receives, maintains or transmits PHI on behalf of Pinnacle. Pinnacle shall ensure that the written agreement with each Subcontractor obligates the Subcontractor to comply with restrictions and conditions that are at least as restrictive as the restrictions and conditions that apply to Pinnacle under this Addendum.
Section 2.6. Reporting Requirements.
(a) If Pinnacle becomes aware of a use or disclosure of PHI in violation of this Agreement by Pinnacle or by a third party to which Pinnacle disclosed PHI, Pinnacle shall report any such use or disclosure to You without unreasonable delay.
(b) Pinnacle shall report any Security Incident involving EPHI of which it becomes aware in the following manner: (1) any actual, successful Security Incident will be reported to You in writing without unreasonable delay, and (2) any attempted, unsuccessful Security Incident of which Pinnacle becomes aware will be reported to You orally or in writing on a reasonable basis, as requested by You. If the HIPAA security regulations are amended to remove the requirement to report unsuccessful attempts at unauthorized access, the requirement hereunder to report such unsuccessful attempts will no longer apply as of the effective date of the amendment.
(c) Pinnacle shall, following the discovery of a Breach of Unsecured PHI, notify You of the Breach in accordance with 45 C.F.R. § 164.410 without unreasonable delay and in no case later than sixty (60) days after discovery of the Breach.
Section 2.7. Access to Information.
Pinnacle shall make available PHI in Software or Support to You in accordance with this Agreement for so long as Pinnacle maintains the PHI in a Designated Record Set. If Pinnacle receives a request for access to PHI directly from an Individual, Pinnacle shall forward such request to You within ten (10) business days. You shall have the sole responsibility for determining whether to approve a request for access to PHI and to provide such access to the Individual. This Section 2.7 shall not apply to PHI maintained in systems and software that You control. PHI that is maintained by You within Software or Support under Your control shall be Your responsibility, and Pinnacle shall not have any obligation to provide such PHI.
Section 2.8. Availability of PHI for Amendment.
Pinnacle shall provide PHI in Pinnacle’s possession with respect to Software or Support to You for amendment, and incorporate any such amendments in the PHI (for so long as Pinnacle maintains such information in the Designated Record Set), in accordance with this Addendum and as required by 45 C.F.R. § 164.526. If Pinnacle receives a request for amendment to PHI directly from an Individual, Pinnacle shall forward such request to You within ten (10) business days. You shall have the sole responsibility for determining whether to approve an amendment to PHI and to make such amendment. PHI that is maintained by You within Software or Support under Your control shall be Your responsibility, and Pinnacle shall not have any obligation to provide such PHI.
Section 2.9. Accounting of Disclosures.
Within thirty (30) business days of written notice by You to Pinnacle that it has received a request for an accounting of disclosures of PHI in the possession and control of Pinnacle and not of You (other than disclosures to which an exception to the accounting requirement applies), Pinnacle shall make available to You such information as is in Pinnacle’s possession and is required for You to make the accounting required by 45 C.F.R. § 164.528. If Pinnacle receives a request for an accounting directly from an Individual, Pinnacle shall forward such request to You within seven (7) business days. You shall have the sole responsibility for providing an accounting to the Individual.
Section 2.10. Availability of Books and Records.
Following reasonable advance written notice, Pinnacle shall make its internal practices, books and records relating to the use and disclosure of PHI received from, or created or received by Pinnacle on behalf of, You available to the Secretary for purposes of determining Your compliance with HIPAA.
III. YOUR OBLIGATIONS
Section 3.1. Permissible Requests.
You shall not request Pinnacle to use or disclose PHI in any manner that would not be permissible under HIPAA if done by You.
Section 3.2. Minimum Necessary Information.
When You disclose PHI to Pinnacle, You shall provide the minimum amount of PHI necessary for the accomplishment of Your purpose.
Section 3.3. Appropriate Use of PHI.
You and Your employees, representatives, consultants, contractors and agents shall not submit any Protected Health Information to Pinnacle (A) outside of Software or Support, including but not limited to submissions to any online forum made available by Pinnacle to its customers, email transmissions, and submissions through any support website, portal, or online help desk or similar service made available by Pinnacle outside of Software or Support; or (B) directly to any third party involved in the provision of an online forum, email, support website, online help desk or other service described in (A), above.
Section 3.4. Permissions; Restrictions.
You warrant that You have obtained and will obtain any consent, authorization and/or other legal permission required under HIPAA and other applicable law for the disclosure of PHI to Pinnacle. You shall notify Pinnacle of any changes in, or revocation of, the permission by an Individual to use or disclose his or her PHI, to the extent that such changes may affect Pinnacle’s use or disclosure of PHI. You shall not agree to any restriction on the use or disclosure of PHI under 45 C.F.R. § 164.522 that restricts Pinnacle’s use or disclosure of PHI under this Agreement (including under this Addendum) unless such restriction is Required by Law or Pinnacle grants its written consent.
Section 3.5. Notice of Privacy Practices.
Except as Required by Law, with Pinnacle’s consent or as set forth in this Agreement, You shall not include any limitation in Your notice of privacy practices that limits Pinnacle’s use or disclosure of PHI under this Agreement (including this Addendum).
IV. TERMINATION OF THIS AGREEMENT
Section 4.1. Addendum Term.
Without limiting any other term of these Terms of Use (including this Addendum), this Addendum shall continue in full force and effect for so long as Pinnacle maintains any PHI.
Section 4.2. Termination Upon Breach of this Addendum.
Any other provision of this Addendum notwithstanding, this Addendum may be terminated by either party (the “Non-Breaching Party”) upon ninety (90) days’ written notice to the other party (the “Breaching Party”) in the event that the Breaching Party materially breaches this BA Agreement in any material respect and such breach is not cured within such ninety-day period. Any determination of whether a material breach has been cured shall be made by Pinnacle in its sole discretion.
Section 4.3. Return or Destruction of PHI upon Termination.
Upon termination of this Agreement, Pinnacle shall return or destroy all PHI received from You or created or received by Pinnacle on behalf of You and which Pinnacle still maintains as PHI. Notwithstanding the foregoing, to the extent that Pinnacle determines, in its sole discretion, that it is not feasible to return or destroy such PHI, this Addendum (including, without limitation, Section 2.1(d) of this Addendum) shall survive termination of this Agreement and such PHI shall be used or disclosed solely for such purpose or purposes which prevented the return or destruction of such PHI.
Section 4.4. Modification of Agreement.
This Business Associate Agreement may be modified by Pinnacle consistent with the requirements of the HIPAA regulations if, in Pinnacle’s sole discretion, it appears appropriate to do so. Such modified BAA will be posted on Pinnacle’s website, and will be effective as of the date of posting. Each modified BAA will have a modification date, and You can determine whether the BAA has been modified by inspecting the modification date on Pinnacle’s website.