Business Associate Agreement

1. Definitions

Terms used, but not otherwise defined, in this Agreement shall have the same meaning as those terms in the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), the Health Information Technology for Economic and Clinical Health Act ("HITECH"), and their implementing regulations at 45 CFR Parts 160, 162, and 164 ("HIPAA Rules").

2. Obligations and Activities of Business Associate

Business Associate agrees to:

1. Not use or disclose PHI other than as permitted or required by this Agreement or as Required by Law.
2. Use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to ePHI, to prevent use or disclosure of PHI other than as provided for by this Agreement.
3. Report to Covered Entity any use or disclosure of PHI not provided for by this Agreement of which it becomes aware, including Breaches of Unsecured PHI as required by 45 CFR 164.410.
4. In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of the Business Associate agree to the same restrictions, conditions, and requirements that apply to the Business Associate with respect to such information.
5. Make available PHI in a Designated Record Set to the Covered Entity as necessary to satisfy Covered Entity's obligations under 45 CFR 164.524.
6. Make any amendment(s) to PHI in a Designated Record Set as directed or agreed to by the Covered Entity pursuant to 45 CFR 164.526, or take other measures as necessary to satisfy Covered Entity's obligations under 45 CFR 164.526.
7. Maintain and make available the information required to provide an accounting of disclosures to the Covered Entity as necessary to satisfy Covered Entity's obligations under 45 CFR 164.528.
8. Make its internal practices, books, and records available to the Secretary for purposes of determining compliance with the HIPAA Rules.

3. Permitted Uses and Disclosures by Business Associate

• Business Associate may only use or disclose PHI as necessary to perform the services set forth in the Service Agreement.
• Business Associate may use or disclose PHI as Required by Law.
• Business Associate agrees to make uses and disclosures and requests for PHI consistent with Covered Entity's minimum necessary policies and procedures.
• Business Associate may not use or disclose PHI in a manner that would violate Subpart E of 45 CFR Part 164 if done by Covered Entity.
• Business Associate may provide Data Aggregation services relating to the health care operations of the Covered Entity.

4. Appropriate Safeguards

Business Associate shall implement and maintain appropriate safeguards to prevent the use or disclosure of PHI other than as permitted by this Agreement, including but not limited to:

5. Breach Notification

Business Associate shall notify Covered Entity without unreasonable delay and in no case later than sixty (60) calendar days after discovery of a Breach of Unsecured PHI.

Such notification shall include, to the extent possible:

• The identification of each Individual whose Unsecured PHI has been, or is reasonably believed by Business Associate to have been, accessed, acquired, used, or disclosed during the Breach
• A description of what happened, including the date of the Breach and the date of discovery
• A description of the types of Unsecured PHI involved
• Any steps Individuals should take to protect themselves from potential harm
• A description of what Business Associate is doing to investigate the Breach, mitigate harm, and protect against future Breaches

6. Termination

Termination for Cause:

Upon Covered Entity's knowledge of a material breach by Business Associate, Covered Entity shall either:

Effect of Termination:

Except as provided in paragraph 9.3, upon termination of this Agreement, for any reason, Business Associate shall return or destroy all PHI received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity. This provision shall apply to PHI that is in the possession of subcontractors or agents of Business Associate. Business Associate shall retain no copies of the PHI.

In the event that Business Associate determines that returning or destroying the PHI is infeasible, Business Associate shall provide to Covered Entity notification of the conditions that make return or destruction infeasible. Upon determination that return or destruction of PHI is infeasible, Business Associate shall extend the protections of this Agreement to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such PHI.

7. Indemnification

Business Associate shall indemnify, defend, and hold harmless Covered Entity, its officers, directors, employees, and agents from and against any claim, cause of action, liability, damage, cost, or expense (including reasonable attorneys' fees and costs of litigation) arising out of or in connection with any breach of this Agreement by Business Associate or any violation of HIPAA by Business Associate.

Covered Entity shall indemnify, defend, and hold harmless Business Associate, its officers, directors, employees, and agents from and against any claim, cause of action, liability, damage, cost, or expense (including reasonable attorneys' fees and costs of litigation) arising out of or in connection with any negligent or wrongful acts or omissions of Covered Entity in connection with its obligations under this Agreement or HIPAA.

8. Interpretation

• Regulatory References: A reference in this Agreement to a section in the HIPAA Rules means the section as in effect or as amended.
• No Third-Party Beneficiaries: Nothing express or implied in this Agreement is intended to confer, nor shall anything herein confer, upon any person other than the parties and the respective successors or assigns of the parties, any rights, remedies, obligations, or liabilities whatsoever.
• Ambiguities: Any ambiguity in this Agreement shall be interpreted to permit compliance with the HIPAA Rules.
• Governing Law: This Agreement shall be governed by the laws of Singapore, without regard to its conflict of law provisions.

9. Execution

This Business Associate Agreement is executed electronically through the Ajentik platform. By clicking "Accept" or using our services for PHI processing, you acknowledge that you have read, understood, and agree to be bound by the terms of this Agreement.