This Addendum (the “BAA”) is incorporated by reference into the terms of the Oliv Technology Agreement (the “Services Agreement”) signed by Oliv Technology and the Oliv Technology Provider pertaining to the Services provided by Oliv Technology to the Oliv Technology Provider.  Capitalized terms not otherwise defined herein have the meaning ascribed to such terms in the HIPAA privacy and security laws and regulations, as amended, including the HITECH Act.  

1. Applicability.  This BAA applies to Oliv Technology Provider and Oliv Technology with respect to PHI provided to Oliv Technology by or on behalf of Oliv Technology Provider (including by Oliv Technology Provider end users) in connection with the Services. This BAA is intended to comply with the requirement to have a business associate agreement in 45 CFR 164.502(e) and other applicable rules.  The parties agree to promptly revise this BAA to comply with changes in legal requirements.

2. Permitted Use and Disclosure of PHI.

a. Except as otherwise stated in this BAA, Oliv Technology may use and disclose PHI only (i) as permitted or required by the Services Agreement and/or this BAA or (ii) as Required by Law.  Oliv Technology is permitted to deidentify the PHI.  Oliv Technology will comply with the minimum necessary requirements in any use or disclosure.

b. Oliv Technology may use and disclose PHI for its proper management and administration and to carry out its legal responsibilities, provided that any disclosure of PHI for such purposes may only occur if (i) Required by Law; or (ii) Oliv Technology obtains written reasonable assurances from the person to whom PHI will be disclosed that it will be held in confidence, used only for the purpose for which it was disclosed, and that Oliv Technology will be notified of any Breach or Security Incident.

3. Oliv Technology Provider Obligations.  Oliv Technology Provider will not request that Oliv Technology use or disclose PHI in any manner that would not be permissible under HIPAA if done by Oliv Technology Provider (unless expressly permitted under HIPAA for a Business Associate).  Oliv Technology Provider will promptly notify Oliv Technology of any new or additional restrictions to be imposed on Oliv Technology Provider’s PHI, and of any revocations of permission by any individual with respect to use or disclosure of PHI.

4. Appropriate Safeguards.  Oliv Technology will use appropriate administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of PHI it receives, maintains, processes or transmits for the Oliv Technology Provider.  

5. Reporting and Related Obligations.

a. Oliv Technology will promptly notify Oliv Technology Provider of (i) any Security Incident of which Oliv Technology becomes aware, subject to Section 5(c); and (ii) any Breach that Oliv Technology discovers, provided that any notice for Breach will be made promptly and without unreasonable delay, and in no case later than 60 calendar days after discovery. Notifications made under this section will describe, to the extent reasonably possible, details of a Breach, including steps taken to mitigate the potential risks and steps Oliv Technology recommends Oliv Technology Provider take to address the Breach.  Oliv Technology will reasonably cooperate with the Oliv Technology Provider in investigation of any Breach.

b. Oliv Technology will send any applicable notifications to the notification email address provided by Oliv Technology Provider in the Services Agreement or via direct communication with Oliv Technology Provider.

c. Notwithstanding Section 5(a), this Section 5(c) will be deemed as notice to Oliv Technology Provider that Oliv Technology periodically receives unsuccessful attempts for unauthorized access, use, disclosure, modification, or destruction of information, or interference with the general operation of Oliv Technology’s systems and the Services. Oliv Technology Provider acknowledges and agrees that even if such events constitute a Security Incident, Oliv Technology will not be required to provide any notice under this BAA regarding such unsuccessful attempts other than this Section 5(c).

6. Subcontractors.  Oliv Technology will take appropriate measures to ensure that any Subcontractors used by Oliv Technology to perform its obligations under the Services Agreement that require access to PHI on behalf of Oliv Technology are bound by written obligations that provide the same material level of protection for PHI as this BAA. To the extent Oliv Technology uses Subcontractors in its performance of obligations hereunder, Oliv Technology will remain responsible for their performance as if performed by Oliv Technology.

7. Access and Amendment.  Oliv Technology will make PHI in its possession available in a manner sufficient with meeting Oliv Technology Provider’s obligations under 45 CFR 164.524, and amend such PHI in order to satisfy Oliv Technology Provider’s obligations under 45 CFR 164.526.

8. Accounting of Disclosures.  Oliv Technology will document disclosures of PHI by Oliv Technology and provide an accounting of such disclosures to Oliv Technology Provider as and to the extent required of a Business Associate under HIPAA.

9. Access to Records.  To the extent required by law, and subject to all applicable legal privileges, Oliv Technology will make its internal practices, books, and records concerning the use and disclosure of PHI received from Oliv Technology Provider, or created or received by Oliv Technology on behalf of Oliv Technology Provider, available to the Secretary of the U.S. Department of Health and Human Services (the “Secretary”) for the purpose of the Secretary determining compliance with this BAA.

10. Expiration and Termination.

a. This BAA will terminate on the earlier of (i) a permitted termination in accordance with Section 10(b), or (ii) the expiration or termination of the Services Agreement.

b. If either party materially breaches this BAA, the non-breaching party may terminate this BAA on 10 days’ written notice to the breaching party unless the breach is cured within the 10-day period. If a cure under this Section 10(b) is not reasonably possible, the non-breaching party may immediately terminate this BAA, or if neither termination nor cure is reasonably possible under this Section 10(b), the non-breaching party may report the violation to the Secretary, subject to all applicable legal privileges.

11. Return/Destruction of Information.  On termination of the Services Agreement, Oliv Technology will return or destroy all PHI received from Oliv Technology Provider, or created or received by Oliv Technology on behalf of Oliv Technology Provider; provided, however, that if such return or destruction is not feasible, Oliv Technology will extend the protections of this BAA to the PHI not returned or destroyed and limit further uses and disclosures to those purposes that make the return or destruction of the PHI infeasible.

12. Miscellaneous.  

a. Survival. Sections 11 (Return/Destruction of Information) and 12 (Miscellaneous) will survive termination or expiration of this BAA.

b. Effects of Addendum. To the extent this BAA conflicts with the remainder of the Services Agreement, this BAA will govern. This BAA is subject to the Oliv Technology Provider Terms and Conditions, including, without limitations, the sections relating to  "Governing Law", “Dispute Resolution” and “Limitation of Liability.”  Except as expressly modified or amended under this BAA, the terms of the Services Agreement remain in full force and effect.next succeeding business day.

LAST UPDATED: 6/15/25