Business Associate Agreement (BAA)
Intelligent Health Partners Inc – BAA Terms
This Business Associate Agreement (the “Agreement”) governs the relationship between Intelligent Health Partners Inc ("Business Associate" or "IHP") and any health care provider organization or other entity to which IHP provides services in connection with Medicare’s Chronic Care Management program (each, a “Covered Entity”) regarding the privacy and protection of information exchanged pursuant to such services. Each is a “Party” and collectively the “Parties.”
Recitals
- The Parties have entered into a separate services agreement (the “Services Agreement”) in connection with the provision by Covered Entity of certain services, including Chronic Care Management services, to Medicare patients.
- In connection with the Services Agreement, IHP may have access to certain Protected Health Information ("PHI") and may be considered a “business associate” of Covered Entity for purposes of the HIPAA Rules.
- The Parties wish to address the requirements of the HIPAA Rules and ensure that IHP establishes appropriate safeguards, including administrative requirements, with respect to PHI.
NOW, THEREFORE, in consideration of the mutual promises and covenants herein, the Parties agree as follows:
A) Definitions
Capitalized terms used but not defined herein have the meanings set forth in the HIPAA Rules (45 CFR Parts 160 and 164), including: Breach, Data Aggregation, Designated Record Set, Disclosure, Health Care Operations, Individual, Minimum Necessary, Notice of Privacy Practices, Protected Health Information ("PHI"), Required By Law, Secretary, Security Incident, Subcontractor, Unsecured PHI, and Use.
- Business Associate: As defined at 45 CFR 160.103; here, Intelligent Health Partners Inc.
- Covered Entity: As defined at 45 CFR 160.103; the provider entity entering this Agreement with IHP.
- HIPAA Rules: The Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Parts 160 and 164.
B) Purposes for which PHI may be disclosed to Business Associate
In connection with the Services Agreement, Covered Entity may disclose PHI to IHP for the purposes described therein, including the implementation by IHP of a Medicare Chronic Care Management program for certain providers with which Covered Entity has a contractual relationship.
C) Obligations of Covered Entity
- Comply fully with all obligations under the HIPAA Rules.
- Not request IHP to use or disclose PHI in any manner not permissible under Subpart E of 45 CFR Part 164 if done by Covered Entity.
- Provide IHP with its Notice of Privacy Practices and any changes thereto that affect IHP’s permitted or required uses/disclosures.
- Provide IHP with changes in or revocations of authorizations by Individuals relating to PHI to the extent such changes affect IHP’s permitted or required uses/disclosures.
- Notify IHP of any restriction to the use/disclosure of PHI agreed to in accordance with 45 CFR 164.522 to the extent such restriction may affect IHP’s use/disclosure of PHI.
- Notify IHP of any amendment to PHI that affects a Designated Record Set maintained by IHP and provide policies regarding Individual rights (access, amendment, confidential communications, accounting of disclosures) where IHP maintains such sets.
D) Obligations of Business Associate
- Use and Disclosure of PHI: IHP shall not use or disclose PHI except as permitted or required by this Agreement or as Required By Law. IHP may use/disclose PHI for Data Aggregation, and for IHP’s management, administration, and legal responsibilities as permitted. IHP will (a) inform workforce members of confidentiality duties; (b) obtain reasonable assurances from recipients to maintain confidentiality and report breaches; (c) notify Covered Entity of any unauthorized uses/disclosures, Breaches of Unsecured PHI (45 CFR 164.410), and Security Incidents; and (d) comply with Subpart E of 45 CFR Part 164 to the extent IHP performs Covered Entity obligations thereunder.
- Data Aggregation: IHP may use/disclose de-identified patient information for Data Aggregation for permitted Health Care Operations as allowed under the HIPAA Rules.
- De-identified Information: IHP may use/disclose de-identified PHI consistent with 45 CFR 164.502(d) and may use, modify, and disclose such de-identified data for any lawful purpose.
- Safeguards: IHP shall implement appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of electronic PHI it creates, receives, maintains, or transmits on behalf of Covered Entity.
- Minimum Necessary: IHP shall ensure that uses/disclosures are limited to the minimum necessary to accomplish the intended purpose.
- Agents/Subcontractors: If IHP discloses PHI to agents/subcontractors, IHP shall require them to agree to the same restrictions and conditions that apply to IHP under this Agreement (45 CFR 164.502(e)(1)(ii); 164.308(b)(2)).
- Individual Rights (Designated Record Sets): Where IHP maintains a Designated Record Set: (a) permit Individual access/copy per 45 CFR 164.524; (b) make amendments per 45 CFR 164.526 at Covered Entity’s direction; (c) document disclosures and provide information to support an accounting per 45 CFR 164.528.
- Internal Practices; Access: Make internal practices, policies, and procedures relating to PHI available to the Secretary (or other health oversight agency) or Covered Entity to determine compliance, in the time and manner specified.
- Notice of Privacy Practices: Uses/disclosures permitted by this Agreement may be amended by changes to Covered Entity’s Notice; such amendments do not affect prior permitted uses/disclosures relied upon before IHP received notice.
- Withdrawal of Authorization: Where use/disclosure is based on an Individual’s authorization and such authorization is revoked, expired, or defective, IHP shall cease use/disclosure upon notice, except to the extent relied upon or where another HIPAA exception applies.
E) Term and Termination
- Term: Effective upon execution and terminates upon the earlier of (i) termination of the Services Agreement or (ii) termination under this Section E.
- Termination for Cause by Covered Entity: Upon knowledge of IHP’s breach, Covered Entity shall require cure or end of violation within a specified time; failing which, Covered Entity shall terminate this Agreement (and applicable Services Agreement sections) or, if termination is not feasible, report the violation to the Secretary.
- Termination for Cause by Business Associate: Upon knowledge of a Covered Entity pattern of activity/practice in material breach, IHP will seek cure; if not cured, IHP shall terminate or, if not feasible, report to the Secretary.
- Effect of Termination: Upon termination, IHP shall return or destroy all PHI in its or its subcontractors’/agents’ possession, retaining no copies. If infeasible, IHP shall extend protections and limit further use/disclosure to purposes that make return/destruction infeasible; obligation lasts only while IHP retains PHI. De-identified data may be retained and used without restriction.
F) Indemnification
Each Party shall indemnify the other and their affiliates and respective officers, directors, employees, and agents from and against all third-party claims (including losses, fines, penalties, and reasonable attorneys’ fees) arising out of the indemnifying Party’s breach of this Agreement and/or the HIPAA Rules.
G) Miscellaneous
- Survival: Sections E and F survive termination.
- Notices: Notices must be in writing and are effective upon personal delivery, reputable overnight carrier, or certified mail (return receipt requested) to the Parties’ designated addresses. If to IHP: Intelligent Health Partners Inc, 30 N Gould St, Sheridan, WY 82801, United States, Attn: General Counsel.
- Amendments: Must be in writing signed by authorized officers. Parties agree to amend as necessary to comply with HIPAA Rules.
- Governing Law: New York law governs, without regard to conflict-of-law principles.
- Assignment: Neither Party may assign without prior written consent, not unreasonably withheld; either may assign to a successor via merger, consolidation, sale of substantially all assets, or by law.
- Nature of Agreement: No partnership, joint venture, fiduciary duty, or employment relationship is created.
- No Waiver: No waiver except by signed writing; no delay constitutes waiver.
- Severability: If any provision is invalid or unenforceable, the remainder remains in effect.
- No Third-Party Beneficiaries: No rights for persons not party to this Agreement.
- Headings: For convenience only and do not affect interpretation.
- Entire Agreement: This Agreement and applicable provisions of the Services Agreement (including exhibits/riders/amendments) constitute the entire agreement regarding subject matter and supersede prior understandings. Inconsistent provisions are controlled by this Agreement.
- Interpretation: Ambiguities are resolved to permit compliance with HIPAA and applicable state confidentiality laws. This Agreement prevails over conflicting provisions in other agreements regarding the subject matter.
- Regulatory References: References to HIPAA Rules include subsequent amendments.
Execution
IN WITNESS WHEREOF, the Parties execute this Agreement as of the Effective Date.