Business Associate Agreement

Article I: Definitions

The following terms shall have the meanings set forth below. Any capitalized terms not defined in this Agreement shall have the meanings assigned under 45 C.F.R. Parts 160 and 164.

• Breach: The unauthorized acquisition, access, use, or disclosure of Protected Health Information that compromises the security or privacy of such information, as further defined under 45 C.F.R. § 164.402.
• Designated Record Set: A collection of records maintained by or for Covered Entity containing medical records, billing records, enrollment information, payment records, claims adjudication data, or other records used to make decisions about individuals, as defined under 45 C.F.R. § 164.501.
• Electronic Protected Health Information (ePHI): Protected Health Information that is transmitted or maintained in electronic media.
• Individual: The person who is the subject of Protected Health Information, including a personal representative as defined under 45 C.F.R. § 164.502(g).
• Privacy Rule: The Standards for Privacy of Individually Identifiable Health Information at 45 C.F.R. Part 160 and Part 164, Subparts A and E.
• Protected Health Information (PHI): Individually identifiable health information transmitted or maintained in any form or medium, excluding certain education records and employment records as specified under 45 C.F.R. § 160.103.
• Required by Law: A mandate contained in law that compels an entity to make a use or disclosure of PHI and that is enforceable in a court of law, including court orders, subpoenas, and statutory or regulatory requirements.
• Secretary: The Secretary of the United States Department of Health and Human Services or their designated representative.
• Security Incident: The attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.
• Security Rule: The Security Standards for the Protection of Electronic Protected Health Information at 45 C.F.R. Part 160 and Part 164, Subparts A and C.
• Services: The membership plan administration, patient engagement, billing, and related services provided by Business Associate through the Smile Pilot platform.
• Subcontractor: A person or entity to whom Business Associate delegates a function, activity, or service involving the creation, receipt, maintenance, or transmission of PHI.
• Unsecured PHI: Protected Health Information that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through encryption or destruction methods specified by the Secretary.

Article II: Obligations of Business Associate

2.1 Permitted Uses and Disclosures

Business Associate agrees to use and disclose PHI solely as necessary to perform the Services under the underlying Service Agreement, as permitted under this BAA, or as required by applicable law. Business Associate shall not use or disclose PHI in any manner that would constitute a violation of the Privacy Rule if performed by Covered Entity, except as specifically authorized herein.

2.2 Minimum Necessary Standard

Business Associate shall limit its use, disclosure, and requests for PHI to the minimum amount necessary to accomplish the intended purpose, in accordance with the minimum necessary requirements of 45 C.F.R. § 164.502(b).

2.3 Safeguards

Business Associate shall implement and maintain appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of PHI. With respect to ePHI, Business Associate shall comply with the applicable requirements of the Security Rule, including:

• Implementing policies and procedures to prevent, detect, contain, and correct security violations
• Conducting periodic risk assessments and implementing appropriate security measures
• Ensuring that workforce members with access to ePHI receive appropriate training
• Implementing access controls and audit controls
• Utilizing encryption and other security technologies as appropriate
• Maintaining contingency plans for responding to emergencies that damage systems containing ePHI

2.4 Reporting Obligations

Business Associate shall report to Covered Entity without unreasonable delay, and in no event later than thirty (30) calendar days following discovery:

• Any use or disclosure of PHI not authorized by this Agreement
• Any Breach of Unsecured PHI, including the identification of each individual whose PHI has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed
• Any Security Incident of which Business Associate becomes aware

Such reports shall include, to the extent available: the nature and extent of the PHI involved; the identification of individuals whose information may have been compromised; the circumstances surrounding the incident; steps taken to mitigate harm; and corrective actions implemented to prevent future occurrences.

2.5 Subcontractors and Agents

Business Associate shall ensure that any agent or subcontractor that creates, receives, maintains, or transmits PHI on behalf of Business Associate agrees in writing to the same restrictions, conditions, and requirements that apply to Business Associate under this Agreement, including the implementation of appropriate safeguards.

2.6 Access to PHI

To the extent Business Associate maintains PHI in a Designated Record Set, Business Associate shall make such information available to Covered Entity within ten (10) business days of a written request, in the form and format requested if reasonably practicable, to enable Covered Entity to fulfill its obligations under 45 C.F.R. § 164.524.

2.7 Amendment of PHI

Business Associate shall make amendments to PHI maintained in a Designated Record Set as directed by Covered Entity within ten (10) business days of receiving such direction, to enable Covered Entity to fulfill its obligations under 45 C.F.R. § 164.526.

2.8 Accounting of Disclosures

Business Associate shall maintain documentation of disclosures of PHI and information related to such disclosures as required for Covered Entity to respond to requests for an accounting of disclosures under 45 C.F.R. § 164.528. Business Associate shall provide such documentation to Covered Entity within thirty (30) days of a written request.

2.9 Government Access

Business Associate shall make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary for purposes of determining Covered Entity's compliance with HIPAA regulations, subject to applicable legal privileges.

2.10 Mitigation

Business Associate agrees to mitigate, to the extent practicable, any harmful effects known to Business Associate resulting from a use or disclosure of PHI in violation of this Agreement.

Article III: Permitted Uses and Disclosures by Business Associate

3.1 Service Performance

Business Associate may use and disclose PHI as necessary to perform the Services specified in the underlying Service Agreement, provided such use or disclosure would not violate the Privacy Rule if performed by Covered Entity.

3.2 Administration and Management

Business Associate may use PHI for its proper management and administration and to fulfill its legal responsibilities, provided that such uses are consistent with this Agreement.

3.3 Disclosure for Administration

Business Associate may disclose PHI for its proper management and administration or to fulfill its legal responsibilities, provided that:

• The disclosure is required by law; or
• Business Associate obtains reasonable assurances from the recipient that the information will be held confidentially, used or disclosed only as required by law or for the purposes for which it was disclosed, and the recipient will notify Business Associate of any instances of which it becomes aware in which the confidentiality of the information has been compromised.

3.4 Data Aggregation

Business Associate may use PHI to provide data aggregation services relating to the healthcare operations of Covered Entity, as permitted under 45 C.F.R. § 164.504(e)(2)(i)(B).

3.5 De-Identification

Business Associate may de-identify PHI in accordance with the standards set forth in 45 C.F.R. § 164.514(a)-(c). De-identified information is not subject to the terms of this Agreement.

Article IV: Obligations of Covered Entity

4.1 Notice of Privacy Practices

Covered Entity shall notify Business Associate of any limitations in its Notice of Privacy Practices under 45 C.F.R. § 164.520 that may affect Business Associate's use or disclosure of PHI.

4.2 Permission Changes

Covered Entity shall notify Business Associate of any changes in, or revocation of, authorization by an Individual to use or disclose PHI, to the extent such changes may affect Business Associate's permitted uses or disclosures.

4.3 Restrictions on Use or Disclosure

Covered Entity shall notify Business Associate of any restrictions on the use or disclosure of PHI to which Covered Entity has agreed or is required to comply under 45 C.F.R. § 164.522, to the extent such restrictions may affect Business Associate's use or disclosure of PHI.

4.4 Permissible Requests

Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under the Privacy Rule if done by Covered Entity, except for uses and disclosures specifically permitted under Article III of this Agreement.

4.5 Authorizations

Covered Entity is responsible for obtaining any necessary authorizations from Individuals for the use and disclosure of PHI in connection with the Services provided under this Agreement.

Article V: Term and Termination

5.1 Term

This Agreement shall become effective upon execution of the underlying Service Agreement and shall remain in effect until the Service Agreement is terminated or expires, unless earlier terminated as provided herein.

5.2 Termination for Cause

Either party may terminate this Agreement and the underlying Service Agreement upon written notice if the other party materially breaches this Agreement and fails to cure such breach within thirty (30) days of receiving written notice of the breach. If cure is not reasonably possible, the non-breaching party may immediately terminate upon written notice.

5.3 Effect of Termination

Upon termination of this Agreement for any reason, Business Associate shall:

• Cease all uses and disclosures of PHI except as authorized herein
• Return to Covered Entity or destroy all PHI received from Covered Entity or created, received, or maintained on behalf of Covered Entity, retaining no copies in any form
• If return or destruction is not feasible, extend the protections of this Agreement to any retained PHI and limit further uses and disclosures to those purposes that make return or destruction infeasible
• Continue to maintain appropriate safeguards for any retained PHI for as long as such PHI is maintained

5.4 Survival

The obligations of Business Associate under Section 5.3 shall survive termination of this Agreement. Additionally, any provisions that by their nature should survive termination shall remain in effect.

Article VI: General Provisions

6.1 Regulatory References

Any reference in this Agreement to a regulatory provision means the provision as in effect or as subsequently amended. The parties agree to negotiate in good faith to amend this Agreement as necessary to comply with changes in HIPAA regulations or other applicable law.

6.2 Amendment

This Agreement may be amended only by a written instrument signed by both parties. The parties agree to take such action as is necessary to amend this Agreement to comply with applicable law.

6.3 Interpretation

Any ambiguity in this Agreement shall be resolved in favor of a meaning that permits both parties to comply with HIPAA regulations and other applicable privacy and security laws.

6.4 No Third-Party Beneficiaries

Nothing in this Agreement shall confer upon any person other than the parties and their respective successors and permitted assigns any rights or remedies under this Agreement. However, Individuals whose PHI is subject to this Agreement shall be entitled to the protections afforded by applicable law.

6.5 Indemnification

Each party agrees to indemnify, defend, and hold harmless the other party from and against any claims, losses, damages, costs, and expenses (including reasonable attorneys' fees) arising from or related to the indemnifying party's material breach of this Agreement, violation of HIPAA regulations, or gross negligence or willful misconduct in connection with PHI.

6.6 Limitation of Liability

Except for breaches involving PHI, gross negligence, or willful misconduct, neither party shall be liable to the other for any indirect, incidental, special, consequential, or punitive damages arising out of or related to this Agreement, regardless of whether such damages were foreseeable or whether a party has been advised of the possibility of such damages.

6.7 Waiver

The failure of either party to enforce any provision of this Agreement shall not constitute a waiver of future enforcement of that or any other provision. Any waiver must be in writing and signed by the waiving party.

6.8 Severability

If any provision of this Agreement is found to be invalid or unenforceable, the remaining provisions shall continue in full force and effect. The invalid or unenforceable provision shall be modified to the minimum extent necessary to make it valid and enforceable while preserving the parties' original intent.

6.9 Entire Agreement

This Agreement, together with the underlying Service Agreement, constitutes the entire agreement between the parties with respect to the subject matter hereof and supersedes all prior agreements, representations, and understandings, whether written or oral.

6.10 Governing Law

This Agreement shall be governed by and construed in accordance with federal law and, to the extent not preempted by federal law, the laws of the State of Utah, without regard to its conflict of laws principles.

6.11 Notices

All notices required or permitted under this Agreement shall be in writing and shall be delivered by hand, sent by certified mail (return receipt requested), or sent by nationally recognized overnight courier to the addresses specified in the underlying Service Agreement. Notices to Business Associate may also be sent to:

Benefit Administrative Solutions Inc.
DBA: Smile Pilot
Mailing Address: P.O. Box 424
Smithfield, UT 84335
Attention: Privacy Officer
Email: privacy@mysmilepilot.com

Article VII: Security Specifications

Business Associate represents and warrants that it maintains the following security measures to protect ePHI:

7.1 Administrative Safeguards

• Designated security official responsible for developing and implementing security policies
• Workforce security procedures including background checks and access authorization
• Security awareness and training programs for all workforce members
• Security incident procedures for identifying, responding to, and mitigating security incidents
• Contingency planning including data backup, disaster recovery, and emergency mode operation plans
• Periodic evaluation of security policies and procedures

7.2 Physical Safeguards

• Facility access controls to limit physical access to electronic information systems
• Workstation security policies specifying proper use and physical safeguards
• Device and media controls for the receipt, removal, and disposal of hardware and electronic media

7.3 Technical Safeguards

• Access controls including unique user identification, emergency access procedures, automatic logoff, and encryption
• Audit controls to record and examine access and activity in systems containing ePHI
• Integrity controls to protect ePHI from improper alteration or destruction
• Transmission security including encryption of ePHI transmitted over electronic networks

Contact Information

For questions about this Business Associate Agreement or to report a potential privacy or security concern, please contact:

Benefit Administrative Solutions Inc.
DBA: Smile Pilot
Mailing Address: P.O. Box 424
Smithfield, UT 84335
Attention: Privacy Officer
Email: privacy@mysmilepilot.com
General Inquiries: info@mysmilepilot.com