Business Associate Agreement

This Business Associate Agreement ("BAA") is only applicable if the Customer is within the United States of America ("USA"). If Customer is outside the USA, this BAA shall not apply to any data provided by Customer.

This BAA is effective as of the date of Customer’s acceptance (the “Effective Date”), and is entered into by and between Customer (the “Covered Entity”) and Eko Health, Inc. (“Eko”) (each a “Party” and collectively the “Parties”).

RECITALS

Customer is a HIPAA Covered Entity. Customer and Eko will engage in a business relationship in which Eko provides certain services to Customer. In this relationship, Eko may receive, use, maintain, disclose, or otherwise process PHI as a Business Associate for or on behalf of Customer in the course of performing such services.).

WHEREAS, the Parties are committed to compliance with the Health Insurance Portability and Accountability Act of 1996 and regulations promulgated thereunder, as amended from time to time, (“HIPAA”) Title XIII, Subtitle D, of the American Recovery and Reinvestment Act of 2009 (P.L. 111-5), known as the Health Information Technology for Economic and Clinical Health Act, as amended (the “HITECH Act”), and the implementing regulations for HIPAA and the HITECH Act, including, without limitation, the Standards for Privacy of Individually Identifiable Health Information, set forth at 45 C.F.R. Part 160 and Part 164 (Subparts A and E) (the “Privacy Rule”), the Security Standards for the Protection of Electronic Protected Health Information, set forth at 45 C.F.R. Part 160 and Part 164 (Subparts A and C) (the “Security Rule”), the Standards for Electronic Transactions, set forth at 45 C.F.R. Parts 160 and 162 (the “Electronic Transactions Rule”), and the Breach Notification for Unsecured Protected Health Information, set forth at 45 C.F.R. Parts 160 and 164 (Subpart D) (the “Breach Notification Rule”), as such implementing regulations may have been or may in the future be amended from time to time (the Privacy Rule, the Security Rule, the Electronic Transactions Rule and the Breach Notification Rule, as amended from time to time, are referred to collectively as the “Rules”) (HIPAA, the HITECH Act, and the Rules, collectively, the “HIPAA Laws”).

AGREEMENT

1. Definitions.  Unless otherwise defined in this BAA, all capitalized terms used in this BAA have the meanings ascribed to such term in the HIPAA Laws, as applicable.
   1. “Breach” shall have the same meaning as that term is defined and used within the Breach Notification Rule.
   2. "Disclosure” and any variant thereof, whether or not capitalized, shall have the same meaning as that term is defined in the HIPAA Laws.
   3. “Electronic Protected Health Information” or “ePHI” shall have the same meaning as the term “electronic protected health information” in the Security Rule, to the extent such information is created, maintained, received or transmitted by Eko from or on behalf of Covered Entity.
   4. “Protected Health Information” or “PHI” shall have the same meaning as the term “protected health information” in the Privacy Rule, to the extent such information is created, maintained, received or transmitted by Eko from or on behalf of Covered Entity. Where applicable, PHI shall also include ePHI.
   5. “Required by Law” shall have the same meaning as “required by law” as used in the Privacy Rule.
   6. “Secretary” shall mean the Secretary of the Department of Health and Human Services. 
   7. “Security Incident” shall have the same meaning as the term “security incident” in the Security Rule.
   8. “Subcontractor” shall mean any agent, subcontractor or other third party with whom Eko shares or otherwise makes available PHI subject to this BAA.
   9. “Use” and any variant thereof, whether or not capitalized, shall have the same meaning as that term is defined in the HIPAA Laws. 
2. Permitted Activities of Eko.  Eko may (i) use and disclose PHI as necessary to perform the services to Covered Entity; (ii) use PHI in its possession as Required by Law or as necessary for its proper management and administration; (iii) disclose PHI in its possession to a third party if necessary for the purposes of its proper management and administration; (iv) use PHI to provide Data Aggregation services relating to the Health Care Operations of the Covered Entity; and (v) de-identify any and all PHI, provided that the de-identification conforms to the requirements of 45 C.F.R. 164.514 of the Privacy Rule and guidance issued by the Secretary from time to time.  The Parties agree that such de-identified information does not constitute “PHI” and the terms of this BAA shall no longer apply.
3. Protection of PHI by Eko.  With regard to its use and/or disclosure of PHI, Eko shall (i) not Use or Disclose PHI other than as permitted or required by this BAA or as Required By Law; (ii) use appropriate safeguards to prevent the use or disclosure of PHI other than as provided for by this BAA; (iii) implement administrative, physical and technical safeguards and comply with the policies, procedures and documentation requirements of the Security Rule; (iv) report to the Covered Entity any use or disclosure of PHI not provided for by this BAA, including without limitation: (a) any Breach; or (b) Security Incident without unreasonable delay;(v) ensure that any Subcontractor that may receive PHI from Eko enters into an arrangement with Eko which contains substantially similar restrictions and limitations on Subcontractor as those imposed upon Eko in this BAA; (vi) make available to the Covered Entity the information required for the Covered Entity to provide an accounting of disclosures of PHI as required by the Privacy Rule; and (vii) make its internal practices, books and records relating to the use and disclosure of PHI available to the Secretary for purposes of the Secretary determining Covered Entity’s compliance with the HIPAA Laws. Notwithstanding the foregoing, the Parties acknowledge and agree that no notice is required for Unsuccessful Security Incidents.  “Unsuccessful Security Incidents” means, without limitation, pings and other broadcast attacks on Eko’s firewall, port scans, unsuccessful log-on attempts, denial of service of attacks, and any combination of the above.
4. Obligations of Covered Entity.  With regard to the use and disclosure of PHI by Eko, Covered Entity agrees to (i) obtain any patient authorizations or consents that may be required under state or federal law or regulation in order to transmit PHI to Eko and to enable Eko and its subcontractors and agents to use and disclose PHI as contemplated by this BAA; (ii) notify Eko of any restriction to the use or disclosure of PHI that Covered Entity has agreed to or is required to comply with in accordance with the Privacy Rule; and (iii) not request that Eko use or disclose PHI in any manner that would not be permissible under the Privacy Rule if done by Covered Entity.
5. Term.  This BAA shall commence as of the earlier of (i) the Effective Date or (ii) the date Eko first held, transmitted, disclosed, received or created PHI and shall continue in effect until terminated as provided in Section 6 of this BAA.
6. Termination.  This BAA shall terminate when all PHI provided by Covered Entity to Eko, or created or received by Eko on behalf of Covered Entity, is returned to Covered Entity or destroyed, or, if it is infeasible to return or destroy all of the PHI, protections are extended to such information in accordance with the provisions of Section 6.2.

1. Termination for Cause.  Should a Party become aware of a material breach of this BAA, including without limitation a practice that constitutes a material breach of a material term of this BAA, the non-breaching Party shall provide the breaching Party with written notice of such breach in sufficient detail to enable the breaching Party to understand the specific nature of the breach.  The non-breaching Party shall be entitled to immediately terminate this BAA associated with such breach if, after the non-breaching Party provides such notice of breach to the breaching Party, the breaching Party fails to cure the breach or end the violation within a reasonable time period from the breaching Party’s receipt of such notice; provided, however, the non-breaching Party shall have the discretion to agree to such longer cure period based on the nature of the breach involved and subject to the HIPAA Laws.
2. Effect of Termination.  Except as provided in this section, upon termination of this BAA for any reason, Eko shall return or destroy all PHI received from Covered Entity or created or received by Eko or any Subcontractor on behalf of Covered Entity and neither Eko nor any Subcontractor shall retain copies of the PHI.  In the event Eko reasonably determines that returning or destroying the PHI is infeasible, Eko shall extend the protections of this BAA to such retained PHI and limit further uses and disclosures of such retained PHI for so long as Eko and its contractors, agents or Subcontractors maintain such PHI.  The respective rights and obligations of Eko set forth within this paragraph shall survive the termination of this BAA, for whatever reason.

7. MISCELLANEOUS.

1. Notice.  Any notice required by this BAA to the Customer shall be sent via the email associated with their Eko account. Any notice required by this BAA to Eko shall be sent by certified mail or electronic mail to the address(es) listed below:

2. Survival.  The respective rights and obligations of Eko and Covered Entity under this BAA which by their nature shall survive this BAA shall survive the expiration or termination of this BAA indefinitely, including without limitation Section 3(i) and (v), Section 6.2, and this Section 7.2. 
   
   
3. Interpretation.  The terms of this BAA shall prevail in the case of any conflict with the terms of any Underlying Contract to the extent necessary to allow Covered Entity and Eko to comply with the HIPAA Laws.  Any ambiguity in this BAA shall be resolved in favor of a meaning that permits the Parties to comply with the HIPAA Laws.  
   
   
4. Relationship of the Parties.  In the performance of the work, duties and obligations described in this BAA, the Parties acknowledge and agree that each Party is at all times acting and performing as an independent contractor and at no time shall the relationship between the Parties be construed as a partnership, joint venture, employment, principal/agent relationship, or master/servant relationship.
   
   
5. No Third Party Beneficiaries.  Nothing in this BAA shall confer upon any person other than the Parties and their respective successors or assigns, any rights, remedies, obligations, or liabilities whatsoever. 
   
   
6. Entire Agreement and Amendment.  This BAA constitutes the entire agreement between the Parties with respect to PHI, and may be modified or amended upon notification to Customer.
   
   
7. Waiver.  No provision of this BAA may be waived except by an agreement in writing signed by the waiving party. A waiver with respect to one event will not be construed as continuing, or as a bar or waiver of any right or remedy as to subsequent events.  
   
   
8. Headings.  The headings of each section are inserted solely for purposes of convenience and shall not alter the meaning of this BAA.
   
   

Governing Law.  The Parties hereby agree that this BAA shall be governed by, and construed in accordance with, the laws of the state of California, without giving effect to its conflicts of law principles and hereby submit themselves to the jurisdiction and venue of the federal and state courts of California.