Business Associate Agreement
Effective Date: As of execution · Last Updated: May 1, 2026
Draft — pending counsel review
This document is a working draft adapted from HIPAA-aware industry templates. It has not yet been reviewed by Klaxar legal counsel and is not a binding agreement. For questions or to receive the final executable version, contact legal@klaxar.com.
How to execute this BAA
This BAA template is provided for review. To execute a binding BAA between Klaxar Inc. and your organization, contact legal@klaxar.com with your organization's legal contact and we will coordinate signature via DocuSign or equivalent. We do not begin processing PHI until a counter-signed BAA is in place.
1. Parties & Effective Date
This Business Associate Agreement (“BAA”) is entered into between [Covered Entity Legal Name] (“Covered Entity”) and Klaxar Inc. (“Business Associate” or “Klaxar”) effective as of the date of execution.
This BAA supplements the underlying Terms of Service or written services agreement (“Service Agreement”) between the parties. In the event of conflict, this BAA controls with respect to PHI.
2. Definitions
Capitalized terms not defined here have the meanings given in 45 CFR Parts 160 and 164 (the “HIPAA Rules”), including:
- Breach — as defined in 45 CFR §164.402
- Designated Record Set — as defined in 45 CFR §164.501
- Electronic Protected Health Information (ePHI) — as defined in 45 CFR §160.103
- Individual — as defined in 45 CFR §160.103
- Privacy Rule — Subparts A and E of 45 CFR Part 164
- Protected Health Information (PHI) — as defined in 45 CFR §160.103, limited to information created or received by Business Associate from or on behalf of Covered Entity
- Required by Law — as defined in 45 CFR §164.103
- Secretary — Secretary of the U.S. Department of Health and Human Services or designee
- Security Rule — Subparts A and C of 45 CFR Part 164
3. Permitted Uses & Disclosures by Business Associate
Business Associate may use and disclose PHI only as follows:
- To perform the services described in the Service Agreement
- For Business Associate's proper management and administration
- To carry out Business Associate's legal responsibilities
- For data aggregation services as permitted by 45 CFR §164.504(e)(2)(i)(B), if applicable
- As Required by Law
Business Associate will not use or disclose PHI in a manner that would violate the HIPAA Rules if done by Covered Entity, except as expressly permitted under this BAA.
4. Obligations of Business Associate
Business Associate agrees to:
- Not use or disclose PHI other than as permitted by this BAA or required by law
- Use appropriate safeguards (administrative, physical, technical) to prevent unauthorized use or disclosure of PHI
- Comply with the Security Rule with respect to ePHI
- Report to Covered Entity any use or disclosure of PHI not provided for by this BAA, including any Breach of Unsecured PHI as required by 45 CFR §164.410, without unreasonable delay and in no case later than thirty (30) days after discovery
- Ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of Business Associate agree in writing to substantially the same restrictions and conditions that apply to Business Associate under this BAA (45 CFR §164.502(e)(1)(ii))
- Make PHI in a Designated Record Set available to Covered Entity (or to an Individual at Covered Entity's direction) within fifteen (15) days as required by 45 CFR §164.524
- Make PHI available for amendment as directed by Covered Entity per 45 CFR §164.526
- Provide an accounting of disclosures of PHI as required by 45 CFR §164.528 within sixty (60) days of request
- Make internal practices, books, and records relating to PHI available to the Secretary for purposes of determining HIPAA compliance
5. Obligations of Covered Entity
Covered Entity agrees to:
- Notify Business Associate of any limitation in its Notice of Privacy Practices that may affect Business Associate's use or disclosure of PHI
- Notify Business Associate of any changes in, or revocation of, an Individual's authorization to use or disclose PHI
- Notify Business Associate of any restriction on the use or disclosure of PHI that Covered Entity has agreed to or is required to abide by under 45 CFR §164.522
- Not request Business Associate to use or disclose PHI in a manner that would violate the HIPAA Rules if done by Covered Entity
6. Breach Notification
Business Associate will notify Covered Entity of a Breach of Unsecured PHI without unreasonable delay, and in no event more than thirty (30) days after discovery of the Breach. Notification will include, to the extent known, the information required by 45 CFR §164.410(c).
The parties will cooperate in good faith to investigate, mitigate, and remediate any Breach. Business Associate will bear the reasonable costs of investigation and notification arising from a Breach caused by Business Associate's acts or omissions.
7. Term & Termination
This BAA is effective on the date of last signature and remains in effect until the earlier of: (a) termination of the Service Agreement; or (b) termination of this BAA by either party.
Termination for cause. Covered Entity may immediately terminate this BAA and the Service Agreement upon a material breach of this BAA by Business Associate that is not cured within thirty (30) days of written notice (or, if cure is not feasible, terminate immediately).
Effect of termination. Upon termination, Business Associate will return to Covered Entity or destroy all PHI it maintains in any form, including PHI maintained by its subcontractors. If return or destruction is infeasible, Business Associate will extend the protections of this BAA to that PHI and limit further uses and disclosures to those purposes that make the return or destruction infeasible (45 CFR §164.504(e)(2)(ii)(J)).
8. Subcontractors
Business Associate maintains a current list of subcontractors that may create, receive, maintain, or transmit PHI on its behalf. Business Associate will not engage a new such subcontractor without ensuring the subcontractor has executed a written agreement substantially equivalent to this BAA. The current subcontractor list is available at klaxar.com/legal/subprocessors (coming soon).
9. Miscellaneous
- Regulatory references. A reference to a section of HIPAA means the section as in effect or as amended.
- Amendment. The parties agree to amend this BAA as necessary to comply with changes in the HIPAA Rules or other applicable law.
- Survival. The obligations of Business Associate under Sections 4, 6, 7, and 8 survive termination of this BAA.
- No third-party beneficiaries. Nothing in this BAA confers any rights on any person or entity other than the parties.
- Interpretation. Any ambiguity in this BAA will be resolved in favor of a meaning that permits Covered Entity to comply with the HIPAA Rules.
10. Signatures
By executing this BAA, each party represents that the signatory has authority to bind the party.
Signatures collected via DocuSign or equivalent at execution. Contact legal@klaxar.com to begin signature workflow.
Template structure adapted from the HHS sample BAA provisions and HIPAA-aware industry templates. Pending counsel review and final customization before execution.