Ambiki Business Associate Agreement

BUSINESS ASSOCIATE AGREEMENT

This Agreement (“Agreement”) is made and entered into at the date and time you begin an Ambiki trial subscription or purchase a subscription and is between you (“Covered Entity”) and SF AMBI, LLC d/b/a Ambitious Idea Labs with its principal place of business at 251 Little Falls Drive, Wilmington, DE 19808 (“Business Associate”), (individually, a “Party” and collectively, the “Parties”).

WITNESSETH:

WHEREAS, Covered Entity and Business Associate have entered into a documented agreement and/or other arrangement (collectively, the “Services Agreement”) pursuant to which Business Associate provides products and/or services to Covered Entity (“Services”) that may require Business Associate to access, create and use health information that is protected by state and/or federal law; and

WHEREAS, Business Associate will require access to Protected Health Information (“PHI”) in connection with providing the Services to the Covered Entity under the Services Agreement; and

WHEREAS, Covered Entity and Business Associate desire to enter into this Agreement to reflect their mutual understanding of the use, disclosure and general confidentiality obligations of Business Associate as it relates and applies to the Services Agreement, as well as to allow Covered Entity to fully comply with the requirements of the Health Insurance Portability and Accountability Act of 1996, the “Privacy Rule” (45 CFR Parts 160 and 164, subparts A and E) and the “Security Rule” (45 CFR Part 164, subparts A and C), as amended by the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”), and the January 2013 Omnibus Rule (collectively “HIPAA”) and the various statutes and regulations that may amend, alter or expand the scope of HIPAA.

THEREFORE, in consideration of the Parties' continuing obligations involved in the purchase and sales of Services, compliance with the HIPAA Security and Privacy Rule, and other good and valuable consideration, the receipt and sufficiency of which is hereby acknowledged, the Parties agree to the provisions of this Agreement in order to address the requirements of the HIPAA Security and Privacy Rule and to protect the interests of both Parties.

Business Associate acknowledges and agrees that all Protected Health Information that is created or received by Covered Entity and disclosed or made available in any form, including paper record, oral communication, audio recording, video recording, and electronic display by Covered Entity or its operating units to Business Associate or is created or received by Business Associate on Covered Entity's behalf shall be subject to this Agreement.

I. DEFINITIONS

Except as otherwise defined herein, any and all capitalized terms in this Section shall have the definitions set forth in the HIPAA Security and Privacy Rule. In the event of an inconsistency between the provisions of this Agreement and mandatory provisions of the HIPAA Security and Privacy Rule, as amended, the HIPAA Security and Privacy Rule shall control. Where provisions of this Agreement are different than those mandated in the HIPAA Security and Privacy Rule, but are nonetheless permitted by the HIPAA Security and Privacy Rule, the provisions of this Agreement shall control; provided, however, obligations hereunder deriving from the Security Regulations shall be applicable to the Parties as of the Security Regulations Effective Date.

The term “Protected Health Information” or “PHI” means individually identifiable health information including, without limitation, all information, data, documentation, and materials, including without limitation, demographic, medical and financial information, that relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and that identifies the individual or with respect to which there is a reasonable basis to believe the information can be used to identify the individual. “Protected Health Information” includes without limitation “Electronic Protected Health Information” as defined below.

The term “Electronic Protected Health Information” or “E-PHI/e-PHI” means Protected Health Information which is transmitted by Electronic Media (as defined in the HIPAA Security and Privacy Rule) or maintained in Electronic Media.

The term “Covered Entity” means Organization, School, Clinic, or Individual Subscriber, or user of Ambiki, Ambiki Platform and related services.

The term “Business Associate” means the Ambiki Web Application and Service.

II. CONFIDENTIALITY AND SECURITY REQUIREMENTS

  1. Business Associate agrees:
    1. to use or disclose any Protected Health Information solely:
      1. for meeting its obligations as set forth in any agreements between the Parties evidencing their business relationship, or
      2. as required by applicable law, rule or regulation, or by accrediting or credentialing organization to whom Covered Entity is required to disclose such information or as otherwise permitted under this Agreement or the HIPAA Security and Privacy Rule, and
      3. as would be permitted by the HIPAA Security and Privacy Rule if such use or disclosure were made by Covered Entity;
    2. at termination of this Agreement, or any other business relationship between the Parties, or upon request of Covered Entity, whichever occurs first, if feasible, Business Associate will return or destroy all Protected Health Information received from or created or received by Business Associate on behalf of Covered Entity that Business Associate still maintains in any form and retain no copies of such information, or if such return or destruction is not feasible, Business Associate will extend the protections of this Agreement to the information and limit further uses and disclosures to those purposes that make the return or destruction of the information not feasible; and
    3. to ensure that its agents, including a subcontractor, to whom it provides Protected Health Information received from or created by Business Associate on behalf of Covered Entity, agrees to the same restrictions and conditions that apply to Business Associate with respect to such information, and agrees to implement reasonable and appropriate safeguards to protect any of such information which is Electronic Protected Health Information. In addition, Business Associate agrees to take reasonable steps to ensure that its employees' actions or omissions do not cause Business Associate to breach the terms of this Agreement.
  2. Notwithstanding the prohibitions set forth in this Agreement, Business Associate may use and disclose Protected Health Information as follows:
    1. if necessary, for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate, provided that as to any such disclosure, the following requirements are met:
      1. the disclosure is required by law; or
      2. Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will be held confidentially and used or further disclosed only as required by law or for the purpose for which it was disclosed to the person, and the person notifies Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached;
    2. for data aggregation services, if to be provided by Business Associate for the health care operations of Covered Entity pursuant to any agreements between the Parties evidencing their business relationship. For purposes of this Agreement, data aggregation services means the combining of Protected Health Information by Business Associate with the protected health information received by Business Associate in its capacity as a business associate of another covered entity, to permit data analyses that relate to the health care operations of the respective covered entities.
  3. Business Associate will implement appropriate safeguards to prevent use or disclosure of Protected Health Information other than as permitted in this Agreement. Business Associate will implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of any Electronic Protected Health Information that it creates, receives, maintains, or transmits on behalf of Covered Entity as required by the HIPAA Security and Privacy Rule, as amended by the HITECH Act, and the January 2013 Omnibus Rule (“HIPAA”), as well as any statutes or regulations that may amend, alter, or expand the scope of HIPAA.
  4. The Secretary of Health and Human Services shall have the right to audit Business Associate's records and practices related to use and disclosure of Protected Health Information to ensure Covered Entity's compliance with the terms of the HIPAA Security and Privacy Rule.
  5. Business Associate shall report to Covered Entity any use or disclosure of Protected Health Information which is not in compliance with the terms of this Agreement of which it becomes aware within forty-eight (48) hours of discovery. Such notification to include: the nature of the non-permitted use or disclosure, identification of the Protected Health Information used or disclosed, and if possible, the identity of the person/entity who improperly received the non-permitted disclosure. Business Associate shall report to Covered Entity any Security Incident of which it becomes aware. For purposes of this Agreement, “Security Incident” is as defined at 45 C.F.R. Part 164, Subpart D (the “Breach Notification Rule”). In addition, Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of Protected Health Information by Business Associate in violation of the requirements of this Agreement.
  6. Covered Entity agrees:
    1. That it is the sole responsibility of Covered Entity to ensure that appropriate mechanisms, as provided by Business Associate, are used to secure Protected Health Information while in transit from Covered Entity to Business Associate or from Business Associate to Covered Entity, including, without limitation, to utilize secure transport methods and not to utilize their account in such a way as to send or receive Protected Health Information via unencrypted email transport.
    2. That Business Associate will have no responsibility for any unauthorized use or disclosure of Protected Health Information that occurs while the information is in transit from Business Associate to Covered Entity or from Covered Entity to Business Associate.
    3. The obligations of Covered Entity under this Section '(f)' shall survive the expiration, termination, or cancellation of this Agreement, and/or the business relationship of the Parties, and shall continue to bind Covered Entity, its agents, employees, contractors, successors, and assigns as set forth herein.

III. AVAILABILITY OF PHI

Business Associate agrees to make available Protected Health Information to the extent and in the manner required by Section 164.524 of the HIPAA Security and Privacy Rule. Business Associate agrees to make Protected Health Information available for amendment and incorporate any amendments to Protected Health Information in accordance with the requirements of Section 164.526 of the HIPAA Security and Privacy Rule. In addition, Business Associate agrees to make Protected Health Information available for purposes of accounting of disclosures, as required by Section 164.528 of the HIPAA Security and Privacy Rule.

IV. TERMINATION

Notwithstanding anything in this Agreement to the contrary, either Party shall have the right to terminate this Agreement immediately if that Party determines that the other Party has violated any material term of this Agreement. If Party reasonably believes that the other Party will violate a material term of this Agreement and, where practicable, Party gives written notice to the other Party of such belief within a reasonable time after forming such belief, and the other Party fails to provide adequate written assurances to Party that it will not breach the cited term of this Agreement within a reasonable period of time given the specific circumstances, but in any event, before the threatened breach is to occur, then Party shall have the right to terminate this Agreement and any other agreement between the Parties immediately.

V. MISCELLANEOUS

Except as expressly stated herein or the HIPAA Security and Privacy Rule, the Parties to this Agreement do not intend to create any rights in any third parties. The obligations of Parties under this Section shall survive the expiration, termination, or cancellation of this Agreement, and/or the business relationship of the Parties, and shall continue to bind Parties, their agents, employees, contractors, successors, and assigns as set forth herein.

This Agreement may be amended or modified only in a writing signed by the Parties. No Party may assign its respective rights and obligations under this Agreement without the prior written consent of the other Party. None of the provisions of this Agreement are intended to create, nor will they be deemed to create any relationship between the Parties other than that of independent parties contracting with each other solely for the purposes of effecting the provisions of this Agreement and any other agreements between the Parties evidencing their business relationship.

This Agreement shall be governed by and construed in accordance with the laws of the State of Delaware, without regard to its conflict of law provisions, and the Parties hereby consent and attorn to the exclusive jurisdiction of such State and agree that all disputes shall be tried in the State of Delaware.

No change, waiver or discharge of any liability or obligation hereunder on any one or more occasions shall be deemed a waiver of performance of any continuing or other obligation, or shall prohibit enforcement of any obligation, on any other occasion.

The Parties agree that, in the event that any documentation of the arrangement pursuant to which Business Associate provides services to Covered Entity contains provisions relating to the use or disclosure of Protected Health Information which are more restrictive than the provisions of this Agreement, the provisions of the more restrictive documentation will control. The provisions of this Agreement are intended to establish the minimum requirements regarding Business Associate's use and disclosure of Protected Health Information.

In the event that any provision of this Agreement is held by a court of competent jurisdiction to be invalid or unenforceable, the remainder of the provisions of this Agreement will remain in full force and effect. In addition, in the event a Party believes in good faith that any provision of this Agreement fails to comply with the then-current requirements of the HIPAA Security and Privacy Rule, such Party shall notify the other Party in writing. For a period of up to thirty days, the Parties shall address in good faith such concern and amend the terms of this Agreement, if necessary to bring it into compliance. If, after such thirty-day period, the Agreement fails to comply with the HIPAA Security and Privacy Rule, then either Party has the right to terminate upon written notice to the other Party.

IN WITNESS WHEREOF, the Parties have executed this Agreement as of the day and year first written above.

Version 1.0