HIPAA Business Associate Agreement

This Business Associate Agreement (“BAA”) is entered into and made effective as of 10/10/2024 (“Effective Date”) by and between ImpiricusHealth Corp. (“Business Associate”) and Covered Entity (each a “Party” and collectively, the “Parties”). This BAA constitutes a legal, binding contract between the Parties hereto.

RECITALS

WHEREAS, Covered Entity is a “Covered Entity” as that term is defined under the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-91), as amended, (“HIPAA”), and the regulations promulgated thereunder by the Secretary of the U.S. Department of Health and Human Services (“Secretary”), including, without limitation, the regulations codified at 45 C.F.R. Parts 160 and 164 (“HIPAA Regulations”);

WHEREAS, Business Associate seeks to perform Services for or on behalf of Covered Entity, and in performing said Services, Business Associate will create, receive, maintain, or transmit Protected Health Information or Electronic Protected Health Information;

WHEREAS, the Parties intend to protect the privacy and provide for the security of PHI and ePHI disclosed by Covered Entity to Business Associate, or received or created by Business Associate, when providing Services in compliance with HIPAA, its corresponding regulations, and the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”), all as amended from time to time;

WHEREAS, Covered Entity is required under HIPAA to enter into a Business Associate Agreement with Business Associate that meets certain requirements with respect to the Use or Disclosure of PHI; and

WHEREAS, Business Associate is required under HIPAA to comply with the terms of the Business Associate Agreement.

AGREEMENT

In consideration of the mutual promises and covenants set forth herein, and for other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the Parties, intending to be legally bound, hereby agree as follows:

ARTICLE I

DEFINITIONS

The following terms shall have the meanings set forth below. Capitalized terms used in this Business Associate Agreement and not otherwise defined shall have the meanings ascribed to them in HIPAA, the HIPAA Regulations, or the HITECH Act, as applicable.

1.1. “Breach” shall have the meaning given under 42 U.S.C. § 17921(1) and 45 C.F.R. § 164.402.

1.2. “Data Aggregation” shall have the meaning given under 45 C.F.R. § 164.501.

1.3. “Designated Record Set” shall have the meaning given to such term under 45 C.F.R. § 164.501.  

1.4. “Disclose” and “Disclosure” mean, with respect to PHI, the release, transfer, provision of access to, or divulging in any other manner, of PHI outside of the entity holding the information other than to members of its Workforce, as set forth in 45 C.F.R. § 160.103.

1.5. “Electronic PHI” or “ePHI” means PHI that is transmitted or maintained in electronic media, as set forth in 45 C.F.R. § 160.103.

1.6. “Protected Health Information” and “PHI” shall have the meaning ascribed to it in HIPAA, the HIPAA Regulations, or the HITECH Act, as applicable, but limited to PHI: (1) received by Business Associate from or on behalf of Covered Entity; (2) created, maintained, stored, or transmitted by Business Associate for or on behalf of Covered Entity; or (3) made accessible to Business Associate by or on behalf of Covered Entity. As used herein, the term “PHI” shall include physical PHI and ePHI, as context may require.

1.7. “Services” shall mean the services performed by Business Associate for or on behalf of Covered Entity pursuant to any service agreement(s) or “terms of use” (or similar agreements) between Covered Entity and Business Associate which may be in effect now or from time to time (“Underlying Agreement”), or, if no such agreement is in effect, the services or functions performed by Business Associate that create a Business Associate relationship between the Parties, as set forth in 45 C.F.R. § 160.103 (Defining “Business Associate.”); to the extent (and only to the extent) that such Services involve the access, creation, receipt, maintenance, storage, transmission, or other Use or Disclosure of PHI by Business Associate for or on behalf of Covered Entity.

1.8. “Subcontractor” means a person to whom a Business Associate delegates a function, activity, or service, other than in the capacity of a member of the Workforce of such Business Associate.

1.9. “Successful Security Incident” shall mean a Security Incident that actually results in the unauthorized access, Use, Disclosure, modification, or destruction of PHI in an Information System or interference with system operations in an Information System that stores PHI.

1.10. “Unsecured PHI” shall have the meaning given to such term under 42 U.S.C. § 17932(h) and 45 C.F.R. § 164.402.

1.11. “Unsuccessful Security Incident” shall mean any Security Incident that does not actually result in the unauthorized access, Use, Disclosure, modification, or destruction of PHI or interference with system operations in an Information System, such as pings or other broadcast attacks on a firewall, port scans, attempts to log onto any system or enter a database using an invalid username or password, denial-of-service attacks that do not result in the system being taken off-line, and malware (e.g., worms and viruses).

1.12. “Use” or “Uses” mean, with respect to PHI, the sharing, employment, application, utilization, examination, or analysis of such PHI, as set forth in 45 C.F.R. § 160.103.

1.13. “Workforce” shall have the meaning given to such term under 45 C.F.R. § 160.103.

ARTICLE II

OBLIGATIONS

2.1. Permitted Uses and Disclosures of Protected Health Information: Business Associate shall not Use or Disclose PHI other than for the following: (1) to perform the Services; (2) as permitted or required by this BAA; or (3) as Required by Law.  Business Associate shall not Use or Disclose PHI in any manner that would constitute a violation of Subpart E of 45 C.F.R. Part 164 (the “Privacy Rule”) if so Used or Disclosed by Covered Entity.  However, Business Associate may Use or Disclose PHI (i) for the proper management and administration of Business Associate, or (ii) to carry out the legal responsibilities of Business Associate; provided that with respect to any such Disclosure under subsection (ii) above, either: (a) the Disclosure is Required by Law; or (b) Business Associate obtains a written agreement from the person to whom the PHI is to be Disclosed that such person will hold the PHI in confidence and will not Use or further Disclose such PHI except as Required by Law and for the purpose(s) for which it was Disclosed by Business Associate to such person, and that such person will notify Business Associate of any instances of which it is aware in which the confidentiality of the PHI has been compromised. To the extent a part of the Services, Business Associate may perform Data Aggregation with regard to the Health Care Operations of Covered Entity. To the extent that Business Associate carries out one or more of Covered Entity’s obligations under the Privacy Rule, Business Associate must comply with the requirements of the Privacy Rule that apply to the Covered Entity in the performance of such obligations.

2.2. Prohibited Marketing and Sale of PHI:  Notwithstanding any other provision in this BAA, Business Associate shall comply with the following requirements: (i) Business Associate shall not Use or Disclose PHI for fundraising or marketing purposes, except to the extent expressly authorized by Covered Entity or permitted by this BAA and consistent with the requirements of 45 C.F.R. § 164.514(f), and 45 C.F.R. § 164.508(a)(3); and (ii) Business Associate shall not receive remuneration, directly or indirectly, in exchange for PHI, other than from or on behalf of Covered Entity as compensation for the Services.

2.3. Adequate Safeguards of PHI: Business Associate shall implement and maintain appropriate safeguards to prevent Use or Disclosure of PHI other than as provided for by this BAA.  Business Associate shall reasonably and appropriately protect the confidentiality, integrity, and availability of ePHI that it creates, receives, maintains, or transmits on behalf of Covered Entity in compliance with Subpart C of 45 C.F.R. Part 164 (the “Security Rule”) to prevent Use or Disclosure of PHI other than as provided for by this BAA.

2.4. Mitigation: Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a Use or Disclosure of PHI by Business Associate in violation of the requirements of this BAA, per 45 C.F.R. § 164.530(f).

2.5. Reporting Non-Permitted Use or Disclosure: Business Associate shall report to Covered Entity, in writing and as soon as practicable, but in any event within fifteen (15) days after discovering or becoming aware of any Successful Security Incident or acquisition, access, Use or Disclosure of PHI that is not permitted by this BAA or the Privacy Rule, including any Breach of Unsecured PHI (each, an “Incident”), which report shall include all relevant details then known to Business Associate, and, as soon as practicable, but in any event within ten (10) business days following the initial report, supplement the initial report with such information as necessary for Covered Entity to provide any notification to affected Individuals, the Secretary, and the media (as applicable), in accordance with 45 C.F.R. Part 164 Subpart D (the “Breach Notification Rule”) and/or other applicable law. The Parties acknowledge and agree that this BAA serves as sufficient written notice by Business Associate to Covered Entity that Unsuccessful Security Incidents may occur, from time to time, and that no further notice need be given by Business Associate to Covered Entity unless there is a Successful Security Incident. Covered Entity shall pay for its costs that are incurred to provide notifications required in accordance with the Breach Notification Rule as the result of a Breach of Unsecured PHI. To the extent a Breach of Unsecured PHI is caused by the negligent acts or omissions of Business Associate or any of its agents or Subcontractors, Business Associate shall pay or otherwise reimburse the reasonable substantiated costs of Covered Entity for providing required notices under HIPAA to affected Individuals, the Secretary, and the media (as applicable).

2.6. Availability of Internal Practices, Books, and Records to Government:  Business Associate agrees to make its internal practices, books, and records relating to the Use and Disclosure of PHI received from, created, or received by the Business Associate on behalf of Covered Entity available to the Secretary for purposes of determining Covered Entity’s compliance with HIPAA, the HIPAA Regulations, and the HITECH Act.  Except to the extent prohibited by law, Business Associate shall notify Covered Entity of all requests served upon Business Associate for information or documentation by or on behalf of the Secretary. Business Associate agrees to provide to Covered Entity proof of its compliance with HIPAA upon reasonable request.

2.7. Access to and Amendment of Protected Health Information:  To the extent that Business Associate maintains a Designated Record Set on behalf of Covered Entity, and within fifteen (15) days of a request by Covered Entity, Business Associate shall (a) make the PHI it maintains (or which is maintained by its Subcontractors) in Designated Record Sets available to Covered Entity for inspection and copying, or to an Individual to enable Covered Entity to fulfill its obligations under 45 C.F.R. § 164.524, or (b) amend the PHI it maintains (or which is maintained by its Subcontractors) in Designated Record Sets to enable the Covered Entity to fulfill its obligations under 45 C.F.R. § 164.526.  If Business Associate maintains PHI in a Designated Record Set electronically, Business Associate shall provide such information in the electronic form and format requested by the Covered Entity if it is readily reproducible in such form and format, and, if not, in such other form and format agreed to by Covered Entity to enable Covered Entity to fulfill its obligations under 42 U.S.C. § 17935(e) and 45 C.F.R. § 164.524(c)(2). Business Associate shall notify Covered Entity within fifteen (15) days of receipt of an Individual’s request for access to, or to amend, such Individual’s PHI.

2.8. Accounting:  To the extent that Business Associate maintains a Designated Record Set on behalf of Covered Entity, within fifteen (15) days of receipt of a request from Covered Entity or an Individual for an accounting of Disclosures of PHI, Business Associate and its Subcontractors shall make available to Covered Entity the information required to provide an accounting of Disclosures to enable Covered Entity to fulfill its obligations under 45 C.F.R. § 164.528 and its obligations under 42 U.S.C. § 17935(c).  Business Associate shall notify Covered Entity within fifteen (15) days of receipt of a request by an Individual or other requesting party for an accounting of Disclosures of PHI.

2.9. Use of Subcontractors: Business Associate shall ensure that each of its Subcontractors that creates, maintains, receives, or transmits PHI for or on behalf of Business Associate enters into a written agreement with Business Associate pursuant to which such Subcontractor agrees to abide by the restrictions, conditions, and obligations that apply to PHI under this BAA, as required by 45 C.F.R. §§ 164.308(b)(2) and 164.502(e)(1)(ii).

2.10. Minimum Necessary:  Business Associate (and its Subcontractors) shall, to the extent practicable, limit its request, Use, or Disclosure of PHI to the minimum amount of PHI necessary to accomplish the purpose of the request, Use, or Disclosure, in accordance with 42 U.S.C. § 17935(b) and 45 C.F.R. § 164.502(b)(1) or any other guidance issued thereunder.

2.11. Restrictions: Business Associate shall abide by restrictions on Uses/Disclosures of an Individual’s PHI that such Individual requests and Covered Entity implements per 45 C.F.R. § 164.522(a); provided, that Business Associate is given timely written notice of such restrictions by Covered Entity.

2.12. Confidential Communications:  Business Associate shall accommodate reasonable requests for confidential communications of PHI by alternative means or at alternative locations, as directed by Covered Entity on behalf of an individual, in writing, in accordance with 45 C.F.R. § 164.522(b); and, in the event that Business Associate receives an Individual’s request for confidential communications of PHI, Business Associate shall promptly forward such request to Covered Entity.

2.13. Covered Entity Obligations: Covered Entity agrees that it shall:

2.13.1 Restrictions: Promptly notify Business Associate in writing of any restrictions on the Use/Disclosure of PHI that Covered Entity agrees to or must abide by per 45 C.F.R. § 164.522, if such restrictions may affect Business Associate’s Use or Disclosure of PHI.

2.13.2 Authorizations: Obtain all required written authorizations from any Individual under the HIPAA Regulations and promptly notify Business Associate in writing of any changes in, or revocation of, the permissions given by an Individual to Use and/or Disclose PHI, if such changes may affect Business Associate’s Use or Disclosure of PHI.

2.13.3 Permissible Requests: Not request Business Associate, whether in connection with the Services or otherwise, to Use or Disclose PHI in any manner or for any purpose that would not be permissible under the Privacy Rule or Security Rule if such Use or Disclosure was made directly by Covered Entity. Covered Entity represents and warrants to Business Associate that all approvals and authorizations required under the Privacy Rule (if any) have been or will be obtained in order for Covered Entity to Disclose PHI to Business Associate and to permit Business Associate to Use and further Disclose such PHI as may be needed to perform the Services.

ARTICLE III

TERM AND TERMINATION

3.1. Term:   The term of this BAA shall be effective as of the Effective Date and shall remain in full force and effect until the later of (a) expiration or termination of all contracts or Underlying Agreements between Covered Entity and Business Associate that govern the Services, (b) when all PHI is either destroyed or returned to Covered Entity or, in the event it is reasonably infeasible to return or destroy PHI, when protections are extended to such PHI in accordance with Section 3.3, or (c) the date that either Party terminates for cause as authorized in Section 3.2.  

3.2. Termination for Cause: Upon either Party’s knowledge of a material breach or violation of this BAA by the other Party, the non-breaching Party shall either:

3.2.1 Notify the other Party of the breach in writing, and provide an opportunity for the breaching Party to cure the breach or end the violation within ten (10) business days of such notification; provided that if the breaching Party fails to cure the breach or end the violation within such time period to the satisfaction of non-breaching Party, the non-breaching Party may immediately terminate this BAA upon written notice to other Party; or

3.2.2 Upon written notice to breaching Party, immediately terminate this BAA if non-breaching Party determines that such breach cannot be cured.

3.3 Disposition of Protected Health Information Upon Termination or Expiration:  Upon the expiration or termination of this BAA, Business Associate shall, at Covered Entity’s option, return or destroy all PHI in Business Associate’s possession, including PHI in the possession of its Subcontractors and agents (if any). In the event Business Associate reasonably determines that the return or destruction of certain PHI is infeasible, Business Associate shall extend the protections, limitations and restrictions set forth in this BAA to such PHI and shall limit all further Use and Disclosure of such PHI to those purposes that make its return or destruction infeasible for as long as Business Associate maintains such PHI. Furthermore, in the event it is infeasible for any agent or Subcontractor of Business Associate to return or destroy certain PHI, Business Associate shall require such agent or Subcontractor to extend all protections, limitations and restrictions set forth in this BAA to such PHI and to limit all further Use and Disclosure of such PHI to those purposes that make its return or destruction infeasible for as long as such agent or Subcontractor maintains such PHI.

ARTICLE IV

MISCELLANEOUS

4.1. Amendment to Comply with Law: The Parties agree to take such action as is necessary to amend this BAA from time to time as necessary for Covered Entity or Business Associate to implement its obligations pursuant to HIPAA, the HIPAA Regulations, or the HITECH Act. This BAA may not be supplemented, modified or amended, except in a separate writing as agreed to and signed by each Party hereto.

4.2. Indemnification:  Each Party (referred to in this Section 4.2 as the “Indemnitor”) hereby agrees to indemnify and hold harmless the other Party, its affiliates, and their respective officers, directors, managers, members, shareholders, employees, and agents (collectively referred to in this Section 4.2 as the “Indemnitees”) from and against any and all fines, penalties, damage, claims, or causes of action and expenses (including, without limitation, court costs and attorney’s fees) asserted by a third party (each, a “Third-Party Claim”), but only to the extent caused by: (a) the Indemnitor’s breach of any representation, warranty, or obligation contained in this BAA; and/or (b) the Indemnitor’s, or any of its agents’ or Subcontractors’, (i) violation of the HIPAA Regulations or (ii) Use or Disclosure of PHI other than as permitted under this BAA. Upon receipt of notice of any Third-Party Claim giving rise to a right of indemnity hereunder, Covered Entity shall promptly, but in any case within five (5) business days, give Business Associate written notice thereof. Covered Entity shall: (i) permit Business Associate, at Business Associate’s sole option and expense, to assume the complete defense of such Third-Party Claim, including the selection of counsel, provided that Covered Entity may participate in the defense of such Third-Party Claim at its own cost and expense; and (ii) cooperate with Business Associate in connection therewith. As to any Third-Party Claim for which Business Associate does not assume control, Business Associate shall nevertheless be responsible for all reasonable costs of the defense for Business Associate and shall have the right to participate in such defense, at its own cost and expense.

4.3. Limitation of Liability: NOTWITHSTANDING THE PROVISIONS OF THIS BAA OR ANY UNDERLYING AGREEMENT OF THE PARTIES NOW EXISTING OR HEREAFTER MADE, NEITHER PARTY SHALL BE LIABLE FOR THE OTHER PARTY’S LOST PROFITS, OR ANY INDIRECT, INCIDENTAL, PUNITIVE, EXEMPLARY, CONSEQUENTIAL OR OTHER SPECIAL DAMAGES OF ANY KIND ARISING OUT OF OR RELATING TO THIS BAA, HOWEVER THE SAME MAY BE CAUSED AND REGARDLESS OF THE FAULT OR NEGLIGENCE (WHETHER SOLE, JOINT, CONCURRENT, ACTIVE, PASSIVE OR OTHERWISE) OF THE PARTIES. COVERED ENTITY SHALL USE COMMERCIALLY REASONABLE EFFORTS TO MITIGATE ITS LOSSES, TO THE EXTENT PRACTICABLE, INCLUDING BY TIMELY FILING APPLICABLE CLAIMS WITH ITS INSURANCE CARRIER(S) IN THE EVENT OF ANY INCIDENT THAT MIGHT GIVE RISE TO ANY THIRD-PARTY CLAIM FOR WHICH COVERED ENTITY MIGHT SEEK CONTRIBUTION FROM .

4.4. Notices:  Any notices required or permitted to be given hereunder by either Party to the other shall be given in writing:  (1) by personal delivery; (2) by electronic mail or facsimile with confirmation sent by United States first class registered or certified mail, postage prepaid, return receipt requested; (3) by bonded courier or by a nationally recognized overnight delivery service; or (4) by United States first class registered or certified mail, postage prepaid, return receipt, in each case, addressed to such addresses as the Parties may request in writing by notice given pursuant to this Section 4.4. Notices shall be deemed received on the earliest of personal delivery; upon delivery by electronic facsimile with confirmation from the transmitting machine that the transmission was completed; twenty-four (24) hours following deposit with a bonded courier or overnight delivery service; or seventy-two (72) hours following deposit in the U.S. mail as required herein.

4.5. Relationship of Parties: Business Associate is an independent contractor and not an agent of Covered Entity under this BAA. Business Associate has the sole right and obligation to supervise, manage, contract, direct, procure, perform, or cause to be performed, all Business Associate obligations under this BAA. The Parties do not intend an agency relationship (as defined under the Federal common law of agency) to be established hereby, expressly or by implication, for purposes of liability under HIPAA.

4.6. No Private Cause of Action/Third Party Beneficiaries: This BAA is not intended to, and does not, create a private cause of action by any individual, other than the Parties to this BAA, as a result of any claim arising out of the breach of this BAA, the HIPAA Regulations or other state or federal law or regulation relating to patients’ personally identifiable health information. Nothing express or implied in this BAA is intended to confer, nor shall anything herein confer, upon any person other than the Parties hereto any rights, remedies, obligations, or liabilities whatsoever.

4.7. Reformation and Severability: If any provision of this BAA is found to be invalid or unenforceable by any court of competent jurisdiction, such court should reform such provision to such narrower scope as it determines to be valid and enforceable and, if such provision cannot be reformed as anticipated above, then such provision shall be deemed separate and severable and shall not invalidate or render unenforceable the remaining provisions hereof, the Parties’ intent being to effectuate this BAA to the fullest extent permitted by law.

4.8. Waiver: No waiver of any provision of this BAA shall be binding upon any Party unless consented to in writing by such Party. Any waiver by either Party of any breach or of any provision of this BAA shall not operate as, or be construed as, a waiver of any subsequent breach or other provision of this BAA.

4.9. Assignability: Neither Party may assign, in whole or in part, this BAA or any rights or obligations contained herein, without the prior written consent of the other Party; provided, however, that Business Associate may assign this BAA to a successor in interest in the event of a merger, consolidation, combination or sale of all (or substantially all) of Business Associate’s assets or equity, upon prior written notice to (but without the consent of) the Covered Entity. Any assignment in contravention of this Section shall be null and void ab initio.

4.10. Binding Effect: This BAA is binding upon, and shall inure to the benefit of, the Parties hereto and to their respective successors and permitted assigns.

4.11. Survival: The respective rights and obligations of the Parties under Sections 3.3, 4.2, and 4.3 of this BAA shall survive the termination of this BAA.

4.12. Applicable Law and Venue: This BAA shall be governed by and construed in accordance with the laws of the state of Georgia (without regard to conflict of laws principles). The Parties agree that all actions or proceedings arising in connection with this BAA shall be tried and litigated exclusively in the state or federal (if permitted by law and if a Party elects to file an action in federal court) courts located in the county of Fulton, Georgia.

4.13. Counterparts: This BAA may be executed in multiple counterparts, each of which shall be deemed an original, but all of which together shall constitute one and the same instrument. The Parties may execute this BAA using any electronic signature complying with the U.S. ESIGN Act of 2000 and may exchange executed counterparts by facsimile, email or other transmission method, and the receipt of such executed counterparts shall be binding on the Parties and shall be treated as if an original.

IN WITNESS WHEREOF, the Parties hereto have duly executed this agreement as of the Effective Date.

BUSINESS ASSOCIATE: ImpiricusHealth Corp.