
Star Healthcare Technologies

Business Associate Agreement

This BUSINESS ASSOCIATE AGREEMENT (“BAA”) is made and entered into at the date and time your Star Healthcare Technologies account is created (“Effective Date”) and is between you (“Covered Entity”) and Star Healthcare Technologies LLC (“Business Associate”). This BAA, which supersedes any previous business associate agreement between the parties, amends, supplements, and is made a part of the Terms of Service, by and between Covered Entity and Business Associate, as the same may be amended from time to time (the “Agreement”).

RECITALS

WHEREAS, Covered Entity is a “covered entity” as defined under 45 C.F.R. § 160.103;

WHEREAS, Business Associate provides certain services to Covered Entity under a separate written agreement (the “Agreement”), and in performing such services, Business Associate may create, receive, maintain, or transmit Protected Health Information (“PHI”) on behalf of Covered Entity;

WHEREAS, Covered Entity and Business Associate are required to comply with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the Health Information Technology for Economic and Clinical Health Act of 2009 (“HITECH”), and the regulations and guidance issued under those laws by the U.S. Department of Health and Human Services (“HHS”), as well as applicable state laws;

WHEREAS, the purpose of this Business Associate Agreement (“BAA”) is to establish the permitted uses and disclosures of PHI and to satisfy the requirements of HIPAA, including but not limited to 45 C.F.R. §§ 164.308(b), 164.314(a), 164.502(e), and 164.504(e);

WHEREAS, this BAA applies only to the extent that Business Associate meets the definition of a “business associate” of Covered Entity as set forth in 45 C.F.R. § 160.103.

NOW, THEREFORE, in consideration of the mutual promises and obligations set forth herein, the parties agree as follows:

1- DEFINITIONS

For purposes of this BAA, the following terms shall have the meanings set forth below. Capitalized terms not otherwise defined in this BAA shall have the meanings assigned to them under HIPAA.

“Breach” means a breach of unsecured protected health information that is transmitted or maintained by Business Associate from or on behalf of Covered Entity, as defined at 45 C.F.R. § 164.402.

“Data Aggregation” has the meaning set forth at 45 C.F.R. § 164.501 and refers to the combining of PHI from multiple covered entities for health care operations purposes.

“Designated Record Set” has the meaning set forth at 45 C.F.R. § 164.501.

“Electronic Protected Health Information” or “ePHI” means protected health information that is transmitted or maintained by Business Associate from or on behalf of Covered Entity, as defined at 45 C.F.R. § 160.103.

“Individual” has the meaning set forth at 45 C.F.R. § 160.103 and includes a personal representative as defined under 45 C.F.R. § 164.502(g).

“Privacy Rule” means the Standards for Privacy of Individually Identifiable Health Information set forth at 45 C.F.R. Part 160 and Part 164, Subparts A and E, as amended.

“Protected Health Information” or “PHI” has the meaning set forth at 45 C.F.R. § 160.103 and includes all information created, received, maintained, or transmitted by Business Associate on behalf of Covered Entity.

“Reportable Event” means any of the following:

(a) a use or disclosure of PHI not permitted by this BAA;

(b) a Security Incident; or

(c) a Breach of Unsecured PHI.

“Required by Law” has the meaning set forth at 45 C.F.R. § 164.103.

“Secretary” means the Secretary of the U.S. Department of Health and Human Services or his or her designee.

“Security Incident” has the meaning set forth at 45 C.F.R. § 164.304 and includes the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information.

“Subcontractor” has the meaning set forth at 45 C.F.R. § 160.103 and includes any person or entity to whom Business Associate delegates a function involving PHI.

“Unsecured PHI” has the meaning set forth at 45 C.F.R. § 164.402.

Any ambiguity in the interpretation of these definitions shall be resolved in favor of a meaning that permits compliance with HIPAA.

2- PERMITTED USES AND DISCLOSURES OF PHI

2.1 Use or Disclosure Under the Agreement. Business Associate may use and disclose PHI as necessary to perform the services and functions for, or on behalf of, Covered Entity as described in the Agreement, provided that such use or disclosure would not violate the HIPAA Privacy Rule or applicable state law if performed by Covered Entity.

2.2 Use for Management and Administration. Business Associate may use PHI for its internal management and administrative purposes or to carry out its legal responsibilities.

2.3 Disclosure for Management and Administration. Business Associate may disclose PHI for its management and administrative purposes or to carry out its legal responsibilities, provided that one of the following conditions is met:

The disclosure is Required by Law; or

Business Associate obtains reasonable assurances from the recipient that the PHI will remain confidential and will be used or further disclosed only as Required by Law or for the purpose for which it was disclosed, and that the recipient will promptly notify Business Associate of any breach of confidentiality.

2.4 Use for Reporting Violations. Business Associate may use PHI to report violations of law to appropriate federal, state, or local authorities, in accordance with 45 C.F.R. § 164.502(j).

2.5 Data Aggregation. Business Associate may use PHI to provide Data Aggregation services relating to the health care operations of Covered Entity, as permitted by 45 C.F.R. § 164.504(e)(2)(i)(B).

2.6 De-Identified Information. Business Associate may use PHI to create de-identified information in compliance with 45 C.F.R. §§ 164.502(d) and 164.514(a)–(c). De-identified information is no longer considered PHI and may be used or disclosed by Business Associate for any lawful purpose, subject to applicable law.

3- OBLIGATIONS AND ACTIVITIES OF BUSINESS ASSOCIATE

3.1 Permitted Uses and Disclosures. Business Associate shall not use or disclose PHI except as permitted or required by this BAA, the Agreement, or as Required by Law.

3.2 HIPAA Compliance. To the extent Business Associate is required to perform an obligation of Covered Entity under HIPAA, Business Associate shall comply with the applicable HIPAA requirements in performing such obligation.

3.3 Safeguards. Business Associate shall implement and maintain appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of PHI and ePHI, in accordance with the HIPAA Security Rule (45 C.F.R. Part 160 and Part 164, Subpart C), to prevent unauthorized use or disclosure.

3.4 Reporting of Reportable Events.

A. Breach of Unsecured PHI
Business Associate shall report any Breach of Unsecured PHI to Covered Entity without unreasonable delay and in no case later than thirty (30) days after discovery, unless delayed for law enforcement purposes. Such report shall include, to the extent reasonably available, the information required for Covered Entity to comply with 45 C.F.R. § 164.404(c).

B. Security Incidents
Business Associate shall report any Security Incident involving unauthorized access, use, or disclosure of ePHI within thirty (30) calendar days of becoming aware of such incident. Unsuccessful Security Incidents (such as pings, port scans, unsuccessful log-in attempts, or denial-of-service attacks) shall be deemed ongoing through this provision, and no additional notice shall be required. Business Associate shall maintain records of such incidents as required by this BAA and provide them to Covered Entity upon written request.

C. Mitigation and Cooperation
Business Associate shall mitigate, to the extent practicable, any harmful effects of a Reportable Event and shall cooperate with Covered Entity in investigating and responding to such events.

3.5 Subcontractors. Business Associate shall ensure that any Subcontractor that creates, receives, maintains, or transmits PHI on its behalf agrees in writing to restrictions and safeguards substantially similar to those set forth in this BAA, in compliance with 45 C.F.R. §§ 164.504(e) and 164.314.

3.6 Access to PHI. To the extent Business Associate maintains PHI in a Designated Record Set, Business Associate shall provide access to such PHI to Covered Entity or, at Covered Entity’s direction, to an Individual, in accordance with 45 C.F.R. § 164.524 and Section 13405(c) of HITECH, within a reasonable timeframe.

3.7 Amendment of PHI. If Business Associate maintains PHI in a Designated Record Set, Business Associate shall amend such PHI as directed by Covered Entity, in accordance with 45 C.F.R. § 164.526, within a reasonable time.

3.8 Accounting of Disclosures. Business Associate shall provide Covered Entity with information necessary to respond to an Individual’s request for an accounting of disclosures, as required by 45 C.F.R. § 164.528, within thirty (30) days of Covered Entity’s request.

3.9 Request from Individuals. If Business Associate receives a request directly from an Individual regarding access, amendment, or accounting of disclosures, Business Associate shall redirect the Individual to Covered Entity.

3.10 Government Access. Business Associate shall make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary for purposes of determining HIPAA compliance.

3.11 Minimum Necessary. Business Associate shall comply with HIPAA’s minimum necessary requirements.

3.12 Communication with other Business Associates. Business Associate may disclose PHI to other business associates of Covered Entity as necessary to perform services, provided Covered Entity has appropriate agreements in place with such business associates.

3.13 Prohibition on Sale and Marketing Access. Business Associate shall not sell PHI or use PHI for marketing or fundraising purposes without the prior written authorization of Covered Entity, except as permitted by applicable law.

4- OBLIGATIONS OF COVERED ENTITY

4.1 Notice of Privacy Practices. Covered Entity shall provide Business Associate with its Notice of Privacy Practices and any material changes thereto, to the extent such changes affect Business Associate’s use or disclosure of PHI.

4.2 Authorizations and Revocations. Covered Entity shall notify Business Associate of any revocation or modification of an Individual’s authorization that may affect Business Associate’s permitted uses or disclosures of PHI.

4.3 Restrictions on Use or Disclosure. Covered Entity shall notify Business Associate of any restrictions on the use or disclosure of PHI agreed to under 45 C.F.R. § 164.522 that may affect Business Associate’s obligations.

4.4 Accounting Modifications. Covered Entity shall notify Business Associate of any changes to accounting of disclosure requirements applicable under HIPAA or HITECH.

4.5 Permissible Requests. Covered Entity shall not request that Business Associate use or disclose PHI in a manner that would violate HIPAA or applicable law.

4.6 Minimum Necessary. Covered Entity shall disclose to Business Associate only the minimum PHI necessary for Business Associate to perform the services.

5- TERM AND TERMINATION

5.1 Term. This Business Associate Agreement (“BAA”) shall become effective as of the effective date of the Agreement and shall remain in effect for the duration of the Agreement. This BAA shall automatically terminate upon the earliest of the following events:
1. Termination or expiration of the Agreement for any reason;
2. Termination of this BAA for cause as described below;
3. Mutual written agreement of the parties to terminate this BAA; or
4. Termination as required by applicable federal, state, or local law.

5.2 Termination for Cause.

A. By Covered Entity
If Covered Entity determines that Business Associate has materially breached this BAA, Covered Entity shall provide written notice describing the breach in reasonable detail and allow Business Associate thirty (30) days to cure the breach. If Business Associate fails to cure the breach within such period, Covered Entity may terminate this BAA and the Agreement.

B. By Business Associate
If Business Associate determines that Covered Entity has materially breached this BAA, Business Associate shall provide written notice describing the breach in reasonable detail and allow Covered Entity thirty (30) days to cure the breach. If Covered Entity fails to cure the breach within such period, Business Associate may terminate this BAA and the Agreement.

C. Immediate Termination
Notwithstanding the foregoing, either party may immediately terminate this BAA and the Agreement if a material breach cannot be cured or if termination is required to comply with applicable law.

5.3 Effect of Termination.

A. Return or Destruction of PHI
Upon termination of this BAA for any reason, Business Associate shall, to the extent feasible, return to Covered Entity or destroy all PHI received from or created or received by Business Associate on behalf of Covered Entity that remains in its possession or control, including PHI maintained by its Subcontractors. Business Associate shall not retain copies of such PHI.

B. Infeasibility of Return or Destruction
If return or destruction of some or all PHI is not feasible, Business Associate shall:
• Retain only the PHI for which return or destruction is not feasible;
• Continue to protect such PHI in accordance with this BAA, the HIPAA Security Rule, and HITECH;
• Not use or disclose such PHI except for the limited purposes that make return or destruction infeasible and subject to the same restrictions that applied prior to termination; and
• Return to Covered Entity or destroy such PHI when it becomes feasible to do so.

C. Survival
The obligations of Business Associate under this Section V shall survive termination of this BAA for so long as Business Associate retains PHI.

6- MISCELLANEOUS

6.1 Notices. All notices, requests, demands, or other communications required under this BAA must be in writing and will be effective when received or when delivery is attempted. Notices may be delivered by personal delivery, certified or registered mail (return receipt requested), overnight courier service, or any other method agreed upon by the parties.

Notices to the Business Associate shall be sent to the address designated by the Business Associate.

Notices to the Covered Entity shall be sent to the contact information provided by the Covered Entity.

Each party may change its address for receiving notices by providing written notice of the change to the other party.

6.2 Regulatory References. Any reference in this BAA to HIPAA or its regulations means HIPAA as currently in effect or as amended from time to time.

6.3 Amendment, No Waiver. This BAA will automatically be amended to comply with any changes to HIPAA, including new or revised laws, regulations, or official guidance, to the extent such changes apply to this BAA. The parties agree to take reasonable steps to document such amendments if needed.

Except as stated above, no change or modification to this BAA is valid unless it is in writing and signed by both parties. A failure by either party to enforce any provision of this BAA shall not be considered a waiver of the right to enforce that provision in the future.

6.4 Interpretation. This BAA shall be interpreted in a manner that allows both parties to comply with HIPAA. Section titles and headings are included for convenience only and do not affect the meaning of this BAA.

If there is a conflict between this BAA and applicable HIPAA requirements, the HIPAA requirements shall control.

6.5 Entire Agreement; Effect on Other Agreements. This BAA, together with the underlying services agreement, represents the entire agreement between the parties regarding the protection of PHI and supersedes any prior discussions or agreements related to this subject. If any provision of this BAA conflicts with the services agreement, this BAA shall control to the extent necessary to comply with HIPAA.

6.6 Relationship of the Parties. The parties are independent contractors. Nothing in this BAA creates a partnership, joint venture, agency, or employment relationship between the parties.

6.7 No Third-Party Beneficiaries. This BAA is intended solely for the benefit of the Covered Entity and the Business Associate. Nothing in this BAA creates any rights or obligations for any third party.

6.8 Severability. If any provision of this BAA is found to be invalid or unenforceable, the remaining provisions will remain in full force and effect.

6.9 Assignment. Any assignment of this BAA shall be governed by the assignment provisions in the underlying services agreement. This BAA shall be binding upon and benefit the parties and their permitted successors and assigns.

6.10 Governing Law. This BAA shall be governed by and interpreted in accordance with the governing law specified in the services agreement, except where federal law preempts such law.

6.11 Dispute Resolution. Any dispute arising under this BAA shall be resolved in accordance with the dispute resolution procedures set forth in the services agreement.

6.12 Survival. The obligations of the Business Associate regarding the use, disclosure, and protection of PHI shall survive termination of this BAA for as long as the Business Associate maintains PHI.
