HIPAA Business Associate Addendum
This Business Associate Addendum (“BAA”) applies solely to the extent that Webklipper Technologies (WebEngage, which includes its subsidiaries) processes Protected Health Information (“PHI”) on behalf of a Customer that qualifies as a “Covered Entity” or “Business Associate” under HIPAA. For Customers and engagements that do not involve PHI subject to HIPAA, this BAA shall not apply, and the parties’ relationship shall be governed exclusively by the Agreement and any other applicable data protection addenda.
Nothing in this BAA shall be construed to extend HIPAA obligations to WebEngage in respect of data processed under non-U.S. laws or for Customers outside the scope of HIPAA. In such cases, WebEngage’s obligations shall be limited to compliance with applicable data protection laws, including but not limited to the Information Technology Act, 2000, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, and the Digital Personal Data Protection Act, 2023 (India), as well as any other applicable international data protection frameworks (e.g., GDPR, UK DPA).
The parties acknowledge that HIPAA regulations include:
- The Privacy Rule (45 CFR Parts 160 and 164, Subparts A & E), and
- The Security Rule (45 CFR Parts 160 and 164, Subparts A & C).
Capitalised terms not defined herein shall have the meaning outlined in the Agreement or, if not defined therein, the meaning ascribed under HIPAA.
1. Protected Health Information (PHI)
The Customer may submit PHI to the WebEngage Services when done pursuant to this BAA, notwithstanding the inclusion of PHI in the definition of Restricted Information in the Agreement.
2. Use and Disclosure of PHI by Customer
- Customer shall use and disclose PHI only as permitted by HIPAA. Customer shall not authorise, request, or require WebEngage to use or disclose PHI in any manner that would violate HIPAA if performed by Customer. The Customer is solely responsible for the accuracy, quality, and legality of PHI and the means by which PHI is acquired.
- The Customer may store PHI in compliance with HIPAA, but acknowledges that the WebEngage Services are intended exclusively for engagement, retention, relationship management, and marketing purposes, and are not intended for patient treatment or diagnostic use.
- Customer shall not send messages through the WebEngage Services containing diagnoses, test results, or similar sensitive medical information. WebEngage disclaims liability for HIPAA violations arising from such use.
3. Use and Disclosure of PHI by WebEngage
- WebEngage shall use or disclose PHI only as outlined in this BAA. Customer authorises WebEngage to:
  i. Use and disclose PHI in accordance with the Agreement and applicable Order Forms, provided such use or disclosure would not violate HIPAA if performed by Customer.
  ii. Use and disclose PHI for WebEngage’s proper management and administration, provided that:
- Such disclosure is required by law, and
- WebEngage receives reasonable assurances from the recipient that PHI will be held confidentially, used or disclosed only as required by law or for the intended purpose, and that any breach of confidentiality will be reported to WebEngage.
- WebEngage makes no representations or warranties regarding:
- The use or disclosure of PHI by third-party providers chosen by Customer (such providers may not be HIPAA compliant).
- The accuracy or availability of PHI received, maintained, or transmitted via the WebEngage Services. The Customer is responsible for duplicating and maintaining PHI elsewhere.
4. Protection of PHI
WebEngage shall:
a. Implement appropriate administrative, technical, and physical safeguards to prevent unauthorised use or disclosure of PHI, and comply with the Security Rule regarding electronic PHI.
b. Enter into written HIPAA-compliant Business Associate Agreements with subcontractors that receive, maintain, or transmit PHI on behalf of WebEngage, requiring safeguards comparable to those in this BAA.
These safeguards are implemented in line with privacy policies outlined in the WebEngage Data Processing Addendum (DPA) and security practices
5. Notification of Security Incident
- WebEngage shall report to Customer, without unreasonable delay and no later than sixty (60) days from discovery, any successful security incident involving PHI, including any breach of unsecured PHI as required by 45 CFR § 164.410.
- This section also serves as notice of the regular occurrence of unsuccessful attempts at unauthorised access, use, disclosure, modification, or destruction of PHI, and unsuccessful attempts at interference with systems containing PHI.
- WebEngage shall provide Customer with all information required under 45 CFR § 164.410(c), to the extent known.
6. Access by HHS
WebEngage shall make its internal practices, books, and records relating to PHI available to the Secretary of the U.S. Department of Health and Human Services for purposes of determining Customer’s compliance with HIPAA.
7. Individual Access and Amendment Requests
WebEngage shall promptly notify Customer if it receives a request from an individual for access to or amendment of PHI. WebEngage will confirm to the individual that the request has been passed to the Customer, but will not execute the request itself.
WebEngage shall make available to Customer all PHI entered into the Services to facilitate Customer’s compliance with 45 CFR § 164.524 and § 164.526.
8. Individual Accounting Requests
WebEngage shall maintain information related to disclosures of PHI and make such information reasonably available to Customer to facilitate compliance with 45 CFR § 164.528.
9. Termination for Cause
Either party may terminate this BAA and applicable Order Forms for cause upon thirty (30) days’ written notice of a material breach, if such breach remains uncured at the end of the notice period.
The Customer may terminate immediately if the breach is material and cannot be cured.
10. Return of PHI
- Enable Customer to export Customer Data (including PHI), and
- Securely delete Customer Data in accordance with applicable laws and documentation.
- If export or destruction of PHI is not feasible, WebEngage shall extend confidentiality and security protections to such PHI and limit further use or disclosure to purposes that make return or destruction infeasible.
- Data retention and deletion will follow the principles outlined in WebEngage’s Privacy Policy, unless stricter HIPAA requirements apply.
11. Amendment
The parties shall take necessary action to amend this BAA from time to time to comply with changes to HIPAA.
12. Governing Law and Jurisdiction
The laws of India shall govern this BAA, and the courts at Mumbai shall have exclusive jurisdiction. Notwithstanding the foregoing, HIPAA obligations apply under U.S. law to PHI processed for U.S. customers, and WebEngage agrees to comply with HIPAA requirements to the extent applicable.
13. Interpretation
Any ambiguity in this BAA shall be resolved in a manner that permits compliance with HIPAA.