Ursa Health Business Associate Agreement

Last Updated: January 9, 2024

This Business Associate Agreement (this “Agreement”) is made effective as of the Effective Date of the Cover Sheet, and is entered into between Customer (“Covered Entity”) and Ursa Health, LLC (“Business Associate”). Covered Entity and Business Associate each are from time to time individually referred to herein as a “Party” and collectively as the “Parties.”

WHEREAS, Covered Entity and Business Associate have entered into, are entering into simultaneously herewith and/or may subsequently enter into agreements or other documented arrangements, including, but not limited to, a software license agreement (as the same may be amended, restated and supplemented from time to time, collectively, the “Underlying Agreement”);

WHEREAS, in connection with the Underlying Agreement, Business Associate performs or may perform functions or activities on behalf of, or provides or may provide certain services to (collectively, the “Services”), Covered Entity that involve Business Associate creating, receiving, maintaining, transmitting or otherwise using or disclosing protected health information, as such term is defined in 45 C.F.R. Part 160.103 (the “PHI”);

WHEREAS, the PHI is subject to protection under the Health Insurance Portability and Accountability Act of 1996 and the regulations promulgated thereunder, including, without limitation, the Privacy, Security, Breach Notification and Enforcement Rules at 45 C.F.R. Parts 160 to 164, each as amended from time to time, including as either have been amended by Subtitle D of the Health Information Technology for Economic and Clinical Health Act of 2009 and its implementing regulations (collectively, “HIPAA”); and

WHEREAS, HIPAA requires the Parties to enter into this Agreement and the Parties further desire to comply with HIPAA and the standards for privacy and security of the PHI set forth therein.

NOW THEREFORE, in consideration of the foregoing recitals and the mutual covenants and premises contained herein, the Parties, intending to be legally bound, hereby agree as follows:

1. Definitions; Recitals

Terms used, but not otherwise defined, in this Agreement have the respective meanings given to such terms in the regulations promulgated under HIPAA. The recitals to this Agreement are incorporated herein as if fully set forth below.

2. Ambiguity; Priority of Agreement

The Parties agree that any ambiguity in this Agreement shall be resolved in favor of a meaning that permits the Parties to comply with HIPAA. If any portion of this Agreement is inconsistent with the terms of the Underlying Agreement, then the terms of this Agreement shall prevail and govern in all respects. Except as set forth above, the remaining portions of the Underlying Agreement are adopted herein in their entirety.

3. Business Associate Obligations

3.1 Permitted Uses and Disclosures. Except as otherwise limited in this Agreement, Business Associate is permitted to use or disclose the PHI to (1) perform functions, activities or services for or on behalf of Covered Entity as specified in the Underlying Agreement, provided that such use or disclosure would not violate HIPAA if made by Covered Entity, (2) as required by law and (3) as expressly permitted by this Agreement. In furtherance of (3) above, Business Associate is expressly permitted to use or disclose the PHI:

(a) for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate, provided, however, that any disclosure made by Business Associate pursuant to this Section 3.1(a) must: (i) be “required by law”, as that term is defined in 45 C.F.R. Part 164.103; or (ii) occur only after Business Associate (A) has obtained reasonable assurances from the person to whom the PHI is disclosed that it will remain confidential and be used or further disclosed only as required by law or for the purpose for which it was disclosed to the person and (B) has obtained the agreement from the person to whom the PHI is disclosed that such person will notify Business Associate of any instances of which such person becomes aware in which the confidentiality of the PHI has been breached;

(b) to provide data aggregation services, as that term is defined in 45 C.F.R. Part 164.501, related to the health care operations of Covered Entity; and

(c) to report violations of law to appropriate federal and state authorities, consistent with 45 C.F.R. Part 164.502(j)(1).

Notwithstanding the foregoing, Business Associate shall not use or disclose the PHI in a manner that violates HIPAA.

3.2 Restrictions; Minimum Necessary. Business Associate shall only use and disclose the PHI for the purposes permitted by this Agreement and will abide by any restrictions on the PHI, to the extent that Business Associate is made aware of such restrictions by Covered Entity, relating to the use or disclosure of the PHI which Covered Entity has agreed upon or is required to abide with by HIPAA. In performing services in accordance with this Agreement and the Underlying Agreement, each Party shall take reasonable steps to limit the use or disclosure of, and requests for, the PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure or request.

3.3 Use of Subcontractors. Whenever Business Associate uses a “business associate” or a “subcontractor”, each as defined in 45 C.F.R. Part 160.103 (a “Subcontractor”), to accomplish Business Associate’s duties under the Underlying Agreement or this Agreement and such Subcontractor creates, receives, maintains or transmits, or may create, receive, maintain or transmit, the PHI on Business Associate’s behalf, Business Associate shall obtain satisfactory assurances that the Subcontractor will appropriately safeguard the PHI, including requiring the Subcontractor to enter into an agreement with Business Associate in compliance with HIPAA, including, without limitation, Subpart C of 45 C.F.R. Part 164.

3.4 Appropriate Safeguards; Security Incidents. Business Associate shall implement appropriate and reasonable safeguards, including administrative, physical and technical safeguards, to prevent use or disclosure of the PHI other than as permitted in this Agreement and to ensure the confidentiality, integrity and availability of all electronic PHI that Business Associate creates, receives, maintains or transmits. Business Associate will comply with all applicable requirements set forth in Subpart C of 45 C.F.R. Part 164 and report to Covered Entity any Security Incident of which it becomes aware, including breaches of unsecured PHI as required by 45 C.F.R. Part 164.410. For purposes of this Agreement, “Security Incident” means the attempted or successful unauthorized access, use, disclosure, modification or destruction of the PHI of Covered Entity in Business Associate’s custody or control or interference with system operations in an “information system”, as defined in 45 C.F.R. Part 164.304, of Business Associate that holds the PHI in electronic form (a “System”). Notwithstanding the foregoing, certain low risk attempts to breach a System set forth below shall not constitute a Security Incident under this Agreement, provided that such attempts do not result in an actual or suspected breach of unsecured PHI and remain within the normal incident level experienced by Business Associate: (i) pings on a System’s firewall; (ii) port scans; (iii) attempts to log onto a System or enter a database thereon with an invalid password or username; and (iv) denial-of-service attacks that do not result in a System server being taken off-line.

3.5 Government Access to Records. Business Associate shall make its internal practices, books and records relating to the use and disclosure of the PHI received from, or created or received by Business Associate on behalf of, Covered Entity available to the HHS Secretary for purposes of determining Covered Entity’s and Business Associate’s compliance with HIPAA.

3.6 De-Identification. Business Associate may de-identify the PHI from time to time in accordance with the requirements of HIPAA for any purposes not prohibited by applicable law.

3.7 Reporting of Improper Use or Disclosure. Business Associate shall report to Covered Entity in writing without unreasonable delay and in all cases not more than 30 days after discovery of any actual “breach”, as such term is defined in 45 C.F.R. Part 164.402, of unsecured PHI. For purposes hereof, “unsecured PHI” means PHI that is not secured through the use of a technology or methodology specified in guidance from the U.S. Department of Health and Human Services (“HHS”) in a manner (e.g., via encryption or destruction) that renders such PHI unusable, unreadable or indecipherable to unauthorized persons. An actual breach of unsecured PHI shall be treated as discovered by Business Associate as of the first day on which such breach is known to the Business Associate, its employees, officers or Subcontractors or, by exercising reasonable diligence, should have been known to Business Associate, its employees, officers or Subcontractors, other than to the person who committed the breach. Business Associate’s notification to Covered Entity, to the extent possible, will include the identity of each individual whose unsecured PHI has been, or is reasonably believed to have been, breached and any particulars regarding the breach that Covered Entity would need to include in a notification required by 45 C.F.R. Parts 164.404 to 164.408. Business Associate agrees to fully cooperate in good faith with and to assist Covered Entity in complying with the requirements of HIPAA.

3.8 Mitigation. Business Associate shall mitigate, to the extent commercially practicable, any harmful effect that is known to Business Associate of a use or disclosure of the PHI or unsecured PHI by Business Associate in violation of the requirements of this Agreement or HIPAA.

3.9 Availability of the PHI. To the extent that the Parties mutually agree in writing that the PHI is part of a “designated record set”, as such term is defined in HIPAA, and that such designated record set (or a portion thereof) is to be maintained by Business Associate, Business Associate shall within 30 calendar days after a written request from Covered Entity and in the manner reasonably designated or directed by Covered Entity: (i) provide access to the PHI to Covered Entity or to an individual in order to meet the requirements under 45 CFR Part 164.524; and (ii) make amendments to the PHI in accordance with the requirements of 45 CFR Part 164.526.

3.10 Accounting Rights. Business Associate shall document and make available all information required to respond to a request for an accounting of disclosures in accordance with 45 C.F.R. Part 164.528 within 30 calendar days of a written request by Covered Entity for such information. Notwithstanding the foregoing or anything else in this Agreement to the contrary, Covered Entity shall be solely responsible for preparing, delivering and paying the costs associated with any such requested accounting, including, without limitation, promptly reimbursing Business Associate for all reasonable costs incurred in association therewith.

4. Covered Entity’s Obligations

4.1 Notice. Covered Entity shall promptly provide Business Associate with the notice of privacy practices that Covered Entity produces in accordance with 45 CFR Part 164.520, as well as any subsequent changes to the notice of privacy practices.

4.2 Changes in Access by Individual. Covered Entity shall promptly provide Business Associate with any changes in, or revocation of, permission by an individual to use or to disclose the PHI, if such changes affect Business Associate’s permitted or required uses and disclosures.

4.3 Restrictions on Use and Disclosure of the PHI. Covered Entity shall promptly notify Business Associate of any restriction to the use or disclosure of the PHI that Covered Entity has agreed to in accordance with 45 CFR Part 164.522.

4.4 Requests by Covered Entity. Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under HIPAA if done by Covered Entity, except that Business Associate may use or disclose PHI for Business Associate’s data aggregation, management, administration, and legal responsibilities as set forth in Section 3.1.

5. Termination

5.1 Term. The Term of this Agreement is effective as of the Effective Date and will terminate in accordance with Sections 5.2 or 5.3 below, as applicable, at such time when all of the PHI provided by Covered Entity to Business Associate, or created or received by Business Associate on behalf of Covered Entity, and that it is feasible for Business Associate to destroy or return to Covered Entity, is destroyed or returned to Covered Entity. With respect to the PHI that cannot be feasibly returned or destroyed, protections will be extended to such information in accordance with Section 5.4 below.

5.2 Termination for Cause. If either Party knows or discovers a pattern of activity or practice of the other Party that constitutes a material breach of the other Party’s obligations under this Agreement or under applicable federal standards, the discovering Party agrees to promptly notify the other Party in writing as to the nature and extent of such breach, and shall provide the other Party a reasonable amount of time to cure such breach. A reasonable amount of time shall depend on the nature and extent of the breach, shall be clearly stated in the notice, but in no case shall the period for cure be less than 30 days. Notwithstanding the foregoing, should the discovering Party determine that the breach is incurable, or that the other Party has repeatedly engaged in such impermissible use or disclosure despite prior notice, the discovering Party may terminate this Agreement, if feasible, and in accordance with Section 5.1 above upon written notice to the breaching Party, without damages or liability thereto.

5.3 Termination of Underlying Agreement. Upon termination of the Underlying Agreement, either Party may terminate this Agreement in accordance with Section 5.1 above by providing written notice to the other Party.

5.4 Return or Destruction of the PHI. Business Associate agrees that, upon termination of this Agreement, if feasible, Business Associate shall return or destroy the PHI received from, or created or received by Business Associate on behalf of, Covered Entity that Business Associate maintains in any form and retain no copies of such information; provided, however, that Business Associate may retain only that PHI which is necessary for Business Associate to continue its proper management and administration or to carry out its legal responsibilities as described in Section 3.1(a) above. If return or destruction of any portion of the PHI is not feasible, then Business Associate shall extend the protections of this Agreement to such information and limit further uses and disclosures to those purposes that make the return or destruction of the information infeasible or, if applicable, that relate directly to Business Associate’s proper management and administration or legal responsibilities.

6. Limitation of Liability

The limitations of liability set forth in the Underlying Agreement shall apply to this Agreement and neither party shall have any liability to the other party for any breach of this Agreement except as provided in the Underlying Agreement.

7. Miscellaneous

7.1 Amendment to Comply with Law. The Parties acknowledge that it may be necessary to amend this Agreement to comply with modifications to HIPAA, including but not limited to statutory or regulatory modifications or interpretations by a regulatory agency or court of competent jurisdiction. No later than 30 days after the Parties become aware that any such modifications or interpretations have become effective, the Parties agree to use good faith efforts to develop and execute any amendments to this Agreement as may be required to comply with HIPAA.  

7.2 Amendment. This Agreement may be amended or modified only in writing signed by the Parties.

7.3 No Third Party Beneficiaries. Nothing expressed or implied in this Agreement is intended to confer, nor shall anything herein confer, upon any person other than Covered Entity, Business Associate and their respective successors or assigns, any rights, remedies, obligations or liabilities whatsoever.

7.4 Governing Law. This Agreement shall be governed by, and interpreted in accordance with, the internal laws of the State of Tennessee without giving effect to any principles of conflicts of law that would cause the laws of another jurisdiction to apply.

7.5 Paragraph Headings; Gender and Number. The paragraph headings in this Agreement are for convenience only. They form no part of this Agreement and shall not affect its interpretations.  The use of the masculine, feminine or neuter genders, and the use of the singular and plural, shall not be given an effect of any exclusion or limitation herein. The use of the word “person” or “party” shall mean and include any individual, trust, corporation, limited liability company, partnership or other entity.

7.6 Entire Agreement. This Agreement in conjunction with the Underlying Agreement and any attachments, exhibits, schedules and appendices hereto and/or to the Underlying Agreement constitutes the entire agreement between the Parties with respect to the matters contemplated herein and supersedes and replaces all previous and contemporaneous oral and written negotiations, agreements, commitments and understandings relating hereto or thereto, including, without limitation, any previous business associate agreement between the Parties.

7.7 Counterparts. This Agreement may be executed in one or more counterparts, each of which shall constitute an original and all of which shall constitute one agreement. Signatures to this Agreement may be exchanged by facsimile, portable document format or other similar electronic format and all signatures exchanged in such manner shall constitute and be deemed original signatures.

7.8 Binding Effect. This Agreement shall be binding upon, and shall inure to the benefit of, the Parties and their respective permitted successors and assigns.

7.9 Severability. In the event any provision of this Agreement is held to be unenforceable or invalid for any reason, this Agreement shall remain in full force and effect and enforceable in accordance with its terms disregarding such unenforceable or invalid provision.

7.10 Notices. All notices and other communications required or permitted pursuant to this Agreement shall be in writing, addressed to the Party at the address set forth below, or to such other address as either Party may designate from time to time in writing, and given in accordance with the notice provisions of the Underlying Agreement. Further, in addition to following the notice provisions of the Underlying Agreement, the Parties shall give notice by certified mail, return receipt requested, or facsimile using the following notice information:

To Business Associate:
Ursa Health, LLC
3200 West End Ave., Suite 500
Nashville, TN 37203
Attn: Privacy Officer

To Covered Entity:        
________________________________________________________________

________________________________________________________________

________________________________________________________________

Attn:     

________________________________________________________________
    
7.11 Assignment. Neither Party may assign (whether by operation of law or otherwise) any of its rights or delegate or subcontract any of its obligations under this Agreement without the prior written consent of the other Party, which consent shall not be unreasonably withheld, conditioned, or delayed. Notwithstanding the foregoing, Business Associate may assign this Agreement upon the sale of all or substantially all of its assets or upon a merger or similar transaction, without the prior approval of Covered Entity.

7.12 Authority to Execute. Each individual signing this Agreement below warrants and represents that he or she has the full authority and power to execute this Agreement on behalf of himself or herself or on behalf of his or her company, as applicable, and that, to the extent applicable, all other actions necessary to the execution of and binding effect of this Agreement have been fully performed by his or her company.

7.13 Priority of Agreement. If any portion of this Agreement is inconsistent with the terms of the Underlying Agreement, then the terms of this Agreement shall prevail and govern in all respects. Except as set forth above, the remaining provisions of the Underlying Agreement are adopted herein in their entirety.

7.14 No Joint Venture Relationship. This Agreement does not grant either Party any authority to assume or to create any obligation on behalf of or in the name of the other.  The Parties expressly acknowledge that no franchise, partnership or joint venture relationship exists or is intended to exist between such Parties on account of this Agreement.
 
IN WITNESS WHEREOF, the Parties have duly executed this Agreement to be effective as of the Effective Date.

COVERED ENTITY:

BUSINESS NAME, LLC
By: ________________________________________________________________
Name: ____________________________________________________________
Title: ______________________________________________________________

BUSINESS ASSOCIATE:

URSA HEALTH, LLC
By: ________________________________________________________________
Name: ____________________________________________________________
Title: ______________________________________________________________
