Business Associate Agreement

This Business Associate Agreement (this “Agreement”) is between Health Cloud LLC, a Tennessee limited liability company (“Health Cloud”), and you, the user of Health Cloud’s services who is a HIPAA Covered Entity (“Covered Entity”). This Agreement governs how Health Cloud will handle Protected Health Information in providing services to you. By using the Health Cloud services (the “Services”), you acknowledge that you are a Covered Entity as defined under HIPAA and that you have read, understood, and agree to be bound by this Business Associate Agreement. You and Health Cloud are collectively referred to as the “Parties” (each a “Party”).

NOW, THEREFORE, in consideration of the mutual promises and the exchange of information described herein, the Parties agree as follows:

    Definitions

    • HIPAA: The Health Insurance Portability and Accountability Act of 1996, as amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act, and its implementing regulations. This includes the HIPAA Privacy Rule (45 CFR Parts 160 and 164, Subparts A & E), the HIPAA Security Rule (45 CFR Parts 160 and 164, Subparts A & C), and the Breach Notification Rule, as each may be amended from time to time.
    • Protected Health Information (PHI): “Protected health information,” as defined at 45 CFR 160.103. In general, this means individually identifiable health information that is created, received, maintained, or transmitted by Health Cloud from or on your behalf, in any form or medium.
    • Covered Entity: Has the same meaning as defined at 45 CFR 160.103. In this Agreement, “Covered Entity” refers to you, the user of the Services who is subject to HIPAA.
    • Business Associate: Has the same meaning as defined at 45 CFR 160.103. In this Agreement, “Business Associate” refers to Health Cloud.
    • Breach: “Breach” means the unauthorized acquisition, access, use, or disclosure of PHI in a manner not permitted by the HIPAA Privacy Rule that compromises the security or privacy of the PHI, as defined in 45 CFR 164.402 (subject to the exceptions provided in that regulation).
    • Electronic PHI (ePHI): PHI that is created, received, maintained, or transmitted in electronic form.
    • Required by Law: A mandate contained in law or regulation that compels use or disclosure of PHI (for example, a court order or statute that requires disclosure).

    Any capitalized term used but not otherwise defined in this Agreement shall have the meaning given to it under the HIPAA Rules.

    Obligations of Health Cloud (Business Associate)

    Health Cloud agrees to perform the following obligations to protect PHI:

    • Permitted Uses/Disclosures Only: Health Cloud will not use or disclose your PHI other than as permitted or required by this Agreement or as Required by Law. Health Cloud will not use or disclose PHI in any manner that would violate the HIPAA Privacy Rule if done by you (except as specifically allowed in this Agreement).
    • Safeguards: Health Cloud will use appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of PHI. In particular, Health Cloud will comply with the HIPAA Security Rule with respect to all electronic PHI.
    • Subcontractors: If Health Cloud uses any subcontractors or agents who need access to your PHI to assist in providing the Services, Health Cloud will ensure those subcontractors agree in writing to the same restrictions and conditions that apply to Health Cloud under this Agreement. (In other words, any subcontractor who handles PHI on our behalf will be held to the same privacy and security standards.)
    • Reporting of Improper Use or Breach: Health Cloud will promptly report to you any use or disclosure of your PHI not permitted by this Agreement of which it becomes aware. This includes reporting any Breach of unsecured PHI as required by 45 CFR 164.410. Such report will be made without unreasonable delay and in no case later than ten (10) business days after discovery of the Breach. Health Cloud will also report to you any security incident (as defined by 45 CFR 164.304) of which it becomes aware. However, you agree that this section constitutes notice, and no additional report, of any trivial unsuccessful security incidents that do not result in unauthorized access, use, or disclosure of PHI (for example, unsuccessful attempts at login, ping sweeps, or other routine network scans).
    • Access to PHI: To the extent you direct, and in order to allow you to comply with your obligations under 45 CFR 164.524, Health Cloud will make PHI in a Designated Record Set available to you or, at your direction, to the individual who is the subject of the PHI. Upon your written request, Health Cloud will provide you with access to the PHI (in the format requested, if readily producible) so that you can meet your obligations to provide individuals access to their PHI.
    • Amendment of PHI: Upon your request, and to enable you to comply with 45 CFR 164.526, Health Cloud will make any requested amendment to PHI in a Designated Record Set. If an individual asks Health Cloud directly to amend their PHI, Health Cloud will promptly forward the request to you for handling.
    • Accounting of Disclosures: Health Cloud will document disclosures of PHI as needed for you to respond to an individual’s request for an accounting of disclosures under 45 CFR 164.528. Upon your request, Health Cloud will provide you with information about such disclosures so that you can fulfill your obligation to provide an accounting to the individual.
    • Privacy Rule Obligations if Delegated: To the extent that Health Cloud is required to carry out any of your obligations under the HIPAA Privacy Rule, Health Cloud will comply with the requirements of the Privacy Rule that apply to you in the performance of such obligations.
    • HHS Access: Health Cloud will make its internal practices, books, and records (including policies and procedures) relating to the use and disclosure of PHI received from you (or created or received by us on your behalf) available to the Secretary of the U.S. Department of Health and Human Services (HHS) for purposes of determining your compliance with HIPAA. Health Cloud will notify you if HHS requests such access to our records.
    • Handling Individual Requests: If Health Cloud receives any request or inquiry directly from an individual (e.g. an individual’s request for access, amendment, or accounting of their PHI), Health Cloud will forward that request to you promptly. Health Cloud will not respond directly to the individual without your authorization, except as Required by Law or as otherwise provided in this Agreement.

    Permitted Uses and Disclosures by Health Cloud

    To perform the Services for you, Health Cloud is permitted to use and disclose PHI as follows:

    • To Provide Services: Health Cloud may use and disclose your PHI as necessary to perform the Services and other functions agreed upon with you. This includes uses and disclosures of PHI to manage and administer the Services we provide to you.
    • Proper Management and Administration: Health Cloud may use your PHI for the proper management and administration of Health Cloud’s business and to carry out our legal responsibilities. Health Cloud may also disclose your PHI for our proper management and administration or to fulfill our legal responsibilities if: (a) the disclosure is Required by Law (for example, if we are compelled by a valid legal demand), or (b) we obtain reasonable assurances from the person or entity to whom we disclose your PHI that the information will remain confidential and be used or further disclosed only as Required by Law or for the purpose for which we disclosed it, and that the person or entity will notify us of any instances of breach of confidentiality.
    • Data Aggregation Services: Health Cloud is permitted to use your PHI to provide Data Aggregation services related to your health care operations. “Data Aggregation” means combining your PHI with that of other covered entities we serve, to develop analyses related to the operations of the covered entities (as allowed by 45 CFR 164.504(e)(2)(i)(B)). Any such aggregated data that relates to your operations will be provided back to you upon request to support your health care operations.
    • De-Identification: Health Cloud may de-identify any PHI in accordance with 45 CFR 164.514(a)-(c). De-identified information is not considered PHI and is not subject to this Agreement. Health Cloud may use or disclose de-identified data for any lawful purpose (for example, for product improvement, analytics, or research). If you prefer that your PHI not be used for de-identification purposes, you may notify Health Cloud in writing, and we will not use your PHI for such purposes.

    For clarity, any use or disclosure of PHI by Health Cloud that is not listed above or otherwise expressly permitted by this Agreement is prohibited unless you authorize it in writing or it is Required by Law.

    Term and Termination

    • Term: This Agreement is effective immediately once you begin using the Services and will remain in effect as long as you continue to use the Services. This Agreement will automatically terminate if you discontinue use of the Services and all PHI provided to Health Cloud is returned or destroyed as described below.
    • Termination for Cause: If you become aware of a pattern of activity or any practice by Health Cloud that constitutes a material breach or violation of this Agreement, you may terminate this Agreement. In such event, you agree to provide Health Cloud written notice of the breach or violation and give Health Cloud an opportunity to cure the breach or end the violation within thirty (30) days of receiving the notice. If Health Cloud does not cure the breach or if the breach is not capable of cure, you may terminate this Agreement immediately thereafter.
    • Obligations Upon Termination: Upon termination of this Agreement for any reason, Health Cloud will return or destroy all PHI received from you, or created or received by Health Cloud on your behalf, that Health Cloud still maintains in any form. Health Cloud will not retain any copies of your PHI after termination, if it is feasible to return or destroy such information. If Health Cloud determines that returning or destroying PHI is not feasible (for example, if the PHI is stored in backups or archives that cannot be easily accessed or separated), Health Cloud will extend the protections of this Agreement to the retained PHI and will limit any further uses or disclosures of that PHI to the purposes that make return or destruction infeasible. These obligations survive termination of the Agreement.

    Covered Entity’s Obligations

    As a Covered Entity using Health Cloud’s Services, you agree to the following in order to enable compliance with HIPAA:

    • Necessary Permissions: You represent and warrant that you have obtained all necessary authorizations, consents, and other permissions required by law to disclose PHI to Health Cloud for the purposes of this Agreement. In other words, you confirm that you have the legal right to share the PHI with us and to allow Health Cloud to use and disclose PHI to provide the Services and perform its obligations under this Agreement.
    • Notice of Privacy Practices: To the extent applicable, you will notify Health Cloud of any limitations in your Notice of Privacy Practices (as required by 45 CFR 164.520) that would affect Health Cloud’s use or disclosure of PHI. (For example, if your Notice of Privacy Practices restricts certain uses of PHI that would apply to the Services we perform, you must let us know.)
    • Changes in Individual’s Authorization: You will notify Health Cloud of any changes in, or revocation of, permission by an individual to use or disclose his or her PHI, if such changes affect Health Cloud’s permitted uses or disclosures. (For example, if a patient revokes consent for you to use or disclose their information, and that revocation means we can no longer use it on your behalf, you need to inform us.)
    • Restrictions on PHI Use/Disclosure: You will notify Health Cloud of any restriction on the use or disclosure of PHI that you have agreed to in accordance with 45 CFR 164.522 (Requests for restrictions by individuals), to the extent that such restriction would affect Health Cloud’s use or disclosure of PHI.
    • No Impermissible Requests: You shall not request or require Health Cloud to use or disclose PHI in any manner that would not be permissible under the HIPAA Privacy Rule if done by you directly (except for uses and disclosures expressly permitted to Health Cloud under this Agreement, such as those for management and administration, data aggregation, or de-identification).

    Miscellaneous

    • Amendment: The Parties agree to take such action as is necessary to amend this Agreement from time to time if required to maintain compliance with HIPAA or other applicable law. Any amendment must be in writing and signed (or otherwise accepted) by both Parties.
    • No Third-Party Beneficiaries: Nothing in this Agreement is intended to confer any rights, remedies, or benefits to any person or entity other than you and Health Cloud. This Agreement creates obligations only between the Parties, and no third party shall be considered a beneficiary of this Agreement.
    • Interpretation: This Agreement shall be interpreted to allow compliance with the HIPAA Rules. Any ambiguity in this Agreement shall be resolved in favor of a meaning that permits compliance with HIPAA. In the event of any conflict between a provision of this Agreement and a provision of any other agreement between the Parties, the provisions of this Business Associate Agreement shall control with respect to the subject matter of PHI.
    • Notices: All notices required to be given under this Agreement shall be provided in writing. Each Party is responsible for providing the other with its current contact information for such notices. Notices shall be deemed given and effective when actually received by the other Party (or when delivery is attempted, if the receiving Party refuses or fails to accept delivery). Notices may be delivered by secure electronic means, certified mail (postage prepaid), or reputable courier service.
    • Survival: The obligations of Health Cloud to protect the privacy and security of PHI, as well as other provisions which by their nature should survive, shall survive termination of this Agreement. This includes, for example, obligations regarding return or destruction of PHI, the prohibition on using or disclosing PHI except as permitted, no third-party beneficiaries, and this Survival clause itself.