1. Definitions
Capitalized terms used but not otherwise defined in this Business Associate Agreement (the “BAA”) carry the meanings given in the HIPAA Rules, including 45 C.F.R. Parts 160 and 164. The terms “Breach”, “Covered Entity”, “Business Associate”, “Designated Record Set”, “Electronic Protected Health Information” (“ePHI”), “Individual”, “Protected Health Information” (“PHI”), and “Security Incident” have the meanings ascribed in the HIPAA Rules.
For purposes of this BAA, [FIRM] is the “Covered Entity” and Interline, Inc. is the “Business Associate.”
2. Scope
This BAA applies to PHI that Business Associate creates, receives, maintains, or transmits for or on behalf of Covered Entity in the course of providing the Service under the Agreement, beginning [EFFECTIVE_DATE]. PHI is the only category of Customer Data that triggers HIPAA obligations under this BAA; non-PHI Customer Data continues to be governed by the Master Subscription Agreement and the Data Processing Addendum.
3. Permitted uses and disclosures of PHI
Business Associate may use or disclose PHI only:
- To perform the functions, activities, or services for, or on behalf of, Covered Entity as set forth in the Agreement.
- For the proper management and administration of Business Associate, provided that the disclosure is required by law or that Business Associate obtains reasonable assurances from the recipient that the PHI will be held confidentially and used only as required by law and that the recipient will notify Business Associate of any breach.
- To carry out its legal responsibilities.
- For data aggregation services relating to the health care operations of Covered Entity, but only when expressly authorized by Covered Entity in writing.
Business Associate will not use or further disclose PHI in any manner that would violate the HIPAA Rules if done by Covered Entity, except for the purposes permitted above.
4. Safeguards
Business Associate will use appropriate administrative, physical, and technical safeguards, and comply with Subpart C of 45 C.F.R. Part 164 with respect to ePHI, to prevent use or disclosure of PHI other than as provided for by this BAA. Specific safeguards in effect during the term include:
- Encryption of ePHI at rest using AES-256 or equivalent and in transit using TLS 1.2 or higher.
- Field-level encryption for designated PHI columns, keyed through a per-tenant key envelope.
- Tenant isolation enforced at the database row level through a non-nullable tenant identifier and a session-scoped tenant filter.
- Append-only audit logging covering authentication, record access, and record modification, with hash chaining for integrity verification.
- Multi-factor authentication required on all personnel accounts that can access production systems.
- Access reviews on at least an annual cadence and prompt revocation on personnel changes.
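The hash-chained, append-only audit log named in the fourth safeguard above, shown as an added illustration of the integrity-verification mechanism rather than Interline's own implementation (which this BAA does not describe). Event names, actor identifiers, tenant identifiers and record identifiers are constructed sample values; the all-zero genesis hash is an assumption of this example.

```python
import hashlib
import json
from dataclasses import dataclass, replace
from typing import List, Optional

# Constructed sentinel: the first entry chains to a fixed all-zero predecessor hash.
GENESIS_HASH = "0" * 64


@dataclass(frozen=True)
class AuditEntry:
    seq: int          # position in the log; verification checks it is contiguous
    event: str        # "auth.login", "record.read", "record.update" (constructed names)
    actor: str        # personnel or service account that performed the action
    tenant_id: str    # tenant whose data was touched
    resource: str     # opaque record identifier; the audit record never carries PHI itself
    prev_hash: str    # entry_hash of the preceding entry (GENESIS_HASH for seq 0)
    entry_hash: str   # SHA-256 over the canonical encoding of the fields above


def _canonical(seq: int, event: str, actor: str, tenant_id: str,
               resource: str, prev_hash: str) -> bytes:
    """Canonical JSON (sorted keys, fixed separators) so every verifier recomputes the same bytes."""
    payload = {"seq": seq, "event": event, "actor": actor,
               "tenant_id": tenant_id, "resource": resource, "prev_hash": prev_hash}
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode("utf-8")


def _digest(seq: int, event: str, actor: str, tenant_id: str,
            resource: str, prev_hash: str) -> str:
    return hashlib.sha256(_canonical(seq, event, actor, tenant_id, resource, prev_hash)).hexdigest()


class AuditLog:
    """Append-only, hash-chained audit log; entries are immutable once appended."""

    def __init__(self) -> None:
        self._entries: List[AuditEntry] = []

    def append(self, event: str, actor: str, tenant_id: str, resource: str) -> AuditEntry:
        seq = len(self._entries)
        prev_hash = self._entries[-1].entry_hash if self._entries else GENESIS_HASH
        entry = AuditEntry(seq, event, actor, tenant_id, resource, prev_hash,
                           _digest(seq, event, actor, tenant_id, resource, prev_hash))
        self._entries.append(entry)
        return entry

    def entries(self) -> List[AuditEntry]:
        return list(self._entries)  # a copy, so callers cannot mutate the log through it


def verify_chain(entries: List[AuditEntry]) -> Optional[int]:
    """Return None if the chain is intact, else the seq of the first entry that fails.

    For every entry this checks a contiguous seq, that prev_hash equals the
    predecessor's entry_hash, and that entry_hash equals the recomputed digest of
    the entry's own fields. An edited, deleted or reordered entry breaks one of
    these checks at or immediately after the point of tampering.
    """
    expected_prev = GENESIS_HASH
    for i, e in enumerate(entries):
        if e.seq != i or e.prev_hash != expected_prev:
            return i
        if e.entry_hash != _digest(e.seq, e.event, e.actor, e.tenant_id, e.resource, e.prev_hash):
            return i
        expected_prev = e.entry_hash
    return None


def build_sample_log() -> AuditLog:
    """Constructed sample events covering the three categories the BAA names."""
    log = AuditLog()
    log.append("auth.login", "clinician-17", "tenant-a", "-")
    log.append("record.read", "clinician-17", "tenant-a", "rec-0042")
    log.append("record.update", "clinician-17", "tenant-a", "rec-0042")
    log.append("auth.login", "analyst-03", "tenant-b", "-")
    return log


def tamper_demo() -> tuple:
    """Show which storage-level modifications the chain detects and which it cannot."""
    log = build_sample_log()
    intact = verify_chain(log.entries())                      # None: untouched log verifies
    edited = log.entries()
    edited[1] = replace(edited[1], actor="someone-else")      # actor rewritten, hash left alone
    edited_result = verify_chain(edited)                      # 1: digest mismatch at entry 1
    rehashed = log.entries()
    e = replace(rehashed[1], actor="someone-else")
    rehashed[1] = replace(e, entry_hash=_digest(e.seq, e.event, e.actor, e.tenant_id,
                                                e.resource, e.prev_hash))
    rehashed_result = verify_chain(rehashed)                  # 2: entry 2's prev_hash no longer links
    truncated_result = verify_chain(log.entries()[:-1])       # None: tail removal is not detected
    return intact, edited_result, rehashed_result, truncated_result
```

The chain ties each record to everything before it, so editing, deleting or reordering an earlier entry is detected by `verify_chain` without any secret key. What a bare hash chain cannot detect is removal of the most recent entries, which is why the head hash should additionally be anchored outside the log's own storage (periodically exported to a separately administered store or signed). The chain provides integrity only; it contributes nothing to confidentiality, which is why the audit record carries an opaque record identifier and not the PHI it refers to.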
5. Reporting
Business Associate will report to Covered Entity:
- Any use or disclosure of PHI not provided for by this BAA, of which Business Associate becomes aware, without unreasonable delay and in any event within ten (10) business days.
- Any Security Incident of which Business Associate becomes aware. The parties agree that trivial attempts, whether successful or unsuccessful (such as unsuccessful authentication attempts and routine port scans), are reported only in aggregate and on request, and are not subject to the individualized notice obligation in this paragraph.
- Any Breach of Unsecured PHI as required by 45 C.F.R. § 164.410, without unreasonable delay and in any event within sixty (60) days of discovery, including the information described in 45 C.F.R. § 164.410(c).
6. Subcontractors
In accordance with 45 C.F.R. §§ 164.502(e)(1)(ii) and 164.308(b)(2), Business Associate will ensure that any subcontractor that creates, receives, maintains, or transmits PHI on behalf of Business Associate agrees in writing to the same restrictions, conditions, and requirements that apply to Business Associate with respect to such PHI. The current list of subcontractors with potential access to PHI is published at /legal/subprocessors.
7. Access, amendment, and accounting
Business Associate will, within fifteen (15) business days of a written request from Covered Entity, make PHI in a Designated Record Set available to Covered Entity (or, at Covered Entity's direction, to an Individual) as necessary to satisfy Covered Entity's obligations under 45 C.F.R. § 164.524.
Business Associate will, within thirty (30) days of a written request from Covered Entity, make any amendment to PHI in a Designated Record Set that Covered Entity directs or agrees to, in accordance with 45 C.F.R. § 164.526.
Business Associate will document and make available to Covered Entity, within sixty (60) days of a written request, the information necessary to provide an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528.
8. Internal practices, books, and records
Business Associate will make its internal practices, books, and records relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of, Covered Entity available to the Secretary of the U.S. Department of Health and Human Services for purposes of determining Covered Entity's compliance with the HIPAA Rules.
9. Term and termination
This BAA takes effect on [EFFECTIVE_DATE] and remains in force for as long as Business Associate maintains PHI on behalf of Covered Entity. Either party may terminate this BAA on written notice to the other if the other party has materially breached an obligation hereunder and has failed to cure the breach within thirty (30) days of written notice describing the breach. If cure is not feasible, the non-breaching party may terminate immediately and, where required by 45 C.F.R. § 164.504(e)(1)(ii), report the breach to the Secretary.
10. Return or destruction of PHI
On termination of this BAA, Business Associate will, where feasible, return or destroy all PHI received from, or created or received by Business Associate on behalf of, Covered Entity that Business Associate still maintains in any form, and will retain no copies of such PHI. Where return or destruction is not feasible, Business Associate will extend the protections of this BAA to the PHI for so long as Business Associate maintains it and limit further use or disclosure to those purposes that make the return or destruction infeasible. PHI residing in routine backups is treated as infeasible to immediately destroy and is governed by the standard backup rotation, which ages out within twelve (12) months.
11. Minimum necessary
Business Associate will, when using or disclosing PHI or when requesting PHI from Covered Entity, make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request, consistent with 45 C.F.R. § 164.502(b) and § 164.514(d) and HHS guidance.
12. General
A reference in this BAA to a section in the HIPAA Rules means the section as in effect or as amended. The parties agree to take such action as is necessary to amend this BAA from time to time as is necessary for compliance with changes to the HIPAA Rules. In the event of an inconsistency between this BAA and the underlying Master Subscription Agreement with respect to PHI, this BAA prevails. Any ambiguity in this BAA will be resolved to permit the parties to comply with the HIPAA Rules.