This Business Associate Agreement (“Agreement”) shall be incorporated into the applicable Terms of Service or Master Service Agreement for Fortuna Clients or Customers that are Covered Entities and provide Protected Health Information (“PHI”) (as defined in HIPAA) to Fortuna Corporation, Inc. in the course of using or accessing purchased Fortuna Services.
The Parties to this Agreement are committed to complying with the Standards for Privacy of Individually Identifiable Health Information (the “Privacy Rule”) and the Standards for Security of Electronic Protected Health Information (the “Security Rule) under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). This Agreement, in conjunction with the Privacy and Security Rules, sets forth the terms and conditions pursuant to which PHI (electronic and non-electronic) that is created, received, maintained, or transmitted by, the Business Associate from or on behalf of Covered Entity, will be handled between the Business Associate and Covered Entity and with third parties during the term of their Underlying Agreement and after its termination.
a. HIPAA Rules. “HIPAA Rules” shall mean the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Part 160 and Part 164. A reference in this Agreement to a section in the HIPAA Rules means the section as in effect or as amended.
b. Other terms.
The following terms used in this Agreement shall have the same meaning as those terms in the HIPAA Rules: Business Associate, Breach, Covered Entity, Data Aggregation, Designated Record Set, Disclosure, Electronic Protected Health Information, Health Care Operations, Individual, Minimum Necessary, Notice of Privacy Practices, Privacy Officer, Privacy Rule, Protected Health Information (“PHI”), Required By Law, Secretary, Security Rule, Security Incident, Subcontractor, Unsecured Protected Health Information, and Use.
PERMITTED USES AND DISCLOSURES OF PHI
2.1 Services. Business Associate provides services (“Services”) for Covered Entity that involve the receipt, use and disclosure of PHI. Except as otherwise specified herein, the Business Associate may make all uses of PHI necessary to perform its obligations under the Underlying Agreement. All other uses not authorized by this Agreement are prohibited. Moreover, Business Associate may disclose PHI for the purposes authorized by this Agreement only: (i) to its employees, subcontractors and agents, in accordance with Section 3.1(d), or (ii) as otherwise permitted by or as required by the Privacy or Security Rule.
2.2 Business Activities of the Business Associate. Unless otherwise limited herein and if such use or disclosure of PHI would not violate the Privacy or Security Rules if done by the Covered Entity, the Business Associate may:
a. Use the PHI in its possession for its proper management and administration and to fulfill any present or future legal responsibilities of the Business Associate provided that such uses are permitted under state and federal confidentiality laws.
b. Disclose the PHI in its possession to third parties for the purpose of its proper management and administration or to fulfill any present or future legal responsibilities of the Business Associate, provided that the Business Associate represents to Covered Entity, in writing, that (i) the disclosures are required by law, or (ii) the Business Associate has received from the third party written assurances regarding its confidential handling of such PHI as required under 45 C.F.R. § 164.504(e)(4) and § 164.314, and the third party notifies the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.
3. RESPONSIBILITIES OF THE PARTIES WITH RESPECT TO PHI
3.1 Responsibilities of the Business Associate. Business Associate hereby agrees to do the following:
a. Not use or disclose PHI other than as permitted or required by the Agreement or as required by law.
b. Use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to electronic PHI, to prevent use or disclosure of PHI other than as provided for by the Agreement.
c. Report in writing to Covered Entity within five (5) business days any use or disclosure of PHI not provided for by the Agreement of which it becomes aware, including breaches of unsecured PHI as required at 45 CFR 410, and any security incident of which it becomes aware, and cooperate with the Covered Entity in any mitigation or breach reporting efforts.
d. In accordance with 45 CFR 502(e)(1)(ii) and 164.308(b)(2), if applicable, to ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of the Business Associate agree to the same restrictions, conditions, and requirements that apply to the Business Associate with respect to such information.
e. Ensure that any agent or subcontractor to whom the Business Associate provides PHI, as well as Business Associate, not export PHI for storage beyond the borders of the United States of America.
f. With respect to any agent or subcontractor who has access to PHI from beyond the borders of the United States of America:
i. Ensure that any such individuals are bound by the terms and conditions of this Agreement or a subcontractor Agreement containing substantially similar terms and conditions; and
ii. Ensure that any such individuals with access to PHI beyond the borders of the United States of America are subject to the jurisdiction of the courts in the United States of America; and
g. Within ten (10) business days request of Covered Entity, make available PHI in a designated record set, if applicable, to Covered Entity, as necessary to satisfy Covered Entity’s obligations under 45 CFR 524.
h. Within ten (10) business days, make any amendment(s) to PHI, if applicable, in a designated record set as directed or agreed to by the Covered Entity pursuant to 45 CFR 526, or take other measures as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.526.
i. As applicable, maintain and make available the information required to provide an accounting of disclosures as necessary to satisfy Covered Entity’s obligations under 45 CFR 528.
j. To the extent the Business Associate is to carry out one or more of Covered Entity’s obligation(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such
k. Make its internal practices, books, and records available to the Secretary and to the Covered Entity for purposes of determining compliance with the HIPAA
l. Comply with minimum necessary requirements under the HIPAA Rules.
3.2 Responsibilities of Covered Entity. Regarding the use and/or disclosure of PHI by the Business Associate, Covered Entity hereby agrees:
a. To inform the Business Associate of any limitations in the form of notice of privacy practices that Covered Entity provides to individuals pursuant to 45 C.F.R. §164.520, to the extent that such limitation may affect Business Associate’s use or disclosure of PHI.
b. To inform the Business Associate of any changes in, or revocation of, the permission by an individual to use or disclose PHI, to the extent that such limitation may affect Business Associate’s use or disclosure of PHI.
c. To notify the Business Associate, in writing and in a timely manner, of any restriction on the use or disclosure of PHI that Covered Entity has agreed to or is required to abide by under 45 CFR 164.522, to the extent that such restriction may impact in any manner the use and/or disclosure of PHI by the Business Associate under this Agreement.
d. Covered Entity will not request Business Associate to use or disclose PHI in any manner that would not be permissible under the Privacy and Security Rule if done by the Covered Entity.
4. TERMS AND TERMINATION
4.1 Term. The Term of this Agreement shall commence on the Effective Date, and shall terminate on the termination date of the relevant Underlying Agreement or on the date Covered Entity terminates this Agreement for cause as authorized in paragraph 4.2 of this Section, whichever is sooner.
4.2 Termination for Cause. Business Associate authorizes termination of this Agreement by Covered Entity, if Covered Entity determines Business Associate has violated a material term of the Agreement and Business Associate has not cured the breach or ended the violation within the time specified by Covered Entity.
4.3 Obligations of Business Associate upon Termination. Business Associate agrees to return or destroy all PHI pursuant to 45 C.F.R. § 164.504(e) (2) (ii)(J), if it is feasible to do so. If it is not feasible for the Business Associate to return or destroy said PHI, the Business Associate will notify Covered Entity in writing. Said notification shall include: (i) a statement that the Business Associate has determined that it is not feasible to return or destroy the PHI in its possession, and (ii) the specific reasons for such determination. Business Associate agrees to extend all protections, limitations and restrictions contained in this Agreement to the Business Associate’s use and/or disclosure of any PHI retained after the termination of this Agreement, and to limit any further uses and/or disclosures to the purposes that make the return or destruction of the PHI infeasible.
4.4 Automatic Termination. This Agreement will automatically terminate without any further action of the Parties upon the termination or expiration of the Underlying Agreement.
5.1 Mutual Indemnification. Each Party (each an “Indemnifying Party”) agrees to indemnify and defend the other Party (each an “Indemnified Party”) for any costs, fees, fines, settlements, judgments, including attorney’s fees and court costs incurred as a result of a material breach of this Agreement by the Indemnifying Party or its agents or subcontractors, or as a result of any gross negligence or willful misconduct by an Indemnifying Party or its agents or subcontractors.
6.1 Business Associate. For purposes of this Agreement, Business Associate shall include the named Business Associate herein. However, if the Business Associate is otherwise a Covered Entity under the Privacy or Security Rule, that entity may appropriately designate a health care component of the entity, pursuant to 45 C.F.R. § 164.504(a), as the Business Associate for purposes of this Agreement.
6.2 Survival. The respective rights and obligations of Business Associate and Covered Entity under this Agreement shall survive termination of this Agreement indefinitely.
6.3 Amendments; Waiver. This Agreement may not be modified, nor shall any provision hereof be waived or amended, except in a writing duly signed by authorized representatives of the Parties. A waiver with respect to one event shall not be construed as continuing, or as a bar to or waiver of any right or remedy as to subsequent events. The Parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for compliance with the requirements of the HIPAA Rules and any other applicable law.
6.4 Interpretation. Any ambiguity in this Agreement shall be interpreted to permit compliance with the HIPAA Rules.
6.5 No Third-Party Beneficiaries. Nothing express or implied in this Agreement is intended to confer, nor shall anything herein confer, upon any person other than the Parties and the respective successors or assigns of the Parties, any rights, remedies, obligations, or liabilities whatsoever.
6.6 Notices. Any notices to be given hereunder to a Party shall be made as described in the applicable services agreement or via Canada post or express courier to such Party’s address given below.
If to Business Associate, to:
Fortuna AI Labs, Inc.
180 John Street,
Toronto, ON M5T1X5
Attn: Legal Department
If to Covered Entity, to:
The current address associated with Client’s Fortuna account, where applicable.