EasyMindCare Business Associate Agreement (BAA)

Last Updated: January 15, 2025

This Business Associate Agreement ("BAA") supplements and is made part of the EasyMindCare Terms of Service (the "Agreement") by and between EasyMindCare ("Business Associate") and the healthcare provider or practice utilizing the Service ("Covered Entity").

The purpose of this BAA is to comply with the requirements of the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), the Health Information Technology for Economic and Clinical Health Act ("HITECH"), and their implementing regulations (collectively, the "HIPAA Rules").

1. Definitions

Unless otherwise defined in this BAA, capitalized terms shall have the same meaning as those terms in the HIPAA Rules.

"Protected Health Information" (PHI) means individually identifiable health information created, received, maintained, or transmitted by Business Associate on behalf of Covered Entity.

"Security Incident" means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.

2. Obligations of Business Associate

Business Associate agrees to:

  • a. Use and Disclosure: Not use or disclose PHI other than as permitted or required by the Agreement, this BAA, or as Required by Law.
  • b. Safeguards: Use appropriate administrative, physical, and technical safeguards, and comply with the HIPAA Security Rule with respect to electronic PHI, to prevent use or disclosure of PHI other than as provided for by this BAA.
  • c. Reporting: Report to Covered Entity any use or disclosure of PHI not provided for by this BAA of which it becomes aware, including breaches of unsecured PHI as required by 45 CFR § 164.410, and any Security Incident of which it becomes aware.
  • d. Subcontractors: Ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of the Business Associate agree to the same restrictions, conditions, and requirements that apply to the Business Associate with respect to such information.
  • e. Access: Make available PHI in a designated record set to the Covered Entity as necessary to satisfy Covered Entity's obligations under 45 CFR § 164.524.
  • f. Amendment: Make any amendment(s) to PHI in a designated record set as directed or agreed to by the Covered Entity pursuant to 45 CFR § 164.526.
  • g. Accounting of Disclosures: Maintain and make available the information required to provide an accounting of disclosures to the Covered Entity as necessary to satisfy Covered Entity's obligations under 45 CFR § 164.528.
  • h. HHS Audits: Make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of the Department of Health and Human Services (HHS) for purposes of determining compliance with the HIPAA Rules.

3. Permitted Uses and Disclosures by Business Associate

  • a. Service Provision: Business Associate may use or disclose PHI as necessary to perform the services set forth in the Terms of Service.
  • b. Management and Administration: Business Associate may use or disclose PHI for its proper management and administration or to carry out its legal responsibilities, provided that disclosures are Required by Law, or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and be used or further disclosed only as Required by Law or for the purpose for which it was disclosed.
  • c. Data Aggregation: Business Associate may use PHI to provide Data Aggregation services relating to the health care operations of the Covered Entity as permitted by 45 CFR § 164.504(e)(2)(i)(B).
  • d. De-identification: Business Associate may de-identify any and all PHI in accordance with 45 CFR § 164.514(b).

4. Obligations of Covered Entity

Covered Entity agrees to:

  • a. Notifications: Notify Business Associate of any limitations in its notice of privacy practices, changes in or revocation of permission by an individual to use or disclose PHI, or any restriction on the use or disclosure of PHI that Covered Entity has agreed to, to the extent that such changes may affect Business Associate's use or disclosure of PHI.
  • b. Permissible Requests: Not request Business Associate to use or disclose PHI in any manner that would not be permissible under the HIPAA Rules if done by Covered Entity.

5. Term and Termination

  • a. Term: This BAA shall become effective on the date Covered Entity accepts the Terms of Service and begins utilizing the platform. It shall terminate when all PHI is destroyed or returned to the Covered Entity.
  • b. Termination for Cause: Upon Covered Entity's knowledge of a material breach of this BAA by Business Associate, Covered Entity may terminate this BAA and the underlying Service Agreement upon thirty (30) days written notice, provided Business Associate fails to cure the breach within that time frame.
  • c. Effect of Termination: Upon termination of this BAA for any reason, Business Associate shall, if feasible, return or destroy all PHI received from Covered Entity. If return or destruction is not feasible, Business Associate shall extend the protections of this BAA to the retained PHI and limit further uses and disclosures to those purposes that make the return or destruction unfeasible.

6. Miscellaneous

  • a. Regulatory References: A reference in this BAA to a section in the HIPAA Rules means the section as in effect or as amended.
  • b. Amendment: The Parties agree to take such action as is necessary to amend this BAA from time to time as is necessary for compliance with the requirements of the HIPAA Rules and any other applicable law.
  • c. Interpretation: Any ambiguity in this BAA shall be interpreted to permit compliance with the HIPAA Rules.