Business Associate Agreement

Last updated: June 2, 2026

This Business Associate Agreement (“BAA”) is incorporated into and made part of the Master Services Agreement (“MSA”) and any applicable Statements of Work (“SOWs”) between the parties.

Purpose

The parties enter into this Business Associate Agreement (“BAA”) to comply with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the Health Information Technology for Economic and Clinical Health Act (“HITECH”), and all related regulations.

The parties acknowledge that Business Associate may create, receive, maintain, or transmit Protected Health Information (“PHI”) on behalf of Covered Entity while providing services.

Definitions

Terms used in this Agreement shall have the meanings assigned under HIPAA and HITECH, including:

  • Protected Health Information (“PHI”)
  • Electronic Protected Health Information (“ePHI”)
  • Breach
  • Security Incident
  • Covered Entity
  • Business Associate
  • Unsecured Protected Health Information

Permitted Uses and Disclosures

Business Associate may use and disclose PHI solely:

  • To perform services for Covered Entity.
  • For proper management and administration of Business Associate.
  • To carry out legal responsibilities of Business Associate.
  • As required by law.

Business Associate shall not use or disclose PHI in any manner that would violate HIPAA if performed by Covered Entity.

Safeguards

Business Associate shall:

  • Implement reasonable and appropriate administrative, technical, and physical safeguards to protect PHI.
  • Comply with applicable HIPAA Security Rule requirements.
  • Protect against reasonably anticipated threats to the confidentiality, integrity, and availability of PHI.
  • Limit workforce access to PHI to those individuals who require access to perform authorized services.
  • Maintain appropriate policies regarding the protection of PHI.

Reporting

Business Associate shall report to Covered Entity:

  • Any use or disclosure of PHI not permitted by this Agreement.
  • Any Security Incident involving PHI.
  • Any Breach of Unsecured PHI.

Business Associate shall provide such notice without unreasonable delay and no later than thirty (30) days after discovery.

Subcontractors

Business Associate may engage subcontractors or service providers in connection with Services.

Business Associate shall require any subcontractor that creates, receives, maintains, or transmits PHI on behalf of Business Associate to agree in writing to restrictions and safeguards substantially similar to those contained in this Agreement.

Examples may include:

  • Hosting providers
  • Cloud storage providers
  • Email service providers
  • CRM providers
  • Marketing automation platforms
  • Analytics providers

Access, Amendment, and Accounting

To the extent required by HIPAA and applicable to the Services provided:

  • Business Associate shall provide access to PHI maintained in a Designated Record Set.
  • Business Associate shall make requested amendments to PHI.
  • Business Associate shall provide information necessary for Covered Entity to respond to requests for an accounting of disclosures.

Business Associate shall not be required to create information that does not otherwise exist.

Availability of Records

Business Associate shall make its internal practices, books, records, and policies relating to the use and disclosure of PHI available to the Secretary of the United States Department of Health and Human Services for purposes of determining HIPAA compliance.

Minimum Necessary Standard

Business Associate shall make reasonable efforts to limit uses, disclosures, and requests for PHI to the minimum necessary information required to accomplish the intended purpose.

Ownership of PHI

All PHI remains the property of Covered Entity.

Nothing in this Agreement grants Business Associate any ownership rights in PHI.

Return or Destruction of PHI

Upon termination of Services involving PHI, Business Associate shall, where feasible:

  • Return PHI to Covered Entity; or
  • Destroy PHI.

If return or destruction is not feasible, Business Associate shall continue to protect such information and limit further use and disclosure as required by HIPAA.

Business Associate may retain archival backup copies maintained through routine backup processes until overwritten or deleted in accordance with standard retention practices.

Term and Termination

This Agreement shall remain in effect for as long as Business Associate maintains PHI on behalf of Covered Entity.

Covered Entity may terminate this Agreement upon written notice if Business Associate materially breaches this Agreement and fails to cure such breach within thirty (30) days.

If termination is not feasible, Covered Entity may report the violation to the Secretary of Health and Human Services.

Limitation of Scope

The parties acknowledge that Business Associate provides marketing, consulting, website development, website support, advertising management, content creation, email marketing, analytics, and related services.

Business Associate is not responsible for:

  • Clinical operations
  • Patient treatment
  • Medical record management
  • HIPAA compliance programs of Covered Entity
  • Compliance decisions made by Covered Entity

Covered Entity remains solely responsible for its own HIPAA compliance obligations.

Limitation of Liability

To the maximum extent permitted by law:

  • Neither party shall be liable for indirect, incidental, consequential, punitive, or special damages.
  • Business Associate’s aggregate liability arising from this Agreement shall be limited to the liability cap set forth in the Master Services Agreement.
  • Nothing in this section limits liability for violations of law that cannot legally be limited by contract.

Relationship to MSA

Except as expressly modified by this BAA, all terms of the Master Services Agreement remain in full force and effect.

In the event of a conflict between this BAA and the MSA, this BAA shall control solely with respect to PHI and HIPAA-related matters.

Governing Law

This Agreement shall be governed by the laws of the State of South Carolina, except to the extent preempted by federal law.

Sign This Agreement

By submitting this form, you acknowledge that you have read, understood, and agree to the terms above. A copy of this agreement will be sent to your email address.
