HIPAA Business Associate Agreement
(For Enterprise Plan with HIPAA Compliance Feature Enabled)
This Business Associate Agreement (“BAA”) forms part of monday.com’s Terms of Service or other agreement governing the use of monday.com’s services (“Agreement”) whether you are an existing customer who accepted the Agreement or a new customer accepting the Agreement now and shall only apply to you if you are using the enterprise tier subscription and have enabled the HIPAA compliance feature on the Platform. You acknowledge that you, on your own behalf as an individual or on behalf of your employer or its Authorized Affiliates (collectively, “Covered Entity” “you”, “your” or the “Customer”) have read and understood and agree to comply with this BAA, and are entering into a binding legal agreement with monday.com Ltd., the owner of monday.com (“monday.com”, “us”, “we”, “our”, or “Business Associate”). “Authorized Affiliate” means any of Customer’s affiliate(s) which is explicitly permitted to use the Services pursuant to the Agreement between Customer and monday.com but has not signed its own agreement with monday.com and is not a “Customer” as defined under the Agreement. “Services” means the cloud-based work operating system platform (“Platform”) and any other services provided to Customer by monday.com under the Agreement. To the extent that you are agreeing to this BAA in connection with your use of our Services on behalf of an entity that is a “business associate”, as defined under HIPAA, of one or more HIPAA-covered entities and not itself a HIPAA-covered entity, monday.com acknowledges that it is functioning as a “subcontractor” hereunder as defined at 45 C.F.R. § 160.103 and that the term “Covered Entity” as used herein shall be considered contractual terminology and shall not imply that you are a covered entity as defined under HIPAA. Both parties shall be referred to as the “Parties” and each, a “Party”.
In the course of providing the Services pursuant to the Agreement, Business Associate may access, use, disclose, store, and/or process PHI on Covered Entity’s behalf. The BAA reflects the Parties’ agreement with how Business Associate uses and/or discloses the Covered Entity’s Protected Health Information (“PHI”) on behalf of the Covered Entity. Capitalized terms not defined herein shall have the meanings assigned to such terms in the Agreement or as defined under the Health Insurance Portability and Accountability Act of 1996, as amended, and its implementing regulations, as may be updated from time to time (collectively, “HIPAA”). You represent and warrant that you have, or you were granted, full authority to bind the Covered Entity to this BAA. If you cannot, or do not agree to, comply with, and be bound by, this BAA or do not have authority to bind the Covered Entity, please do not provide us or give us access to PHI.
To sign a BAA with us, you can either (i) countersign the online version of this BAA posted at www.monday.com/terms/hipaa-baa, using the “Sign Online Version” link to sign through DocuSign or (ii) if you are the Admin, by clicking the “I Accept” button on the monday.com Platform when enabling the HIPAA compliant feature. In the event of any conflict between certain provisions of this BAA and the provisions of the Agreement, the provisions of this BAA shall prevail.
The Parties agree to comply with the following provisions with respect to any PHI that the Covered Entity provides to Business Associate in order for Business Associate to perform the Services.
1. Permitted Uses and Disclosures.
The Business Associate may use and disclose PHI necessary to perform its obligations to the Covered Entity as set out in the Agreement or as otherwise permitted or Required by Law under HIPAA, provided that Business Associate shall not use or disclose PHI in a manner that would not be permitted if done by the Covered Entity. The Business Associate may also:
(a) use PHI (i) as necessary for its proper management and administration, or (ii) to carry out its legal responsibilities; and
(b) disclose PHI to third parties for the same purposes so long as (i) the disclosure is Required by Law or (ii) the Business Associate obtains satisfactory assurances from said third party that the PHI will be held confidentially and used or further disclosed only as Required by Law or for the purpose for which it was disclosed and that the third party will notify the Business Associate of any instances of which it is aware in which the confidentiality of the PHI has been breached.
Business Associate shall only use, disclose, and request the Minimum Necessary PHI to accomplish the purpose of the use, disclosure or request.
2. Obligations of the Business Associate.
(a) Limitation on Disclosure. The Business Associate agrees not to use or further disclose PHI other than as permitted under the Agreement or BAA, or as Required by Law
(b) Safeguards. The Business Associate agrees to implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the PHI that it creates, receives, stores, maintains or transmits on behalf of the Covered Entity pursuant to this BAA and the Agreement, and shall prevent the use or disclosure of Covered Entity’s PHI other than as provided for in this BAA, Agreement or as Required by Law.
(c) Mitigation. The Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to the Business Associate of a use or disclosure of PHI by the Business Associate in violation of the requirements of the BAA.
(d) Use of Agents/Subcontractors. The Business Associate agrees to ensure that any agents, including a subcontractor, to whom the Business Associate provides PHI received from, or created or received by, Business Associate on behalf of the Covered Entity, agree to restrictions and conditions with respect to use and disclosure of PHI that are no less restrictive than those that apply to the Business Associate under this BAA.
(e) Access to PHI. Within fifteen (15) days of receiving a written request from the Covered Entity or an Individual for a copy of PHI within a Designated Record Set, the Business Associate agrees to make the requested PHI available to the Covered Entity to enable the Covered Entity to respond to an Individual who seeks to inspect or copy his/her PHI. The Business Associate is required to comply with the Security Rule with respect to electronic PHI, including but not limited to, making available upon written request, copies of PHI in electronic format, when PHI is stored electronically. Any disclosure of, or decision not to disclose the PHI requested by an Individual and compliance with the requirements applicable to an Individual’s right to access PHI shall be the sole responsibility of the Covered Entity.
(f) Amendment of PHI. Within fifteen (15) days of receiving a written request from the Covered Entity to make an amendment to PHI within a Designated Record Set, the Business Associate will make such amendment and will inform the Covered Entity that an amendment has been made. If the Business Associate receives an amendment request directly from an Individual, the Business Associate shall notify Covered Entity of the request within fifteen (15) days of receiving a written request from the Individual.
(g) Accounting of Certain Disclosures. Within thirty (30) days of receiving a written request from the Covered Entity for an accounting of disclosures of PHI about an Individual, the Business Associate shall provide to the Covered Entity a listing of the persons or entities to which the Business Associate has disclosed PHI about the Individual within the prior six (6) years, along with the dates of, reasons for, and brief descriptions of the disclosures to enable the Covered Entity to respond to an Individual seeking an accounting of the disclosures of the Individual’s PHI in accordance with 45 C.F.R. § 164.528.
(h) Access to Books and Records. The Business Associate shall make its internal practices, books, and records relating to the use and disclosure of PHI received from, created by, or received by the Business Associate on behalf of the Covered Entity available upon request to the Secretary of the U.S. Department of Health and Human Services so that it may evaluate the Covered Entity’s compliance with the Privacy Rule.
(i) Obligations of Business Associate Upon Termination. The Business Associate shall, upon termination or expiration of this BAA, if feasible, return or allow the Covered Entity to destroy all PHI received from, processed by, or received by the Business Associate on behalf of the Covered Entity, that the Business Associate still maintains in any form in connection with this BAA and the Agreement through a deletion option provided by Business Associate in the Platform and retain no copies of such PHI except as otherwise set forth in Section 5(b) of this BAA or the Agreement. If such return or destruction is not feasible as determined by the Business Associate, Business Associate will extend the protections of this BAA to the PHI and limit further uses and disclosures to those purposes that make the return or destruction of the PHI infeasible.
(j) Reporting of Security Incident. The Business Associate shall report to the Covered Entity any Security Incident of which it becomes aware. Under 45 C.F.R. § 164.304, a Security Incident is defined as the attempted or successful unauthorized access, use, disclosure, or destruction of information or interference with system operations in an information system. Notwithstanding the foregoing, the Parties acknowledge and agree that this Section constitutes notice by Business Associate to Covered Entity of the ongoing existence and occurrence of attempted but Unsuccessful Security Incidents. Unsuccessful Security Incidents shall include, but not be limited to, pings and other broadcast attacks on Business Associate’s firewall, port scans, unsuccessful log-on attempts, denials of service and any combination of the above, or through any other mechanism so long as no such incident results in Unauthorized access, use or disclosure of PHI.
3. Breach Notification Procedures.
(a) Reporting of Breach of Unsecured PHI. Business Associate agrees to report to Covered Entity any Breach of Unsecured PHI. Such notification shall promptly be made to the Covered Entity in writing without unreasonable delay but in no event not later than thirty (30) days from the date that Business Associate became aware of such breach, or by exercising reasonable diligence should have known of such breach. Furthermore, in the event of a Breach of Unsecured PHI, Business Associate shall mitigate, to the extent practicable, any harmful effects of said Breach.
(b) Instructions for Reporting a Breach of Unsecured PHI. Upon Business Associate’s knowledge of a Breach of Unsecured PHI, Business Associate will notify Covered Entity, and in such notification, the Business Associate shall include, to the extent known and available, the following information: (1) a brief description of what happened, including the date of the incident and the date of the discovery of the incident; (2) the identification of each individual whose PHI was disclosed or potentially disclosed; (3) a description of the types of PHI that were involved in the incident; (4) any steps individuals should take to protect themselves from potential harm resulting from the incident; and (5) a brief description of what Business Associate is doing to investigate the incident, to mitigate the incident, and to protect against any further incidents. If any such information is not available at the time of the notification, Business Associate shall reasonably work with Covered Entity to provide further information as promptly as information becomes available.
4. Compliance Related Changes.
The Parties recognize that HIPAA may change or may be clarified from time to time, and that terms of this BAA may need to be revised, on advice of counsel, in order to remain in compliance with such changes or clarifications. The Parties agree to negotiate, in good faith, revisions to the terms of this BAA that cause the potential or actual violation or noncompliance.
5. Term and Termination.
(a) Term. This BAA shall become effective on the clicking “I Accept” on the monday.com Platform when enabling the HIPAA compliant feature (only applicable to the enterprise tier subscription) even if you have earlier signed the online version as set forth above, and shall terminate upon the termination or expiration of this BAA, the Agreement, or when all PHI processed or received by Business Associate on behalf of Covered Entity is, in accordance with this BAA, destroyed or returned to Customer or, if the Parties determine that it is not feasible to return or destroy the PHI, protections are extended to such information, in accordance with the terms of the Agreement and this BAA.
(b) Termination. Notwithstanding any other provision of any agreement, either Party may immediately terminate this BAA if either Party, acting reasonably, makes the determination that the other Party has breached a material term of this BAA and has failed to remedy such breach within thirty (30) days after receipt of written notice thereof. At the termination of the Agreement, BAA, or of the uses and/or disclosures of the PHI by the Business Associate, Business Associate shall if feasible, return or allow the Covered Entity to destroy all PHI received from, created by, or maintained by the Business Associate on behalf of the Covered Entity that the Business Associate still maintains in any form in connection with this BAA through an automatic deletion option provided by the Business Associate in the Platform and upon return or deletion retain no copies of such information except for one copy used solely for evidence purposes and/or for the establishment, exercise or defense of legal claims and/or for compliance with legal obligations.
6. Obligations of the Covered Entity.
(a) Notice of Privacy Practices. Covered Entity shall provide Business Associate with the notice of privacy practices that Covered Entity produces in accordance with 45 C.F.R. § 164.520, as well as any changes to that notice.
(b) Revocation of Permitted Use or Disclosure of PHI. Covered Entity shall provide Business Associate with any changes in, or revocation of, permission by an Individual to use or disclose PHI, if such changes affect Business Associate’s permitted or required uses and disclosures.
(c) Restrictions on Use or Disclosure of PHI. Covered Entity shall notify Business Associate, in writing, of any restriction to the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 C.F.R. § 164.522.
(d) Minimum Necessary. Covered Entity shall provide to the Business Associate only the minimum PHI necessary for Business Associate to perform or fulfill a specific function required or permitted hereunder.
(a) Integration and Sharing. Business Associate’s Platform permits the integration, sharing, and exchange of information with Third Party Services and Links (both, as defined in the Agreement) that may or may not be compliant with HIPAA. If the Covered Entity chooses to use such Third Party Services and/or Links, Covered Entity is solely liable and responsible for the exchange of information, including any PHI between the Business Associate’s services and the third party. Third Party Services providers do not provide services concerning PHI on behalf of monday.com and are not business associates of monday.com. monday.com hereby expressly disclaims any liability for any use, disclosure, or other action taken by such Third Party Services providers or any noncompliance by Covered Entity with any applicable law, regulation, or contractual provision relating to the sharing of information, including PHI, with any such Third Party Services.
(b) Amendment. Covered Entity and Business Associate agree to amend this BAA to the extent necessary to allow either Covered Entity or Business Associate to comply with HIPAA as amended by the Secretary of the Department of Health and Human Services or other related regulations or statutes. Business Associate may amend this BAA for minor edits (e.g., typos, grammatical edits and/or non-material edits) with or without notice to Covered Entity. The Parties shall mutually agree to any material edits to this BAA. In the event either of the Parties, acting reasonably, is unable to agree to new or modified terms as required to bring the BAA into compliance, either Party may terminate this BAA on thirty (30) days written notice to the other Party, or earlier if necessary to prevent non-compliance with a HIPAA requirement.
(c) Audits. If and to the extent required to comply with applicable law, Business Associate shall provide to Covered Entity (and Covered Entity’s regulators) access during business hours and upon reasonable prior written notice (of no less than fourteen (14) days) to, and prior coordination with, Business Associate’s personnel, to Business Associate’s records and other pertinent information, all to the extent relevant to audit Business Associate’s compliance with its obligations under this BAA. Business Associate shall provide any assistance reasonably requested by Covered Entity or its designee in conducting any such audit.
(d) No Third-Party Beneficiaries. Nothing express or implied in this BAA is intended to confer, nor shall anything herein confer, upon any person other than Covered Entity, Business Associate and their respective successors and assigns, any rights, remedies, obligations or liabilities whatsoever.
(e) Notices. All notices required to be given to either Party under this BAA will be in writing and sent by traceable carrier, which includes via email, in accordance with the terms of the Agreement. Notices will be effective upon receipt.
(f) Governing Law. This BAA shall be governed by and construed in accordance with the laws governing the Agreement between the Parties, without regard to its conflict of laws provisions.
This BAA supersedes any previous BAA between the Parties related to the subject matter herein.
Last Updated: January 18, 2022