This Business Associate Agreement (“Agreement”) is entered into by and between Entelijant Identity Solutions, doing business as Solatis (“Business Associate”) and the customer that entered into the Terms of Use with Business Associate (“Covered Entity”) and is effective as of the Effective Date. Covered Entity and Business Associate are hereinafter referred to collectively as the “Parties.”

‍

WHEREAS, pursuant to these Terms of Use, Business Associate will provide certain services to, for, or on behalf of Covered Entity involving the use or disclosure of Protected Health Information, and pursuant to such Terms of Use, Business Associate may be considered a “business associate” of Covered Entity;

‍

WHEREAS, Sections 261 through 264 of the federal Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, as modified by the Health Information Technology for Economic and Clinical Health Act, known collectively as “the Administrative Simplification provisions,” direct the Department of Health and Human Services to develop standards to protect the security, confidentiality, and integrity of health information; and

‍

WHEREAS, pursuant to the Administrative Simplification provisions, the Secretary of Health and Human Services has issued regulations at 45 CFR Parts 160 and 164, as the same may be amended from time to time (the “HIPAA Security and Privacy Rule”); and

‍

WHEREAS, the Parties wish to enter into or have entered into an arrangement whereby Business Associate will provide certain services to or perform certain functions on behalf of Covered Entity, and, pursuant to such arrangement, Business Associate may be considered a “business associate” of Covered Entity as defined in the HIPAA Security and Privacy Rule; and

‍

WHEREAS, Business Associate may, in the performance of such functions and/or the provision of such services, access Protected Health Information (as defined below) in the possession, custody, or control of Covered Entity, or may create or receive Protected Health Information on behalf of Covered Entity for the limited purposes identified in this Agreement; and

‍

WHEREAS, pursuant to the Federal Standards for Privacy and Security of Individually Identifiable Health Information, 45 C.F.R. Parts 160 and 164, as established under the Health Insurance Portability and Accountability Act (HIPAA), Covered Entity cannot disclose Protected Health Information to, or authorize the creation or receipt of Protected Health Information on its behalf by, Business Associate unless Covered Entity obtains from Business Associate satisfactory assurances that Business Associate will properly safeguard such information; and

‍

WHEREAS, Business Associate is willing to provide such assurances to Covered Entity under the terms specified herein.

‍

NOW, THEREFORE, in consideration of the Parties’ continuing obligations under the arrangement, compliance with the HIPAA Security and Privacy Rule, and other good and valuable consideration, the receipt and sufficiency of which is hereby acknowledged, the Parties hereby agree as follows:

‍

I. DEFINITIONS

(a) Except as otherwise defined herein, any and all capitalized terms in this Agreement shall have the definitions set forth in the HIPAA Security and Privacy Rule. In the event of an inconsistency between the provisions of this Agreement and mandatory provisions of the HIPAA Security and Privacy Rule, as amended, the HIPAA Security and Privacy Rule shall control. Where provisions of this Agreement are different from those mandated in the HIPAA Security and Privacy Rule, but are nonetheless permitted by the HIPAA Security and Privacy Rule, the provisions of this Agreement shall control.

‍

(b) “Protected Health Information.” The term “Protected Health Information” means individually identifiable health information including, without limitation, all information, data, documentation, and materials, including without limitation, demographic, medical, and financial information, that relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and that identifies the individual or with respect to which there is a reasonable basis to believe the information can be used to identify the individual. “Protected Health Information” includes without limitation “Electronic Protected Health Information” as defined below.

‍

(c) “Electronic Protected Health Information.” The term “Electronic Protected Health Information” means Protected Health Information that is transmitted by Electronic Media (as defined in the HIPAA Security and Privacy Rule) or maintained in Electronic Media.

‍

(d) “Security Incident.” The term “Security Incident” means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.

‍

Business Associate acknowledges and agrees that all Protected Health Information that is created or received by Covered Entity and disclosed or made available in any form, including paper record, oral communication, audio recording, and electronic display by Covered Entity or its operating units to Business Associate or is created or received by Business Associate on Covered Entity’s behalf shall be subject to this Agreement.

‍

II. PERMITTED USES AND DISCLOSURES

‍

(a) Business Associate may use or disclose Protected Health Information only as permitted or required by this Agreement or as required by law. Except as specifically set forth herein, Business Associate may not use or disclose Protected Health Information in a manner that would violate the HIPAA Security and Privacy Rule if such use or disclosure were done by Covered Entity. Specifically, Business Associate may use or disclose Protected Health Information (1) for meeting its obligations as set forth in any agreements between the Parties evidencing their business relationship, or (2) as required by applicable law, rule or regulation, or by an accrediting or credentialing organization to whom Covered Entity is required to disclose such information, or (3) as otherwise permitted under this Agreement, the Parties’ business relationship (if consistent with this Agreement and the HIPAA Security and Privacy Rule), or the HIPAA Security and Privacy Rule, or (4) as would be permitted by the HIPAA Security and Privacy Rule as if such use or disclosure were made by Covered Entity.

(b) Business Associate may de-identify Protected Health Information only at the specific direction of and only for the use of Covered Entity. Business Associate may not sell Protected Health Information except at the direction of Covered Entity and in compliance with the requirements of the HIPAA Security and Privacy Rule.

(c) Notwithstanding the prohibitions set forth in this Agreement, Business Associate may:

(i) Use Protected Health Information for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate;

(ii) Disclose Protected Health Information for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate, provided that as to any such disclosure (A) The disclosure is required by law; or (B) Business Associate obtains reasonable assurances from the person to whom the information is disclosed that the information will remain confidential and will be used or further disclosed only as required by law or for the purpose for which it was disclosed to the person, and the person notifies Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached;

(iii) Provide data aggregation services relating to the health care operations of Covered Entity pursuant to any agreements between the Parties evidencing their business relationship. For purposes of this Agreement, data aggregation means the combining of Protected Health Information by Business Associate with the Protected Health Information received by Business Associate in its capacity as a business associate of another covered entity, to permit data analyses that relate to the health care operations of the respective covered entities.

‍

III. CONFIDENTIALITY AND SECURITY REQUIREMENTS

‍

(a) Business Associate agrees not to use or disclose Protected Health Information other than as permitted or required by this Agreement or as required by law. To

the extent Business Associate carries out obligations of Covered Entity under the HIPAA Security and Privacy Rule, Business Associate shall comply with the applicable provisions of the HIPAA Security and Privacy Rule as if such use or disclosure were made by Covered Entity. Covered Entity will not request Business Associate to use or disclose Protected Health Information in any manner that would not be permissible under the HIPAA Security and Privacy Rule if done by Covered Entity, except as otherwise provided herein. Business Associate agrees to comply with Covered Entity’s policies regarding the minimum necessary use or disclosure of Protected Health Information.

(b) Business Associate agrees to provide HIPAA training to all of its personnel who service Covered Entity’s account or who otherwise will have access to Covered Entity’s Protected Health Information.

(c) At termination of this Agreement, the Parties’ business arrangement, or upon request of Covered Entity, whichever occurs first, if feasible, Business Associate will return (in a manner or process approved by the Covered Entity) or destroy all Protected Health Information received from Covered Entity, or created, maintained or received by Business Associate on behalf of Covered Entity, that Business Associate still maintains in any form and retain no copies of such information. If such return or destruction is not feasible, Business Associate will (i) retain only that Protected Health Information necessary under the circumstances; (ii) return or destroy the remaining Protected Health Information that the Business Associate still maintains in any form; (iii) extend the protections of this Agreement to the retained Protected Health Information; (iv) limit further uses and disclosures to those purposes that make the return or destruction of the Protected Health Information not feasible; and (v) return or destroy the retained Protected Health Information when it is no longer needed by Business Associate. This paragraph shall survive the termination of this Agreement and shall apply to Protected Health Information created, maintained, or received by Business Associate and any of its subcontractors.

(d) Business Associate agrees to ensure that its agents, including any subcontractors, that create, receive, maintain or transmit Protected Health Information on behalf of Business Associate agree to the same (or greater) restrictions and conditions that apply to Business Associate with respect to such information, and agree to implement reasonable and appropriate safeguards to protect any of such information that is Electronic Protected Health Information. Business Associate agrees to enter into written agreements with any subcontractors in accordance with the requirements of the HIPAA Security and Privacy Rule. In addition, Business Associate agrees to take reasonable steps to ensure that its employees’ actions or omissions do not cause Business Associate to breach the terms of this Agreement.

(e) Business Associate will implement appropriate safeguards to prevent use or disclosure of Protected Health Information other than as permitted in this Agreement. Business Associate will implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of any Electronic Protected Health Information that it creates, receives, maintains, or transmits on behalf of Covered Entity as required by the HIPAA Security and Privacy Rule.

(f) To the extent applicable, Business Associate will comply with (i) Covered Entity’s Notice of Privacy Practices; (ii) any limitations to which Covered Entity has agreed in regard to an Individual’s permission to use or disclose his or her Protected Health Information; and (iii) any restrictions to the use or disclosure of Protected Health Information to which Covered Entity has agreed or is required to agree.

(g) Business Associate will make its internal practices, books, and records available to the Secretary of the Department of Health and Human Services for purposes of determining compliance with the terms of the HIPAA Security and Privacy Rule, and, at the request of the Secretary, will comply with any investigations and compliance reviews, permit access to information, and cooperate with any complaints, as required by law. Without unreasonable delay and, in any event, no more than 48 hours of receipt of the request or notification, Business Associate will notify Covered Entity in writing of any request by any governmental entity, or its designee, to review Business Associate’s compliance with law or this BAA, to pursue a complaint, or to conduct an audit or assessment of any kind.

(h) Business Associate shall report to Covered Entity any use or disclosure of Protected Health Information that is not in compliance with the terms of this Agreement, as well as any Security Incident and any actual or suspected Breach, of which it becomes aware, without unreasonable delay, and in no event later than three business days after such discovery. Security Incidents and Breaches shall be treated as discovered by Business Associate as of the first day on which such Security Incident or Breach is known to Business Associate or, by exercising reasonable diligence, would have been known to Business Associate. Notification to the Covered Entity shall contain the elements required by 45 C.F.R. § 164.410. In addition, Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of Protected Health Information by Business Associate in violation of the requirements of this Agreement, as well as to provide complete cooperation to Covered Entity should Covered Entity elect to review or investigate such noncompliance or Security Incident. Business Associate shall cooperate in Covered Entity’s breach analysis and/or risk assessment, if requested. Furthermore, Business Associate shall cooperate with Covered Entity in the event that Covered Entity determines that any third parties must be notified of a Breach, provided that Business Associate shall not provide any such notification except at the direction of Covered Entity. Business Associate shall indemnify and hold harmless Covered Entity for any injury or damages arising from any noncompliance with this Agreement or any Security Incident or Breach attributable to the negligence of Business Associate, including the failure to execute the terms of this Agreement.

‍

IV. AVAILABILITY OF PHI

‍

(a) Business Associate agrees to make available Protected Health Information in a Designated Record Set to Covered Entity to the extent and in the manner required by Section 164.524 of the HIPAA Security and Privacy Rule.

(b) Business Associate agrees to make available Protected Health Information in a Designated Record Set for amendment and to incorporate any amendments to Protected Health Information in accordance with the requirements of Section 164.526 of the HIPAA Security and Privacy Rule and at the direction of Covered Entity.

(c) Business Associate agrees to maintain and make available the information required to provide an accounting of disclosures, as required by Section 164.528 of the HIPAA Security and Privacy Rule. Business Associate will comply with Covered Entity’s policy regarding accounting of disclosures.

(d) Business Associate agrees to comply with any requests for restriction on certain disclosures of Protected Health Information pursuant to Section 164.522 of the HIPAA Security and Privacy Rule to which Covered Entity has agreed and of which Business Associate is notified by Covered Entity.

(e) In the event an Individual makes a request under this Section IV directly to Business Associate, Business Associate will notify Covered Entity in writing of such request within three (3) business days and shall cooperate with, and act only at the direction of, Covered Entity in responding to such request.

‍

V. TERMINATION

This Agreement shall be effective as of the date first set forth above and shall terminate upon the earlier of (i) the termination of all agreements between the parties, and (ii) the termination by Covered Entity for cause as provided herein. Notwithstanding anything in this Agreement to the contrary, Covered Entity shall have the right to terminate this Agreement immediately if Covered Entity determines that Business Associate has violated any material term of this Agreement. If Covered Entity reasonably believes that Business Associate will violate a material term of this Agreement and, where practicable, Covered Entity gives written notice to Business Associate of such belief within a reasonable time after forming such belief,

and Business Associate fails to provide adequate written assurances to Covered Entity that it will not breach the cited term of this Agreement within a reasonable period of time given the specific circumstances, but in any event, before the threatened breach is to occur, then Covered Entity shall have the right to terminate this Agreement immediately.

‍

VI. MISCELLANEOUS

‍

Except as expressly stated herein or in the HIPAA Security and Privacy Rule, the parties to this Agreement do not intend to create any rights in any third parties. The obligations of Business Associate under this Agreement shall survive the expiration, termination, or cancellation of this Agreement and/or the Parties’ business relationship, and shall continue to bind Business Associate, its agents, employees, contractors, successors, and assigns as set forth herein.

‍

This Agreement may be amended or modified only in a writing signed by the Parties. No Party may assign its respective rights and obligations under this Agreement without the prior written consent of the other Party. None of the provisions of this Agreement are intended to create, nor will they be deemed to create any relationship between the Parties other than that of independent parties contracting with each other solely for the purposes of effecting the provisions of this Agreement and any other agreements between the Parties evidencing their business relationship.

‍

This Agreement will be governed by the laws of the State of California. No change, waiver, or discharge of any liability or obligation hereunder on any one or more occasions shall be deemed a waiver of performance of any continuing or other obligation, or shall prohibit enforcement of any obligation, on any other occasion.

‍

The parties agree that, in the event that any documentation of the arrangement pursuant to which Business Associate provides services to Covered Entity contains provisions relating to the use or disclosure of Protected Health Information that are more restrictive than the provisions of this Agreement, the more restrictive provisions will control. The provisions of this Agreement are intended to establish the minimum requirements regarding Business Associate’s use and disclosure of Protected Health Information.

‍

In the event that any provision of this Agreement is held by a court of competent jurisdiction to be invalid or unenforceable, the remainder of the provisions of this Agreement will remain in full force and effect. In addition, in the event a party believes in good faith that any provision of this Agreement fails to comply with the then-current requirements of the HIPAA Security and Privacy Rule, such party shall notify the other party in writing. For a period of up to thirty days, the parties shall address in good faith such concern and amend the terms of this Agreement, if necessary to bring it into compliance. If, after such thirty-day period, a party believes in good faith that the Agreement fails to comply with the HIPAA Security and Privacy Rule, then either party has the right to terminate upon written notice to the other party.