Business Associate Agreement
This BAA governs the handling of Protected Health Information (PHI) by MedBid and its vendors, as required under HIPAA and the HITECH Act.
Version: 1.0 · Effective: April 16, 2026
Need to execute a BAA with MedBid?
Covered entities and business associates requiring a signed BAA should contact our Privacy Officer directly.
📋 The agreement below is MedBid's standard BAA template. Executed BAAs are signed separately and are not publicly filed. Contact privacy@medbid.ai to initiate a BAA with MedBid.
1. Definitions
As used in this Agreement, capitalized terms have the meanings set forth in HIPAA and the HITECH Act, as amended. Key defined terms include:
- "Covered Entity" means a healthcare provider, health plan, or healthcare clearinghouse that is subject to HIPAA and that transmits PHI in electronic form.
- "Business Associate" (BA) means a person or entity that performs functions or activities on behalf of a Covered Entity that involve the use or disclosure of PHI.
- "Protected Health Information" (PHI) means individually identifiable health information transmitted or maintained in any form or medium.
- "Breach" has the meaning set forth in 45 C.F.R. § 164.402.
- "HIPAA Rules" means the Privacy, Security, Breach Notification, and Enforcement Rules at 45 C.F.R. Parts 160 and 164.
2. Obligations of Business Associate
The Business Associate agrees to:
- Use or disclose PHI only as permitted or required by this Agreement or as required by law, and not in a manner that would violate the HIPAA Privacy Rule if done by the Covered Entity.
- Implement and maintain appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of electronic PHI (ePHI) in accordance with 45 C.F.R. § 164.306.
- Report to the Covered Entity any use or disclosure of PHI not provided for by this Agreement, including any Security Incidents or Breaches of Unsecured PHI, without unreasonable delay and no later than 60 calendar days after discovery.
- Ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of the Business Associate agree to the same restrictions, conditions, and requirements that apply to the Business Associate under this Agreement.
- Make PHI available to the Covered Entity and to individuals as necessary to satisfy the Covered Entity's obligations under 45 C.F.R. § 164.524 (right of access).
- Make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of HHS for purposes of determining compliance with the HIPAA Rules.
- Return or destroy all PHI received from the Covered Entity upon termination of this Agreement, if feasible; if not feasible, extend the protections of this Agreement to such PHI.
3. Permitted Uses and Disclosures
The Business Associate may use or disclose PHI only as follows:
- Performance of Services: To perform functions, activities, or services for or on behalf of the Covered Entity as specified in the underlying services agreement, provided such use or disclosure would not violate the HIPAA Privacy Rule if done by the Covered Entity.
- Management and Administration: For the Business Associate's proper management and administration or to carry out its legal responsibilities, provided that any disclosure for this purpose is required by law, or the Business Associate obtains reasonable assurances from recipients that they will maintain confidentiality and report violations.
- Data Aggregation: To provide data aggregation services relating to the healthcare operations of the Covered Entity, as permitted under 45 C.F.R. § 164.504(e)(2)(i)(B).
- De-identified Data: PHI may be de-identified in accordance with 45 C.F.R. § 164.514(b) and used without restriction once properly de-identified.
The Business Associate shall not use or disclose PHI in a manner that would violate Subpart E of 45 C.F.R. Part 164 if done by the Covered Entity, except as permitted above.
4. Obligations of Covered Entity
The Covered Entity agrees to:
- Notify the Business Associate of any limitation in the Covered Entity's Notice of Privacy Practices that may affect the Business Associate's use or disclosure of PHI.
- Notify the Business Associate of any changes in, or revocation of, authorization by an individual to use or disclose PHI.
- Notify the Business Associate of any restriction on the use or disclosure of PHI that the Covered Entity has agreed to, to the extent such restriction may affect the Business Associate's use or disclosure.
- Not request the Business Associate to use or disclose PHI in any manner that would not be permissible under the HIPAA Privacy Rule.
5. Term and Termination
Term: This Agreement is effective as of the date of execution and shall remain in effect until terminated by either party.
Termination for Cause: Either party may terminate this Agreement upon 30 days' written notice if the other party materially breaches a provision of this Agreement and fails to cure such breach within the notice period.
Effect of Termination: Upon termination, the Business Associate shall return or destroy all PHI that the Business Associate maintains in any form. If return or destruction is not feasible, the Business Associate shall extend the protections of this Agreement to such PHI and limit further uses and disclosures to those that make the return or destruction infeasible.
6. Miscellaneous
Amendment: This Agreement may be amended by mutual written agreement of the parties. The parties agree to amend this Agreement as necessary to comply with any changes in applicable law.
Interpretation: This Agreement shall be interpreted in accordance with applicable federal and state law. Any ambiguity shall be resolved in favor of the interpretation that permits the Covered Entity to comply with HIPAA.
Survival: Obligations related to the security, protection, and return or destruction of PHI shall survive termination of this Agreement.
Governing Law: This Agreement is governed by the laws of the State of California and applicable federal law.
Entire Agreement: This Agreement, together with the underlying services agreement, constitutes the entire agreement between the parties with respect to the subject matter hereof.
7. Signatures
By signing below, each party agrees to comply with the terms of this Business Associate Agreement.
MedBid Inc.
(Business Associate / Covered Entity)
Authorized Signature
Printed Name & Title
Date
[Business Associate / Covered Entity]
Authorized Signature
Printed Name & Title
Date
⚠️ This BAA template is provided for informational purposes. Executed, legally binding BAAs must be signed by an authorized MedBid representative. To initiate, email privacy@medbid.ai.