Legal & Governing Documents

Business Associate Agreement

DadOfTheClan Consulting Group, LLC executes a Business Associate Agreement with all healthcare clients whose engagements involve access to or handling of Protected Health Information under HIPAA.


Template Reviewed: March 1, 2026

Governing Regulation: 45 C.F.R. Parts 160 & 164

Execution: Upon Client Request

Ready to Execute a BAA?

If you are a covered entity or business associate requiring a signed BAA prior to or as part of your engagement, contact us directly. We will initiate the process and have an executed agreement in place before any PHI is accessed or handled.

What a BAA Means for Your Practice

Under the Health Insurance Portability and Accountability Act (HIPAA), covered entities — including healthcare providers, health plans, and healthcare clearinghouses — are required to execute a Business Associate Agreement with any vendor that creates, receives, maintains, or transmits Protected Health Information on their behalf.

As a technology consulting firm providing infrastructure management, monitoring, backup, and support services to healthcare clients, DadOfTheClan may qualify as a Business Associate under HIPAA. A signed BAA ensures both parties understand their obligations, your PHI is handled in compliance with the HIPAA Security and Privacy Rules, and your practice is protected in the event of an audit or incident.

Covered Entities

Hospitals, clinics, physician practices, dental offices, mental health providers, and any other entity that transmits health information electronically in connection with covered transactions.

Business Associates

Entities that perform functions or activities on behalf of a covered entity that involve the use or disclosure of PHI — including IT vendors, managed service providers, and cloud service providers.

Subcontractors

Where DadOfTheClan engages subcontractors or infrastructure providers that may have access to PHI, those relationships are governed by equivalent BAA obligations passed down in accordance with the HIPAA Omnibus Rule.

Template Notice

The agreement below is DadOfTheClan's standard BAA template. Executed agreements are completed with the covered entity's legal name, effective date, and authorized signatures. Clients with specific requirements may request modifications prior to execution. Nothing below constitutes a legally binding agreement until signed by both parties.

BUSINESS ASSOCIATE AGREEMENT

Between [Covered Entity Legal Name] and DadOfTheClan Consulting Group, LLC

This Business Associate Agreement ("Agreement") is entered into as of [Effective Date] ("Effective Date") by and between:

[Covered Entity Legal Name], a [entity type] organized under the laws of [state], with its principal place of business at [address] (hereinafter "Covered Entity"); and

DadOfTheClan Consulting Group, LLC, a Michigan limited liability company with its principal place of business at Coldwater, Michigan (hereinafter "Business Associate").

Recitals

Covered Entity is a covered entity as defined under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and the regulations promulgated thereunder, including the HIPAA Privacy Rule (45 C.F.R. Part 164, Subparts A and E), the HIPAA Security Rule (45 C.F.R. Part 164, Subparts A and C), and the HIPAA Breach Notification Rule (45 C.F.R. Part 164, Subpart D), as amended by the Health Information Technology for Economic and Clinical Health Act ("HITECH") and the HIPAA Omnibus Rule (collectively, "HIPAA Rules").

Business Associate provides technology consulting, infrastructure management, and related services to Covered Entity pursuant to a separately executed service agreement ("Service Agreement"), which may involve the creation, receipt, maintenance, or transmission of Protected Health Information ("PHI") on behalf of Covered Entity. The parties therefore enter into this Agreement to satisfy the requirements of 45 C.F.R. § 164.504(e).


1. Definitions

Capitalized terms used but not otherwise defined in this Agreement have the meanings assigned to them under the HIPAA Rules. The following definitions apply:

Breach: Has the meaning set forth in 45 C.F.R. § 164.402.
Business Associate: Has the meaning set forth in 45 C.F.R. § 160.103.
Covered Entity: Has the meaning set forth in 45 C.F.R. § 160.103.
Electronic Protected Health Information (ePHI): PHI that is created, received, maintained, or transmitted in electronic form.
Protected Health Information (PHI): Has the meaning set forth in 45 C.F.R. § 160.103, limited to the PHI created, received, maintained, or transmitted by Business Associate on behalf of Covered Entity.
Required By Law: Has the meaning set forth in 45 C.F.R. § 164.103.
Subcontractor: Has the meaning set forth in 45 C.F.R. § 160.103.
Unsecured PHI: Has the meaning set forth in 45 C.F.R. § 164.402.

2. Obligations of Business Associate

2.1 Permitted Uses and Disclosures

Business Associate may use or disclose PHI only as necessary to perform the services described in the Service Agreement, as Required By Law, or as otherwise permitted by this Agreement. Business Associate shall not use or disclose PHI in a manner that would violate the HIPAA Rules if done by Covered Entity, except as permitted under Section 2.2.

2.2 Additional Permitted Uses

Business Associate may use PHI for the proper management and administration of Business Associate's operations and to fulfill legal responsibilities of Business Associate, provided that disclosures are Required By Law, or that Business Associate obtains reasonable assurances from the recipient that the PHI will be held confidentially and used or disclosed only as Required By Law or for the purpose for which it was disclosed, and that the recipient will notify Business Associate of any instances of which it is aware in which the confidentiality has been breached.

2.3 Safeguards

Business Associate shall implement and maintain appropriate administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of ePHI created, received, maintained, or transmitted on behalf of Covered Entity, in accordance with 45 C.F.R. Part 164, Subpart C (the Security Rule). Business Associate shall document and keep current such safeguards as required by 45 C.F.R. § 164.316.

2.4 Prohibition on Unauthorized Use

Business Associate shall not use or disclose PHI other than as permitted or required by this Agreement or as Required By Law. Business Associate shall not use PHI for marketing purposes, sell PHI, or use or disclose PHI in a manner that constitutes a violation of 42 U.S.C. § 17935.

2.5 Minimum Necessary

Business Associate shall, to the extent practicable, use, disclose, and request only the minimum amount of PHI necessary to accomplish the intended purpose of the use, disclosure, or request, in accordance with 45 C.F.R. § 164.502(b) and 45 C.F.R. § 164.514(d).

2.6 Subcontractors

Business Associate shall ensure that any Subcontractor that creates, receives, maintains, or transmits PHI on behalf of Business Associate agrees, in writing, to the same restrictions, conditions, and requirements that apply to Business Associate under this Agreement, in accordance with 45 C.F.R. § 164.504(e)(1)(ii) and 45 C.F.R. § 164.308(b)(2).

2.7 Reporting

Business Associate shall report to Covered Entity, without unreasonable delay and in no event later than ten (10) business days of becoming aware:

Any use or disclosure of PHI not permitted by this Agreement, including Breaches of Unsecured PHI as required by 45 C.F.R. § 164.410;

Any Security Incident of which Business Associate becomes aware, including any successful unauthorized access, use, disclosure, modification, or destruction of ePHI or interference with system operations;

Any use or disclosure of PHI required for Business Associate's proper management and administration or to carry out its legal responsibilities, as applicable.

2.8 Individual Rights

To the extent Business Associate maintains PHI in a Designated Record Set, Business Associate shall make available such PHI to Covered Entity as necessary for Covered Entity to fulfill its obligations under 45 C.F.R. §§ 164.524 (access), 164.526 (amendment), and 164.528 (accounting of disclosures). Business Associate shall respond to such requests within fifteen (15) calendar days of receipt.

2.9 Accounting of Disclosures

Business Associate shall document and make available to Covered Entity information required for Covered Entity to provide an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528, and shall maintain such documentation for a minimum of six (6) years from the date of the disclosure or the date it was last in effect, whichever is later.

2.10 Government Access

Business Associate shall make its internal practices, books, and records relating to the use and disclosure of PHI received from or created or received by Business Associate on behalf of Covered Entity available to the Secretary of Health and Human Services for purposes of determining Covered Entity's compliance with the HIPAA Rules, in accordance with 45 C.F.R. § 164.504(e)(2)(ii)(I).

3. Obligations of Covered Entity

3.1 Notice of Privacy Practices

Covered Entity shall notify Business Associate of any limitation(s) in Covered Entity's Notice of Privacy Practices in accordance with 45 C.F.R. § 164.520, to the extent that such limitation may affect Business Associate's use or disclosure of PHI.

3.2 Changes in Authorization

Covered Entity shall notify Business Associate of any changes in, or revocation of, authorization by an Individual to use or disclose PHI, to the extent that such changes may affect Business Associate's use or disclosure of PHI.

3.3 Restrictions

Covered Entity shall notify Business Associate of any restriction on the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 C.F.R. § 164.522, to the extent that such restriction may affect Business Associate's use or disclosure of PHI.

3.4 Permissible Requests

Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under the HIPAA Rules if done by Covered Entity, except as permitted under Section 2.2 of this Agreement.

4. Term and Termination

4.1 Term

This Agreement is effective as of the Effective Date and shall remain in effect until terminated in accordance with this Section or until the underlying Service Agreement expires or is terminated, whichever occurs first.

4.2 Termination for Cause

Either party may terminate this Agreement immediately upon written notice if the other party has materially breached a material provision of this Agreement and has failed to cure such breach within thirty (30) days of written notice specifying the breach in reasonable detail. Where cure is not possible, the non-breaching party may terminate this Agreement immediately.

4.3 Effect of Termination

Upon termination of this Agreement for any reason, Business Associate shall, at the election of Covered Entity, return or destroy all PHI received from or created or received by Business Associate on behalf of Covered Entity that Business Associate still maintains in any form, and shall retain no copies of such PHI. If return or destruction is not feasible, Business Associate shall extend the protections of this Agreement to such PHI and limit further uses and disclosures to those purposes that make return or destruction infeasible, for so long as Business Associate maintains such PHI.

4.4 Survival

The obligations of Business Associate under Section 4.3 and any obligations arising from a Breach discovered prior to termination shall survive termination of this Agreement.

5. Miscellaneous

5.1 Regulatory References

A reference in this Agreement to a section in the HIPAA Rules means the section as in effect or as amended at the time the obligation is performed or the reference is applied.

5.2 Amendment

The parties agree to take such action as is necessary to amend this Agreement from time to time to comply with the requirements of the HIPAA Rules and other applicable law. No amendment to this Agreement shall be valid unless made in writing and signed by authorized representatives of both parties.

5.3 Interpretation

This Agreement shall be interpreted as broadly as necessary to implement and comply with the HIPAA Rules. Any ambiguity in this Agreement shall be resolved in favor of a meaning that permits Covered Entity to comply with the HIPAA Rules.

5.4 No Third-Party Beneficiaries

Nothing in this Agreement shall confer any rights, remedies, obligations, or liabilities upon any person or entity other than Covered Entity and Business Associate and their respective successors and permitted assigns.

5.5 Governing Law

This Agreement shall be governed by and construed in accordance with federal law, including the HIPAA Rules, and to the extent not preempted by federal law, the laws of the State of Michigan, without regard to conflict of law principles.

5.6 Entire Agreement

This Agreement, together with the Service Agreement, constitutes the entire agreement between the parties with respect to the subject matter hereof and supersedes all prior agreements, understandings, negotiations, and discussions between the parties relating to such subject matter. In the event of a conflict between this Agreement and the Service Agreement with respect to PHI, this Agreement shall control.


Signatures

The parties have executed this Business Associate Agreement as of the Effective Date first written above.

Covered Entity

Authorized Signature

Printed Name: ___________________________

Title: ___________________________

Organization: ___________________________

Date: ___________________________

Business Associate

Authorized Signature

Printed Name: Caleb Lopez

Title: Founder & Managing Member

Organization: DadOfTheClan Consulting Group, LLC

Date: ___________________________

Disclaimer

This template is provided for informational purposes and represents DadOfTheClan's standard starting position for BAA negotiations. It does not constitute legal advice. The template has not been reviewed by legal counsel and should be reviewed by qualified healthcare counsel prior to execution. Covered entities with specific regulatory requirements, state law obligations, or non-standard PHI handling arrangements should request modifications before signing. Nothing on this page constitutes a legally binding agreement until executed in writing by authorized representatives of both parties.