Business Associate Agreement

This Business Associate Agreement (the “Agreement”) shall be incorporated into the Terms of Service for Customers that are Covered Entities (as defined in the HIPAA Rules) and that provide Protected Health Information (“PHI”) (as defined in the HIPAA Rules) to Tebra Technologies, Inc. and its subsidiaries (“Tebra” or “Business Associate”) in connection with the software and services they have purchased.

    1. Definitions. Capitalized terms used, but not otherwise defined, in this Agreement (which includes, without limitation, this BA Agreement) shall have the same meaning as those terms used in HIPAA, and if no such definition is provided in such rules, then the meaning shall be that given to such capitalized term in the Agreement to which this BA Agreement is an Exhibit.
    2. Obligations and Activities of Tebra.
        1. Tebra agrees to not use or further disclose Protected Health Information received from or on behalf of Client or created for Client (collectively, “PHI”) other than as permitted or required by this Agreement or as Required By Law. When Tebra uses or discloses PHI, Tebra will limit PHI to the minimum amount of PHI reasonably necessary to accomplish the intended purpose of such use or disclosure.
        2. Tebra agrees to use appropriate safeguards to prevent use or disclosure of the PHI other than as provided for by this Agreement and this BA Agreement, including implementing administrative, physical, and technical safeguards that reasonably and appropriately protect the Confidentiality, Integrity, and Availability of the PHI in electronic media (“ePHI”) that it creates, receives, maintains, or transmits on behalf of Client. Tebra further agrees to comply with the requirements of the HIPAA Security Rule.
        3. Tebra agrees to mitigate, to the extent commercially practicable, any harmful effect that is known to Tebra of a use or disclosure of PHI by Tebra in violation of the requirements of this Agreement or this BA Agreement.
        4. Tebra agrees to report to Client any use or disclosure of PHI that is not provided for by this Agreement or this BA Agreement of which it becomes aware. Tebra also agrees to notify Client of any Breach of Unsecured PHI in accordance with 45 C.F.R. § 164.410; such notification shall be made without unreasonable delay and in no event later than 60 calendar days after discovery, as defined in 45 C.F.R. § 164.410(a)(2) and shall comply with the requirements of the HIPAA Breach Notification Rule. Tebra shall also, without unreasonable delay, but in no event later than 60 calendar days after becoming aware of any Security Incident that is not an Unsuccessful Security Incident (as defined herein), report the successful Security Incident to Client. Client acknowledges that Tebra experiences Unsuccessful Security Incidents from time to time. Client acknowledges receipt of this report of Unsuccessful Security Incidents. “Unsuccessful Security Incident” means an immaterial Security Incident that does not involve an unauthorized use or disclosure of Unsecured Protected Health Information.
        5. Client acknowledges that Tebra may use Subcontractors. Tebra agrees to ensure that any Subcontractor to whom it provides PHI received from, or created or received by Tebra on behalf of, Client agrees to substantially the same restrictions and conditions that apply through this BA Agreement to Tebra with respect to such information.
        6. Tebra agrees to provide access, at the request of Client, to PHI in a Designated Record Set to Client in order to meet the requirements under 45 C.F.R. § 164.524, by making the Hosted Programs available to Client under this Agreement.
        7. Tebra agrees to make any amendment(s) to PHI in a Designated Record Set that the Client directs or agrees to pursuant to 45 C.F.R. § 164.526 by making the Hosted Programs available to Client under this Agreement.
        8. Tebra agrees to make internal practices, books, and records, including policies and procedures and PHI, relating to the use and disclosure of PHI received from, or created or received by Tebra on behalf of, Client available to the Secretary, in a time and manner designated by the Client or the Secretary and not materially disruptive of Tebra’s operations or business, for the purposes of the Secretary determining Client’s or Tebra’s compliance with the HIPAA Privacy Rule. All information provided by Tebra pursuant to this provision shall remain Confidential Information under this Agreement and subject to the restrictions on disclosure of such information as set forth therein.
        9. Tebra agrees to document such disclosures of PHI and information related to such disclosures as would be required for Client to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528, and to reasonably cooperate with Client in responding to such requests.
        10. Tebra agrees to provide to Client or, at Client’s direction, to an Individual, information collected in accordance with Section 2.9 of this BA Agreement, to permit Client to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528. All information provided by Tebra pursuant to this provision shall remain Confidential Information under this Agreement and subject to the restrictions on disclosure of such information as set forth therein.
        11. To the extent Tebra carries out any of Client’s obligations under the HIPAA Privacy Rule, Tebra shall comply with the requirements of the HIPAA Privacy Rule that apply to Client in the performance of such obligations, provided that Client advises Tebra of such obligations which are not included in the Services under this Agreement and agrees to a fee for Tebra’s performance of such obligations in accordance with Section 2.12.
        12. If, in the performance of its obligations set forth in Sections 2.8 through 2.11 (inclusive), and Sections 5.1 through 5.3 (inclusive), Tebra expends time and materials that are materially in addition to the Services to be provided by Tebra pursuant to this Agreement, Tebra shall provide Client with an estimate of the fees for such time and materials. Upon the mutual agreement by Client and Tebra as to the fees to be charged by Tebra for such time and materials, Tebra shall invoice Client on a time and materials basis at the agreed-upon rate(s), and Client shall pay Tebra all such fees in accordance with the payment terms of this Agreement.
    3. Permitted Uses and Disclosures by Tebra. Except as otherwise limited in this BA Agreement, Tebra may use or disclose PHI to perform functions, activities, or services for, or on behalf of, Client as specified in this Agreement, provided that such use or disclosure would not violate the HIPAA Privacy Rule if done by Client or the minimum necessary policies and procedures of the Client of which Tebra has been informed.
    4. Specific Use and Disclosure Provisions.
      1. Except as otherwise limited in this BA Agreement, Tebra may use PHI for the proper management and administration of Tebra or to carry out the legal responsibilities of Tebra.
      2. Except as otherwise limited in this BA Agreement, Tebra may disclose PHI for the proper management and administration of Tebra, provided that disclosures are Required by Law, or Tebra obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as Required by Law or for the purpose for which it was disclosed to the person, and the person notifies Tebra of any instances of which it is aware in which the confidentiality of the information has been breached.
      3. Except as otherwise limited in this BA Agreement, Tebra may use and disclose PHI to provide Data Aggregation services to Client and other Covered Entities as permitted by 42 C.F.R. § 164.504(e)(2)(i)(B).
      4. Tebra may use PHI to create de-identified health information in accordance with the HIPAA Privacy Rule’s de-identification standards and use and disclose the de-identified health information for commercial purposes and any other purposes not prohibited by Applicable Law. Client agrees that Tebra shall be the exclusive owner of any de-identified health information.
    5. Obligations of Client.
      1. Client shall provide Tebra with any limitations in its notice of privacy practices of Client in accordance with 45 C.F.R. § 164.520, to the extent that such limitation may affect Tebra’s use or disclosure of PHI.
      2. Client shall provide Tebra with any changes in, or revocation of, permission by Individual to use or disclose PHI, to the extent that such changes may affect Tebra’s use or disclosure of PHI.
      3. Client shall notify Tebra in writing of any restriction to the use or disclosure of PHI that Client has agreed to in accordance with 45 C.F.R. § 164.522, to the extent that such restriction may affect Tebra’s use or disclosure of PHI.
      4. Client shall not request Tebra to use or disclose PHI in any manner that would not be permissible under the HIPAA Privacy Rule if done by Client.
      5. Except as provided herein, upon termination of this BA Agreement for any reason, Tebra shall return or destroy all Company’s PHI in accordance with 45 CFR 164.504(e)(2)(ii)(I) or created or received by Tebra on behalf of Company, and shall retain no copies of the PHI. If Tebra is required by law to retain a copy of such information, Tebra will maintain the PHI for the requisite period required by law, after which Tebra shall return or destroy the Company’s PHI. This provision extends to all PHI that may be in the possession of Tebra’s employees, agents, subagents, or contractors.
      6. If it is infeasible for Tebra to return or destroy the PHI upon termination of this BA Agreement, Tebra shall: (a) extend the protections of this Agreement to such PHI and (b) limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Tebra maintains such PHI.
    6. Term and Termination.
      1. Term. The Term of this BA Agreement shall be effective as of the Activation Date contemplated by this Agreement, and shall terminate when all of the PHI provided by Client to Tebra, or created or received by Tebra on behalf of Client, is destroyed or returned to Client, or, if it is infeasible to return or destroy PHI, protections are extended to such information, in accordance with the termination provisions in this Section.
      2. Termination For Cause. In addition to any termination rights set forth in this Agreement, in the event of a material breach of this BA Agreement, the non-breaching party shall provide the breaching party with a written notice describing the breach and an opportunity to cure the breach. If the breaching party does not cure the breach or end the violation within sixty (60) days, the non-breaching party may terminate this Agreement (including the BA Agreement) by providing thirty (30) days written notice of termination.
      3. Termination upon Issuance of Guidance or Change In Law. If the Secretary provides additional guidance, clarification or interpretation on the HIPAA Privacy Rule, or there is a change or supplement to the HIPAA statutes or regulations (both referred to as a “HIPAA Change”), such that a party hereto determines that the service relationship between Tebra and Client is no longer a Business Associate relationship as defined in HIPAA, such party shall provide written notice to the other party of the HIPAA Change, and upon mutual agreement of the parties that the HIPAA Change renders this BA Agreement unnecessary, this BA Agreement shall terminate and be null and void.
      4. Effect of Termination.
        1. Except as provided in paragraph (B) of this subsection, upon termination of this BA Agreement, for any reason, Tebra shall return or destroy all PHI received from Client, or created or received by Tebra on behalf of Client in accordance with Section 5.5 of this Agreement. This provision shall apply to PHI that is in the possession of Subcontractors of Tebra.
        2. In the event that Tebra determines that returning or destroying the PHI is infeasible, Tebra shall extend the protections of this BA Agreement to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Tebra maintains such PHI. Without limiting the generality of the foregoing, Client acknowledges and agrees that Tebra may determine that it is infeasible to return or destroy the PHI if Tebra is required to retain the PHI by Applicable Law or Tebra’s document retention policies. In addition, Tebra may delay return or destruction of PHI until Client has confirmed in writing that Client has successfully exported (or otherwise received) the PHI.
        3. Return, destruction, or if infeasible, retention of PHI upon termination of this Agreement shall be governed by Sections 5.5 and 5.6 of this Agreement.
    7. Miscellaneous.
      1. Client Rights and Remedies Upon Breach By Tebra. In the event Tebra fails to perform its obligations hereunder or otherwise breaches this BA Agreement, Client may exercise all rights and remedies available to it under this Agreement, subject to applicable limitations of liability set forth in this Agreement or such other conditions as may apply to Client rights or remedies.
      2. Payment Processing. Client acknowledges and agrees that (i) this BA Agreement does not apply to payment processing under HIPAA Section 1179 (42 USC 1320d-8), and (ii) a Business Associate Agreement is not required between Tebra and its Subcontractors that only provide products and services related to payment processing.
      3. Amendment. The parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for Client or Tebra to comply with HIPAA. If, following good faith negotiations that shall not exceed ninety (90) calendar days from the date of the request for negotiations, the parties are unable to agree on the modifications to the terms of this Agreement that may be necessary or appropriate in order for Client or Tebra to comply with HIPAA, either party shall have the right to terminate this Agreement without cause as of a date specified in a notice of termination, such date to be no less than thirty days following the effective date of such notice.
      4. Survival. The respective rights and obligations of Tebra under Section 6.4 of this BA Agreement shall survive the termination of this Agreement.
      5. Interpretation. Any ambiguity in this BA Agreement shall be resolved in favor of a meaning that permits Client and Tebra to comply with HIPAA.
      6. Regulatory References. A reference in this BA Agreement to a section in HIPAA means the section as in effect or as amended.
      7. Conflict. In the event of any conflict between the terms and conditions of this BA Agreement and the terms and conditions of the other provisions of this Agreement, this BA Agreement shall prevail.

Last Updated: March 17, 2025