Business Associate Addendum

Last Updated and Effective as of July 6, 2023

This Business Associate Addendum (this “Addendum”), effective as of the date set forth above, is hereby incorporated by reference into those certain Terms & Conditions (the “Terms”) by and between Quinsite, Inc. (“Quinsite”), a Delaware corporation with its principal office located at 1818 Martin Luther King Jr Blvd, Suite 185, Chapel Hill, North Carolina 27514, and the customer (“Customer”) identified on an Order Form. Initially capitalized terms used but not otherwise defined herein shall have the meaning set forth in the Terms.

  1. Background
     
    1.1 The Parties acknowledge and agree that Customer and/or its clients from time to time is/are covered entity(ies) (“Covered Entity”) as defined in the federal regulations at 45 C.F.R. Parts 160 and 164, Subparts A, C, and E (the “Privacy and Security Standards”) promulgated pursuant to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the Health Information Technology for Economic and Clinical Health Act of 2009 (“HITECH”). Pursuant to HIPAA and HITECH, the U.S. Department of Health & Human Services (“HHS”) promulgated the Privacy and Security Standards requiring certain individuals and entities subject to the Privacy and Security Standards to protect the privacy and security of certain individually identifiable health information (“Protected Health Information,” or “PHI”), including electronic protected health information (“EPHI”), and the Parties wish to comply with Privacy and Security Standards as amended by the HHS regulations promulgated on January 25, 2013, entitled the “Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act,” as such may be revised or amended by HHS from time to time, and in connection with Business Associate’s performance under the Agreement and/or other documented arrangements between Customer and Business Associate, Business Associate may provide services for, or on behalf of, Covered Entity that require Business Associate to use, disclose, access, create, maintain and/or transmit health information that is protected by state and/or federal law, and Covered Entity desires that Business Associate use and disclose PHI and/or EPHI in accordance with the terms specified herein.

  2. Business Associate Obligations
     
    2.1 Business Associate may use, disclose, access, create, maintain and/or transmit health information that is protected under applicable state and/or federal law, including without limitation, PHI and EPHI. Business Associate acknowledges and agrees it meets the definition of a “business associate” at 45 C.F.R. §160.103. All capitalized terms not otherwise defined in this Addendum shall have the meanings set forth in the Privacy and Security Standards. All references to PHI herein shall be construed to include EPHI. PHI shall mean only that PHI Business Associate uses, discloses, accesses, creates, maintains and/or transmits for or on behalf of Covered Entity pursuant to the Agreement. The Parties hereby acknowledge that the definition of PHI includes “Genetic Information” as set forth at 45 C.F.R. §160.103 (“Definitions”). Business Associate agrees not to use or disclose (or permit the use or disclosure of) PHI in a manner that would violate the Privacy and Security Standards if the PHI were used or disclosed by Covered Entity in the same manner. To the extent the Business Associate is to carry out Covered Entity’s obligations under the Privacy and Security Standards, the Business Associate shall comply with the provision(s) of the Privacy and Security Standards that would apply to the Covered Entity in the performance of such obligation(s).

  3. Use and Disclosure of PHI
     
    3.1 Business Associate expressly agrees that any and all Uses or Disclosures of PHI by Business Associate will be done in accordance with the terms of this Addendum, applicable provisions of the Privacy and Security Standards, or as Required by Law. Business Associate may: (a) Use and Disclose PHI in order to provide the Services; (b) Use and Disclose PHI to provide Data Aggregation services; (c) Use PHI as necessary for the proper management and administration of Business Associate or to carry out its legal responsibilities; and (d) Disclose PHI as necessary for the proper management and administration of Business Associate or to carry out its legal responsibilities, provided that as to any such Disclosure, the following requirements are met: (x) The Disclosure is Required by Law; or (y) Business Associate obtains reasonable assurances through a written agreement with the other agents or parties to whom PHI is disclosed that PHI will be held confidentially and Used or further Disclosed only as Required by Law or for the purpose for which it was Disclosed to the recipient, and the recipient notifies Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached. For avoidance of doubt, Business Associate may Use and Disclose information that previously constituted PHI and has been de-identified in compliance with 45 C.F.R. § 164.514 for any purpose.

  4. Business Associate Subcontractors
     
    4.1 If Business Associate uses or contracts with any agent, including a subcontractor (collectively, “Subcontractors”) that uses, discloses, accesses, creates, receives, maintains, or transmits PHI on behalf of Covered Entity, Business Associate shall require its Subcontractors to agree in writing to substantially similar restrictions and conditions that apply to the Business Associate under the Agreement.
       
  5. Individual Rights Regarding Designated Record Sets
     
    5.1 If Business Associate maintains a Designated Record Set on behalf of Covered Entity, Business Associate shall, upon written request from Covered Entity: (a) provide access to, and permit inspection and copying of, PHI by Covered Entity under conditions and limitations required under 45 C.F.R. §164.524 (“Access of individuals to protected health information”), as it may be amended from time to time; and (b) amend PHI maintained by Business Associate as requested by Covered Entity. Business Associate will not respond directly to Individual requests for access to such information, but shall notify Covered Entity in writing in a timely manner of Business Associate’s receipt of such request. Business Associate may charge a reasonable fee based upon the Business Associate’s labor costs in responding to a request for electronic information (or a cost-based fee for the production of non-electronic media copies).

  6. Accounting of Disclosures
     
    6.1 Business Associate shall, upon written request from Covered Entity, make available to Covered Entity in response to a request from an Individual, information required for an accounting of disclosures of PHI with respect to the Individual in accordance with 45 CFR §164.528 (“Accounting of disclosures of protected health information”). Such accounting must be provided without cost to the Individual or to Covered Entity if it is the first accounting requested by an individual within any twelve (12)-month period. For subsequent accountings within a twelve (12) month period, Business Associate may charge a reasonable fee based upon the Business Associate’s labor costs in responding to a request for electronic information (or a cost-based fee for the production of non-electronic media copies) so long as Business Associate informs the Covered Entity and the Covered Entity informs the Individual in advance of the fee, and the Individual is afforded an opportunity to withdraw or modify the request. Such accounting obligations shall survive expiration or termination of the Agreement and shall continue as long as Business Associate maintains PHI.

  7. Withdrawal of Authorization
     
    7.1 If the use or disclosure of PHI under the Agreement is based upon an Individual’s specific authorization regarding the use of his or her PHI, and: (a) the Individual revokes such authorization in writing; (b) the effective date of such authorization has expired; or (c) the authorization is found to be defective in any manner that renders it invalid for whatever reason, then Business Associate agrees, if it has notice of such revocation or invalidity, to cease the use and disclosure of any such Individual’s PHI except to the extent Business Associate has relied on such use or disclosure, or where an exception under the Privacy and Security Standards expressly applies.

  8. Records and Audit
     
    8.1 Business Associate shall make available to HHS or its agents, its internal practices, books, and records relating to the use and disclosure of PHI received from, created, or received by Business Associate on behalf of Covered Entity for the purpose of determining Covered Entity’s compliance with the Privacy and Security Standards, in a time and manner designated by HHS. Nothing in this Section 8 waives any applicable privilege or protection, including with respect to trade secrets, confidential commercial information, and information subject to attorney-client privilege.

  9. Safeguards
     
    9.1 Business Associate will comply, where applicable, with the HIPAA Security Rules (set forth at 45 C.F.R. Parts 160 and 164, Subparts A and C) and will implement appropriate administrative, technical, and physical safeguards designed to prevent the Use or Disclosure of PHI other than as permitted in this Addendum.

  10. Impermissible Uses and Disclosures of PHI
     
    10.1 Business Associate shall report to Covered Entity any Use or Disclosure of Covered Entity’s PHI of which Business Associate is aware, and which is not in compliance with the terms of this Addendum, including any Breach of Unsecured Protected Health Information pursuant to 45 C.F.R. § 164.410 and any Security Incident. Notwithstanding the foregoing, the Parties acknowledge and agree that Business Associate shall not be required to report attempted but unsuccessful Security Incidents that do not result in actual unauthorized access, Use, or Disclosure of Protected Health Information, and that this Addendum constitutes notice to Covered Entity that such unsuccessful Security Incidents (such as broadcast attacks on Business Associate’s firewall, port scans, unsuccessful log-on attempts, or denial of service attacks) may occur periodically.
        
  11. Covered Entity Obligations
     
    11.1 Permissions and Notices. Covered Entity represents, warrants, and covenants that it has obtained and will continue to obtain all necessary authorizations, consents, releases, and permissions to permit Business Associate to Use and Disclose PHI pursuant to this BAA and in order to provide the Services in compliance with all applicable laws, regulations, and other governmental requirements and that it has provided, and will continue to provide, appropriate notice to Individuals to permit Business Associate to Use and Disclose PHI pursuant to this BAA and in order to provide the Services in compliance with all applicable laws, regulations, and other governmental requirements. Covered Entity shall notify Business Associate of any changes in, or revocation of the authorization, consent, release, or permission by an Individual to Use or Disclose their PHI, to the extent that such changes may affect Business Associate’s Use or Disclosure of PHI. Covered Entity shall provide such notice to Business Associate in the manner specified by Business Associate.

    11.2 Compliance with HIPAA. Covered Entity shall comply with all of its obligations under HIPAA.

    11.3 Instructions. Covered Entity will not request or cause Business Associate to make a Use or Disclosure of PHI or take other actions in a manner that does not comply with HIPAA, any other law, or this BAA. Covered Entity understands and agrees that it is responsible for using and configuring the Services, including any integration with other services, in a manner that complies with HIPAA and any other laws.

    11.4 Notice of Privacy Practices. Covered Entity shall notify Business Associate of any limitations in the notice of privacy practices of Covered Entity under 45 CFR § 164.520, to the extent that such limitation may affect Business Associate’s Use or Disclosure of PHI.

    11.5 Restrictions on PHI Use and Disclosures. Covered Entity shall notify Business Associate of any restrictions on the Use or Disclosure of PHI that Covered Entity has agreed to or is required to abide by under 45 CFR 164.522, to the extent that such restriction may affect Business Associate’s Use or Disclosure of PHI.

  12. Term and Termination
     
    12.1 Upon either Party’s knowledge of a material breach by the other Party to this Addendum, such Party shall provide written notice to the breaching Party stating the nature of the breach and providing an opportunity to cure the breach within sixty (60) business days. Upon the expiration of such sixty (60)-day cure period, the non-breaching Party may terminate this Addendum. Upon termination of the Agreement for any reason, Business Associate agrees either to return to Covered Entity or to destroy all PHI received from Covered Entity or otherwise through the performance of services for Covered Entity, that is in the possession or control of Business Associate or its agents. In the case of PHI which is not feasible to return or destroy, Business Associate shall extend the protections of the Agreement to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such PHI. Business Associate further agrees to comply with other applicable state or federal law, which may require a specific period of retention, redaction, or other treatment of such PHI. This Section 12 shall survive the expiration or termination of the Agreement and shall remain in effect for so long as Subcontractor maintains PHI.