Baudax

Phone: 855-405-9983 | Fax: 844-910-3276

Business Associate Agreement

THIS BUSINESS ASSOCIATE AGREEMENT (this "Agreement") is entered into as of 11/26/2020 (the "Effective Date"), by and between the business submitting information ("Covered Entity") and Copilot Provider Support Services("Business Associate") with an address of 1981 Marcus Avenue, New Hyde Park, NY 11042.

RECITALS WHEREAS, User (or "COVERED ENTITY/CE" for purposes of this Section of this Agreement) may provide health and/or counseling services and maintains certain confidential protected health information ("PHI") and records in written and electronic form concerning its clients; WHEREAS, CoPilot Provider Support Services, Inc. "CPS" (or "BUSINESS ASSOCIATE/BA" for purposes of this Section of this Agreement) provides, Internet-based case management services to health clinicians and has agreed to provide use of the system to CE. WHEREAS, CE and BA are committed to conducting all of their business in compliance with all applicable federal, state and local statutes, regulations, rules and policies, including but not limited to, the Health Insurance Portability and Accountability Act of 1996 privacy rule and regulations enacted under its mandate, including all changes and amendments of HIPAA Privacy and Security Rules caused by the enactment of the Health Information Technology for Economic and Clinical Health Act ("HITECH") as part of the American Recovery and Reinvestment Act of 2009 and relevant rules and regulations (collectively "the HIPAA rules"); WHEREAS, in the course of the performance of the Services, BA, and its shareholders, directors, officers, and employees, sub-contractors, and agents (the "Agents"), will be provided with access to individually identifiable health information, including demographic information, collected from individuals, or otherwise created or received by CE which relates to the past, present or future health or condition of such individuals, the provision of health care to such individuals, or the past, present, or future payment for the provision of health care to an individual, which information identifies such individuals or with respect to which there is a reasonable basis upon which to believe that the information can be used to identify such individuals (collectively, the "Protected Health Information" or "PHI"); WHEREAS, BA may also be provided access to electronic PHI ("EPHI"), as defined in HIPAA, in the course of performing the Services; and WHEREAS, CE is willing to provide BA and its Agents with access to PHI and EPHI such that BA can perform the Services, provided BA executes and complies with this Agreement, as required by the HIPAA Rules: Definitions. Capitalized terms herein shall have the specific meaning assigned within this Agreement or, if no meaning is assigned herein, the meaning set forth in HIPAA. Permitted and Required Uses and Disclosures. BA agrees to use and/or disclose PHI and EPHI received from, or created or received on behalf of, CE only as is necessary for the purpose of adequately rendering the Services for CE, except as herein otherwise permitted. General Privacy and Security Compliance. BA shall maintain and safeguard the privacy, security and confidentiality of all PHI and the confidentiality, availability, and integrity of all EPHI received from, or created or received by BA on behalf of CE, in connection with the provision of the Services, in accordance with the provisions of HIPAA, as amended, and in accordance with all applicable federal, state and local statutes, regulations and policies regarding the confidentiality of health information. Privacy and Security Obligations. As required by HIPAA and/or HITECH, BA will: i.Not use or further disclose PHI or EPHI other than as permitted or required by this Agreement and HIPAA, for performance of the Services; ii.Use appropriate safeguards to prevent the use or disclosure of PHI and EPHI other than as permitted or required by this Agreement and HIPAA for performance of the Services, or as required by law; iii.Use administrative, physical and technical safeguards to reasonably and appropriately protect the confidentiality, integrity and availability of EPHI; iv.Promptly report to CE any use or disclosure of PHI not permitted or required by this Agreement for performance of the Services, or as required by law, or any Security Incident regarding EPHI, as contemplated in HIPAA, of which BA becomes aware; v.Notify CE in the event BA discovers an unauthorized acquisition, access, use or disclosure (collectively "Breach") of Unsecured PHI ("PHI") by any person, including employees and Agents of BA, such notification to include the identity of each individual whose PHI has been or is reasonably believed to have been accessed, acquired or disclosed all other information reasonably requested by the CE and shall be made without unreasonably delay, but in no case later than ten (10) business days after discovery. except where: (i) such Breach was by a workforce member and was unintentional, made in good faith and within the course of employment, and the information was not further acquired, accessed, used or disclosed, or (ii) an inadvertent disclosure was made by an individual otherwise authorized to access PHI at a facility operated by BA to another authorized individual at the same facility and the information was not further acquired, accessed, used or disclosed. vi.Be responsible for demonstrating that such notification to CE was properly made in light of the fact that any Breach is considered "discovered" as of the first day on which such Breach becomes known to BA, including any person (other than the individual committing the breach) that is an employee, officer or agent of BA, or the first day upon which the BA should have known of the Breach; vii.Ensure that any Agents, including subcontractors of BA or of any Agent, if any, to whom BA or CE provides PHI or EPHI received from, or created or received by the BA on behalf of, CE agree in writing to the same restrictions and conditions that apply to BA with respect to such PHI and EPHI; viii.Make available to CE within ten business days after CE's request, PHI and/or EPHI for inspection and copying in accordance with Section 164.524 of HIPAA (45 CFR 164.524) or for electronic transmission as contemplated in HITECH where BA or CE maintains an Electronic Health Record ("EHR"); ix.Make available to CE within ten business days after CE's request, PHI for amendment and incorporate any amendments to PHI, if appropriate, in accordance with Section 164.526 of HIPAA (45 CFR 164.526); x.Make available to CE within ten business days after CE's request information in its possession required to provide an accounting of disclosures to participants in accordance with Section 164.528 of HIPAA (45 CFR 164.528), including accountings of disclosures made through an electronic medical record system as and if applicable in accordance with relevant rules and regulations; xi.Make BA's internal practices, books and records relating to the use and disclosure of PHI received from, or created or received by the BA on behalf of, CE available to the Secretary of Health and Human Services ("HHS") for purposes of determining CE's compliance with HIPAA and advise CE immediately upon receipt of any such request; xii.At termination of this Agreement, extend the protections of this Agreement to the PHI and EPHI which will be retained by BA and limit further uses and disclosures to those purposes authorized by the HIPAA rules and this agreement. xiii. Only disclose PHI and EPHI as minimally necessary to perform its BA obligations. Other Uses and Disclosures. Unless otherwise expressly limited by this Agreement, BA may also: i. Use PHI and EPHI for the proper management and administration of BA or to carry out the legal responsibilities of BA; ii. Disclose PHI and EPHI for the proper management and administration of BA, provided that such disclosures are required by law or that BA obtains reasonable assurances from the person to whom the information is disclosed that the PHI and EPHI will remain confidential and will be used or further disclosed only as required by law or for the purpose for which it was disclosed to that person; and that the person to which it is disclosed will notify the BA of any instances of which it is aware in which the confidentiality of the PHI and EPHI has been breached; and Use PHI and EPHI to provide Data Aggregation services as permitted by 45 CFR 164.504(e)(2)(i)(B). Obligations of CE. i. CE shall notify its PATIENTS and BA of its privacy practices and restrictions as follows: a. Provide BA with a Notice of Privacy Practices that CE produces in accordance with 45 CFR 164.520, and distributes to its patients, as well as any changes to such Notice; b. Provide BA with any changes in or revocation of permission by any individual to use or disclose PHI if such changes may affect BA'S permitted and required uses and disclosures under this Agreement; and c. Notify BA of any restriction on the use or disclosure of PHI that CE may agree to in accordance with Section 164.522 of HIPAA, if such agreement may affect BA'S permitted or required uses and disclosures under this Agreement. d. CE shall not request BA to use or disclose PHI or EPHI in any manner that would not be permissible under HIPAA if done by CE. e. CE shall be solely responsible for making any decisions regarding, and for all administrative actions concerning, the exercise of any individual's rights, under Sections 164.524 through 164.528 of the HIPAA rules. De-Identification. Notwithstanding anything herein to the contrary, BA may store, analyze, access and use components of PHI and EPHI that have been "De-identified" as defined by the HIPAA rules, and that do not contain individually identifiable health information, provided that any such use is then consistent with applicable law. Breach of Agreement; Termination. i. In the event that either party becomes aware of an act or omission of the other party that constitutes a material breach or violation of the parties' obligations under this Agreement, which breach is not cured within fifteen (15) days after notice is provided to the breaching party, this Agreement may be terminated by the non-breaching party for cause. Further, if in the non-breaching party's discretion, more than one breach occurs which constitutes a pattern or practice of conduct or breach of the Agreement by the breaching party, the non-breaching party may terminate this Agreement immediately without prior notice or cure period. ii. If, upon breach of this Agreement by either party, it is not feasible, in the opinion of the non-breaching party to terminate this Agreement, the non-breaching party shall notify HHS of such situation. Re-Negotiation. The parties agree to negotiate in good faith any modification to this Agreement that may be necessary or required to ensure consistency with amendments to and changes in applicable federal and state laws and regulations, including but not limited to, regulations promulgated pursuant to HIPAA. Breach Notification. In complying with the obligations set forth above: i. BA shall use appropriate reasonable, technical and physical safeguards, and, as of September 23, 2013, comply, where applicable, with the HIPAA Security Rule with respect to Electronic Protected Health Information (EPHI), to prevent use or disclosure of the EPHI and PHI. ii. BA will mitigate any harmful effect of a use or disclosure of Protected Health Information by BA in violation of the requirements of this Agreement. iii. BA will promptly report to CE: (i) any use or disclosure of Protected Health Information not provided for by this Agreement of which it becomes aware in accordance with 45 CFR §164.504(e)(2)(ii)(C); and/or (ii) any Security Incident of which BA becomes aware in accordance with 45 CFR § 164.314(a)(2)(i)(C). BA will notify the CE within ten (10) business days after BA's Discovery of any incident that involves an unauthorized acquisition, access, use, or disclosure of Protected Health Information. BA agrees that such notification will meet the requirements of the HIPAA Breach Notification Rule set forth in 45 CFR §164.410. BA will provide to the CE the names and contact information of all individuals whose Protected Health Information was or is believed to have been involved, all other information reasonably requested by the CE to enable the CE to perform and document a risk assessment in accordance with the HIPAA Breach Notification Rule with respect to the incident to determine whether a Breach occurred, and all other information reasonably necessary to provide notice to Individuals, the Department of Health and Human Services and/or the media in accordance with the HIPAA Breach Notification Rule. Upon making such disclosure to the CE, BA shall have fulfilled its obligation under this agreement regarding breach notification to any individuals whose PHI or EPHI has, or may have been involved in any breach of the privacy and security provisions of this agreement. iv BA will promptly investigate each Breach and assist CE and their agents in connection with any investigation that CE may desire to conduct with respect to such Breach. BA will take all steps reasonably requested by CE to limit, stop or otherwise remedy any Breach. v. In accordance with 45 CFR 164.502(e)(1)(ii) and 45 CFR 164.308(b)(2), BA will ensure that any subcontractors that create, receive, maintain, or transmit Protected Health Information on behalf of BA, agree to the same restrictions and conditions, in writing, that apply through this Agreement to BA with respect to such Protected Health Information, including but not limited to the extent that subcontractors create, receive, maintain, or transmit Electronic Protected Health Information on behalf of the BA, it will require the subcontractors to comply with the HIPAA Security Rule. This BAA supersedes any and all agreements in place regarding such activity and reporting obligations.

ANJESO is a trademark of Baudax Bio, Inc.
©2020 Baudax Bio, Inc. All rights reserved.

Anjeso