Business Associate Agreement

Last Updated: May 12, 2023

THIS BUSINESS ASSOCIATE AGREEMENT (this “BAA”) is by and between the Customer accepting an Underlying Agreement (as defined below and which includes the VerifyTX software-as-a-service (SAAS) Terms of Service), which references and incorporates this BAA (“Covered Entity”) and SYSTEMSTX LLC, a Florida limited liability company (“Business Associate”) effective on even date of the Underlying Agreement (the “Effective Date”). Covered Entity and Business Associate are sometimes referred to herein as a “Party” or collectively as the “Parties.”

RECITALS

WHEREAS, Covered Entity and Business Associate have entered into an arrangement, and may in the future enter into additional arrangements (collectively, the “Underlying Agreements”) pursuant to which Business Associate performs functions on behalf of or provides certain services to Covered Entity or for its patients, clients or customers; and

WHEREAS, the Underlying Agreements may from time to time require the receipt, Use and/or Disclosure of Protected Health Information (“PHI”); and

WHEREAS, Covered Entity and Business Associate acknowledge that each Party has obligations to maintain the privacy and security of PHI under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), as amended from time to time, and its implementing regulations, 45 C.F.R. Parts 160 and 164, and as amended by the Health Information Technology for Economic and Clinical Health Act (“HITECH”), and may have additional obligations under legislation or rules passed, enacted, or promulgated in the future relating to the privacy and security of PHI (collectively, “HIPAA Rules”); and

WHEREAS, the Parties intend this BAA to satisfy the requirements for a written agreement pursuant to the HIPAA Rules and the Federal Confidentiality of Alcohol and Drug Abuse Patient Records law and regulations, 42 U.S.C. §290dd-2 and 42 C.F.R. Part 2 (“42 C.F.R. Part 2”), if applicable.

NOW THEREFORE, in consideration of the mutual promises and conditions contained herein, and for other good and valuable consideration, the Parties agree as follows:

SECTION 1

Definitions

  1. Business Associate. “Business Associate” shall have the same meaning as the term “business associate” at 45 CFR 160.103, and in reference to the party to this BAA, shall mean SystemsTX LLC.
  1. Covered Entity. “Covered Entity” shall generally have the same meaning as the term “covered entity” at 45 CFR 160.103, and in reference to the party to this BAA, shall mean the entity identified as the Covered Entity in the signature block below.
  1. QSO. “QSO” shall mean a Qualified Service Organization as defined by 42 C.F.R. Part 2.
  1. Unless otherwise provided in this BAA, capitalized terms, including the following: Breach, Data Aggregation, Designated Record Set, Disclosure, Health Care Operations, Individual, Minimum Necessary, Part 2 program, Protected Health Information, Required by Law, Secretary, Security Incident, Subcontractor, Unsecured PHI, and Use shall have the same meaning as those terms in the HIPAA Rules or 42 C.F.R. Part 2, as applicable.

SECTION 2

Effect and Interpretation

The provisions of this BAA apply to the Use or Disclosure of any PHI by the Parties under the BAA. In the event of any conflict or inconsistency between the Underlying Agreements and this BAA concerning the Use or Disclosure of PHI, the terms of this BAA will prevail unless the Parties mutually agree that the applicable terms of the Underlying Agreements would be more protective of PHI. The provisions of this BAA are intended in their totality to comply with the HIPAA Rules as they concern Business Associate Agreements. The provisions of the Underlying Agreements will remain in full force and effect and are supplemented by this BAA only to the extent necessary to effectuate the provisions set forth herein.

SECTION 3

Obligations and Activities of Business Associate

  1. Business Associate will comply with the HIPAA Rules, including those that impose certain administrative, physical, and technical safeguards, including policy, procedure, and documentation requirements to protect the confidentiality, integrity, and availability of the PHI that it creates, receives, maintains, or transmits on behalf of Covered Entity as required by HIPAA Rules.
  1. Business Associate will not Use or Disclose PHI, other than as permitted or required by this BAA, the Underlying Agreements, or as Required by Law.
  1. Business Associate will use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to electronic PHI, to prevent Use or Disclosure of PHI other than as provided for by this BAA.
  1. Business Associate will mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a Use or Disclosure of PHI by Business Associate in violation of the requirements of this BAA, the Underlying Agreements, and/or HIPAA Rules.
  1. Business Associate will report to Covered Entity any Use or Disclosure of PHI not provided for by this BAA of which it becomes aware, including Breaches of Unsecured PHI as required at 45 CFR 164.410, within ten (10) days of Business Associate’s discovery of such unauthorized Use and/or Disclosure. Such notice will include the information required for Covered Entity to report the Breach to the extent reasonably known, including identification of each Individual whose Unsecured PHI has been, or is reasonably believed by Business Associate to have been, accessed, acquired, or disclosed, a brief description of what happened, including the date of the Breach and the date of the discovery of the Breach, if known, and a description of the types of PHI that were involved in the Breach in accordance with HIPAA Rules.
  1. Business Associate will report to Covered Entity any successful Security Incident as soon as practicable but no later than five (5) days after Business Associate becomes aware of such Security Incident. Upon Covered Entity’s request, Business Associate will report any attempted but unsuccessful Security Incident of which Business Associate becomes aware. If the HIPAA Rules are amended to remove the requirement to report unsuccessful attempts at unauthorized access, the requirement hereunder to report such unsuccessful attempts will no longer apply as of the effective date of the amendment. A Security Incident that results in a Breach of Unsecured PHI shall be reported to the Covered Entity as described in paragraph (E) of this Section.

Notwithstanding the foregoing, the parties agree to the following reporting procedure for Security Incidents that do not result in unauthorized access, use, disclosure, modification, destruction of information, or interference with system operations (“Unsuccessful Security Incidents”). For Unsuccessful Security Incidents, the parties agree that this paragraph constitutes notice of such Unsuccessful Security Incidents. By way of example, the parties consider the following to be illustrative of Unsuccessful Security Incidents when they do not result in actual unauthorized access, use, disclosure, modification, destruction of electronic PHI, or interference with an information system: (i) pings on firewall; (ii) port scans; (iii) attempts to log on to a system or enter a database with an invalid password or username; (iv) denial-of-service attacks that do not result in a server being taken off-line; and (v) malware (worms, viruses, etc.).

  1. Business Associate will ensure that any Subcontractors that create, receive, maintain, or transmit PHI on behalf of the Business Associate agree in writing to privacy and security restrictions and conditions at least as stringent as those that govern Business Associate under this BAA with respect to such information.
  1. In the event that Business Associate maintains PHI in a Designated Record Set, Business Associate will make available PHI in a Designated Record Set, within ten (10) days of Covered Entity’s request and in the manner requested, to Covered Entity, or as directed by Covered Entity to an Individual, in order to meet the requirements under 45 C.F.R. §164.524. If a request for access to PHI from an Individual is sent directly to Business Associate, such request will be forwarded immediately to Covered Entity.
  1. In the event that Business Associate maintains PHI in a Designated Record Set, Business Associate will make any amendment(s) to PHI in its possession contained in a Designated Record Set that Covered Entity directs or agrees to pursuant to 45 C.F.R. §164.526 at the request of Covered Entity or an Individual, and in the time and manner designated by Covered Entity. If Business Associate receives a request by an Individual for amendment(s) to PHI in accordance with 45 C.F.R. §164.526, Business Associate will immediately forward such request to Covered Entity.
  1. Business Associate will document and maintain Disclosures of PHI, including the date of the Disclosure, the name and address of the entity or person who received the PHI, a brief description of the PHI disclosed, a brief statement of the purpose of the Disclosure, and any other information related to such Disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of Disclosures of PHI in accordance with HIPAA Rules. The Business Associate will provide to Covered Entity information required to provide an accounting of Disclosures to the Covered Entity as reasonably necessary to satisfy Covered Entity’s obligations under 45 CFR 164.528 within ten (10) days of receipt of a request by Covered Entity or an Individual.
  1. To the extent the Business Associate is to carry out one or more of Covered Entity’s obligation(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation(s); and
  1. Business Associate will make internal practices, books, and records, including policies and procedures, relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of Covered Entity available to the Secretary within normal business hours and in the manner designated by the Secretary, for purposes of the Secretary determining Covered Entity’s and Business Associate’s compliance with the HIPAA Rules.

SECTION 4

Permitted Uses and Disclosures by Business Associate

  1. Except as otherwise described in this BAA, Business Associate may only use or disclose PHI to perform functions, activities, or services for, or on behalf of, Covered Entity as necessary to perform the services specified in the Underlying Agreements.
  1. Business Associate may de-identify PHI pursuant to 45 CFR 164.514(a)-(c) as needed to perform functions, activities, or services for, or on behalf of, Covered Entity as necessary to perform the services specified in the Underlying Agreements.
  1. Business Associate may Use or Disclose PHI as Required by Law.
  1. Business Associate agrees to Use or Disclose the minimum amount of PHI necessary to accomplish the intended purpose of the Use or Disclosure.
  1. Business Associate may not use or disclose PHI in a manner that would violate Subpart E of 45 CFR Part 164 if done by Covered Entity except for the specific uses and disclosures set forth below.
  1. Business Associate may disclose PHI for the proper management and administration of Business Associate or to carry out the legal responsibilities of the Business Associate, provided that Disclosures are Required by Law or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as Required by Law or for the purpose for which it was disclosed to the person, and the person notifies Business Associate, in writing, within ten (10) days of becoming aware of any instances in which the confidentiality of the information has been Breached.
  1. Business Associate may Use PHI to report violations of law to appropriate federal and state authorities, consistent with 45 C.F.R. §164.502(j)(1).
  1. Except as otherwise provided in this BAA, Business Associate may use PHI to provide data aggregation services as permitted by 45 C.F.R. § 164.504(e)(2)(i)(B). Except as otherwise provided in this BAA, Business Associate may use PHI to create de-identified data and limited data sets, each as defined under HIPAA, for the express purpose of improving Business Associate’s Products, Services and Practice Portal (each as defined in the Underlying Agreement). Business Associate may further use and disclose such limited data sets for the same purpose, provided Business Associate, as an agent for the Covered Entity, enters into a data use agreement that satisfies HIPAA requirements concerning limited data sets with each recipient of a limited data set.
  1. Except as otherwise limited in this BAA, Business Associate may use and disclose Protected Health Information for the proper management and administration of the Business Associate and to carry out the legal responsibilities of Business Associate, provided that any such disclosures are permitted or Required by Law, or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as permitted Required by Law or for the purpose for which it was disclosed to the person, and the person notifies the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.
  1. On behalf of Covered Entity, Business Associate may use and disclose PHI for purposes set forth in 45 C.F.R. § 164.512.

SECTION 5

Obligations of Covered Entity

  1. Covered Entity will notify Business Associate of any changes in, or revocation of, permission by Individual to use or disclose PHI, pursuant to 45 C.F.R. §164.508, to the extent that such changes may affect Business Associate’s Use or Disclosure of PHI.
  1. Covered Entity will notify Business Associate in writing, in a timely manner, of any restriction to the use or disclosure of PHI that Covered Entity has agreed to in accordance with HIPAA Rules, to specifically include 45 CFR §164.522, to the extent that such restriction may affect Business Associate’s Use or Disclosure of PHI.
  1. Covered Entity will not request Business Associate to use or disclose PHI in any manner that would not be permissible under HIPAA if done by Covered Entity.
  1. Covered Entity represents and warrants that it will comply with HIPAA as amended.

SECTION 6

Term and Termination

  1. Term. This BAA commences on the Effective Date and terminates in accordance with the terms of this Section 6.
  1. Termination of Underlying Agreements. Upon the termination of all Underlying Agreements, either Party may terminate this BAA by providing written notice to the other Party.
  1. Termination for Cause. Upon Covered Entity’s or Business Associate’s knowledge of a pattern of activity or a practice that constituted a material breach by the other Party, the non-breaching Party may immediately terminate this BAA and any Underlying Agreements, or in the non-breaching Party’s sole discretion, may provide an opportunity for the breaching Party to cure the breach. If an opportunity to cure the breach is provided, and the breaching Party does not cure the breach within thirty (30) days, the non-breaching Party shall terminate this BAA and the Underlying Agreements if feasible.
  1. Effect of Termination. Except as provided in Section 6(E), upon termination of this BAA for any reason, Business Associate, with respect to PHI received from Covered Entity, or created, maintained, or received by Business Associate on behalf of Covered Entity, shall:
     1. Retain only that PHI which is necessary for Business Associate to continue its proper management and administration or to carry out its legal responsibilities;
     1. Return to Covered Entity or, if agreed to by Covered Entity, destroy the remaining PHI that the Business Associate still maintains in any form;
     1. Continue to use appropriate safeguards and comply with Subpart C of 45 CFR Part 164 with respect to electronic PHI to prevent Use or Disclosure of the PHI, other than as provided for in this Section, for as long as Business Associate retains the PHI.
     1. Not use or disclose the PHI retained by Business Associate other than for the purposes for which such PHI was retained and subject to the same conditions which applied prior to termination; and
     1. Return to Covered Entity or, if agreed to by Covered Entity, destroy the PHI retained by Business Associate when it is no longer needed by Business Associate for its proper management and administration or to carry out its legal responsibilities. This Section 6(D) applies to PHI that is in the possession of subcontractors or agents of Business Associate. Neither Business Associate nor subcontractors or agents of Business Associate will retain any copies of the PHI.
  1. In the event Business Associate determines that returning or destroying the PHI is infeasible, Business Associate will extend the protections of this BAA to such PHI and limit further Uses or Disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such PHI. If it is infeasible for Business Associate to obtain from a Subcontractor or agent any PHI in the possession of the Subcontractor or agent, Business Associate will require the Subcontractors and agents to agree to extend any and all protections, limitations, and restrictions contained in their written agreement with Business Associate to the Subcontractors’ and/or agents’ Use and/or Disclosure of any PHI retained after the termination of this BAA, and to limit any further Uses and/or Disclosures to the purposes that make the return or destruction of the PHI infeasible for so long as the subcontractor or agent maintains such PHI.
  1. Survival. The Parties’ obligations under this Section 6 shall survive the termination of this BAA.

SECTION 7

Responsibilities of Qualified Service Organization

  1. To the extent that Covered Entity operates a drug and alcohol treatment program (Part 2 program) pursuant to 42 C.F.R. Part 2 and Business Associate is considered a QSO, with access to protected substance abuse treatment information, Business Associate agrees to the following:
     1. In receiving, storing, processing or otherwise dealing with any protected substance abuse information from Covered Entity, Business Associate is fully bound by the provisions of the federal regulations governing Confidentiality of Alcohol and Drug Abuse Patient Records, 42 C.F.R. Part 2.
     1. If necessary, Business Associate will resist in judicial proceedings any efforts to obtain access to protected substance abuse information unless access is expressly permitted under 42 C.F.R. Part 2.
     1. Business Associate acknowledges that any unauthorized disclosure of information under this section is a federal criminal offense.

SECTION 8

Miscellaneous

  1. Penalties. Business Associate acknowledges that civil and criminal penalties for violation of HIPAA Rules apply to Business Associate in the same manner as they apply to Covered Entity.
  1. Title. Business Associate acknowledges and agrees that it acquires no title or rights to the PHI, including any de-identified information, as a result of this BAA.
  1. Regulatory References. A reference in this BAA to a section of HIPAA or 42 C.F.R. Part 2 means the section as in effect or as amended.
  1. Preemption. In the event of an inconsistency between the provisions of this BAA and mandatory provisions of the Privacy Standards, Security Standards, HIPAA or 42 C.F.R. Part 2, as amended, the Privacy Standards, Security Standards, HIPAA and 42 C.F.R. Part 2 shall control. In the event of an inconsistency between the provisions of the Privacy Standards, Security Standards, HIPAA, 42 C.F.R. Part 2 and other applicable confidentiality laws, the provisions of the more restrictive rule will control.
  1. Amendment. The Parties agree to take such action as is necessary to amend this BAA from time to time as is necessary for Covered Entity to comply with the requirements of the Privacy Standards, Security Standards, HIPAA, 42 C.F.R. Part 2 and any future regulations, statutes or other guidance concerning HIPAA or 42 C.F.R. Part 2 that may affect this BAA.
  1. Interpretation. Any ambiguity in this BAA will be resolved to permit the Parties to comply with HIPAA Rules and 42 C.F.R. Part 2.
  1. Waiver. No provision of this BAA may be waived except by an agreement in writing signed by the waiving Party, and the failure of either Party to insist on the strict performance of any term or condition in this BAA, or to exercise any option in this BAA, will not be construed as a waiver of such term, condition, or option in any other instance.
  1. Choice of Law and Jurisdiction. This BAA will be governed by and construed in accordance with the laws of the State of Florida, without regard to choice of law rules.
  1. Entire Agreement. This BAA constitutes the entire agreement between the Parties with respect to the subject matter hereof and supersedes all prior oral or written agreements, commitments, or understandings with respect thereto. In the event of a conflict between the terms and conditions of this BAA and the Underlying Agreements or any related exhibits, the terms of this BAA take precedence and control over those of the Underlying Agreements and exhibits, unless otherwise agreed to in writing by all Parties.
  1. Assignment. Covered Entity has entered into this BAA in specific reliance on the expertise and qualifications of Business Associate. Consequently, Business Associate’s interest under this BAA may not be transferred or assigned or assumed by any other person, in whole or in part, without the prior written consent of Covered Entity; provided that Business Associate may assign this BAA without the consent of Covered Entity as part of a corporate reorganization, consolidation, merger, or sale of all or substantially all of its assets or business to which this BAA relates.
  1. Severability. Whenever possible, each provision of this BAA will be interpreted so as to be effective and valid under applicable law. If any provision of this BAA should be prohibited or found invalid under applicable law, such provision is ineffective to the extent of such prohibition or invalidity without invalidating the other remaining provisions of this BAA; provided, however, that if any such invalid provision is material, then such Party may terminate the BAA upon thirty (30) days’ prior written notice to the other Party.
  1. Headings. The paragraph headings are for convenience only and are not to be construed to define, modify, expand, or limit the terms and provisions of this BAA.
  1. Authority. The individual(s) signing this BAA on behalf of Covered Entity and on behalf of Business Associate are duly authorized representatives of the respective Parties with full power and authority to execute this BAA on behalf of Covered Entity and Business Associate.
  1. Notices. All notices, requests, demands and other communications that are required to be given, or may be given, under this BAA will be in writing and will be deemed to have been duly given when: received, if personally delivered; the day after it is sent, if sent by recognized expedited delivery service; and three (3) days after it is sent, if mailed, first class mail, postage prepaid, return receipt requested. Notices to Covered Entity will go to Covered Entity’s address on record in Business Associate’s account information. Notices to Business Associate will be sent to SystemsTX LLC, 601 N. Congress Ave., Ste. 415, Delray Beach, FL 33445, ATTN: Manager. The Parties may change their address by notice in writing to the other Party.
  1. Third-Party Beneficiaries. This BAA is solely for the benefit of the Parties hereto and will in no way be construed to entitle any other third party to any compensation or benefit, does not create any third-party beneficiaries, and does not confer any rights or remedies upon any person or entity other than the Parties and their respective successors and permitted assigns.