
Business Associate Agreement

This Business Associate Agreement (“BAA”) is entered into between the Covered Entity or Business Associate (“Covered Entity”) identified in the applicable service agreement and Hoss Care (“Business Associate”).

Template Version: 3.0 · Effective: May 1, 2026

Recitals

WHEREAS, Covered Entity and Business Associate have entered into or intend to enter into a service agreement (the “Underlying Agreement”) pursuant to which Business Associate may create, receive, maintain, or transmit Protected Health Information on behalf of Covered Entity; and

WHEREAS, the parties intend to comply with the requirements of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”), and the regulations promulgated thereunder, including the Standards for Privacy of Individually Identifiable Health Information (the “Privacy Rule”) and the Security Standards for the Protection of Electronic Protected Health Information (the “Security Rule”), codified at 45 CFR Parts 160 and 164;

NOW, THEREFORE, in consideration of the mutual promises and covenants herein, and for other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the parties agree as follows:

1. Definitions

Terms used but not otherwise defined in this BAA shall have the meanings assigned to them in 45 CFR §§ 160.103 and 164.501. The following definitions apply:

  • “Breach” — The acquisition, access, use, or disclosure of PHI in a manner not permitted under the Privacy Rule which compromises the security or privacy of the PHI, as defined in 45 CFR § 164.402.
  • “Designated Record Set” — A group of records maintained by or for a Covered Entity as defined in 45 CFR § 164.501.
  • “Electronic Protected Health Information” (“ePHI”) — Protected Health Information transmitted by or maintained in electronic media, as defined in 45 CFR § 160.103.
  • “Individual” — The person who is the subject of the PHI, including a person who qualifies as a personal representative per 45 CFR § 164.502(g).
  • “Protected Health Information” (“PHI”) — Individually identifiable health information transmitted or maintained in any form or medium, as defined in 45 CFR § 160.103, limited to the information created, received, maintained, or transmitted by Business Associate on behalf of Covered Entity.
  • “Required by Law” — As defined in 45 CFR § 164.103, a mandate contained in law that compels an entity to make a use or disclosure of PHI.
  • “Secretary” — The Secretary of the U.S. Department of Health and Human Services or the Secretary's designee.
  • “Security Incident” — The attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system, as defined in 45 CFR § 164.304.
  • “Subcontractor” — A person to whom Business Associate delegates a function, activity, or service, other than in the capacity of a member of the Business Associate's workforce.
  • “Unsecured PHI” — PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Secretary in guidance issued under 42 USC § 17932(h)(2).

2. Obligations of Business Associate

Business Associate agrees to:

  • (a) Not use or disclose PHI other than as permitted or required by this BAA or as Required by Law.
  • (b) Use appropriate safeguards, and comply with the Security Rule with respect to ePHI, to prevent use or disclosure of PHI other than as provided for by this BAA.
  • (c) Report to Covered Entity any use or disclosure of PHI not provided for by this BAA of which it becomes aware, including Breaches of Unsecured PHI as required by 45 CFR § 164.410, and any Security Incident of which it becomes aware.
  • (d) In accordance with 45 CFR § 164.502(e)(1)(ii), ensure that any Subcontractors that create, receive, maintain, or transmit PHI on behalf of Business Associate agree to the same restrictions, conditions, and requirements that apply to Business Associate under this BAA.
  • (e) Make available PHI in a Designated Record Set to Covered Entity as necessary to satisfy Covered Entity's obligations under 45 CFR § 164.524.
  • (f) Make any amendment(s) to PHI in a Designated Record Set as directed or agreed to by Covered Entity pursuant to 45 CFR § 164.526, or take other measures as necessary to satisfy Covered Entity's obligations under 45 CFR § 164.526.
  • (g) Maintain and make available the information required to provide an accounting of disclosures to Covered Entity as necessary to satisfy Covered Entity's obligations under 45 CFR § 164.528.
  • (h) To the extent Business Associate is to carry out one or more of Covered Entity's obligation(s) under the Privacy Rule, comply with the requirements of the Privacy Rule that apply to Covered Entity in the performance of such obligation(s).
  • (i) Make its internal practices, books, and records available to the Secretary for purposes of determining compliance with the HIPAA Rules.

3. Permitted Uses and Disclosures

  • (a) Service Performance — Business Associate may use or disclose PHI as necessary to perform functions, activities, or services for, or on behalf of, Covered Entity as specified in the Underlying Agreement, provided that such use or disclosure would not violate the Privacy Rule if done by Covered Entity.
  • (b) Business Associate's Operations — Business Associate may use PHI for the proper management and administration of Business Associate or to carry out its legal responsibilities, provided that such uses are permitted under the Privacy Rule.
  • (c) Disclosure for BA's Administration — Business Associate may disclose PHI for the proper management and administration of Business Associate or to carry out its legal responsibilities, provided that (i) the disclosure is Required by Law, or (ii) Business Associate obtains reasonable assurances from the person to whom the information is disclosed that the information will remain confidential and will be used or further disclosed only as Required by Law or for the purposes for which it was disclosed, and the person notifies Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.
  • (d) De-Identification — Business Associate may use PHI to de-identify the information in accordance with 45 CFR § 164.514(a)-(c).
  • (e) Data Aggregation — Business Associate may use PHI to provide data aggregation services to Covered Entity as permitted by 45 CFR § 164.504(e)(2)(i)(B).
  • (f) Minimum Necessary — Business Associate shall limit its uses and disclosures of, and requests for, PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request, in accordance with 45 CFR § 164.502(b).

4. Safeguards

Business Associate shall implement and maintain appropriate safeguards as follows:

4.1 Administrative Safeguards

  • Designate a Security Officer and Privacy Officer responsible for development and implementation of security policies
  • Conduct periodic risk assessments per 45 CFR § 164.308(a)(1)(ii)(A)
  • Implement workforce training on PHI handling and security awareness
  • Apply appropriate sanctions against workforce members who violate security policies
  • Implement procedures for authorizing and supervising workforce access to ePHI
  • Maintain contingency plans including data backup, disaster recovery, and emergency mode operations

4.2 Physical Safeguards

  • Implement facility access controls to limit physical access to systems containing ePHI
  • Implement workstation use and security policies
  • Implement device and media controls for hardware and electronic media containing ePHI

4.3 Technical Safeguards

  • Implement access controls including unique user identification, emergency access procedures, automatic logoff, and encryption
  • Implement audit controls to record and examine access to ePHI
  • Implement integrity controls to protect ePHI from improper alteration or destruction
  • Implement transmission security (encryption of ePHI in transit using TLS 1.2 or higher)
  • Implement authentication mechanisms to verify identity of persons seeking access to ePHI

4.4 Specific Security Measures

Without limiting the foregoing, Business Associate currently implements: AES-256 encryption at rest; TLS 1.3 encryption in transit; multi-factor authentication for all PHI access; role-based access controls; immutable audit logging; annual SOC 2 Type II attestation; annual penetration testing; continuous vulnerability scanning; 24/7 security monitoring; and documented incident response procedures.

5. Breach Notification and Reporting

  • (a) Breach of Unsecured PHI — Business Associate shall report to Covered Entity any Breach of Unsecured PHI without unreasonable delay, and in no case later than thirty (30) calendar days after discovery of the Breach. Discovery occurs on the first day the Breach is known or, by exercising reasonable diligence, would have been known to Business Associate.
  • (b) Content of Notification — Breach notifications shall include, to the extent available: (i) identification of each Individual whose Unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed; (ii) a brief description of what happened, including the date of the Breach and the date of discovery; (iii) a description of the types of Unsecured PHI involved; (iv) any steps Individuals should take to protect themselves from potential harm; and (v) a description of what Business Associate is doing to investigate, mitigate harm, and protect against further Breaches.
  • (c) Security Incidents — Business Associate shall report to Covered Entity any Security Incident of which it becomes aware. Reports of unsuccessful Security Incidents (e.g., pings, port scans, unsuccessful log-on attempts) shall be provided upon request in summary form.
  • (d) Cooperation — Business Associate shall cooperate with Covered Entity in Covered Entity's investigation and notification obligations, including providing all information necessary for Covered Entity to comply with 45 CFR §§ 164.404, 164.406, and 164.408.
  • (e) Mitigation — Business Associate shall take prompt corrective action to mitigate any harmful effect of any Breach or Security Incident, at Business Associate's expense.
  • (f) Law Enforcement Delay — If Business Associate is notified by a law enforcement official that notification would impede a criminal investigation or cause damage to national security, notification may be delayed per 45 CFR § 164.412.

6. Subcontractors

  • (a) Business Associate shall ensure that any Subcontractor that creates, receives, maintains, or transmits PHI on behalf of Business Associate agrees in writing to the same restrictions, conditions, and requirements that apply to Business Associate with respect to such PHI, in accordance with 45 CFR §§ 164.502(e)(1)(ii) and 164.308(b)(2).
  • (b) Business Associate shall conduct reasonable due diligence regarding the information security practices of prospective Subcontractors prior to engagement.
  • (c) Business Associate remains responsible for the acts and omissions of its Subcontractors to the same extent as if Business Associate were performing such functions directly.
  • (d) Upon Covered Entity's written request, Business Associate shall provide a list of Subcontractors with access to PHI and a summary of the safeguards each Subcontractor has in place.

7. Access to PHI — Individual Rights

  • (a) Access — Within fifteen (15) business days of a request from Covered Entity, Business Associate shall make available PHI in a Designated Record Set to Covered Entity for purposes of fulfilling an Individual's request for access under 45 CFR § 164.524. Business Associate shall provide PHI in the form and format requested by Covered Entity if readily producible, or in a readable hard copy or other agreed-upon format.
  • (b) Amendment — Within fifteen (15) business days of a request from Covered Entity, Business Associate shall make PHI available for amendment and shall incorporate amendments as directed by Covered Entity per 45 CFR § 164.526.
  • (c) Accounting of Disclosures — Business Associate shall document disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request for an accounting under 45 CFR § 164.528. Business Associate shall make such information available to Covered Entity within fifteen (15) business days of a request, covering at minimum the six (6) years preceding the request.
  • (d) Restrictions — Business Associate shall comply with any restrictions on use or disclosure of PHI that Covered Entity notifies Business Associate of in writing, to the extent such restrictions are required by 45 CFR § 164.522 or agreed to by Covered Entity.
  • (e) Confidential Communications — Business Associate shall accommodate reasonable requests by Covered Entity to communicate PHI by alternative means or at alternative locations, consistent with 45 CFR § 164.522(b).

8. Access by the Secretary

Business Associate shall make its internal practices, books, and records relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of, Covered Entity available to the Secretary of HHS for purposes of determining Covered Entity's compliance with the HIPAA Rules, subject to any applicable legal privileges. This obligation shall survive termination of this BAA.

9. Return or Destruction of PHI

  • (a) Upon termination of this BAA for any reason, Business Associate shall, at Covered Entity's election, return or destroy all PHI received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity, that Business Associate still maintains in any form. Business Associate shall not retain any copies of PHI except as provided below.
  • (b) If return or destruction is not feasible (as determined by Business Associate and communicated to Covered Entity in writing with explanation), Business Associate shall extend the protections of this BAA to such PHI and shall limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such PHI.
  • (c) Business Associate shall complete return or destruction within sixty (60) days following termination and, upon request, shall certify in writing that all PHI has been returned or destroyed.
  • (d) Destruction shall be conducted in accordance with NIST SP 800-88 guidelines (cryptographic erasure for encrypted media, degaussing or physical destruction for hardware).

10. Term and Termination

  • (a) Term — This BAA is effective as of the date of execution and shall remain in effect for the duration of the Underlying Agreement, unless terminated earlier as provided herein.
  • (b) Termination for Cause — Either party may terminate this BAA if it determines that the other party has violated a material term of this BAA and the violation has not been cured within thirty (30) days of written notice of the violation. If cure is not reasonably possible, the non-breaching party may terminate immediately upon written notice.
  • (c) Automatic Termination — This BAA automatically terminates upon the termination or expiration of the Underlying Agreement.
  • (d) Effect of Termination — Upon termination of this BAA, the obligations of Business Associate under Section 9 (Return or Destruction of PHI) shall apply. Sections 1, 5, 8, 9, and 11 shall survive termination.
  • (e) Reporting to Secretary — If Business Associate determines that cure of a material breach by Covered Entity is not possible, Business Associate may, if termination is not feasible, report the violation to the Secretary of HHS.

11. Miscellaneous

  • (a) Regulatory References — Any reference in this BAA to a section of the HIPAA Rules means that section as in effect or as amended.
  • (b) Survival — The respective rights and obligations of Business Associate and Covered Entity under Sections 5 (Breach Notification), 8 (Access by Secretary), 9 (Return or Destruction of PHI), and this Section 11 shall survive the termination of this BAA.
  • (c) Interpretation — Any ambiguity in this BAA shall be interpreted to permit compliance with the HIPAA Rules. In the event of an inconsistency between this BAA and the Underlying Agreement with respect to PHI, this BAA shall control.
  • (d) Amendment — This BAA may not be modified except by a written agreement signed by both parties. The parties agree to negotiate in good faith any amendments necessary to comply with changes to HIPAA Rules or other applicable law. If the parties cannot agree on an amendment required by law within sixty (60) days, either party may terminate this BAA upon thirty (30) days' written notice.
  • (e) No Third-Party Beneficiaries — Nothing in this BAA shall confer upon any person other than the parties and their respective successors or assigns any rights, remedies, obligations, or liabilities. Individuals whose PHI is subject to this BAA are not third-party beneficiaries.
  • (f) Governing Law — This BAA shall be governed by federal law (HIPAA, HITECH) and, to the extent not preempted, the laws of the State of New York.
  • (g) Indemnification — Business Associate shall indemnify and hold harmless Covered Entity from any claims, damages, penalties, or expenses arising from Business Associate's violation of this BAA, including costs of breach notification and credit monitoring required as a result of Business Associate's unauthorized use or disclosure of PHI.
  • (h) Insurance — Business Associate maintains cyber liability insurance with coverage limits adequate to cover its obligations under this BAA, including breach notification costs, regulatory defense, and penalties.

How to Execute This BAA

To execute a Business Associate Agreement with Hoss Care:

  1. Request — Contact our compliance team to initiate the BAA process. We can provide this template or accommodate your organization's BAA template upon review.
  2. Review — Both parties review terms. Our legal team is available to discuss any questions or requested modifications.
  3. Execute — BAAs may be executed electronically via DocuSign or wet signature. A fully executed copy is provided to both parties.
  4. Maintain — Both parties retain executed copies for a minimum of six (6) years per HIPAA documentation requirements (45 CFR § 164.530(j)).

Compliance Team

Email: compliance@hosscare.com

Phone: +1 (917) 748-3246

Disclaimer: This BAA template is provided for informational purposes and represents Hoss Care's standard terms. The actual BAA governing the relationship between the parties is the fully executed version. Organizations should consult legal counsel before executing any BAA.
