SUBCONTRACTOR BUSINESS ASSOCIATE AGREEMENT

WHEREAS, Business Associate and Subcontractor have entered into one or more agreements (collectively the “Services Agreement”), whereby Subcontractor provides services or performs certain functions or activities (the “Services”) for or on behalf of Business Associate or its customers or contractors that are covered entities (each, a “Covered Entity”), that involve the use or disclosure of protected health information; and

WHEREAS, Business Associate and Subcontractor enter into this Agreement for the purpose of compliance with the Health Insurance Portability and Accountability Act of 1996, as amended, including by Subtitle D of the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”) (collectively, with all regulations promulgated thereunder, including the Standards for Privacy of Individually Identifiable Health Information, 45 C.F.R. Part 160 and Part 164, Subparts A and E (the “Privacy Rule”) and Subparts A and C (the “Security Rule”), “HIPAA”).

NOW, THEREFORE, in consideration of the mutual covenants contained in this Agreement and intending to be legally bound, Business Associate and Subcontractor agree as follows:

1. Definitions. Terms used herein have the same meaning as those terms as set forth in HIPAA, including the following: breach; data aggregation; designated record set; disclosure; electronic PHI, limited to information created or received by Subcontractor from or on behalf of Business Associate or a Covered Entity (“EPHI”); individual; minimum necessary; notice of privacy practices; protected health information, limited to information created or received by Subcontractor from or on behalf of Business Associate or a Covered Entity (“PHI”); required by law; secretary; security incident; subcontractor; unsecured protected health information, limited to information created or received by Subcontractor from or on behalf of Business Associate or a Covered Entity (“Unsecured PHI”), and use. Other terms shall have the meaning ascribed to them by HIPAA.
2. Obligations and Activities of Subcontractor.
   • Limits on Use and Disclosure. Subcontractor agrees not to use or further disclose PHI other than as permitted or required by this Agreement or the Services Agreement or as required by law, or as otherwise authorized by Business Associate and Covered Entity in writing. When using or disclosing PHI or when requesting PHI, Subcontractor shall make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.
   • Safeguards. Subcontractor agrees to implement reasonable and appropriate administrative, physical and technological safeguards and comply, where applicable, with Subpart C of the Security Rule with respect to EPHI, to prevent use or disclosure of the information other than as provided for by this Agreement.
   • Mitigation. Subcontractor agrees to use reasonable efforts to mitigate, to the extent practicable, any harmful effect that is known to Subcontractor of a use or disclosure of PHI by Subcontractor that is in violation of the requirements of this Agreement.
   • Reporting. Subcontractor agrees to report in writing to Business Associate any use or disclosure of PHI not permitted under this Agreement of which Subcontractor becomes aware and any security incident of which it becomes aware without unreasonable delay and no later than within five (5) business days or such shorter period as may be required by Covered Entity. Subcontractor will, without unreasonable delay and no later than within five (5) business days or such shorter period as may be required by Covered Entity, notify Business Associate of a Breach of Unsecured PHI. Such notification of Breach of Unsecured PHI will include, to the extent possible, the individuals whose Unsecured PHI has been, or is reasonably believed to have been, the subject of a Breach, and all other information required by 45 C.F.R. § 164.404(c)(1).
   • Agents and Subcontractors. Subcontractor agrees to ensure that any agent or subcontractor to whom Subcontractor provides PHI agrees in writing to the same restrictions and conditions that apply to Subcontractor with respect to such PHI through this Agreement, including compliance with the applicable requirements of the Security Rule.
   • Access. In order to permit Covered Entity to comply with 45 C.F.R. § 164.524, Subcontractor agrees, within five (5) business days of receipt of a written request from Covered Entity – or such shorter period as may be required by Covered Entity – to provide access to PHI in a designated record set to Business Associate or Covered Entity, as soon as practicable after receiving such request.
   • Amendments. In order to permit Covered Entity to comply with 45 C.F.R. § 164.526, Subcontractor agrees, within five (5) business days of receipt of a written request from Covered Entity – or such shorter period as may be required by Covered Entity – to make PHI in a designated record set available to Business Associate or Covered Entity for amendment, as soon as practicable after receiving such request.
   • Books and Records. Business Associate shall make all internal practices, books and records relating to the use and disclosure of PHI available to the Secretary and Covered Entity, for the purpose of determining Covered Entity’s and Business Associate’s compliance with HIPAA, in a time and manner designated by the Secretary or Covered Entity.
   • Documentation of Disclosures. In order to permit Covered Entity to comply with 45 C.F.R. § 164.528, Subcontractor shall (a) document and return to Business Associate or Covered Entity, as instructed by Business Associate, the following information, with respect to those disclosures of PHI made by Subcontractor for which an accounting must be made pursuant to 45 C.F.R. § 164.528 and other applicable provisions of the Privacy Rule: (i) the date of the disclosure, (ii) the name of the entity or person who received the PHI and, if known, the address of such entity or person, (iii) a brief description of the PHI disclosed, and (iv) a brief statement of the purpose of the disclosure that reasonably states the basis for the disclosure; and (b) at and only at the request of Business Associate or Covered Entity, provide such information relating to disclosures of PHI to Business Associate or Covered Entity (or, as directed by Covered Entity, to an individual) within five (5) business days – or such shorter period as may be required by Covered Entity – of receiving such written request.
   • Covered Entity Obligations. To the extent Subcontractor is to carry out an obligation of Covered Entity under the Privacy Rule, Subcontractor shall comply with the requirements of the Privacy Rule that apply to Covered Entity in the performance of such obligation.
3. Permitted Uses and Disclosures by Subcontractor.
   • Use or Disclosure to Perform Functions, Activities or Services. Except as otherwise provided in this Agreement, Subcontractor may use or disclose PHI to perform those Services that Subcontractor performs for or on behalf of Business Associate or Covered Entity and as otherwise required under the Services Agreement, provided that such use or disclosure would not violate the Privacy Rule if done by a Covered Entity.
4. Term and Termination.
   • Term. The Term of this Agreement shall be effective as of the date first set forth above, and shall remain in effect until termination for any reason of the Services Agreements, or as otherwise provided in this Agreement.
   • Termination with Cause. Upon one party’s knowledge of a material breach by the other party, the non-breaching party shall either: (a) if cure is possible, provide an opportunity for the breaching party to cure the breach or end the violation, within the period of time specified in writing, and terminate this Agreement if the breaching party does not cure the breach or end the violation within such period to the satisfaction of the non-breaching party; or (b) if a cure is not possible, immediately terminate this Agreement upon written notice.
   • Effect of Termination. Upon termination of this Agreement for any reason, Subcontractor shall, at the election of Business Associate and Covered Entities, return or destroy PHI, and shall retain no copies of such PHI. To the extent that destroying the PHI is infeasible, Subcontractor shall provide to Business Associate written notification of the conditions that make return or destruction infeasible, and shall extend the protections of this Agreement to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Subcontractor maintains such PHI. If a Covered Entity disagrees with the purported conditions that make return or destruction of PHI infeasible, Subcontractor will promptly comply with all requests of Covered Entity or Business Associate to address such disagreement.
5. Miscellaneous.
   • Interpretation. Unless otherwise authorized by Business Associate in writing, in the event of an inconsistency between the provisions of this Agreement and the Services Agreement, the provisions of this Agreement shall control, and in the event of an inconsistency between the provisions of this Agreement and the provisions of the Privacy Rule, the terms of the Privacy Rule shall control. Any ambiguity in this Agreement shall be resolved in favor of a meaning that permits Covered Entity and Business Associate to comply with the requirements of HIPAA. Any reference in this Agreement to a section in HIPAA, the Privacy Rule, the Security Rule, the HITECH Act, or other law shall mean the section as in effect or as amended.
   • Amendments. The parties agree to amend this Agreement from time to time as is necessary to comply with the requirements of HIPAA. Business Associate may provide notice of any proposed amendment under this Section 5.2 to Subcontractor, including any amendments required by a Covered Entity, and if Subcontractor does not object in writing within ten (10) days of receipt of notice, the amendment shall be deemed to be effective. If Subcontractor does timely object in writing, the parties will use good faith efforts to promptly negotiate the amendment within any time period required by a Covered Entity.
   • Notice. Any notice required or permitted by this Agreement shall be in writing and shall be governed by the notice provisions of the Services Agreement.
   • Survival. The rights and obligations of Subcontractor under this Agreement, including but not limited to Section 5.3, shall survive the termination of this Agreement.
   • Miscellaneous. This Agreement constitutes the entire agreement of the parties, superseding all prior oral and written agreements or understandings between them with respect to the matters provided for herein, and cannot be modified unless such modifications are made in writing, and are signed by a duly authorized agent of both parties. In the event a court of competent jurisdiction determines that any provision of this Agreement is invalid or unenforceable, the enforceability or validity of the remaining provisions shall not be affected. No failure or delay by either party in exercising its rights under this Agreement shall operate as a waiver of such rights, and no waiver of any breach shall constitute a waiver of any other breach. This Agreement shall be binding upon and inure to the benefit of the respective legal successors of the parties. Except as provided in this Section, it is not the intent of the parties to make any third party the beneficiary of this Agreement.
   • Independent Contractors. For purposes of this Agreement, Subcontractor and Business Associate are and will act at all times as independent contractors. None of the provisions of this Agreement are intended to create any partnership, agency, employment agreement or joint venture between the parties, or any relationship other than that of independent entities.

IN WITNESS WHEREOF, the parties hereto have caused this Agreement to be executed by their authorized representatives.