BUSINESS ASSOCIATE AGREEMENT

Last Updated: October 1, 2025

1. General Definitions. The following terms used in this Agreement shall have the same meaning as those terms in the HIPAA Rules: Breach, Data Aggregation, Designated Record Set, Disclosure, Health Care Operations, Individual, Minimum Necessary, Notice of Privacy Practices, Required By Law, Secretary, Security Incident, Subcontractor, Unsecured Protected Health Information, and Use.

2. Specific Definitions.

  • 2.1 Business Associate shall generally have the same meaning as the term “business associate” at 45 CFR § 160.103, and in reference to the party to this Agreement, shall mean Business Associate.
  • 2.2 Covered Entity shall generally have the same meaning as the term “covered entity” at 45 CFR § 160.103, and in reference to the party to this Agreement, shall mean Covered Entity.
  • 2.3 Protected Health Information (PHI) shall generally have the same meaning as the term “protected health information” at 45 CFR § 160.103, and shall include any individually identifiable information that is created, received, maintained, or transmitted by Business Associate on behalf of Covered Entity that relates to an individual’s past, present, or future physical or mental health, health care, or payment for health care, whether such information is in oral, hard copy, electronic, or any other form or medium.
  • 2.4 Terms used but not otherwise defined in this Agreement shall be defined as set forth in 45 C.F.R. Part 160 and Part 164, Subparts A, C, D, and E, as they shall be amended.

 

Agreement

3. Relationship of the Parties. Business Associate is and at all times during this Agreement shall be acting as an independent contractor to Covered Entity, and not as Covered Entity’s agent. Business Associate shall not have authority to bind Covered Entity to any liability unless expressly authorized by Covered Entity in writing. Business Associate shall not represent itself as the agent of Covered Entity. Nothing in this Agreement shall be deemed to establish an agency, partnership, joint venture or other relationship except that of independently contracting entities.

4. Business Associate Responsibilities. Business Associate agrees to:

  • 4.1 Fully comply with the HIPAA Rules as they apply to Business Associate.
  • 4.2 Not use or disclose protected health information except as permitted by this Agreement or as otherwise required by law.
  • 4.3 Use appropriate safeguards to prevent the use or disclosure of protected health information other than as permitted by this Agreement. Business Associate shall comply with the requirements in 45 CFR Part 164, Subpart C applicable to business associates, including the use of administrative, physical and technical safeguards to protect electronic protected health information and conducting risk assessments of Business Associate’s information technology systems and environment as well as training its personnel regarding the requirements of the HITECH Act, HIPAA Rules, and other applicable law.
  • 4.4 Immediately report to Covered Entity’s Privacy Officer any use or disclosure of protected health information not permitted by this Agreement, or the HIPAA Rules of which Business Associate becomes aware, including reporting breaches of unsecured protected health information as required by 45 CFR § 164.410, and reporting security incidents as required by 45 CFR § 164.314(a)(2)(i)(C). Business Associate further agrees to immediately report to Covered Entity’s Privacy Officer any attempted or successful unauthorized access, use, disclosure, modification, or destruction of electronic protected health information or interference with information system operations involving electronic protected health information.
  • 4.5 Mitigate, to the extent practicable, and at its sole expense, any harmful effect caused by a use or disclosure of Protected Health Information by Business Associate in violation of the requirements of this Agreement. Also, to fully cooperate with Covered Entity’s efforts to promptly investigate, mitigate, and notify third parties of breaches of unsecured protected health information or security incidents as required by the HIPAA Rules.
  • 4.6 Ensure that any subcontractors that create, receive, maintain, or transmit protected health information on behalf of Business Associate agree to the same restrictions, conditions, and requirements set forth in this Agreement and the HIPAA Rules applicable to such subcontractors. Business Associate may fulfill this requirement by executing a written agreement with the subcontractor incorporating the terms of this Agreement and otherwise complying with the requirements in 45 CFR §§ 164.502(e)(1)(ii), 164.502(e)(2) and 164.308(b)(2),(3).
  • 4.7 Make available protected health information in a designated record set to the Covered Entity, within 10 days of request, to satisfy Covered Entity’s obligations under 45 CFR 164.524. Should Business Associate or its subcontractors receive a direct request from an individual, Business Associate will promptly forward the individual’s request to the Covered Entity.
  • 4.8 Make any amendment(s) to protected health information in a designated record set, within 10 days of request, as directed or agreed to by the Covered Entity pursuant to 45 CFR 164.526 or take other measures as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.526. Should Business Associate or its subcontractors receive a direct request from an individual, Business Associate will promptly forward the individual’s request to the Covered Entity.
  • 4.9 Maintain and make available the information required to provide an accounting of disclosures to the Covered Entity, within 10 days of request, to satisfy Covered Entity’s obligations under 45 CFR 164.528.  Should Business Associate or its subcontractors receive a direct request from an individual, Business Associate will promptly forward the individual’s request to the Covered Entity.
  • 4.10 To the extent Business Associate is to carry out Covered Entity’s obligations under 45 CFR Part 164, Subpart E, comply with the requirements of Subpart E that apply to Covered Entity in the performance of such obligations.
  • 4.11 Make its internal practices, books, and records (including policies and procedures and Protected Health Information) relating to the use and disclosure of Protected Health Information on behalf of Covered Entity available for inspection to Covered Entity or to the Secretary of Health and Human Services, or their designees, for purposes of determining compliance with the HIPAA Rules. Business Associate shall make such materials available in the time and manner reasonably requested by the Covered Entity or the Secretary of Health and Human Services.

5. Uses and Disclosures by Business Associate.

  • 5.1 Permissible Uses and Disclosures. Business Associate may use or disclose protected health information only as follows:
  • 5.1.1 As necessary to perform the services set forth in the Service Agreement.
  • 5.1.2 As authorized, to de-identify protected health information in accordance with 45 CFR § 164.514(a)-(c).
  • 5.1.3 As required by law.
  • 5.1.4 Covered Entity shall not request, and Business Associate may not use or disclose protected health information in a manner that would violate 45 CFR Part 164, Subpart E, if done by Covered Entity.
  • 5.1.5 Business Associate agrees to use or disclose the minimum amount of protected health information necessary for a permitted purpose pursuant to this Section 5, 45 CFR § 164.502(b), and Covered Entity’s policies and procedures which limit disclosures to the minimum necessary.
  • 5.2 Additional Use and Disclosure Provisions
  • 5.2.1 Except as otherwise limited in the underlying Agreement, Business Associate may use protected health information for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate.
  • 5.2.2 Except as otherwise limited in the underlying Agreement, Business Associate may disclose protected health information for the proper management and administration of Business Associate or to carry out the legal responsibilities of the Business Associate, provided that any disclosures for these purposes (i) are required by law, or (ii)(a) Business Associate obtains reasonable assurances from the person to whom the information is disclosed that the information will remain confidential and used or further disclosed only as required by law or for the purposes for which it was disclosed to the person, and (ii)(b) the person notifies Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.
  • 5.2.3 Except as otherwise limited in the underlying Agreement, Business Associate may use protected health information to provide data aggregation services relating to the health care operations of Covered Entity as defined in 45 CFR § 164.501.

 

6. Term and Termination. Unless otherwise agreed in writing by the parties, this Agreement shall be effective as of the Effective Date executed by the parties and shall continue until terminated as provided below.

  • 6.1 Termination. This Agreement shall terminate on the date the Solution Agreement is terminated. In addition, this Agreement may be terminated earlier as follows:
  • 6.1.1 Covered Entity may terminate this Agreement upon sixty (60) days prior notice if Covered Entity determines that Business Associate or any subcontractor has violated HIPAA Rules or otherwise engaged in conduct that may compromise the protected health information of Covered Entity.  Subject to Section 6.1.2, Business Associate shall have the opportunity to cure the breach or violation within the 60-day notice period. If Business Associate fails to cure the breach or violation within the 60-day notice period, Covered Entity may declare this Agreement terminated.
  • 6.1.2 Notwithstanding Section 6.1.1, Covered Entity may terminate this Agreement immediately if Business Associate or any subcontractor engages in any conduct that Covered Entity reasonably believes may result in adverse action against Covered Entity by any governmental agency.
  • 6.2 Obligations of Business Associate Upon Termination. Upon termination of this Agreement for any reason, Business Associate shall, with respect to protected health information received from Covered Entity, or created, maintained, used, or received by Business Associate on behalf of Covered Entity:
  • 6.2.1 If feasible, return all protected health information to Covered Entity or, if Covered Entity agrees, destroy such protected health information.
  • 6.2.2 If the return or destruction of protected health information is not feasible, continue to extend the protections of this Agreement and the HIPAA Rules to such information and not use or further disclose the information in a manner that is not permitted by this Agreement or the HIPAA Rules.
  • 6.3 Survival. Business Associate’s obligations under Section 6 shall survive termination of this Agreement.

 

7. Regulatory References. A reference in this Agreement to a section in the HITECH Act or HIPAA Rules means the section as in effect or as amended.

8. Amendment. The parties agree to take such action as is necessary to amend this Agreement from time to time to comply with the requirements of the HITECH Act, HIPAA Rules, and any other applicable laws and regulations.

9. Interpretation. Any ambiguity in this Agreement shall be interpreted to permit compliance with the HITECH Act, HIPAA Rules, and other applicable law.

10. Governing Law. This Agreement shall be construed to comply with the requirements of the HIPAA Rules, and any ambiguity in this Agreement shall be interpreted to permit compliance with the HIPAA Rules.

11. Assignment/Subcontracting. This Agreement shall inure to the benefit of and be binding upon the parties and their respective legal representatives, successors and assigns. Business Associate may assign or subcontract rights or obligations under this Agreement to subcontractors or third parties without the express written consent of Covered Entity provided that Business Associate complies with Section 4.6, above. Covered Entity may assign its rights and obligations under this Agreement to any successor or affiliated entity.

12. Cooperation. The parties agree to cooperate with each other’s efforts to comply with the requirements of the HITECH Act, the HIPAA Rules, and other applicable laws; to assist each other in responding to and mitigating the effects of any breach of protected health information in violation of the HIPAA Rules or this Agreement; and to assist the other party in responding to any investigation, complaint, or action by any government agency or third party relating to the performance of this Agreement. In addition to any other cooperation reasonably requested by Covered Entity, Business Associate shall make its officers, members, employees, and agents available without charge for interview or testimony.

13. Relation to Solution Agreement. This Agreement supplements the Solution Agreement. The terms and conditions of the Solution Agreement shall continue to apply to the extent not inconsistent with this Agreement. If there is a conflict between this Agreement and the Services Agreement, this Agreement shall control.

14. No Third-Party Beneficiaries. Nothing in this Agreement is intended to nor shall it confer any rights on any other persons except Covered Entity and Business Associate and their respective successors and assigns.

15. Entire Agreement. This Agreement contains the entire agreement between the parties as it relates to the use or disclosure of protected health information, and supersedes all prior discussions, negotiations and services relating to the same to the extent such other prior communications are inconsistent with this Agreement.

16. Indemnification. Business Associate hereby agrees to indemnify, defend and hold harmless the Covered Entity and its shareholders, directors, officers, partners, members, employees, agents and/or contractors against any losses, liabilities, fines, penalties, costs or expenses (including reasonable attorneys’ fees) which may be imposed upon Covered Entity by reason of any suit, claim, action, proceeding or demand by any third party which results from Business Associate’s breach of this Agreement. This obligation of Business Associate to indemnify Covered Entity shall survive the termination of this Agreement for any reason.

17. Encryption. Business Associate and its subcontractors, if applicable, shall employ adequate data and device encryption to render the Covered Entity’s protected health information data unusable, unreadable, or indecipherable to unauthorized individuals through the use of technology or methodology tested by the National Institute of Standards and Technology and judged to meet the standard. Such protections shall also extend to any databases or collections of PHI containing information derived from the PHI as well as to PHI backups and archives.
