Business Associate Agreement

This Business Associate Agreement ("Agreement") is entered into by and between Tarionix LLC ("Business Associate") and the customer identified in the applicable Master Services Agreement ("Covered Entity"). This Agreement governs the creation, receipt, maintenance, use, disclosure, and transmission of Protected Health Information (PHI) by Business Associate while providing services to Covered Entity and is intended to satisfy the requirements of HIPAA, the HITECH Act, and related regulations.

1. Purpose

The purpose of this Agreement is to define the responsibilities of the Parties with respect to PHI and ePHI processed by Business Associate while delivering services under the applicable Master Services Agreement.

2. Definitions

Capitalized terms not defined herein have the meanings assigned under HIPAA. Definitions include Business Associate, Covered Entity, PHI, ePHI, Breach, Security Incident, Subcontractor, Required by Law, and Unsecured PHI.

3. Services

Business Associate provides managed IT services, managed security services, cloud management, Microsoft 365 and Azure services, backup and disaster recovery, identity and access management, AI governance consulting, cybersecurity, network operations, infrastructure management, and related professional services.

4. Business Associate Responsibilities

Business Associate shall implement appropriate administrative, physical, and technical safeguards; comply with HIPAA; use PHI only as permitted; report reportable breaches and security incidents without unreasonable delay; train personnel; require subcontractors to agree to equivalent obligations; and mitigate known harmful effects of improper disclosures.

5. Permitted Uses and Disclosures

Business Associate may use PHI only to provide contracted services, for internal administration where permitted by law, to satisfy legal obligations, and as otherwise permitted by HIPAA or authorized in writing by Covered Entity.

6. Covered Entity Responsibilities

Covered Entity shall provide PHI only where legally authorized, communicate applicable privacy restrictions, and not require Business Associate to perform actions that violate HIPAA.

7. Individual Rights

Business Associate will reasonably assist Covered Entity with HIPAA requests involving access, amendment, accounting of disclosures, and other applicable individual rights.

8. Security Safeguards

Business Associate will maintain a commercially reasonable information security program including access controls, logging, encryption where appropriate, vulnerability management, incident response, backup, disaster recovery, and workforce security.

9. Breach Notification

Business Associate shall notify Covered Entity of reportable breaches of unsecured PHI without unreasonable delay and cooperate with legally required investigations and notifications.

10. Subcontractors

Business Associate shall require subcontractors handling PHI to execute written agreements imposing substantially equivalent HIPAA obligations.

11. Records and Cooperation

Business Associate shall cooperate with lawful regulatory requests relating to HIPAA compliance and make records available where required by law.

12. Return or Destruction of PHI

Upon termination, Business Associate shall return or securely destroy PHI where feasible. If infeasible, Business Associate shall continue protecting retained PHI until destruction becomes feasible.

13. Term and Termination

This Agreement remains effective while Business Associate maintains PHI. Either Party may terminate for material breach following a reasonable cure period unless immediate termination is legally required.

14. Indemnification

Each Party shall be responsible for its own acts and omissions and indemnify the other Party for losses arising from its material breach, subject to the MSA.

15. Limitation of Liability

Liability shall be governed by the limitation of liability provisions contained in the applicable MSA unless prohibited by law.

16. Notices

Notices shall be provided in accordance with the MSA.

17. Governing Law

This Agreement shall be governed by the governing law specified in the applicable MSA except where federal law preempts.

18. Miscellaneous

This Agreement constitutes the entire HIPAA agreement between the Parties, may be amended only in writing, and survives as necessary to protect retained PHI.