Business Associate Agreement

Version Date: November 11, 2021

This Business Associate Agreement (this “BAA”) is entered into between Customer and Vital Interaction.  The Terms and Conditions between the parties, together with any sales or work order entered into by the parties, collectively constitute the “Underlying Agreement.” Capitalized terms used but not otherwise defined herein have the meanings ascribed to them in the Underlying Agreement.

BY ACCEPTING THIS BAA OR USING THE SERVICES, AS DEFINED IN THE UNDERLYING AGREEMENT, YOU AGREE TO THIS BAA. IF YOU ARE ENTERING INTO THIS BAA AS AN INDIVIDUAL, THE TERM “CUSTOMER” REFERS TO YOU. IF YOU ARE ENTERING INTO THIS AGREEMENT ON BEHALF OF A COMPANY OR OTHER LEGAL ENTITY, YOU REPRESENT THAT YOU HAVE THE AUTHORITY TO BIND SUCH ENTITY AND ITS AFFILIATES TO THIS BAA, IN WHICH CASE THE TERM “CUSTOMER” SHALL REFER TO SUCH ENTITY. IF YOU DO NOT HAVE SUCH AUTHORITY, OR IF YOU DO NOT AGREE WITH THIS BAA, YOU MUST NOT ACCEPT THIS BAA AND MAY NOT USE VITAL INTERACTION SERVICES FOR THE STORAGE OR TRANSMISSION OF PROTECTED HEALTH INFORMATION (“PHI”).

Background

I. The parties wish to comply with the Health Insurance Portability and Accountability Act of 1996, as amended from time to time and including changes made under the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”), and all pertinent regulations issued by the U.S. Department of Health and Human Services, as amended from time to time (collectively, “HIPAA”), and other applicable federal and state confidentiality, privacy, and security laws.

II. Customer is a “covered entity” as defined or construed under HIPAA.

III. Customer is entering into a business relationship with Vital Interaction that is more specifically memorialized in the Underlying Agreement, pursuant to which Vital Interaction will have access to “protected health information” and will be considered a “business associate” and “limited data set recipient” of Customer as those terms are defined or construed under HIPAA.

Terms

1. Definitions. For purposes of this BAA, the following terms have the following meanings:
   (a) Breach. “Breach” has the same meaning as the term “breach” defined in 45 C.F.R. § 164.402.
   (b) Designated Record Set. “Designated Record Set” has the same meaning as the term “designated record set” defined in 45 C.F.R. § 164.501.
   (c) Protected Health Information. “Protected Health Information” (or “PHI”) has the same meaning as the term “protected health information” defined in 45 C.F.R. § 160.103.
   (d) Privacy Rule. “Privacy Rule” means the Standards for Privacy of Individually Identifiable Health Information found at 45 C.F.R. Part 160 and Part 164 Subparts A and E.
   (e) Required By Law. “Required by Law” has the same meaning as the term “required by law” defined in 45 C.F.R. § 164.103.
   (f) Secretary. “Secretary” means the Secretary of the U.S. Department of Health and Human Services or his or her designee.
   (g) Security Incident. “Security Incident” means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of PHI maintained by Vital Interaction or the attempted or successful interference with system operations in an information system maintained by Vital Interaction that contains PHI received from Customer.
   (h) Unsecured Protected Health Information. “Unsecured Protected Health Information” (or “Unsecured PHI”) means PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary in guidance issued pursuant to (or as otherwise defined in) § 13402(h)(2) of the HITECH Act.

2. Vital Interaction Obligations.I. Vital Interaction agrees, to the extent that Vital Interaction creates, maintains, or receives any PHI or Unsecured PHI on behalf of or from Customer, that Vital Interaction will:

(a) not use or further disclose the PHI or Unsecured PHI other than as permitted or required by the Underlying Agreement (or this BAA) or as Required by Law;
(b) use appropriate safeguards and comply, where applicable, with Subpart C of 45 C.F.R. Part 164 with respect to electronic PHI, designed to prevent use or disclosure of the PHI or Unsecured PHI other than as provided for in this BAA;
(c) report to Customer any Security Incident, any use or unauthorized disclosure of the PHI not provided for by this BAA, or any Breach involving Unsecured PHI, of which Vital Interaction becomes aware, without unreasonable delay . The parties acknowledge and agree that this Section 2(c) constitutes notice by Vital Interaction to Customer of the ongoing existence and occurrence of attempted but unsuccessful Security Incidents for which no additional notice to Customer shall be required.  Unsuccessful Security Incidents shall include, but not be limited to, pings and other broadcast attacks on Vital Interaction’s firewall, port scans, unsuccessful log-on attempts, denials of service and any combination of the above or similar, so long as such incidents do not result, to the extent Vital Interaction is aware, in unauthorized access, use or disclosure of Electronic Protected Health Information;
(d) ensure that any subcontractors it may engage that create, receive, maintain, or transmit the PHI agree, with respect to such PHI, to substantially the same restrictions and conditions that apply to Vital Interaction through this BAA;
(e) to the extent applicable, provide access to the PHI to Customer or, if properly directed by Customer in a signed writing, to another individual in a Designated Record Set at reasonable times in order to meet the requirements of and in accordance with 45 C.F.R. § 164.524 of the Privacy Rule;
(f) make the PHI available to Customer for amendment and incorporate any amendments Customer makes or directs to be made to the PHI in accordance with 45 C.F.R. § 164.526 of the Privacy Rule;
(g) make Vital Interaction’s internal practices, books, and records relating to the use and disclosure of the PHI available to the Secretary for purposes of determining Customer’s compliance with the Privacy Rule;
(h) document and make available pursuant to commercially reasonable directions of Customer such information necessary to provide an accounting of disclosures of the PHI in accordance with 45 C.F.R. § 164.528 of the Privacy Rule;
(i) return or destroy all the PHI or Unsecured PHI received from Customer (or created or received by Vital Interaction on behalf of Customer) that Vital Interaction maintains in any form at the termination of this BAA, except as may be required or permitted by federal or state laws or regulations, this BAA, or the Underlying Agreement;
(j) to the extent Vital Interaction is to carry out an obligation of Customer under Subpart E of 45 C.F.R. Part 164, comply with the requirements of Subpart E of 45 C.F.R. Part 164 that apply to Customer in the performance of such obligation.

II. General Purposes for which Protected Health Information may be Used or Disclosed. Vital Interaction may use or disclose PHI to:

a. for the purpose of performing Vital Interaction’s obligations under the Underlying Agreement. Except as otherwise provided in this BAA, Vital Interaction may use or disclose PHI to perform functions, activities, or services for or on behalf of Customer if such use or disclosure by Vital Interaction complies with the Privacy Rule and if such use or disclosure of PHI would not violate the requirements of Subpart E of 45 C.F.R. Part 164 if made by Customer;
b. provide data aggregation services relating to the health care operations of Customer;
c. Vital Interaction may use PHI received by Vital Interaction in its capacity as a business associate to Customer as necessary for the proper management and administration of Vital Interaction or to carry out the legal responsibilities of Vital Interaction;
d. Vital Interaction may disclose PHI received by Vital Interaction in its capacity as a business associate to Customer for the proper management and administration of Vital Interaction or to carry out the legal responsibilities of Vital Interaction if:

i. the disclosure is Required by Law; or
ii. Vital Interaction obtains reasonable assurances from any person or entity to whom PHI is disclosed that: (i) the PHI will be held confidential and further used and disclosed only as Required by Law or for the purposes for which it was disclosed to the person or entity and (ii) the person or entity will notify Vital Interaction of any instances of which it is aware in which confidentiality of the PHI has been breached.

III. De-identified Information. Vital Interaction may de-identify PHI obtained by Vital Interaction under this BAA in compliance with 45 C.F.R. § 164.502(d) and 45 C.F.R. § 164.514(a) and (b). Pursuant to 45 C.F.R. § 164.502(d)(2), de-identified information does not constitute PHI and is not subject to the terms of this BAA.

IV. Data Use. Vital Interaction may use and disclose PHI obtained by Vital Interaction under this BAA to create a limited data set without any of the identifiers listed in 45 C.F.R. § 164.514(e) (“Limited Data Set”) for research, public health, and health care operations purposes. Vital Interaction may not use or further disclose a Limited Data Set for any other purpose, except as may otherwise be Required by Law. Vital Interaction must use appropriate safeguards to prevent use or disclosure of a Limited Data Set other than as provided for herein. Vital Interaction must report to Customer any use or disclosure of a Limited Data Set not provided for herein of which Vital Interaction becomes aware. Vital Interaction may disclose a Limited Data Set to any recipient that agrees to the same restrictions and conditions that apply to Vital Interaction with respect to such information. Vital Interaction must ensure that any persons to whom Vital Interaction provides a Limited Data Set agree to the same restrictions and conditions that apply to Vital Interaction with respect to such information. With respect to any particular Limited Data Set, Vital Interaction will not use the Limited Data Set in such a way as to identify any individual whose data is incorporated in the Limited Data Set or to contact any such individual.

3.   Customer Obligations. Customer agrees that Customer:
   (a) shall provide Vital Interaction a copy of Customer’s Notice of Privacy Practices (“Notice”) produced in accordance with 45 C.F.R. § 164.520 as well as any changes to Customer’s Notice;
   (b) shall notify Vital Interaction of any changes in, or revocation of, authorizations by individuals relating to the use or disclosure of PHI, if such changes or revocation affects Vital Interaction’s permitted or required uses or disclosures;
   (c) shall notify Vital Interaction of any restriction to the use or disclosure of PHI to which Customer has agreed in accordance with 45 C.F.R. § 164.522;
   (d)     shall notify Vital Interaction of any amendment to PHI to which Customer has agreed that affects a Designated Record Set maintained for Customer by Vital Interaction, if any;
   (e) shall, if Vital Interaction maintains for Customer a Designated Record Set, provide Vital Interaction with a copy of its policies and procedures related to an individual’s right to: access PHI, request an amendment to PHI, request confidential communications of PHI, or request an accounting of disclosures of PHI;
   (f) shall not request Vital Interaction to use or disclose PHI in any manner that would not be permissible under HIPAA or other federal or state law;
   (g) is and will remain in compliance with all applicable federal, state, and local laws, including but not limited to fraud and abuse laws, and will not request, require, or influence Vital Interaction to violate any applicable law.
4.  Term and Termination.
   (a) Term. This BAA will be effective as of the date the Underlying Agreement is effective and will terminate when all PHI provided by Customer to Vital Interaction, or created or received by Vital Interaction on behalf of Customer, is destroyed or returned to Customer. However, with respect to any PHI that cannot feasibly be returned or destroyed, the protections of this BAA will be extended to such PHI in accordance with the termination provisions in Section 4(c)(ii).
   (b) Termination for Cause. Notwithstanding anything in this BAA to the contrary, upon Customer’s knowledge of a material breach or violation of this BAA by Vital Interaction, Customer:

(i) will provide notice of and a reasonable opportunity for Vital Interaction to cure the breach or end the violation of this BAA and then, if Vital Interaction does not cure the breach or end the violation of this BAA within a reasonable time frame afforded of at least thirty (30) days, may terminate this BAA if feasible; or
(ii) may, if Vital Interaction has breached a material term of this BAA and a cure is not possible, immediately terminate this BAA if feasible.

(c) Effect of Termination.

(i) Except as provided in Section 4(c)(ii), upon termination of this BAA for any reason, Vital Interaction will, if feasible:

(1) return or destroy all PHI received from Customer or created or received by Vital Interaction on behalf of Customer; and
(2) not retain any copies of the PHI.

(ii) If Vital Interaction determines that the return or destruction of any PHI is infeasible, Vital Interaction will extend the protections of this BAA to such PHI and limit further uses and disclosures of such PHI to those purposes that make return or destruction infeasible, for so long as Vital Interaction maintains such PHI.

5.  Notice of Privacy Practices. Vital Interaction agrees that it will abide by the limitations of any Notice published by Customer of which Vital Interaction has knowledge. Any use or disclosure permitted by this BAA may be amended by changes to Customer’s Notice if Customer specifically informs Vital Interaction of the amendment; provided, however, that the amended Notice will not affect permitted uses and disclosures on which Vital Interaction relied prior to receiving notice of such amended Notice from Customer.
6. Withdrawal of Authorization. If the use or disclosure of PHI is based upon an individual’s specific authorization for the use of his or her PHI and the individual revokes such authorization in writing, such authorization has expired, or the authorization is found to be defective in any manner that renders it invalid, then Vital Interaction agrees, if it has notice of such revocation or invalidity, to cease the use and disclosure of any such individual’s PHI except to the extent it has relied on such use or disclosure, or where an exception under HIPAA expressly applies.
7. Third Party Rights and Assignment and Delegation of Duties. The terms of this BAA are not intended and should not be construed to grant any rights to parties other than Vital Interaction and Customer. However, this BAA is binding upon and inures to the benefit of the parties hereto and their respective successors and assigns.
8. Applicable Law. This BAA will be interpreted and construed in accordance with the laws of the State of Delaware.
9. Waiver. No delay or omission on the part of either party in exercising any right hereunder will operate as a waiver of such right or of any other right under this BAA. A waiver on any one occasion will not be construed as a bar to or waiver of any right or remedy on any subsequent occasion. The election of either party of a particular remedy on default will not be exclusive of any other remedy, and all rights and remedies of the parties hereto will be cumulative.
10. Amendments. Vital Interaction may amend this BAA from time to time as it deems necessary, including to comply with the requirements of HIPAA and other applicable federal and state confidentiality, privacy, and security laws. This BAA will be posted on Vital Interaction’s website and the date of last amendment will be published on the page in the following format “Version Date: [●].” Customer’s continued use of Vital Interaction’s products and services constitute Customer’s acknowledgement of the terms of this BAA at any given time—thus, Customer is obligated to review this BAA from time to time in order to ensure Customer’s compliance with the terms herein.
11. Notices. Any notices required or permitted under this BAA must be in writing and delivered in person or sent by registered or certified mail, return receipt requested, proper postage prepaid, properly addressed to the address of the addressee set forth in the Underlying Agreement or to such other more recent address of the addressee of which the sending party has received written notice.
12. Authority. Each party has full power and authority to enter into and perform this BAA, and the person agreeing to this BAA on behalf of each party has been properly authorized and empowered to do so.
13. Requests for PHI. Either party will notify the other party in writing, and provide the other party with a copy, of any subpoena or other discovery request or any judicial, governmental, or administrative order requesting or requiring the party to disclose PHI that may be held by the other party pursuant to this BAA.
14. Interpretation of this Contract in Relation to Other Contracts between the Parties. The provisions of this BAA shall be subject to the provisions of the Underlying Agreement, provided that, should there be any conflict between the language of this BAA and any other contract entered into between the parties (either previous or subsequent to the date of this BAA), including the Underlying Agreement, regarding the subject matter of this BAA, the language and provisions of this BAA will control and prevail unless the parties specifically refer in a subsequent written agreement to this BAA by its title and date and specifically state that the provisions of a later written agreement will control over this BAA.
15. Changes in the Law. If: (a) there is a change in any law, regulation, or rule that affects this BAA, the activities of either party under this BAA, or the relationship of the parties or any change in the judicial or administrative interpretation of any such law, regulation, or rule or any of the provisions of this BAA are found to be in violation of any such law, regulation, or rule; and (b) either party reasonably believes in good faith that the change, interpretation, or determination will have a substantial adverse effect on that party’s business operations, then the party may, upon written notice, require the other party to enter into good faith negotiations to renegotiate the terms of this BAA and to take any action necessary to maintain compliance with such laws, rules, or regulations.
16. Ambiguity. Any ambiguity in this BAA will be resolved to permit Customer and Vital Interaction to comply with HIPAA.
17. Entire Agreement. This BAA, together with all schedules, exhibits, addenda, and amendments hereto, constitutes the entire agreement between the parties hereto with respect to the specific subject matter hereof and supersedes all previous written or oral understandings, agreements, negotiations, or commitments and any other writings or communications by or between the parties with respect to the subject matter hereof.
18. Severability. The provisions of this BAA will be severable, and if any provision of this BAA is held or declared to be illegal, invalid, or unenforceable, the remainder of this BAA will continue in full force and effect as though such illegal, invalid, or unenforceable provision had not been contained herein.
19. Regulatory References. A citation in this BAA to the Code of Federal Regulations (C.F.R.) means the cited section as that section may be amended from time to time.