ScriptRelay
Business Associate Agreement
BUSINESS ASSOCIATE AGREEMENT
HIPAA-Compliant | 45 C.F.R. §§ 164.504(e) & 164.308(b)

Effective Date: [EFFECTIVE DATE]

This Business Associate Agreement ("Agreement") is entered into as of the Effective Date above between:

Covered Entity: [COVERED ENTITY LEGAL NAME], a [STATE] [entity type, e.g., corporation / LLC], with its principal place of business at [COVERED ENTITY ADDRESS] ("Covered Entity" or "CE"); and

Business Associate: ScriptRelay, Inc., a Delaware corporation, with its principal place of business at [SCRIPTRELAY ADDRESS] ("Business Associate" or "BA").

Together referred to herein as the "Parties."

1. Definitions

All capitalized terms not otherwise defined herein shall have the meaning ascribed to them under the Health Insurance Portability and Accountability Act of 1996, as amended by the Health Information Technology for Economic and Clinical Health Act ("HITECH Act") of 2009, and any implementing regulations (collectively, "HIPAA Rules").

"Breach"
Has the meaning set forth in 45 C.F.R. § 164.402 — the acquisition, access, use, or disclosure of PHI in a manner not permitted by the HIPAA Rules which compromises the security or privacy of the PHI.
"Business Associate Services"
The services described in the underlying Service Agreement between the Parties, including but not limited to: prescription intake processing, insurance verification, prior authorization workflow support, reorder outreach automation, denial management, and related administrative DME operations support services on behalf of Covered Entity.
"Designated Record Set"
Has the meaning set forth in 45 C.F.R. § 164.501, including but not limited to medical and billing records used in whole or in part by BA to make decisions about individuals.
"Electronic Protected Health Information" or "ePHI"
Protected Health Information that is transmitted by or maintained in electronic media as defined in 45 C.F.R. § 160.103.
"Protected Health Information" or "PHI"
Individually identifiable health information transmitted or maintained in any form or medium that relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual, and that identifies or could be used to identify the individual.
"Required by Law"
A mandate contained in law that compels an entity to make a use or disclosure of PHI and that is enforceable in a court of law.
"Security Incident"
The attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system, as defined in 45 C.F.R. § 164.304.
"Subcontractor"
Any person or entity to whom BA delegates a function, activity, or service under this Agreement, and who creates, receives, maintains, or transmits PHI on behalf of BA.
"Unsecured PHI"
PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through use of a technology or methodology specified by the Secretary of HHS.

2. Obligations of Business Associate

2.1 Use and Disclosure Restrictions

BA agrees to not use or disclose PHI other than as permitted or required by this Agreement or as Required by Law. BA shall use or disclose PHI only for the purpose of performing the Business Associate Services or as otherwise permitted herein.

2.2 Permitted Uses and Disclosures

BA may use or disclose PHI:

  1. As necessary to perform the Business Associate Services on behalf of Covered Entity;
  2. For the proper management and administration of BA's business, or to carry out the legal responsibilities of BA, provided that any disclosure for such purposes is Required by Law, or BA obtains reasonable assurances from the person to whom the PHI is disclosed that it will be held confidentially and used or further disclosed only as Required by Law or for the purpose for which it was disclosed to that person, and that the person will notify BA of any instance of which it becomes aware in which the confidentiality of the PHI has been breached (45 C.F.R. § 164.504(e)(4));
  3. To provide data aggregation services relating to the health care operations of CE, as permitted by 45 C.F.R. § 164.504(e)(2)(i)(B);
  4. As directed in writing by CE to make disclosures to third parties for purposes permitted under HIPAA.

2.3 Safeguards

BA shall use appropriate administrative, physical, and technical safeguards, and comply with the HIPAA Security Rule with respect to ePHI, to prevent use or disclosure of PHI other than as provided for in this Agreement. Such safeguards include, but are not limited to:

  1. Encryption of ePHI at rest using AES-256 in a NIST-approved mode of operation, consistent with NIST Special Publication 800-111;
  2. Encryption of ePHI in transit using TLS 1.2 or higher, consistent with NIST Special Publication 800-52;
  3. Access controls limiting PHI access to workforce members with a minimum necessary need;
  4. Audit controls logging access to systems containing PHI;
  5. Workforce training on HIPAA requirements no less frequently than annually;
  6. Risk analysis and risk management procedures conducted no less frequently than annually.

2.4 Subcontractors

BA shall ensure that any Subcontractor to whom it delegates any function, activity, or service, and who creates, receives, maintains, or transmits PHI on behalf of BA, enters into a written agreement with BA containing substantially the same restrictions and obligations with respect to such PHI as contained in this Agreement. BA's current Subcontractors who may access or process PHI (referred to in Schedule A as subprocessors) are identified in Schedule A to this Agreement, as updated from time to time.

2.5 Reporting

BA shall report to CE, without unreasonable delay, and in no case later than:

  1. 24 hours following discovery of a Breach of Unsecured PHI (stricter than the 60-day outer limit for notification to CE under 45 C.F.R. § 164.410(b));
  2. 72 hours following discovery of a Security Incident that results in unauthorized access to or disclosure of PHI;
  3. 30 days following discovery of any use or disclosure of PHI not provided for in this Agreement that does not rise to the level of a Breach.

Such report shall include, to the extent known at the time of the report: (i) identification of affected individuals; (ii) a description of what happened, including the date of the Breach; (iii) a description of the types of PHI involved; (iv) steps individuals should take to protect themselves; and (v) a description of what BA is doing to investigate, mitigate, and prevent future occurrences.


3. Individual Rights

3.1 Access to PHI

BA shall make PHI in a Designated Record Set available to CE as necessary to allow CE to fulfill its obligations under 45 C.F.R. § 164.524 (Individual's right of access to PHI). BA shall provide access to such PHI within 15 days of receipt of a written request from CE.

3.2 Amendment of PHI

BA shall make PHI in a Designated Record Set available for amendment, and shall incorporate any amendments to PHI as directed by CE, pursuant to 45 C.F.R. § 164.526.

3.3 Disclosure Accounting

BA shall document and make available to CE information relating to disclosures of PHI made by BA as required for CE to respond to an individual's request for an accounting of disclosures under 45 C.F.R. § 164.528. BA shall maintain such information for a period of at least six (6) years from the date of the disclosure.

3.4 Minimum Necessary Standard

BA shall, to the extent practicable, request, use, and disclose only the minimum amount of PHI necessary to accomplish the intended purpose of the use, disclosure, or request, in accordance with 45 C.F.R. § 164.514(d).

4. Obligations of Covered Entity

CE agrees to:

  1. Notify BA of any limitation(s) in CE's Notice of Privacy Practices in accordance with 45 C.F.R. § 164.520, to the extent that such limitation may affect BA's use or disclosure of PHI;
  2. Notify BA of any changes in, or revocation of, permission by an individual to use or disclose PHI, to the extent that such changes may affect BA's permitted or required uses and disclosures;
  3. Notify BA of any restriction on the use or disclosure of PHI that CE has agreed to in accordance with 45 C.F.R. § 164.522;
  4. Not request BA to use or disclose PHI in any manner that would not be permissible under the HIPAA Rules if done by CE, except as permitted under Section 2.2 of this Agreement;
  5. Obtain all necessary consents and authorizations for BA to receive, access, and process PHI as necessary to perform the Business Associate Services.

5. Term and Termination

5.1 Term

This Agreement shall be effective as of the Effective Date and shall continue in effect until terminated by either Party as set forth herein, or until the termination or expiration of the underlying Service Agreement, whichever occurs first.

5.2 Termination for Cause

Either Party may terminate this Agreement, effective immediately upon written notice, if it determines that the other Party has materially breached this Agreement and has failed to cure such breach within 30 calendar days of receiving written notice of the breach.

5.3 Effect of Termination

Upon termination of this Agreement for any reason, BA shall, at CE's election:

  1. Return to CE all PHI received from, or created or received on behalf of, CE, in a machine-readable format mutually agreed upon by the Parties; or
  2. Destroy all PHI and certify in writing that all such PHI has been destroyed from active systems within 30 days of termination, and from backup systems within 90 days of termination, retaining only that PHI required to be retained under applicable law for the minimum legally required period.

6. Breach Notification — HITECH Compliance

In compliance with the HITECH Act (Pub. L. 111-5, § 13402) and 45 C.F.R. Part 164 Subpart D:

6.1 Discovery of Breach

A Breach shall be treated as discovered as of the first day on which such Breach is known, or by exercising reasonable diligence would have been known, to any person (other than the person committing the Breach) who is a workforce member or agent of BA.

6.2 Notification Content

BA's breach notification to CE shall include, to the extent available:

  1. Identification of each individual whose Unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed;
  2. A brief description of what happened, including the date of the Breach and the date of discovery;
  3. A description of the types of Unsecured PHI involved (e.g., names, Social Security numbers, dates of birth, insurance member IDs);
  4. Any steps individuals should take to protect themselves from potential harm;
  5. A brief description of what BA is doing to investigate, mitigate, and protect against future occurrences;
  6. Contact information for individuals to ask questions or learn additional information.

6.3 Risk Assessment

BA shall perform a risk assessment following any Security Incident involving PHI to determine the probability that PHI has been compromised, considering at minimum: (i) the nature and extent of the PHI involved; (ii) the unauthorized person involved; (iii) whether the PHI was actually acquired or viewed; and (iv) the extent to which the risk has been mitigated.

ScriptRelay's commitment: We will notify CE within 24 hours of Breach discovery, stricter than the 60-day outer limit set by the HITECH Act. We maintain a written incident response plan and a designated Security Officer.

7. General Provisions

7.1 Governing Law

This Agreement shall be governed by and construed in accordance with the laws of the State of Delaware, without regard to its conflict of law provisions, and applicable federal law including the HIPAA Rules.

7.2 Entire Agreement; Amendment

This Agreement, together with any exhibits or schedules, constitutes the entire agreement between the Parties with respect to the subject matter hereof and supersedes all prior or contemporaneous negotiations, representations, warranties, or agreements relating to such subject matter. This Agreement may not be amended, modified, or supplemented except by a written instrument signed by authorized representatives of both Parties.

7.3 Severability

If any provision of this Agreement is held to be invalid, illegal, or unenforceable, the remaining provisions shall continue in full force and effect, and the Parties shall negotiate in good faith a replacement provision that is valid and enforceable and achieves, as nearly as possible, the same economic effect as the invalid provision.

7.4 No Third-Party Beneficiaries

Nothing in this Agreement, express or implied, is intended to confer upon any other person or entity any rights, remedies, obligations, or liabilities under or by reason of this Agreement.

7.5 Notices

All notices, consents, and other communications under this Agreement shall be in writing and shall be deemed delivered when sent by email with confirmation of receipt, or by overnight courier to the addresses set forth in Schedule B.

7.6 Counterparts; Electronic Signatures

This Agreement may be executed in counterparts, each of which shall be deemed an original, and all of which together shall constitute one and the same instrument. Electronic signatures shall be deemed valid and binding to the same extent as original signatures.

7.7 Regulatory Changes

The Parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for compliance with the HIPAA Rules, including any amendments thereto. If any term of this Agreement conflicts with applicable law, the applicable law shall control.


8. HIPAA Security Rule Compliance

BA shall comply with the applicable provisions of the HIPAA Security Rule, 45 C.F.R. Part 164, Subparts A and C, with respect to ePHI that BA creates, receives, maintains, or transmits on behalf of CE. Without limiting the generality of the foregoing:

8.1 Administrative Safeguards

BA shall implement the following administrative safeguards:

  1. Security Officer: BA has designated a Security Officer responsible for the development and implementation of policies and procedures required under the Security Rule;
  2. Risk Analysis: BA conducts an assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI no less frequently than annually, consistent with Section 2.3;
  3. Workforce Training: BA trains all workforce members on HIPAA Security Rule policies and procedures;
  4. Access Management: BA implements policies and procedures for authorizing access to ePHI that is consistent with the applicable requirements of the Privacy Rule;
  5. Contingency Plan: BA has established and implements a data backup plan, disaster recovery plan, and emergency mode operation plan.

8.2 Physical Safeguards

BA shall implement the physical safeguards required by 45 C.F.R. § 164.310 for facilities, workstations, and devices that access ePHI, including facility access controls, workstation use and workstation security policies, and device and media controls.

8.3 Technical Safeguards

BA shall implement the technical safeguards required by 45 C.F.R. § 164.312 for information systems that store, process, or transmit ePHI, including:

  1. Access control with unique user identification and emergency access procedures;
  2. Automatic logoff for workstations and sessions accessing ePHI;
  3. Encryption and decryption of ePHI;
  4. Audit controls that record and examine activity in information systems containing ePHI;
  5. Integrity controls to ensure ePHI is not improperly altered or destroyed;
  6. Person or entity authentication to verify that a person or entity seeking access to ePHI is the one claimed;
  7. Transmission security, including encryption of ePHI in transit.

9. Artificial Intelligence and Automated Processing of PHI

Given that BA's services include AI-assisted workflows that may process PHI, the Parties agree to the following specific provisions:

9.1 AI Subprocessor BAAs

BA shall maintain executed Business Associate Agreements or equivalent data processing agreements with any artificial intelligence model provider whose API or services receive PHI in connection with the Business Associate Services. BA's current AI subprocessors are identified in Schedule A.

9.2 No Model Training on PHI

BA represents and warrants that its agreements with AI model providers expressly prohibit the use of PHI submitted via API for the purpose of training, fine-tuning, or improving any AI model without CE's prior written consent. CE's patient data shall not be used to improve any AI model operated by BA or any third party.

9.3 Minimum Necessary in AI Prompts

BA shall apply minimum necessary principles when including PHI in AI model prompts, and shall use de-identification or pseudonymization techniques where the AI task can be accomplished with equivalent accuracy using de-identified data.
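One way to implement the minimum-necessary and pseudonymization steps described in Section 9.3, as an added illustration that is not ScriptRelay's code: the record layout, the per-task field allowlists, the bracketed token format and the sample record are all assumptions made for the example. Fields a task does not need are dropped before the prompt is built, identifiers a task does need are replaced by keyed tokens, free text is scrubbed of the record's own identifier values plus a few best-effort patterns, and the token-to-value mapping stays on BA's side so the model's answer can be matched back to the case.

```python
"""Minimum-necessary field selection and pseudonymization of PHI before it
reaches an AI model prompt, with server-side re-identification of the output.

Added example, not ScriptRelay code. Assumed: the flat record layout, the
per-task field allowlists and the bracketed token format are illustrative.
"""
import hashlib
import hmac
import re
from dataclasses import dataclass, field

# Direct identifiers: never sent verbatim, and only sent at all (as tokens)
# when a task's allowlist needs them for cross-referencing.
DIRECT_IDENTIFIERS = ("patient_name", "dob", "member_id", "phone")

# Per-task allowlists (assumed). Fields outside the list are dropped entirely:
# a prior-auth summary needs the clinical facts and a member token to match the
# result back to the case, but not the patient's name, date of birth or phone.
TASK_FIELDS = {
    "prior_auth_summary": ("member_id", "payer", "hcpcs", "diagnosis", "clinical_note"),
    "denial_classification": ("payer", "denial_reason", "hcpcs"),
}

# Best-effort patterns for identifiers embedded in free text. This is not
# Safe Harbor de-identification under 45 C.F.R. 164.514(b); the record's own
# known identifier values are replaced first, and these catch stragglers.
PATTERNS = {
    "PHONE": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "DATE": re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b"),
}


@dataclass
class Pseudonymizer:
    key: bytes                                   # HMAC key held by BA, never in the prompt
    mapping: dict = field(default_factory=dict)  # token -> original value, stays server-side

    def token(self, kind: str, value: str) -> str:
        # Keyed, deterministic token: the same member ID yields the same token
        # across calls so the model can refer to it consistently, while the
        # token reveals nothing without the key and the mapping.
        digest = hmac.new(self.key, f"{kind}:{value}".encode(), hashlib.sha256).hexdigest()[:8]
        tok = f"[{kind}_{digest}]"
        self.mapping[tok] = value
        return tok

    def scrub_text(self, text: str, known_values) -> str:
        # Replace known identifier values from the record first (plain substring
        # replacement, so very short values would need a stricter matcher), then
        # pattern matches for identifiers the record did not list.
        for kind, value in known_values:
            if value:
                text = text.replace(value, self.token(kind, value))
        for kind, pattern in PATTERNS.items():
            text = pattern.sub(lambda m, k=kind: self.token(k, m.group(0)), text)
        return text

    def build_prompt(self, task: str, record: dict) -> str:
        known = [(name.upper(), str(record.get(name, ""))) for name in DIRECT_IDENTIFIERS]
        lines = []
        for name in TASK_FIELDS[task]:
            value = str(record.get(name, ""))
            if name in DIRECT_IDENTIFIERS:
                value = self.token(name.upper(), value)   # allowlisted identifier -> token
            else:
                value = self.scrub_text(value, known)     # free text -> scrubbed
            lines.append(f"{name}: {value}")
        return "\n".join(lines)

    def reidentify(self, model_output: str) -> str:
        # Swap tokens back for the original values once the response is back on BA's side.
        for tok, value in self.mapping.items():
            model_output = model_output.replace(tok, value)
        return model_output


def leaks_identifiers(text: str, record: dict) -> list:
    """Direct-identifier values from the record that still appear in text; a
    non-empty result should block the outbound request."""
    return [record[k] for k in DIRECT_IDENTIFIERS if record.get(k) and record[k] in text]


# Constructed sample record for the example; not real patient data.
SAMPLE_RECORD = {
    "patient_name": "Jane Q. Sample",
    "dob": "03/04/1961",
    "member_id": "MBR-00012345",
    "phone": "555-010-2222",
    "payer": "ExamplePlan HMO",
    "hcpcs": "E0601",
    "diagnosis": "G47.33",
    "clinical_note": ("Jane Q. Sample (DOB 03/04/1961, member MBR-00012345) has AHI 22 "
                      "on the sleep study; call 555-010-2222 to schedule setup."),
}

if __name__ == "__main__":
    p = Pseudonymizer(key=b"example-key-not-for-production")
    prompt = p.build_prompt("prior_auth_summary", SAMPLE_RECORD)
    print(prompt)
    print("leaks:", leaks_identifiers(prompt, SAMPLE_RECORD))
```

The mapping and the HMAC key never leave BA's systems and should not be written to the same log as the prompt, since together they re-identify it. Pattern-based scrubbing of free text is best-effort, which is why the leak check gates the request rather than being assumed to pass; and because the tokens are reversible, the pseudonymized prompt remains PHI under the HIPAA Rules, so the subprocessor BAA required by Section 9.1 still applies to the model provider that receives it.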

9.4 Data Residency for AI Processing

BA shall not route PHI to any AI model provider whose inference infrastructure for the Business Associate Services is located outside the United States without prior written notice to and approval from CE.


Schedule A — Authorized Subprocessors

The following subprocessors are authorized to receive, access, or process PHI as part of the Business Associate Services. ScriptRelay maintains BAAs or equivalent data processing agreements with each subprocessor identified below as handling PHI.

Vendor | Service | PHI Access | Location
--- | --- | --- | ---
Neon Technologies / AWS | PostgreSQL database hosting | All stored PHI (AES-256 at rest) | United States (AWS us-east-1)
Render.com | Application hosting & compute | PHI in memory during request processing | United States
Postmark (ActiveCampaign) | Transactional email delivery | Email address only; no PHI in email body | United States
OpenAI / AI Model Provider | AI workflow processing (intake, prior auth, denial analysis) | PHI included in workflow prompts | United States
Cloudflare R2 | Document and file storage | Uploaded documents (e.g., prescription PDFs) | United States

This list may be updated by BA upon 30 days' prior written notice to CE. CE may object to new subprocessors within 15 days of notice.

Schedule B — Notice Contacts

Business Associate

ScriptRelay, Inc.
Attn: Security Officer
Email: anthony@scriptrelay.io
[MAILING ADDRESS]

Covered Entity

[COVERED ENTITY LEGAL NAME]
Attn: [CONTACT NAME]
Email: [CONTACT EMAIL]
[MAILING ADDRESS]

Signatures

IN WITNESS WHEREOF, the Parties have executed this Business Associate Agreement as of the Effective Date set forth above.

Business Associate: ScriptRelay, Inc.
Signature
Printed Name
Title
Date

Covered Entity: [COVERED ENTITY LEGAL NAME]
Signature
Printed Name
Title
Date

ScriptRelay Business Associate Agreement — Template v1.0 — 2026
This document is provided as a template. Please consult with legal counsel before execution.
