Business Associate Agreement

Effective Date: Upon execution by both parties

This Business Associate Agreement ("BAA" or "Agreement") is entered into by and between:

Covered Entity: _________________________________ ("Covered Entity" or "Customer")

Business Associate: Vocarep ("Business Associate" or "Vocarep")

1. Purpose

This Agreement establishes the terms under which Business Associate may receive, create, maintain, use, or disclose Protected Health Information ("PHI") on behalf of Covered Entity in connection with the services provided under the applicable Service Agreement between the parties.

2. Definitions

Terms used in this Agreement shall have the same meaning as those terms defined in the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), the Health Information Technology for Economic and Clinical Health Act ("HITECH"), and their implementing regulations at 45 CFR Parts 160 and 164 ("HIPAA Rules"), as amended from time to time.

3. Obligations of Business Associate

Business Associate agrees to:

  1. Permitted Uses and Disclosures: Use or disclose PHI only as permitted or required by this Agreement, the Service Agreement, or as required by law.
  2. Safeguards: Implement appropriate administrative, physical, and technical safeguards to prevent the use or disclosure of PHI other than as provided for by this Agreement, and to comply with the Security Rule requirements applicable to Business Associates.
  3. Reporting: Report to Covered Entity any use or disclosure of PHI not provided for by this Agreement of which Business Associate becomes aware, including any Breach of Unsecured PHI and any Security Incident, without unreasonable delay and in no case later than thirty (30) days after discovery.
  4. Subcontractors: Ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of Business Associate agree to the same restrictions and conditions that apply to Business Associate with respect to such PHI.
  5. Access to PHI: Make available PHI in a Designated Record Set to Covered Entity or, as directed by Covered Entity, to an Individual, to satisfy Covered Entity's obligations under 45 CFR § 164.524.
  6. Amendment of PHI: Make available PHI for amendment and incorporate any amendments to PHI as directed by Covered Entity pursuant to 45 CFR § 164.526.
  7. Accounting of Disclosures: Make available the information required to provide an accounting of disclosures to Covered Entity pursuant to 45 CFR § 164.528.
  8. Government Access: Make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of Health and Human Services for purposes of determining compliance with the HIPAA Rules.
  9. Minimum Necessary: Limit the use, disclosure, or request of PHI to the minimum necessary to accomplish the intended purpose.

4. Permitted Uses and Disclosures

Business Associate may use or disclose PHI:

  1. To perform functions, activities, or services for, or on behalf of, Covered Entity as specified in the Service Agreement, provided that such use or disclosure would not violate the HIPAA Rules if done by Covered Entity.
  2. For the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate, provided that: (i) the disclosures are required by law; or (ii) Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will be held confidentially and used or further disclosed only as required by law or for the purposes for which it was disclosed to the person, and the person notifies Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.
  3. To aggregate PHI in its possession with the PHI of other covered entities that Business Associate has in its possession through its capacity as a business associate to such other covered entities, provided that the purpose of such aggregation is to provide data analyses relating to the health care operations of the respective covered entities.
  4. To de-identify PHI in accordance with 45 CFR § 164.514(a)-(c).

5. Obligations of Covered Entity

Covered Entity agrees to:

  1. Notify Business Associate of any limitations in Covered Entity's notice of privacy practices that may affect Business Associate's use or disclosure of PHI.
  2. Notify Business Associate of any changes in, or revocation of, the permission by an Individual to use or disclose their PHI, to the extent that such changes may affect Business Associate's use or disclosure of PHI.
  3. Notify Business Associate of any restriction on the use or disclosure of PHI that Covered Entity has agreed to or is required to abide by under 45 CFR § 164.522, to the extent that such restriction may affect Business Associate's use or disclosure of PHI.
  4. Not request Business Associate to use or disclose PHI in any manner that would not be permissible under the HIPAA Rules if done by Covered Entity.

6. Security Requirements

Business Associate shall implement and maintain the following security measures:

  1. Encryption: All ePHI transmitted over public networks shall be encrypted using TLS 1.2 or higher. All ePHI at rest shall be encrypted using AES-256 or equivalent.
  2. Access Controls: Role-based access controls shall be implemented to ensure that only authorized personnel have access to PHI, and only to the extent necessary to perform their duties.
  3. Authentication: Multi-factor authentication shall be required for all administrative access to systems containing PHI.
  4. Audit Logging: Business Associate shall maintain audit logs of all access to and actions performed on PHI.
  5. Workforce Training: Business Associate shall ensure that all workforce members with access to PHI receive appropriate training on HIPAA requirements and security procedures.

7. Breach Notification

In the event of a Breach of Unsecured PHI, Business Associate shall:

  1. Notify Covered Entity without unreasonable delay, and in no case later than thirty (30) days after discovery of the Breach.
  2. Provide Covered Entity with the following information, to the extent known:
    • The identification of each Individual whose PHI has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed during the Breach;
    • A brief description of what happened, including the date of the Breach and the date of discovery;
    • A description of the types of PHI involved;
    • Any steps Individuals should take to protect themselves;
    • A description of what Business Associate is doing to investigate, mitigate harm, and protect against future Breaches.
  3. Cooperate with Covered Entity in investigating and responding to the Breach.

8. Term and Termination

  1. Term: This Agreement shall become effective upon execution by both parties and shall remain in effect until terminated as provided herein or until all PHI provided by Covered Entity to Business Associate is destroyed or returned.
  2. Termination for Cause: Either party may terminate this Agreement if it determines that the other party has violated a material term of this Agreement. The non-breaching party shall provide written notice to the breaching party and allow thirty (30) days for the breaching party to cure the violation before termination.
  3. Effect of Termination: Upon termination of this Agreement, Business Associate shall, if feasible, return or destroy all PHI received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity, and retain no copies. If return or destruction is not feasible, Business Associate shall extend the protections of this Agreement to such PHI and limit further uses and disclosures to those purposes that make the return or destruction infeasible.

9. Miscellaneous

  1. Amendment: This Agreement may not be modified except by a written document signed by both parties. The parties agree to negotiate in good faith any amendments to this Agreement that may be necessary to comply with changes to HIPAA or HITECH requirements.
  2. Survival: The obligations of Business Associate under Section 8.3 (Effect of Termination) shall survive the termination of this Agreement.
  3. Interpretation: Any ambiguity in this Agreement shall be interpreted to permit compliance with the HIPAA Rules.
  4. No Third-Party Beneficiaries: Nothing in this Agreement shall confer upon any person other than the parties and their respective successors or assigns, any rights or remedies.
  5. Governing Law: This Agreement shall be governed by federal law, including HIPAA and HITECH. To the extent not preempted by federal law, this Agreement shall be governed by the laws of the state in which Covered Entity is located.

Signatures

IN WITNESS WHEREOF, the parties have executed this Business Associate Agreement as of the date last signed below.

COVERED ENTITY

Signature: _________________________________

Printed Name: _________________________________

Title: _________________________________

Date: _________________________________

BUSINESS ASSOCIATE (Vocarep)

Signature: _________________________________

Printed Name: _________________________________

Title: _________________________________

Date: _________________________________