This Business Associate Agreement (the “BAA”) is entered into by and between Resolver Inc., an Ontario corporation, on behalf of itself and its affiliates (“Business Associate”) and the counterparty which has signed below or is named in the applicable Order Form (“Covered Entity”) pursuant to the Resolver Terms of Service or other, similar agreement entered into by and between Business Associate and Covered Entity (the “Terms of Service”). Business Associate and Covered Entity may each be referred to herein as a “Party,” and collectively, the “Parties.” The Parties agree that this BAA is entered into pursuant to and incorporated by reference into the Terms of Service.
To the extent that Business Associate may be providing qualifying services to Covered Entity under the Terms of Service, and Covered Entity wishes to disclose certain information to Business Associate pursuant to the Terms of Service, some of which may constitute Protected Health Information (as defined below), this BAA will apply.
Covered Entity and Business Associate intend to protect the privacy and provide for the security of Protected Health Information (“PHI”) disclosed to Business Associate pursuant to the Terms of Service, in compliance with the applicable requirements of the Health Insurance Portability and Accountability Act of 1996, as amended from time to time (“HIPAA”), including Sections 13400 through 13424 of the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”), and the corresponding Privacy Rule, Security Rule, and the Notification in the Case of Breach of Unsecured PHI (the “Breach Notification Rule”) and related regulations promulgated by the Secretary (collectively “HIPAA Regulations”). Accordingly, Business Associate and Covered Entity agree to be bound by the following terms and conditions.
The Parties agree that this BAA is intended to supplement, and is incorporated into, the Terms of Service for the delivery of services which may involve the creation, receipt, maintenance, or transmission of PHI by Business Associate from or on behalf of Covered Entity.
Defined Terms
Capitalized terms used but not defined herein have the meanings set forth under HIPAA, the HITECH Act and HIPAA Regulations as in effect or as amended from time to time, or as otherwise defined in the Services Agreement, which definitions are incorporated in this BAA by reference.
For the purposes of this BAA, Client shall be referred to as “Covered Entity,” and Resolver Inc. as “Business Associate.”
Obligations and Activities of Business Associate
Use and Disclosure. Business Associate agrees not to use or disclose PHI other than as permitted or required by the Terms of Service, this BAA or as Required By Law. Business Associate may not use or disclose PHI in a manner that would violate the Privacy Rule if done by Covered Entity, except as permitted or required by this BAA or as Required By Law.
Appropriate Safeguards. Business Associate agrees to use appropriate safeguards to prevent the use or disclosure of the PHI other than as provided for by this BAA. Without limiting the generality of the foregoing sentence, Business Associate will:
Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of Electronic PHI that it creates, receives, maintains or transmits on behalf of Covered Entity, as required by the Security Rule.
Require that each subcontractor, to whom Business Associate provides Electronic PHI received from, or created or received by Business Associate on behalf of Covered Entity, agrees to substantially similar restrictions and conditions that apply through this BAA to Business Associate with respect to such information through a contractual arrangement that complies with 45 CFR § 164.314.
Promptly report to Covered Entity any Security Incident of which Business Associate becomes aware. In addition, Business Associate agrees to promptly notify Covered Entity following the discovery of a Breach of Unsecured PHI. A Breach is considered “discovered” as of the first day on which the Breach is known, or reasonably should have been known, to Business Associate or any employee, or officer of Business Associate, other than the individual committing the Breach. However, if a Law Enforcement Official states to the Business Associate that any notification required under 45 C.F.R. §§ 164.404 to 164.410 would impede a criminal investigation or cause damage to national security, the Business Associate shall:
if the statement from the Law Enforcement Official is in writing and specifies the time for which a delay is required, delay such notification to Covered Entity for the time period specified by the Law Enforcement Official; or
if the statement from the Law Enforcement Official is made orally, document the statement, including the identity of the Law Enforcement Official making the statement, and delay the notification to Covered Entity temporarily and no longer than thirty (30) calendar days from the date of the oral statement, unless a written statement is submitted during that time (in which case Section 2(b)(iii)(a) shall apply).
Any notice to Covered Entity of a Breach of Unsecured PHI shall include, to the extent possible:
the identification of each Individual whose PHI has been, or is reasonably believed by Business Associate to have been used, accessed, acquired, or disclosed during such Breach;
a brief description of what happened including the date of the Breach and the discovery of the Breach, if known;
a description of the types of Unsecured PHI that were involved in the Breach;
any steps Individuals should take to protect themselves from potential harm resulting from the Breach;
a brief description of what the Business Associate is doing or will be doing to investigate the Breach, to mitigate harm to Individuals, and to protect against any further breaches; and
any other relevant information regarding the Breach that Covered Entity determines it needs to include in notifications to the Individual(s) under 45 CFR § 164.404(c).
Covered Entity acknowledges the ongoing existence and occurrence of ordinary attempted but Unsuccessful Security Incidents (as defined below) which shall not constitute a Security Incident and shall not require Business Associate to provide notice to Covered Entity (and if notice is required, this provision shall be deemed to provide notice to Covered Entity of Unsuccessful Security Incidents). “Unsuccessful Security Incidents” shall include, but not be limited to, pings and other broadcast attacks on Business Associate’s firewall, port scans, unsuccessful log-on attempts, denials of service and any combination of the above, so long as no such incident results in unauthorized access, use or disclosure of PHI.
Reporting. Business Associate agrees to promptly report to Covered Entity any use or disclosure of PHI not permitted or required by this BAA or the Terms of Service of which Business Associate becomes aware.
Mitigation. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate resulting from a use or disclosure of PHI by Business Associate or its employees, or officers in violation of the requirements of this BAA (including, without limitation, any Security Incident of which it becomes aware or Breach of Unsecured PHI as required by 45 CFR § 164.410). Business Associate agrees to reasonably cooperate and coordinate with Covered Entity in the investigation of any violation of the requirements of this BAA and/or any Security Incident or Breach. Business Associate shall also reasonably cooperate and coordinate with Covered Entity in the preparation of any reports or notices to the Individual, a regulatory body or any third party required to be made under HIPAA, HIPAA Regulations, the HITECH Act, or any other Federal or State laws, rules or regulations, provided that any such reports or notices shall be subject to the prior written approval of Covered Entity.
Business Associate’s Subcontractors. In accordance with 45 C.F.R. § 164.502(e)(1)(ii) and 45 C.F.R. § 164.308(b)(2), as applicable, Business Associate will enter into a written agreement with each subcontractor that creates, receives, maintains or transmits PHI on behalf of Business Associate for services provided to Covered Entity, providing that the subcontractor agrees to restrictions and conditions that are substantially similar to those that apply through this BAA to Business Associate with respect to such PHI.
Access to Designated Record Sets. To the extent that Business Associate possesses or maintains PHI in a Designated Record Set, Business Associate agrees to make such information available to Covered Entity pursuant to 45 C.F.R. § 164.524, within twenty (20) days of Business Associate’s receipt of a written request from Covered Entity; provided, however, that Business Associate is not required to provide such access where the PHI contained in a Designated Record Set is duplicative of the PHI contained in a Designated Record Set possessed by Covered Entity. If an Individual makes a request for access to PHI directly to Business Associate pursuant to 45 C.F.R. § 164.524, or inquires about his or her right to access, Business Associate will either forward such request to Covered Entity or direct the Individual to Covered Entity.
Amendments to Designated Record Sets. To the extent that Business Associate possesses or maintains PHI in a Designated Record Set, Business Associate agrees to make such information available to Covered Entity for amendment pursuant to 45 C.F.R. § 164.526 within twenty (20) days of Business Associate’s receipt of a written request from Covered Entity. If an Individual submits a written request for amendment pursuant to 45 C.F.R. § 164.526 directly to Business Associate, or inquires about his or her right to amendment, Business Associate will either forward such request to Covered Entity or direct the Individual to Covered Entity.
Access to Books and Records. Business Associate agrees to make internal practices, books, and records, including policies and procedures and PHI, relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of, Covered Entity available to the Secretary for purposes of the Secretary determining Covered Entity’s compliance with the Privacy Rule.
Accountings. Business Associate agrees to document such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 CFR § 164.528.
Requests for Accountings. Business Associate agrees to provide, within thirty (30) days of Business Associate’s receipt of a written request from Covered Entity, the information collected in accordance with Section 2(i) above, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528. If an Individual submits a written request for an accounting of disclosures of PHI pursuant to 45 C.F.R. § 164.528 directly to Business Associate, or inquires about his or her right to an accounting, Business Associate will direct the Individual to Covered Entity.
Minimum Necessary. Business Associate agrees to request from Covered Entity, and disclose to its subcontractors, only the minimum PHI necessary to fulfill a specific function required or permitted under the Services Agreement or this BAA.
De-Identification Services. Business Associate may de-identify PHI in accordance with the de-identification safe harbor of the Privacy Rule set forth in 45 C.F.R. § 164.514(b)(2).
Permitted Uses and Disclosures by Business Associate
Services Delivery. Except as otherwise limited in this BAA, Business Associate may use or disclose PHI to perform functions, activities, or services for, or on behalf of, Covered Entity as specified in the Terms of Service, provided that such use or disclosure would not violate 45 CFR Subpart E if done by Covered Entity, except as otherwise specified in this BAA, and is consistent with the minimum necessary policies and procedures of the Covered Entity.
Use for Administration of Business Associate. Except as otherwise limited in this BAA, Business Associate may use PHI for the proper management and administration of the Business Associate, to carry out the legal responsibilities of the Business Associate or to provide data aggregation services to Covered Entity which relate to the health care operations of Covered Entity in accordance with the Privacy Rule.
Disclosure for Administration of Business Associate. Except as otherwise limited in this BAA, Business Associate may disclose PHI for the proper management and administration of Business Associate, provided that (i) disclosures are permitted or Required by Law or permitted or required by the Terms of Service or BAA, or (ii) Business Associate obtains reasonable assurances from the third party to whom the information is disclosed that it will remain confidential and used or further disclosed only as Required by Law or for the purpose for which it was disclosed to the third party, and the third party notifies the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.
Obligations of Covered Entity
Privacy Notice. Covered Entity shall notify Business Associate in writing of any limitation(s) in its notice of privacy practices of Covered Entity in accordance with 45 CFR § 164.520, to the extent that such limitation may affect Business Associate’s use or disclosure of PHI. Covered Entity will provide such notice no later than thirty (30) days prior to the effective date of the limitation.
Changes of Permission of Individual. Covered Entity will obtain any consent or authorization that may be required by the Privacy Rule, or applicable state law, prior to furnishing Business Associate with PHI. Covered Entity shall notify Business Associate in writing of any changes in, or revocation of, permission by an Individual to use or disclose PHI, to the extent that such changes may affect Business Associate’s use or disclosure of PHI. Covered Entity will provide such notice no later than thirty (30) days prior to the effective date of the change.
Restrictions on Use or Disclosure. Covered Entity shall notify Business Associate in writing of any restriction to the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 CFR § 164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of PHI. Covered Entity will provide such notice no later than thirty (30) days prior to the effective date of the restriction. If Business Associate reasonably believes that any restriction agreed to by Covered Entity pursuant to this Section may materially impair Business Associate’s ability to perform its obligations under the Terms of Service or this BAA, the Parties will mutually agree upon any necessary modification of Business Associate’s obligations under such agreements.
Permissible Requests by Covered Entity. Covered Entity will not cause or request Business Associate to use or disclose PHI in any manner that would not be permissible under the Privacy Rule, the Security Rule or the HITECH Act if done by Covered Entity, except as permitted pursuant to the provisions of Section 3 of this BAA.
Limited Disclosure Obligations. Covered Entity will limit the PHI provided to Business Associate to only that necessary for Business Associate to provide services to Covered Entity under the Services Agreement. Prior to the transmission of PHI to Business Associate, Covered Entity will notify Business Associate of the need to transmit PHI and will arrange with Business Associate for the proper and secure transmission of such PHI.
Safeguards. Covered Entity shall be responsible for using appropriate safeguards to maintain and ensure the confidentiality, privacy and security of PHI transmitted to Business Associate pursuant to this BAA, in accordance with the standards and requirements of the Privacy Rule, until such PHI is received by Business Associate.
Other Third Parties. Covered Entity shall have entered into Business Associate Agreements with any third parties (e.g., cloud services providers) to which Covered Entity directs and authorizes Business Associate to disclose PHI.
Term and Termination
Term. This BAA shall be effective as of the first date on which Business Associate creates, receives, maintains, or transmits PHI for or on behalf of Covered Entity (prior to which Covered Entity shall provide specific notice to Business Associate), and shall remain in effect for the duration of the relationship, functions or services giving rise to the necessity of a BAA. Otherwise, if this BAA is terminated in accordance with this Section and it is infeasible to return or destroy PHI, applicable protections are extended to such information, in accordance with the termination provisions in this Section, and will survive such termination.
Termination.
Automatic Termination. This BAA will automatically terminate without any further action of the Parties upon the termination or expiration of the Terms of Service.
Termination for Cause by Business Associate. Business Associate may promptly terminate this BAA if Covered Entity fails to meet its obligations under this BAA, HIPAA, or HIPAA Regulations, including the Privacy Rule and the Security Rule, and such failure prevents or hinders Business Associate’s performance under this BAA or the Services Agreement, or renders or would render Business Associate in violation of law.
Termination for Cause by Covered Entity. If Covered Entity determines that Business Associate has breached or violated a material term of this BAA, Covered Entity shall either:
Provide a reasonable opportunity for Business Associate to cure the breach or otherwise end the violation. If Business Associate does not cure the breach or otherwise end the violation within the reasonable time specified by Covered Entity, Covered Entity may terminate: (A) this BAA; and (B) all of the provisions of the Services Agreement that involve the creation, receipt, maintenance or transmission of PHI by Business Associate on behalf of Covered Entity; or
If Business Associate has breached a material term of this BAA and cure is not possible, immediately terminate: (A) this BAA; and (B) all of the provisions of the Services Agreement that involve the use or disclosure of PHI.
Effect of Termination.
Except as provided in this Section 5(c), upon termination of this BAA, for any reason, Business Associate shall return or destroy all PHI received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity, except for such retention as may be required by applicable law, regulation or legal process and/or in connection with routine data back-ups on Business Associate’s computer systems and as required by Business Associate’s document retention policies and procedures, provided that Business Associate shall continue to maintain any such retained PHI in confidence in accordance with this BAA. This provision (and its exceptions) shall apply to PHI that is in the possession of subcontractors of Business Associate. Except as otherwise outlined above, Business Associate shall retain no copies of the PHI.
In the event that Business Associate determines that returning or destroying the PHI is infeasible (other than as described herein), Business Associate shall provide to Covered Entity notification of the conditions that make return or destruction infeasible. Business Associate shall extend the protections of this BAA to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such PHI.
Miscellaneous
Amendment and Interpretation. The Parties agree to take such action as is necessary to amend the Terms of Service and this BAA to comply with HIPAA, HIPAA Regulations and the HITECH Act, and any ambiguity in this BAA shall be resolved to permit the Parties to comply with HIPAA, HIPAA Regulations and the HITECH Act.
Survival. The respective rights and obligations of Business Associate under Section 5(c) of this BAA shall survive the termination of the Terms of Service.
No Third Party Rights. The parties have not created and do not intend to create by this BAA any third party rights, including, but not limited to, third party rights for Covered Entity’s patients and members.
Independent Contractor. The parties acknowledge and agree that Business Associate is at all times acting as an independent contractor of Covered Entity and not as an agent or employee of Covered Entity under the Services Agreement and this BAA.
Conflict. The terms of this BAA are hereby incorporated into the Services Agreement. However, in the event of a conflict between the terms of this BAA and of the Services Agreement with regard to PHI, HIPAA, the HITECH Act or the HIPAA Regulations, the terms of the BAA shall prevail; with regard to other provisions, the terms of the Services Agreement shall prevail.
Governing Provisions. For avoidance of doubt, the governing law and dispute resolution, indemnification and limitation of liability provisions of the Terms of Service shall apply to this BAA and are incorporated herein by this reference.
Notices. All notices hereunder will be in writing and will be deemed to have been given upon the day of personal delivery, the third business day after mailing, or the first business day after sending by email. Notice to Business Associate will be to: Resolver Inc., 111 Peter Street, Suite 804, Toronto, Ontario, M5V 2H1 Canada, Attention: Law Department and/or legal@resolver.com. Notices to the Covered Entity will be to the mailing and email address set forth in the applicable Order Form.
Counterparts. This BAA is automatically incorporated into the Terms of Service if the customer identified in an Order Form is a “Covered Entity” as defined by HIPAA, unless the Parties execute a different BAA. If this BAA is to be formally executed by the Parties, then this BAA may be executed in two counterparts, each of which shall be deemed an original but both of which together shall constitute one and the same instrument. Copies of signatures sent by facsimile transmission or scanned and sent by email are deemed to be originals for purposes of execution and proof of this BAA.
IN WITNESS WHEREOF, the Parties have caused this Business Associate Agreement to be executed by their undersigned duly authorized representatives on the dates set forth below.
RESOLVER INC.
Name:
Title:
Date:
Signature:
COVERED ENTITY
Name:
Title:
Date:
Signature: