Business Associate Agreement


This Business Associate Agreement (this “BAA”) is entered into by and between Lyft Healthcare, Inc. (“LHI”) and the undersigned company (“Company”) pursuant to the Enterprise Order Form, Lyft Terms and Conditions and all other relevant agreements in effect governing services to be provided to Company by LHI or Lyft, Inc., its parent company under common control with LHI, as subsequently amended from time to time, (collectively, the "Agreement").

    WHEREAS, under the Agreement, LHI may have access to and use of protected health information (“PHI”) of Company, which is governed by, and subject to, the Health Insurance Portability and Accountability Act of 1996, as amended by the Health Information Technology for Economic Clinical Health Act of 2009, and the implementing regulations set forth at 45 CFR Parts 160 and 164, Subpart C (the “Security Rule”), Subpart D (the “Breach Notification Rule”), and Subpart E (the “Privacy Rule”) (collectively, the “HIPAA Rules”);

    WHEREAS, Lyft, Inc. created LHI as its wholly owned subsidiary for contracting purposes with eligible healthcare partners, and LHI and Lyft, Inc. have appropriate inter-company services, data sharing and protection arrangements to enable access to transportation network platform services to be provided to authorized healthcare partners;

    WHEREAS, if in the course of providing services under the Agreement (the “Services”), LHI receives PHI as defined under the HIPAA Rules, then LHI will be deemed a Business Associate of Company and will comply with this BAA.  Capitalized terms used in this BAA have the meanings given to them in the HIPAA Rules. 

    NOW THEREFORE, LHI and Company agree as follows:

  1. Compliance with HIPAA Rules. LHI may use and disclose PHI received from Company to provide the Services contemplated by the Agreement. Except as expressly provided below, this BAA does not authorize LHI to make any use or disclosure of PHI that Company would not be permitted to make. 

  2. Obligations and Activities of LHI. LHI will perform the following specific duties in accordance with the HIPAA Rules:
    1. Use and Disclosure. LHI will not use or further disclose PHI except as permitted by the Agreement, or as required by law.
    2. Safeguards. LHI will use appropriate safeguards and comply with the Security Rule with respect to electronic PHI, to prevent use or disclosure of PHI other than as provided for by this BAA.
    3. Minimum Necessary. LHI agrees to make reasonable efforts to limit the use and/or disclosure of PHI to the minimum amount of information necessary to accomplish the intended purpose of the use or disclosure.
    4. Mitigation. LHI agrees to mitigate, to the extent reasonably practicable, any harmful effect known to LHI of a use or disclosure of PHI by LHI in violation of this BAA.
    5. Subcontractors. LHI will ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of LHI agree to no less than the same restrictions, conditions, and requirements that apply to LHI with respect to such information. 
    6. Access to PHI. Because LHI does not maintain PHI in a Designated Record Set (which PHI is also separately held by Company), LHI is not required to provide an Individual access to PHI pursuant to 45 CFR §164.524. In the event LHI receives a request by an Individual for access to their PHI, LHI shall notify Company of such request.
    7. Amendment of PHI. Upon request by Company pursuant to 45 CFR §164.526 to amend PHI regarding an Individual, LHI shall provide reasonable collaboration in relation to such amendment, to the extent LHI may use such PHI in providing the Services.  LHI is not required to provide PHI to Company for amendment pursuant to 45 CFR §164.526.
    8. Accountings. LHI will make available the information required to provide an accounting of disclosures by LHI, if any, to the extent required in accordance with 45 CFR §164.528  LHI will upon notice from Company on requests by Individuals for accounting of disclosures of PHI, collaborate with Company to the extent reasonably necessary to facilitate Company’s response to such requests, in compliance  with 45 CFR §164.528.  Nothing in this BAA shall require LHI to maintain or provide an access report of PHI unless such action is determined to be required by amendments to 45 C.F.R. § 164.528.  
    9. Books and Records. LHI will make available its internal practices, books, and records relating to the use and disclosure of PHI received from, or created by LHI on behalf of, Company to the Secretary of the Department of Health and Human Services for purposes of determining Company’s compliance with HIPAA Rules. 
    10. Reporting. LHI agrees to promptly report to Company any Security Incident or other use or disclosure of the PHI not permitted by this BAA of which it becomes aware. If LHI discovers that a Breach of Unsecured PHI has occurred, LHI shall promptly (but in no event later than thirty (30) days after it has knowledge that a Breach has occurred) notify the Company in accordance with the requirements of 45 CFR §164.410. The parties acknowledge and agree that this section constitutes notice by LHI to Company that attempted but unsuccessful security incidents, such as pings and other broadcast attacks on LHI’s firewall, port scans, unsuccessful logon attempts, denials of service and any combination of the above, regularly occur and that no further notice will be made by LHI so long as no such incident results in unauthorized access, use or disclosure of PHI.
    11. Privacy Rule Obligations. To the extent LHI is to carry out one or more of Company’s obligations under the Privacy Rule, LHI shall comply with the applicable requirements of the Privacy Rule that apply to Company in the performance of such obligations.
  3. Permitted Uses and Disclosures by LHI.
    1. Uses and Disclosures. Except as otherwise expressly limited in this BAA, LHI may use and disclose PHI to perform functions, activities or services for, or on behalf of, Company and LHI, provided that such use or disclosure would not violate the HIPAA Rules if done by Company.
    2. Management and Administration. Except as otherwise expressly limited in this BAA, LHI may use PHI for the proper management and administration of LHI or to carry out the legal responsibilities of LHI. Except as otherwise expressly limited in this BAA, LHI may disclose PHI for disclosures that are Required By Law, or if LHI obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as Required By Law or for the purpose for which it was disclosed to the person, and the person notifies the LHI of any instances of which it is aware in which the confidentiality of the information has been breached.
    3. Data Aggregation. LHI may use and disclose PHI to provide Data Aggregation services to Company as permitted by 45 C.F.R. §164.504(e)(2)(i)(B).
    4. De-Identified Information. LHI may use and disclose PHI received from Company that has been de-identified by LHI in accordance with 45 C.F.R. §164.514. LHI’s use and disclosure of such de-identified information will not be subject to the requirements set forth in this BAA.
  4. Obligations of Company.
    1. Restrictions on Uses or Disclosures. Company shall notify LHI of any restriction on the use or disclosure of PHI that Company has agreed to or is required to abide by under 45 C.F.R. §164.522, to the extent that such restriction affects LHI’s use or disclosure of PHI.
    2. Requests for Uses or Disclosures. Company shall not request LHI to use or disclose PHI in any manner that would not be permissible under the Privacy Rule if done by Company.
  5. Term and Termination.
    1. Term. The term of this BAA shall commence on the Effective Date of the Agreement and shall terminate (i) upon termination or expiration of the Agreement, or (ii) upon termination as set forth in Section 5(b), whichever is earlier. Notwithstanding the foregoing, LHI may terminate this BAA for any reason, with or without cause, upon thirty (30) days’ notice to the Company and subject to the provisions of Section 5(c). 
    2. Termination. Upon thirty (30) days’ notice to the other party and for any reason, either party may terminate this BAA together with the Agreement. Upon either party’s (the “Non-Breaching Party,”) knowledge of a material breach by the other party (the “,Breaching Party”), the Non-Breaching Party may provide a reasonable opportunity for the Breaching Party to cure the material breach within a reasonable time, and if the Breaching Party does not cure the material breach within such time, the Non-Breaching Party may terminate this BAA. If the Breaching Party has breached a material term of this BAA and cure is not possible, the Non-Breaching Party may immediately terminate this BAA. 
    3. Effect of Termination. Upon termination of this BAA, for any reason, LHI shall extend the protections of this BAA to any PHI retained in transaction records and limit further uses and disclosures of such PHI to those that are required by law or contract obligation to Covered Entity or business associate that disclosed the PHI to LHI. LHI does not receive any paper records containing PHI, so an actual “return” of records is not applicable to LHI’s business. LHI shall extend such protections and limit such uses and disclosures for so long as LHI maintains such PHI.
  6. Miscellaneous.
    1. Regulatory References; Interpretation. A reference in this BAA to a section in the HIPAA Rules means the section as in effect or as amended from time to time, and for which compliance is required. Any ambiguity in this BAA shall be resolved to permit compliance with the HIPAA Rules. 
    2. Primacy. To the extent that any provisions of this BAA conflict with the provisions of any other agreement or understanding between the parties, this BAA shall control with respect to the subject matter of this BAA.
    3. Amendments; Waiver. This BAA may not be modified, nor shall any provision be waived or amended, except in writing duly signed by the parties. A waiver with respect to one event shall not be construed as continuing, or as a bar to or waiver of any right or remedy as to subsequent events. The parties will amend this BAA from time to time as necessary to comply with changes to the HIPAA Rules. 
    4. Assignment. Neither party shall assign this BAA without the prior written consent of the other party, except that the parties agree that LHI may, in its sole discretion, assign this BAA to any affiliate, subsidiary, or in the event of a public offering, merger or sale of all or substantially all of its assets, and, in such instance, the BAA shall continue in full force and effect without any further action of the parties.
    5. Notices. Any notices required hereunder shall be provided pursuant to the notice provision in the Agreement. 
    6. Survival. The respective rights and obligations of the parties shall survive the termination of this BAA.
    7. No Third Party Beneficiaries. Nothing express or implied in this BAA is intended or shall be deemed to confer upon any person other than Company, LHI, and their respective successors and assigns, any rights, obligations, remedies or liabilities.
    8. Independent Contractors. No provision of this BAA is intended to create, nor shall be deemed or construed to create, any employment, agency or joint venture relationship between Company and LHI other than that of independent entities contracting with each other hereunder solely for the purpose of effectuating the provisions of this BAA. The parties have reviewed the factors to determine whether an agency relationship exists under the federal common law of agency and it is not the intention of either Company or LHI that LHI constitute an “agent” under such common law.
    9. Governing Law. This BAA shall be governed by, and construed in accordance with, the laws of the State of California, exclusive of conflict of law rules. Each party hereby agrees and consents that any legal action or proceeding with respect to this BAA shall only be brought in the courts of the State of California and the county of San Francisco.
    10. Entire Agreement. The Agreement together with this BAA constitutes the entire agreement between the parties with respect to the subject matter contained herein.

©Lyft, Inc. 10-2020