Business Associate Agreement
HIPAA Compliance Required
This Business Associate Agreement (BAA) is required for US healthcare customers processing Protected Health Information (PHI) through Tork services. By executing this BAA, you confirm that you are a Covered Entity or Business Associate under HIPAA.
HIPAA Business Associate Agreement
This Business Associate Agreement ("BAA") is entered into between JCorp Australia Pty Ltd (ABN: 51 694 095 513), trading as "Tork" ("Business Associate"), and the entity agreeing to these terms ("Covered Entity"), pursuant to the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and the Health Information Technology for Economic and Clinical Health Act ("HITECH Act").
1. Definitions
Terms used in this BAA shall have the same meaning as those terms in the HIPAA Rules, including:
- "Covered Entity" means a health plan, healthcare clearinghouse, or healthcare provider that transmits health information in electronic form in connection with a HIPAA-covered transaction, being the customer who has agreed to this BAA.
- "Business Associate" means JCorp Australia Pty Ltd (ABN: 51 694 095 513), trading as Tork, that performs functions or activities on behalf of, or provides services to, a Covered Entity that involve access to Protected Health Information.
- "Protected Health Information" or "PHI" means individually identifiable health information transmitted or maintained in any form or medium, as defined in 45 CFR § 160.103.
- "Electronic Protected Health Information" or "ePHI" means PHI that is transmitted or maintained in electronic media, as defined in 45 CFR § 160.103.
- "HIPAA Rules" means the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Part 160 and Part 164.
- "Breach" means the acquisition, access, use, or disclosure of PHI in a manner not permitted under the HIPAA Privacy Rule which compromises the security or privacy of the PHI, as defined in 45 CFR § 164.402.
- "Security Incident" means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system, as defined in 45 CFR § 164.304.
- "Subcontractor" means a person or entity to whom Business Associate delegates a function, activity, or service, other than in the capacity of a member of the workforce of Business Associate.
- "Required by Law" means a mandate contained in law that compels an entity to make a use or disclosure of PHI that is enforceable in a court of law.
- "Secretary" means the Secretary of the U.S. Department of Health and Human Services (HHS) or the Secretary's designee.
2. Obligations of Business Associate
Business Associate agrees to:
- 2.1 Not use or disclose PHI other than as permitted or required by this BAA or as Required by Law.
- 2.2 Use appropriate safeguards and comply with Subpart C of 45 CFR Part 164 (Security Rule) with respect to ePHI, to prevent use or disclosure of PHI other than as provided for by this BAA.
- 2.3 Report to Covered Entity any use or disclosure of PHI not provided for by this BAA of which it becomes aware, including any Breach of Unsecured PHI and any Security Incident.
- 2.4 In accordance with 45 CFR § 164.502(e)(1)(ii) and § 164.308(b)(2), ensure that any Subcontractors that create, receive, maintain, or transmit PHI on behalf of Business Associate agree to the same restrictions and conditions that apply to Business Associate under this BAA.
- 2.5 Make available PHI in a Designated Record Set to Covered Entity as necessary to satisfy Covered Entity's obligations under 45 CFR § 164.524 (individual access rights).
- 2.6 Make any amendment(s) to PHI in a Designated Record Set as directed or agreed to by Covered Entity pursuant to 45 CFR § 164.526.
- 2.7 Maintain and make available the information required to provide an accounting of disclosures to Covered Entity as necessary to satisfy Covered Entity's obligations under 45 CFR § 164.528.
- 2.8 To the extent Business Associate is to carry out one or more of Covered Entity's obligation(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to Covered Entity in the performance of such obligation(s).
- 2.9 Make its internal practices, books, and records available to the Secretary for purposes of determining compliance with the HIPAA Rules.
3. Permitted Uses and Disclosures
3.1 Service Performance: Business Associate may use or disclose PHI as necessary to perform the services set forth in the underlying Terms of Service, specifically:
- PII and PHI detection and redaction services
- Content policy evaluation and enforcement
- HIPAA compliance logging and audit trail generation
- Real-time content filtering for healthcare applications
3.2 Business Associate's Operations: Business Associate may use PHI for its proper management and administration or to carry out its legal responsibilities, provided that such uses are permitted under the Privacy Rule.
3.3 Disclosures for Management: Business Associate may disclose PHI for its proper management and administration or to carry out its legal responsibilities, provided that:
- The disclosure is Required by Law; or
- Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will be held confidentially and used or further disclosed only as Required by Law or for the purpose for which it was disclosed, and the person notifies Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.
3.4 Data Aggregation: Business Associate may use PHI to provide Data Aggregation services relating to Covered Entity's health care operations.
3.5 De-Identification: Business Associate may use PHI to de-identify the information in accordance with 45 CFR § 164.514(a)-(c).
4. Safeguards
Business Associate shall implement and maintain appropriate safeguards as required by the HIPAA Security Rule (45 CFR Part 164, Subpart C):
4.1 Administrative Safeguards
- Security Management Process including risk analysis and risk management
- Assigned Security Responsibility with designated security official
- Workforce Security with authorization and supervision procedures
- Information Access Management with access authorization policies
- Security Awareness and Training for all workforce members
- Security Incident Procedures for identifying and responding to incidents
- Contingency Plan including data backup and disaster recovery
- Evaluation of security policies and procedures
4.2 Physical Safeguards
- Facility Access Controls limiting physical access to electronic information systems
- Workstation Use policies specifying proper functions and manner of use
- Workstation Security with physical safeguards restricting access
- Device and Media Controls for hardware and electronic media handling
4.3 Technical Safeguards
- Access Control including unique user identification and automatic logoff
- Audit Controls recording and examining access and activity
- Integrity Controls protecting ePHI from improper alteration or destruction
- Person or Entity Authentication verifying identity before access
- Transmission Security with encryption and integrity controls
- TLS 1.3 encryption for all data in transit
- AES-256 encryption for all ePHI at rest
5. Breach Notification
5.1 Discovery and Notification: Business Associate shall report to Covered Entity any Breach of Unsecured PHI without unreasonable delay and in no case later than 60 calendar days after discovery of the Breach, as required by 45 CFR § 164.410.
5.2 Breach Report Content: Business Associate's Breach report shall include, to the extent possible:
- Identification of each individual whose Unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed
- A brief description of what happened, including the date of the Breach and the date of discovery
- A description of the types of Unsecured PHI involved in the Breach
- Any steps individuals should take to protect themselves from potential harm
- A description of what Business Associate is doing to investigate, mitigate harm, and protect against further Breaches
- Contact procedures for individuals to ask questions or learn additional information
5.3 Security Incidents: Business Associate shall report to Covered Entity any Security Incident of which it becomes aware. Reports of unsuccessful Security Incidents (such as pings, port scans, or unsuccessful login attempts) may be provided in summary form on a periodic basis.
5.4 Cooperation: Business Associate shall cooperate with Covered Entity in investigating and mitigating any Breach, and shall preserve evidence relating to the Breach.
6. Subcontractors
6.1 In accordance with 45 CFR § 164.502(e)(1)(ii) and § 164.308(b)(2), Business Associate shall ensure that any Subcontractors that create, receive, maintain, or transmit PHI on behalf of Business Associate agree to the same restrictions, conditions, and requirements that apply to Business Associate under this BAA.
6.2 Current Subcontractors: The following Subcontractors are currently engaged and have executed appropriate BAAs:
6.3 Business Associate shall provide Covered Entity with notice of any changes to the list of Subcontractors.
7. Access to PHI
7.1 To the extent Business Associate maintains PHI in a Designated Record Set, Business Associate shall make available to Covered Entity, in response to a request from an individual, PHI contained in that Designated Record Set, in order to meet Covered Entity's obligations under 45 CFR § 164.524.
7.2 Business Associate shall respond to any request from Covered Entity for access to PHI within fifteen (15) business days.
7.3 If an individual makes a request for access directly to Business Associate, Business Associate shall forward such request to Covered Entity within five (5) business days.
8. Amendment of PHI
8.1 To the extent Business Associate maintains PHI in a Designated Record Set, Business Associate shall make any amendment(s) to PHI in a Designated Record Set as directed by Covered Entity or as agreed to by Covered Entity pursuant to 45 CFR § 164.526.
8.2 Business Associate shall make such amendments within thirty (30) days of receipt of Covered Entity's request.
8.3 If an individual makes a request for amendment directly to Business Associate, Business Associate shall forward such request to Covered Entity within five (5) business days.
9. Accounting of Disclosures
9.1 Business Associate shall maintain and make available to Covered Entity the information required to provide an accounting of disclosures in accordance with 45 CFR § 164.528.
9.2 Business Associate shall maintain such information for at least six (6) years from the date of disclosure.
9.3 For each disclosure that requires an accounting, Business Associate shall record:
- Date of the disclosure
- Name and address (if known) of the entity or person who received the PHI
- Brief description of the PHI disclosed
- Brief statement of the purpose of the disclosure
9.4 Business Associate shall provide such accounting to Covered Entity within thirty (30) days of a request.
10. HHS Access
10.1 Business Associate shall make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of Health and Human Services for purposes of determining Covered Entity's and Business Associate's compliance with the HIPAA Rules.
10.2 Business Associate shall promptly notify Covered Entity of any request by the Secretary for such access and shall provide Covered Entity with copies of any documents produced.
11. Term and Termination
11.1 Term: This BAA shall be effective as of [EFFECTIVE DATE] or the date Covered Entity first accesses the Services, whichever is later, and shall remain in effect until the earlier of:
- Termination of the underlying Terms of Service;
- Termination of this BAA as provided herein; or
- The date all PHI has been returned or destroyed in accordance with Section 12.
11.2 Termination for Cause: Either party may terminate this BAA if the other party materially breaches any provision of this BAA and fails to cure such breach within thirty (30) days after receiving written notice of the breach.
11.3 Termination for Breach of HIPAA: Covered Entity may immediately terminate this BAA if Business Associate has breached a material term of this BAA and cure is not possible.
11.4 Effect of Termination: Upon termination of this BAA for any reason, Business Associate shall comply with Section 12 regarding return or destruction of PHI.
12. Return or Destruction of PHI
12.1 Upon termination of this BAA for any reason, Business Associate shall, at Covered Entity's election:
- Return all PHI received from Covered Entity or created or received by Business Associate on behalf of Covered Entity; or
- Destroy all PHI and certify such destruction in writing to Covered Entity.
12.2 Business Associate shall complete such return or destruction within thirty (30) days of termination.
12.3 If return or destruction of PHI is not feasible, Business Associate shall:
- Notify Covered Entity of the conditions that make return or destruction not feasible;
- Extend the protections of this BAA to such PHI;
- Limit further uses and disclosures to the purposes that make return or destruction not feasible; and
- Return or destroy the PHI when it becomes feasible to do so.
Note: Tork's Services are designed to minimize PHI retention. API request content containing PHI is processed in real-time and is not stored beyond the time necessary to complete the evaluation, except for audit logs as configured by the Covered Entity.
13. Miscellaneous
13.1 Survival: The respective rights and obligations of Business Associate under Sections 5, 9, 10, and 12 of this BAA shall survive the termination of this BAA.
13.2 Regulatory References: A reference in this BAA to a section in the HIPAA Rules means the section as in effect or as amended.
13.3 Amendment: The parties agree to take such action as is necessary to amend this BAA from time to time as is necessary for compliance with the requirements of the HIPAA Rules and any other applicable law.
13.4 Interpretation: Any ambiguity in this BAA shall be interpreted to permit compliance with the HIPAA Rules.
13.5 No Third-Party Beneficiaries: Nothing express or implied in this BAA is intended to confer upon any person other than the parties and their respective successors or assigns, any rights, remedies, obligations, or liabilities.
13.6 Governing Law: This BAA shall be governed by applicable federal law, including HIPAA. To the extent federal law does not preempt state law, this BAA shall be governed by the laws of the State in which the Covered Entity's principal place of business is located.
14. Signatures
By using the Tork Services with PHI, the Covered Entity agrees to this Business Associate Agreement. For enterprise healthcare customers requiring a manually signed BAA, please contact us.
BUSINESS ASSOCIATE
Company Name
JCorp Australia Pty Ltd
Trading As
Tork
ABN
51 694 095 513
Address
Sydney, NSW, Australia
Signature
Date
COVERED ENTITY
Organization Name
Authorized Representative
Title
Address
Signature
Date
Questions about this BAA?
For questions about this Business Associate Agreement, HIPAA compliance, or to request a manually signed copy for healthcare enterprise use, please contact us: