BUSINESS ASSOCIATE AGREEMENT

This Business Associate Agreement (“Agreement”) is entered into as of the date of electronic acceptance by and between the accepting healthcare practice or entity (“Covered Entity”) and Vibility, Inc., a Delaware corporation (“Business Associate”).

Recitals

A. Covered Entity is designated as a “Covered Entity” as defined by the federal Health Insurance Portability and Accountability Act of 1996 and its promulgating regulations (“HIPAA”), as amended by regulations pursuant to the Health Information Technology for Economic and Clinical Health Act (“HITECH”).

B. Business Associate has an underlying business relationship (“Underlying Contract”) with Covered Entity, in which Business Associate performs functions or activities, or provides certain services, on behalf of Covered Entity through the Vibility platform.

C. In the course of providing such services, Business Associate may have access to, receive from, maintain, transmit, create, and/or receive on behalf of Covered Entity, Protected Health Information (“PHI”).

D. Covered Entity and Business Associate intend to protect the privacy and provide for the security of PHI disclosed to Business Associate pursuant to this Agreement and in order to comply with HIPAA and its implementing regulations including the Privacy Rule, the Security Rule, and the Breach Notification Rule (each as defined below).

NOW, THEREFORE, in consideration of these recitals and the mutual promises contained in this Agreement, and for other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, Covered Entity and Business Associate agree as follows:

I. Definitions

A. “Breach” shall have the meaning given to such term at 45 C.F.R. § 164.402.

B. “Breach Notification Rule” shall mean the rule related to breach notification for Unsecured Protected Health Information at 45 C.F.R. Parts 160 and 164.

C. “Electronic Protected Health Information” or “EPHI” shall have the same meaning given to such term under the Security Rule, including, but not limited to, 45 C.F.R. § 160.103, limited to the information created or received by Business Associate from or on behalf of Covered Entity.

D. “HIPAA Rules” shall mean the Privacy, Security, Breach Notification, and Enforcement Rules.

E. “Privacy Rule” shall mean the Standards for Privacy of Individually Identifiable Health Information, codified at 45 C.F.R. Part 160 and Part 164, Subparts A and E.

F. “Protected Health Information” or “PHI” shall have the meaning given to such phrase under the Privacy and Security Rules at 45 C.F.R. § 160.103, limited to the information created or received by Business Associate from or on behalf of the Covered Entity.

G. “Security Rule” shall mean the Security Standards for the Protection of Electronic Protected Health Information, codified at 45 C.F.R. § 164, Subparts A and C.

H. “Unsecured PHI” shall have the meaning given to such phrase under the Breach Notification Rule at 45 C.F.R. § 164.402.

I. Other terms used, but not otherwise defined, in this Agreement shall have the same meaning as those terms in the Privacy, Security, or Breach Notification Rules and the Underlying Contract. Where there is a conflict, the meanings in this Agreement together with the HIPAA Rules shall govern.

II. Obligations of the Parties with Respect to PHI

A. Obligations of Business Associate

Business Associate shall:

  1. Not use or disclose PHI other than as permitted or required by the Underlying Contract or as required by law.
  2. Not use or disclose PHI in a manner that would violate the Privacy Rule if done by the Covered Entity, unless expressly permitted pursuant to the Privacy Rule and this Agreement, provided that if Business Associate carries out one or more of Covered Entity’s obligations under the Privacy Rule pursuant to the Underlying Contract, Business Associate shall fully comply with the applicable Privacy Rule requirements.
  3. Use appropriate safeguards, and comply with the Security Rule at Subpart C of 45 CFR Part 164 with respect to EPHI, to prevent use or disclosure of PHI other than as provided for by this Agreement.
  4. Report to Covered Entity immediately, and in no case later than five (5) calendar days after Business Associate’s discovery, any use or disclosure of PHI not provided for by this Agreement, any Breaches of Unsecured PHI as required at 45 CFR 164.410, any security incident, or any breach under relevant state data breach laws (“State Law Breach”). Such notice shall include the results of the risk assessment and, to the extent possible, identification of each affected individual. Business Associate shall be responsible for the cost of risk assessment and breach mitigation expenses arising from violations of this Agreement or applicable law.
  5. Make available PHI in a Designated Record Set to Covered Entity within five (5) business days as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.524.
  6. Provide access to PHI in a Designated Record Set, at the request of Covered Entity, within five (5) business days, to Covered Entity or to an Individual designated by the Individual, in the requested format if readily producible.
  7. Make PHI available for amendment purposes within five (5) business days per 45 C.F.R. §164.526. If an Individual requests an amendment directly from Business Associate, Business Associate shall forward the request to Covered Entity within two (2) business days.
  8. Maintain and make available the information required to provide an accounting of disclosures to Covered Entity under 45 CFR 164.528. If requested by an Individual directly, Business Associate shall forward the request to Covered Entity within two (2) business days.
  9. To the extent Business Associate carries out Covered Entity’s obligations under Subpart E of 45 CFR Part 164, comply with the applicable requirements, including 45 CFR 164.522 regarding requested restrictions on health plan disclosures.
  10. Make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of HHS and to Covered Entity for compliance purposes.
  11. Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of EPHI as required by the Security Rule, and comply with all applicable state information security breach laws.
  12. Ensure that any agents and subcontractors that create, receive, maintain, or transmit PHI on behalf of Business Associate agree to the same restrictions and conditions that apply through this Agreement, and implement reasonable and appropriate safeguards to protect EPHI.
  13. To the extent permitted by law, cooperate with Covered Entity to ensure that legal process conforms with HIPAA Rules, including obtaining qualified protective orders when necessary.

B. Permitted Uses or Disclosures by Business Associate

Business Associate may use or disclose PHI only:

  1. As necessary to perform the services set forth in the Underlying Contract, provided that Business Associate must be specifically authorized in writing to de-identify PHI in accordance with 45 CFR 164.514(a)-(c).
  2. As required by law.
  3. If uses, disclosures, and requests for PHI are consistent with Covered Entity’s minimum necessary policies and procedures.
  4. In a manner that would not violate Subpart E of 45 CFR Part 164 if done by Covered Entity, except that Business Associate may use PHI to carry out its legal responsibilities only if it obtains reasonable assurances that the information will remain confidential.
  5. To provide data aggregation services relating to Covered Entity’s health care operations only if authorized in the Underlying Contract.

C. Covered Entity Privacy Practices and Restrictions

Covered Entity shall notify Business Associate of:

  1. Any limitation(s) in Covered Entity’s notice of privacy practices under 45 CFR 164.520 that may affect Business Associate’s use or disclosure of PHI.
  2. Any changes in, or revocation of, permission by an individual to use or disclose his or her PHI that may affect Business Associate’s use or disclosure of PHI.
  3. Any restriction on the use or disclosure of PHI that Covered Entity has agreed to or is required to abide by under 45 CFR 164.522 that may affect Business Associate’s use or disclosure of PHI.

III. Term and Termination

A. Term. This Agreement shall be effective as of the date of electronic acceptance and shall continue until Business Associate ceases to perform the services defined in the Underlying Contract.

B. Termination for Cause. Covered Entity may immediately terminate this Agreement if Business Associate materially breaches any provision, and such breach is not cured within thirty (30) days after receipt of written notice.

C. Obligations Upon Termination. Upon expiration or termination, Business Associate shall:

  1. Retain only PHI necessary for Business Associate’s proper management, administration, or legal responsibilities.
  2. Return to Covered Entity or destroy all other PHI in any form, including PHI in possession of subcontractors, and retain no copies if feasible.
  3. If return or destruction is not feasible, extend all protections of this Agreement to any retained PHI and limit further uses and disclosures to those purposes that make return or destruction infeasible.
  4. Not use or disclose retained PHI other than for the purposes for which it was retained, subject to the same permitted use conditions.
  5. Return retained PHI to Covered Entity when no longer needed.

The termination obligations and breach reporting provisions shall survive the termination or expiration of this Agreement and any Underlying Contract.

IV. Miscellaneous

A. Amendment. This Agreement may be amended as necessary to comply with modifications to the HIPAA Rules. Covered Entity and Business Associate agree to use good-faith efforts to develop and execute any required amendments. This Agreement may be amended or modified only in writing agreed to by both parties.

B. Severability. If any provision is held unenforceable, the remainder shall remain in full force and effect.

C. Independent Contractor. Business Associate is an independent contractor of Covered Entity and shall not be considered an agent of Covered Entity.

D. Equitable Remedies. Business Associate stipulates that unauthorized use or disclosure of PHI could cause irreparable harm to Covered Entity, entitling Covered Entity to seek damages and injunctive relief in any court of competent jurisdiction.

E. No Third Party Beneficiaries. Nothing in this Agreement is intended to confer upon any person other than Covered Entity, Business Associate, and their respective affiliates, employees, directors, officers, subcontractors, agents, successors, or assigns, any rights, remedies, obligations, or liabilities.

F. Waiver. No provision of this Agreement shall be deemed waived unless such waiver is in writing and signed by the waiving party. No waiver of a breach shall constitute a waiver of any subsequent breach.

G. Assignment. Neither Party may assign its rights or delegate its obligations without prior written consent, except that Covered Entity may assign to an affiliate or successor without Business Associate’s approval.

H. Construction. This Agreement shall be construed as broadly as necessary to implement and comply with the HIPAA Rules. Any ambiguity shall be interpreted to permit compliance.

I. Electronic Acceptance. This Agreement may be executed by electronic acceptance. By checking the acceptance box and providing the required identifying information below, Covered Entity’s authorized representative agrees to be bound by the terms of this Agreement. Electronic acceptance constitutes a legally binding signature under the Electronic Signatures in Global and National Commerce Act (ESIGN Act, 15 U.S.C. § 7001 et seq.) and the Uniform Electronic Transactions Act (UETA). Facsimile or electronic signatures shall be treated as original signatures.
