
Business Associate Agreement

This Business Associate Agreement (“BAA”) governs Your use of all pMD’s Services (as defined in the Product Order and Master Services Agreement, or “MSA”, available at https://www.pmd.com/Master-services-agreement). In this BAA, “You” and “Covered Entity” mean the same thing, and “pMD” and “Business Associate” also mean the same thing. You understand and agree that by executing a Product Order with pMD, You are hereby agreeing to the terms of this BAA as set forth herein. In the case of any conflict between the MSA and this BAA, the BAA will control the relevant content.

1.        Definitions. Capitalized terms used without definition herein shall have the respective meanings assigned to them under the Health Insurance Portability and Accountability Act of 1996 and the privacy, security, breach notification and other rules promulgated thereunder (collectively “HIPAA”) or in the MSA.

2.        Permitted Uses and Disclosures. Business Associate may use or disclose PHI to perform the services set forth in the MSA and as otherwise permitted therein, as permitted herein and as Required by Law. Business Associate may not use or disclose PHI if such use or disclosure would violate the Privacy Rule if done by Covered Entity.

3.        Minimum Necessary. Both Parties agree they shall not use or disclose more than the minimum amount of PHI necessary to accomplish the intended purpose of the permitted use or disclosure under the MSA(s) or this Business Associate Agreement. Both Parties agree to comply with any guidance issued by the Secretary with respect to what constitutes minimum necessary.

4.        Activities by Business Associate. Business Associate shall:

        4.1.           Not use or disclose PHI other than as permitted or required by this Agreement, except that Business Associate may use and disclose PHI for the following purposes: (a) the proper management and administration of Business Associate, (b) to carry out the legal responsibilities of Business Associate, (c) to provide data aggregation services relating to the health care operations of the Covered Entity, and (d) to de-identify PHI received or created by Business Associate in accordance with HIPAA, and such de-identified information shall no longer be subject to this Agreement and may be used and disclosed on Business Associate’s own behalf in accordance with the de-identification requirements of the Privacy Rule. Notwithstanding the foregoing, if Business Associate discloses PHI for the proper management and administration of Business Associate and such disclosures are not Required by Law, Business Associate must first obtain reasonable assurances from the person to whom the information is disclosed that it will remain confidential and will be used or further disclosed only as Required by Law or for the purpose for which it was disclosed to the person, and the person agrees to notify Business Associate of any breaches of the confidentiality of the information of which such person becomes aware.

        4.2.           Use appropriate safeguards to prevent use or disclosure of PHI other than as provided for by this Agreement.

        4.3.           Implement administrative, physical, and technical safeguards (including written policies and procedures) that reasonably and appropriately protect the confidentiality, integrity, and availability of electronic PHI that it creates, receives, maintains, or transmits on behalf of the Covered Entity as required by the Security Rule. In addition, Business Associate shall comply with Sections 164.308, 164.310, 164.312, 164.314, and 164.316 of the Security Rule in the same manner that such sections apply to covered entities with respect to Business Associate’s use or disclosure of PHI.

        4.4.           Report to Covered Entity any: (a) use or disclosure of PHI not provided for by this Agreement without unreasonable delay, but in no case later than ten (10) days after it is Discovered by Business Associate; or (b) Security Incident of which Business Associate becomes aware; provided however, that the parties acknowledge and agree that this Section 3.4 constitutes notice by Business Associate to Covered Entity of the ongoing existence and occurrence or attempts of Unsuccessful Security Incidents for which no additional notice to Covered Entity shall be required. “Unsuccessful Security Incidents” means, without limitation, pings and other broadcast attacks on Business Associate’s firewalls, port scans, unsuccessful log-on attempts, denial of service attacks, and any combination of the above, so long as no such incident results in unauthorized access, use or disclosure of PHI.

        4.5.           Require that any subcontractor that creates, receives, maintains or transmits PHI on behalf of Business Associate agrees in writing to the same restrictions and conditions that apply to Business Associate in this Agreement related to such information, including compliance with Sections 164.308, 164.310, 164.312, 164.314, and 164.316 of the Security Rule and compliance with the applicable provisions of the Privacy Rule.

        4.6.           At the request of Covered Entity, provide access to PHI in a Designated Record Set in order for Covered Entity to meet the requirements under 45 CFR § 164.524.

        4.7.           At the request of Covered Entity, make available to Covered Entity PHI for amendment and, if requested by Covered Entity, incorporate any amendment(s) to PHI in accordance with 45 CFR § 164.526.

        4.8.           Make available the information required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 CFR § 164.528.

        4.9.           Make its internal practices, books and records relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of Covered Entity available to the Secretary for purposes of the Secretary determining Covered Entity’s compliance with HIPAA.

        4.10.        Comply with all requirements of the Health Information Technology for Economic and Clinical Health Act under the American Recovery and Reinvestment Act of 2009 (the “HITECH Act”) that relate to security or privacy and that the HITECH Act makes applicable to business associates, and all such requirements are incorporated into this Agreement by reference for such purposes.

        4.11.        To the extent that Business Associate is to carry out an obligation of Covered Entity under the Privacy Rule, comply with the requirements of the Privacy Rule that apply to the Covered Entity in the performance of such obligation.

5.        Obligations of Covered Entity.

        5.1.           Notice of Privacy Practices. Covered Entity shall notify Business Associate of any limitation(s) in its notice of privacy practices in accordance with 45 CFR § 164.520 to the extent that such limitation may affect Business Associate’s use or disclosure of PHI or Business Associate’s obligations under applicable law or regulation with respect thereto.

        5.2.           Notification of Changes Regarding Individual Permission. Covered Entity shall notify Business Associate of any changes in, or revocation of, permission by Individual to use or disclose PHI to the extent that such changes may affect Business Associate’s use or disclosure of PHI or Business Associate’s obligations under applicable law or regulation with respect thereto.

        5.3.           Notification of Restrictions to Use or Disclosure of PHI. Covered Entity shall notify Business Associate of any restriction to the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 CFR § 164.522 to the extent that such restriction may affect Business Associate’s use or disclosure of PHI or Business Associate’s obligations under applicable law or regulation.

        5.4.           Permissible Requests by Covered Entity. Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible for Covered Entity under HIPAA, the HITECH Act or any other applicable law or regulation.

6.        Term and Termination.

        6.1.           Term. The term of this Agreement shall commence as of the Effective Date of the MSA, and shall terminate when all of the PHI provided by Covered Entity to Business Associate, or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity or, if it is infeasible to return or destroy PHI, protections are extended to such information in accordance with the termination provisions in this Section 6.3 of this Agreement.

        6.2.           Termination for Cause. In the event a party has knowledge of a material breach by the other, such party may either: (a) provide an opportunity for the breaching party to cure the breach or end the violation and terminate this Agreement and the MSA if the breaching party does not cure the breach within thirty (30) days; or (b) immediately terminate this Agreement and the MSA if cure of the breach is not possible.

        6.3.           Effect of Termination.

                6.3.1.        Except as provided in Section 6.3.2 or otherwise required by applicable law or regulation, upon termination of this Agreement, for any reason, Business Associate shall, for a period of thirty (30) days after such termination, retain all PHI received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity, and shall return all such PHI to Covered Entity (in accordance with the Agreement) if Covered Entity requests such return within such thirty (30) day period. If Covered Entity does not request return of such PHI within such thirty (30) day period, Business Associate shall destroy all such PHI and retain no copies of such PHI. This provision shall apply to PHI that is in the possession of subcontractors or agents of Business Associate.

                6.3.2.        In the event that Business Associate determines that returning or destroying the PHI is infeasible, Business Associate shall provide to Covered Entity notification of the conditions that make return or destruction infeasible. Upon the determination by Business Associate that return or destruction of PHI is infeasible, Business Associate shall extend the protections of this Agreement to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible for so long as Business Associate maintains such PHI.

7.        Miscellaneous. The parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for Covered Entity and Business Associate to comply with the requirements of HIPAA, the HITECH Act, and other applicable law or regulation. The respective rights and obligations of the parties under Section 6.3 of this Agreement shall survive the termination of this Agreement and the MSA. Nothing expressed or implied in this Agreement is intended to confer, nor shall anything herein confer, any rights, remedies, obligations or liabilities whatsoever upon any person other than Covered Entity, Business Associate and their respective successors or assigns. In the event of a direct conflict between the terms of this MSA and this Agreement with respect to the subject matter of this Agreement, this Agreement shall control. This Agreement expressly supersedes and replaces any prior HIPAA business associate agreement between the parties. Any ambiguity in this Agreement shall be resolved in favor of a meaning that permits each party to comply with HIPAA, the HITECH Act and any other applicable law or regulation.

Last Revised on November 20, 2023