Business Associate Agreement

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA)

Last Updated: February 5th, 2019

THIS BUSINESS ASSOCIATE AGREEMENT is between Customer and 9zest, Inc. and is intended to govern the parties’ relationship with respect to the use and disclosure of certain data protected by law, such as Protected Health Information (defined below), which may be processed, transmitted, accessed or disclosed by or through use of the 9zest Platform. In relation to the service provided to Customer, either party may be deemed a Business Associate (as defined under 45 C.F.R. 160.103), or a subcontractor of a Business Associate, and subject to certain obligations under law. Under the regulations at 45 C.F.R. Parts 160-164 (the “Privacy and Security Rules”), a party that accesses, creates, maintains, transmits and/or receives Protected Health Information must have a written agreement that meets the applicable requirements of the Privacy and Security Rules. Accordingly, the parties agree as follows for purposes of their respective roles in the services being provided to Customer:


1. DEFINITIONS

The following terms shall have the meaning set forth below:

A. “ARRA” means the American Recovery and Reinvestment Act of 2009.

B. “Breach” has the same meaning as the term “breach” in 45 C.F.R. 164.402.

C. “Business Associate” shall refer to either Customer or 9zest, and will be applied to the party when accessing, creating, maintaining, transmitting and/or receiving Protected Health Information on behalf of the other.

D. “C.F.R.” means the Code of Federal Regulations.

E. “Designated Record Set” has the meaning assigned to such term in 45 C.F.R. 164.501.

F. “Discovery” shall mean the day on which a breach is treated as discovered as described in 45 C.F.R. 164.410(a)(2).

G. “Electronic Protected Health Information” means information that comes within paragraphs (1)(i) or (1)(ii) of the definition of “Protected Health Information”, as defined in 45 C.F.R. 160.103.

H. “Individual” shall have the same meaning as the term “individual” in 45 C.F.R. 160.103 and shall include a person who qualifies as a personal representative in accordance with 45 C.F.R. 164.502(g).

I. “Protected Health Information” shall have the same meaning as the term “Protected Health Information”, as defined by 45 C.F.R. 160.103, limited to the information created or received by Business Associate from or on behalf of the other party or the subject Covered Entity.

J. “Required by Law” shall have the same meaning as the term “required by law” in 45 C.F.R. 164.103.

K. “Secretary” shall mean the Secretary of the Department of Health and Human Services or his designee.

L. “Security Incident” shall have the same meaning as the term “security incident” in 45 C.F.R. 164.304.

M. “Standard Transactions” means the electronic health care transactions for which HIPAA standards have been established, as set forth in 45 C.F.R. Parts 160-162.

N. “Unsecured Protected Health Information” has the meaning assigned to such term in 45 C.F.R. 164.402.


2. OBLIGATIONS AND ACTIVITIES OF BUSINESS ASSOCIATE

A. Business Associate agrees to not use or further disclose Protected Health Information other than as permitted or required by this Agreement or as Required by Law. Business Associate shall also comply with any further limitations on uses and disclosures agreed by the other party in accordance with 45 C.F.R. 164.522 provided that such agreed upon limitations have been communicated to Business Associate in accordance with this Agreement.

B. Business Associate agrees to use appropriate safeguards to prevent use or disclosure of the Protected Health Information other than as provided for by this Agreement, including but not limited to the safeguards described in Section 2M of this agreement.

C. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of Protected Health Information by Business Associate in violation of the requirements of this Agreement.

D. Business Associate agrees to promptly report to the other party any use or disclosure of the Protected Health Information not provided for by this Agreement of which it becomes aware.

E. Business Associate agrees to report to the other party any Breach of Unsecured Protected Health Information promptly and without unreasonable delay and in no case later than ten (10) business days after Discovery of a Breach. Such notice shall include the identification of each Individual whose Unsecured Protected Health Information has been, or is reasonably believed by Business Associate, to have been, accessed, acquired, or disclosed in connection with such Breach. In addition, Business Associate shall provide any additional information reasonably requested by the other party for purposes of investigating the Breach.

F. In accordance with 45 C.F.R. 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, Business Associate agrees to ensure that any subcontractors that create, receive, maintain, or transmit Protected Health Information on behalf of Business Associate agree in writing to the same restrictions and conditions that apply through this Agreement to Business Associate with respect to such information.

G. Business Associate agrees to provide access, at the request of the other party, and in the time and manner designated by the other party, to Protected Health Information in a Designated Record Set, to the other party or, as directed by the other party, to an Individual in order to meet the requirements under 45 C.F.R. 164.524. If Business Associate provides copies or summaries of Protected Health Information to an Individual it may impose a reasonable, cost-based fee in accordance with 45 C.F.R. 164.524 (c)(4).

H. Business Associate agrees to make any amendment(s) to Protected Health Information in a Designated Record Set that the other party directs or agrees to pursuant to 45 C.F.R. 164.526 at the request of the other party or an Individual, and in the time and manner designated by the other party. Business Associate shall not charge any fee for fulfilling requests for amendments.

I. Business Associate agrees to make (i) internal practices, books, and records, including policies and procedures, relating to the use and disclosure of Protected Health Information received from, or created or received by Business Associate on behalf of, the other party, and (ii) policies, procedures, and documentation relating to the safeguarding of Electronic Protected Health Information available to the other party, or at the request of the other party to the Secretary or to the subject Covered Entity, in a time and manner designated by the other party, the subject Covered Entity or the Secretary, for purposes of the Secretary determining compliance with the Privacy and Security Rules.

J. Business Associate agrees to document such disclosures of Protected Health Information as would be required for the other party or the subject Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 C.F.R. 164.528.

K. Business Associate agrees to provide to the other party, or subject Covered Entity, in the time and manner described below, the information collected in accordance with Section 2J of this Agreement, to permit the other party or Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 C.F.R. 164.528.

L. Business Associate shall request and disclose Protected Health Information only in a manner that is consistent with guidance issued by the Secretary from time to time.

M. With respect to Electronic Protected Health Information, Business Associate shall implement and comply with (and ensure that its subcontractors implement and comply with) the administrative safeguards set forth at 45 C.F.R. 164.308, the physical safeguards set forth at 45 C.F.R. 164.310, the technical safeguards set forth at 45 C.F.R. 164.312, and the policies and procedures set forth at 45 C.F.R. 164.316 to reasonably and appropriately protect the confidentiality, integrity, and availability of the Electronic Protected Health Information that it creates, receives, maintains, or transmits on behalf of the other party.

N. With respect to Electronic Protected Health Information, Business Associate shall ensure that any subcontractors that create, receive, maintain, or transmit Electronic Protected Health Information on behalf of Business Associate, agree to comply with the applicable requirements of Subpart C of 45 C.F.R. Part 164 by entering into a contract that complies with 45 C.F.R. Section 164.314.

O. Business Associate shall report to the other party any Security Incident of which it becomes aware, including Breaches of Unsecured Protected Health Information as required by 45 C.F.R. Section 164.410. For those Security Incidents deemed unsuccessful, this section shall constitute notice of the ongoing existence of attempted but unsuccessful Security Incidents for which no additional notice shall be required.

P. If Business Associate conducts any Standard Transactions on behalf of the other party, Business Associate shall comply with the applicable requirements of 45 C.F.R. Parts 160-162.


3. PERMITTED USES AND DISCLOSURES BY BUSINESS ASSOCIATE

A. General Use and Disclosure. Except as otherwise limited in this Agreement, Business Associate may use or disclose Protected Health Information to perform its obligations and services to the other party, provided that such use or disclosure would not violate the Privacy and Security Rules or the minimum necessary policies and procedures of the other party.

B. Specific Use and Disclosure Provisions.

i. Except as otherwise prohibited by this Agreement, Business Associate may use Protected Health Information for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate.

ii. Except as otherwise prohibited by this Agreement, Business Associate may disclose Protected Health Information for the proper management and administration of the Business Associate, provided that such disclosures are Required by Law, or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and be used or further disclosed only as Required by Law or for the purpose for which it was disclosed to the person, and the person notifies the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached, in accordance with the Breach and Security Incident notification requirements of this Agreement.

iii. Business Associate shall not directly or indirectly receive remuneration in exchange for any Protected Health Information of an Individual without prior written approval from the other party or the subject Covered Entity and notice from the other party or Covered Entity that it has obtained from the Individual, in accordance with 45 C.F.R. 164.508, a valid authorization that includes a specification of whether the Protected Health Information can be further exchanged for remuneration by Business Associate. The foregoing shall not apply to payments to Business Associate for services delivered by Business Associate.

iv. Business Associate shall not de-identify any Protected Health Information except as permitted by 45 C.F.R. 164.504(e)(2)(i)(B).

v. Business Associate may use Protected Health Information to report violations of law to appropriate Federal and State authorities, consistent with 45 C.F.R. 164.502(j)(1).


4. OBLIGATIONS OF THE OTHER PARTY

A. Provisions for other party to Inform Business Associate of Privacy Practices and Restrictions.

i. The other party shall notify Business Associate of any limitation(s) in the other party’s notice of privacy practices that the party produces in accordance with 45 C.F.R. 164.520 (as well as any changes to that notice), to the extent that such limitation(s) may affect Business Associate’s use or disclosure of Protected Health Information.

ii. The other party shall provide Business Associate with any changes in, or revocation of, permission by Individual to use or disclose Protected Health Information, to the extent that such changes affect Business Associate’s use or disclosure of Protected Health Information.

iii. The other party shall notify Business Associate of any restriction to the use or disclosure of Protected Health Information that the other party has agreed to in accordance with 45 C.F.R. 164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of Protected Health Information.

B. Permissible Requests. Except as may be set forth in Section 3B, a party shall not request Business Associate to use or disclose Protected Health Information in any manner that would not be permissible under the Privacy and Security Rules.


5. TERM AND TERMINATION

A. Term. The provisions of this Agreement shall take effect on the date Customer executes an agreement to use the 9zest Platform and shall terminate when all of the Protected Health Information provided to Business Associate, or created, maintained, transmitted or received by Business Associate, is destroyed or returned, or otherwise in accordance with Section 5C.

B. Termination for Cause. Without limiting the termination rights of the parties pursuant to any other agreement between them, and upon a material breach of this Agreement by Business Associate, the other party shall either:

i. Provide an opportunity for Business Associate to cure the breach or end the violation, and terminate this Agreement and any other agreements between them if Business Associate does not cure the breach or end the violation; or

ii. Immediately terminate this Agreement, if cure of such breach is not possible.

C. Effect of Termination.

i. Except as provided in Section 5C(ii), upon termination of this Agreement, for any reason, Business Associate shall return or destroy all Protected Health Information received from the other party, or created, maintained, transmitted or received by Business Associate on behalf of the other party. This provision shall apply to Protected Health Information that is in the possession of subcontractors or agents of Business Associate. Business Associate shall retain no copies of the Protected Health Information.

ii. In the event the Business Associate determines that returning or destroying the Protected Health Information is infeasible, Business Associate shall provide to the other party notification of the conditions that make return or destruction infeasible. Upon mutual agreement of the parties that return or destruction of Protected Health Information is infeasible, Business Associate shall continue to extend the protection of this Agreement to such Protected Health Information and limit further uses and disclosures of such Protected Health Information for so long as Business Associate maintains such Protected Health Information.


6. MISCELLANEOUS

A. Regulatory References. A reference in this Agreement to a section in the Privacy and Security Rules means the section as in effect or as amended, and for which compliance is required.

B. Amendment.

i. Change in Laws. Upon the enactment of any law or regulation affecting the use or disclosure of Protected Health Information or the safeguarding of Electronic Protected Health Information, or the publication of any decision of a court of the United States or any state relating to any such law or the publication of any interpretive policy or opinion of any governmental agency charged with the enforcement of any such law or regulation, either party may, by written notice to the other party, propose to amend this Agreement in such manner as such party determines necessary to comply with such law or regulation. If the other party disagrees with such amendment, it shall so notify the first party in writing within thirty (30) days of the notice. If the parties are unable to agree on an amendment within thirty (30) days thereafter, then either of the parties may terminate this Agreement and any other related agreements between them on thirty (30) days written notice to the other party.

ii. Modification by 9zest. 9zest, in its sole discretion, may modify or amend the terms of this Agreement from time to time. The modified or amended terms will supersede any prior version. 9zest will notify Customer of such modification or amendment, either in writing delivered to Customer’s designated contact representative (including via email) or through notice in the Customer’s account and administration portal available to Customer within the platform. Upon Customer’s receipt of notice, or the placement of the notice within the account and administration portal, Customer will have thirty (30) days to provide 9zest with written notice of its objection to the modified or amended terms. To the extent Customer effectively delivers such notice, and the parties are unable to otherwise reach agreement on 9zest’s changes to this Agreement, then the prior version of the Agreement between the parties will remain in full force and effect, except with regard to modifications based on changes in law, which permit termination as described further in this Agreement. If Customer fails to provide written notice of its objection within the 30-day period described above, Customer hereby agrees that its continued use of 9zest’s products and services to which these terms apply will be deemed acceptance of the modified or amended terms.

C. Survival. The respective rights and obligations of Business Associate under Section 5C of this Agreement shall survive termination.

D. Interpretation. Any ambiguity in this Agreement shall be resolved in favor of a meaning that permits compliance with the Privacy and Security Rules. In the event of any inconsistency or conflict between this Agreement and any other agreement between the parties, the terms, provisions and conditions of this Agreement shall govern and control.

E. No Third Party Beneficiary. Nothing express or implied in this Agreement is intended to confer, nor shall anything herein confer, upon any person other than the parties and the respective successors or assigns of the parties, any rights, remedies, obligations, or liabilities whatsoever.

F. Execution. The parties agree that execution of an Order Form by the parties shall be deemed execution of this Agreement for all purposes.