Exhibit A · HIPAA

Business Associate Agreement

Last reviewed by counsel: [08-06-24]

This is a binding legal agreement between you and FxMedSupport. It is incorporated into and governed by the Master Subscription Agreement (MSA). Have your counsel review before signing.

This Business Associate Agreement (“Agreement”) between Client Name (“Covered Entity”) and FxMedSupport (a d/b/a of NutrimentRx, LLC) (“Business Associate”) is made pursuant to and governed by the Master Subscription Agreement by and between the Parties (the “MSA”). All terms not defined herein have the meaning set forth in the MSA.

Contents
  1. Recitals
  2. Definitions
  3. Obligations and Activities of Business Associate
  4. Architecture & Encrypted Patient ID Mapping
  5. Responsibilities of Covered Entity
  6. Termination & Data Disposition
  7. Miscellaneous

§ 1 Recitals

The Parties desire to comply with the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), as amended and supplemented (including by the HITECH Act and its implementing regulations), and the regulations promulgated thereunder (the “HIPAA Rules”) to the extent applicable.

Business Associate provides middleware integration, automation, and development services that connect Covered Entity’s Cerbo electronic health record system with other authorized enterprise applications at Covered Entity’s direction. In the course of these functions, Business Associate may transmit, briefly process, or temporarily access Protected Health Information (“PHI”). The Parties agree that this Agreement applies to safeguard PHI as required by the HIPAA Rules.

§ 2 Definitions

Capitalized terms used, but not otherwise defined, in this Agreement have the same meaning as those terms in the HIPAA Rules.

  1. “Secretary” means the Secretary of the U.S. Department of Health and Human Services or their duly appointed designee.
  2. “Security Incident” has the same meaning as the term defined in the HIPAA Security Rule, but does not include trivial incidents that occur on a daily basis (such as scans, pings, or routine attempts to penetrate computer networks or servers maintained or utilized by Business Associate), provided that none of the foregoing compromise the privacy, integrity, or security of PHI.
  3. “Service Agreement” means the MSA and any present or future agreement(s) between Covered Entity and Business Associate under which Business Associate provides services to Covered Entity that involve the use or disclosure of PHI.
  4. “Encrypted Patient ID” means an encrypted mapping of a patient identifier (as assigned by Cerbo or another upstream system) used by Business Associate solely for the purpose of cross-referencing patient records between Covered Entity’s authorized systems. Encrypted Patient IDs do not contain any medical, demographic, or otherwise descriptive information about the patient.

§ 3 Obligations and Activities of Business Associate

a. Security and Confidentiality

To the extent that Business Associate receives, transmits, or briefly processes PHI in the course of performing services on Covered Entity’s behalf, Business Associate will comply with the HIPAA Rules applicable to a “Business Associate”. Business Associate shall not use or disclose PHI in a manner that would violate the HIPAA Rules and shall maintain the security and confidentiality of PHI in accordance with all applicable laws.

b. Use and Disclosure of PHI

  1. Business Associate shall not use or disclose PHI other than as permitted or required by this Agreement, the MSA, or as otherwise Required by Law.
  2. Business Associate may use and disclose PHI only to the minimum extent necessary to provide the Services or to evaluate or set up provision of the Services.
  3. If Business Associate must provide PHI to any of Business Associate’s agents or subcontractors, Business Associate shall ensure that such agents or subcontractors agree in writing to substantially the same restrictions and conditions that apply through this Agreement.
  4. Business Associate may use PHI to provide data aggregation services to Covered Entity as permitted by the HIPAA Rules. Business Associate may use and disclose properly de-identified data unless prohibited by applicable law.
  5. Business Associate shall not receive any remuneration in exchange for PHI, except as permitted under applicable law. Nothing herein prohibits payment to Business Associate by Covered Entity for the Services.
  6. Business Associate may use and disclose PHI as necessary for the proper management and administration of Business Associate or to carry out its legal responsibilities, except as otherwise limited herein or as Required by Law.

c. Safeguards

Business Associate agrees to use appropriate administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of PHI in accordance with the HIPAA Rules. These safeguards include AWS-hosted infrastructure with HIPAA-eligible services, encryption of patient ID mappings at rest, TLS 1.2+ encryption in transit, role-based access controls, audit logging, automatic session timeout, and incident response procedures.

d. Reporting

If Business Associate becomes aware of any use or disclosure of PHI that is impermissible under this Agreement, or any Security Incident affecting PHI, Business Associate shall notify Covered Entity without unreasonable delay, and in any event no later than required by the HIPAA Rules. Business Associate agrees to mitigate, to the extent practicable, any harmful effect known to Business Associate of such use or disclosure.

e. Access and Amendments to PHI

The Parties acknowledge that Business Associate does not maintain a designated record set on behalf of Covered Entity. Accordingly, Business Associate typically has no obligation to provide an individual with access to, or make amendments to, PHI. However, should Business Associate receive such requests, Business Associate agrees to promptly forward them to Covered Entity to process in accordance with the HIPAA Rules.

f. Documenting and Accounting of Disclosures

Business Associate shall maintain the information necessary to provide an accounting of disclosures made by Business Associate of PHI for the term of this Agreement as required by the HIPAA Rules.

g. Access to Business Associate’s Policies and Records

Business Associate shall make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary, in a time and manner designated by the Secretary, for purposes of determining Covered Entity’s or Business Associate’s compliance with the HIPAA Rules.

§ 4 Architecture & Encrypted Patient ID Mapping

a. Middleware Architecture

The Parties acknowledge that Business Associate operates as middleware between Covered Entity’s Cerbo system and other major enterprise applications authorized by Covered Entity. Business Associate does not maintain a primary store of PHI on its infrastructure. PHI continues to live within Cerbo’s HIPAA-compliant systems where it has always lived. Business Associate’s role is the secure transmission of data between Covered Entity’s authorized systems.

b. Storage of Encrypted Patient IDs

In order to function as middleware and reliably cross-reference patient records across Covered Entity’s authorized systems, Business Associate stores Encrypted Patient IDs on its bifurcated AWS infrastructure. These encrypted identifiers are stored only as needed for active automations or integrations to function. They contain no medical, demographic, financial, or otherwise descriptive information about any patient.

c. Decryption Keys

Decryption keys for Encrypted Patient IDs are held exclusively within Business Associate’s secure key vault. Access to such keys is strictly limited to a minimal number of authorized Business Associate personnel (currently the Founder and Lead Engineer of FxMedSupport). The Parties acknowledge that, even in the unlikely event of an unauthorized disclosure of decryption keys, the resulting decrypted patient identifiers do not, standing alone, constitute PHI under the HIPAA Rules because they contain no medical or otherwise descriptive information about any patient.

HIPAA Safe Harbor. Encrypted data, when properly encrypted in accordance with NIST standards, qualifies for safe harbor under the HIPAA Breach Notification Rule. Business Associate’s encryption of patient ID mappings is implemented to satisfy this standard. The Parties intend that an unauthorized acquisition of encrypted data alone, without compromise of the decryption keys, shall not constitute a reportable Breach under the HIPAA Rules.

d. Express Authorization

Covered Entity hereby expressly authorizes Business Associate to store and use Encrypted Patient IDs as necessary to provide the Services. Such authorization is implicit in Covered Entity’s election to use Business Associate as a middleware layer connecting Cerbo to other systems and is consistent with standard middleware industry practice.

§ 5 Responsibilities of Covered Entity

a. Minimum Disclosure

Covered Entity shall provide to Business Associate the minimum PHI necessary for Business Associate to provide the Services or to evaluate or set up provision of the Services.

b. Special Restrictions on Use and Disclosure

Unless Covered Entity notifies Business Associate of any restrictions or limitations that limit Business Associate’s ability to use or disclose PHI as permitted or required under this Agreement, and Business Associate agrees to honor such restrictions, Covered Entity shall not provide Business Associate with PHI subject to additional restrictions.

c. Safeguards

Covered Entity shall maintain administrative, physical, and technical safeguards to ensure the confidentiality, privacy, and security of PHI in accordance with the standards and requirements of HIPAA and its implementing regulations.

d. Consent

Covered Entity shall obtain any consent or authorization that may be required by applicable federal or state laws and regulations prior to transmitting PHI to Business Associate.

e. Permissible Requests

Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under the HIPAA Rules. Covered Entity shall limit disclosure of PHI to Business Associate to only that PHI which is reasonably required for Business Associate to perform the Services.

f. Authorization of Integrations

Because Business Associate’s role is to facilitate the movement of data between Covered Entity’s systems and third-party services at Covered Entity’s direction, Covered Entity is solely responsible for: (i) selecting which third-party integrations to enable, (ii) reviewing the data-handling and HIPAA compliance posture of each such third party, (iii) executing any required Business Associate Agreements directly with those third parties where applicable, and (iv) maintaining authorization records.

§ 6 Termination & Data Disposition

a. Term

This Agreement is effective as of the date that it is signed by both Parties (or, if not separately signed, the effective date of the MSA), and terminates at the earlier of (i) the termination of all engagements between the Parties under the MSA, or (ii) the date on which all Encrypted Patient IDs and any other PHI in Business Associate’s possession are deleted or returned to Covered Entity.

b. Material Breach

If either Party knows of a pattern of activity or practice of the other Party that constitutes a material breach of this Agreement, the non-breaching Party shall provide written notice specifying the nature of the breach. The breaching Party must cure the breach on or before thirty (30) days after receipt of the written notice. In the absence of a cure reasonably satisfactory to the non-breaching Party, the non-breaching Party may (i) terminate this Agreement, if feasible, or (ii) if termination is infeasible, report the issue to the U.S. Department of Health and Human Services.

c. Data Disposition Upon Termination

Upon termination of this Agreement, Business Associate shall:

  • Delete all Encrypted Patient IDs associated with Covered Entity from Business Associate’s infrastructure within one to two (1–2) business days of the termination effective date, treated as an important task within normal business standards;
  • Disable and remove all integrations, automations, and connections specific to Covered Entity;
  • Retain only a record of Covered Entity’s name and the fact of having been a customer. No PHI, no Encrypted Patient IDs, no integration configurations, and no other operational data shall be retained;
  • Provide Covered Entity with confirmation of completion via email or support ticket response.

In the rare event that Business Associate determines in its reasonable judgment that complete deletion of any specific element is not feasible, Business Associate shall promptly notify Covered Entity, retain such element, and extend the protections of this Agreement to such element until disposition is feasible.

§ 7 Miscellaneous

a. Regulatory References

A reference in this Agreement to a section in HIPAA or other applicable law or regulation means the section in effect on the effective date of this Agreement, together with any subsequent amendments.

b. Change in Applicable Law or Regulation

Upon the enactment of any law or regulation affecting the use or disclosure of PHI, the Parties agree to amend this Agreement as necessary to comply with such law or regulation. Failure to amend this Agreement does not relieve either Party of its obligations to comply with all applicable laws.

c. Interpretation

Any ambiguity in this Agreement should be resolved in favor of a meaning that permits Covered Entity and Business Associate to comply with HIPAA and other applicable law.

d. No Third-Party Beneficiaries

There are no third-party beneficiaries to this Agreement.

e. Relationship of the Parties

The Parties are independent contractors. This Agreement does not create a partnership, franchise, joint venture, agency, fiduciary, or employment relationship between the Parties.

f. Severability

If any provision of this Agreement is held to be unenforceable, the remaining provisions will remain in full force and effect, and the unenforceable provision will be modified to the minimum extent necessary to make it enforceable while preserving compliance with HIPAA.

g. Execution

This Agreement may be executed in counterparts, each of which constitutes an original. Electronic and facsimile signatures are deemed valid for all purposes of this Agreement.

h. Cooperation

Each Party shall cooperate in good faith with the other Party in connection with any requests by a federal or state governmental authority for additional information and documents or any governmental investigation, complaint, action, or other inquiry.

i. Entire Agreement

This Agreement, together with the MSA between the Parties, contains the entire agreement between the Parties with respect to the management of PHI. No provision may be modified, amended, or waived other than by a supplemental writing signed by the Parties.

j. Jury Trial Waiver

Each Party hereby irrevocably waives any and all right to a jury trial for any and all claims arising out of or relating to this Agreement.

k. Governing Law & Dispute Resolution

The law of the State of California shall govern this Agreement, without regard to its conflict-of-laws provisions. Disputes arising under this Agreement shall be resolved by binding arbitration administered by JAMS in San Francisco, California, in accordance with the JAMS Comprehensive Arbitration Rules and Procedures, except that nothing herein limits either Party’s right to seek injunctive or equitable relief in a court of competent jurisdiction.

© 2026 FxMedSupport. All rights reserved.