BUSINESS ASSOCIATE AGREEMENT ("BAA")

Pursuant to the terms and conditions specified in Exhibit B of the Agreement (as defined in Section 1.1 below) between EMC (as defined in the Agreement) and Subcontractor (as defined in the Agreement), this Business Associate Agreement is hereby incorporated by reference into the Agreement.

1. Definitions

1.1. "Agreement" means the Master Subcontract Agreement or Subcontractor Services Agreement, as applicable, between EMC and Subcontractor to which the BAA relates.

1.2. "Business Associate" means Subcontractor as defined in the Agreement, to the extent Subcontractor is a Business Associate subject to the HIPAA Standards in connection with its performance under the Agreement with EMC.

1.3. "HIPAA" means the Health Insurance Portability and Accountability Act of 1996, as amended by the American Recovery and Investment Act of 2009.

1.4. "HIPAA Standards" means, collectively, HIPAA and its implementing regulations codified at 45 C.F.R. Parts 160, 162, and 164, as such regulations may be amended from time to time and to the extent such regulations (i) are in effect and are being enforced by the Department of Health and Human Services, and (ii) are applicable to the performance of the parties' respective functions, activities, services, or obligations under the Agreement.

1.5. "Protected Health Information" or "PHI" has the meaning set forth in the HIPAA Standards, but is limited to the PHI created, received, maintained, or transmitted by Business Associate from or on behalf of EMC.

All capitalized terms used but not defined in this BAA or the Agreement shall have the meaning set forth in the HIPAA Standards.

2. Permitted Uses and Disclosures by Business Associate

a) Except as otherwise limited in this Business Associate Agreement or the Agreement, Business Associate may use or disclose PHI to perform functions, activities, or services for, or on behalf of, EMC as specified in the Agreement, provided that such use or disclosure would not violate the HIPAA Standards if done by EMC.

b) Except as otherwise limited in this Business Associate Agreement or the accompanying Agreement, Business Associate may use PHI for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate.

c) Except as otherwise limited in this Business Associate Agreement or the accompanying Agreement, Business Associate may disclose PHI for the performance of the functions, activities, or services described in the Agreement, or for the proper management and administration of Business Associate, provided that such disclosures are Required by Law, or Business Associate ensures by contract that any subcontractor of Business Associate (e.g., an organization that provides data transmission, or a vendor that offers personal health records) to whom it discloses PHI agrees to the same restrictions, conditions, and requirements that apply through this Business Associate Agreement and/or the Agreement to Business Associate with respect to such PHI.

d) Unless requested in writing by EMC, Business Associate may not use PHI to provide Data Aggregation services.

3. Obligations of EMC

a) EMC shall notify Business Associate of any changes of which it becomes aware in, or revocation of, permission by an Individual to use or disclose the Individual's PHI, if such change or revocation affects Business Associate's permitted or required uses and disclosures of PHI under this Business Associate Agreement.

b) EMC shall notify Business Associate of any restriction to the use or disclosure of PHI that EMC or another relevant party has agreed to in accordance with 45 C.F.R. 164.522, if such restriction affects Business Associate's permitted or required uses or disclosures of PHI under this Business Associate Agreement.

c) EMC shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under the HIPAA Standards if done by EMC, except as otherwise provided herein.

d) EMC shall undertake commercially reasonable efforts to assist Business Associate with responding to an investigation or compliance audit by the Secretary, or an action by an attorney general having jurisdiction.

4. Obligations and Activities of Business Associate

a) Business Associate shall not use or further disclose PHI other than as permitted or required by this Business Associate Agreement or as Required by Law. Business Associate shall limit, to the extent practicable, the disclosure of PHI to the limited data set (as defined in 45 C.F.R. 164.514(e)(2)) or the minimum necessary to accomplish the intended purpose of the use or disclosure of the PHI or as required pursuant to the Agreement. Business Associate shall restrict disclosures or communicate confidentially with Individuals as required by the HIPAA Standards and as requested by EMC.

b) Business Associate shall report to EMC (i) any use or disclosure of PHI by Business Associate not provided for by this Business Associate Agreement, or (ii) any Security Incident (as defined in the Agreement) involving PHI in Business Associate's possession or control, of which Business Associate becomes aware. For any Security Incident, Business Associate shall comply with the requirements of the Agreement, including in particular Exhibit B.

c) If Business Associate maintains PHI in a Designated Record Set, Business Associate shall:

(1) provide access to such PHI to EMC in the time and manner designated by EMC;

(2) make any amendment(s) in the time and manner designated by EMC; and

(3) provide access to, or a copy of, such PHI to a requesting Individual as directed by EMC and consistent with Exhibit B of the Agreement. Business Associate shall not charge any fee greater than the lesser of the amount permitted by State law or Business Associate's actual cost of labor for complying with the request.

d) Business Associate shall make internal practices, books, and records relating to its use and disclosure of PHI available to EMC or the Secretary, in a time and manner reasonably designated by EMC or the Secretary, for purposes of the Secretary determining EMC's or Business Associate's compliance with the HIPAA Standards.

e) Business Associate shall document such disclosures of PHI and information related to such disclosures as would be required for EMC under the HIPAA Standards to respond to a request by an Individual for an accounting of disclosures of PHI. Business Associate shall provide to EMC or an Individual, in the time and manner reasonably designated by EMC, an accounting of disclosures required by the HIPAA Standards made by Business Associate.

f) Business Associate shall use appropriate safeguards and comply with the HIPAA Standards (including, without limitation, Subpart C of 45 C.F.R. Part 164) with respect to electronic PHI to prevent use or disclosure of PHI other than as provided for by this Business Associate Agreement. Business Associate agrees to assess potential risks and vulnerabilities to PHI in its possession and to develop, implement, and maintain appropriate administrative, physical, and technical safeguards, consistent with applicable HIPAA Standards (including, without limitation, the "HIPAA Security Rule") and the accompanying Agreement, to protect the confidentiality, availability, and integrity of, and to prevent the unauthorized use or disclosure of, any PHI that Business Associate accesses, receives, creates, maintains, or transmits on behalf of EMC. These measures must be documented and kept current, and must include, at a minimum, those measures that fulfill the requirements outlined in the HIPAA Standards and all guidance issued by the Secretary, as well as the requirements of the accompanying Agreement, to the extent such requirements and guidance are applicable to Business Associate's performance of its functions, activities, services, or obligations under the Agreement.

g) Business Associate shall ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of Business Associate agree to the same restrictions, conditions, and requirements that apply to Business Associate with respect to such PHI.

h) Business Associate recognizes that violation of any HIPAA Standard by Business Associate may subject Business Associate to civil and criminal penalties, including those set forth in 42 U.S.C. 1320d-5 and 1320d-6.

i) Business Associate shall not directly or indirectly receive any remuneration in exchange for any PHI unless approved in advance in writing by EMC in accordance with the HIPAA Standards.

j) Business Associate shall not engage in any Marketing or fundraising that uses or discloses PHI.

k) Business Associate shall undertake commercially reasonable efforts to respond to and assist EMC with responding to an investigation or compliance audit by the Secretary, or an action by an attorney general having jurisdiction.

l) To the extent Business Associate is to carry out EMC's obligations under the HIPAA Standards (including, without limitation, the "HIPAA Privacy Rule"), Business Associate must comply with the requirements of the HIPAA Standards (including, without limitation, the "HIPAA Privacy Rule") that apply to EMC in the performance of such obligations.

5. Term and Termination

a) Term. The Term of this Business Associate Agreement shall be effective as of the Effective Date and shall terminate upon termination of the Agreement; provided, however, that to the extent any PHI is maintained by Business Associate on behalf of EMC, then prior to the Term of this Business Associate Agreement terminating, such PHI must be properly and completely Destroyed (as defined in the Agreement) or returned to EMC, or, if it is infeasible to return or Destroy the PHI, protections must be extended to such PHI in accordance with the termination provisions in this section.

b) Termination for Cause. Upon EMC's knowledge of a material breach of this Business Associate Agreement by Business Associate, EMC shall provide a reasonable opportunity for Business Associate to cure the breach or end the violation -- but in no event less than thirty (30) calendar days from the notification of the breach -- and EMC may terminate this Business Associate Agreement and the Agreement if Business Associate does not cure the breach or end the violation within the time period specified by EMC. EMC may immediately terminate this Business Associate Agreement and the Agreement if Business Associate has breached a material term of this Business Associate Agreement and cure is not possible, as determined by EMC in its reasonable discretion after consultation with Business Associate.

c) Effect of Termination.

(1) Except as provided in subparagraph (2) of this subsection (c), upon termination of the Agreement or this Business Associate Agreement, for any reason, Business Associate shall return or Destroy any PHI maintained by Business Associate on behalf of EMC. This provision shall apply to PHI that is in the possession of subcontractors or agents of Business Associate. Business Associate shall retain no copies of the PHI. Upon EMC's request, Business Associate shall promptly certify in writing to EMC that it has Destroyed or returned, as applicable, all PHI.

(2) In the event that Business Associate determines that returning or Destroying the PHI is infeasible, Business Associate shall (i) provide to EMC notification of the conditions that make return or destruction infeasible, and (ii) extend the protections of this Business Associate Agreement and the Agreement to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such PHI.

6. Miscellaneous

(3) The parties hereto understand and agree that the terms of this Business Associate Agreement are reasonable and necessary to protect the interests of EMC and Business Associate. The parties further agree that EMC would suffer irreparable harm if Business Associate breached this Business Associate Agreement. Thus, in addition to any other rights or remedies, all of which shall be deemed cumulative, EMC shall be entitled to obtain equitable relief (including a restraining order, injunctive relief, specific performance, and any other relief that may be available from any court) to enforce the terms of this Business Associate Agreement.

a) Interpretation. Any ambiguity in this Business Associate Agreement shall be resolved in favor of a meaning that permits EMC to comply with the HIPAA Standards.

b) Application of State Law. Where any applicable provision of State law relates to the privacy or security of health information and is not preempted by HIPAA, as determined by application of the HIPAA Standards, the parties shall comply with the applicable provisions of such State law.

c) No Private Cause of Action. This Business Associate Agreement is not intended to and does not create a private cause of action for or by any individual, other than the parties to this Business Associate Agreement, as a result of any claim arising out of the breach of this Business Associate Agreement, the Agreement, the HIPAA Standards, or any other State or Federal law or regulation.