Business Associate Agreement

Last Updated: January 6, 2026

This Business Associate Agreement ("BAA") is incorporated into and subject to the FluxPT Service Terms ("Service Agreement") between you ("Covered Entity") and WISE IT LLC d/b/a FluxPT ("Business Associate").

1. Definitions

Terms used but not defined in this BAA shall have the same meaning as defined in the HIPAA Rules (45 CFR Parts 160 and 164), including but not limited to:

  • Breach
  • Data Aggregation
  • Designated Record Set
  • Disclosure
  • Health Care Operations
  • Individual
  • Minimum Necessary
  • Protected Health Information (PHI)
  • Security Incident
  • Subcontractor
  • Use

2. Permitted Uses and Disclosures

2.1 Performance of Services

Business Associate may use or disclose PHI as necessary to perform the services outlined in the Service Agreement.

2.2 Management & Administration

Business Associate may use PHI for its proper management and administration and to fulfill its legal responsibilities.

2.3 Data Aggregation & Product Improvement

Important: This section authorizes de-identification for product improvement.

Business Associate may:

  • Provide Data Aggregation services relating to the Health Care Operations of the Covered Entity
  • De-identify PHI in accordance with 45 CFR § 164.514(b) (HIPAA Safe Harbor method). Once de-identified, such data is no longer PHI and may be used by Business Associate for any lawful purpose, including but not limited to: software development, benchmarking, machine learning model training, and statistical analysis.

3. Obligations of Business Associate

3.1 Safeguards

Business Associate shall use appropriate safeguards to prevent use or disclosure of PHI other than as provided for by this BAA, including complying with the HIPAA Security Rule (45 CFR Part 164 Subpart C) regarding Electronic PHI.

3.2 Reporting

Business Associate shall report to Covered Entity:

  • Any Use or Disclosure of PHI not provided for by this BAA
  • Any Security Incident (provided that trivial, routine security events such as automated port scans, unsuccessful login attempts, or firewall probes shall not require individual reporting)
  • Any Breach of Unsecured PHI

3.3 Reporting Timeline

Notice of a Breach shall be provided without unreasonable delay and in no case later than thirty (30) calendar days after discovery. For confirmed breaches involving unauthorized access to PHI, we will provide initial notification within five (5) business days.

3.3.1 Unsuccessful Security Incidents

The parties acknowledge that ongoing unsuccessful security incidents (including but not limited to pings, port scans, brute force login attempts, denial of service attacks that do not result in data exposure, and malware blocked by security controls) do not require individual notification. Business Associate will maintain aggregate logs of such events for security monitoring purposes.

3.4 Subcontractors

Business Associate shall ensure that any subcontractors that create, receive, maintain, or transmit PHI on its behalf enter into a written agreement meeting the requirements of 45 C.F.R. §§ 164.504(e) and 164.314(a), with restrictions substantially similar to those in this BAA.

Current Subcontractors with BAAs in place:

  • Amazon Web Services (AWS) - Cloud infrastructure, database hosting, backups
  • Stedi, Inc. - Healthcare clearinghouse for eligibility verification (270/271), claims submission (837P), claim status (276/277), and ERA retrieval (835)

Stedi's BAA and security practices can be reviewed at legal.stedi.com.

3.5 Access to PHI

Business Associate shall make available PHI in a Designated Record Set to Covered Entity or, as directed by Covered Entity, to an Individual, in order to meet Covered Entity's obligations under 45 CFR § 164.524.

3.6 Amendment of PHI

Business Associate shall make any amendment(s) to PHI in a Designated Record Set as directed by Covered Entity or as agreed to by Covered Entity, in accordance with 45 CFR § 164.526.

3.7 Accounting of Disclosures

Business Associate shall document and make available information required to provide an accounting of disclosures in accordance with 45 CFR § 164.528.

4. Obligations of Covered Entity

  • Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under HIPAA if done by Covered Entity.
  • Covered Entity is responsible for obtaining any necessary patient consents or authorizations required for Business Associate to perform the Services.
  • Covered Entity shall notify Business Associate of any limitation(s) in its Notice of Privacy Practices, to the extent that such limitation may affect Business Associate's use or disclosure of PHI.

5. Term and Termination

5.1 Term

This BAA shall remain in effect for the duration of the Service Agreement.

5.2 Termination for Cause

If either party knows of a material breach by the other, they must provide written notice and an opportunity to cure. If the breach is not cured within thirty (30) days, the non-breaching party may terminate this BAA and the Service Agreement.

5.3 Effect of Termination

Upon termination, Business Associate shall return or destroy all PHI received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity.

Feasibility Exception: If return or destruction is not feasible (e.g., PHI stored in immutable backups or required for legal compliance), Business Associate shall extend the protections of this BAA to such PHI and limit further uses and disclosures to those purposes that make the return or destruction infeasible. Such retained PHI shall be subject to this BAA in perpetuity.

6. Miscellaneous

6.1 Liability

The liability of Business Associate under this BAA shall be subject to the limitations of liability and indemnification set forth in the underlying Service Agreement.

6.2 Regulatory References

A reference in this BAA to a section in the HIPAA Rules means the section as in effect or as amended. This BAA shall be interpreted in a manner consistent with the HIPAA Rules.

6.3 Amendment

The parties agree to amend this BAA as necessary to comply with changes in the HIPAA Rules or other applicable law.

6.4 Conflict

In the event of a conflict between this BAA and the Service Agreement regarding PHI, this BAA shall control.

7. Acceptance

By using the FluxPT Service to process Protected Health Information, you ("Covered Entity") agree to be bound by the terms of this Business Associate Agreement.

Questions? If you require a countersigned copy of this BAA for your compliance records, or if you need to discuss custom terms, please contact us at legal@fluxpt.com.

8. Contact Information

Business Associate:

WISE IT LLC (d/b/a FluxPT)

Duiliu Zamfirescu nr.4, Oradea, Romania, Europe

European VAT: RO29931473

Email: legal@fluxpt.com

Phone: +40 741 574 243

Website: https://fluxpt.com