Business Associate Agreement

Last updated: March 2026

This Business Associate Agreement ("BAA") is entered into by and between the healthcare organization or provider using the Dox2Dox platform ("Covered Entity") and Dox2Dox, Inc. ("Business Associate"). This BAA supplements and is made part of the Terms of Service between the parties.

1. Definitions

For purposes of this BAA, the following terms shall have the meanings set forth below. Capitalized terms not otherwise defined herein shall have the meanings given in HIPAA (45 CFR Parts 160 and 164):

  • Covered Entity: The healthcare organization, provider, or health plan that uses the Dox2Dox platform and is subject to HIPAA
  • Business Associate: Dox2Dox, Inc., which creates, receives, maintains, or transmits Protected Health Information on behalf of the Covered Entity
  • Protected Health Information (PHI): Individually identifiable health information transmitted or maintained in any form or medium, as defined under 45 CFR § 160.103
  • Electronic Protected Health Information (ePHI): PHI that is transmitted or maintained in electronic media
  • Security Incident: The attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system
  • Breach: The acquisition, access, use, or disclosure of PHI in a manner not permitted under HIPAA that compromises the security or privacy of the PHI, as defined under 45 CFR § 164.402

2. Obligations of Business Associate

Business Associate agrees to:

  • Not use or disclose PHI other than as permitted or required by this BAA or as required by law
  • Use appropriate safeguards, including implementing administrative, physical, and technical safeguards that reasonably protect the confidentiality, integrity, and availability of ePHI
  • Report to Covered Entity any use or disclosure of PHI not provided for by this BAA of which it becomes aware, including Breaches of unsecured PHI as required by 45 CFR § 164.410
  • Ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of the Business Associate agree to the same restrictions and conditions
  • Make PHI available to Covered Entity as necessary to satisfy Covered Entity's obligations under HIPAA
  • Make its internal practices, records, and books relating to the use and disclosure of PHI available to the Secretary of Health and Human Services for purposes of determining compliance
  • Comply with the HIPAA Security Rule requirements applicable to Business Associates

3. Permitted Uses and Disclosures of PHI

Business Associate may use or disclose PHI only as follows:

  • As necessary to perform services for or on behalf of Covered Entity under the Terms of Service, provided that such use or disclosure would not violate HIPAA if done by Covered Entity
  • As required by law, including but not limited to compliance with HIPAA, court orders, or lawful government requests
  • For the proper management and administration of Business Associate, provided that disclosures are required by law or Business Associate obtains reasonable assurances from the recipient that the PHI will be held confidentially
  • To provide data aggregation services relating to the healthcare operations of Covered Entity, if permitted under the Terms of Service

4. Safeguards

Business Associate shall implement and maintain safeguards including:

Administrative Safeguards

  • Designation of a Security Officer and Privacy Officer
  • Workforce training on HIPAA compliance and information security
  • Risk analysis and management program
  • Sanction policies for workforce violations
  • Contingency planning and disaster recovery procedures

Physical Safeguards

  • Facility access controls for data centers and offices
  • Workstation and device security policies
  • Media disposal and re-use procedures

Technical Safeguards

  • AES-256 end-to-end encryption for all communications and file transfers
  • TLS 1.3 encryption for data in transit
  • Encryption of data at rest
  • Unique user identification and role-based access controls
  • Automatic session timeouts and audit logging
  • Integrity controls to prevent unauthorized data alteration

5. Reporting of Breaches & Security Incidents

Business Associate shall report to Covered Entity:

  • Any Breach of unsecured PHI without unreasonable delay and in no case later than sixty (60) calendar days after discovery
  • Any Security Incident of which Business Associate becomes aware, within a commercially reasonable timeframe
  • The identification of each individual whose PHI has been or is reasonably believed to have been affected
  • A description of the nature of the Breach, including the types of PHI involved
  • Recommended steps individuals should take to protect themselves
  • A description of what Business Associate is doing to investigate and mitigate the Breach and prevent future occurrences

6. Subcontractors

Business Associate shall ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of Business Associate agree in writing to the same restrictions, conditions, and requirements that apply to Business Associate under this BAA. Business Associate shall remain responsible for the acts and omissions of its subcontractors to the same extent as if performed by Business Associate itself.

7. Access to PHI / Amendment Rights

Business Associate shall make PHI maintained in a Designated Record Set available to Covered Entity as necessary to satisfy Covered Entity's obligations under 45 CFR § 164.524 (individual access) and 45 CFR § 164.526 (amendment). Business Associate shall respond to such requests within fifteen (15) business days and shall cooperate with Covered Entity to fulfill its obligations to individuals.

8. Accounting of Disclosures

Business Associate shall maintain and make available to Covered Entity the information required to provide an accounting of disclosures in accordance with 45 CFR § 164.528. Business Associate shall maintain such records for a period of six (6) years from the date of the disclosure. The accounting shall include the date of disclosure, name and address of the recipient, a description of the PHI disclosed, and the purpose of the disclosure.

9. Return or Destruction of PHI upon Termination

Upon termination of this BAA or the underlying Terms of Service, Business Associate shall, if feasible, return or destroy all PHI received from or created on behalf of Covered Entity. If return or destruction is not feasible, Business Associate shall extend the protections of this BAA to the PHI and limit further uses and disclosures to those purposes that make return or destruction infeasible. Business Associate shall certify in writing to Covered Entity that PHI has been returned or destroyed, or that return or destruction is not feasible.

10. Term and Termination

This BAA shall be effective as of the date Covered Entity first uses the Service and shall terminate when all PHI received from or created on behalf of Covered Entity has been returned or destroyed. Either party may terminate this BAA if it determines that the other party has violated a material term of this BAA.

Covered Entity may terminate this BAA and the underlying Terms of Service if Business Associate has breached a material term and has not cured the breach within thirty (30) days of receiving written notice. Termination of this BAA shall constitute termination of the Terms of Service to the extent PHI processing is involved.

11. Miscellaneous

  • Survival: The obligations of Business Associate under Sections 5, 8, and 9 shall survive termination of this BAA
  • Interpretation: Any ambiguity in this BAA shall be resolved in favor of a meaning that permits compliance with HIPAA. In the event of a conflict between this BAA and the Terms of Service, this BAA shall prevail with respect to PHI
  • Amendment: This BAA may be amended only in writing signed by both parties. The parties agree to amend this BAA as necessary to comply with changes in HIPAA regulations
  • No third-party beneficiaries: Nothing in this BAA shall confer any rights upon any person other than the parties and their respective successors and assigns
  • Governing law: This BAA shall be governed by the laws of the State of Delaware, consistent with applicable federal law including HIPAA

12. Contact Information

For questions about this Business Associate Agreement or to report a potential breach:

Dox2Dox, Inc. — Privacy Officer

Email: privacy@dox2dox.com

General: hello@hymnchat.com