Business Associate Agreement

This Business Associate Agreement (“Agreement”) is made and entered into by and between Evolve IP, LLC, (“Business Associate”), with a principal address at 630 Allendale Rd, King of Prussia, PA 19406 and Customer (“Covered Entity”), each a “Party” and collectively the “Parties.” Customer may opt out of this BAA by sending electronic notice to Notices@EvolveIP.net, or by sending written notice to 630 Allendale Rd, King of Prussia, PA 19406, ATTN: Customer Notices, both of which are also included in the “Parties/Notices” section of the MSA. In the event that any of the terms of this BAA conflict with any Business Associate Agreement executed separately between Customer and Evolve IP (each a “Standalone BAA”), the Parties agree that the terms of the Standalone BAA shall control.

WHEREAS, Business Associate provides certain cloud-based technology services, e.g., virtual servers, virtual desktops, disaster recovery, unified communications, and contact services (the “Services”) to or on behalf of Covered Entity. In the course of obtaining the Services from Business Associate, it is necessary for Covered Entity, from time to time, to provide Protected Health Information (“PHI”), as such term is subsequently defined herein, to Business Associate;

WHEREAS, the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), as amended by the Health Information Technology for Economic and Clinical Health Act of 2009 (the “HITECH Act”), and their associated regulations, specifically, 45 CFR §§ 160, 162 and 164, Standards for Privacy of Individually Identifiable Health Information, Final Rule (the “Privacy Rule”) and Health Insurance Reform: Security Standards, Final Rule (the “Security Rule”) (collectively referred to as “HIPAA/HITECH”), require Covered Entity to ensure that Business Associate will appropriately safeguard PHI and use, and, if necessary, disclose PHI only as necessary to provide the Services for Covered Entity, consistent with its engagement by Covered Entity and applicable law;

WHEREAS, Business Associate is directly subject to the Final Security Rule to the same extent as Covered Entity, may use and disclose PHI only in compliance with the terms of this Agreement, and is subject to the privacy subtitle of the HITECH Act to the same extent as Covered Entity by operation of this Agreement;

WHEREAS, the Parties understand and agree that, while Business Associate may technically have access to PHI stored within the Services, given the nature of the Services being provided, Business Associate is unable to identify PHI or associate it to Individuals, and is therefore unable to respond to Individuals’ requests relating to access and control of their PHI, and any such requests will be referred to Covered Entity, who agrees to satisfy such requests;

WHEREAS, the Parties understand and agree that this Agreement shall only be applicable to the cloud-based technology services detailed in Appendix A below (“Covered Services”); and

NOW, THEREFORE, in consideration of the mutual covenants and agreements contained herein, the worth and sufficiency of which as legal consideration are hereby acknowledged, the parties hereto, intending to be legally bound hereby, agree as follows:
1. Definitions.
A. For the purposes of this Agreement, all capitalized terms not defined herein shall have the meanings defined in the HIPAA Rules, as may be amended from time to time.
B. “Business Associate” shall generally have the same meaning as the term “business associate” at 45 C.F.R. § 160.103, and in reference to this Agreement, shall mean Evolve IP.
C. “Breach” shall mean the unauthorized acquisition, access, use, or disclosure of Unsecured PHI that compromises the security or privacy of such information. A Breach shall not include: (1) any unintentional acquisition, access, or use of PHI by a Workforce member or person acting under the authority of Covered Entity, Business Associate, or Subcontractor if such acquisition, access, or use was made in good faith and within the scope of authority, and the PHI was not further acquired, accessed, used, or disclosed; (2) any inadvertent disclosure by a person who is authorized to access PHI at Covered Entity, Business Associate, or Subcontractor to another person authorized to access PHI at the same entity, or at an organized health care arrangement in which Covered Entity participates, and the information received as a result of such disclosure is not further acquired, accessed, used, or disclosed; or (3) a disclosure of PHI where Covered Entity or Business Associate has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.
D. “Electronic Protected Health Information” (“EPHI”) is PHI that is maintained in electronic media or transmitted by electronic media. EPHI is a subset of PHI.
E. “HIPAA Rules” shall mean the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR §§ 160, 162 and 164.
F. “Information System” shall mean an interconnected set of information resources under the same direct management control that shares common functionality. A system normally includes hardware, software, information, data, applications, communications, and people.
G. “Protected Health Information” (“PHI”) shall have the meaning given to such term in 45 C.F.R. § 164.501, limited to the information created or received by Business Associate from or on behalf of Covered Entity.
H. “Security Incident” shall mean the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.
I. “Unsecured PHI” means PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Secretary in the guidance issued under section 13402(h)(2) of the HITECH Act.
J. “Workforce” shall mean employees, volunteers, trainees, and other persons whose conduct, in the performance of work for Covered Entity, Business Associate or Subcontractor, is under the direct control of such entity, whether or not they are paid by Covered Entity, Business Associate or Subcontractor.

2. Term and Termination.
A. Term. The Term of this Agreement shall be effective as of the Effective Date and shall terminate when all of the PHI provided by Covered Entity to Business Associate, or created or received by Business Associate on behalf on behalf of Covered Entity, is destroyed or returned to Covered Entity, or, if it is infeasible to return or destroy PHI, protections are extended to such information, in accordance with the termination provisions of this Section 2.
B. Termination. The Parties authorize termination of this Agreement by the non-breaching Party upon knowledge of a material breach by breaching Party. Upon violation of a material term of this Agreement the non-breaching Party may either:
1. Provide a thirty (30) day opportunity for the non-breaching Party to cure the material breach or end the violation and, the non-breaching Party may terminate this Agreement
2. If a Party has breached a material term of this Agreement and cure is not, in the non-breaching Party’s reasonable determination, possible, the non-breaching Party may immediately terminate this Agreement; or
3. If neither termination nor cure are, in non-breaching Party’s reasonable determination, feasible, the non-breaching Party may report the violation to the Secretary of the U.S. Department of Health and Human Services (“Secretary”).
C. Except as provided in paragraph 2.C.1 below of this Section, upon termination of this Agreement for any reason, Business Associate shall return or destroy all PHI received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity. This provision shall also apply to PHI that is in the possession of subcontractors or agents of Business Associate. Neither Business Associate nor any subcontractor or agent of Business Associate shall retain copies of the PHI.
1. If Business Associate reasonably determines that returning or destroying the PHI is infeasible, Business Associate shall provide to Covered Entity notification of the conditions that make return or destruction infeasible. Upon Covered Entity’s written confirmation that return or destruction of PHI is infeasible, Business Associate may retain the PHI that is not feasible to return for so long as it remains infeasible to return such PHI. In such event, Business Associate shall extend the protections of this Agreement to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such PHI.
2. The provisions of this Section 2.C shall survive termination of this Agreement.

3. Obligations of Business Associate.
A. Business Associate shall comply with the use and disclosure provisions of the Privacy Rule in performing its obligations under any agreement for services with Covered Entity and to not use or disclose PHI other than as permitted or required under this Agreement or as Required by Law.
B. Business Associate shall implement and use appropriate safeguards to prevent use or disclosure of PHI other than as provided for by this Agreement.
C. Business Associate shall implement administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of EPHI that it creates, receives, maintains, or transmits on behalf of Covered Entity, and to otherwise comply with the Security Rule in performing Business Associate’s obligations under this Agreement.
D. Business Associate shall use best efforts to secure PHI to make it unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Secretary in its annual guidance issued under section 13402(h) of the HITECH Act, codified at 42 U.S.C. § 17932(h).
E. Business Associate shall mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of the requirements of this Agreement.
F. Business Associate shall, as soon as reasonably practicable and in no event later than sixty (60) days of discovery of the same, report to Covered Entity any use or disclosure of PHI not provided for by this Agreement of which it becomes aware, including, but not limited to, any Security Incident and any unauthorized acquisition, access, use, or disclosure of PHI.
G. Business Associate shall develop policies and procedures to both detect and report Breaches of PHI to the Covered Entity. Copies of such policies and procedures shall be made available to the Covered Entity upon the Covered Entity’s Request.
H. Business Associate shall, following the discovery of a Breach of PHI, notify Covered Entity of such Breach.
1. Business Associate shall provide initial notice of the Breach as soon as reasonably practicable and in no event later than sixty (60) days after the discovery of the Breach. A Breach shall be treated as discovered as of the first day on which the Breach is known to the Business Associate.
2. The initial notice shall include, to the extent possible, the identification of each individual whose PHI has been, or is reasonably believed by the Business Associate to have been, accessed, acquired, or disclosed during such Breach. Business Associate shall make best efforts to collect and provide to Covered Entity as soon as possible any such information that Business Associate is unable to provide in the initial notice.
I. Business Associate shall, following notification to Covered Entity of a Breach of PHI, cooperate with Covered Entity in providing any and all information required for Covered Entity to comply with the breach notification provisions of section 13402 of the HITECH Act and the implementing regulations set forth in Subpart D of the Privacy Rule (45 C.F.R. § 164.400 et seq.) and any other applicable breach notification laws and regulations of which Business Associate is informed of by Covered Entity.
J. Business Associate shall enter into legally binding agreements with each of its subcontractors and agents to ensure that any subcontractor agent to whom Business Associate provides PHI received from, or created or received by, Business Associate on behalf of Covered Entity agrees to the same restrictions and conditions that apply through this Agreement to Business Associate with respect to such information.
K. For purposes of the Secretary determining Covered Entity's compliance with the Privacy Rule and Security Rule, Business Associate shall make available to the Secretary, in a time and manner designated by the Secretary, its internal practices, books, and records (including policies and procedures), relating to the use and disclosure of PHI received from, or created or received by, Business Associate on behalf of Covered Entity.

4. Permitted Uses and Disclosures by Business Associate.
A. Except as otherwise limited by this Agreement, Business Associate may use PHI for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate.
B. Except as otherwise limited by this Agreement, Business Associate may disclose PHI for the proper management and administration of the Business Associate, provided that disclosures are Required By Law, or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and be used or further disclosed only as Required By Law or for the purpose for which it was disclosed to the person, and the person notifies the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.
C. Except as otherwise limited by this Agreement, Business Associate may use PHI to provide Data Aggregation services to Covered Entity as permitted by 45 C.F.R. § 164.504(e)(2)(i)(B).
D. Business Associate and its agent(s) and subcontractor(s) are prohibited from directly or indirectly receiving any remuneration in exchange for an individual’s PHI unless done with consent of Covered Entity and pursuant to and in compliance with 45 C.F.R. § 508(a)(4).
E. Business Associate may use PHI to report violations of law to appropriate Federal and State authorities, consistent with 45 C.F.R. § 164.502(j)(1).

5. Obligations of Covered Entity.
A. In addition to any other obligation set forth in this Agreement, Covered Entity agrees that it will: (i) not make any disclosure of PHI to Business Associate if such disclosure would violate HIPAA, the HITECH Act or any applicable federal or state law or regulation; and (ii) not request Business Associate to use or make any disclosure of PHI in any manner that would not be permissible under HIPAA, the HITECH Act or any applicable federal or state law or regulation if such use or disclosure were done by Covered Entity.
B. Covered Entity shall notify Business Associate of any limitation(s) in Covered Entity’s notice of privacy practices, to the extent that such limitation may affect Business Associate’s use or disclosure of PHI.

6. Notice.
Whenever, under the terms of this Agreement, written notice is required or permitted to be given by one Party to the other Party, such notice shall be governed by the notice provisions of the Master Services Agreement executed by the Parties.

7. Indemnification.
Each Party will indemnify and hold harmless the other Party to this Agreement from and against any and all claims, losses, liabilities, costs and other expenses resulting from, or relating to:
A. any misrepresentation, breach of warranty or non-fulfillment of any undertaking on the part of the Party under this Agreement; and
B. any claims, demands, awards, judgments, actions and proceedings made by an person, governmental entity or organization arising out of or in any way connected with the Party’s performance under this Agreement.
C. The Parties’ respective rights and obligations under this Section 7 shall survive termination of the Agreement.

8. Miscellaneous.
A. This Agreement sets forth the entire understanding and agreement between the Parties relating to the use and disclosure of PHI and shall be binding upon the Parties and their respective successors, heirs and assigns. All prior negotiations, agreements, and understandings regarding the use and disclosure of PHI are superseded hereby.
B. This Agreement may not be amended or revised except with the written consent of the Parties. The Parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for the parties to comply with the requirements of HIPAA/HITECH, as may be amended from time to time.
C. This Agreement shall be automatically assigned to and assumed by any legal successor or affiliate of the assignor who or which assumes responsibility for assignor’s obligations under any agreement between the Parties concerning the services provided by Business Associate for or on behalf of Covered Entity.
D. This Agreement shall be construed and enforced pursuant to the laws of the Commonwealth of Pennsylvania.
E. The invalidity or unenforceability of any particular provision or part thereof of this Agreement shall not affect the remainder of this Agreement, and this Agreement shall be construed in all respects as if such invalid or unenforceable provision or part thereof had been omitted.
F. This Agreement shall not create nor be deemed to create any relationship between Covered Entity and Business Associate other than that of independent contractors contracting with each other solely for the purpose performing the agreement pursuant to which Business Associate provides the Services to Covered Entity. Neither Covered Entity nor Business Associate shall assume or be responsible for the acts, omissions, liabilities, debts, or other obligations of the other Party, other than as specifically set forth in this Agreement and the Master Services Agreement pursuant to which Business Associate provides the Services to Covered Entity.
G. Any failure or delay by either Party in exercising any right under this Agreement shall not operate as a waiver of such Party’s rights, nor shall any single or partial exercise of any right serve to preclude a subsequent exercise of such right.
H. Any ambiguity in this Agreement shall be resolved to permit Covered Entity and Business Associate to comply with the HIPAA/HITECH.
I. Notwithstanding anything to the contrary in this Agreement, nothing herein shall be construed to require Business Associate to take any action, the consequence of which could reasonably be foreseen to result in the waiver or loss of any legal right or ethical obligation of either Covered Entity or Business Associate to keep any information confidential.
J. This Agreement may be executed in one or more counterparts and each of such counterparts shall, for all purposes, be deemed to be an original, but all of such counterparts shall constitute one and the same instrument.




APPENDIX A

Covered Services