RECITALS
- CE is a "covered entity" as defined by 45 C.F.R. 160.103.
- In connection with BA providing services to CE under the Agreement, BA may create, receive, maintain, or transmit PHI on behalf of CE.
- The parties intend to protect the privacy and security of PHI in accordance with HIPAA.
- The purpose of this BAA is to satisfy applicable requirements of HIPAA, including 45 C.F.R. 164.308(b), 164.314(a), 164.502(e), and 164.504(e).
NOW, THEREFORE, the parties agree as follows:
I. DEFINITIONS
Capitalized terms not defined in this BAA have the meanings set forth in HIPAA and HITECH. "Breach" has the meaning in 45 C.F.R. 164.402. "Security Incident" has the meaning in 45 C.F.R. 164.304. "Unsecured PHI" has the meaning in 45 C.F.R. 164.402.
II. PERMITTED USES AND DISCLOSURES OF PHI
Except as otherwise limited in this BAA or the Agreement, BA may:
- Use and disclose PHI to perform services for or on behalf of CE as permitted by the Agreement.
- Use PHI for proper management and administration of BA or to fulfill BA's legal responsibilities.
- Disclose PHI as Required by Law or with reasonable assurances from the recipient that the PHI will remain confidential and be used only as Required by Law or for the stated purpose.
- De-identify PHI in accordance with 45 C.F.R. 164.514 and use or disclose de-identified data for analytics and service improvement. BA will not sell PHI.
III. OBLIGATIONS AND ACTIVITIES OF BUSINESS ASSOCIATE
BA agrees to:
- Use or disclose PHI only as permitted by this BAA, the Agreement, or as Required by Law.
- Implement administrative, physical, and technical safeguards consistent with 45 C.F.R. 164.308, 164.310, and 164.312.
- Report to CE any Security Incident or Breach of Unsecured PHI without unreasonable delay and in no event later than ten (10) business days after discovery.
- Ensure that subcontractors who create, receive, maintain, or transmit PHI on BA's behalf agree to the same restrictions and conditions.
- Make PHI available to CE as necessary to satisfy CE's obligations under 45 C.F.R. 164.524 and 164.526.
- Provide information necessary for CE to meet its obligations under 45 C.F.R. 164.528.
- Make BA's internal practices, books, and records relating to PHI available to the Secretary of HHS for purposes of determining CE's compliance with HIPAA.
IV. OBLIGATIONS OF COVERED ENTITY
CE agrees to:
- Notify BA of any limitations in CE's notice of privacy practices that affect BA's use or disclosure of PHI.
- Provide BA with any changes or revocations of authorization that affect BA's use or disclosure of PHI.
- Notify BA of any restriction on the use or disclosure of PHI that CE has agreed to under 45 C.F.R. 164.522.
- Ensure that CE has obtained required consents or authorizations for PHI that CE provides to BA.
V. TERM AND TERMINATION
This BAA is effective on the Effective Date and remains in effect until terminated by either party in accordance with the Agreement. CE may terminate this BAA if BA is in material breach and fails to cure within a reasonable time, or immediately if cure is not feasible.
VI. MISCELLANEOUS
- Return or Destruction of PHI. Upon termination, BA will return or destroy PHI if feasible. If return or destruction is infeasible, BA will extend the protections of this BAA and limit further use or disclosure.
- No Third-Party Beneficiaries. Nothing in this BAA creates rights in any third party.
- Interpretation. This BAA will be interpreted in a manner consistent with HIPAA. If any provision is invalid, the remainder will remain in effect.
- Order of Precedence. If there is a conflict between this BAA and the Agreement regarding PHI, this BAA controls.
VII. CONTACT
Questions about this BAA: legal@oseight.com.