
HIPAA BUSINESS ASSOCIATE AGREEMENT

Definitions
Privacy Obligations
Obligations of Subscriber
Term and Termination
Limitation of Liability
EULA Provisions

This Business Associate Agreement (the “Agreement”) is a binding agreement between Casect, LLC (“Business Associate”) and Subscriber (hereinafter referred to as the “Covered Entity”).

    WHEREAS, Covered Entity and Business Associate are parties to an End User License Agreement for the Platform (the “EULA”), pursuant to which Business Associate may provide functions or activities on behalf of the Covered Entity as to constitute a “business associate” of the Covered Entity, as defined in the Privacy and Security Standards; and

    WHEREAS, Covered Entity and Business Associate do hereby desire to enter into this Agreement as required under the Privacy and Security Standards.

    NOW, THEREFORE, Covered Entity and Business Associate do hereby contract and agree as follows:

1. Definitions

Capitalized terms used, but not otherwise defined, in this Agreement shall have the same meanings as those terms in the HIPAA Rules, except that the terms “Protected Health Information” (“PHI”) and “Electronic Protected Health Information” (“ePHI”) shall have the same meanings as set forth in 45 C.F.R. § 160.103, limited to the information created or received by Business Associate from or on behalf of Subscriber in connection with the EULA set forth herein.
2. Privacy Obligations

Permitted Uses and Disclosures. Business Associate may use and disclose PHI as necessary to perform the functions, activities, and services contemplated by the EULA. Business Associate may also use or disclose PHI as Required by Law.
Limit on Disclosures. Business Associate agrees to not use or disclose PHI other than (i) as permitted or required by this Agreement; or (ii) as Required by Law. Business Associate may not use or disclose PHI in a manner that would violate Subpart E of 45 CFR Part 164 if done by Subscriber, except that Business Associate may use or disclose PHI (i) for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate, (provided that any disclosures for the purposes described in clause (i) of this sentence are Required By Law, or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that the information will remain confidential and be used or further disclosed only as Required By Law or for the purpose for which it was disclosed to the person, and the person notifies the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached); or (ii) to provide Data Aggregation services related to the Health Care Operations of Subscriber.
Appropriate Safeguards. Business Associate agrees to use appropriate safeguards to prevent use or disclosure of PHI other than as provided for by this Agreement and to comply with applicable provisions of Subpart C of 45 C.F.R. Part 164 with respect to ePHI.
Reporting of Security Incident, Improper Use or Disclosure and Breach. Business Associate agrees to report to Subscriber any Security Incident and any use or disclosure of the PHI non-permitted by this Agreement, of which Business Associate becomes aware. Such report shall be made without unreasonable delay and no later than sixty (60) days after Business Associate's discovery of the Security Incident or non-permitted use or disclosure. Notwithstanding the foregoing, the Parties acknowledge and agree that this section constitutes notice by Business Associate to Subscriber of the ongoing existence and occurrence of attempted but Unsuccessful Security Incidents (as defined below) for which no additional notice to Subscriber shall be required. “Unsuccessful Security Incidents” shall include, but not be limited to, pings and other broadcast attacks on Business Associate's firewall, port scans, unsuccessful log-on attempts, denials of service and any combination of the above, so long as no such incident results in unauthorized access, use, or disclosure of ePHI. In addition, Business Associate shall notify the Subscriber in accordance with 45 C.F.R. § 164.410 of any Breach of PHI that is Unsecured Protected Health Information. Such notification shall be made without unreasonable delay and no later than sixty (60) days after the Breach is discovered by Business Associate. To the extent possible, Business Associate shall also provide the applicable Subscriber such information that the Subscriber is required to include in notification to the individual under 45 C.F.R. § 164.404(c) at the time of the notification, or as promptly thereafter as such information becomes available.
Mitigations. Business Associate agrees to mitigate, to the extent practicable, harmful effects from any non-permitted use or disclosure of PHI by Business Associate.
Subcontractors. In accordance with 45 C.F.R. § 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, Business Associate agrees to ensure that any Subcontractor, that creates, receives, maintains, or transmits PHI on behalf of Business Associate agrees to the same restrictions and conditions that apply to Business Associate with respect to such information.
Designated Record Set. To the extent it holds information in a Designated Record Set, Business Associate agrees to make available and provide access to, at the request of Subscriber, PHI in a Designated Record Set, to Subscriber as necessary to satisfy Subscriber's obligations under 45 C.F.R. § 164.524. Business Associate shall forward any requests for access that Business Associate receives directly from an individual to Subscriber to fulfill. To the extent it holds information in a Designated Record Set, Business Associate agrees to incorporate any amendment of PHI in a Designated Record Set, in accordance with 45 C.F.R. § 164.526 as directed by Subscriber. Business Associate shall forward any requests for amendment that Business Associate receives directly from an individual to Subscriber to fulfill.
Accounting. With respect to disclosures by Business Associate, Business Associate agrees to maintain and make available to Subscriber the information required by 45 C.F.R. § 164.528 to permit Subscriber to respond to a written request for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528. Business Associate shall forward any requests for accountings of disclosures that Business Associate receives directly from an individual to Subscriber to fulfill.
Government Access. Business Associate agrees to make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary for purposes of the Secretary determining compliance with the HIPAA Rules.
Compliance. To the extent Business Associate is to carry out any of Subscriber's obligations under Subpart E of 45 C.F.R. Part 164, Business Associate shall comply with the requirements of Subpart E that apply to Subscriber in the performance of that obligation.
Minimum Necessary. Business Associate agrees to make uses and disclosures and requests for PHI consistent with the minimum necessary requirements of the HIPAA Rules.
3. Obligations of Subscriber

Notification. Subscriber shall notify Business Associate of any limitation(s) in the notice of privacy practices of Subscriber issued pursuant to 45 C.F.R. § 164.520, to the extent that such limitation may affect Business Associate's use or disclosure of PHI. Subscriber shall notify Business Associate of any changes in, or revocation of, permission by an individual to use or disclose PHI, to the extent that such changes may affect Business Associate's use or disclosure of PHI. Subscriber shall notify Business Associate of any restriction to the use or disclosure of PHI that Subscriber has agreed to or is required to abide by under 45 C.F.R. § 164.522, to the extent that such restriction may affect Business Associate's use or disclosure of PHI.
Obtaining Consents. Subscriber shall obtain all consents, permissions or authorizations, if any, required for Subscriber to disclose PHI to Business Associate and for Business Associate to use and disclose PHI as permitted herein.
Minimum Necessary. Subscriber agrees to limit its disclosure of PHI to Business Associate to the minimum necessary to accomplish the intended purpose of such disclosure.
Permissible Requests by Subscriber. Subscriber shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under Subpart E of 45 C.F.R. Part 164 if done by Subscriber.
4. Term and Termination

Term. The term of this Agreement shall be effective as of the Effective Date, and shall terminate upon the earlier to occur of: (i) the termination of this Agreement for cause pursuant to Section 4(b) below; or (ii) termination of the EULA.
Termination for Cause. Either Party may terminate this Agreement due to a material breach of this Agreement by one Party upon giving the other Party thirty (30) days prior written notice, provided the breaching Party does not cure the breach prior to the effective date of termination.
Effect of Termination. Upon the termination of this Agreement for any reason, Business Associate shall return or destroy all PHI and require its Subcontractors to do the same. Notwithstanding the foregoing, in the event that Business Associate determines that returning or destroying the PHI is infeasible, Business Associate shall extend the protections of this Agreement to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible for as long as Business Associate maintains such PHI. The provisions of this Section 4(c) shall survive the termination or expiration of this Agreement.
5. Limitation of Liability

IN NO EVENT SHALL EITHER PARTY BE LIABLE TO THE OTHER PARTY OR ITS AFFILIATES OR THEIR RESPECTIVE OFFICERS, DIRECTORS, EMPLOYEES, AND AGENTS FOR LOSS OR DAMAGE OF LOST PROFITS OR REVENUES OR SIMILAR ECONOMIC LOSS OR FOR ANY CONSEQUENTIAL, SPECIAL, INCIDENTAL, INDIRECT OR PUNITIVE DAMAGES, WHETHER IN CONTRACT, TORT OR OTHERWISE, ARISING OUT OF OR IN CONNECTION WITH THIS AGREEMENT, EVEN IF SUCH PARTY HAS BEEN ADVISED OF SUCH CLAIM.
6. EULA Provisions

All of the provisions contained in Sections 11 and 15 of the EULA, including but not limited to dispute resolution and contract construction, shall apply with equal force and effect to this Business Associate Agreement and the rights and obligations of Service Provider and Covered Entity.