Preamble Business Associate Agreement
This Business Associate Agreement ("Agreement" or "BAA") is entered into as of [EFFECTIVE DATE] ("Effective Date"), by and between:
Covered Entity: [PRACTICE LEGAL NAME], a healthcare practice organized and operating under the laws of the State of [STATE], with its principal place of business at [PRACTICE ADDRESS] ("Covered Entity" or "CE"); and
Business Associate: Fonx Solutions LLC, a limited liability company organized under the laws of the State of Maryland, with its principal place of business in Maryland ("Business Associate" or "BA").
CE and BA are each referred to herein individually as a "Party" and collectively as the "Parties."
Recitals Background
WHEREAS, CE is a Covered Entity as that term is defined under the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations, as amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 (collectively, "HIPAA"), including without limitation 45 CFR Parts 160 and 164;
WHEREAS, CE has engaged BA to provide certain managed services, operational management, revenue cycle oversight, technology coordination, financial reporting, and related services (collectively, "Services") pursuant to a separate written Service Agreement (the "Service Agreement"), which may result in BA creating, receiving, maintaining, transmitting, or otherwise accessing Protected Health Information on behalf of CE;
WHEREAS, HIPAA requires CE to enter into a written agreement with BA that satisfies the requirements set forth in 45 CFR §§ 164.308(b)(3), 164.314(a), and 164.504(e) before permitting BA to perform functions or activities involving PHI on CE's behalf;
NOW, THEREFORE, in consideration of the mutual covenants and agreements contained herein and other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the Parties agree as follows:
01 Definitions
Unless otherwise defined herein, capitalized terms used in this Agreement shall have the same meaning as set forth in HIPAA. The following definitions apply:
1.1 Breach
"Breach" means the acquisition, access, use, or disclosure of Protected Health Information in a manner not permitted under 45 CFR Part 164, Subpart E, that compromises the security or privacy of the PHI, as further defined in 45 CFR § 164.402. A Breach excludes any unintentional acquisition, access, or use of PHI by a workforce member or person acting under the authority of BA or a Subcontractor if (a) such acquisition, access, or use was made in good faith and within the scope of authority; and (b) it does not result in further use or disclosure in a manner not permitted under Subpart E.
1.2 Business Associate
"Business Associate" has the meaning set forth in 45 CFR § 160.103. For purposes of this Agreement, Business Associate refers to Fonx Solutions LLC.
1.3 Covered Entity
"Covered Entity" has the meaning set forth in 45 CFR § 160.103. For purposes of this Agreement, Covered Entity refers to [PRACTICE LEGAL NAME].
1.4 Data Aggregation
"Data Aggregation" has the meaning set forth in 45 CFR § 164.501.
1.5 Designated Record Set
"Designated Record Set" has the meaning set forth in 45 CFR § 164.501.
1.6 Electronic Protected Health Information (ePHI)
"Electronic Protected Health Information" or "ePHI" means PHI that is transmitted by, or maintained in, electronic media as defined in 45 CFR § 160.103.
1.7 HITECH Act
"HITECH Act" means the Health Information Technology for Economic and Clinical Health Act, enacted as part of the American Recovery and Reinvestment Act of 2009 (Pub. L. 111-5), and implementing regulations.
1.8 Individual
"Individual" has the meaning set forth in 45 CFR § 160.103, and includes a person who qualifies as a personal representative under 45 CFR § 164.502(g).
1.9 Minimum Necessary
"Minimum Necessary" refers to the standard set forth in 45 CFR § 164.502(b) and § 164.514(d), requiring that access to PHI be limited to the minimum amount necessary to accomplish the intended purpose of the use, disclosure, or request.
1.10 Privacy Rule
"Privacy Rule" means the Standards for Privacy of Individually Identifiable Health Information at 45 CFR Part 160 and Part 164, Subparts A and E.
1.11 Protected Health Information (PHI)
"Protected Health Information" or "PHI" has the meaning set forth in 45 CFR § 160.103, limited to the PHI created, received, maintained, or transmitted by BA on behalf of CE. PHI includes ePHI. For avoidance of doubt, aggregate operational metrics (visit counts, no-show rates, denial rates) that neither identify any individual patient nor provide a reasonable basis to identify one (see 45 CFR § 164.514(a)) do not constitute PHI for purposes of this Agreement.
1.12 Required by Law
"Required by Law" has the meaning set forth in 45 CFR § 164.103.
1.13 Security Rule
"Security Rule" means the Security Standards for the Protection of Electronic Protected Health Information at 45 CFR Part 160 and Part 164, Subparts A and C.
1.14 Subcontractor
"Subcontractor" means any third party that creates, receives, maintains, or transmits PHI on BA's behalf in the course of performing services under this Agreement, as defined in 45 CFR § 160.103.
1.15 Unsecured PHI
"Unsecured PHI" has the meaning set forth in 45 CFR § 164.402: PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary in the guidance issued under section 13402(h)(2) of the HITECH Act (Pub. L. 111-5).
02 Permitted Uses and Disclosures by Business Associate
2.1 Scope of Permitted Uses
BA may use and disclose PHI only to the extent necessary to perform the Services set forth in the Service Agreement and as permitted or required by this Agreement, the Privacy Rule, and the Security Rule. BA shall not use or disclose PHI in any manner that would violate HIPAA if done by CE, except as permitted in Section 2.2 below, and in all cases subject to the Minimum Necessary standard in Section 2.3.
2.2 Specific Permitted Uses
In addition to any other uses or disclosures permitted by this Agreement, BA may:
- Use PHI internally for the proper management and administration of BA's business, provided such use is reasonably necessary to perform the Services;
- Disclose PHI for the proper management and administration of BA's business or to carry out BA's legal responsibilities, provided that (a) the disclosure is Required by Law, or (b) BA obtains reasonable assurances from the recipient that the PHI will be held confidentially, will be used or further disclosed only as Required by Law or for the purposes for which it was disclosed to the recipient, and that the recipient will notify BA of any instance of which it becomes aware in which the confidentiality of the PHI has been breached (45 CFR § 164.504(e)(4)(ii));
- Use PHI to provide Data Aggregation services to CE relating to CE's health care operations, as permitted under 45 CFR § 164.504(e)(2)(i)(B);
- Use PHI to report violations of law to appropriate Federal or State authorities, consistent with 45 CFR § 164.502(j)(1);
- De-identify PHI in accordance with 45 CFR § 164.514(b) and use or disclose such de-identified information for any lawful purpose.
2.3 Minimum Necessary Standard
BA shall, to the extent practicable, use, disclose, and request only the Minimum Necessary PHI needed to perform the Services. BA shall have in place policies and procedures that restrict access to PHI to those workforce members who need it to perform their job functions related to the Services.
2.4 Prohibited Uses
BA shall not:
- Use or disclose PHI for BA's own independent marketing purposes;
- Sell PHI, as that term is defined under 45 CFR § 164.502(a)(5)(ii);
- Use or disclose PHI in a manner that would violate Subpart E of 45 CFR Part 164 if done by CE;
- Use or disclose PHI except as permitted or required by this Agreement or as Required by Law.
03 Obligations and Activities of Business Associate
3.1 Limits on Use and Disclosure
BA shall not use or disclose PHI other than as permitted or required by this Agreement or as Required by Law.
3.2 Appropriate Safeguards
BA shall implement and maintain appropriate administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of ePHI that BA creates, receives, maintains, or transmits on behalf of CE, as required by the Security Rule (45 CFR Part 164, Subpart C). These safeguards include, without limitation:
- Administrative safeguards: A documented security management process, designated security official, workforce training, and contingency plan;
- Physical safeguards: Facility access controls and workstation and device controls to limit access to ePHI;
- Technical safeguards: Access controls (including unique user identification and encryption of ePHI at rest using AES-256 via Google Cloud infrastructure), audit controls, integrity controls, and transmission security (TLS encryption in transit), as set forth in 45 CFR § 164.312;
- Organizational safeguards: Role-based access controls limiting PHI access to workforce members whose job functions require it.
3.3 Reporting of Impermissible Uses, Disclosures, and Security Incidents
BA shall notify CE in writing of:
- Any use or disclosure of PHI not provided for by this Agreement of which BA becomes aware, without unreasonable delay and in no event later than five (5) business days after discovery;
- Any Security Incident (as defined in 45 CFR § 164.304) of which BA becomes aware, including attempted unauthorized access, within ten (10) business days of discovery. Notification of routine, unsuccessful Security Incidents (e.g., port scans, pings) may be provided in summary form on a quarterly basis;
- Any Breach of Unsecured PHI as required by 45 CFR § 164.410, without unreasonable delay and in no event later than thirty (30) calendar days after discovery of the Breach (a stricter deadline than the sixty (60) calendar days permitted by § 164.410(b)). Notice shall include, to the extent reasonably possible: (a) identification of each Individual whose Unsecured PHI has been, or is reasonably believed by BA to have been, accessed, acquired, used, or disclosed; (b) a description of the PHI involved; (c) a description of the Breach, including the date of the Breach and the date of its discovery, if known; (d) steps CE should take to protect itself and affected Individuals; and (e) steps BA is taking to investigate the Breach, mitigate harm, and protect against further Breaches.
3.4 Subcontractors and Agents
BA shall ensure that any Subcontractor that creates, receives, maintains, or transmits PHI on behalf of BA agrees to the same restrictions, conditions, and requirements that apply to BA under this Agreement, by entering into a written agreement that complies with 45 CFR §§ 164.308(b)(2) and (b)(3), 164.314(a)(2)(i)(B), and 164.504(e)(5). If BA knows of a pattern of activity or practice of a Subcontractor that constitutes a material breach of the Subcontractor's obligations, BA shall take reasonable steps to cure the breach or end the violation and, if such steps are unsuccessful, terminate the Subcontractor arrangement if feasible, as required by 45 CFR § 164.504(e)(1)(iii).
BA currently engages the following key Subcontractors that may process platform data: Google Firebase / Google Cloud (BAA in place); SendGrid (HIPAA plan required prior to live PHI processing); Anthropic (data processing terms to be confirmed prior to any PHI-adjacent AI processing). A current sub-processor list is maintained in BA's compliance documentation.
3.5 Access to PHI by Individuals
To the extent BA maintains PHI in a Designated Record Set, BA shall provide access to such PHI to CE or, as directed by CE, to the Individual, in a reasonable time and manner, as necessary to allow CE to satisfy its access obligations under 45 CFR § 164.524.
3.6 Amendment of PHI
To the extent BA maintains PHI in a Designated Record Set, BA shall make the PHI available to CE for amendment and shall incorporate any amendments to the PHI as directed by CE in accordance with 45 CFR § 164.526.
3.7 Accounting of Disclosures
BA shall document disclosures of PHI and information related to such disclosures as would be required for CE to respond to a request for an accounting of disclosures in accordance with 45 CFR § 164.528. BA shall make such documentation available to CE within fifteen (15) business days upon CE's request.
3.8 Access for Compliance Reviews
BA shall make its internal practices, books, and records relating to the use and disclosure of PHI received from, or created or received by BA on behalf of, CE available to CE and to the Secretary of the Department of Health and Human Services (or the Secretary's designee) for the purpose of determining CE's or BA's compliance with HIPAA, subject to applicable legal privileges.
3.9 HITECH Compliance
To the extent applicable, BA shall comply with the requirements of the HITECH Act relating to privacy and security of PHI, including without limitation the provisions applicable to Business Associates under Subtitle D of the HITECH Act, as if BA were a Covered Entity, as implemented through 45 CFR Parts 160 and 164.
04 Obligations of Covered Entity
4.1 Notice of Privacy Practices
CE shall notify BA of any limitations in its Notice of Privacy Practices pursuant to 45 CFR § 164.520 that would affect BA's use or disclosure of PHI, and of any changes to such Notice, to the extent such changes affect BA's permitted uses and disclosures.
4.2 Permissions and Restrictions
CE shall notify BA of any changes in, or revocation of, permission by an Individual to use or disclose PHI, to the extent that such changes affect BA's permitted uses and disclosures. CE shall notify BA of any restrictions on CE's use or disclosure of PHI that CE has agreed to or is required to abide by under 45 CFR § 164.522, to the extent such restrictions affect BA's permitted uses and disclosures.
4.3 Permissible Requests
CE shall not request BA to use or disclose PHI in any manner that would not be permissible under the Privacy Rule if done by CE, nor in a manner that violates this Agreement.
4.4 Minimum Necessary
CE shall not provide BA with access to PHI beyond the Minimum Necessary required for BA to perform the Services under the Service Agreement.
4.5 No Patient-Identifying Data in Platform Fields
CE shall not enter individual patient names, dates of birth, Social Security numbers, insurance member IDs, diagnosis codes tied to identifiable individuals, clinical notes, or other individually identifiable health information into the Fonx Intelligence Platform's free-text or data entry fields. The Platform is designed for aggregate operational and financial metrics only. CE acknowledges that entering patient-identifying PHI into Platform fields that are not designed for such data may constitute a use of the Platform outside its intended scope and that BA bears no liability for such unauthorized use.
Important: The Fonx Intelligence Platform captures aggregate data (visit counts, no-show rates, A/R metrics, financial reporting) at the practice level — it is NOT designed to store individual patient records, EHR data, or clinical information. CE should ensure that staff are trained on this limitation prior to Platform access.
05 Term and Termination
5.1 Term
This Agreement shall be effective as of the Effective Date and shall continue in full force and effect until the earlier of (a) termination of the Service Agreement, or (b) termination pursuant to this Section 5. This Agreement supersedes and replaces any prior business associate agreement between the Parties relating to the same subject matter.
5.2 Termination for Cause
Either Party may terminate this Agreement and the Service Agreement upon written notice if the other Party has materially breached any provision of this Agreement and has failed to cure such breach within thirty (30) calendar days after written notice specifying the breach; provided, however, that if cure of a material breach is not feasible within thirty (30) days, the non-breaching Party may terminate immediately upon written notice.
5.3 Termination upon Regulatory or Legal Obligation
Either Party may terminate this Agreement immediately if it determines, in good faith, that continued performance under this Agreement would violate applicable law or regulations.
5.4 Cure Where Termination Is Not Feasible
If termination of this Agreement is not feasible, the non-breaching Party shall take reasonable steps to cure the breach or end the violation, consistent with 45 CFR § 164.504(e)(1)(ii) (as to CE's obligations with respect to BA) and § 164.504(e)(1)(iii) (as to BA's obligations with respect to its Subcontractors). The Parties acknowledge that the 2013 Omnibus Final Rule removed from § 164.504(e)(1)(ii) the former requirement to report the violation to the Secretary when termination is not feasible; nothing in this Section prevents either Party from voluntarily making such a report.
5.5 Obligations Upon Termination
Upon termination of this Agreement for any reason, BA shall, at CE's election:
- Return PHI: Return to CE all PHI that BA or its Subcontractors maintain in any form within sixty (60) calendar days of the termination date; or
- Destroy PHI: Destroy all PHI that BA or its Subcontractors maintain in any form, retain no copies, and certify in writing to CE that such destruction has been completed within sixty (60) calendar days of the termination date.
If CE does not provide written notice of its election within thirty (30) days of termination, BA shall destroy all PHI. If it is not feasible to return or destroy PHI (e.g., PHI is commingled with non-PHI and cannot be separated without disproportionate effort), BA shall extend the protections of this Agreement to such PHI and limit further uses and disclosures to those purposes that make return or destruction infeasible, for as long as BA maintains such PHI.
5.6 Survival
The obligations of the Parties under this Agreement with respect to PHI that BA retains after termination shall survive termination of this Agreement.
06 Indemnification
Each Party ("Indemnifying Party") shall indemnify, defend, and hold harmless the other Party and its members, managers, officers, employees, and agents ("Indemnified Party") from and against any claims, losses, damages, penalties, fines, liabilities, costs, and expenses (including reasonable attorneys' fees) arising out of or relating to the Indemnifying Party's material breach of this Agreement or violation of HIPAA. This indemnification obligation is subject to and limited by the liability limitations set forth in the Service Agreement.
The indemnification provisions of the Service Agreement shall apply with respect to any breach of this BAA. In the event of conflict between indemnification terms in this BAA and the Service Agreement, the Service Agreement controls as to scope of liability and damage caps.
07 Miscellaneous
7.1 Amendment
The Parties agree to amend this Agreement to the extent necessary to comply with any changes in HIPAA, the HITECH Act, or applicable law. Any amendment must be in writing and signed by authorized representatives of both Parties. BA will provide CE with at least thirty (30) days' advance notice of any required amendment, except where the amendment is required on a shorter timeline by law.
7.2 Interpretation
This Agreement shall be interpreted in a manner consistent with HIPAA and applicable guidance issued by the Department of Health and Human Services. Any ambiguity in this Agreement shall be resolved to permit the Parties to comply with HIPAA. In the event of a conflict between this Agreement and the Service Agreement, this BAA shall control with respect to matters governed by HIPAA; the Service Agreement shall control with respect to all other matters.
7.3 Regulatory References
Any reference in this Agreement to a section in HIPAA means the section currently in effect or its successor provision, including any amendments thereto.
7.4 No Third-Party Beneficiaries
Nothing express or implied in this Agreement is intended to confer, nor shall anything herein confer, upon any person other than the Parties any rights, remedies, obligations, or liabilities whatsoever, including any right to sue for breach of this Agreement.
7.5 Severability
If any provision of this Agreement is held invalid or unenforceable by a court of competent jurisdiction, the remainder of this Agreement shall remain valid and in full force and effect. In such case, the Parties shall amend this Agreement to give effect to the original intent of the Parties to the fullest extent possible.
7.6 Entire Agreement
This Agreement, together with the Service Agreement, constitutes the entire agreement of the Parties regarding the use and disclosure of PHI, and supersedes all prior oral or written agreements between the Parties on this subject. Except as expressly set forth herein, no modification or waiver of any provision of this Agreement shall be valid unless set forth in a writing signed by both Parties.
7.7 Governing Law
This Agreement shall be governed by and construed in accordance with the laws of the State of Maryland, without giving effect to any conflict of law principles. Any disputes arising under this Agreement shall be resolved in the federal or state courts located in Maryland, and the Parties hereby consent to personal jurisdiction and venue in such courts.
7.8 Counterparts; Electronic Signatures
This Agreement may be executed in one or more counterparts, each of which shall be deemed an original, and all of which, when taken together, shall constitute one and the same instrument. Electronic signatures (including signatures via DocuSign or similar platforms) shall be deemed original signatures for all purposes.
7.9 Notices
All notices, requests, and other communications under this Agreement shall be in writing and delivered by email with confirmation of receipt, overnight courier, or certified mail to:
- If to CE: [PRACTICE LEGAL NAME], Attn: [PRACTICE PRIVACY OFFICER NAME AND TITLE], [PRACTICE ADDRESS], Email: [PRACTICE PRIVACY OFFICER EMAIL]
- If to BA: Fonx Solutions LLC, Attn: Jessica Tran, Owner, Email: info@fonxsolutions.com, Phone: 301-276-5940
08 Signatures
IN WITNESS WHEREOF, the Parties have executed this Business Associate Agreement as of the Effective Date.
Covered Entity — Healthcare Practice
Business Associate — Fonx Solutions LLC
Before Signing: Ensure that (1) a Service Agreement is already in place between the Parties; (2) all [BRACKET] placeholders have been completed; (3) this Agreement has been reviewed by qualified legal counsel; and (4) any required sub-processor BAAs (Google Cloud, SendGrid HIPAA plan, Anthropic) are in place before any PHI-adjacent data is processed on the Platform.