Business Associate Agreement


This Business Associate Agreement (this "BAA") is entered into by and between you (herein “Provider”) and Headlamp (herein “Business Associate”). This BAA becomes effective upon Provider’s registration and initial access to the Services, on the date it is accepted by Provider (through acceptance of Business Associate’s online terms of service), and remains in effect until Provider terminates its use of the Services as provided for in the Agreement and this BAA.


R E C I T A L S:

WHEREAS, Provider and Business Associate have entered into the Agreement under which Business Associate may create, receive, transmit and store information on behalf of Provider and its patients as a subcontractor business associate, that is subject to protection under state or federal law; and

WHEREAS, the information created, received, transmitted, or stored by Business Associate may include Protected Health Information and other Individually Identifiable Health Information; and

WHEREAS, in order to protect the confidentiality, privacy, and security of such information and to comply with applicable law, the parties intend to supplement and amend the terms of the Agreement with the terms of this BAA; and

NOW, THEREFORE, in consideration of the promises and covenants set forth herein, the sufficiency of which is hereby acknowledged, Provider and Business Associate hereby agree as follows:


I. DEFINITIONS 

“Applicable Privacy Law” means, collectively, HIPAA, HITECH, and any other laws and regulations of any applicable jurisdiction, federal, state (e.g., CCPA), or otherwise, that apply to or restrict the use or disclosure of Protected Health Information, personal information, or any other information or data provided or made available to Business Associate in connection with the Agreement, or that otherwise apply to Business Associate’s performance under the Agreement or this BAA.

"Data Aggregation" means, with respect to Protected Health Information received by Business Associate in its capacity as a business associate of Provider, the combining of such Protected Health Information by Business Associate with the Protected Health Information received, transmitted, or stored by Business Associate in its capacity as a business associate of another covered entity, to permit data analyses that relate to the health care operations of the respective covered entities.

"Electronic Protected Health Information" means individually identifiable health information that is transmitted or maintained by electronic media as described in the HIPAA Rules.

“HHS” means the United States Department of Health and Human Services.

“HIPAA” means, collectively, the Health Insurance Portability and Accountability Act of 1996 (Pub. L. No. 104-191), and all regulations, guidance, and standards promulgated thereunder.

“HIPAA Breach” means the acquisition, access, use or disclosure of Protected Health Information in a manner not permitted under 45 C.F.R. Part 164, Subpart E, and which compromises the security or privacy of the Protected Health Information.

“HIPAA Rules” means the Privacy, Security, Breach Notification, and Enforcement Rules at 45 C.F.R. Parts 160, 162 and 164, as amended by the HITECH Act.

“HITECH” means, collectively, the Health Information Technology for Economic and Clinical Health Act that forms Title XIII of Division A and Title IV of Division B of the American Recovery and Reinvestment Act of 2009 (Pub. L. No. 111-5), and all regulations, guidance, and standards promulgated thereunder.

"Individual" means the person who is the subject of the Protected Health Information; the term has the same meaning as the term "individual" as defined by the HIPAA Rules and shall include a personal representative in accordance with 45 C.F.R. § 164.502(g).

"Individually Identifiable Health Information" means information that (a) is a subset of health information, including demographic information collected from an Individual; (b) is created or received by a health care provider, health plan, employer, or health care clearinghouse; and (c) relates to the past, present, or future physical or mental health or condition of an Individual; the provision of health care to an Individual; or the past, present or future payment for the provision of health care to an Individual; and (i) identifies the Individual, or (ii) with respect to which there is a reasonable basis to believe the information can be used to identify the Individual.

"Protected Health Information" means Individually Identifiable Health Information that is (a) transmitted by electronic media, (b) maintained in electronic media, or (c) transmitted or maintained in any other form or medium.  "Protected Health Information" does not include Individually Identifiable Health Information (i) in education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. § 1232g; (ii) in records described at 20 U.S.C. § 1232g(a)(4)(B)(iv); (iii) in employment records held by Provider in its role as employer; or (iv) regarding a person who has been deceased for more than 50 years.

“Secretary” means the Secretary of the U.S. Department of Health and Human Services.

“Security Breach” means any unauthorized, improper, or prohibited access to, or acquisition, use, disclosure, loss, or theft of, Protected Health Information that compromises the security, confidentiality, or integrity of any such information or that otherwise gives rise to an obligation under any data or security breach notification law of any applicable jurisdiction to notify the Individuals who are the subject of the information or to whom the information otherwise pertains.  

"Security Incident" means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.


II.  PERMITTED USES AND DISCLOSURES

2.1  General.  The parties agree to adhere to Applicable Privacy Law with respect to any data processed pursuant to the Agreement. Business Associate acknowledges and agrees that all Protected Health Information that is created or received by Provider and disclosed or made available to Business Associate in any form, or that is created or received by Business Associate on Provider’s behalf, shall be subject to this BAA. Business Associate may use and disclose Protected Health Information only as necessary and appropriate for Business Associate to fulfill its obligations under the Agreement and as otherwise permitted by this BAA or required by Applicable Law. To the extent Business Associate is to carry out one or more of Provider’s obligations under Subpart E of 45 C.F.R. Part 164, Business Associate shall comply with the requirements of Subpart E that apply to Provider in the performance of such obligation(s).  All other uses and disclosures of Protected Health Information are prohibited.  Business Associate shall not, and shall ensure that its directors, officers, employees, contractors, and agents do not, use or disclose Protected Health Information in any manner that would constitute a violation of Applicable Law if such use or disclosure were made by Provider. The parties understand and agree that any information collected by Business Associate pursuant to the Services that is not Protected Health Information shall not be subject to this BAA. Except as otherwise permitted herein or required by Applicable Law, Business Associate shall use Protected Health Information (i) solely for Provider’s benefit and only for the purpose of performing the Services described in the Agreement, and (ii) as necessary for the proper management and administration of Business Associate or to carry out its legal responsibilities, provided that such uses are permitted under federal and state law. 
Except as otherwise limited in this BAA, Business Associate may use Protected Health Information to provide Data Aggregation services as permitted by 45 C.F.R. § 164.504(e)(2)(i)(B). Business Associate may de-identify any and all Protected Health Information, provided that the de-identification conforms to the requirements of the HIPAA Rules. The parties acknowledge and agree that de-identified data does not constitute Protected Health Information and is not subject to the terms of the Agreement, this BAA, or the HIPAA Rules.

2.2 Minimum Necessary.  Except as expressly otherwise permitted by this BAA or Applicable Law, when using or disclosing Protected Health Information, or when requesting or receiving Protected Health Information from Provider, Business Associate shall limit the Protected Health Information to, to the extent practicable, the Limited Data Set (as defined in 45 C.F.R. § 164.514(e)) or, if needed, the minimum necessary (as described in 45 C.F.R. § 164.514(d)) required to accomplish the intended purpose of the use, disclosure, or request.  Business Associate shall also comply with any other relevant provisions of Applicable Law regarding the use or disclosure of the minimum necessary Protected Health Information.

2.3  Management and Administration.  To the extent consistent with the other provisions of this BAA and not prohibited by Applicable Law, Business Associate may, if and as necessary: 

(a) Use Protected Health Information received by Business Associate in its performance under the Agreement for the proper management and administration of Business Associate and to fulfill any present or future legal responsibilities of Business Associate; and

(b) Disclose Protected Health Information received by Business Associate in its performance under the Agreement to a third party for the purpose of the proper management and administration of Business Associate, and to fulfill any present or future legal responsibilities of Business Associate, if:  (i) the disclosure is required by Applicable Law; or (ii)(1) Business Associate has obtained from the third party to which the Protected Health Information is disclosed reasonable written assurances that such Protected Health Information shall be held confidentially and used and further disclosed only as required by Applicable Law or for the purpose for which such Protected Health Information was disclosed to such third party; and (2) such third party notifies Business Associate of any instances of which it is aware in which the confidentiality of the Protected Health Information has been breached.

2.4 Other Activities.  Except for the other permitted uses and disclosures of Protected Health Information described in this BAA, Business Associate shall make no other uses or disclosures of Protected Health Information. 


III.  OBLIGATIONS OF BUSINESS ASSOCIATE

3.1 Not Use or Further Disclose Information Unless Permitted.  Business Associate shall not use or further disclose Protected Health Information other than as permitted or required by this BAA or as required by Applicable Law.  

3.2 Additional Limits on Use or Disclosure.  Business Associate shall not use or disclose Protected Health Information provided or made available by Provider other than as expressly permitted by the Agreement between the parties or by this BAA, or as required by applicable law, including Applicable Privacy Law. Business Associate may not use or disclose Protected Health Information in a manner that would violate Subpart E of 45 C.F.R. Part 164 if done by Provider, except for the specific uses and disclosures set forth herein or in the Agreement between the parties.  

3.3 Safeguards Against Misuse of Information.  Business Associate shall use appropriate safeguards to prevent the use or disclosure of Protected Health Information other than as permitted under this BAA.

3.4  Report Disclosures of Protected Health Information.  Business Associate shall report to Provider, in writing, any use or disclosure of Protected Health Information that is not permitted or required by this BAA or Applicable Law of which Business Associate becomes aware, immediately upon becoming aware thereof (but, in any event, within five (5) business days after becoming aware thereof).  

3.5  Mitigation.  Business Associate shall establish policies and procedures for mitigating, and as directed by Provider, mitigate, to the greatest extent practicable, any harmful effects of any unauthorized or improper use or disclosure of Protected Health Information of which Business Associate becomes aware.

3.6 Agents, Subcontractors, and Employees.  Business Associate shall ensure that each agent, including a subcontractor, that transmits or stores Protected Health Information on behalf of Business Associate agrees in writing, prior to any disclosure, to the same restrictions and conditions that apply to Business Associate with respect to such information hereunder.  In addition, Business Associate agrees to take reasonable steps to ensure that its employees’ or agents’ actions or omissions do not cause Business Associate to breach the terms of this BAA. With respect to Amazon Web Services (AWS), the parties agree that the current terms offered by AWS meet the requirements of this Section, and Business Associate will inform Provider of any changes to AWS’ terms or practices that negatively impact Business Associate’s compliance with this BAA.

3.7 Access to Information.

(a) Business Associate shall make Protected Health Information maintained by Business Associate in a designated record set available to Provider, or as directed by Provider, to the Individual identified as being entitled to access and copy that Protected Health Information, within the time frame and in a manner specified by Provider.

(b) If Business Associate uses or maintains Electronic Protected Health Information, Business Associate must provide access to such Protected Health Information in an electronic format if so requested by an Individual if the Protected Health Information is readily producible in such form or format; or if not, in a readable copy form or such other form and format as agreed by the Individual, Provider, and Business Associate.

3.8 Availability of Protected Health Information for Amendment.  Business Associate shall make Protected Health Information maintained by Business Associate in a designated record set available to Provider for the purpose of amendment and incorporating such amendments into Protected Health Information within the time and in such a manner specified by Provider.

3.9  Accounting of Disclosures.  Upon receiving a written request from Provider, Business Associate shall, as directed by, and in the time and manner reasonably designated by, Provider, provide to Provider the information relating to disclosures of Protected Health Information made by Business Associate, as applicable, in order for Provider to provide an applicable Individual with an accounting of disclosures in accordance with 45 C.F.R. § 164.528.  To allow Provider to comply with the requirements of 45 C.F.R. § 164.528, Business Associate shall maintain reasonable written or electronic records of any disclosures of Protected Health Information made by Business Associate (other than disclosures falling within the exceptions set forth in 45 C.F.R. § 164.528) for at least six (6) years after the date of the respective disclosures.  In the event an Individual requests an accounting of disclosures directly from Business Associate, Business Associate shall, within five (5) business days after receipt, forward such request, in writing, to Provider.  

3.10 Availability of Books and Records.  Business Associate shall make its internal practices, books, and records relating to the use and disclosure of Protected Health Information received from or created or received by Business Associate on behalf of, Provider available to the Secretary for purposes of determining compliance with HIPAA, HITECH, and other Applicable Law.

3.11 Appropriate Safeguards. Business Associate will establish and maintain reasonable and appropriate administrative, physical, and technical safeguards, and comply with Subpart C of 45 C.F.R. Part 164 with respect to Electronic Protected Health Information, to prevent use or disclosure of Protected Health Information other than as such use or disclosure is permitted by this BAA.

3.12 Subcontractor Safeguards.  Business Associate shall ensure that any subcontractor that creates, receives, maintains, or transmits Electronic Protected Health Information on behalf of Business Associate agrees in writing, prior to any disclosure, to implement and utilize reasonable and appropriate safeguards to protect all such information, as required by Applicable Law, and shall require that subcontractor to enter into a Business Associate Agreement with Business Associate on terms comparable to the terms set forth in this BAA.

3.13 Report Security Incidents.  Business Associate shall report to Provider any Security Incident within five (5) business days after such Security Incident is discovered by Business Associate.

3.14 Breach Notification.  

(a) Security Systems and Measures.  Business Associate shall implement and maintain, throughout the term of the Agreement, reasonable and appropriate systems and security measures for the detection, prevention, and prompt reporting of HIPAA Breaches and other Security Breaches.  

(b) Notification. Upon discovery by Business Associate of any HIPAA Breach or any other Security Breach or suspected Security Breach, Business Associate shall immediately notify Provider of the occurrence, nature, and extent of such breach.  Such notice shall include: (i) to the extent possible, the identification of each Individual whose information was, or is reasonably believed by Business Associate to have been, accessed, acquired, used, or disclosed during the breach; and (ii) any other available information that Provider is required by Applicable Law to include in a notification to the applicable Individual.  

(c) Other Duties.  After notifying Provider of a HIPAA Breach or other Security Breach, Business Associate shall promptly:  (i) assist and cooperate with Provider (and, as directed by Provider, with law enforcement officials) in any investigation of the breach, regardless of whether such investigation is conducted by Provider, any State Attorney General or State Consumer Affairs Department (or their respective agents), HHS, law enforcement officials, or others; (ii) as directed by Provider, mitigate, to the greatest extent practicable, any harmful effects of the breach; (iii) assist and cooperate with Provider, as directed by Provider, in notifying affected Individuals of the breach; and (iv) confer and discuss with Provider any necessary or appropriate steps to be taken to prevent further breaches, and promptly implement any such steps that are mutually agreed upon by the parties or otherwise reasonably required.  

3.15  State Law Breach Notification.  In addition to the requirements of Section 3.14, Business Associate shall implement reasonable systems for the discovery and prompt reporting of any misuse, disclosure, loss, or theft of Protected Health Information, or any other information provided to Business Associate by Provider that, if misused, disclosed, lost, or stolen, would trigger an obligation under one or more state data breach notification laws to notify the Individuals who are the subject of the information (“State Breach”).  In the event of a State Breach, Business Associate shall:  (a) immediately notify Provider that the State Breach has occurred; (b) cooperate and assist Provider with any investigation into any State Breach or alleged State Breach; (c) comply with Provider’s determinations regarding Provider’s and Business Associate’s obligations to mitigate, to the extent practicable, any potential harm to the Individuals impacted by the State Breach; and (d) assist with the implementation of any decision by the Provider or any state agency or official, including, but not limited to, any State Attorney General or State Consumer Affairs Department, to notify Individuals impacted or potentially impacted by a State Breach.

3.16 Notice of Request for Data.  To the extent permitted by Applicable Law, Business Associate shall notify Provider immediately upon (but, in any event, within five (5) business days after) Business Associate’s receipt of any request or subpoena for Protected Health Information and allow Provider the opportunity to challenge the request or otherwise seek appropriate protective action, cooperating fully with Provider in any such actions except as prohibited by Applicable Law.  

3.17 Policies and Procedures.  Business Associate shall:

(a) Use reasonable efforts to maintain the confidentiality of any user ID, password, or other access control device provided by the Provider to the Business Associate and will not disclose such user ID, password, or other access control device to any third party, except as expressly authorized by the Agreement or by other written instructions provided by Provider to Business Associate;

(b) Not attempt to access any data or systems which are not necessary for the Business Associate’s authorized purposes as set forth in the Agreement or in other written instructions provided by Provider to Business Associate, and shall terminate access to such data or systems whenever Business Associate ceases to have a need to access such data or systems;

(c) Not tamper with, compromise, circumvent, or attempt to circumvent or bypass any security pertaining to Provider’s systems, electronic or otherwise (any of which may be referred to as a “Security Violation”), and, to that end, Business Associate assumes responsibility and liability for any access to data or systems arising out of or resulting in any Security Violation; 

(d) Take reasonable precautions not to allow entry of any virus or any other contaminant codes, commands, or instructions that may be used to access, alter, delete, damage, or disable Provider’s data, systems, or other software or property;

(e) Not install or download any unauthorized software;

(f) Maintain the confidentiality of any data and systems to which Business Associate has access and use such data and systems only as expressly authorized by the Agreement or in other written instructions provided by Provider to Business Associate; and

(g) Notify Provider immediately in the event that Business Associate suspects that its network connection or any data or systems to which Business Associate has access has been compromised, or in the event that Business Associate suspects or knows of a breach of any of the foregoing.

By providing Business Associate access to Provider’s data and systems, Provider does not grant Business Associate any license or right, by implication or otherwise, to use such access for any purpose other than as expressly authorized by the Agreement and this BAA.


IV. TERMINATION OF AGREEMENT WITH BUSINESS ASSOCIATE

4.1  Term.  This BAA shall become effective upon Provider’s registration and initial access to the Services and is effective until Provider terminates Provider’s use of the Services as provided herein.

4.2 Termination.  If Provider has breached a material term of this BAA, Business Associate shall promptly provide written notice to Provider describing the breach.  Business Associate shall reasonably cooperate with Provider with respect to curing such breach or otherwise finding a mutually satisfactory resolution to the matter.  If, in such case, the parties cannot cure the breach or otherwise agree upon a mutually satisfactory resolution to the matter within a period of ten (10) days after receipt of such notice, Business Associate shall have the right to, after notifying Provider thereof, report the breach to the Secretary, notwithstanding any other provision of this BAA or the Agreement to the contrary, and may terminate this BAA and the Agreement, or any portion thereof, upon providing written notice thereof to Provider. Either party may terminate this BAA on thirty (30) days’ written notice, for any or no reason, in the event the Agreement is terminated.

4.3  Effects of Termination.  Upon termination or expiration of the Agreement, Business Associate shall, to the extent feasible, promptly return to Provider or destroy all Protected Health Information received from, or created or received by Business Associate on behalf of, Provider that Business Associate still maintains in any form, retaining no copies thereof.  To the extent that such return or destruction is infeasible, Business Associate shall promptly notify Provider thereof in writing, including in such notification: (i) a statement that Business Associate has determined that it is infeasible to return or destroy certain Protected Health Information; and (ii) the specific reasons for such determination.  The protections of this BAA with respect to Protected Health Information shall be extended, and shall continue to apply, to any Protected Health Information retained by Business Associate (or its subcontractors) for so long as it is retained, and Business Associate shall limit any further uses and disclosures of such Protected Health Information to the purposes that make the return or destruction thereof infeasible.


V. LIMITATION ON LIABILITY

Business Associate will not be liable to Provider in connection with this BAA for any incidental, special, or consequential damages, even if foreseeable.



Copyright © 2024 Headlamp Health, Inc.
