Business Associate Agreement

1. Definitions

2. Obligations of Business Associate

MedNex agrees to the following obligations:

• Use and Disclosure: Not use or disclose PHI other than as permitted or required by this Agreement or as required by law.
• Safeguards: Implement appropriate administrative, physical, and technical safeguards to prevent unauthorized use or disclosure of PHI.
• Reporting: Report any use or disclosure of PHI not provided for by this Agreement, including any Security Incident or Breach.
• Subcontractors: Ensure that any subcontractors who may access PHI agree to the same restrictions and conditions.
• Access to PHI: Make PHI available to the Covered Entity or individual as required by HIPAA.
• Amendment: Make PHI available for amendment and incorporate any amendments as directed.
• Accounting: Make available information required to provide an accounting of disclosures.
• Compliance: Make internal practices, books, and records relating to PHI available to the Secretary of HHS.

3. Permitted Uses and Disclosures

MedNex may use or disclose PHI:

• To perform functions, activities, or services specified in the Service Agreement
• For the proper management and administration of the Business Associate
• To carry out legal responsibilities of the Business Associate
• To provide Data Aggregation services relating to the Covered Entity's healthcare operations
• To de-identify PHI in accordance with 45 CFR 164.514(a)-(c)

4. Obligations of Covered Entity

The Covered Entity agrees to:

• Notify Business Associate of any limitations in its Notice of Privacy Practices that affect use of PHI
• Notify Business Associate of any changes or revocation of authorization by individuals
• Notify Business Associate of any restrictions on use or disclosure of PHI agreed to by Covered Entity
• Not request Business Associate to use or disclose PHI in any manner not permitted by HIPAA

5. Security Requirements

6. Breach Notification

In the event of a Breach of Unsecured PHI, Business Associate shall:

• Notify Covered Entity within 24 hours of discovery of the Breach
• Provide sufficient information for Covered Entity to investigate and report the Breach
• Cooperate with Covered Entity in investigating and mitigating the Breach
• Provide any additional information as it becomes available

7. Term and Termination

Term: This Agreement is effective upon your acceptance of MedNex services and remains in effect until terminated.

Termination: Either party may terminate this Agreement upon material breach that is not cured within 30 days of notice.

Effect of Termination: Upon termination, Business Associate shall return or destroy all PHI, if feasible. If return or destruction is not feasible, Business Associate will extend the protections of this Agreement to retained PHI and limit further uses and disclosures.

8. General Provisions

• Amendment: This Agreement may be amended by mutual written consent or as required by changes in HIPAA regulations.
• Survival: Obligations relating to the protection of PHI survive termination of this Agreement.
• Governing Law: This Agreement is governed by HIPAA and applicable federal and state laws.
• Interpretation: Any ambiguity in this Agreement shall be resolved to permit compliance with HIPAA.