Last Updated: June 18, 2024

Business Associate Agreement

This Business Associate Agreement (“BAA”) is made between Weights and Biases, Inc., a Delaware corporation having its principal place of business at 400 Alabama Street, Suite 202, San Francisco, CA 94110 (“W&B” and/or “Business Associate”), and Covered Entity (defined below) and governs how PHI (defined below) is to be handled between Covered Entity and Business Associate.

“Covered Entity” means an entity that accepts and agrees to the terms of this BAA as of the earlier date (“Start Date”) where such a person for such entity either clicks a box indicating acceptance of this BAA or transmits PHI to Business Associate. W&B reserves the right to modify or update this BAA in its sole discretion; the effective date of such updates and/or modifications will be the earlier of: (i) 30 days from the date of such update or modification; or (ii) Covered Entity’s continued use of a W&B Asset and/or transmission of PHI to W&B.

IF YOU DO NOT ACCEPT THIS BAA, YOU MAY NOT ACCESS OR USE THE W&B ASSETS OR TRANSMIT PHI TO W&B. THE W&B ASSETS ARE INTENDED FOR THE COVERED ENTITY AND ITS AUTHORIZED USERS ONLY AND ARE NOT FOR USE BY CHILDREN UNDER 13 YEARS OF AGE. IF AN INDIVIDUAL IS ENTERING INTO THIS BAA ON BEHALF OF A COVERED ENTITY, SUCH PERSON REPRESENTS AND WARRANTS THAT IT HAS THE LEGAL AUTHORITY TO BIND SUCH COVERED ENTITY TO THIS BAA AND THIS BAA APPLIES TO SUCH ENTITY WHICH IS DEEMED THE COVERED ENTITY.

WHEREAS, the parties have entered into a services agreement (“Agreement”) under which the Business Associate may receive PHI (as defined below) in its provision of the Software and/or Service described in the Agreement. Any terms used, but not defined in this BAA, have the meaning as set forth in the Agreement or under HIPAA;

WHEREAS, Covered Entity is or may be subject to the requirements of the Administrative Simplification Subtitle of the Health Insurance Portability and Accountability Act of 1996, as amended by Subtitle D of the 2009 Health Information Technology for Economic and Clinical Health (HITECH) Act, and their implementing regulations (“HIPAA”). As used herein, “PHI” refers to “protected health information” as defined under HIPAA, which is maintained, transmitted, created or received by Business Associate on behalf of Covered Entity. Both parties are committed to complying with HIPAA.

NOW, THEREFORE, in consideration of the terms, conditions, covenants, agreements and obligations herein stated, the parties agree as follows:

1. Services and Applicability.

Pursuant to the Agreement, Business Associate provides the Software and/or Service to Covered Entity, which may involve the use and disclosure of PHI. Business Associate agrees to only use and disclose PHI as authorized by this BAA. This BAA applies only to Business Associate’s Dedicated Cloud BYOB Deployment, and is subject to any applicable security configurations set forth in the Documentation.

2. Privacy and Protected Health Information

a. Permitted Uses and Disclosures of PHI by Business Associate. Business Associate may use or disclose PHI: (i) for the purpose of providing the Software and/or Service to Covered Entity under the Agreement; (ii) for proper management and administration, and to carry out its legal responsibilities; or (iii) as required by applicable law.

b. Responsibilities of Business Associate. Regarding the use or disclosure of PHI, Business Associate agrees it will:

i. Use or disclose PHI in a manner that would not violate HIPAA if done so by Covered Entity. Covered Entity will not request or cause Business Associate to use or disclose PHI in a manner that does not comply with HIPAA or this BAA;

ii. Use reasonable and appropriate safeguards to prevent use or disclosure of PHI other than as provided for by this BAA, consistent with the requirements of Subpart C of 45 C.F.R. Part 164 (with respect to Electronic PHI), as determined by Business Associate and as reflected in the Agreement;

iii. Promptly notify Covered Entity of any (i) Security Incident of which Business Associate becomes aware, in which there is successful unauthorized access, use or disclosure in a manner that risks the confidentiality, integrity or availability of PHI, and (ii) Breach of Covered Entity’s Unsecured PHI that Business Associate may discover to the extent required by 45 C.F.R. § 164.410, and Business Associate will make such notification without unreasonable delay, and in no case later than 30 calendar days after discovery;

iv. Provide Covered Entity with access to Covered Entity’s PHI via the Software and/or Service so that Covered Entity may fulfill its obligations under HIPAA with respect to Individuals’ rights of access and amendment, but will have no other obligations to Covered Entity or any Individual with respect to the rights afforded to Individuals by HIPAA with respect to Designated Record Sets, including rights of access or amendment of PHI. Covered Entity is responsible for managing its use of the Software and/or Service to appropriately respond to such individual requests. Covered Entity acknowledges and agrees that Covered Entity is solely responsible for the form and content of PHI maintained by Covered Entity within the Software and/or Service, including whether Covered Entity maintains such PHI in a Designated Record Set within the Software and/or Service;

v. Document disclosures of PHI by Business Associate and provide an accounting of such disclosures to Covered Entity to the extent required of a Business Associate under HIPAA and in accordance with the requirements applicable to Business Associate under HIPAA;

vi. Ensure that Business Associate’s subcontractors that maintain, transmit, create or receive PHI agree: (a) to establish and implement reasonable and appropriate safeguards to protect PHI; and (b) to restrictions and conditions no less protective than those that apply to Business Associate with respect to PHI; and

vii. To the extent required by law, make its internal practices, books, and records concerning the use and disclosure of PHI received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity, available to the Secretary of the U.S. Department of Health and Human Services (the “Secretary”) for the purpose of the Secretary determining compliance with this BAA.

3. Termination.

a. Covered Entity’s Right to Terminate. Covered Entity is authorized to terminate this BAA and the Agreement immediately if Covered Entity determines that Business Associate has violated a material term of this Agreement that pertains to PHI and has failed to cure the breach or end the violation within 30 days.

b. Effect of Termination. Termination of this BAA and the Agreement shall not affect any claims or rights that arise based on the acts or omissions of the parties prior to the effective date of termination.

c. Automatic Termination. This Agreement will automatically terminate without any further action of the Parties upon the termination or expiration of the Agreement.

d. Duties of Business Associate Upon Termination. Upon termination of this BAA and the Agreement, the PHI that Business Associate received from Covered Entity must be destroyed or returned to Covered Entity; provided, however, if Covered Entity determines that returning or destroying PHI is not feasible, Business Associate must extend the protections of this BAA to the information and limit further uses and disclosures to those purposes that make the return or destruction of the information infeasible.

4. Damages.

The limitations on liability set forth in the Agreement apply to this BAA.

5. Miscellaneous

Sections 13 (Miscellaneous), 14 (Governing Law and Courts) and 15 (Notices) of the Agreement apply to this BAA.