This Business Associate Agreement (“BAA”) is incorporated by reference through an Order Form into the Terms of Service (“Terms”) between the customer identified in the Order Form (“Customer”) and Insight Health AI, Inc. (“Business Associate” or “Insight Health”). Each of Business Associate and Customer may be referred to herein as a “Party” and together as the “Parties.”
RECITALS
- Customer is a “covered entity” as such terms are defined under HIPAA and as such is required to comply with the requirements thereof regarding the confidentiality and privacy of Protected Health Information.
- In connection with the provision of the Services (as defined in the Terms) to Customer, the parties anticipate that Insight Health may receive Protected Health Information for or on behalf of Customer.
- By providing services pursuant to the Terms and creating and/or receiving Protected Health Information for or on behalf of Customer, Business Associate shall become a business associate of Customer, as such terms are defined under HIPAA, and will therefore have obligations regarding the confidentiality and privacy of Protected Health Information that Business Associate creates for, or receives from or on behalf of, Customer.
- This BAA applies only to the extent Customer is a “covered entity” as those terms are defined by HIPAA.
1. Definitions. For the purposes of this BAA, capitalized terms shall have the meanings ascribed to them below. All capitalized terms used but not otherwise defined herein will have the meaning ascribed to them by HIPAA.
“HIPAA” means, collectively, the administrative simplification provision of the Health Insurance Portability and Accountability Act enacted by the United States Congress, and its implementing regulations (referred to herein as the “HIPAA Rules”), including the Privacy Rule, the Breach Notification Rule, the Security Rule and the Enforcement Rule, as amended from time to time, including by the Health Information Technology for Economic and Clinical Health (HITECH) Act and by the Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act: Other modifications to the HIPAA Rules; Final Rule (commonly referred to as the Omnibus Final Rule).
“Protected Health Information” or “PHI” has the same meaning as the term “protected health information” or “electronic protected health information,” respectively, in 45 CFR § 160.103; provided that, for purposes of this BAA, such term is limited to protected health information that is received and maintained by Insight Health from or on behalf of Customer through the Services.
“Secretary” shall refer to the Secretary of the U.S. Department of Health and Human Services.
“Unsecured PHI” shall mean PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Secretary (e.g., encryption). This definition applies to both hard copy PHI and electronic PHI.
“Unsuccessful Security Incidents” means, without limitation, pings and other broadcast attacks on Insight Health’s firewall, port scans, unsuccessful log-on attempts, denial of service attacks, as long as no such incident results in unauthorized access, acquisition, Use, or Disclosure of PHI.
2. Business Associate’s Obligations.
Use and Disclosure of PHI.
- Business Associate warrants that it, its agents and its subcontractors: (i) shall use or disclose PHI only in connection with fulfilling its duties and obligations under this BAA and the Terms; (ii) shall not use or disclose PHI other than as permitted or required by this BAA and the Terms or required by law; (iii) shall not use or disclose PHI in any manner that violates applicable federal and state laws or would violate such laws if used or disclosed in such manner by Customer; and (iv) shall only use and disclose the minimum necessary PHI for its specific purposes. Customer agrees that Business Associate may rely on Customer’s instructions to determine if uses and disclosures meet this minimum necessary requirement.
- Business Associate may use the information received from Customer if necessary for (i) the proper management and administration of Business Associate; or (ii) to carry out the legal responsibilities of Business Associate.
- Business Associate may disclose PHI for the proper management and administration of Business Associate, provided that (1) disclosures are required by law; or (2) Business Associate obtains reasonable assurances from the person or entity to whom the information is disclosed that it will remain confidential and used or further disclosed only as required by law or for the purpose for which it was disclosed to the person or entity, and the person or entity notifies the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.
- Business Associate is permitted, for Data Aggregation purposes to the extent permitted under HIPAA, to use, disclose, and combine PHI created or received on behalf of Customer by Business Associate pursuant to this BAA with protected health information, as defined by 45 C.F.R. 160.103, received by Business Associate in its capacity as a business associate of other covered entities, to permit data analyses that relate to the Health Care Operations of the respective covered entities and/or Customer.
- Business Associate may de-identify any and all PHI created or received by Business Associate under this BAA. Once PHI has been de-identified pursuant to 45 CFR 164.514(b), such information is no longer Protected Health Information and no longer subject to this BAA.
Safeguards. Business Associate shall employ appropriate administrative, technical and physical safeguards to protect the confidentiality of PHI and to prevent the use or disclosure of PHI in any manner inconsistent with the terms of this BAA or the Terms. Business Associate shall comply, where applicable, with Subpart C of 45 C.F.R. Part 164 with respect to electronic PHI to prevent use or disclosure of such electronic PHI other than as provided for by this BAA or the Terms.
Audits and Records. Business Associate shall, in accordance with HIPAA, make available to the Secretary Business Associate’s internal practices, books and records relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of, Customer for purposes of determining Customer’s compliance with its obligations under HIPAA.
Individuals’ Rights to Their PHI.
To the extent Business Associate maintains PHI in a Designated Record Set, in order to allow Customer to respond to a request by an Individual for access to PHI pursuant to 45 CFR Section 164.524, Business Associate, within ten (10) business days upon receipt of written request by Customer, shall make available to Customer such PHI.
- If any Individual requests access to PHI directly from Business Associate, Business Associate shall forward such request to Customer within five (5) business days.
- Customer will be responsible for making all determinations regarding the grant or denial of an Individual’s request for PHI and Business Associate will make no such determinations. Except as required by law, only Customer will be responsible for releasing PHI to an Individual pursuant to such a request. Any denial of access to PHI determined by Customer pursuant to 45 CFR Section 164.524, and conveyed to Business Associate by Customer, shall be the responsibility of Customer, including resolution or reporting of all appeals and/or complaints arising from denials.
To the extent Business Associate maintains PHI in a Designated Record Set, in order to allow Customer to respond to a request by an Individual for an amendment to PHI, Business Associate shall, within ten (10) business days upon receipt of a written request by Customer, make available to Customer such PHI:
- If any Individual requests amendment of PHI directly from Business Associate, Business Associate shall forward such request to Customer within five (5) business days.
- Customer will be responsible for making all determinations regarding the grant or denial of an Individual’s request for an amendment to PHI and Business Associate will make no such determinations. Any denial of amendment to PHI determined by Customer pursuant to 45 CFR Section 164.526, and conveyed to Business Associate by Customer, shall be the responsibility of Customer, including resolution or reporting of all appeals and/or complaints arising from denials.
- Within ten (10) business days of receipt of a request from Customer to amend an individual’s PHI in the Designated Record Set, Business Associate shall make available PHI for Customer to incorporate any approved amendments, statements of disagreement, and/or rebuttals into its Designated Record Set as required by 45 CFR Section 164.526.
To allow Customer to respond to a request by an Individual for an accounting pursuant to 45 CFR Section 164.528, Business Associate shall, within ten (10) business days of a written request by Customer for an accounting of disclosures of PHI about an Individual, make available to Customer such PHI. Business Associate shall provide Customer with the following information: (1) the date of the disclosure; (2) the name of the entity or person who received the PHI, and if known, the address of such entity or person; (3) a brief description of the PHI disclosed; and (4) a brief statement of the purpose of such disclosure.
- If any Individual requests an accounting of disclosures of PHI directly from Business Associate, Business Associate shall forward such request to Customer within five (5) business days.
- Customer will be responsible for preparing and delivering an accounting to Individual.
- Business Associate shall implement an appropriate record keeping process to enable it to comply with the requirements of this BAA.
Disclosure to Third Parties. Business Associate shall obtain and maintain a written agreement with each subcontractor or agent that has or will have access to PHI, which is received from, or created or received by, Business Associate for or on behalf of Customer, pursuant to which agreement such subcontractor and agent agrees to be bound by the same types of restrictions, terms, and conditions that apply to Business Associate pursuant to the Terms with respect to such PHI.
Reporting Obligations
- Business Associate shall report any Breach to Customer no later than ten (10) business days after discovery by Business Associate. Notice of a Breach shall include, to the extent such information is available: (1) the identification of each individual whose PHI has been, or is reasonably believed to have been, accessed, acquired, or disclosed during the Security Breach; (2) the date of the Breach, if known, and the date of discovery of the Breach; (3) the scope of the Breach; and (4) the Business Associate’s response to the Breach.
- In the event of a use or disclosure of PHI that is improper under this BAA but does not constitute a Breach, Business Associate shall report such use or disclosure to Customer within fifteen (15) business days after the date on which Business Associate becomes aware of such use or disclosure.
- The parties acknowledge that Unsuccessful Security Incidents occur within the normal course of business and the parties stipulate and agree that this paragraph constitutes notice by Business Associate to Customer for such Unsuccessful Security Incidents.
3. Customer Obligations.
Permissible Requests.
- Customer shall not request Business Associate to use or disclose PHI in any manner that would violate applicable federal and state laws if such use or disclosure were made by Customer.
- Customer shall be compliant with all applicable laws and regulations pertaining to PHI Customer sends, or directs to be sent, to Business Associate.
Notifications.
- Customer shall notify Business Associate of any limitation in any applicable notice of privacy practices in accordance with 45 CFR Section 164.520, to the extent that such limitation may affect Business Associate’s use or disclosure of PHI.
- Customer shall notify Business Associate of any changes in, or revocation of, permission by individual to use or disclose PHI, to the extent that such changes may affect Business Associate’s use or disclosure of PHI.
- Customer shall notify Business Associate of any restriction to the use or disclosure of PHI that Customer has agreed to in accordance with 45 CFR Section 164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of PHI.
4. Term and Termination.
Material Breach. Where either Party has knowledge of a material breach by the other Party, the non-breaching Party shall provide the breaching Party with an opportunity to cure. Where said breach is not cured to the reasonable satisfaction of the non-breaching Party within twenty (20) business days of the breaching Party’s receipt of notice from the non-breaching Party of said breach, the non-breaching Party shall, if feasible, terminate this BAA and the portion(s) of the Terms affected by the breach. Where either Party has knowledge of a material breach by the other Party and cure is not possible, the non-breaching Party shall, if feasible, terminate this BAA and the portion(s) of the Terms affected by the breach.
Return or Destruction of PHI. Upon termination of this BAA for any reason, Business Associate shall:
- If feasible as determined by Business Associate, return or destroy all PHI received from, or created or received by Business Associate for or on behalf of Customer that Business Associate or any of its subcontractors and agents still maintain in any form, and Business Associate shall retain no copies of such information; or
- If Business Associate determines that such return or destruction is not feasible, extend the protections of this BAA to such information and limit further uses and disclosures to those purposes that make the return or destruction of the PHI infeasible, in which case Business Associate’s obligations under this Section 4(b) shall survive the termination of this BAA.
5. General.
Amendment. If any of the regulations promulgated under HIPAA are amended or interpreted in a manner that renders this BAA inconsistent therewith, the Parties shall cooperate in good faith to amend this BAA to the extent necessary to comply with such amendments or interpretations.
Interpretation. Any ambiguity in this BAA shall be resolved to permit the Parties to comply with HIPAA.
Indemnification and Limitation of Liability. The Parties agree and acknowledge that the indemnification obligations and limitation of liability provisions contained under the Terms shall apply and govern each Party’s performance under this BAA.
Conflict; Order of Precedence. In the event that any terms of this BAA conflict with any term of the Terms, the terms of this BAA shall govern and control over the conflicting term in the Terms. All other nonconflicting terms of the Terms shall remain valid and enforceable.