Business Associate Agreement (BAA)

1. Parties

This Business Associate Agreement (the “Agreement”) is entered into by and between _______________________________________ (“Covered Entity”) and Kani Technologies Inc (“Business Associate”), each a “Party” and collectively the “Parties.”

2. Purpose and Scope

The Parties have established this Agreement to comply with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), as amended, along with the associated privacy, security, breach notification, and enforcement provisions found at 45 C.F.R. Parts 160 and 164, and to comply with the Health Information Technology for Economic and Clinical Health Act (“HITECH”) and other applicable federal and state laws (collectively, the “HIPAA Rules”). This Agreement ensures that Business Associate implements appropriate safeguards for Protected Health Information (“PHI”) that it may receive, create, maintain, use, or disclose while performing services for Covered Entity.

3. Definitions

3.1 Terms not otherwise defined in this Agreement shall have the meanings ascribed to them in the HIPAA Rules.

3.2 For purposes of this Agreement:

3.2.1 Individual: As defined in 45 C.F.R. §160.103, including any personal representative in accordance with 45 C.F.R. §164.502(g).

3.2.2 Protected Health Information (PHI): As defined at 45 C.F.R. §160.103, limited to PHI that Business Associate creates, receives, maintains, or transmits on behalf of Covered Entity.

3.2.3 Electronic Protected Health Information (ePHI): As defined in 45 C.F.R. §160.103, applying to PHI that is transmitted or maintained electronically by the Business Associate on behalf of Covered Entity.

3.2.4 Privacy Rule: Refers to the Standards for Privacy of Individually Identifiable Health Information at 45 C.F.R. Parts 160 and 164, Subparts A and E.

3.2.5 Required by Law: As defined in 45 C.F.R. §164.103.

3.2.6 Security Rule: Refers to the Security Standards at 45 C.F.R. Part 160 and Part 164, Subparts A and C.

3.2.7 Security Incident: As defined in 45 C.F.R. §164.304, the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.

3.2.8 Secretary: The Secretary of the U.S. Department of Health and Human Services or a designee thereof.

4. Permitted Uses and Disclosures by Business Associate

4.1 The Business Associate may use or disclose PHI solely as needed to fulfill its obligations to the Covered Entity under the Agreement, and only in a manner that would not violate the Privacy Rule if performed by Covered Entity itself.

4.2 The Business Associate may disclose PHI to third parties to the extent that such disclosure is Required by Law.

4.3 In addition, the Business Associate may:

4.3.1 Use PHI to provide Data Aggregation services permitted by the HIPAA Rules.

4.3.2 Use PHI for the Business Associate’s proper management and administration or to meet its legal responsibilities.

4.3.3 Disclose PHI for the Business Associate’s proper management and administration or to carry out its legal obligations if such disclosure is Required by Law or if the Business Associate obtains written assurances from the recipient regarding confidentiality and notification of any breach.

5. Business Associate’s General Obligations

5.1 Use and Disclosure Restrictions: The Business Associate shall not use or disclose PHI except as allowed by this Agreement or as Required by Law. When acting on behalf of the Covered Entity under the Privacy Rule, the Business Associate must adhere to the applicable Privacy Rule requirements.

5.2 Subcontractors: The Business Associate shall ensure that any subcontractor or agent that creates, receives, maintains, or transmits PHI on behalf of Business Associate agrees in writing to the same restrictions and requirements that apply to Business Associate under this Agreement.

5.3 Access to PHI: Upon request, the Business Associate shall make PHI in a Designated Record Set available to the Covered Entity so the Covered Entity can meet its obligations under 45 C.F.R. §164.524. Any Individual’s request received directly by the Business Associate shall be forwarded to the Covered Entity.

5.4 Amendment of PHI: The Business Associate shall make PHI available for amendment per 45 C.F.R. §164.526 upon the Covered Entity’s request. If an Individual requests an amendment directly from the Business Associate, the Business Associate will forward the request to the Covered Entity.

5.5 Minimum Necessary: In using, disclosing, or requesting PHI, the Business Associate shall make reasonable efforts to limit PHI to the minimum necessary, including when creating a limited data set, as required by 45 C.F.R. §164.502(b)(1).

5.6 Accounting of Disclosures: The Business Associate shall document disclosures of PHI as necessary for the Covered Entity to respond to an Individual’s request for an accounting under 45 C.F.R. §164.528. If an Individual’s request is made directly to Business Associate, it shall be forwarded to the Covered Entity.

5.7 Internal Practices and Records: The Business Associate shall make its internal practices, books, and records relating to the use or disclosure of PHI available to the Secretary for purposes of determining the Parties’ compliance with the HIPAA Rules.

5.8 Mitigation: The Business Associate shall take reasonable steps to mitigate any harmful effect known to it resulting from any improper use or disclosure of PHI in violation of this Agreement.

5.9 Safeguards: The Business Associate shall implement appropriate administrative, physical, and technical safeguards to protect PHI and prevent any use or disclosure not permitted by this Agreement or the HIPAA Rules.

5.10 Reporting Breaches and Security Incidents: The Business Associate shall report to the Covered Entity, without unreasonable delay and no later than thirty (30) days after discovery, any use or disclosure of PHI not provided for by this Agreement, any Breach of Unsecured PHI, or any Security Incident. Attempts that do not result in unauthorized access (e.g., unsuccessful log-on attempts) are considered reported under this provision without the need for additional notification unless requested by Covered Entity.

6. Covered Entity’s Obligations

6.1 The Covered Entity shall inform the Business Associate of any restrictions, changes, or revocations of permissions with respect to PHI that may impact the Business Associate’s permitted uses and disclosures.

6.2 The Covered Entity shall not request the Business Associate to use or disclose PHI in any manner that would not be permissible for the Covered Entity to perform itself under the Privacy Rule or Security Rule, except as otherwise allowed herein.

7. Indemnification

Each Party shall indemnify, defend, and hold the other Party harmless from and against all damages, claims, liabilities, costs, judgments, penalties, and expenses, including those related to investigations, litigation, or dispute resolution, arising out of or related to any breach of this Agreement or any Breach caused by the indemnifying Party or its subcontractors or agents. Notwithstanding anything to the contrary in this Agreement, the Business Associate’s total aggregate liability arising out of or related to this Agreement shall be subject to the limitations of liability, including the monetary cap and exclusion of consequential damages, set forth in the Terms of Service then in effect between the Parties.

8. Term and Termination

8.1 Term: This Agreement shall be effective on the Effective Date and remain in effect until terminated or until all PHI is returned or destroyed in accordance with this Agreement.

8.2 Termination for Cause: If the Covered Entity identifies a material breach of this Agreement by the Business Associate, it shall provide an opportunity to cure. If cure is not possible or not effected within a specified time, the Covered Entity may terminate this Agreement.

8.3 Obligations Upon Termination: Upon termination, the Business Associate shall return or destroy all PHI received or created on behalf of the Covered Entity. If return or destruction is infeasible, the Business Associate shall extend the protections of this Agreement to such PHI and limit further uses and disclosures to the purposes that make return or destruction infeasible.

9. Miscellaneous

9.1 Amendment: The Parties agree to amend this Agreement as necessary to comply with the HIPAA Rules or other applicable laws.

9.2 Survival: The provisions governing the protection of PHI shall survive termination.

9.3 Counterparts: This Agreement may be executed in multiple counterparts, each constituting an original.

9.4 Regulatory References: Any reference herein to a provision of the HIPAA Rules shall mean that provision as currently in effect or as subsequently amended.

9.5 Governing Law: Except to the extent preempted by federal law, this Agreement shall be governed by and interpreted in accordance with the laws of the State of California.

9.6 Interpretation: Any ambiguity shall be resolved to ensure compliance with the HIPAA Rules.

9.7 Entire Agreement; Severability: This Agreement constitutes the entire agreement between the Parties related to the subject matter of this Agreement. If any provision is found invalid, the remainder shall remain in full force.

9.8 Assignment: Neither Party shall assign its rights or obligations under this Agreement without the other Party’s written consent.

IN WITNESS WHEREOF, the Parties have executed this Agreement as of the Effective Date: _______________________

______________________________

(Covered Entity)


Name: ________________________________

Title: _________________________________


Kani Technologies Inc
(Business Associate)


Name: Kumar Krishnasami

Title: CEO