Business Associate Agreement
This Business Associate Agreement (“Agreement”) is entered into as of the Effective Date (as set forth in the Underlying Agreement) by and between the covered entity (“Covered Entity”) and Digital EMS Solutions Inc., a California corporation (“Business Associate”).
Recitals
A. Business Associate performs certain functions, activities, or services for, or on behalf of, Covered Entity (the "Services") pursuant to one or more underlying agreements (the "Underlying Agreement(s)"), and in the course of performing the Services, Business Associate creates, receives, maintains, or transmits Protected Health Information ("PHI").
B. The parties are entering into this Agreement to comply with the requirements of the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), the Health Information Technology for Economic and Clinical Health Act ("HITECH Act"), and their implementing regulations, including the Privacy, Security, Breach Notification, and Enforcement Rules (45 C.F.R. Parts 160 and 164).
1. DEFINITIONS
Terms used but not otherwise defined in this Agreement shall have the same meaning as those terms in the HIPAA Rules.
- Breach shall have the meaning given to the term in 45 C.F.R. § 164.402.
- Electronic Protected Health Information (EPHI) shall have the meaning given to the term in 45 C.F.R. § 160.103.
- HITECH Act shall mean the Health Information Technology for Economic and Clinical Health Act, found in Title XIII of the American Recovery and Reinvestment Act of 2009.
- Protected Health Information (PHI) shall have the meaning given to the term in 45 C.F.R. § 160.103, limited to the information created, received, maintained, or transmitted by Business Associate from or on behalf of Covered Entity.
- Unsecured Protected Health Information shall have the meaning given to the term in 45 C.F.R. § 164.402.
2. OBLIGATIONS OF BUSINESS ASSOCIATE
2.1 Use and Disclosure of PHI. Business Associate shall not use or disclose PHI other than as permitted or required by this Agreement, the Underlying Agreement, or as Required by Law. Business Associate shall not use or disclose PHI in a manner that would violate Subpart E of 45 C.F.R. Part 164 if done by Covered Entity.
2.2 Safeguards. Business Associate shall implement and use appropriate administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of PHI. Business Associate shall comply with the applicable requirements of the HIPAA Security Rule (45 C.F.R. Part 164, Subpart C) with respect to EPHI.
2.3 Reporting Obligations. Business Associate agrees to report the following to Covered Entity:
- a. Non-Permitted Uses or Disclosures. Any use or disclosure of PHI not provided for by this Agreement of which it becomes aware, including Breaches of Unsecured PHI.
- b. Breaches of Unsecured PHI. Business Associate shall notify Covered Entity following the discovery of any Breach of Unsecured PHI without unreasonable delay, and in no event later than five (5) calendar days after discovery. A Breach shall be treated as "discovered" as of the first day on which such Breach is known to Business Associate or, by exercising reasonable diligence, would have been known. The notice shall include, to the extent possible, the identification of each individual whose Unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed, and any other available information that Covered Entity is required to include in its notification to individuals.
- c. Security Incidents. Business Associate shall report any successful Security Incident. Unsuccessful attempts (such as pings, port scans, or unsuccessful log-on attempts) are excluded from this reporting requirement.
2.4 Subcontractors. Business Associate shall ensure that any subcontractor that creates, receives, maintains, or transmits PHI on its behalf agrees in writing to the same restrictions, conditions, and requirements that apply to Business Associate under this Agreement.
2.5 Access to Designated Record Set. To the extent Business Associate maintains PHI in a Designated Record Set, it shall, upon request from Covered Entity, provide access to such PHI to Covered Entity to meet the requirements under 45 C.F.R. § 164.524.
2.6 Amendment of PHI. To the extent Business Associate maintains PHI in a Designated Record Set, it shall make any amendment(s) to PHI as directed by Covered Entity pursuant to 45 C.F.R. § 164.526.
2.7 Accounting of Disclosures. Business Associate shall document disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request for an accounting of disclosures in accordance with 45 C.F.R. § 164.528.
2.8 Direct HIPAA Compliance. Business Associate acknowledges that it is directly subject to certain provisions of the HIPAA Rules and is liable for any violations thereof.
2.9 Records and Audits. Business Associate shall make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of Health and Human Services for purposes of determining compliance with the HIPAA Rules.
2.10 Mitigation. Business Associate shall take reasonable steps to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI in violation of this Agreement.
3. PERMITTED USES AND DISCLOSURES BY BUSINESS ASSOCIATE
3.1 General Use and Disclosure. Business Associate may use or disclose PHI as necessary to perform the Services, provided that such use or disclosure complies with the Minimum Necessary principle and would not violate the HIPAA Rules if done by Covered Entity.
3.2 Specific Uses. Business Associate may use PHI for the proper management and administration of the Business Associate or to carry out its legal responsibilities. Business Associate may use PHI to create de-identified health information in accordance with 45 C.F.R. § 164.514(b).
4. OBLIGATIONS OF COVERED ENTITY
4.1 Notice of Privacy Practices. Covered Entity shall notify Business Associate of any limitation(s) in its notice of privacy practices that may affect Business Associate’s use or disclosure of PHI.
4.2 Notice of Changes. Covered Entity shall notify Business Associate of any changes in, or revocation of, permission by an Individual to use or disclose PHI, to the extent that such changes may affect Business Associate’s duties.
4.3 Permissible Requests. Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under the HIPAA Rules if done by Covered Entity.
5. TERM AND TERMINATION
5.1 Term. This Agreement shall be effective as of the Effective Date and shall terminate when all PHI is returned to Covered Entity or destroyed.
5.2 Termination for Cause. Upon Covered Entity’s knowledge of a material breach by Business Associate, Covered Entity shall provide an opportunity for Business Associate to cure the breach within thirty (30) business days. If Business Associate does not cure the breach within the specified timeframe, Covered Entity may terminate this Agreement and the Underlying Agreement(s).
5.3 Return or Destruction of PHI. Upon termination, Business Associate shall return or destroy all PHI. If return or destruction is not feasible, Business Associate shall extend the protections of this Agreement to such PHI and limit further uses and disclosures to those purposes that make the return or destruction infeasible. Destruction must render the PHI unusable, unreadable, or indecipherable.
6. MISCELLANEOUS
6.1 Indemnification. Business Associate agrees to indemnify, defend, and hold harmless Covered Entity and its officers, directors, employees, and agents from and against any and all claims, losses, liabilities, costs, and other expenses (including reasonable attorneys' fees) resulting from or arising out of any material breach of this Agreement or violation of the HIPAA Rules by Business Associate or its subcontractors.
6.2 Insurance. Business Associate shall maintain, at its sole expense, a policy or policies of professional liability (errors and omissions) and/or cyber liability insurance in an amount not less than $1,000,000 per occurrence and $2,000,000 in the aggregate.
6.3 Regulatory References. A reference in this Agreement to a section in the HIPAA Rules means the section as in effect or as amended.
6.4 Amendment. The Parties agree to amend this Agreement as necessary for compliance with the HIPAA Rules.
6.5 Survival. The respective rights and obligations of Business Associate under Section 5.3 shall survive the termination of this Agreement.
6.6 Governing Law. This Agreement shall be governed by the laws of the State of California.