Business Associate Agreement
THIS BUSINESS ASSOCIATE AGREEMENT (“Agreement”) is effective as of the date on which Business Associate first provides Services to Company or creates, receives, maintains, or transmits any Protected Health Information for or on behalf of Company. This Agreement is made by and between:
Asembia LLC, a Delaware limited liability company, with an address at 200 Park Avenue, Suite 300, Florham Park, New Jersey 07932 (including any subsidiary, division or affiliated business units under common control or ownership, collectively “Asembia”) (hereinafter collectively referred to as “Business Associate”); and Participant (hereinafter referred to as “Participant” or “Company”), a HIPAA Covered Entity.
The purpose of this Agreement is to comply with the requirements of the federal Health Insurance Portability and Accountability Act of 1996, the federal Health Information Technology for Economic and Clinical Health Act, and the implementing privacy, security, enforcement and transactions regulations codified at 45 C.F.R. Parts 160, 162 and 164 (collectively referred to herein as “HIPAA”).
Terms not otherwise defined herein shall have the same meanings as ascribed to such terms in HIPAA. All definitions are limited to the extent such terms are applicable to the parties with respect to Protected Health Information (Protected Health Information includes, without limitation, electronic Protected Health Information) created, received, maintained or transmitted by Business Associate for or on behalf of Company.
A. Privacy of Protected Health Information
1. Permitted and Required Uses and Disclosures. Business Associate is permitted to use or disclose Protected Health Information it creates, receives, maintains or transmits for or on behalf of Company as permitted or required under the terms and conditions of this Agreement, as permitted or required by HIPAA or as Required by Law.
(a) Performance of Services. Except as and to the extent otherwise prohibited or limited by any applicable law, rule or regulation, Business Associate may use or disclose Protected Health Information of Company to perform the services contracted to be performed by Business Associate for or on behalf of Company (the “Services”), provided that (i) such use or disclosure involves only the minimum amount of Protected Health Information as is necessary for such performance and (ii) the use or disclosure would not violate HIPAA if done by the Company.
(b) Business Associate Operations. Business Associate is permitted to use and disclose Protected Health Information it creates, receives, maintains or transmits for or on behalf of Company as follows:
(i) Use of PHI. Business Associate may use such Protected Health Information as necessary for Business Associate’s proper management and administration or to carry out Business Associate’s legal responsibilities.
(ii) Disclosure of PHI. Business Associate may disclose such Protected Health Information as necessary for Business Associate’s proper management and administration or to carry out Business Associate’s legal responsibilities only if:
1. The disclosure is Required by Law; or
2. Business Associate obtains reasonable assurance from any person or organization to whom Business Associate will disclose such Protected Health Information that the person or entity will:
a. Hold such Protected Health Information confidentially and use or further disclose it only for the purpose for which Business Associate disclosed it to the person or entity or as Required by Law; and
b. Notify Business Associate of any instance of which the person or organization becomes aware in which the confidentiality of such Protected Health Information was breached.
(c) Disclosure to Subcontractor Business Associates. Business Associate may disclose Protected Health Information to a Subcontractor and may permit such Subcontractor to create, receive, maintain or transmit Protected Health Information, on its behalf, but only in accordance with Section A.2 below.
(d) Compliance with HIPAA in Performing Obligations of Company. Business Associate shall comply with the applicable requirements of Subpart E of 45 C.F.R. Part 164. To the extent that Business Associate, in providing the Services, is carrying out one or more of the Company’s obligations under Subpart E of 45 C.F.R. Part 164, Business Associate shall comply with the requirements of Subpart E of 45 C.F.R. Part 164 that apply to Company in the performance of such obligations.
(e) Data Aggregation Services. If specifically authorized by the Company, the Business Associate may provide Data Aggregation Services relating to the health care operations of the Company.
(f) Disclosure to Proper Authorities. Business Associate may disclose Protected Health Information as Required by Law.
(g) Use and Disclosure of De-Identified Data. Business Associate may de-identify Protected Health Information in accordance with the standards set forth in 45 C.F.R. § 164.514(b) and may use or disclose such de-identified data unless prohibited by applicable law.
(h) Minimum Necessary Information. In any instance when Business Associate uses, requests or discloses Protected Health Information under this Agreement or in accordance with other agreements that exist between Company and Business Associate, Business Associate may use or disclose only the minimum amount of Protected Health Information necessary to accomplish the intended purpose.
(i) Use by Workforce. Business Associate shall advise members of its workforce of their obligations to protect and safeguard Protected Health Information. Business Associate shall take appropriate disciplinary action against any member of its workforce who uses or discloses Protected Health Information in contravention of this Agreement. Background checks shall be performed at the cost and expense of third parties on individuals accessing PHI, including but not limited to criminal background checks, OIG background checks and credit background checks.
2. Sub-Contractors. Business Associate will require any of its Subcontractors to whom Business Associate delegates a function or activity involving the Subcontractor’s creation, use, maintenance or disclosure of Company’s Protected Health Information to provide reasonable assurance, evidenced by written contract in conformance with 45 C.F.R. § 164.504(e)(2)(ii)(D), that the Subcontractor will comply with the same privacy and security obligations as Business Associate with respect to such Protected Health Information.
3. Information Safeguards. Business Associate will develop, implement, maintain and use appropriate administrative, technical and physical safeguards, in compliance with 45 C.F.R. Part 160, and Subparts A and C of Part 164, and any other implementing regulations issued by the U.S. Department of Health and Human Services governing the Business Associate, to preserve the integrity, availability and confidentiality of electronic Protected Health Information created on behalf of or received for or from Company. All data required to be adequately protected shall be stored in physical locations within the United States, and all PHI shall only be accessed from locations within the United States.
Business Associate shall provide Company with such information concerning such safeguards as Company may from time to time reasonably request but in no case more than once a calendar year except in the case where Business Associate has committed a Breach of Company’s Protected Health Information. Nothing in this section shall require Business Associate to disclose any confidential information of the Business Associate or any of its customers.
B. Compliance with Standard Transactions
If Business Associate conducts in whole or part Standard Transactions, for or on behalf of Company, Business Associate will comply, and will require any Subcontractor or agent involved with the conduct of such Standard Transactions to comply, with each applicable requirement of 45 C.F.R. Part 162. Business Associate further agrees to comply with any guidelines or requirements adopted by Company consistent with the requirements of HIPAA and any regulations promulgated thereunder, governing the exchange of information between Business Associate and the Company.
C. Protected Health Information Access, Amendment and Disclosure Accounting
1. Access. Business Associate will promptly upon Company’s request make available to Company or, at Company’s direction, to the individual (or the individual’s properly authorized personal representative) for inspection and obtaining copies of any Protected Health Information about the individual which Business Associate created or received for or from Company and that is in Business Associate’s custody or control, so that Company may meet its access obligations pursuant to and required by applicable law, including but not limited to 45 C.F.R. § 164.524. Notwithstanding the foregoing, all requests for access and copies shall be forwarded to Company, and Business Associate shall be obligated to provide such access and copies only if it is impracticable or impossible for Company to comply with such a request.
2. Amendment. Business Associate will, upon receipt of notice from Company, promptly amend or permit Company access to amend any portion of the Protected Health Information which Business Associate created or received for or from Company, pursuant to and required by applicable law, including but not limited to 45 C.F.R. § 164.526. Business Associate will not respond directly to an individual’s request for an amendment of his/her Protected Health Information held in the Business Associate’s Designated Record Set. Business Associate will refer the individual to Company so that Company can coordinate and prepare a timely response to the individual, and amend its records if so required or agreed.
3. Disclosure Accounting. Business Associate shall make available such information as is required for Company to provide an accounting of disclosures as required in accordance with 45 C.F.R. § 164.528.
4. Disclosure to U.S. Department of Health and Human Services. Business Associate shall make its internal practices, books, and records relating to the use and disclosure of Protected Health Information received from Company (or created or received by Business Associate on behalf of Company) available to the Secretary of the United States Department of Health and Human Services, for purposes of determining Company’s compliance with 45 C.F.R. Parts 160 and 164.
D. Breach of Privacy Obligations
1. Reporting of Unpermitted Disclosures and Breaches. Business Associate will report to Company any use or disclosure of Protected Health Information not permitted by this Agreement, including a Breach of Unsecured Protected Health Information. Business Associate will promptly make the report to Company’s Legal Department or other responsible official, without unreasonable delay, after Business Associate discovers such non-permitted or violating use or disclosure. Business Associate’s report will, to the extent practicable:
(a) Identify the nature of the non-permitted or violating use or disclosure;
(b) Identify the Protected Health Information used or disclosed;
(c) Identify who made the non-permitted or violating use or received the non-permitted or violating disclosure;
(d) Identify what corrective action Business Associate took or will take to prevent further non-permitted or violating uses or disclosures;
(e) Identify what Business Associate did or will do to mitigate any deleterious effect of the non-permitted or violating use or disclosure; and
(f) Provide such other information, including a written report, as Company may reasonably request.
2. Reporting of Security Incidents. Business Associate shall report to the Company any Security Incident involving Unsecured Protected Health Information of which it becomes aware in the following manner:
(a) Any actual, successful Security Incident of which Business Associate becomes aware will be reported to the Company in writing without unreasonable delay and if practicable within ten (10) business days.
(b) The parties stipulate and agree that this paragraph constitutes continuous notice by Business Associate to Company with respect to any attempted, unsuccessful Security Incident, which is defined for purposes of this Agreement as any Security Incident that does not result in unauthorized access, use, disclosure, modification or destruction of electronic Protected Health Information of Company or interference with system operations adversely affecting the ability of Business Associate to maintain, process or safeguard electronic Protected Health Information of Company. By way of example, such unsuccessful Security Incidents may include: (i) pings on the firewall of Business Associate; (ii) port scans; (iii) attempts to log on to a system or enter a database with an invalid password or username; (iv) denial-of-service attacks that do not result in a server being taken offline; or (v) malware (worms, viruses, etc.). The parties further stipulate and agree that with respect to any such unsuccessful Security Incident, no further or more detailed report to Company is needed or required under this Agreement.
3. Mitigation. Following a Breach of Unsecured Protected Health Information or successful Security Incident involving Unsecured Protected Health Information, Business Associate shall take reasonable measures to mitigate any harmful effects to the individual, to the extent reasonably practicable.
E. Obligations of Company
1. Arrangements that May Impact Business Associate. Company agrees to timely notify Business Associate, in writing, of any arrangements between the Company and the individual that is the subject of Protected Health Information that may impact in any manner the use and/or disclosure of that Protected Health Information by Business Associate, including any limitations in its notice of privacy practices in accordance with 45 C.F.R. § 164.520, or any changes in, or revocation of, permission by an individual to use or disclose Protected Health Information, or any restriction to the use or disclosure of PHI that Company has agreed to in accordance with 45 C.F.R. § 164.522.
2. Impermissible Requests. Company shall not request or require Business Associate to use or disclose Protected Health Information in any manner that would not be permissible under HIPAA if done directly by Company.
3. Minimum Necessary. Company represents that, to the extent that Company provides Protected Health Information to Business Associate, such Protected Health Information is the minimum necessary Protected Health Information for the accomplishment of Business Associate’s Services.
4. Authorizations and Consents. Company represents that, to the extent Company provides Protected Health Information to Business Associate, Company has obtained the consents, authorizations and/or other forms of legal permission required under HIPAA and other applicable laws and regulations, including but not limited to all consents, authorizations and/or other forms of legal permission for Business Associate to perform the Services.
F. Breach and Termination
1. Breach; Termination.
(a) Should the Company become aware of a pattern of activity or practice that constitutes a material breach of a material term of this Agreement by Business Associate, the Company shall provide Business Associate with written notice of such breach in sufficient detail to enable Business Associate to understand the specific nature of the breach.
(b) Company may terminate this Agreement and the underlying Services agreement if, after the Company provides the notice to Business Associate, Business Associate fails to cure the breach to the reasonable satisfaction of the Company within thirty (30) days after Business Associate’s receipt of such notice.
(c) Notwithstanding the foregoing, Company may immediately terminate this Agreement and the underlying Services agreement if the Company reasonably and in good faith determines that the Business Associate has materially breached a material term of this Agreement and no cure is possible.
(d) This Agreement shall automatically terminate (i) if the Services are no longer provided by Business Associate to Company or (ii) if HIPAA is no longer applicable to the parties.
2. Obligations Upon Termination.
(a) Upon termination, cancellation, expiration or other conclusion of the Agreement, Business Associate will if feasible return to Company or destroy all Protected Health Information, in whatever form or medium (including in any electronic medium under Business Associate’s custody or control), that Business Associate created or received for or from Company, including all copies of and any data or compilations derived from and allowing identification of any individual who is a subject of the Protected Health Information. The determination as to the feasibility of such return or destruction of Protected Health Information shall be made in the sole discretion of Company. Company shall be solely responsible for any costs to return or destroy Protected Health Information. If the return or destruction of Protected Health Information is not feasible, in the sole discretion of Business Associate, Business Associate shall extend the protections of this Agreement to the Protected Health Information and limit further uses and disclosures to those purposes that make the return or destruction of the Protected Health Information infeasible.
G. General Provisions
1. Amendment. From time to time local, state or federal legislative bodies, boards, departments or agencies may enact or issue laws, rules, or regulations pertinent to this Agreement. In such event, the parties agree to immediately abide by all said pertinent laws, rules, or regulations and to cooperate with each other to carry out any responsibilities placed upon the parties by said laws, rules, or regulations, subject to Business Associate’s right to terminate this Agreement with thirty (30) days’ advance written notice to Company.
2. Conflicts. The terms and conditions of this Agreement will override and control any conflicting term or condition of any other existing agreement between the parties. All non-conflicting terms and conditions of the other agreement remain in full force and effect.
3. Waiver. A waiver of any obligation, condition or requirement hereunder shall not be construed as continuing, or as a bar to or waiver of any right or remedy as to subsequent events.
4. Subpoenas. Business Associate agrees to relinquish to Company control over subpoenas Business Associate receives with regard to Protected Health Information belonging to Company, and Company agrees to take control of and handle all obligations with respect to such subpoenas.
5. Choice of Law; Jurisdiction. The parties expressly agree that this Agreement shall be construed and interpreted in accordance with HIPAA and the laws of the State of New Jersey. Venue and jurisdiction for any action hereunder shall reside in the State and Federal courts located within the State of New Jersey.
6. Notices. Notices shall be sent to the parties at the addresses first set forth above or such other address as shall be provided by a party in accordance with this paragraph. Notices shall be sent via certified mail, return receipt requested, or overnight delivery with confirmation receipt, and shall be deemed given three (3) business days after being sent by certified mail and on the next business day if sent by overnight delivery.
7. Intent. The parties agree that there are no intended third party beneficiaries under this Agreement.
8. Preparation. This Agreement was prepared solely to comply with the requirements of HIPAA, and unless so provided in such law does not affect or change the legal relationship between Company and Business Associate. In the event that there is any conflict between the terms of this Agreement and HIPAA, this Agreement shall be deemed amended to comply with HIPAA.