BUSINESS ASSOCIATE AGREEMENT ADDENDUM

This Business Associate Agreement Addendum (BAA) is made and entered into between CerteDrive Corp. and its Affiliates (Company) and the customer agreeing to the terms and conditions to which this BAA is attached (Customer). Company and Customer have also entered into an arrangement for Company to provide services or products, which may be addressed by Company’s terms and conditions (Agreement).

  1. Acknowledgements. Company acknowledges that the products and services it provides under the Agreement may make Company a Business Associate of Customer, and Customer acknowledges that it is a Covered Entity.
  2. Applicability and Purpose of BAA.
    1. Company and Customer agree that it may become necessary for Company to receive, create, maintain, transfer, use or disclose PHI or ePHI in order to provide the products and services agreed to be provided under the Agreement. This BAA is entered into on the date last signed below, but shall be effective only upon the application of HIPAA to the products, services or both being provided by Company to Customer.
    2. This BAA shall apply only to (a) the receipt, creation, maintenance or transfer of PHI or ePHI to Company by or on behalf of Customer; and (b) any other time or circumstances under which HIPAA applies.
    3. The purpose of this BAA is to set out the rights and responsibilities of Company and Customer under HIPAA.
  3. Definitions.
    1. “Affiliates” means, with respect to a party, any other party that directly or indirectly controls, is controlled by or is under common control with that party, including any level of parent, any level of affiliate or any level of subsidiary of such party. “Control” (including “controlled by” and “under common control”) means ownership of or the right to acquire, directly or indirectly, ownership of at least 50% by vote or value.
    2. “Business Associate” shall have the meaning provided at 45 C.F.R. 160.103, and in reference to this BAA, shall mean Company.
    3. “Covered Entity” shall have the meaning provided at 45 C.F.R. 160.103, and in reference to this BAA, shall mean Customer.
    4. “ePHI” means Electronic Protected Health Information, which shall have the meaning provided at 45 C.F.R. 160.103.
    5. “HIPAA” means the Health Insurance Portability and Accountability Act of 1996 and the authority promulgated thereunder, as may be amended.
    6. “HIPAA Rules” shall mean the Privacy, Security, Breach Notification, and Enforcement Rules at 45 C.F.R. Part 160 and Part 164.
    7. “PHI” means Protected Health Information, which shall have the meaning provided at 45 C.F.R. 160.103.
    8. Unless otherwise provided herein, all capitalized terms in this BAA will have the meanings ascribed to them in HIPAA.
  4. Compliance with HIPAA. To comply with HIPAA, Company and Customer agree as follows:
    1. That any information received by Company that is PHI or ePHI shall be kept and used only as set forth in this BAA.
    2. As a Business Associate, Company agrees:
      1. To not use or disclose PHI other than as permitted or required by this BAA, the Agreement or as Required by Law.
      2. To only use or disclose PHI as necessary to perform the services set forth in the Agreement.
      3. To make uses, disclosures and requests for PHI consistent with Customer’s minimum necessary policies and procedures, which Customer shall provide. If Customer does not provide minimum necessary policies and procedures, Company will follow its own minimum necessary policies and procedures.
      4. To not use or disclose PHI, ePHI or both in a manner that would violate Subpart E of 45 C.F.R. Part 164 if done by Company.
      5. To use appropriate safeguards to comply with Subpart C of 45 C.F.R. Part 164 with respect to ePHI and to prevent use or disclosure of PHI other than as provided in the Agreement or the BAA.
      6. To implement administrative, physical, and technical safeguards (including written policies and procedures) that reasonably and appropriately protect the confidentiality, integrity, and availability of ePHI that Customer creates, receives, maintains, or transmits on behalf of Company as required by the HIPAA Rules.
      7. To mitigate, to the extent it is practical, any harmful effect that is known to Company of a use or disclosure of PHI by Company in violation of the requirements of this BAA and HIPAA.
      8. To report to Customer any use or disclosure of PHI not provided for by the Agreement, or this BAA, of which Company becomes aware, including breaches of unsecured PHI as required at 45 C.F.R. 164.410, and any security incident of which it becomes aware.
      9. To, in accordance with 45 C.F.R. 164.502(e)(1)(ii) and 164.308(b)(2), ensure that any subcontractors that create, receive, maintain, or transmit PHI or ePHI on behalf of Company agree to the same restrictions, conditions, and requirements that apply to Company with respect to PHI and ePHI.
      10. To make PHI maintained in a Designated Record Set available to Customer, the Individual or the Individual’s designee as necessary to satisfy Customer’s obligations under 45 C.F.R. 164.524.
      11. To make any amendments to PHI maintained in a Designated Record Set as directed or agreed to by Customer pursuant to 45 C.F.R. 164.526, or take other measures as necessary to satisfy Company’s obligations under 45 C.F.R. 164.526.
      12. To make internal practices, books and records, including policies and procedures relating to the use and disclosure of PHI received from, or created or received by Company on behalf of Customer, available to the Secretary, in a time and manner designated by the Secretary or the HIPAA Rules, for purposes of determining compliance with the HIPAA Rules.
      13. To maintain and make available the information required to provide an accounting of disclosures to Customer or the Individual as necessary to satisfy Customer’s obligations under 45 C.F.R. 164.528.
      14. To receive no remuneration, directly or indirectly, for the exchange of PHI except for services performed under this BAA or the Agreement.
      15. To the extent Company carries out one or more of Customer’s obligations under Subpart E of 45 C.F.R. Part 164, to comply with the requirements of Subpart E that apply to Customer in the performance of such obligations.
      16. Company shall report to Customer any use or disclosure of PHI and ePHI, any Security Incidents or both, of which Company becomes aware that is not provided for by this BAA.
        1. Company shall provide a report as soon as administratively feasible, but in no event later than the time prescribed in HIPAA for the type of use or disclosure or the Security Incident. Notwithstanding the foregoing, the parties acknowledge that Company is likely to experience security incidents that do not result in unauthorized access, use, or disclosure of PHI. The parties agree that this paragraph constitutes notice to Customer of any such unsuccessful security incident. By way of example, unsuccessful security incidents covered by this paragraph include firewall pings and port scans of Company.
        2. In the event of a Breach, Company shall provide the information required by HIPAA to Customer as soon as administratively possible, but in no event later than 15 business days, or a mutually agreed timeframe, including:
          1. A brief description of what happened, including the date of the Breach and the date of the discovery of the Breach;
          2. A description of the type of unsecured PHI or unsecured ePHI that was involved in the Breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other type of information were involved);
          3. Any steps Individuals (or an Individual’s Personal Representative, as used in 45 C.F.R. 164.502(g)) should take to protect themselves from potential harm resulting from the Breach;
          4. A brief description of what Company is doing to investigate the Breach, to mitigate harm to Individuals, and to protect against any further Breaches; and
          5. Contact procedures for Individuals to ask questions or learn additional information regarding the Breach, which shall include a toll-free telephone number, an e-mail address, website, or postal address.
    3. Customer agrees:
      1. To notify and provide Company with any privacy practices or restrictions required by applicable law or regulation that would be relevant to the Agreement. If Company determines any practices or restrictions required by applicable law or regulation cannot or will not be followed by Company, then Company may terminate the Agreement immediately.
      2. To notify Company of any changes in, or revocation of, permission by Individuals to use or disclose PHI and ePHI.
      3. To notify Company of any restrictions on the use or disclosure of PHI and ePHI that Customer or an Individual has agreed to.
      4. That Company may de-identify PHI in accordance with the HIPAA Rules and may use or disclose such de-identified data unless prohibited by applicable law.
      5. Not to require or request Company to use or disclose PHI and ePHI in any manner that would not be permissible under HIPAA, or the Agreement, including this BAA, if done by Customer.
  5. Amendment and Termination.
    1. Company and Customer agree to take such action as is necessary to further amend this BAA as is necessary for Company and Customer to comply with the requirements of HIPAA.
      1. When HIPAA necessitates amendment of this BAA, Company may unilaterally amend this BAA to ensure ongoing compliance by preparing and executing an amendment and providing Customer with notice. If Customer does not provide written notice requesting negotiation of the amendment within 30 days of receipt of the notice, or a mutually agreed timeframe, the amendment is effective on the date indicated in the amendment. If Customer provides timely written notice of a request to negotiate, Company and Customer shall negotiate in good faith and with the intent of timely and completely complying with HIPAA.
      2. Amendments to this BAA, other than those required to comply with HIPAA, shall be in writing and executed by Company and Customer.
    2. This BAA shall terminate on the earlier of the date Customer terminates for cause as authorized by Section 5.3 or the date all PHI and ePHI has been returned or destroyed.
    3. Company authorizes Customer to terminate this BAA and any agreement for which having a Business Associate Agreement is deemed necessary by Company if Customer determines Company has violated a material term of this BAA and Company has not cured the breach or ended the violation within the reasonable time specified by Customer.
    4. Upon termination of this BAA for any reason, Company (including Company’s agents and subcontractors), shall, with respect to PHI and ePHI received from Customer, or created, maintained, or received by Company on behalf of Customer:
      1. Retain only that PHI or ePHI which is necessary for Company to carry out its legal responsibilities;
      2. Return to Customer (or, if agreed to by Customer in writing, destroy) the remaining PHI or ePHI that Company still maintains in any form;
      3. Continue to use appropriate safeguards and comply with Subpart C of 45 C.F.R. Part 164 with respect to ePHI to prevent use or disclosure of the PHI, other than as provided for in this Section 5.4, for as long as Company retains the PHI, ePHI or both;
      4. Not use or disclose the PHI or ePHI retained by Company other than for the purposes for which such PHI or ePHI was retained, and subject to the same conditions set forth in this BAA which applied prior to termination; and
      5. Return to Customer (or, if agreed to by Customer in writing, destroy) the PHI or ePHI retained by Company when it is no longer needed by Customer to carry out its legal responsibilities.
    5. The obligations of Business Associate under this Section 5 shall survive the termination of this BAA.
  6. General.
    1. Company is not the owner or licensor of any of the PHI or ePHI to which this BAA applies.
    2. This BAA incorporates the Agreement by reference, and the terms of the Agreement shall apply to this BAA to the extent not inconsistent with language in this BAA. In the event of an inconsistency between this BAA and the Agreement or any other agreement, arrangement, document or understanding between Company and Customer, this BAA shall control. FOR PURPOSES OF CLARITY, NEITHER PARTY SHALL BE LIABLE TO THE OTHER FOR CONSEQUENTIAL, INCIDENTAL, PUNITIVE, SPECIAL, EXEMPLARY OR INDIRECT DAMAGES, OR LOST PROFITS IN CONNECTION WITH CLAIMS MADE BY ANY PARTY, REGARDLESS OF THE FORM OF ACTION, WHETHER IN CONTRACT OR TORT.
    3. Any ambiguity in this BAA shall be resolved in favor of a meaning that permits Company and Customer to comply with HIPAA.
    4. This BAA may be executed in any one or more counterparts, each of which shall be deemed an original, and all of which shall constitute the entire binding agreement. Any signature delivered by electronic mail or facsimile will be treated for all purposes as an original.

IN WITNESS WHEREOF, the parties have executed and delivered this BAA as of the date of Customer acceptance of the terms and conditions to which this BAA is attached. Customer’s acceptance of such terms and conditions is deemed to be effective execution of this BAA.