BUSINESS ASSOCIATE AGREEMENT
THIS BUSINESS ASSOCIATE AGREEMENT (this “Agreement”), by and between
(“Covered Entity”), and Mediprocity Inc. (“Business Associate”), is effective as
.
WHEREAS, Business Associate and Covered Entity have entered into one or more agreements (collectively the “Services Agreement”), whereby Business Associate provides services or performs certain functions or activities (the “Services”) for or on behalf of the Covered Entity, that involve the use or disclosure of protected health information; and
WHEREAS, Business Associate and Covered Entity enter into this Agreement for the purpose of compliance with the Health Insurance Portability and Accountability Act of 1996, as amended, including by Subtitle D of the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”) (collectively, with all regulations promulgated thereunder, including the Standards for Privacy of Individually Identifiable Health Information, 45 C.F.R. Part 160 and Part 164, Subparts A and E (the “Privacy Rule”) and Subparts A and C (the “Security Rule”), “HIPAA”).
NOW, THEREFORE, in consideration of the mutual covenants contained in this Agreement and intending to be legally bound, Covered Entity and Business Associate agree as follows:
- Definitions. Terms used herein have the same meaning as those terms as set forth in HIPAA, including the following: breach; data aggregation; designated record set; disclosure; electronic PHI, limited to information created or received by Business Associate from or on behalf of Covered Entity (“EPHI”); individual; minimum necessary; notice of privacy practices; protected health information, limited to information created or received by Business Associate from or on behalf of Covered Entity (“PHI”); required by law; secretary; security incident; subcontractor; unsecured protected health information, limited to information created or received by Business Associate from or on behalf of Covered Entity (“Unsecured PHI”), and use. Other terms shall have the meaning ascribed to them by HIPAA.
- Obligations and Activities of Business Associate.
- Limits on Use and Disclosure. Business Associate agrees not to use or further disclose PHI other than as permitted or required by this Agreement or the Services Agreement or as required by law, or as otherwise authorized by Covered Entity in writing. When using or disclosing PHI or when requesting PHI, Business Associate shall make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.
- Safeguards. Business Associate agrees to implement reasonable and appropriate administrative, physical and technological safeguards and comply, where applicable, with Subpart C of the Security Rule with respect to EPHI, to prevent use or disclosure of the information other than as provided for by this Agreement.
- Mitigation. Business Associate agrees to use reasonable efforts to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate that is in violation of the requirements of this Agreement.
- Reporting. Business Associate agrees to report in writing to the Privacy Officer of Covered Entity any use or disclosure of PHI not permitted under this Agreement of which Business Associate becomes aware and any security incident of which it becomes aware. The parties agree that this Section constitutes notice by Business Associate of the ongoing existence and occurrence of attempted but unsuccessful security incidents, including, but not limited to, pings and other broadcast attacks on Business Associate’s firewall, port scans, unsuccessful log-in attempts, denials of service and any combinations thereof. Business Associate will, without unreasonable delay and no later than within ten (10) business days, notify Covered Entity of a Breach of Unsecured PHI, except where a law enforcement official determines that a notification would impede a criminal investigation or cause damage to national security. Such notification of Breach of Unsecured PHI will include, to the extent possible, the individuals whose Unsecured PHI has been, or is reasonably believed to have been, the subject of a Breach, and all other information required by 45 C.F.R. § 164.404(c)(1).
- Agents and Subcontractors. Business Associate agrees to ensure that any agent or subcontractor to whom Business Associate provides PHI agrees in writing to the same restrictions and conditions that apply to Business Associate with respect to such PHI through this Agreement, including compliance with the applicable requirements of the Security Rule.
- Access. In order to permit Covered Entity to comply with 45 C.F.R. § 164.524, Business Associate agrees, within ten (10) business days of receipt of a written request from Covered Entity, to provide access to PHI in a designated record set to Covered Entity.
- Amendments. In order to permit Covered Entity to comply with 45 C.F.R. § 164.526, Business Associate agrees, within ten (10) business days of receipt of a written request from Covered Entity, to make PHI in a designated record set available to the Covered Entity for amendment, as soon as practicable after receiving such request.
- Books and Records. Business Associate shall make all internal practices, books and records relating to the use and disclosure of PHI available to the Secretary, for the purpose of determining Covered Entity’s compliance with HIPAA, in a time and manner designated by the Secretary; subject to attorney-client and any other applicable legal privileges.
- Documentation of Disclosures. In order to permit Covered Entity to comply with 45 C.F.R. § 164.528, Business Associate shall (a) document and return to Covered Entity the following information, with respect to those disclosures of PHI made by Business Associate for which an accounting must be made pursuant to 45 C.F.R. § 164.528 and other applicable provisions of the Privacy Rule: (i) the date of the disclosure, (ii) the name of the entity or person who received the PHI and, if known, the address of such entity or person, (iii) a brief description of the PHI disclosed, and (iv) a brief statement of the purpose of the disclosure that reasonably states the basis for the disclosure; and (b) at and only at the request of Covered Entity, provide such information relating to disclosures of PHI to Covered Entity (or, as directed by Covered Entity, to an individual) within ten (10) business days of receiving such written request.
- Covered Entity Obligations. To the extent Business Associate is to carry out an obligation of Covered Entity under the Privacy Rule, Business Associate shall comply with the requirements of the Privacy Rule that apply to Covered Entity in the performance of such obligation.
- Permitted Uses and Disclosures by Business Associate.
- Use or Disclosure to Perform Functions, Activities or Services. Except as otherwise provided in this Agreement, Business Associate may use or disclose PHI to perform those Services that Business Associate performs for or on behalf of Covered Entity or as otherwise required under the Services Agreement, provided that such use or disclosure would not violate the Privacy Rule if done by Covered Entity.
- Additional Uses and Disclosures. Except as otherwise provided in this Agreement, Business Associate may use PHI for the proper management and administration of the Business Associate and to carry out the legal responsibilities of the Business Associate, and may disclose PHI for such purpose provided that such disclosures are required by law, or Business Associate obtains reasonable assurances in writing from the person to whom the PHI is disclosed that such PHI will remain confidential and be used or further disclosed only as required by law or for the purposes for which such PHI was disclosed to the person, and the person notifies Business Associate of any instances of which it is aware in which the confidentiality of the PHI has been breached.
- Obligations of Covered Entity.
- Provision of Notice. Covered Entity shall notify Business Associate of any: (a) limitations in or any changes to Covered Entity’s notice of privacy practices; (b) changes in, or revocation of, permission by an individual to use or disclose PHI; or (c) restrictions on the use or disclosure of PHI to which Covered Entity has agreed in accordance with 45 C.F.R. §164.522, to the extent the same may affect Business Associate’s permitted or required uses and disclosures of PHI.
- No Request to Use or Disclose in Impermissible Manner. Except as necessary for the management and administrative activities of the Business Associate as set forth herein, Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under the Privacy Rule if done by Covered Entity.
- Affiliated Covered Entity; Commingling. Covered Entity represents and warrants that: (a) it and its affiliates or other entities listed in the Services Agreement or otherwise receiving services from Business Associate constitute a single “affiliated covered entity” under HIPAA; or (b) it will ensure that the commingling of data among such affiliates or other entities is permitted by each affiliate or entity, and will otherwise be solely responsible for all obligations and restrictions regarding data under any agreement between it and any of such affiliates or entities, unless otherwise agreed to in writing by Business Associate.
- Term and Termination.
- Term. The Term of this Agreement shall be effective as of the date first set forth above, and shall remain in effect until termination for any reason of the Services Agreements, or as otherwise provided in this Agreement.
- Termination with Cause. Upon one party’s knowledge of a material breach by the other party, the non-breaching party shall either: (a) if cure is possible, provide an opportunity for the breaching party to cure the breach or end the violation, within the period of time specified in writing, which will be at least thirty (30) days, and terminate this Agreement if the breaching party does not cure the breach or end the violation within such period to the satisfaction of the non-breaching party; or (b) if a cure is not possible, immediately terminate this Agreement upon written notice.
- Effect of Termination. Upon termination of this Agreement for any reason, Business Associate shall return or destroy PHI, and shall retain no copies of such PHI. To the extent that destroying the PHI is infeasible, Business Associate shall provide to Covered Entity written notification of the conditions that make return or destruction infeasible, and Business Associate shall extend the protections of this Agreement to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such PHI.
- Limitation of Liability. Neither party shall be deemed to be in default of any provision of this Agreement or be liable to the other party or to any third party for any delay, failure in performance, or interruption of performance resulting directly or indirectly from acts of God, war, insurrection, riot, strikes, civil disturbance, interruption of electrical power or communications, or other causes beyond the control and without the fault or negligence of a party.
- Miscellaneous.
- Interpretation. Unless otherwise authorized by Covered Entity in writing, in the event of an inconsistency between the provisions of this Agreement and the Services Agreement, the provisions of this Agreement shall control, and in the event of an inconsistency between the provisions of this Agreement and the provisions of the Privacy Rule, the terms of the Privacy Rule shall control. Any ambiguity in this Agreement shall be resolved in favor of a meaning that permits Covered Entity and Business Associate to comply with the requirements of HIPAA. The parties agree to amend this Agreement from time to time as is necessary for Covered Entity and Business Associate to comply with the requirements of HIPAA. Any reference in this Agreement to a section in HIPAA, the Privacy Rule, the Security Rule, the HITECH Act, or other law shall mean the section as in effect or as amended.
- Notice. Any notice required or permitted by this Agreement shall be in writing and shall be governed by the notice provisions of the Services Agreement.
- Survival. The rights and obligations of Business Associate under this Agreement, including but not limited to Section 5.3, shall survive the termination of this Agreement.
- Miscellaneous. This Agreement constitutes the entire agreement of the parties, superseding all prior oral and written agreements or understandings between them with respect to the matters provided for herein, and cannot be modified unless such modifications are made in writing, and are signed by a duly authorized agent of both parties. In the event a court of competent jurisdiction determines that any provision of this Agreement is invalid or unenforceable, the enforceability or validity of the remaining provisions shall not be affected. No failure or delay by either party in exercising its rights under this Agreement shall operate as a waiver of such rights, and no waiver of any breach shall constitute a waiver of any other breach. This Agreement shall be governed by and construed in accordance with the laws of the State designated in the Services Agreement, to the extent not preempted by the provisions of HIPAA. This Agreement shall be binding upon and inure to the benefit of the respective legal successors of the parties. Except as provided in this Section, it is not the intent of the parties to make any third party the beneficiary of this Agreement.
- Independent Contractors. For purposes of this Agreement, Covered Entity and Business Associate are and will act at all times as independent contractors. None of the provisions of this Agreement are intended to create any partnership, agency, employment agreement or joint venture between the parties, or any relationship other than that of independent entities.
IN WITNESS WHEREOF, the parties hereto have caused this Agreement to be executed by their authorized representatives.
BUSINESS ASSOCIATE:
MEDIPROCITY INC.