Business Associate Agreement

If Continuud is interacting with Patient Health Information, we are required to enter into a Business Associate Agreement with your organization. Our default Business Associate Agreement can be previewed below. 

This document is for reference only. The agreement executed between Continuud and your organization may be different. Please reference the finalized document.

BUSINESS ASSOCIATE AGREEMENT

 

THIS BUSINESS ASSOCIATE AGREEMENT (this “Agreement”) is entered into as of _____________, (“Effective Date”) between ______________________________________________(“Covered Entity”) and D&D AdVenture Corp, LLC (d/b/a Continuud) (“Business Associate”), each individually a “Party” and collectively, the “Parties.”

 

The purpose of this Agreement is to comply with the requirements of (i) the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the associated regulations, as may be amended; (ii) the HIPAA Privacy Rule codified at 45 C.F.R. Parts 160 and 164, Subparts A and E, as may be amended; (iii) the HIPAA Security Rule codified at 45 C.F.R. Parts 160 and 164, Subpart C, as may be amended; (iv) the Breach Notification Rule codified at 45 C.F.R. Part 164, Subpart D, as may be amended; (v) the Enforcement Rule codified at 45 C.F.R. Part 160, Subparts C and D, as may be amended; (vi) the Health Information Technology for Economic and Clinical Health Act, Title XIII of the American Recovery and Reinvestment Act of 2009 (the “HITECH Act”); (vii) the HIPAA Omnibus Final Rule published in the Federal Register at 78 Fed. Reg. 5566 (January 25, 2013), and effective on March 26, 2013; and (viii) the final regulations concerning standard transactions and code sets codified at 45 C.F.R. Parts 160 and 162 (“Electronic Transaction Rule”). The HITECH Act provides further protection for the privacy and security of Protected Health Information (“PHI”) used and disclosed through health information technology. The Privacy, Security, Breach Notification and Enforcement Rules are collectively referred to herein as the “HIPAA Rules.” Unless otherwise defined in this Agreement, capitalized terms have the meanings given in the HIPAA Rules, the HITECH Act, and the Electronic Transaction Rule.

 

In consideration of the Parties’ new or continuing obligations under the Master Services Agreement, as defined below, the Parties agree to comply with the requirements of the HIPAA Rules and HITECH Act as follows:

 

1.   Applicability. This Agreement applies to the limited PHI that Business Associate may receive from Covered Entity. Such PHI is expected to be restricted to an Individual’s contact information (i.e., names, phone numbers, and addresses) and an Individual’s diagnosis (the “Limited PHI”). It is Covered Entity’s responsibility to:

a) assess whether its usage of the Services is appropriate for the storage or control of, or access to, sensitive data, including PHI;

b) validate that its other vendors of computer or internet service, whether or not bound by a Business Associate Agreement, are secure channels through which to connect Business Associate’s equipment; and

c) ensure that any vendors of software products or services to be loaded on to Business Associate’s equipment are compliant with applicable HIPAA Rules.

 

2.   Services. Covered Entity and Business Associate have entered into a written agreement (the “Master Services Agreement”) under which Business Associate may store limited PHI from or on behalf of Covered Entity in the course of providing its services to Covered Entity (the “Services”). The Master Services Agreement is incorporated herein by this reference. In the event of a conflict between the terms of the Master Services Agreement and this Agreement, this Agreement shall control with regard to the HIPAA Rules.

 

3.   Permitted Uses and Disclosures. Business Associate may use and/or disclose PHI only as permitted or required by this Agreement, or as otherwise required by law. Business Associate may disclose PHI to, and permit the use of PHI by, its employees, contractors, agents, or other representatives only to the extent directly related to and necessary for the performance of the Services. Business Associate shall make uses and disclosures, and requests for PHI from Covered Entity, only in a manner consistent with HIPAA's minimum necessary requirements, and use or disclose no more than the minimum PHI necessary to perform the Services. Business Associate will not access any PHI other than the Limited PHI unless specifically instructed to do so by Covered Entity in the course of providing the Services via remote troubleshooting. Business Associate shall not use or disclose PHI in a manner (i) inconsistent with Covered Entity’s obligations under the HIPAA Rules or the HITECH Act, or (ii) that would violate the HIPAA Rules or the HITECH Act if disclosed or used in such a manner by Covered Entity. Business Associate may use PHI for the proper management and administration of Business Associate’s business and to carry out its legal responsibilities in accordance with 45 C.F.R. § 164.504(e)(4).

 

4.   Safeguards for the Protection of PHI. Business Associate shall comply with the HIPAA Security Rule codified at 45 C.F.R. Parts 160 and 164, Subpart C, as may be amended, with respect to Electronic PHI, and shall implement appropriate safeguards to prevent the Use or Disclosure of PHI other than as provided for by this Agreement.

 

5.   Reporting. For all reporting obligations under this Agreement, the Parties acknowledge that, due to encryption, Business Associate will not know the nature of the PHI contained in Covered Entity’s accounts. As a result, Business Associate may not be able to identify the Individuals affected or describe the information subjected to a Security Incident, Impermissible Use or Disclosure, or Breach. Business Associate’s reporting obligations shall be limited to the information it can readily see without decryption.

 

6.   Reporting and Mitigating the Effect of Unauthorized Uses and Disclosures. If Business Associate has knowledge of any use or disclosure of PHI not provided for by this Agreement, then Business Associate shall promptly notify Covered Entity in the manner set forth in Section 15. Business Associate shall establish and implement procedures and other reasonable efforts for mitigating, to the extent possible, any harmful effects arising from any improper use and/or disclosure of PHI of which it becomes aware. Furthermore, in the event Business Associate becomes aware of a Security Incident involving PHI, by itself or any of its agents or subcontractors, Business Associate shall notify Covered Entity in writing within sixty (60) calendar days after discovery of such Security Incident. Business Associate shall identify to the extent known: (i) the date of the Security Incident; (ii) the scope of the Security Incident; (iii) the Business Associate’s response to the Security Incident; and (iv) the party responsible for the Security Incident. Covered Entity and Business Associate agree to act together in good faith to take reasonable steps to investigate and mitigate any harm caused by such unauthorized use or Security Incident. For these purposes, a "Security Incident" shall mean the successful unauthorized access, use, disclosure, modification or destruction of information or interference with system operations in an information system.

 

7.   Data Breach Notification and Mitigation. Business Associate agrees to promptly notify Covered Entity of any “Breach” of “Unsecured PHI” as those terms are defined by 45 C.F.R. § 164.402 (hereinafter a “Data Breach”). The Parties acknowledge and agree that 45 C.F.R. § 164.404, as described below in this Section, governs the determination of the date of a Data Breach. Business Associate shall, following the discovery of a Data Breach, promptly notify Covered Entity and in no event later than sixty (60) calendar days after Business Associate discovers such Data Breach, unless Business Associate is prevented from doing so by 45 C.F.R. § 164.412 concerning law enforcement investigations. For purposes of reporting a Data Breach to Covered Entity, the discovery of a Data Breach shall occur as of the first day on which such Data Breach is known to Business Associate or, by exercising reasonable diligence, would have been known to Business Associate. Business Associate shall be considered to have had knowledge of a Data Breach if the Data Breach is known, or by exercising reasonable diligence would have been known, to any person (other than the person committing the Data Breach) who is an employee, officer or other agent of Business Associate. No later than sixty (60) calendar days following discovery of a Data Breach, Business Associate shall provide Covered Entity with, subject to Section 5 of this Agreement, sufficient information to permit Covered Entity to comply with the Data Breach notification requirements set forth at 45 C.F.R. § 164.400, et seq. Following a Data Breach, Business Associate shall have a continuing duty to inform Covered Entity of new information learned by Business Associate regarding the Data Breach, including but not limited to the information described in the Breach Notification Rule.

 

8.   Use and Disclosure of PHI by Subcontractors, Agents, and Representatives. Business Associate shall require any subcontractor, agent or other representative that is authorized to create, receive, maintain, or transmit PHI on behalf of Business Associate to execute a business associate agreement with terms no less stringent than those set forth herein. Business Associate shall terminate its business associate agreement with any subcontractor, agent or other representative if such subcontractor, agent or representative fails to abide by any material term of such agreement.

 

9.   Individual Rights. Subject to Section 5 of this Agreement, Business Associate shall comply with the following Individual rights requirements as applicable to PHI used or maintained by Business Associate:

 

9.1 Right of Access. Business Associate agrees to provide access to PHI maintained by Business Associate in a Designated Record Set, at the request of Covered Entity or as directed by Covered Entity, to an individual in order to meet the requirements under 45 C.F.R. § 164.524. Such access shall be provided by Business Associate in the time and manner designated by Covered Entity, including, where applicable, access by electronic means pursuant to Section 13405(e) of the HITECH Act.

9.2 Right of Amendment. Business Associate agrees to make, or will make PHI in a Designated Record Set available to Covered Entity so Covered Entity can make, any amendment(s) to PHI maintained by Business Associate in a Designated Record Set that Covered Entity directs or agrees to, pursuant to 45 C.F.R. § 164.526, in the time frame and manner designated by Covered Entity.

9.3 Right to Accounting of Disclosures. Upon Covered Entity’s request, and subject to Section 5 of this Agreement, Business Associate agrees to make available to Covered Entity information, of which Business Associate is aware, required for Covered Entity to respond to a request by an individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528, as amended by Section 13405(c) of the HITECH Act and any related regulations or guidance issued by the U.S. Department of Health and Human Services ("HHS") in accordance with such provision.

 

10.   Obligations of Covered Entity. Covered Entity hereby agrees to do the following:

 

10.1 Safeguards. Covered Entity will: (i) employ appropriate safeguards to maintain and ensure the confidentiality, privacy and security of PHI transmitted to Business Associate pursuant to this Agreement and the Master Services Agreement, in accordance with the standards and requirements of the HIPAA Rules and the HITECH Act, until such PHI is received by Business Associate; (ii) utilize the highest level of audit logging in connection with Covered Entity’s use of the Services; (iii) maintain the maximum retention of logs in connection with Covered Entity’s use of the Services; and (iv) permit Business Associate to make any use or disclosure of Covered Entity PHI required under 45 C.F.R. § 164.512.

 

10.2 Individual Consent or Authorization. Covered Entity shall be responsible for ensuring that any Individual Consent or Authorization necessary for Access to, creation, maintenance, Use and Disclosure of PHI subject to this Agreement has been obtained and is in force as of the date of such Access to, creation, maintenance, Use and Disclosure of PHI.

 

10.3 Notification of Restrictions. Covered Entity will notify Business Associate in writing of any restrictions to the Use or Disclosure of PHI which Covered Entity has accepted that apply to any access to, creation, maintenance, Use and Disclosure of PHI subject to this Agreement.

 

10.4 Changes in Permission. Covered Entity shall promptly notify Business Associate in writing of any changes in, or revocation of, permission by an Individual to Use or Disclose PHI which affects Business Associate's permitted or required Uses or Disclosures.

 

11.   Ownership of PHI. Covered Entity holds all right, title and interest in and to any and all PHI received by Business Associate from, or created or received by Business Associate on behalf of, Covered Entity, and Business Associate does not hold, and shall not acquire by virtue of this Agreement or by virtue of providing any services or goods to Covered Entity in the course of fulfilling its obligations pursuant to this Agreement, any right, title or interest in or to such PHI. Except as specified in this Agreement or the Master Services Agreement, Business Associate shall have no right to compile or distribute any statistical analysis or report utilizing such PHI, derived from such PHI, any aggregate information derived from such PHI, or any other health and medical information obtained from or on behalf of Covered Entity.

 

12.   Prohibition on Sale of PHI. Business Associate shall not sell PHI or receive any remuneration, direct or indirect, in exchange for PHI, except as expressly permitted by this Agreement and the Master Services Agreement.

 

13.   Inspection of Books and Records. If Business Associate receives a request, made by or on behalf of HHS requiring Business Associate to make available its internal practices, books, and records relating to the use and disclosure of PHI to HHS for the purpose of determining compliance of Covered Entity with the Privacy Standards or the Security Standards, then Business Associate shall promptly notify Covered Entity of such request, unless otherwise prohibited by law. Except as otherwise set forth below, Business Associate shall make its books and records relating to the use and disclosure of PHI by Covered Entity available to HHS and its authorized representatives for purposes of determining compliance of Covered Entity with the Privacy Standards and Security Standards.

 

14.   Term and Termination.

 

14.1 Term. This Agreement shall commence on the Effective Date and end with the termination of the Master Services Agreement unless terminated sooner pursuant to Section 14.2 or Section 14.3.

 

14.2 Termination by Covered Entity. If Covered Entity determines that Business Associate has breached a material term of this Agreement, Covered Entity shall notify Business Associate of such breach and Business Associate shall have thirty (30) calendar days to cure such breach. In the event Business Associate does not cure the breach, or cure is infeasible, Covered Entity shall have the right to immediately terminate this Agreement and the Master Services Agreement.

 

14.3 Termination by Business Associate. If Business Associate determines that Covered Entity has breached a material term of this Agreement, Business Associate shall notify Covered Entity of such breach and Covered Entity shall have thirty (30) calendar days to cure such breach. In the event Covered Entity does not cure the breach, or cure is infeasible, Business Associate shall have the right to immediately terminate this Agreement and the Master Services Agreement.

 

14.4 Effect of Termination. Upon termination of this Agreement, if feasible, Business Associate shall recover any PHI relating to this Agreement in possession of Business Associate and its subcontractors, agents, or representatives. If feasible, Business Associate shall return to Covered Entity or destroy all such PHI in its possession and shall retain no copies. If Business Associate determines it cannot feasibly return or destroy the PHI, Business Associate shall ensure that any and all protections, requirements and restrictions contained in this Agreement shall be extended to any PHI retained after the termination of this Agreement, and that any further uses and/or disclosures shall be limited to the purposes that make the return or destruction of the PHI infeasible. Business Associate further agrees to comply with other applicable state or federal law, which may require a specific period of retention, redaction, or other treatment of such PHI.

 

15.   Notices. Any and all notices and other communications required or permitted to be given under this Agreement shall be: (a) delivered by personal delivery, provided the person to whom delivered signs a receipt; (b) delivered by commercial overnight courier, provided the person to whom delivered signs a receipt or the commercial courier can verify delivery; (c) sent by overnight U.S. express mail, provided the postal service can verify delivery; or (d) sent by registered or certified mail, postage prepaid, provided delivery is actually made. In addition to using one of the delivery methods specified above, the Parties shall also provide notice via electronic mail (e-mail). All notices shall be sent to the following addresses or to such other addresses as shall be furnished by notice to the other party in accordance with the provisions of this Section 15:

 

If to Covered Entity:

 

 

 

 

Attention: ___________________

Email: ______________________

 

If to Business Associate:

D&D AdVenture Corp, LLC (d/b/a Continuud)

735 Shelby Street

Indianapolis, IN 46203

Attention: Richard Walsh

Email: richard@continuud.com

 

16.   Miscellaneous.

 

16.1 Survival. The respective rights and obligations of the Parties under Section 13 (Inspection of Books and Records), Section 14.4 (Effect of Termination), and Section 16 (Miscellaneous) shall survive termination of this Agreement indefinitely, and those other provisions of this Agreement that apply to rights or obligations of a Party that continue or arise upon or after the termination of this Agreement shall survive the termination of this Agreement to the extent necessary to enforce such rights and obligations and to otherwise effectuate such provisions.

 

16.2 Regulatory References. A citation in this Agreement to the Code of Federal Regulations shall mean the cited section as that section may be amended from time to time.

16.3 Amendment. This Agreement may be amended or modified only in a writing signed by the Parties. The Parties agree that they shall negotiate amendments to this Agreement to conform to any changes in the HIPAA Rules as are necessary for Covered Entity to continually comply with the current requirements of the HIPAA Rules. In addition, in the event that either Party believes in good faith that any provision of this Agreement fails to comply with the then-current requirements of the HIPAA Rules or any other applicable legislation, then such Party shall notify the other Party of its belief in writing. For a period of up to thirty (30) calendar days, the Parties shall address in good faith such concern and amend the terms of this Agreement, as necessary, to bring it into compliance. If, after such 30-day period, the Agreement fails to comply with the HIPAA Rules, then either Party has the right to terminate this Agreement and the Master Services Agreement upon written notice to the other Party.

16.4 Interpretation. Any ambiguity in this Agreement shall be interpreted to permit compliance with the HIPAA Rules and HITECH Act.

16.5 Governing Law; Venue. This Agreement shall be interpreted, construed, and governed according to the laws of the State of Indiana. All actions commenced to enforce or interpret this Agreement shall be brought in the federal or state courts in Marion County, Indiana. Neither party may assert or be entitled to relief on a claim of forum non conveniens as to a court of competent jurisdiction located in said county.

16.6 No Third Party Beneficiaries. Nothing express or implied in this Agreement is intended to confer, nor shall anything herein confer, upon any person other than the Parties and the respective successors and permitted assigns of the Parties, any rights, remedies, obligations, or liabilities whatsoever.

16.7 Severability. In the event any provision of this Agreement is held to be unenforceable for any reason, such unenforceability shall not affect the remainder of this Agreement, which shall remain in full force and effect.

16.8 Assignment. Neither Party may assign this Agreement without the prior written consent of the other. Any attempted assignment or delegation by either Party shall be void.

16.9 Binding Effect. The provisions of this Agreement shall be binding upon and shall inure to the benefit of the Parties and their respective heirs, executors, administrators, legal representatives, successors and assigns.

16.10 Counterparts. This Agreement may be executed in counterparts, including by email, facsimile, pdf, or other electronic means, that preserves the original graphic and pictorial appearance of the document, each of which will constitute an original and all of which will be one and the same document.

 

IN WITNESS WHEREOF, the Parties hereto have entered into this Agreement as of the Effective Date.

 

BUSINESS ASSOCIATE:

 

D&D AdVenture Corp, LLC

(d/b/a Continuud)

 

By:______________________________                       

 

Printed Name:_____________________

 

Title:______________________________                       

 

COVERED ENTITY:

 

[Party 2]

 

 

By:______________________________                       

 

Printed Name:______________________

 

Title:______________________________

 

