This Business Associate Agreement (“BAA”) is between the “Client” identified on the Work/Purchase Order/Services Agreement (“Company”) and Green Apples MedSystems, LLC (“GAMS”). Company and GAMS are each a “Party,” and together the “Parties.” Company is a Covered Entity or a Business Associate to one or more Covered Entities (see Section 1 for Definitions) and desires to disclose certain information to GAMS, some of which may constitute Protected Health Information.


GAMS provides certain services to the Company pursuant to one or more service agreements (“Work Order/Services Agreement”). These services qualify GAMS as a Business Associate or Subcontractor Business Associate to the Company. The Parties are entering into this BAA to set forth the terms on which GAMS may use and disclose Protected Health Information. The Parties agree as follows:

  1. Definitions. Capitalized terms not otherwise defined in this BAA shall have the meanings as set forth in the HIPAA Rules.
    “HIPAA Rules” means collectively the Health Insurance Portability and Accountability Act of 1996, as amended by the Health Information Technology for Economic and Clinical Health (“HITECH”) Act, and its implementing regulations set forth at 45 C.F.R. Parts 160 and 164, including the Privacy, Security, Breach Notification, and Enforcement Rules.
    “Protected Health Information” and “PHI” have the same meaning as the term “protected health information” in 45 C.F.R. § 160.103, as applied to the information created or received by GAMS from or on behalf of Company.
    “Security Incident” has the same meaning as “security incident” in 45 C.F.R. § 164.304, excluding immaterial or trivial incidents that occur on a daily basis, such as “scans,” “pings,” or an unsuccessful attempt to improperly access Electronic PHI that is stored in an information system under its control.
  2. Obligations and Activities of GAMS

2.1. Uses and Disclosures of PHI. GAMS shall not use or disclose PHI other than as permitted or required by the Work Order/Services Agreement or as required by law.

2.2. Safeguards. GAMS shall use reasonable and appropriate safeguards in compliance with Subpart C of 45 C.F.R. Part 164 with respect to PHI in electronic format designed to prevent use or disclosure of PHI other than as provided for by this BAA.

2.3. Reporting of Improper Use or Disclosure, Breach or Security Incident. GAMS shall report to Company in writing within 30 days after the Discovery any use or disclosure of PHI not provided for by this BAA, including any Security Incident or Breach of Unsecured PHI. Such notice shall include, to the extent known, the identification of each Individual whose PHI has been or is reasonably believed by GAMS to have been accessed, acquired, or disclosed. GAMS shall cooperate with Company in investigating a Breach or Security Incident so that Company may meet Company’s obligations under the HIPAA Rules and any other breach notification law. GAMS agrees to mitigate, to the extent reasonably practicable, any harmful effect that is known to GAMS of a use or disclosure of PHI by GAMS in violation of the requirements of this BAA.

2.4. Subcontractors. In accordance with 45 C.F.R. § 164.502(e)(1)(ii) and § 164.308(b)(2), GAMS shall require that its subcontractors and agents that create, receive, maintain or transmit PHI agree to the same or no less stringent restrictions, conditions and requirements that apply to GAMS with respect to such information.

2.5. Access to PHI. Within 15 days after receiving a written request from Company, GAMS shall make available PHI in a Designated Record Set in accordance with the terms of the Work Order/Services Agreement and 45 C.F.R. § 164.524.

2.6. Amendment to PHI. Within 15 days after receiving a written request from Company, GAMS shall make available to Company PHI in a Designated Record Set for amendment or incorporate any amendments to PHI in accordance with the terms of the Work Order/Services Agreement and 45 C.F.R. § 164.526.

2.7. Accounting for Disclosures. Within 30 days after receiving a written request, GAMS shall make available to Company the information necessary for Company to respond to a request for an accounting of disclosures in accordance with 45 C.F.R. § 164.528. If it will take longer than 30 days to compile the information, GAMS shall inform the Company of the delay and the reason for the delay.

2.8. Company’s Obligations. To the extent GAMS is to carry out one or more of the Company’s obligations under Subpart E of 45 C.F.R. Part 164, GAMS shall comply with the requirements of Subpart E that apply to the Company in the performance of such obligations.

2.9. Governmental Access to Records. GAMS shall make available its internal practices, books, and records relating to the use and disclosure of PHI to the Secretary for purposes of determining compliance with the HIPAA Rules. GAMS’s provision of any internal practices, books, or records or cooperation with any audit shall not be deemed to waive any legal privilege to which GAMS is entitled under the law.

2.10. Marketing and Sale of PHI. GAMS shall not use or disclose PHI for marketing purposes unless expressly directed by Company, and in accordance with § 13406(a) of the HITECH Act and 45 C.F.R. § 164.508(a)(3). GAMS shall comply with the prohibition on the sale of PHI in accordance with § 13405(d) of the HITECH Act and 45 C.F.R. § 164.502(a)(5)(ii).

  3. Permitted Uses and Disclosures by GAMS

3.1. Uses and Disclosures of PHI. Except as otherwise limited in this BAA, GAMS may use or disclose PHI to perform functions, activities or services for, or on behalf of, Company as specified in the Work Order/Services Agreement, provided that such use or disclosure would not violate the HIPAA Rules if done by Company.

3.2. Uses and Disclosures Required by Law. GAMS may use or disclose PHI as required by law. GAMS may disclose PHI to report violations of law to appropriate federal and state authorities consistent with 45 C.F.R. § 164.502(j)(1).

3.3. Minimum Necessary. GAMS shall limit its uses, disclosures and requests for PHI to the minimum necessary to achieve the specific purpose of the use, disclosure or request in compliance with the HIPAA Rules.

3.4. Permitted Uses of PHI. Except as otherwise limited in this BAA, GAMS may use PHI for the proper management and administration of GAMS or to carry out the legal responsibilities of GAMS.

3.5. Permitted Disclosures of PHI. Except as otherwise limited in this BAA, GAMS may disclose PHI for the proper management and administration of GAMS or to carry out the legal responsibilities of GAMS, provided that the disclosures are required by law or GAMS obtains reasonable assurances from the person to whom the information is disclosed that it shall remain confidential and shall be used or further disclosed only as required by law or for the purpose for which it was disclosed to the person and the person agrees to notify GAMS of any instances of which it is aware in which the confidentiality of the information has been breached.

3.6. Data Aggregation and De-identified Data. Except as otherwise limited in this BAA, GAMS may use PHI to provide data aggregation services to Company as permitted by 45 C.F.R. § 164.504(e)(2)(i)(B). GAMS may use or disclose PHI for any purpose provided that such data has been de-identified in accordance with the standards set forth in 45 C.F.R. § 164.514(b) either by Company or by GAMS on Company’s behalf.

  4. Provisions for Company to Inform GAMS of Privacy Practices and Restrictions

4.1. Notice Changes. Company shall notify GAMS 15 days prior to the effective date of any limitations in the applicable Notice of Privacy Practices under 45 C.F.R. § 164.520 to the extent that such limitation may affect GAMS’s use or disclosure of PHI.

4.2. Changes in Authorization. Company shall notify GAMS 15 days prior to the effective date of any changes in, or revocation of, authorizations to use or disclose PHI to the extent that such changes may affect GAMS’s use or disclosure of PHI.

4.3. Requests for Restrictions. Company shall notify GAMS 15 days prior to the effective date of any restrictions on the use or disclosure of PHI that Company has agreed to or is required to abide by under 45 C.F.R. § 164.522, to the extent that such restriction may affect GAMS’s use or disclosure of PHI.

4.4. Permissible Requests by Company. Company shall not request GAMS to use or disclose PHI in any manner that would not be permissible under the HIPAA Rules if done by Company, unless the requested use or disclosure by GAMS is expressly permitted under this BAA.

4.5. Compliance with the HIPAA Rules. Company in performing its obligations and exercising its rights under the Work Order/Services Agreement and this BAA shall use and disclose PHI in compliance with the applicable provisions of the HIPAA Rules.


4.6. Compliance with Other Laws. Company shall be responsible for obtaining any authorizations or patient permission necessary under applicable federal and state law to disclose PHI to GAMS and for GAMS to use the PHI for the purposes outlined in this BAA and the Work Order/Services Agreement.

  5. Term and Termination

5.1. Term. This BAA shall terminate when all of the PHI provided by Company to GAMS, or created or received by GAMS on behalf of Company, is destroyed or returned to Company or, if it is infeasible to return or destroy PHI, protections are extended to such information in accordance with Section

5.2. Termination by Company. Upon Company’s knowledge of a material breach or violation of this BAA by GAMS, Company may either: (i) provide an opportunity for GAMS to cure the breach or end the violation within the time reasonably specified by Company, or (ii) immediately terminate this BAA and the Work Order/Services Agreement if cure is not possible.

5.3. Termination by GAMS. Upon GAMS’s knowledge of a material breach by Company of this BAA, GAMS may either: (i) provide an opportunity for Company to cure the breach or end the violation within the time reasonably specified by GAMS, or (ii) immediately terminate this BAA and the Work Order/Services Agreement if cure is not possible.

5.4. Effect of Termination. Within 90 days after the termination of this BAA, GAMS shall return to the Company or destroy all PHI in its possession and retain no copies, if it is feasible to do so. Any PHI destroyed by GAMS in accordance with this BAA shall, to the extent practicable, comply with guidance for the destruction of PHI issued by the Secretary from time to time. If return or destruction is infeasible, GAMS shall extend all protections contained in this BAA to GAMS’s use or disclosure of any retained PHI, and shall limit any further uses or disclosures to those purposes that make the return or destruction of the PHI infeasible. The obligations of GAMS under this Section 5.4 shall survive the termination of this BAA.

  6. Miscellaneous

6.1. Injunctive Relief. Notwithstanding any other provision of this BAA, Company retains its rights to seek injunctive relief to prevent or stop the unauthorized use or disclosure of PHI by GAMS or any third party that received PHI from GAMS.

6.2. Indemnification by GAMS. If an unaffiliated third party brings a claim against Company or any of its officers, agents or employees because GAMS or any of its officers, agents or employees used or disclosed PHI in violation of this BAA, then GAMS shall defend the claim and shall pay all defense costs, any settlement amount negotiated by GAMS, and all damages awarded by a court, or a government agency with appropriate authority, after all appeals have concluded.

6.3. Indemnification by Company. If an unaffiliated third party brings a claim against GAMS or any of its officers, agents or employees because Company or any of its officers, agents or employees used or disclosed PHI in violation of this BAA, then Company shall defend the claim and shall pay all defense costs, any settlement amount negotiated by Company, and all damages awarded by a court, or a government agency with appropriate authority, after all appeals have concluded.

6.4. Regulatory References. A reference in this BAA to a section in the HIPAA Rules means the section as in effect or as amended.

6.5. Amendment. If the HIPAA Rules are amended in a manner that materially changes the obligations of Company or GAMS under this BAA, or any of GAMS’s contractors or agents that are subject to the terms that flow from this BAA, the Parties agree to negotiate in good faith to amend this BAA, and if applicable the Work Order/Services Agreement, to comply with the requirements of the HIPAA Rules and any applicable law.

6.6. Interpretation. Any ambiguity in this BAA shall be resolved in favor of a meaning that permits the Parties to comply with the HIPAA Rules.

6.7. No Third-Party Beneficiaries. There are no intended third-party beneficiaries under this BAA other than each Party’s successors or permitted assigns and other than those who are expressly intended to benefit from the indemnification obligations under Sections 6.2 and 6.3.

6.8. Governing Law. This BAA is governed by and shall be interpreted in accordance with the state laws that govern the Work Order/Services Agreement.

6.9. Binding Agreement. This BAA binds the Parties and each of their respective successors and permitted assigns.

6.10. Entire Agreement. This BAA is the entire and only agreement between the Parties regarding its subject matter. This BAA supersedes and fully integrates all prior and contemporaneous discussions, understandings, and agreements between the Parties regarding its subject matter. To the extent that there is any inconsistency between this BAA and the Work Order/Services Agreement, this BAA shall control. No amendment or additions to this BAA shall be binding unless in writing and signed by both Parties.



BUSINESS ASSOCIATE
Signature: _____________
Name: _____________
Title: _____________



COVERED ENTITY
Signature: _____________
Name: _____________
Title: _____________