This HIPAA Business Associate Agreement (“Agreement”) is entered into by and between GoDaddy.com, LLC, a Delaware limited liability company (“GoDaddy”) and you, and is made effective as of the date of electronic acceptance. This Agreement sets forth each party’s respective obligations regarding the Microsoft® Office 365 email services sold and supported by GoDaddy and represented by us as being HIPAA-compliant (the “Services”), and represents the entire agreement between you and GoDaddy concerning the subject matter hereof.
Your electronic acceptance of this Agreement signifies that you have read, understand, acknowledge and agree to be bound by this Agreement, along with our Universal Terms of Service Agreement, which is incorporated herein by this reference, and any plan limits presented on the product landing pages, which are also incorporated herein by this reference.
The terms “we”, “us” or “our” shall refer to GoDaddy. The terms “you”, “your”, “User” or “customer” shall refer to any individual or entity who accepts this Agreement. Nothing in this Agreement shall be deemed to confer any third-party rights or benefits.
We may, in our sole and absolute discretion, change or modify this Agreement, any policies or agreements which are incorporated herein, and any limits or restrictions on the Services, at any time, and such changes or modifications shall be effective immediately upon posting to the GoDaddy website (“Site”). Your use of the Site or the Services after such changes or modifications shall constitute your acceptance of this Agreement and Service limitations as last revised. If you do not agree to be bound by this Agreement and the Services limitations as last revised, do not continue to use this Site or the Services.
We may occasionally notify you of changes or modifications to this Agreement by email. It is therefore very important that you keep your shopper account information current. We assume no liability or responsibility for your failure to receive an email notification if such failure results from an inaccurate email address.
The parties agree as follows:
For purposes of this Agreement, any capitalized terms not otherwise defined herein will have the meaning given to them in the Agreement and under HIPAA.
GoDaddy and you will use appropriate safeguards designed to prevent against unauthorized use or disclosure of PHI, consistent with this Agreement, and as otherwise required under the Security Rule, with respect to the Services.
GoDaddy will promptly notify you following the discovery of a breach resulting in the unauthorized use or disclosure of PHI in violation of this Agreement in the most expedient time possible under the circumstances, consistent with the legitimate needs of applicable law enforcement and applicable laws, and after taking any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the Services system by using commercially reasonable efforts to mitigate any further harmful effects to the extent practicable. You hereby agree that any such report, notification or other notice made pursuant to this Agreement may be provided electronically. For clarity, you and not GoDaddy are responsible for managing whether your end users are authorized to create, receive, maintain or transmit PHI within the Services and GoDaddy will have no obligations relating thereto. This Section will be deemed as notice to you that GoDaddy periodically receives unsuccessful attempts for unauthorized access, use, disclosure, modification or destruction of information or interference with the general operation of GoDaddy’s information systems and the Services and even if such events are defined as a Security Incident under HIPAA, GoDaddy will not provide any further notice regarding such unsuccessful attempts.
GoDaddy will take appropriate measures to ensure that any agents and subcontractors used by GoDaddy to perform its obligations under the Agreement that require access to PHI on behalf of GoDaddy are bound by written obligations that provide the same material level of protection for PHI as this Agreement. To the extent GoDaddy uses agents and subcontractors in its performance of obligations hereunder, GoDaddy will remain responsible for their performance as if performed by GoDaddy itself under this Agreement.
GoDaddy will make available to you the PHI via the Services so you may fulfill your obligation to give individuals their rights of access, amendment, and accounting in accordance with the requirements under HIPAA. You are responsible for managing your use of the Services to appropriately respond to such individual requests.
To the extent required by law, and subject to applicable attorney-client privileges, GoDaddy will make its internal practices, books, and records concerning the use and disclosure of PHI received from you, or created or received by GoDaddy on behalf of you, available to the Secretary of the U.S. Department of Health and Human Services (the “Secretary”) for the purpose of the Secretary determining compliance with this Agreement.
GoDaddy agrees that upon termination of the Agreement, GoDaddy will return or destroy all PHI received from you, or created or received by GoDaddy on behalf of you, which GoDaddy still maintains as provided in the Universal Terms of Service Agreement; provided, however, that if such return or destruction is not feasible, GoDaddy will extend the protections of this Agreement to the PHI not returned or destroyed and limit further uses and disclosures to those purposes that make the return or destruction of the PHI infeasible. In the event this Agreement is terminated earlier than the underlying Universal Terms of Service Agreement, you may continue to use the Services in accordance with the Universal Terms of Service Agreement, but must delete any PHI you maintain in the Services and cease to create, receive, maintain or transmit such PHI to GoDaddy or within the Services.
This Agreement will expire upon the earlier of: (i) your cancellation of the Services to which this Agreement applies; or (ii) your acceptance of an updated HIPAA business associate agreement that supersedes this Agreement.
It is the parties’ intent that any ambiguity under this Agreement be interpreted consistently with the intent to comply with applicable laws.
This Agreement supersedes in its entirety any pre-existing HIPAA business associate agreement executed by GoDaddy and you covering the same Services. Each covenant and agreement in this Agreement shall be construed for all purposes to be a separate and independent covenant or agreement. If a court of competent jurisdiction holds any provision (or portion of a provision) of this Agreement to be illegal, invalid, or otherwise unenforceable, the remaining provisions (or portions of provisions) of this Agreement shall not be affected thereby and shall be found to be valid and enforceable to the fullest extent permitted by law. In the event there is a conflict between the provisions of this Agreement and the provisions of the Universal Terms of Service Agreement, the provisions of this Agreement shall control.