HIPAA Breach Indemnification Agreement
Version 1.0 – December 2018
This myBrand HIPAA Breach Indemnification Agreement (“BIA”) between Restyle Groep Nederland b.v., trading as myBrand (“myBrand”, “us” or “we”) and users of the myBrand Services (“you”) governs the use of the myBrand Services under the provisions of the myBrand Terms of Service.
Unless otherwise provided herein, this BIA is subject to the provisions of the Terms.
This BIA applies only to specific accounts, Services, and data, for which you have a valid, signed HIPAA Business Associate Agreement (“BAA”) in place with myBrand. This BIA may cover use of myBrand services.
This BIA does not apply to any account, Service, or data that is:
- Not subject to a valid BAA, or
- Where you have failed to apply the security controls and configurations required by the BAA.
For example, this BIA does not apply to myBrand environments or accounts for which you do not have a BAA with myBrand.
Capitalized words and phrases have the meaning specified in the Terms, which use the definitions found in HIPAA where applicable.
“Breach” has the meaning specified in 45 CFR § 164.402.
“Claim” means any claim, proceeding, or suit brought against you by a Third Party.
“Covered Breach” means, except for Excluded Breaches, a Breach of Unsecured Protected Health Information from your myBrand Services that results directly from a failure by myBrand to properly configure or maintain the components of the myBrand Services under myBrand’s exclusive control.
“Covered Claim” means any Claim, to the extent the Claim results directly from a Covered Breach. Claims that do not result directly from a Covered Breach are not Covered Claims.
“Covered Expenses” means (a) all damages, costs, and attorneys’ fees finally awarded against you in any Covered Claim; and (b) all out-of-pocket costs (including reasonable attorneys’ fees) that you reasonably incurred in connection with the defense of a Covered Claim (other than attorneys’ fees and costs incurred without myBrand’s consent after myBrand has accepted defense of the Covered Claim).
“Excluded Breach” means any Breach of PHI that in any way results from: (a) as between you and myBrand, your failure to properly configure your myBrand Services to protect PHI; (b) as between you and myBrand, your failure to properly configure or enforce user access policies and permissions for your myBrand Services or Enclave Containerized Services to protect PHI; (d) actions or omissions by any myBrand vendor, such as Microsoft Azure; or (e) your breach of the myBrand Terms of Service, your BAA, or this BIA.
“Governmental Agency” means any court, administrative agency or commission or other federal, state, county, or local governmental entity, instrumentality, agency or commission.
“Regulatory Investigation” means a formal investigation by the Dutch Department of Health and Human Services into your security procedures regarding Protected Health Information.
“Third Party” means, other than a Governmental Agency, an unaffiliated corporation, partnership, or other entity, or a natural person.
“Unsecured Protected Health Information” has the meaning specified in 45 CFR § 164.402.
A. Defense. Subject to Section 3(C) of this BIA, myBrand will either defend you from or settle a Covered Claim if you:
- Give myBrand prompt written notice of the Covered Claim;
- Grant myBrand full control over the defense and settlement of the Covered Claim;
- Provide assistance in connection with the defense and settlement of the Covered Claim as myBrand reasonably requests; and
- Comply with any settlement or court order made in connection with the Covered Claim.
You must not defend or settle any Covered Claim without myBrand’s prior written consent. You have the right to participate in the defense of the Covered Claim at your own expense and with counsel of your own choosing, but myBrand will have sole control over the defense and settlement of the Covered Claim.
B. Indemnification. Subject to Section 3(C) of this BIA, myBrand will indemnify you from and pay:
- All Covered Expenses incurred by you in connection with a Covered Claim; and
- Any monetary fines imposed on you by a Governmental Agency in connection with a Regulatory Investigation for carrying out practices for the protection of PHI that you implemented pursuant to myBrand’s express written recommendations.
C. Exclusions. myBrand will have no obligation to you under Sections 3(A) or 3(B) of this BIA if:
- You are in breach of the myBrand Terms of Service, your BAA, or this BIA at such time the Claim or Regulatory Investigation (as applicable) arises;
- The Claim or Regulatory Investigation (as applicable) relates to or arises from, directly or indirectly, an Excluded Breach;
- You fail to enter or otherwise provide accurate information to myBrand in connection with your use of the Services;
- You fraudulently omitted or included any information as part of your use of the Services; or
- You fail to update information that was accurate when provided to myBrand in connection with your use of the Services but which information later becomes inaccurate.
4. Dispute Resolution and Arbitration
Disputes arising under this BIA shall be resolved under the Dispute Resolution and Arbitration provisions of the myBrand Terms of Service.
5. Entire Agreement; Conflict
Except as amended by this BIA, the myBrand Terms of Service and your BAA will remain in full force and effect. This BIA, together with the Terms and your BAA:
- Is intended by the parties as a final, complete and exclusive expression of the terms of their agreement; and
- Supersedes all prior agreements and understandings (whether oral or written) between the parties with respect to the subject matter hereof.
If there is a conflict between the Terms, this BIA, your BAA, or any other amendment or any addendum to those agreements, the document executed by the parties later in time will prevail.