Business Associate Agreement

This Business Associate Agreement ("Agreement") is entered into as of            ("Effective Date") between:

CE and BA are each a "Party" and together the "Parties." This Agreement supplements, and is incorporated into, any underlying services agreement between the Parties ("Services Agreement").

1. Definitions

Capitalized terms used but not defined herein have the meanings given in the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), the Health Information Technology for Economic and Clinical Health Act ("HITECH"), and their implementing regulations (collectively, "HIPAA Rules").

• "PHI" means Protected Health Information as defined in 45 C.F.R. § 160.103.
• "Electronic PHI" or "ePHI" means PHI maintained in or transmitted by electronic media.
• "Security Incident" has the meaning at 45 C.F.R. § 164.304.
• "Breach" has the meaning at 45 C.F.R. § 164.402.

2. Obligations of BA

BA agrees to:

1. Use or disclose PHI only as permitted or required by this Agreement, the HIPAA Rules, or as required by law.
2. Implement appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of ePHI that BA creates, receives, maintains, or transmits on behalf of CE, in accordance with 45 C.F.R. Part 164, Subpart C.
3. Report to CE any Security Incident, Breach of Unsecured PHI, or use or disclosure of PHI not provided for by this Agreement, without unreasonable delay and in no case later than thirty (30) calendar days after BA becomes aware of such event.
4. Ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of BA agree to the same restrictions and conditions that apply to BA under this Agreement.
5. Make PHI available to CE as necessary to satisfy CE's obligations to individuals under 45 C.F.R. § 164.524 (access), § 164.526 (amendment), and § 164.528 (accounting).
6. Return or destroy all PHI received from, or created or received by BA on behalf of, CE upon termination of this Agreement, if feasible. Where return or destruction is not feasible, BA shall extend the protections of this Agreement to the PHI and limit further use or disclosure to those purposes that make the return or destruction infeasible.

3. Permitted uses and disclosures by BA

BA may use and disclose PHI as follows:

1. Services. BA may use PHI to provide the services described in the Services Agreement, and may disclose PHI as directed by CE or as required by the HIPAA Rules.
2. BA's own management and administration. BA may use PHI for BA's proper management and administration or to carry out BA's legal responsibilities, provided that disclosures for this purpose are required by law, or BA obtains reasonable assurances from the recipient that PHI will be kept confidential and used/disclosed only as required by law or for the purposes for which it was disclosed.
3. Data aggregation. BA may use PHI to provide data aggregation services relating to the health care operations of CE, as permitted under 45 C.F.R. § 164.504(e)(2)(i)(B).

4. Obligations of CE

CE agrees to:

1. Notify BA of any restriction on the use or disclosure of PHI that CE has agreed to with individuals, to the extent that such restriction may affect BA's use or disclosure of PHI.
2. Not request BA to use or disclose PHI in any manner that would not be permissible under the HIPAA Rules if done by CE.
3. Obtain any necessary authorizations from individuals before providing PHI to BA for uses outside the scope of treatment, payment, or health care operations.

5. Term and termination

1. Term. This Agreement is effective as of the Effective Date and continues until the Services Agreement terminates, unless terminated earlier in accordance with this Section.
2. Termination for cause. Either Party may terminate this Agreement immediately upon written notice if the other Party materially breaches this Agreement and fails to cure such breach within thirty (30) days after receipt of written notice.
3. Effect of termination. Upon termination, BA shall return or destroy PHI as described in Section 2(f).

6. Miscellaneous

1. Amendment. This Agreement may only be amended in writing, signed by both Parties. The Parties agree to amend this Agreement as necessary to comply with changes in applicable law.
2. No third-party beneficiaries. Nothing in this Agreement confers any right or benefit on any person other than the Parties.
3. Governing law. This Agreement is governed by the laws of the State of Delaware, without regard to conflict-of-law principles, except to the extent superseded by federal law.
4. Entire agreement. This Agreement, together with the Services Agreement, constitutes the entire agreement between the Parties with respect to the subject matter hereof, and supersedes all prior and contemporaneous agreements relating to that subject matter.
5. Regulatory references. Any reference to a HIPAA regulation in this Agreement refers to the most current version of that regulation.