This Business Associate Agreement (“BAA”) is entered into as of the date last signed by the parties (the “Effective Date”) between Notion Labs, Inc. (“Notion,” “Business Associate,” “we,” “our,” or “us”) and the customer identified on the signature page hereto (“Customer,” “you,” or “your”). Notion and Customer may individually be referred to as a “party” and collectively “the parties.”

Recitals:

A. Customer is either a “covered entity” or “business associate,” as those terms are defined under HIPAA. In that capacity, Customer is required to comply with HIPAA requirements regarding the confidentiality and privacy of Protected Health Information.

B. Business Associate provides the Services to Customer pursuant to a Master Subscription Agreement between the parties (the “Agreement”). In connection with the Services, the parties anticipate that Business Associate may from time to time create and/or receive Protected Health Information for or on behalf of Customer. By creating and/or receiving Protected Health Information in its provision of Services to Customer, Business Associate shall become a “business associate” or “subcontractor” of Customer, as such terms are defined under HIPAA, and will therefore have obligations regarding the confidentiality and privacy of Protected Health Information that Business Associate creates for, or receives from or on behalf of, Customer.

C. This BAA applies only (1) to the extent Customer is a “covered entity” or “business associate,” as those terms are defined by HIPAA; (2) where Customer has executed an Order Form that authorizes Customer to utilize a HIPAA-enabled Notion account; and (3) where Customer meets all other HIPAA eligibility criteria, as specified in the Documentation (currently found here: https://www.notion.so/help/hipaa, including maintaining an eligible Subscription Plan and completing all required configurations (“HIPAA Eligibility Criteria”)). The HIPAA Eligibility Criteria may be updated by Notion from time to time in its sole discretion.

  1. Definitions: For the purposes of this BAA, capitalized terms shall have the meanings ascribed to them below. All capitalized terms used but not otherwise defined herein will have the meaning ascribed to them by HIPAA, the Agreement, or the applicable Supplementary Terms.
    1. HIPAA” means the Health Insurance Portability and Accountability Act of 1996 and regulations promulgated thereunder.
    2. HITECH Act” means the security provisions of the American Recovery and Reinvestment Act of 2009, also known as the Health Information Technology for Economic and Clinical Health Act.
    3. Protected Health Information” or “PHI” is any information, whether oral or recorded in any form or medium that is created, received, maintained, or transmitted by Business Associate for or on behalf of Customer, that identifies an individual or might reasonably be used to identify an individual and relates to: (i) the individual’s past, present or future physical or mental health; (ii) the provision of health care to the individual; or (iii) the past, present or future payment for health care.
    4. Secretary” shall refer to the Secretary of the U.S. Department of Health and Human Services.
    5. Unsecured PHI” shall mean PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Secretary (e.g., encryption). This definition applies to both hard copy PHI and electronic PHI.
  2. Business Associate Obligations
    1. Use and Disclosure of PHI.
      1. Business Associate warrants that it, its agents and its subcontractors: (i) shall use or disclose PHI only in connection with fulfilling its duties and obligations under this BAA and the Agreement; (ii) shall not use or disclose PHI other than as permitted or required by this Agreement or required by law; (iii) shall not use or disclose PHI in any manner that violates applicable federal and state laws or would violate such laws if used or disclosed in such manner by Customer; and (iv) shall only use and disclose the minimum necessary PHI for its specific purposes. Customer agrees that Business Associate may rely on Customer’s instructions to determine if uses and disclosures meet this minimum necessary requirement.
      2. Subject to the restrictions set forth throughout this BAA, Business Associate may use the information received from Customer if necessary for (i) the proper management and administration of Business Associate; or (ii) to carry out the legal responsibilities of Business Associate.
      3. Subject to the restrictions set forth in this BAA, Business Associate may disclose PHI for the proper management and administration of Business Associate, provided that: (1) disclosures are required by law; or (2) Business Associate obtains reasonable assurances from the person or entity to whom the information is disclosed that it will remain confidential and used or further disclosed only as required by law or for the purpose for which it was disclosed to the person or entity, and the person or entity notifies the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached; and
      4. Business Associate is permitted, for Data Aggregation purposes to the extent permitted under HIPAA, to use, disclose, and combine PHI created or received on behalf of Customer by Business Associate pursuant to this BAA with PHI, as defined by 45 C.F.R. 160.103, received by Business Associate in its capacity as a business associate of other covered entities, to permit data analyses that relate to the Health Care Operations of the respective covered entities and/or Customer.
    2. Safeguards. Business Associate shall employ appropriate administrative, technical and physical safeguards to protect the confidentiality of PHI and to prevent the use or disclosure of PHI in any manner inconsistent with the terms of this BAA or the Agreement. Business Associate shall comply, where applicable, with Subpart C of 45 C.F.R. Part 164 with respect to electronic PHI to prevent use or disclosure of such electronic PHI other than as provided for by this BAA or the Agreement.
    3. Audits and Records. Business Associate shall, in accordance with HIPAA, make available to the Secretary Business Associate’s internal practices, books and records relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of, Customer for purposes of determining Customer’s compliance with its obligations under HIPAA.
    4. Individuals’ Rights to Their PHI.
      1. To the extent Business Associate maintains PHI in a Designated Record Set, in order to allow Customer (or the relevant “covered entity” where Customer acts as a “business associate”) to respond to a request by an Individual for access to PHI pursuant to 45 CFR Section 164.524, Business Associate, within ten (10) business days upon receipt of written request by Customer, shall make available to Customer such PHI.
        1. In the event that any Individual requests access to PHI directly from Business Associate, Business Associate shall forward such request to Customer within five (5) business days of request by the Individual.
        2. Customer will be responsible for making all determinations regarding the grant or denial of an Individual’s request for PHI and Business Associate will make no such determinations. Except as required by law, only Customer will be responsible for determining the release of PHI to an Individual pursuant to such a request. Any denial of access to PHI determined by Customer pursuant to 45 CFR Section 164.524, and conveyed to Business Associate by Customer, shall be the responsibility of Customer, including resolution or reporting of all appeals and/or complaints arising from denials.
      2. To the extent Business Associate maintains PHI in a Designated Record Set, in order to allow Customer (or the relevant “covered entity” where Customer acts as a “business associate”) to respond to a request by an Individual for an amendment to PHI, Business Associate shall, within ten (10) business days upon receipt of a written request by Customer, make available to Customer such PHI:
        1. In the event that any Individual requests amendment of PHI directly from Business Associate, Business Associate shall forward such request to Customer within five (5) business days of request by the Individual.
        2. Customer will be responsible for making all determinations regarding the grant or denial of an Individual’s request for an amendment to PHI and Business Associate will make no such determinations. Any denial of amendment to PHI determined by Customer pursuant to 45 CFR Section 164.526, and conveyed to Business Associate by Customer, shall be the responsibility of Customer, including resolution or reporting of all appeals and/or complaints arising from denials.
        3. Within ten (10) business days of receipt of a request from Customer to amend an individual’s PHI in the Designated Record Set, Business Associate shall incorporate, or make available PHI for Customer to incorporate, any approved amendments, statements of disagreement, and/or rebuttals into its Designated Record Set as required by 45 CFR Section 164.526.
      3. In order to allow Customer (or the relevant “covered entity” where Customer acts as a “business associate”) to respond to a request by an Individual for an accounting pursuant to 45 CFR Section 164.528, Business Associate shall, within ten (10) business days of a written request by Customer for an accounting of disclosures of PHI about an Individual, make available to Customer such PHI.
        1. In the event that any Individual requests an accounting of disclosures of PHI directly from Business Associate, Business Associate shall forward such request to Customer within five (5) business days of request by the Individual.
        2. Customer will be responsible for preparing and delivering an accounting to Individual.
        3. Business Associate shall implement an appropriate recordkeeping process to enable it to comply with the requirements of this BAA.
      4. Subcontractors. Business Associate shall obtain and maintain a written agreement with each subcontractor or agent that has or will have access to PHI, which is received from, or created or received by, Business Associate for or on behalf of Customer, pursuant to which agreement such subcontractor and agent agrees to be bound by the same types of restrictions, terms, and conditions that apply to Business Associate pursuant to this BAA with respect to such PHI.
    5. Security Breach and Reporting Obligations.
      1. In the event of any verified incident of unauthorized or accidental disclosure of or access to any Unsecured PHI that Business Associate accesses, maintains, retains, modifies, records, or otherwise holds or uses on behalf of Customer (“Security Breach”), Business Associate shall promptly report such Security Breach to Customer, but in no event later than ten (10) business days after the date the Security Breach is discovered. Notice of a Security Breach shall include, to the extent such information is known to Business Associate: (1) the identification of each individual whose PHI has been, or is reasonably believed to have been, accessed, acquired, or disclosed during the Security Breach; (2) the date of the Security Breach, if known, and the date of discovery of the Security Breach; (3) the scope of the Security Breach; and (4) the Business Associate’s response to the Security Breach.
      2. In the event of a use or disclosure of PHI that is improper under this BAA but does not constitute a Security Breach, Business Associate shall report such use or disclosure to Customer within ten (10) business days after the date on which Business Associate becomes aware of such use or disclosure.
      3. The parties acknowledge that unsuccessful Security Breaches (e.g., pings and other broadcast attacks on a firewall, denial of service attacks, port scans, unsuccessful login attempts) occur within the normal course of business and the parties stipulate and agree that this paragraph constitutes notice by Business Associate to Customer for such unsuccessful Security Breaches.
  3. Customer Obligations
    1. Customer shall not request Business Associate to use or disclose PHI in any manner that would violate applicable federal and state laws if such use or disclosure were made by Customer.
    2. Customer shall comply with all applicable laws and regulations pertaining to PHI Customer sends, or directs to be sent, to Business Associate.
    3. To the extent Customer uses any generative artificial intelligence features that are made available by Notion, Customer shall require that only duly trained and qualified individuals who maintain licenses, certifications, or other authorizations required to perform healthcare activities will use or disclose the Output in connection with any such healthcare activities.
    4. Restriction on Certain Categories of PHI. Customer agrees that it will not store or otherwise process through the Services any PHI that includes sensitive biometric information, including fingerprints, iris scans, retina scans, and facial recognition imaging.
    5. Required Notifications.
      1. Customer shall notify Business Associate of any limitation in any applicable notice of privacy practices in accordance with 45 CFR Section 164.520, to the extent that such limitation may affect Business Associate’s use or disclosure of PHI.
      2. Customer shall notify Business Associate of any changes in, or revocation of, permission by individual to use or disclose PHI, to the extent that such changes may affect Business Associate’s use or disclosure of PHI.
      3. Customer shall notify Business Associate of any restriction to the use or disclosure of PHI that Customer has agreed to in accordance with 45 CFR Section 164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of PHI.
  4. Term and Termination.
    1. Term. This BAA is effective as of the effective date of the Agreement and shall terminate (i) upon termination of the Agreement in accordance with the terms of the Agreement or as expressly authorized by Section 4(b); (ii) when all PHI has been disposed of in strict compliance with the terms of this BAA; (iii) if Customer fails to maintain a HIPAA eligible Subscription Plan; or (iv) if Customer, after being notified of changes or updates to the HIPAA Eligibility Criteria, fails to meet the revised HIPAA Eligibility Criteria; whichever occurs later.
    2. Termination for Material Breach. Where either party has knowledge of a material breach by the other party, the non-breaching party shall provide the breaching party with an opportunity to cure. Where said breach is not cured to the reasonable satisfaction of the non-breaching party within twenty (20) business days of the breaching party’s receipt of notice from the non-breaching party of said breach, the non-breaching party shall, if feasible, terminate this BAA and the portion(s) of the Agreement affected by the material breach. Where either party has knowledge of a material breach by the other party and cure is not possible, the non-breaching party shall, if feasible, terminate this BAA and the portion(s) of the Agreement affected by the material breach.
    3. Return or Destruction of PHI. Upon termination of this BAA for any reason, Business Associate shall:
      1. If feasible as determined by Business Associate, return or destroy all PHI received from, or created or received by Business Associate for or on behalf of Customer that Business Associate or any of its subcontractors and agents still maintain in any form, and Business Associate shall retain no copies of such information; or
      2. If Business Associate determines that such return or destruction is not feasible, extend the protections of this BAA to such information and limit further uses and disclosures to those purposes that make the return or destruction of the PHI infeasible, in which case Business Associate’s obligations under this Section 4(c)(ii) shall survive the termination of this BAA.
  5. General
    1. Amendment. If any of the regulations promulgated under HIPAA or the HITECH Act are amended or interpreted in a manner that renders this BAA inconsistent therewith, the parties shall cooperate in good faith to amend this BAA to the extent necessary to comply with such amendments or interpretations.
    2. Interpretation. Any ambiguity in this BAA shall be resolved to permit the parties to comply with HIPAA and the HITECH Act.
    3. Limitation of Liability. The parties agree and acknowledge that the limitation of liability provisions contained under the Agreement shall apply and govern each party’s performance under this BAA.
    4. Conflicting Terms. In the event that any terms of this BAA conflict with any terms of the Agreement, the terms of this BAA shall govern and control over the conflicting term in the Agreement. All other nonconflicting terms of the Agreement shall remain valid and enforceable.

Last Updated: August 5, 2024