THIS BUSINESS ASSOCIATE AGREEMENT (the “Agreement” or “BAA”) is entered into by and between Customer (“Covered Entity”) and Millin Associates, LLC (“Business Associate”) (each a “Party” and collectively, the “Parties”).
WHEREAS, Covered Entity is a “Covered Entity” as defined under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), and the regulations promulgated thereunder by the Secretary of the U.S. Department of Health and Human Services (“Secretary”), including, without limitation, the regulations codified at 45 C.F.R. Parts 160 and 164 (the “HIPAA Regulations”); and
WHEREAS, Business Associate provides billing software and/or performs related services for or on behalf of Covered Entity under a written agreement (“Service Agreement”) signed by Business Associate and Covered Entity, and in providing these products and services, Business Associate creates, receives, maintains, or transmits Protected Health Information (“PHI”) on behalf of Covered Entity; and
WHEREAS, the Parties intend to protect the privacy and provide for the security of the individually identifiable health information Disclosed by Covered Entity to Business Associate, or accessed, received, created, or transmitted by Business Associate, when providing Services. Such PHI will be protected in compliance with HIPAA, the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”) and its implementing regulations and guidance issued by the Secretary, and other applicable state and federal laws, all as amended from time to time; and
WHEREAS, Covered Entity is required under the HIPAA Regulations to enter into a Business Associate Agreement that meets certain requirements with respect to the Use and Disclosure of PHI, which are met by this Agreement.
Definitions
The following terms shall have the meaning set forth below. Capitalized terms used in this BAA and not otherwise defined shall have the meanings ascribed to them in HIPAA, the HIPAA Regulations, or the HITECH Act, as applicable.
Protected Health Information and PHI mean any information, whether oral or recorded in any form or medium, provided by Covered Entity to Business Associate, that: (a) relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; (b) identifies the individual (or for which there is a reasonable basis for believing that the information can be used to identify the individual); and (c) otherwise has the meaning given to such term under the Privacy Rule, including, but not limited to, 45 C.F.R. § 160.103. Protected Health Information includes electronic PHI (“ePHI”).
Services shall mean the services, products and other functions performed by Business Associate on behalf of Covered Entity pursuant to the Service Agreement between Covered Entity and Business Associate.
Obligations of Business Associate
1.1 Permitted Uses and Disclosures of Protected Health Information.
Business Associate shall not Use or Disclose PHI other than for the purposes of performing the Services, as permitted or required by this Agreement, or as Required by Law. Business Associate shall not Use or Disclose PHI in any manner that would constitute a violation of the HIPAA Regulations if so Used or Disclosed by Covered Entity.
Without limiting the generality of the foregoing, Business Associate is permitted to (i) Use PHI for the proper management and administration of Business Associate; (ii) Use and Disclose PHI to carry out the legal responsibilities of Business Associate, provided that with respect to any such Disclosure either: (a) the Disclosure is Required by Law; or (b) Business Associate obtains an agreement from the person to whom the PHI is to be Disclosed that such person will hold the PHI in confidence and will not Use or further Disclose such PHI except as Required by Law and for the purpose(s) for which it was Disclosed by Business Associate to such person, and that such person will notify Business Associate of any instances of which it is aware in which the confidentiality of the PHI has been breached; (iii) Use PHI for Data Aggregation purposes in connection with the Health Care Operations of Covered Entity; and (iv) Use PHI for purposes of de-identification of the PHI. To the extent Business Associate is carrying out any of Covered Entity's obligations under the Privacy Rule pursuant to the terms of the Service Agreement or this BAA, Business Associate shall comply with the requirements of the Privacy Rule that apply to Covered Entity in the performance of such obligation(s).
1.2 Adequate Safeguards of PHI.
Business Associate shall implement and maintain appropriate safeguards and shall comply with the applicable requirements of Subpart C of 45 C.F.R. Part 164 to prevent Use or Disclosure of PHI other than as provided for by this Agreement.
1.3 Reporting Security Incidents and Non-Permitted Uses or Disclosures of PHI.
Business Associate shall use reasonable and diligent efforts to review and investigate any potential use or disclosure of PHI not provided for by this Agreement.
Business Associate shall notify Covered Entity of any Use or Disclosure by Business Associate or its Subcontractors that is not specifically permitted by this Agreement, and of each Security Incident, including Breaches of Unsecured PHI, within ten (10) days of becoming aware of it.
Notwithstanding the foregoing, Business Associate and Covered Entity acknowledge the ongoing existence and occurrence of attempted but ineffective Security Incidents that are trivial in nature, such as pings and other broadcast service attacks, and Covered Entity acknowledges and agrees that no additional notification to Covered Entity of such ineffective Security Incidents is required, as long as no such incident results in unauthorized access, Use or Disclosure of PHI. If Business Associate determines that a Breach of Unsecured PHI has occurred, Business Associate shall provide a written report to Covered Entity without unreasonable delay but no later than ten (10) calendar days after discovery of the Breach. To the extent that information is available to Business Associate, Business Associate’s written report to Covered Entity shall be in accordance with 45 C.F.R. §164.410(c).
1.4 Use of Subcontractors.
Business Associate shall require each of its Subcontractors that creates, maintains, receives, or transmits PHI on behalf of Business Associate to execute a Business Associate Agreement that imposes on such Subcontractor substantially the same restrictions, conditions, and requirements that apply to Business Associate under this Agreement with respect to PHI. No Subcontractor shall be permitted to Use or Disclose PHI received from Business Associate other than as permitted or required by this Agreement or as Required by Law.
1.5 Access to Protected Health Information.
To the extent that Business Associate maintains a Designated Record Set on behalf of Covered Entity, Business Associate shall make the PHI it maintains (or which is maintained by its Subcontractors) in such Designated Record Sets available to Covered Entity for inspection and copying to enable Covered Entity to fulfill its obligations under 45 C.F.R. § 164.524 within fifteen (15) business days of a request by Covered Entity.
1.6 Amendment of Protected Health Information.
To the extent that Business Associate maintains a Designated Record Set on behalf of Covered Entity, Business Associate shall amend the PHI it maintains (or which is maintained by its Subcontractors) in such Designated Record Sets to enable Covered Entity to fulfill its obligations under 45 C.F.R. §164.526 within fifteen (15) business days of a request by Covered Entity.
1.7 Accounting.
To the extent that the Business Associate maintains a Designated Record Set on behalf of Covered Entity, within thirty (30) days of receipt of a request from Covered Entity or an individual for an accounting of disclosures of PHI, Business Associate and its Subcontractors shall make available to Covered Entity the information required to provide an accounting of disclosures to enable Covered Entity to fulfill its obligations under 45 C.F.R. §164.528.
1.8 Governmental Access.
Business Associate shall make its internal practices, books, and records relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of, Covered Entity available to the Secretary for purposes of determining Covered Entity's compliance with the Privacy Rule.
1.9 Minimum Necessary.
Business Associate (and its Subcontractors) shall, to the extent practicable, limit its request, Use, or Disclosure of PHI to the minimum amount of PHI necessary to accomplish the purpose of the request, Use, or Disclosure, in accordance with 45 C.F.R. §164.502(b)(1) or any other applicable guidance issued thereunder.
1.10 Mitigation.
To the extent practicable, Business Associate will reasonably cooperate with Covered Entity's efforts to mitigate a harmful effect that is known to Business Associate of a use or disclosure of PHI that is not permitted by this BAA.
Obligations of Covered Entity
2.1 Covered Entity’s Obligations.
2.1.1 Covered Entity shall notify Business Associate of any limitation(s) in the Notice of Privacy Practices of Covered Entity in accordance with 45 C.F.R. §164.520, to the extent that such limitation may affect Business Associate’s Use or Disclosure of PHI.
2.1.2 Covered Entity shall notify Business Associate of any changes in, or revocation of, the permission by an individual to Use or Disclose his or her PHI, to the extent that such changes may affect Business Associate’s Use or Disclosure of PHI.
2.1.3 Covered Entity shall notify Business Associate of any restriction on the Use or Disclosure of PHI that Covered Entity has agreed to or is required to abide by under 45 C.F.R. § 164.522, to the extent that such restriction may affect Business Associate’s Use or Disclosure of PHI.
2.1.4 Covered Entity agrees to obtain any consent or authorization that may be required under HIPAA or any other applicable law and/or regulation prior to furnishing Business Associate with PHI.
2.1.5 Covered Entity shall not request Business Associate to make any Use or Disclosure of PHI that would not be permitted under HIPAA if made by Covered Entity.
2.1.6 Covered Entity agrees to fulfill its obligations under this BAA in a timely manner.
Term and Termination
3.1 Term.
The term of the Agreement shall be effective as of the Effective Date and shall terminate as of the date that all of the PHI provided by Covered Entity to Business Associate, or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity, or, if it is infeasible to return or destroy the PHI, protections are extended to such information in accordance with Section 3.3.
3.2 Termination for Cause.
In addition to and notwithstanding the termination provisions set forth in the Service Agreement, upon Covered Entity’s or Business Associate’s knowledge of a material breach or violation of this BAA by the other Party, the non-breaching Party shall either:
3.2.1 Notify the breaching Party of the breach in writing, and provide an opportunity for the breaching Party to cure the breach or end the violation within thirty (30) business days of such notification; provided that if the breaching Party fails to cure the breach or end the violation within such time period to the satisfaction of the non-breaching Party, the non-breaching Party may immediately terminate this BAA upon written notice to the breaching Party; or
3.2.2 Terminate this BAA upon thirty (30) business days’ written notice to the breaching Party if the non-breaching Party determines that such breach cannot be cured.
3.3 Disposition of Protected Health Information Upon Termination.
Upon termination of this Agreement, Business Associate shall either return or destroy all PHI received from, or created or received by Business Associate on behalf of, Covered Entity that Business Associate still maintains in any form, and shall retain no copies of such PHI.
If return or destruction is not feasible, Business Associate shall continue to extend the protections of this Agreement to the PHI for as long as Business Associate retains the PHI and limit further Uses and Disclosures of such PHI to those purposes that make the return or destruction of the PHI infeasible.
Miscellaneous
4.1 Amendment.
The Parties acknowledge that state and federal laws relating to electronic data security and privacy are rapidly evolving and that amendment of this Agreement may be required to ensure compliance with such developments. The Parties agree to take such action as is necessary to implement the standards and requirements of the Privacy Rule and other applicable laws relating to the security or confidentiality of PHI.
4.2 No Third-Party Beneficiaries.
This Agreement is intended for the sole benefit of Covered Entity and Business Associate and does not create any third-party beneficiary rights, except as required under the Privacy Rule.
4.3 Interpretation.
This Agreement shall be interpreted as broadly as necessary to implement and comply with the Privacy Rule and applicable state laws. The Parties agree that any ambiguity in this Agreement shall be resolved in favor of a meaning that complies and is consistent with HIPAA, the HITECH Act, and any applicable regulations.
4.4 Relationship of the Parties.
The Parties agree that Business Associate is not the agent of Covered Entity and that Covered Entity is not the agent of Business Associate.
4.5 Survival.
The respective rights and obligations of Business Associate under Section 3.3 of this Agreement shall survive the termination of this Agreement and the Service Agreement.
4.6 Notice.
All notices, requests, consents and other communications required or provided under this Agreement shall be in writing and shall be delivered in person or mailed by certified or registered mail, return receipt requested, at the address set forth below in the signature block of this Agreement or at such other address provided by such Party in writing to the other Party.
303 Merrick Road Lynbrook NY 11563 | +1 516-374-4530 | Solutions@millinmedical.com