This Business Associate Agreement (this “BAA”) by and between the Company set forth in the Principal Agreement (as such term is defined below) (“Company” or the “Covered Entity”) and Coralogix Ltd. and its Affiliates (the “Business Associate,” in accordance with the meaning given to those terms at 45 CFR §164.501), for the purpose of setting forth Business Associate Agreement terms for the Company.
Each may hereinafter be individually referred to as a “Party” and collectively as the “Parties”. This BAA shall commence upon its execution (“Effective Date”).
WHEREAS, this BAA forms an integral part of, and is subject to, Coralogix’s Master Subscription Terms (“Principal Agreement”), entered into by the Covered Entity and the Business Associate (the BAA together with the Principal Agreement – “Agreement”).
WHEREAS, the Covered Entity is either a “covered entity” or “business associate” of a covered entity as each are defined under the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, as amended by the HITECH Act (as defined below) and the related regulations promulgated by HHS (as defined below) (collectively, “HIPAA”) and, as such, is required to comply with HIPAA’s provisions regarding the confidentiality and privacy of Protected Health Information (as defined below);
WHEREAS, the Parties have entered into or will enter into one or more agreements under which the Business Associate provides or will provide certain specified services to the Covered Entity that require the Business Associate to use, disclose, receive, access, create, maintain and/or transmit health information that is protected by state and/or federal law (collectively, the “Business Arrangements”);
WHEREAS, in providing services pursuant to the Principal Agreement, the Business Associate may have access to Protected Health Information;
WHEREAS, by providing the services pursuant to the Principal Agreement, the Business Associate will become a “business associate” of the Covered Entity as such term is defined under HIPAA;
WHEREAS, both Parties are committed to complying with all federal and state laws governing the confidentiality and privacy of health information, including, but not limited to, the Standards for Privacy of Individually Identifiable Health Information found at 45 CFR Part 160 and Part 164, Subparts A and E (collectively, the “Privacy Rule”); and
WHEREAS, both Parties intend to protect the privacy and provide for the security of Protected Health Information actually disclosed to the Business Associate pursuant to the terms of the Agreement, HIPAA and other applicable laws.
NOW, THEREFORE, in consideration of the mutual covenants and conditions contained herein and with respect to PHI actually provided by the Covered Entity to the Business Associate under the Agreement in reliance on this BAA, the Parties agree as follows:
1. Definitions. For purposes of this BAA, the Parties give the following meaning to each of the terms in this Section 1 below. Any capitalized term used in this BAA, but not otherwise defined, has the meaning given to that term in the Privacy Rule or pertinent law.
1.1. “Affiliate” means an entity that, directly or indirectly, owns or controls, is owned or is controlled by, or is under common ownership or control with a party, where “ownership” means the beneficial ownership of more than fifty percent (50%) of an entity’s voting equity securities or other equivalent voting interests and “control” means the power to direct the management or affairs of an entity.
1.2. “Breach” means the acquisition, access, use, or disclosure of PHI disclosed to and held by Business Associate in a manner not permitted under the Privacy Rule which compromises the security or privacy of the PHI, as defined in 45 CFR §164.402.
1.3. “Breach Notification Rule” means the portion of HIPAA set forth in Subpart D of 45 CFR Part 164.
1.4. “Data Aggregation” means, with respect to PHI received by the Business Associate in its capacity as the “business associate” under HIPAA of the Covered Entity, the combining of such PHI by the Business Associate with other protected health information (as such term is defined in 45 CFR §§164.501 and 160.103) received by the Business Associate in its capacity as a business associate of one or more other “covered entities” under HIPAA, to permit data analyses that relate to the Health Care Operations (defined below) of the respective covered entities. The meaning of “data aggregation” in this BAA shall be consistent with the meaning given to that term in the Privacy Rule.
1.5. “Designated Record Set” has the meaning given to such term under the Privacy Rule, including 45 CFR §164.501.B.
1.6. “De-Identify” means to alter the PHI such that the resulting information meets the requirements described in 45 CFR §§164.514(a) and (b).
1.7. “Electronic PHI” means any PHI maintained in or transmitted by electronic media as defined in 45 CFR §160.103.
1.8. “Health Care Operations” has the meaning given to that term in 45 CFR §164.501.
1.9. “HHS” means the U.S. Department of Health and Human Services.
1.10. “HITECH Act” means the Health Information Technology for Economic and Clinical Health Act, enacted as part of the American Recovery and Reinvestment Act of 2009, Public Law 111-005.
1.11. “Individual” has the same meaning given to that term in 45 CFR §§164.501 and 160.130 and includes a person who qualifies as a personal representative in accordance with 45 CFR §164.502(g).
1.12. “Privacy Rule” means that portion of HIPAA set forth in 45 CFR Part 160 and Part 164, Subparts A and E.
1.13. “Protected Health Information” or “PHI” has the meaning given to the term “protected health information” in 45 CFR §§164.501 and 160.103, limited to the information actually received by the Business Associate from or on behalf of the Covered Entity in connection with the services provided under the Principal Agreement.
1.14. “Security Incident” means the unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.
1.15. “Security Rule” means the Security Standards for the Protection of Electronic Health Information provided in 45 CFR Part 160 & Part 164, Subparts A and C.
1.16. “Unsecured Protected Health Information” or “Unsecured PHI” means any “protected health information” as defined in 45 CFR §§164.501 and 160.103 that is not rendered unusable, unreadable or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the HHS Secretary in the guidance issued pursuant to the HITECH Act and codified at 42 USC §17932(h).
2. Scope.
2.1. This BAA applies to the extent that Company is acting as a Covered Entity and Business Associate receives, maintains, or transmits PHI, and Business Associate is deemed to be acting as a business associate or subcontractor of Company under HIPAA (as such terms are defined therein).
3. Use and Disclosure of PHI.
3.1. Except as otherwise provided in this BAA, the Business Associate may use or disclose PHI as reasonably necessary to provide the services to the Covered Entity as described in the Principal Agreement, and to undertake other activities of the Business Associate permitted or required of the Business Associate by this BAA or as required by law.
3.2. Except as otherwise limited by this BAA or federal or state law, the Covered Entity authorizes the Business Associate to use the PHI in its possession for the proper management and administration of the Business Associate’s business and to carry out its legal responsibilities. The Business Associate may disclose PHI for its proper management and administration, provided that: (i) the disclosures are required by law; or (ii) the Business Associate obtains, in writing, prior to making any disclosure to a third party (a) reasonable assurances from this third party that the PHI will be held confidential as provided under this BAA and used or further disclosed only as required by law or for the purpose for which it was disclosed to this third party and (b) an agreement from this third party to notify the Business Associate immediately of any breaches of the confidentiality of the PHI, to the extent it has knowledge of the breach.
3.3. The Business Associate will not use or disclose PHI in a manner other than as provided in this BAA, as permitted under the Privacy Rule, or as required by law. The Business Associate will use or disclose PHI, to the extent practicable, as a limited data set or limited to the minimum necessary amount of PHI to carry out the intended purpose of the use or disclosure, in accordance with Section 13405(b) of the HITECH Act (codified at 42 USC §17935(b)) and any of the act’s implementing regulations adopted by HHS, for each use or disclosure of PHI.
3.4. Upon request, the Business Associate will make available to the Covered Entity any of the Covered Entity’s PHI that the Business Associate or any of its agents or subcontractors have in their possession.
3.5. The Business Associate may use PHI to report violations of law to appropriate Federal and State authorities, consistent with 45 CFR §164.502(j)(1).
4. Safeguards Against Misuse of PHI. The Business Associate will use appropriate safeguards to prevent the use or disclosure of PHI other than as provided by the Principal Agreement or this BAA, and the Business Associate agrees to implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of the Electronic PHI that it creates, receives, maintains or transmits on behalf of the Covered Entity. The Business Associate agrees to take reasonable steps, including providing adequate training to its employees, to ensure compliance with this BAA and to ensure that the actions or omissions of its employees or agents do not cause the Business Associate to breach the terms of this BAA.
5. Reporting Disclosures of PHI and Security Incidents. The Business Associate will report to the Covered Entity in writing any use or disclosure of PHI not provided for by this BAA of which it becomes aware, and the Business Associate agrees to report to the Covered Entity any Security Incident affecting Electronic PHI of the Covered Entity of which it becomes aware. The Business Associate agrees to report any such event within five business days of becoming aware of the event.
6. Reporting Breaches of Unsecured PHI. The Business Associate will notify the Covered Entity in writing promptly upon the discovery of any Breach of Unsecured PHI in accordance with the requirements set forth in 45 CFR §164.410, but in no case later than 30 calendar days after discovery of a Breach. The Business Associate will reimburse the Covered Entity for any costs incurred by it in complying with the requirements of Subpart D of 45 CFR §164 that are imposed on the Covered Entity as a result of a Breach committed by the Business Associate.
7. Mitigation of Disclosures of PHI. The Business Associate will take reasonable measures to mitigate, to the extent practicable, any harmful effect that is known to the Business Associate of any use or disclosure of PHI by the Business Associate or its agents or subcontractors in violation of the requirements of this BAA.
8. Agreements with Agents or Subcontractors.
8.1. The Business Associate will ensure that any of its agents or subcontractors that have access to, or to which Business Associate provides, PHI agree in writing to the restrictions and conditions concerning uses and disclosures of PHI contained in this BAA and agree to implement reasonable and appropriate safeguards to protect any Electronic PHI that it creates, receives, maintains or transmits on behalf of the Business Associate or, through the Business Associate, the Covered Entity.
8.2. The Business Associate shall notify the Covered Entity, or the upstream Business Associate, of all subcontracts and agreements relating to the Agreement, where the subcontractor or agent receives PHI as described in Section 1.13 of this BAA. Such notification shall occur within 30 (thirty) calendar days of the execution of the subcontract by placement of such notice on the Business Associate’s primary website or by providing the Covered Entity with an email notification, at Business Associate’s sole discretion. The Business Associate shall ensure that all subcontracts and agreements provide the same level of privacy and security as this BAA.
8.3. For the avoidance of doubt, the Business Associate’s obligations under this subsection do not apply to service providers who only provide data transmission services, including storage of PHI necessary and incident to such transmission (i.e., the “conduit exception”).
9. Audit Report. Upon request, the Business Associate will provide the Covered Entity, or the upstream Business Associate, with a copy of its most recent independent HIPAA compliance report (AT-C 315), HITRUST certification or other mutually agreed upon independent standards-based third-party audit report. The Covered Entity agrees not to re-disclose the Business Associate’s audit report.
10. Access to PHI by Individuals.
10.1. Upon request, the Business Associate agrees to furnish the Covered Entity with copies of the PHI maintained by the Business Associate in a Designated Record Set in the time and manner designated by the Covered Entity to enable the Covered Entity to respond to an Individual’s request for access to PHI under 45 CFR §164.524.
10.2. In the event any Individual or personal representative requests access to the Individual’s PHI directly from the Business Associate, the Business Associate, within ten business days, will forward that request to the Covered Entity. Any disclosure of, or decision not to disclose, the PHI requested by an Individual or a personal representative and compliance with the requirements applicable to an Individual’s right to obtain access to PHI shall be the sole responsibility of the Covered Entity.
11. Amendment of PHI.
11.1. Upon request and instruction from the Covered Entity, the Business Associate will amend PHI or a record about an Individual in a Designated Record Set that is maintained by, or otherwise within the possession of, the Business Associate as directed by the Covered Entity in accordance with procedures established by 45 CFR §164.526. Any request by the Covered Entity to amend such information will be completed by the Business Associate within 15 business days of the Covered Entity’s request.
11.2. In the event that any Individual requests that the Business Associate amend such Individual’s PHI or record in a Designated Record Set, the Business Associate, within ten business days, will forward this request to the Covered Entity. Any amendment of, or decision not to amend, the PHI or record as requested by an Individual and compliance with the requirements applicable to an Individual’s right to request an amendment of PHI will be the sole responsibility of the Covered Entity.
12. Accounting of Disclosures.
12.1. The Business Associate will document any disclosures of PHI made by it to account for such disclosures as required by 45 CFR §164.528(a). The Business Associate also will make available information related to such disclosures as would be required for the Covered Entity to respond to a request for an accounting of disclosures in accordance with 45 CFR §164.528. At a minimum, the Business Associate will furnish the Covered Entity the following with respect to any covered disclosures by the Business Associate: (i) the date of disclosure of PHI; (ii) the name of the entity or person who received PHI, and, if known, the address of such entity or person; (iii) a brief description of the PHI disclosed; and (iv) a brief statement of the purpose of the disclosure which includes the basis for such disclosure.
12.2. The Business Associate will furnish to the Covered Entity information collected in accordance with this Section 10, within ten business days after written request by the Covered Entity, to permit the Covered Entity to make an accounting of disclosures as required by 45 CFR §164.528, or in the event that the Covered Entity elects to provide an Individual with a list of its business associates, the Business Associate will provide an accounting of its disclosures of PHI upon request of the Individual, if and to the extent that such accounting is required under the HITECH Act or under HHS regulations adopted in connection with the HITECH Act.
12.3. In the event an Individual delivers the initial request for an accounting directly to the Business Associate, the Business Associate will within ten business days forward such request to the Covered Entity.
13. Availability of Books and Records. The Business Associate will make available its internal practices, books, agreements, records, and policies and procedures relating to the use and disclosure of PHI, upon request, to the Secretary of HHS for purposes of determining the Covered Entity’s and the Business Associate’s compliance with HIPAA, and this BAA.
14. Responsibilities of the Covered Entity. With regard to the use and/or disclosure of Protected Health Information by the Business Associate, the Covered Entity agrees to:
14.1. Notify the Business Associate of any limitation(s) in its notice of privacy practices in accordance with 45 CFR §164.520, to the extent that such limitation may affect the Business Associate’s use or disclosure of PHI.
14.2. Notify the Business Associate of any changes in, or revocation of, permission by an Individual to use or disclose Protected Health Information, to the extent that such changes may affect the Business Associate’s use or disclosure of PHI.
14.3. Notify the Business Associate of any restriction to the use or disclosure of PHI that the Covered Entity has agreed to in accordance with 45 CFR §164.522, to the extent that such restriction may affect the Business Associate’s use or disclosure of PHI.
14.4. Except for data aggregation or management and administrative activities of the Business Associate, the Covered Entity shall not request the Business Associate to use or disclose PHI in any manner that would not be permissible under HIPAA if done by the Covered Entity.
15. Data Ownership. The Business Associate’s data stewardship does not confer data ownership rights on the Business Associate with respect to any data shared with it under the Agreement, including any and all forms thereof.
16. Term and Termination.
16.1. This BAA will become effective on the date first written above, and will continue in effect until all obligations of the Parties have been met under the Agreement.
16.2. The Covered Entity may immediately terminate this BAA, the Principal Agreement, and any other related agreements if the Covered Entity makes a determination that the Business Associate has breached a material term of this BAA and the Business Associate has failed to cure that material breach, to the Covered Entity’s reasonable satisfaction, within 30 days after written notice from the Covered Entity. The Covered Entity may report the problem to the Secretary of HHS if termination is not feasible.
16.3. If the Business Associate determines that the Covered Entity has breached a material term of this BAA, then the Business Associate will provide the Covered Entity with written notice of the existence of the breach and shall provide the Covered Entity with 30 days to cure the breach. The Covered Entity’s failure to cure the breach within the 30-day period will be grounds for immediate termination of the Principal Agreement and this BAA by the Business Associate. The Business Associate may report the breach to HHS.
16.4. Upon termination of the Principal Agreement or this BAA for any reason, all PHI maintained by the Business Associate will be returned to the Covered Entity or destroyed by the Business Associate. The Business Associate will not retain any copies of such information. This provision will apply to PHI in the possession of the Business Associate’s agents and subcontractors. If return or destruction of the PHI is not feasible, in the Business Associate’s reasonable judgment, the Business Associate will furnish the Covered Entity with a notification, in writing, of the conditions that make return or destruction infeasible. Upon mutual agreement of the Parties that return or destruction of the PHI is infeasible, the Business Associate will extend the protections of this BAA to such information for as long as the Business Associate retains such information and will limit further uses and disclosures to those purposes that make the return or destruction of the information not feasible. The Parties understand that this Section 14.D. will survive any termination of this BAA.
17. Effect of BAA.
17.1. This BAA is a part of and subject to the terms of the Principal Agreement, except that to the extent any terms of this BAA conflict with any term of the Principal Agreement, the terms of this BAA will govern.
17.2. Except as expressly stated in this BAA or as provided by law, this BAA will not create any rights in favor of any third party.
18. Regulatory References. A reference in this BAA to a section in HIPAA means the section as in effect or as amended at the time.
19. Notices. All notices, requests and demands or other communications to be given under this BAA to a Party will be made via either first class mail, registered or certified or express courier, or electronic mail to the Party’s address given in the Principal Agreement.
20. Amendments and Waiver. This BAA may not be modified, nor will any provision be waived or amended, except in writing duly signed by authorized representatives of the Parties. A waiver with respect to one event shall not be construed as continuing, or as a bar to or waiver of any right or remedy as to subsequent events.
21. HITECH Act Compliance. The Parties acknowledge that the HITECH Act includes significant changes to the Privacy Rule and the Security Rule. The privacy subtitle of the HITECH Act sets forth provisions that significantly change the requirements for business associates and the agreements between business associates and covered entities under HIPAA and these changes may be further clarified in forthcoming regulations and guidance. Each Party agrees to comply with the applicable provisions of the HITECH Act and any HHS regulations issued with respect to the HITECH Act. The Parties also agree to negotiate in good faith to modify this BAA as reasonably necessary to comply with the HITECH Act and its regulations as they become effective but, in the event that the Parties are unable to reach agreement on such a modification, either Party will have the right to terminate this BAA upon 30 days’ prior written notice to the other Party.
22. No Warranty. PHI IS PROVIDED TO THE BUSINESS ASSOCIATE SOLELY ON AN “AS IS” BASIS. THE COVERED ENTITY AND ITS CLIENTS DISCLAIM ALL OTHER WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO, IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
23. Waiver. No provision of this BAA or any breach thereof shall be deemed waived unless such waiver is in writing and signed by the Party claimed to have waived such provision or breach. No waiver of a breach shall constitute a waiver of or excuse any different or subsequent breach.
24. Miscellaneous.
24.1. Assignment. Other than as expressly permitted pursuant to the Business Arrangements and subject to the terms thereof, neither Party may assign (whether by operation of law or otherwise) any of its rights or delegate or subcontract any of its obligations under this BAA without the prior written consent of the other Party. Notwithstanding the foregoing, the Business Associate shall have the right to assign its rights and obligations hereunder to any entity that is an Affiliate or successor of the Business Associate, whether by merger, acquisition, change in control, or other transaction involving the sale of all or substantially all of the Business Associate’s assets, without the prior approval of the Covered Entity.
24.2. Amendment. The Parties agree to amend this BAA from time to time as is necessary for compliance with HIPAA and any other applicable law or regulation.
24.3. Severability. Any provision of this BAA that is determined to be invalid or unenforceable will be ineffective to the extent of such determination without invalidating the remaining provisions of this BAA or affecting the validity or enforceability of such remaining provisions.
24.4. Governing Law. This BAA shall be governed by, and interpreted in accordance with, the laws of the State of Delaware, excluding its conflicts of laws provisions. Jurisdiction and venue for any dispute relating to this BAA shall exclusively rest with the state and federal courts in Delaware having jurisdiction over the Business Arrangements.
24.5. Equitable Relief. The Business Associate understands and acknowledges that any disclosure or misappropriation of any PHI in violation of this BAA will cause the Covered Entity and the applicable Client(s) irreparable harm, the amount of which may be difficult to ascertain, and therefore agrees that the Covered Entity shall have the right to apply to a court of competent jurisdiction for specific performance and/or an order restraining and enjoining any such further disclosure or breach and for such other relief as the Covered Entity shall deem appropriate. Such right of the Covered Entity is to be in addition to the remedies otherwise available to the Covered Entity at law or in equity. The Business Associate expressly waives the defense that a remedy in damages will be adequate and further waives any requirement in an action for specific performance or injunction for the posting of a bond by the Covered Entity.
24.6. Nature of Agreement; Independent Contractor. Nothing in the Agreement shall be construed to create: (i) a partnership, joint venture or other joint business relationship between the Parties or any of their Affiliates; or (ii) a relationship of employer and employee between the Parties. The Business Associate is an independent contractor and not an agent of the Covered Entity. This BAA does not express or imply any commitment to purchase or sell goods or services.
24.7. Counterparts; Execution. This BAA and any amendments hereto may be executed by the Parties individually or in any combination, in one or more counterparts, each of which shall be an original and all of which shall together constitute one and the same agreement. Execution and delivery of this BAA and any amendments by the Parties shall be legally valid and effective through: (i) executing and delivering the paper copy of the document, (ii) transmitting the executed paper copy of the document by facsimile transmission or electronic mail in “portable document format” (“.pdf”) or other electronically scanned format, or (iii) creating, generating, sending, receiving or storing by electronic means this BAA and any amendments, the execution of which is accomplished through use of an electronic process and executed or adopted by a Party with the intent to execute this BAA (i.e., “electronic signature” through a process such as DocuSign®).
24.8. Entire Agreement. This BAA constitutes the complete agreement between the Business Associate and the Covered Entity relating to the matters specified in this BAA and supersedes all prior representations or agreements, whether oral or written, with respect to such matters. In the event of any conflict between the terms of this BAA and the terms of the Business Arrangements or any such later agreement(s), the terms of this BAA shall control unless the terms of such Business Arrangements are stricter with respect to PHI and comply with the Confidentiality Requirements, or the Parties specifically otherwise agree in writing. No oral modification or waiver of any of the provisions of this BAA shall be binding on either Party to this BAA; provided, however, that upon the enactment of any law, regulation, court decision or relevant government publication and/or interpretive guidance or policy that the Covered Entity believes in good faith will adversely impact the use or disclosure of PHI under this BAA, the Covered Entity may amend the BAA to comply with such law, regulation, court decision or government publication, guidance or policy by delivering a written amendment to the Business Associate, which shall be effective thirty (30) calendar days after receipt. No obligation on either Party to enter into any transaction is to be implied from the execution or delivery of this BAA. This BAA is for the benefit of, and shall be binding upon, the Parties, their Affiliates and respective successors and assigns.