HIPAA Business Associate Addendum
Last Modified: February 15, 2024
This HIPAA Business Associate Addendum (“BAA”) forms part of the Master Subscription Agreement or other written or electronic agreement between Braze, Inc. and Customer (the “Agreement”) for the purchase of online services from Braze, and implements certain of the requirements of the Health Insurance Portability and Accountability Act of 1996, and the rules and regulations promulgated thereunder, as supplemented and amended by the requirements of Subtitle D of the Health Information Technology for Economic and Clinical Health (HITECH) Act, and the rules and regulations promulgated thereunder (collectively, “HIPAA”). The parties acknowledge that those regulations include both the federal privacy regulations, as amended from time to time, issued pursuant to HIPAA and codified at 45 CFR Parts 160 and 164 (Subparts A & E) (the “Privacy Rule”) and the federal security regulations, as amended from time to time, issued pursuant to HIPAA and codified at 45 CFR Parts 160 and 164 (Subparts A & C) (the “Security Rule”). A capitalized term not defined herein shall have the meaning set forth in the Agreement, or, if any such term has no meaning in the Agreement, then such term shall have the meaning ascribed to it under HIPAA.
In the course of providing the Braze Services to Customer pursuant to the Agreement, Braze may, on behalf of Customer, receive, maintain, or transmit information entered into the Braze Services as Customer Data that constitutes Protected Health Information (“PHI”), and as a result may, for certain purposes and under certain circumstances, be deemed a Business Associate (or Business Associate Subcontractor).
Accordingly, the parties agree as follows:
1. Protected Health Information. Notwithstanding the inclusion of PHI in the definition of Restricted Information in the Agreement, Customer may submit Protected Health Information to the Braze Services when done pursuant to this BAA.
2. Use and Disclosure of PHI by Customer.
a. Customer shall Use and Disclose PHI, including in any data export of PHI, only as permitted by HIPAA. Customer shall not authorize, request, or require Braze to Use or Disclose PHI in any manner that would violate HIPAA if the Use or Disclosure were carried out by Customer. Customer shall have sole responsibility for the accuracy, quality, and legality of PHI and the means by which Customer acquired the PHI.
b. Customer shall not store or submit to the Braze Services medical records or medical images. Customer acknowledges and agrees that the Braze Services shall be used exclusively for engagement, retention, customer relationship management, and marketing purposes, and is not intended to be relied upon as part of patient treatment.
c. Customer shall not send any Messages through the Braze Services that contain diagnoses, test results or similar sensitive medical information, and Braze disclaims any liability for violations of HIPAA arising from Customer’s use of the Braze Services to send Messages containing such medical information.
3. Use and Disclosure of PHI by Braze.
a. Braze shall Use or Disclose PHI only in the manner and for the purposes set forth in this BAA and not in any other manner or for any other purposes. Customer hereby authorizes Braze to do the following:
i. Use and Disclose PHI in accordance with the Agreement and applicable Order Form(s), so long as such Use or Disclosure would not violate HIPAA if done by Customer; and
ii. Use and Disclose PHI for Braze’s proper management and administration, provided that (a) any such Disclosure is Required by Law, and (b) Braze receives reasonable assurances from the person to whom the PHI is disclosed that it will be held confidentially and Used or further Disclosed only as Required by Law or for the purposes for which it was Disclosed to the person, and that the person will notify Braze of any instances of which the person is aware in which the confidentiality of the PHI has been breached.
b. Braze makes no representations or warranties about: (i) the Use and Disclosure of PHI by any Third Party Providers that Customer opts to use with the Braze Services. For clarity, such Third Party Providers may not be HIPAA compliant, and Braze is not liable for data breaches, violations of law, or damages that arise as a result of Customer’s use of any such Third Party Providers; and (ii) the accuracy and availability of PHI that is received, maintained, or transmitted by or on behalf of Customer by the Braze Services. Customer is responsible for ensuring that all PHI submitted to the Braze Services is duplicated and exists elsewhere.
4. Protection of PHI. In connection with its receipt, maintenance, or transmission of PHI on behalf of Customer, Braze agrees to do the following:
a. implement appropriate administrative, technical, and physical safeguards designed to prevent Use or Disclosure of PHI other than as provided for by this BAA, and comply, where applicable, with the Security Rule with respect to Electronic Protected Health Information; and
b. enter into a written agreement with any Subcontractors that receive, maintain, or transmit PHI on behalf of Braze, containing administrative, technical and physical safeguards comparable to those that apply to Braze in this BAA, to the extent applicable to the nature of the services provided by such Subcontractor.
5. Notification of Security Incident. Braze shall report to Customer, without unreasonable delay, any successful Security Incidents pertaining to PHI of which Braze becomes aware, including any Breach of Unsecured PHI as required by 45 CFR § 164.410, except that this section hereby serves as notice, and no additional reporting shall be required, of the regular occurrence of unsuccessful attempts at unauthorized access, use, disclosure, modification, destruction of PHI, and unsuccessful attempts at interference with systems containing PHI. Braze shall provide to Customer all information required by 45 CFR § 164.410(c) to the extent known.
6. Access by HHS. Braze shall make its internal practices, books, and records relating to the Use and Disclosure of PHI available to the Secretary of the United States Department of Health and Human Services for purposes of determining Customer’s compliance with HIPAA.
7. Individual Access and/or Individual Amendment Requests. Braze shall, to the extent Braze has been able to identify that the request comes from an Individual whose PHI was submitted to the Braze Services by Customer, promptly notify Customer if Braze receives a request from an Individual for access and/or amendment to the Individual’s PHI. Braze will confirm to the Individual that it has passed the request to Customer, but Braze shall not execute the request. By virtue of providing the Braze Services to Customer, Braze shall make available to Customer via the Braze Services all PHI that is entered into the Braze Services by or on behalf of Customer, including PHI about an Individual: (i) to facilitate Customer’s compliance with its obligations under 45 CFR § 164.524, and (ii) in a manner that allows Customer to reasonably incorporate any amendments to the PHI in accordance with 45 CFR § 164.526.
8. Individual Accounting Requests. Braze shall maintain information related to Disclosures of PHI made by Braze and shall make such information reasonably available to Customer to facilitate Customer’s compliance with its obligations under 45 CFR § 164.528.
9. Termination for Cause. A party may terminate this BAA and any applicable Order Form(s) for cause upon thirty (30) days’ written notice to the other party of a material breach of this BAA if such breach remains uncured at the expiration of such period. Such termination shall be exercised in accordance with the “Termination for Cause” section of the Agreement.
10. Return of PHI. At the termination or expiration of the Agreement, Braze shall return Customer Data (including PHI contained therein) by enabling Customer to export its Customer Data as set forth in the Agreement, and shall securely delete Customer Data in accordance with applicable laws and the Documentation. If export or destruction of Customer Data that constitutes PHI is not feasible, Braze shall extend the confidentiality and security protections of this BAA to that Customer Data and limit further Uses and Disclosures of such Customer Data to those purposes that make the return or destruction of the Customer Data infeasible.
11. Amendment. The parties shall take such action as is necessary to amend this BAA from time to time as is necessary for the parties to comply with changes to HIPAA.
12. Interpretation. Any ambiguity in this BAA shall be resolved to permit the parties to comply with HIPAA.