DPA / BAA
Data Processing Agreement (DPA)
(For use when Myon Health Technology acts as a data processor for healthcare providers or organizations.)
Effective Date: [Insert Date]
This Data Processing Agreement (“Agreement”) forms part of any service arrangement between Myon Health Technology (“Processor”) and the healthcare provider or organization (“Controller”).
1. Definitions
- “Personal Data”: Any information relating to an identified or identifiable natural person.
- “Processing”: Any operation performed on Personal Data.
- “Controller”: The entity determining the purposes and means of processing.
- “Processor”: The entity processing data on behalf of the Controller.
2. Roles and responsibilities
2.1 Controller responsibilities
The Controller:
- Determines the purpose and legal basis for processing
- Ensures data subjects are informed
- Obtains all necessary consents
2.2 Processor responsibilities
The Processor:
- Processes data only on documented instructions
- Implements appropriate security measures
- Ensures that personnel authorized to process Personal Data are bound by confidentiality obligations
- Assists the Controller with data subject requests
- Notifies the Controller of data breaches without undue delay
3. Sub-processors
The Processor may engage sub-processors (e.g., cloud hosting providers) to carry out specific processing activities. The Processor will:
- Maintain a current list of sub-processors and make it available to the Controller on request
- Impose on each sub-processor, by written contract, data protection and security obligations equivalent to those in this Agreement
- Remain fully liable to the Controller for the sub-processor's performance of those obligations
4. Security measures
The Processor will implement:
- Encryption in transit and at rest
- Access controls and authentication
- Audit logging
- Secure development practices
- Regular security assessments
5. Data transfers
Cross-border transfers of Personal Data will comply with applicable data protection laws, including the use of contractual safeguards (such as standard contractual clauses) where required.
6. Data breach notification
The Processor will notify the Controller without undue delay after becoming aware of a breach affecting Personal Data processed under this Agreement, and will provide the information reasonably available to it about the nature and scope of the breach.
7. Return or deletion of data
Upon termination, the Processor will:
- Return all Personal Data to the Controller, or
- Delete it, unless legally required to retain it
8. Audit rights
The Controller may audit the Processor's compliance, subject to reasonable notice and confidentiality.
9. Liability
Each party's liability is limited to the extent permitted by law and the underlying service agreement.
HIPAA-Aligned Business Associate Agreement (BAA)
(For U.S. healthcare providers.)
Effective Date: [Insert Date]
This Business Associate Agreement (“BAA”) is entered into between Myon Health Technology (“Business Associate”) and the healthcare provider (“Covered Entity”).
1. Purpose
This BAA ensures compliance with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and its implementing regulations.
2. Definitions
Capitalized terms not otherwise defined in this BAA have the meanings given in the HIPAA regulations (45 CFR § 160.103), including:
- Protected Health Information (PHI)
- Electronic PHI (ePHI)
- Business Associate
- Covered Entity
3. Permitted uses and disclosures
The Business Associate may:
- Use PHI to provide services to the Covered Entity
- Use PHI for internal management and operations
- De-identify PHI in accordance with HIPAA standards
The Business Associate may not use or disclose PHI in any manner that would violate HIPAA if done by the Covered Entity, except as expressly permitted by this BAA.
4. Safeguards
The Business Associate will:
- Implement administrative, physical, and technical safeguards
- Encrypt ePHI in transit and at rest
- Maintain access controls and audit logs
5. Reporting obligations
The Business Associate will:
- Report breaches of unsecured PHI to the Covered Entity without unreasonable delay, as required by the HIPAA Breach Notification Rule
- Report security incidents involving ePHI promptly
- Cooperate with investigations
6. Subcontractors
Subcontractors handling PHI must sign agreements imposing the same restrictions and safeguards.
7. Access and amendment
The Business Associate will assist the Covered Entity in:
- Providing individuals access to their PHI
- Amending PHI when required
8. Termination
Upon termination:
- PHI will be returned to the Covered Entity or destroyed, with no copies retained
- If return or destruction is infeasible, the protections of this BAA continue to apply for as long as the PHI is retained, and further uses and disclosures are limited to the purposes that make return or destruction infeasible
9. Liability
Each party is responsible for its own HIPAA compliance and violations.