Business Associate Agreement
Effective Date: February 6, 2026
This Business Associate Agreement ("Agreement") is entered into effective as of February 6, 2026 ("Effective Date"), by and between AidiN Health (the "Covered Entity") and the Business Associate identified in the executed agreement.
Recitals
WHEREAS, the Covered Entity is a HIPAA-covered entity that provides healthcare services and is subject to the Health Insurance Portability and Accountability Act of 1996, as amended, and the regulations promulgated thereunder, including the Privacy Rule (45 CFR Parts 160 and 164, Subparts A and E), the Security Rule (45 CFR Parts 160 and 164, Subparts A and C), and the Breach Notification Rule (45 CFR Part 164, Subpart D); and
WHEREAS, the Business Associate will assist the Covered Entity in providing healthcare services and may have access to, receive, maintain, or transmit Protected Health Information ("PHI") as defined herein; and
WHEREAS, in order to establish the permitted uses and disclosures of such PHI and to set forth the terms and conditions under which the Business Associate will protect such PHI, the parties desire to enter into this Agreement.
NOW, THEREFORE, in consideration of the mutual covenants and agreements herein contained, the parties agree as follows:
Article 1: Definitions
For purposes of this Agreement, the following terms shall have the meanings set forth below:
Breach: The unauthorized acquisition, access, use, or disclosure of Protected Health Information which compromises the security or privacy of such information, as defined in 45 CFR § 164.400 et seq.
Business Associate: A person or entity, other than a member of the workforce of the Covered Entity, that on behalf of such Covered Entity: (i) creates, receives, maintains, or transmits Protected Health Information; or (ii) performs legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services.
Covered Entity: A health plan, healthcare clearinghouse, or healthcare provider as defined in 45 CFR § 160.103.
Electronic Protected Health Information (ePHI): Protected Health Information that is maintained, stored, processed, or transmitted in electronic format.
Protected Health Information (PHI): Individually identifiable health information, including demographic information, that is created, received, maintained, or transmitted by the Covered Entity or Business Associate in the course of providing healthcare services.
Required by Law: A mandate contained in law that compels the Covered Entity or Business Associate to use or disclose Protected Health Information.
Security Incident: The attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.
Subcontractor: Any person or entity, other than a member of the Business Associate's workforce, who on behalf of such Business Associate creates, receives, maintains, or transmits Protected Health Information.
Article 2: Obligations of Business Associate
2.1 Permitted Uses and Disclosures
The Business Associate may use or disclose Protected Health Information only:
- As necessary to perform the functions, activities, or services specified in the underlying business arrangement(s) with the Covered Entity
- As required by law
- With prior written authorization from the Covered Entity
2.2 Safeguards for Protected Health Information
The Business Associate shall implement and maintain appropriate safeguards to protect Protected Health Information from misuse, loss, alteration, destruction, and unauthorized access, use, or disclosure. These safeguards shall include:
- Administrative Safeguards: Reasonable administrative policies and procedures, including workforce security, information access management, security awareness and training, and security incident procedures
- Physical Safeguards: Physical safeguards to protect facilities and equipment containing PHI, including facility access controls, workstation use policies, and device and media controls
- Technical Safeguards: Technology-based safeguards to protect PHI and control access, including access controls, audit controls, integrity controls, and transmission security
2.3 Reporting Security Incidents and Breaches
The Business Associate shall report any Security Incident or suspected Breach to the Covered Entity without unreasonable delay and in no case later than 24 hours after discovery. The report shall include:
- Identification and description of the Protected Health Information involved
- Description of the circumstances of the Security Incident or Breach
- Steps taken by the Business Associate to mitigate the effect of the incident
- Contact information for a Business Associate representative
2.4 Subcontractors
The Business Associate shall not use or disclose Protected Health Information through any Subcontractor unless the Subcontractor agrees to comply with all applicable terms and conditions of this Agreement. The Business Associate shall remain fully liable for any breach or failure by a Subcontractor.
2.5 Access to Protected Health Information by Individuals
The Business Associate shall, at the request of the Covered Entity and within 30 days, provide the Covered Entity with access to Protected Health Information in the possession or control of the Business Associate, to the extent required under 45 CFR § 164.524.
2.6 Amendment of Protected Health Information
The Business Associate shall, at the request of the Covered Entity and within 30 days, amend Protected Health Information in the possession or control of the Business Associate, to the extent required under 45 CFR § 164.526.
2.7 Accounting of Disclosures
The Business Associate shall provide the Covered Entity with information and documentation regarding all disclosures of Protected Health Information, consistent with 45 CFR § 164.528.
2.8 Compliance with HIPAA Regulations and HHS Access
The Business Associate shall:
- Comply with all applicable provisions of the HIPAA Privacy Rule, Security Rule, Breach Notification Rule, and any amendments
- Make available to the Covered Entity all Protected Health Information in response to individual access requests
- Make internal practices, books, and records relating to the use and disclosure of PHI available to the Covered Entity and HHS for compliance purposes
- Report to the Covered Entity any use or disclosure not permitted by this Agreement
2.9 Minimum Necessary Standard
The Business Associate shall limit the use and disclosure of, and requests for, Protected Health Information to the minimum necessary to accomplish the stated purpose, consistent with 45 CFR § 164.502(b).
Article 3: Obligations of Covered Entity
3.1 Permitted Uses and Disclosures
The Covered Entity shall not request the Business Associate to use or disclose Protected Health Information in any manner that would violate the Privacy Rule, Security Rule, or Breach Notification Rule if done by the Covered Entity itself.
3.2 Notification of HIPAA Changes
The Covered Entity shall notify the Business Associate of any changes in law, regulation, or court decision that may affect the obligations of either party under this Agreement.
Article 4: Permitted Uses and Disclosures
The Business Associate may use or disclose Protected Health Information:
- To perform functions and services on behalf of the Covered Entity
- As required by law, regulation, or court order
- For the proper management and operation of the Business Associate
- To the extent necessary to comply with this Agreement and applicable law
- With the express written authorization of the Covered Entity
Article 5: Term and Termination
5.1 Term
This Agreement shall be effective as of February 6, 2026, and shall continue for an initial term of one (1) year, automatically renewing for successive one-year periods unless either party provides written notice of non-renewal at least thirty (30) days prior to expiration.
5.2 Termination for Cause
Either party may terminate this Agreement if the other party materially breaches a provision and fails to cure within thirty (30) days of written notice. If termination is necessary because the Business Associate is in violation or unable to mitigate a Breach, the Covered Entity may terminate immediately.
5.3 Effect of Termination
Upon termination, the Business Associate shall return to the Covered Entity or securely destroy all Protected Health Information received from or created on behalf of the Covered Entity. The Business Associate shall certify in writing that all PHI has been returned or destroyed.
5.4 Survival
All obligations regarding the return or destruction of PHI shall survive termination. All confidentiality obligations and restrictions on use and disclosure shall survive termination indefinitely.
Article 6: Breach Notification
6.1 Breach Discovery and Notification
The Business Associate shall provide prompt notification to the Covered Entity of a Breach of unsecured PHI without unreasonable delay and no later than 24 hours after discovery.
6.2 Content of Breach Notification
All breach notifications shall include:
- The name, title, and contact information of a representative
- A description of the Protected Health Information involved
- The cause of the Breach, if known
- The number of individuals whose PHI may have been involved
- The discovery timeline and mitigation steps taken
6.3 Sixty-Day Notification Requirement
The Covered Entity shall be responsible for notifying affected individuals and the media within 60 days of discovery of a Breach. The Business Associate shall cooperate fully in preparing and delivering such notifications.
Article 7: Miscellaneous
7.1 Regulatory References
This Agreement is intended to comply with the Privacy Rule, Security Rule, Breach Notification Rule, and applicable amendments. The parties acknowledge that if HIPAA regulations are modified, this Agreement will be amended as necessary.
7.2 Amendment
No amendment shall be effective unless made in writing and executed by authorized representatives of both parties.
7.3 Interpretation
Any ambiguity or conflict shall be interpreted to carry out the purposes of HIPAA and its regulations.
7.4 Indemnification
The Business Associate shall indemnify and hold harmless the Covered Entity from any losses, claims, damages, penalties, fines, and liabilities arising out of the Business Associate's breach of this Agreement or violation of HIPAA.
7.5 Governing Law and Jurisdiction
This Agreement shall be governed by the laws of the United States and the laws of the state in which the Covered Entity is located.
7.6 Entire Agreement
This Agreement, together with any underlying business arrangement(s), constitutes the entire agreement between the parties with respect to the subject matter hereof.
Last Updated: February 6, 2026