Business Associate Agreement

HIPAA compliance requirements for contractors and business partners

Last updated: November 5, 2025
Effective Date: November 5, 2025

1. Introduction

This Business Associate Agreement ("Agreement") is entered into between Above Health, Inc. ("Covered Entity") and the contracting party ("Business Associate") to ensure compliance with the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), including the Privacy Rule, Security Rule, and Breach Notification Rule.

2. Definitions

  • Protected Health Information (PHI): Individually identifiable health information transmitted or maintained by Business Associate on behalf of Covered Entity.
  • Breach: The acquisition, access, use, or disclosure of PHI in a manner not permitted by this Agreement that compromises the security or privacy of PHI.
  • Security Incident: The attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations.
  • Minimum Necessary: The minimum amount of PHI necessary to accomplish the intended purpose of use, disclosure, or request.

3. Permitted Uses and Disclosures

3.1 Authorized Activities

Business Associate may use or disclose PHI only as permitted by this Agreement and as required to:

  • Perform healthcare operations, administrative functions, or data analysis services on behalf of Covered Entity
  • Provide healthcare technology services, software development, or system maintenance
  • Conduct marketing, consulting, or business intelligence services as specifically authorized
  • Comply with legal requirements under applicable state and federal law

3.2 Prohibited Uses

Business Associate shall not:

  • Use or disclose PHI for any purpose other than those specifically authorized in this Agreement
  • Use PHI for marketing purposes without written authorization from the individual
  • Sell PHI or receive direct or indirect remuneration for PHI
  • Combine PHI received from Covered Entity with other information for unauthorized purposes

4. Safeguarding Requirements

4.1 Administrative Safeguards

  • Security Officer: Designate a security officer responsible for developing and implementing security policies
  • Workforce Training: Ensure all personnel with PHI access receive appropriate HIPAA training
  • Access Management: Implement procedures for granting, modifying, and terminating PHI access
  • Incident Response: Establish procedures for responding to security incidents and breaches

4.2 Physical Safeguards

  • Facility Access: Limit physical access to facilities, workstations, and media containing PHI
  • Device Controls: Implement controls for electronic devices and media that contain PHI
  • Disposal: Securely dispose of PHI-containing materials when no longer needed

4.3 Technical Safeguards

  • Access Control: Implement unique user identification, emergency access procedures, automatic logoff, and encryption
  • Audit Controls: Implement hardware, software, and procedural mechanisms that record access to PHI
  • Data Integrity: Ensure PHI is not improperly altered or destroyed
  • Transmission Security: Implement end-to-end encryption for PHI transmitted over open networks

5. Minimum Necessary Standard

Business Associate agrees to request, use, and disclose only the minimum amount of PHI necessary to accomplish the intended purpose. This includes implementing policies and procedures to limit access to PHI to the minimum necessary for each workforce member's job function.

6. Individual Rights

6.1 Access Rights

Business Associate agrees to provide access to PHI when requested by Covered Entity to fulfill individual access rights under HIPAA within 30 days of the request.

6.2 Amendment Rights

Business Associate agrees to amend PHI when requested by Covered Entity to fulfill individual amendment rights under HIPAA within 60 days of the request.

6.3 Accounting of Disclosures

Business Associate agrees to maintain records of PHI disclosures and provide an accounting when requested by Covered Entity within 60 days.

7. Subcontractor Requirements

Business Associate agrees that any subcontractors or third parties that will have access to PHI will enter into a written agreement containing the same restrictions, conditions, and requirements that apply to Business Associate under this Agreement.

8. Breach Notification

8.1 Discovery and Notification

Business Associate shall notify Covered Entity of any breach of PHI immediately upon discovery, but no later than 24 hours after becoming aware of the breach.

8.2 Breach Investigation

Business Associate shall conduct a thorough investigation of any breach and provide Covered Entity with:

  • A description of what happened and when the breach was discovered
  • A description of the types of PHI involved in the breach
  • The number of individuals affected and identification of those individuals
  • A description of steps taken to mitigate the harmful effects
  • Contact information for follow-up questions

9. Security Incident Response

Business Associate shall immediately report any security incidents, including but not limited to:

  • Unauthorized access attempts or successful breaches
  • Malware infections affecting PHI systems
  • Loss or theft of devices containing PHI
  • Unauthorized disclosure of PHI by workforce members
  • Any other events that could compromise PHI security

10. Return or Destruction of PHI

Upon termination of this Agreement, Business Associate shall either return or destroy all PHI received from, created, or received on behalf of Covered Entity. If return or destruction is not feasible, Business Associate shall extend protections of this Agreement to such PHI and limit further uses and disclosures.

11. Compliance and Auditing

11.1 Compliance Monitoring

Business Associate agrees to cooperate with reasonable compliance monitoring activities conducted by Covered Entity, including security assessments and audits.

11.2 Documentation

Business Associate shall maintain documentation of all security measures, policies, and procedures related to PHI protection for a minimum of six (6) years.

11.3 Certification

Business Associate shall provide annual written certification of ongoing compliance with HIPAA requirements and this Agreement.

12. Liability and Indemnification

12.1 Mutual Responsibility

Each party is responsible for its own compliance with applicable HIPAA requirements and shall indemnify the other party for violations arising from its own actions or omissions.

12.2 Limitation of Liability

Neither party shall be liable for indirect, special, incidental, or consequential damages, except in cases involving willful misconduct or violations of this Agreement.

13. Term and Termination

13.1 Term

This Agreement shall remain in effect for the duration of the underlying service agreement between the parties, unless earlier terminated in accordance with this section.

13.2 Termination for Cause

Either party may terminate this Agreement immediately upon written notice if:

  • The other party materially breaches this Agreement and fails to cure within 30 days
  • A breach involves willful misconduct or repeated violations
  • Cure is not possible or feasible

13.3 Effect of Termination

Upon termination, all obligations regarding PHI protection, return, or destruction shall survive, and Business Associate shall cease all use and disclosure of PHI.

14. Regulatory Changes

This Agreement shall be amended as necessary to comply with changes to HIPAA regulations or other applicable privacy and security laws. Both parties agree to negotiate such amendments in good faith.

15. Dispute Resolution

Any disputes arising under this Agreement shall be resolved through binding arbitration in accordance with the rules of the American Arbitration Association, conducted in California.

16. Governing Law

This Agreement shall be governed by and construed in accordance with the laws of the State of California, without regard to conflict of law principles.

17. Entire Agreement

This Agreement represents the complete agreement between the parties regarding PHI protection and supersedes all prior negotiations, representations, or agreements relating to this subject matter.

Contact Information

Privacy Officer
Above Health, Inc.
Email: privacy@above.health
Phone: 1-800-ABOVE-1

Legal Department
Email: legal@above.health

For questions about this Business Associate Agreement or HIPAA compliance requirements, please contact our Privacy Officer.