Dharma Platform Business Associate Agreement (BAA)

Last Updated: March 12, 2018

This Business Associate Agreement (“BAA”) is incorporated into and made a part of the Dharma Customer Terms of Service between Dharma Platform, Inc. (“Business Associate”) and the person or entity agreeing to these terms (“Covered Entity”) to permit Business Associate to create, receive, maintain, and transmit Protected Health Information (including Electronic Protected Health Information) for or on behalf of Covered Entity, so that Business Associate may render services (“Services”) to Covered Entity under the terms of this Agreement.

1. Definitions.

Capitalized terms used but not otherwise defined in this BAA will have the same meaning as those terms in final regulations relating to privacy and security of individually identifiable health information at 45 CFR parts 160, 162, and 164 implementing the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH), as amended from time to time.

a. “Breach Notification Rule” means the final regulatory provisions set forth at 45 CFR Parts 160 and 164, Subparts A and D.

b. “Compliance Date” means the later of (i) the date that compliance is required under the relevant provision of the HIPAA Rules, and (ii) the date this BAA takes effect between the Parties.

c. “Electronic Protected Health Information or ePHI” means “electronic protected health information” as defined in 45 CFR § 160.103 but limited to the ePHI created, received, maintained, or transmitted by Business Associate for or on behalf of Covered Entity.

d. “HIPAA Rules” means, collectively, the Breach Notification Rule, Privacy Rule, and Security Rule.

e. “Individual” has the same meaning as in the HIPAA Rules, as well as a person who qualifies as a personal representative in accordance with the HIPAA Rules.

f. “Internal Material” means Business Associate’s documented internal practices, books, and records, including policies and procedures relating to the use and disclosure of PHI created, received, maintained, or transmitted by, Business Associate for or on behalf of Covered Entity.

g. “Privacy Rule” means final regulatory provisions set forth at 45 CFR Parts 160 and 164, Subparts A and E.

h. “Protected Health Information or PHI” have the same meaning as “protected health information” in 45 CFR § 160.103, but limited to the information created, received, maintained, or transmitted by Business Associate for or on behalf of Covered Entity.

i. “Security Rule” means final regulatory provisions set forth at 45 CFR Parts 160 and 164, Subparts A and C.

2. Obligations and Activities of Business Associate.

a. Business Associate agrees not to use or disclose PHI other than as necessary to render Services, as permitted or required by this BAA, or as Required by Law.

b. Business Associate agrees to (i) use appropriate safeguards to (x) prevent use or disclosure of PHI other than as provided for by this BAA, and (y) appropriately protect the confidentiality, integrity, and availability of PHI; and (ii) comply, where applicable, with the Security Rule with respect to ePHI.

c. Business Associate agrees to report to Covered Entity any use or disclosure of PHI that is not permitted by this BAA, including but not limited to any successful Security Incident and any Breach of Unsecured PHI. Any such report will be made within 30 calendar days after Business Associate Discovers such use or disclosure unless law enforcement requests a delay in such notice as permitted under 45 CFR § 164.412. Following notice to Covered Entity of any Breach of Unsecured PHI, Business Associate will provide information required by 45 CFR § 164.404(c), if available, that would permit Covered Entity to comply with its notice obligations. Business Associate is under no other obligation to make any report of a Breach of Unsecured PHI, including to any individual, state, federal, or other government agency or attorney general, or the media.

d. Covered Entity and Business Associate acknowledge and agree that unsuccessful Security Incidents include but are not limited to: (i) unsuccessful attempts to penetrate computer networks or services maintained by Business Associate; (ii) immaterial incidents such as “pinging,” or “denial of services” attacks, port scans, unsuccessful log-on attempts; and (iii) any combination of the above, so long as no such incident results in unauthorized access, use or disclosure of PHI. This paragraph hereby constitutes notice to Covered Entity and no further notification is required regarding unsuccessful Security Incidents.

e. Business Associate agrees to ensure that any of its Subcontractors that create, receive, maintain or transmit PHI for or on behalf of Business Associate agree in writing to comply with the Security Rule and substantially similar restrictions and conditions to those that apply through this BAA to Business Associate with respect to such PHI or ePHI.

f. Upon request by the Secretary, Business Associate agrees to make available to the Secretary Business Associate’s Internal Material for use by the Secretary in determining whether Covered Entity or Business Associate is in compliance with the HIPAA Rules.

g. Business Associate agrees to document any disclosures of PHI and to provide to Covered Entity, within 30 calendar days after request, information related to such disclosures as is necessary for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 CFR § 164.528.

h. If Business Associate maintains a Designated Record Set for or on behalf of Covered Entity, Business Associate agrees to provide to Covered Entity, within 15 calendar days after request, all PHI that is part of the Designated Record Set as necessary for Covered Entity to respond to an Individual’s request for access to PHI pursuant to 45 CFR § 164.524. If PHI subject to this paragraph is maintained electronically, Business Associate will provide the PHI in the electronic form and format requested by Covered Entity, if it is readily producible in such form and format; if the PHI is not readily producible by Business Associate in the requested form and format, Business Associate will provide the PHI to Covered Entity in a readable electronic form as agreed by Covered Entity and Business Associate.

i. Within 30 calendar days after receipt of written instructions from Covered Entity, Business Associate agrees to incorporate any amendment to PHI that is part of a Designated Record Set agreed to by Covered Entity pursuant to 45 CFR § 164.526.

j. To the extent that Business Associate has agreed to carry out any of Covered Entity’s obligations under the Privacy Rule in this Agreement, Business Associate will comply with the requirements of the Privacy Rule that would apply to Covered Entity in the performance of such obligations.

3. Permitted Uses and Disclosures by Business Associate.

a. Except as otherwise permitted or limited by this BAA, Business Associate may use or disclose PHI to render Services to or on behalf of Covered Entity, provided that such use or disclosure would not violate the HIPAA Rules if made by Covered Entity.

b. Business Associate may disclose PHI for the proper management and administration of Business Associate or to carry out Business Associate’s legal responsibilities, provided that (i) such disclosures are Required by Law, or (ii) Business Associate obtains reasonable assurances from the recipient of the PHI (x) that the PHI will remain confidential and will be used or further disclosed only as Required by Law or for the purpose for which it was disclosed to the recipient; and (y) that the recipient will notify Business Associate of any instances of which the recipient is aware in which the confidentiality of the PHI has been breached. Any disclosure of PHI by Business Associate under this provision will not create a Subcontractor relationship with the entity to which the disclosure is made and Business Associate will not be required to obtain a business associate agreement with such entity.

c. Business Associate may disclose PHI for any purpose under 45 CFR § 164.512 and to report violations of law to state and federal authorities under 45 CFR § 164.502(j).

d. Business Associate may de-identify PHI in accordance with 45 CFR § 164.514. The parties agree that once de-identified, the information is no longer PHI and is the property of Business Associate.

e. Business Associate may use and disclose PHI to provide Data Aggregation services to Covered Entity.

4. Obligations of Covered Entity.

a. Covered Entity will notify Business Associate of any limitations in the Covered Entity’s Notice of Privac1. y Practices, to the extent such limitations may affect Business Associate’s use or disclosure of PHI.

b. Covered Entity will notify Business Associate of any changes in, or revocation of, permission granted by any Individual to use or disclose PHI, to the extent such changes or revocations may affect Business Associate’s use or disclosure of PHI.

c. Covered Entity will notify Business Associate of any (i) restrictions on the use or disclosure of PHI; or (ii) requests for confidential communications that Covered Entity has agreed to in accordance with 45 CFR § 164.522, to the extent such restrictions may affect Business Associate’s use or disclosure of PHI.

d. All notifications to Business Associate under this Section 4 of this BAA will include such detail as Business Associate reasonably requires in order to honor the limitations, restrictions, or requests for confidential communications.

e. Permissible Requests by Covered Entity. Subject to Section 3 of this BAA, Covered Entity will not request Business Associate to use or disclose PHI in any manner that would not be permissible under the HIPAA Rules if made by Covered Entity.

6. Term and Termination.

a. This BAA will terminate upon termination of the Customer Terms of Service.

b. Termination for Cause: Upon either party’s knowledge of a breach of a material term of this BAA by the other party, the non-breaching party will notify the breaching party of such breach and (i) provide an opportunity for the breaching party to cure the breach and, if the breaching party does not cure the breach within 30 days after the non-breaching party gives notice, terminate this BAA; or (ii) immediately terminate this BAA if the breaching party has breached a material term of this BAA and cure is not possible.

c. Effect of Termination: (i) Upon termination of this BAA for any reason, Business Associate will return all PHI to Covered Entity or destroy all PHI, and (ii) if Business Associate, in its sole discretion, determines that returning or destroying the PHI is infeasible, Business Associate will extend the protections of this BAA to such PHI and limit further uses and disclosures of such PHI to those purposes that make return or destruction infeasible, for so long as Business Associate retains such PHI.

d. If Business Associate determines that it is not reasonably able (i) to comply with any final new or amended provision of the HIPAA Rules, or (ii) to accommodate any restrictions or limitations to which Covered Entity has agreed pursuant to Section 3, Business Associate may terminate this BAA upon notice to Covered Entity.

7. Miscellaneous.

a. A reference in this BAA to a section in the HIPAA Rules means the section as in effect or amended, if such amendment is final and the Compliance Date for such amendment has passed.

b. The rights and obligations of Business Associate under Section 6(c)(ii) of this BAA will survive the termination of this BAA.

c. Nothing in this BAA confers on any person other than Business Associate and Covered Entity any rights, remedies, obligations, or liabilities.

d. If any provision of this BAA is held by a court of competent jurisdiction to be illegal, invalid, or unenforceable, the remaining provisions of this BAA will not be affected.

e. The parties have evidenced their consent to this BAA by entering into the Customer Terms of Service.

f. A waiver by Business Associate or Covered Entity of any requirement of this BAA will not be construed as a continuing waiver, a waiver of any other requirement, or a waiver of any right or remedy otherwise available.

g. Any notice required by this BAA will be provided to the address below, using a national courier service for next business day delivery, fax, or by e-mail. An address for notice may be changed by giving notice as required by this paragraph.