Business Associate Agreement.

Capitalized terms not defined here have the meanings given in 45 C.F.R. Parts 160, 162, and 164 (the HIPAA Rules).

Business Associate may use or disclose PHI only:

• To perform services described in the underlying Order Form or MSA.
• For Business Associate's proper management and administration, or to carry out its legal responsibilities, provided that any disclosure is required by law or the recipient agrees in writing to protect the PHI under terms equivalent to this BAA and to notify Business Associate of any breach.
• To provide data aggregation services relating to Covered Entity's healthcare operations.
• As otherwise permitted by HIPAA, the Order Form, or the express written direction of Covered Entity.

Business Associate will not use or disclose PHI in any manner that would violate the HIPAA Rules if done by Covered Entity.

Business Associate will implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of electronic PHI as required by 45 C.F.R. §164.308, §164.310, §164.312, and §164.316. These include encryption in transit and at rest, role-based access controls, audit logging, continuous monitoring, vulnerability management, and a documented incident-response program.

Business Associate will require all subcontractors that create, receive, maintain, or transmit PHI on its behalf to enter into a written agreement containing terms substantially the same as those imposed on Business Associate by this BAA, in accordance with 45 C.F.R. §164.502(e)(1)(ii) and §164.308(b)(2).

Business Associate will report to Covered Entity, without unreasonable delay and no later than fifteen (15) calendar days after discovery, any:

• Use or disclosure of PHI not provided for by this BAA.
• Security Incident as defined in 45 C.F.R. §164.304.
• Breach of Unsecured PHI as defined in 45 C.F.R. §164.402.

Reports will identify the affected individuals, describe the incident, identify any unauthorized recipient, and describe remediation steps. Routine unsuccessful access attempts (e.g., port scans, blocked logins) are reported in periodic summary form.

Business Associate will, within fifteen (15) calendar days of a request from Covered Entity, provide access to PHI, incorporate amendments, and make available the information required to provide an accounting of disclosures consistent with 45 C.F.R. §164.524, §164.526, and §164.528.

Business Associate will make its internal practices, books, and records relating to the use and disclosure of PHI received from Covered Entity available to the Secretary of Health and Human Services for purposes of determining Covered Entity's compliance with HIPAA, subject to attorney-client and work-product privileges.

This BAA is effective on the date both parties execute the underlying Order Form or MSA and remains in effect until the underlying agreement is terminated. On termination, Business Associate will return or destroy all PHI in accordance with the underlying agreement and applicable record-retention laws. Where return or destruction is infeasible, this BAA's protections survive for as long as Business Associate retains the PHI.

A signed counterpart of the Medonix BAA is provided as part of every customer onboarding. To request a copy in advance for review by your privacy or compliance counsel, contact hello@medonix.io and reference your organization name.