Exhibit A

Business Associate Agreement


This Business Associate Agreement (this “BAA”) is incorporated into and made a part of the Terms of Service (the “Terms of Service”) to which this BAA is attached, by and between Customer (“Covered Entity”) and TriFetch Inc. (“Business Associate” or “Company”). This BAA shall be effective as of the date Customer accepts the Terms of Service or first accesses or uses the Services (the “Effective Date”). Capitalized terms used but not otherwise defined in this BAA shall have the meanings given to them in the Terms of Service or in 45 CFR Parts 160 and 164.

1. Terms and Definitions

  • Data Aggregation. “Data Aggregation” shall have the meaning assigned to such a term in 45 CFR § 164.501, and includes, but is not limited to, combining PHI created or received by Business Associate from covered entities to whom Business Associate is a Business Associate to permit data analysis services for Covered Entity.
  • De-Identification. “De-Identification” shall have the meaning assigned to such term in 45 CFR § 164.514 and refers to the process by which PHI is rendered not individually identifiable in accordance with one of the two methodologies specified therein: (i) Expert Determination, whereby a person with appropriate knowledge and experience applies statistical and scientific principles and methods to determine that the risk of identifying an individual is very small; or (ii) Safe Harbor, whereby specified identifiers are removed and the covered entity has no actual knowledge that the remaining information could be used to identify an individual. Once PHI has been de-identified in accordance with 45 CFR § 164.514, such data is no longer considered PHI and is not governed by HIPAA.
  • Designated Record Set. “Designated Record Set” shall have the meaning assigned to such term in 45 CFR § 164.501 but shall be limited to the collection or grouping of PHI that Business Associate maintains, creates, or receives on behalf of Covered Entity.
  • HIPAA. “HIPAA” shall mean the Health Insurance Portability and Accountability Act of 1996, as modified and amended by the Health Information Technology for Economic and Clinical Health Act, found in Title XIII of the American Recovery and Reinvestment Act of 2009 and other applicable laws, and its implementing regulations, sometimes referred to as the “Privacy Rule,” “Security Rule,” and “Breach Notification Rule,” all as may be modified and amended from time to time.
  • Protected Health Information (“PHI”). “Protected Health Information” or “PHI” shall have the meaning set forth in 45 CFR § 160.103, limited, however, to the information that Business Associate creates, maintains, or receives on behalf of Covered Entity for the purposes of the services. PHI includes “Electronic Protected Health Information” or “EPHI.”
  • Secretary. “Secretary” shall mean the Secretary of the Department of Health and Human Services.
  • Unsecured Protected Health Information (“Unsecured PHI”). “Unsecured Protected Health Information” or “Unsecured PHI” shall have the meaning assigned to such term in 45 CFR § 164.402, limited however, to the information that Business Associate creates, maintains, or receives on behalf of Covered Entity.
  • Unsuccessful Security Incidents. “Unsuccessful Security Incidents” shall mean Security Incidents that do not result in unauthorized access, use, disclosure, modification, or destruction of information or interference with system operation in an Information System in which PHI is stored or maintained, including, but not limited to: (i) “pings” and other broadcast attacks on an information system firewall; (ii) port scans; (iii) attempts to log on to an information system or enter a database with an invalid password or user name; or (iv) denial-of-service attacks that do not result in a server being taken offline; or any combination of the foregoing, provided that it does not result in unauthorized access, use, disclosure, modification, or destruction of Covered Entity’s EPHI.

2. Business Associate Obligations

(i) Use and Disclosure

Business Associate shall not use or disclose PHI other than (a) as necessary to perform the services, (b) in accordance with Section 2(ii) of this BAA, or (c) as Required by Law and in accordance with Section 2(iii) of this BAA. Business Associate shall not use or disclose PHI in any manner that violates HIPAA or any other applicable federal or state laws and regulations relating to the privacy and security of PHI.

(ii) Certain Permitted Uses and Disclosures

In accordance with 45 CFR §§ 164.504(e)(2)(i) and 164.504(e)(4), Business Associate may use or disclose PHI (a) for the proper management and administration of Business Associate, including data analysis necessary to review, improve, or validate the platform, features, or services offered under this Agreement; (b) to provide Data Aggregation services for the Covered Entity; (c) in order to create de-identified PHI pursuant to 45 CFR § 164.514(b) and use the resulting de-identified data for its business purposes, provided that the de-identified data will not be associated with or attributable to Covered Entity or its employees or patients; and (d) to carry out the legal responsibilities of Business Associate; provided, however, that any permitted disclosure of PHI to a third party must be either Required by Law or subject to reasonable assurances obtained by Business Associate from the third party that the PHI will be held confidentially and used or further disclosed only as Required by Law or for the purposes for which it was disclosed to such third party, and that any breaches of confidentiality of the PHI which become known to such third party will be immediately reported to Business Associate.

(iii) Uses and Disclosures Required By Law

Business Associate may use and disclose PHI to the extent such use or disclosure is Required by Law, provided that (a) the use or disclosure complies with and is limited to the relevant requirements of such law, (b) Business Associate promptly notifies Covered Entity of such use or disclosure and, at Covered Entity’s request and Business Associate’s expense, assists in obtaining a protective order or other similar order, and (c) the use or disclosure complies with the requirements of 45 CFR § 164.512 to the same extent such requirements would apply if the use or disclosure were made by Covered Entity.

(iv) Minimum Necessary

Business Associate agrees to follow any guidance issued by the Department of Health and Human Services regarding what constitutes “minimum necessary” with respect to the use or disclosure of PHI, to the extent it is applicable to Business Associate’s provision of the services. Until the time that any such guidance is issued, Business Associate shall, where applicable and required by HIPAA, limit its use or disclosure of PHI to the minimum necessary to accomplish the intended purpose of such use or disclosure.

(v) Safeguards

Consistent with the requirements of 45 CFR § 164.504, Business Associate shall use appropriate administrative, technical, and physical safeguards to prevent the use or disclosure of PHI other than as permitted in this Agreement.

(vi) Security of EPHI

Business Associate agrees to comply with the applicable standards of 45 CFR §§ 164.306, 164.308, 164.310, 164.312, 164.314, and 164.316 with respect to EPHI.

(vii) Notification Obligations

Business Associate shall report to Covered Entity without unreasonable delay any Security Incident of which Business Associate becomes aware. In addition, Business Associate shall report to Covered Entity without unreasonable delay any acquisition, access, use or disclosure of Unsecured Protected Health Information not permitted by this Agreement. In no case shall such notification of the unauthorized acquisition, access, use or disclosure of unsecured PHI occur later than ten (10) business days after Business Associate’s discovery. Discovery will be deemed to occur on the date that Business Associate actually became aware or, by exercising reasonable diligence should have been aware of the unauthorized acquisition, access, use or disclosure of Unsecured PHI.

To the extent an assessment by Business Associate concludes that a Breach of Unsecured PHI has occurred, such notification shall also include, to the extent possible and known to Business Associate, the identification of each Individual whose PHI has been or is reasonably believed to have been accessed, acquired, used or disclosed during the incident, along with any other information that the Covered Entity will be required to include in its notification to the Individual, the media and/or the Secretary, as applicable, including, without limitation, (a) a description of the incident, (b) the date of the incident and the date of its discovery, (c) the types of Unsecured Protected Health Information involved, and (d) a description of Business Associate’s investigation, mitigation, and prevention efforts. In the event that a Breach occurs that is properly attributable to the acts or omissions of Business Associate, Business Associate shall cooperate and assist Covered Entity in preparing any written notifications required by the Breach Notification Rule.

Notwithstanding the notification provisions above, the Parties acknowledge and agree that this Section 2(vii) constitutes notice by Business Associate to Covered Entity of the ongoing existence and occurrence of Unsuccessful Security Incidents for which no additional notice to Covered Entity shall be required.

(viii) Mitigation

To the extent properly attributable to the acts or omissions of Business Associate, Business Associate shall mitigate promptly, to the extent practicable, any harmful effect that is known to Business Associate of an acquisition, access, use or disclosure of PHI by Business Associate in violation of this Agreement, the Privacy Rule, the Security Rule, or other applicable federal or state laws concerning the privacy or security of PHI. Business Associate shall promptly thereafter provide Covered Entity with a written report of the issues and corresponding actions taken by Business Associate.

(ix) Subcontractors

  • (a) Written Agreement. Business Associate shall ensure that any Subcontractor (including any provider of tracking technologies such as cookies, pixels, and tags) that creates, receives, maintains or transmits PHI on its behalf agrees in writing to materially similar restrictions and conditions that apply to Business Associate with respect to such PHI under HIPAA, including without limitation the provisions of this Section 2.
  • (b) Violations of Agreement. If Business Associate becomes aware of a pattern of activity or practice of a Subcontractor that constitutes a material violation of the subcontractor’s obligations under the written agreement described in Section 2(ix)(a), Business Associate agrees to take reasonable steps to cure or end the violation, and if such steps are unsuccessful, to terminate the agreement, if feasible.

(x) Individual Rights

The Parties agree and acknowledge that Business Associate will not through the provision of the services, maintain PHI on behalf of Covered Entity that would be considered part of a Designated Record Set. Notwithstanding this acknowledgement, Business Associate agrees to undertake the following actions.

  • (a) Request to Access or Amend PHI. If any Individual submits a request to Business Associate for access to or amendment of his/her/their PHI in a Designated Record Set, Business Associate agrees to notify Covered Entity of such request and provide such information as known and reasonably available to Business Associate that may assist Covered Entity in its response to the request.
  • (b) Request for Accounting of Disclosures. If any Individual submits a request to Business Associate for an accounting of disclosures of his/her/their PHI, Business Associate agrees to notify Covered Entity of such request and provide such information as known and reasonably available to Business Associate that may assist Covered Entity in its response to the request.

(xi) Remuneration in Exchange for PHI

Except as permitted under 45 CFR § 164.502(a)(5)(ii), Business Associate agrees that it shall not directly or indirectly receive remuneration in exchange for PHI from or on behalf of the recipient of such PHI.

(xii) Audit

Business Associate shall make its internal practices, books, and records relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of, Covered Entity available to the Secretary, upon request, for purposes of determining and facilitating Covered Entity’s compliance with HIPAA.

3. Covered Entity Obligations

(i) Appropriate Permissions

Covered Entity represents that it has provided all necessary notices to Individuals and has obtained any necessary permissions from Individuals and other entities, in order to disclose PHI to Business Associate and in order for Business Associate to use and disclose PHI as set forth in this BAA, in compliance with HIPAA and other applicable laws and regulations.

(ii) Individual Permission

Covered Entity shall notify Business Associate of change(s) in, or revocation of, permission by an Individual to use or disclose PHI, to the extent such change(s) affect(s) Business Associate’s permitted uses or disclosures of PHI.

(iii) Restrictions

Covered Entity shall notify Business Associate of restriction(s) on the use or disclosure of PHI to which Covered Entity has agreed, to the extent such restriction(s) affect(s) Business Associate’s permitted uses or disclosures of PHI.

4. Term and Termination

(i) Term

The term of this Agreement shall begin on the Effective Date and shall terminate after thirty (30) days. Upon termination, all PHI provided by Covered Entity to Business Associate or created or received by Business Associate on behalf of Covered Entity, must be returned to Covered Entity or destroyed, as agreed by the Parties. Business Associate may retain PHI as required by applicable law.

(ii) Termination for Cause

  • By Covered Entity. Upon Covered Entity’s knowledge of a material violation by Business Associate of this Agreement, Covered Entity may: immediately terminate this Agreement if Business Associate has violated a material term of this Agreement and cure is not possible; or terminate this Agreement upon thirty (30) days’ notice after (1) Covered Entity determines that Business Associate has violated a material term of this Agreement, and (2) following Covered Entity’s written notification of the material violation to the Business Associate, Business Associate is unable or unwilling to take steps to cure the violation within such thirty (30) day period. In the event Business Associate cures the violation within such thirty (30) day period, this Agreement shall remain in full force and effect.
  • By Business Associate. Upon Business Associate’s knowledge of a material violation by Covered Entity of this Agreement, Business Associate may: immediately terminate this Agreement if Covered Entity has violated a material term of this Agreement and cure is not possible; or terminate this Agreement upon thirty (30) days’ notice after (1) Business Associate determines that Covered Entity has violated a material term of this Agreement, and (2) following Business Associate’s written notification of the material violation to Covered Entity, Covered Entity is unable or unwilling to take steps to cure the violation within such thirty (30) day period. In the event Covered Entity cures the violation within such thirty (30) day period, this Agreement shall remain in full force and effect.

(iii) Survival

In the event of termination of this Agreement pursuant to Section 4(ii), to the extent feasible, Business Associate shall return to Covered Entity or destroy all PHI that Business Associate still maintains in any form. If the return or destruction of all PHI is not feasible, Business Associate shall extend the protections of this Agreement to the remaining information and limit further use and disclosure of PHI to those purposes that make the return or destruction of the PHI infeasible. The terms of Section 2(vii) (“Notification”) and Section 2(viii) (“Mitigation”) along with such other terms that by their nature indicate the intent for survival, shall survive the termination or expiration of this Agreement.

5. Miscellaneous

(i) Amendment

The Parties acknowledge that the Secretary may promulgate additional regulations and interpretative guidance that is not available at the time of executing this Agreement. In the event Covered Entity determines in good faith that any such regulation or guidance adopted or amended after the execution of this Agreement is required by law to be implemented and made a part hereof, this Agreement shall be renegotiated in good faith so as to amend the applicable provision(s) in a manner that would eliminate any such substantial risk.

(ii) Property Rights in PHI

Business Associate hereby acknowledges that, as between Business Associate and Covered Entity, all PHI shall be and remain the sole property of Covered Entity, including any forms of PHI developed by Business Associate in the course of fulfilling its obligations under this Agreement.

Questions about this BAA? Contact us at contact@trifetch.ai. This BAA is Exhibit A to the Terms of Service.