Business Associate Agreement.

Last updated April 2026

This Business Associate Agreement ("BAA" or "Agreement") is entered into by and between the entity executing a services agreement with Velora EDI ("Covered Entity") and Velora EDI ("Business Associate"). This BAA supplements and is incorporated into the Terms of Service and any applicable service order or subscription agreement between the parties. This BAA shall be effective as of the date the Covered Entity first transmits Protected Health Information to the Business Associate through the Service.

1. Definitions

Capitalized terms used but not otherwise defined in this BAA shall have the meanings ascribed to them under HIPAA, the HITECH Act, and their implementing regulations at 45 CFR Parts 160 and 164, as amended from time to time. The following terms shall have the meanings set forth below:

  • "Breach" means the acquisition, access, use, or disclosure of Protected Health Information in a manner not permitted under the HIPAA Privacy Rule that compromises the security or privacy of the Protected Health Information, as defined in 45 CFR 164.402.
  • "Designated Record Set" means a group of records maintained by or for a Covered Entity as defined in 45 CFR 164.501.
  • "Electronic Protected Health Information" or "ePHI" means Protected Health Information that is transmitted or maintained in electronic media, as defined in 45 CFR 160.103.
  • "HIPAA" means the Health Insurance Portability and Accountability Act of 1996, as amended by the Health Information Technology for Economic and Clinical Health Act (HITECH Act), and their implementing regulations.
  • "Protected Health Information" or "PHI" means individually identifiable health information transmitted or maintained in any form or medium, as defined in 45 CFR 160.103.
  • "Security Incident" means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system, as defined in 45 CFR 164.304.

2. Permitted Uses and Disclosures of PHI

Business Associate may use and disclose PHI solely for the following purposes:

  • To perform its obligations under the Terms of Service and any applicable service agreement, including the generation, validation, transmission, and reconciliation of ANSI X12 834 enrollment transactions.
  • To carry out the legal responsibilities of Business Associate, including as required by law.
  • For the proper management and administration of Business Associate, provided that any disclosure for such purpose is required by law or Business Associate obtains reasonable assurances from the recipient that the PHI will be held confidentially.
  • To provide data aggregation services relating to the health care operations of Covered Entity, provided such data is de-identified in accordance with 45 CFR 164.514.

Business Associate shall not use or disclose PHI in any manner that would constitute a violation of the HIPAA Privacy Rule if done by Covered Entity, except as expressly permitted in this BAA or as required by law. Business Associate shall not use PHI for marketing purposes or sell PHI.

3. Safeguards

Business Associate shall implement and maintain appropriate safeguards to prevent the unauthorized use or disclosure of PHI, including:

3.1 Administrative Safeguards

  • Designation of a HIPAA Security Officer and Privacy Officer responsible for the development and implementation of security and privacy policies.
  • Workforce training on HIPAA requirements and the proper handling of PHI, conducted upon hire and annually thereafter.
  • Documented policies and procedures for access management, incident response, and contingency planning.
  • Regular risk assessments conducted at least annually to identify vulnerabilities and implement appropriate remediation measures.
  • Sanction policies for workforce members who violate security or privacy policies.

3.2 Physical Safeguards

  • Infrastructure hosted in SOC 2 Type II certified data centers with physical access controls, environmental monitoring, and redundant power systems.
  • Workstation security policies including automatic screen lock, full-disk encryption, and secure disposal of media.

3.3 Technical Safeguards

  • Encryption of all ePHI at rest using AES-256-GCM and in transit using TLS 1.2 or higher.
  • Unique user identification, role-based access controls, and multi-factor authentication for all systems that process PHI.
  • Comprehensive audit logging of all access to PHI and of all creation, modification, and deletion of PHI, with logs retained for a minimum of six (6) years.
  • Automated intrusion detection and prevention systems, vulnerability scanning, and timely application of security patches.
  • Secure SFTP connections with key-based authentication for all EDI file transmissions to carriers.

4. Breach Notification

Business Associate shall notify Covered Entity of any Breach of Unsecured PHI without unreasonable delay and in no event later than sixty (60) calendar days after discovery of the Breach, in accordance with 45 CFR 164.410. A Breach shall be treated as discovered on the first day on which the Breach is known to Business Associate or, by exercising reasonable diligence, would have been known to Business Associate.

The notification shall include, to the extent available:

  • The identification of each individual whose Unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed during the Breach.
  • A description of the nature of the Breach, including the types of PHI involved.
  • The date of the Breach and the date of discovery.
  • A description of what Business Associate is doing to investigate the Breach, mitigate harm to affected individuals, and protect against further Breaches.
  • Contact information for individuals who can provide additional information about the Breach.

Business Associate shall also report any Security Incident of which it becomes aware to Covered Entity. The parties acknowledge that unsuccessful security incidents (such as port scans, failed login attempts, or denial-of-service attacks that do not result in unauthorized access) occur routinely and shall be addressed through periodic summary reports rather than individual notifications.

5. Subcontractors

Business Associate shall ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of Business Associate agree in writing to the same restrictions, conditions, and requirements that apply to Business Associate under this BAA, in accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2).

Business Associate shall maintain an up-to-date list of subcontractors that have access to PHI and shall make such list available to Covered Entity upon request. Business Associate remains responsible for the acts and omissions of its subcontractors to the same extent as if such acts or omissions were performed by Business Associate itself.

6. Access to PHI and Individual Rights

To the extent Business Associate maintains PHI in a Designated Record Set, Business Associate shall:

  • Make PHI available to Covered Entity within fifteen (15) business days of a request, to enable Covered Entity to fulfill its obligations under 45 CFR 164.524 (right of access).
  • Make PHI available for amendment and incorporate any amendments directed by Covered Entity within fifteen (15) business days, in accordance with 45 CFR 164.526.
  • Make information available to Covered Entity as required to provide an accounting of disclosures in accordance with 45 CFR 164.528.

7. Return and Destruction of PHI

Upon termination of the underlying service agreement for any reason, Business Associate shall, at the direction of Covered Entity:

  • Return all PHI received from, or created or received by Business Associate on behalf of, Covered Entity; or
  • Destroy all such PHI using NIST 800-88 compliant methods and certify such destruction in writing to Covered Entity within thirty (30) days.

If return or destruction is not feasible (for example, due to legal retention requirements), Business Associate shall extend the protections of this BAA to such PHI for as long as it is retained, limit further uses and disclosures to those purposes that make the return or destruction infeasible, and destroy the PHI when the purpose requiring retention no longer applies. Business Associate acknowledges that certain PHI may be subject to HIPAA's minimum seven (7) year retention requirement and shall maintain security protections throughout such retention period.

8. Term and Termination

This BAA shall become effective on the date Covered Entity first transmits PHI to Business Associate and shall remain in effect for the duration of the underlying service agreement, including any renewals, and for so long as Business Associate retains any PHI.

Either party may terminate this BAA if the other party materially breaches any provision of this BAA and fails to cure such breach within thirty (30) days of receiving written notice specifying the nature of the breach. In the event of a material breach that is not cured, the non-breaching party may also terminate the underlying service agreement.

If Covered Entity determines that Business Associate has violated a material term of this BAA and cure is not feasible, Covered Entity may immediately terminate both this BAA and the underlying service agreement and report the violation to the Secretary of the U.S. Department of Health and Human Services.

9. Amendments

The parties agree to take such action as is necessary to amend this BAA from time to time to comply with the requirements of HIPAA, the HITECH Act, and any regulations promulgated thereunder, including but not limited to 45 CFR Parts 160 and 164. Any amendment to this BAA must be in writing and signed by authorized representatives of both parties.

Business Associate shall notify Covered Entity of any changes to applicable HIPAA regulations that may materially affect this BAA and shall propose appropriate amendments within sixty (60) days of such regulatory changes taking effect.

10. Miscellaneous

Regulatory References. Any reference in this BAA to a section of HIPAA or its implementing regulations shall mean the section as in effect or as amended from time to time, and for which compliance is required.

Survival. The obligations of Business Associate under Sections 4 (Breach Notification), 7 (Return and Destruction of PHI), and this Section 10 shall survive the termination of this BAA.

Interpretation. Any ambiguity in this BAA shall be interpreted to permit compliance with HIPAA. In the event of a conflict between this BAA and the underlying service agreement, the terms of this BAA shall prevail with respect to PHI.

Governing Law. This BAA shall be governed by federal law, including HIPAA and the HITECH Act, and to the extent not preempted, the laws of the State of Delaware.

11. Contact Information

For questions regarding this Business Associate Agreement or to request execution of a BAA, please contact:

Velora EDI — HIPAA Compliance Office

Email: hipaa@veloraedi.com

Web: https://veloraedi.com