Jiro Health Inc.
THIS BUSINESS ASSOCIATE AGREEMENT (this "Agreement") is made and entered into effective as of the date set forth on the signature page of this Agreement ("Effective Date"), by and between the entity or individual identified on the signature page of this Agreement ("Covered Entity"), and Jiro Health Inc., a Delaware corporation ("Business Associate"). Business Associate and Covered Entity may each be referred to in this Agreement as a "Party" or collectively as the "Parties."
Recitals
WHEREAS, the Parties have agreed to certain service arrangements, pursuant to which Business Associate will provide certain items, products or services (the "BAA Services") to, for, or on behalf of Covered Entity that may involve the creation, receipt, maintenance, or transmission of PHI (as defined herein) (the "Services Arrangement");
WHEREAS, now and in the future Business Associate may have access to Protected Health Information, as such term is defined under the Privacy Rule and Security Rule at 45 C.F.R. § 160.103, limited to such information created or received by Business Associate from or on behalf of Covered Entity hereunder (as used herein, "Protected Health Information" or "PHI"), and Business Associate may create, receive, maintain, or transmit PHI in providing items, products or services to Covered Entity; and
WHEREAS, both Parties desire to meet their obligations to protect PHI under: (i) the Standards for Privacy of Individually Identifiable Health Information ("Privacy Rule") and the Security Standards ("Security Rule") published by the U.S. Department of Health and Human Services ("DHHS") at 45 CFR parts 160 through 164 under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), as amended from time to time; (ii) the additional Privacy and Security Rule requirements pursuant to Subtitle D of the Health Information Technology for Economic and Clinical Health Act ("HITECH"), as amended from time to time; and (iii) the final Omnibus Rule implementing additional Privacy and Security Rule requirements pursuant to HITECH ("Omnibus Rule"), as may be further amended from time to time.
NOW THEREFORE, in consideration of the foregoing and for other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the Parties hereby agree as follows:
1. Definitions
Regulatory citations in this Agreement are to the United States Code of Federal Regulations ("CFR"), as promulgated, interpreted, and amended from time to time by DHHS, for so long as such regulations are in effect. Unless otherwise specified in this Agreement, all terms not otherwise defined herein will have the meaning established for purposes of parts 160 through 164 of Title 45 of the CFR, as amended from time to time.
2. Permitted Uses and Disclosures of PHI
2.1 Use of PHI
As specified in this Agreement, Business Associate may use or disclose PHI created, received, maintained, or transmitted for or on behalf of Covered Entity (a) as necessary to perform the BAA Services, (b) as otherwise permitted or required by the Services Arrangement, including the use of artificial intelligence ("AI") technologies in connection with any BAA Services that constitute a permitted use or disclosure of PHI under HIPAA, or (c) as otherwise permitted by applicable law or Required by Law.
2.2 Data Analysis
Business Associate may: (i) use, analyze, and disclose PHI in its possession for the public health activities and purposes set forth at 45 CFR § 164.512(b); and (ii) aggregate PHI of Covered Entity in Business Associate's possession with PHI of other customers and covered entities that Business Associate has in its possession through its capacity as a business associate to such other entities, provided that the purpose of such aggregation is to provide Covered Entity with data analyses relating to the Health Care Operations of Covered Entity.
2.3 Business Activities of Business Associate
Unless otherwise limited in this Agreement, Business Associate may:
(a) Use PHI in its possession for its proper management and administration and to fulfill any present or future legal responsibilities of Business Associate;
(b) Disclose PHI in its possession to third parties for the purpose of its proper management and administration or to fulfill any present or future legal responsibilities of Business Associate, provided that:
- the disclosures are permitted by applicable law or Required by Law;
- the disclosures do not require an authorization or "opportunity to agree"; or
- Business Associate obtains and maintains reasonable written assurances from the third party receiving the PHI that such party will hold and maintain the PHI confidentially, only use the disclosed PHI as permitted by applicable law or Required by Law or for the purposes of the disclosure, and notify Business Associate if the third party becomes aware that the confidentiality of the PHI has been breached;
(c) De-identify PHI in accordance with 45 C.F.R. § 164.514(b). Business Associate may use such de-identified data for any lawful purpose and is provided a perpetual, worldwide, non-fee-bearing, exclusive, irrevocable license to use any de-identified data developed by Business Associate from the PHI, with the right to grant sublicenses, to use, disclose, sell, or otherwise convey the de-identified data to third parties. Business Associate is permitted to disclose such de-identified data unless otherwise prohibited by law. De-identified information does not constitute PHI and is not subject to the terms of this Agreement; provided, however, absent prior written authorization from Covered Entity, such de-identified information will not include business, proprietary, or other confidential information of, or about, Covered Entity.
3. Responsibilities of the Parties With Respect to PHI
3.1 Responsibilities of Business Associate
With regard to its use or disclosure of PHI, Business Associate will:
- Use or disclose the minimum amount of PHI necessary as permitted or required by this Agreement, including in connection with the use of AI technologies, or as otherwise Required by Law to accomplish the intended purpose of such use or disclosure;
- To the extent Business Associate carries out one or more of Covered Entity's obligations under the Privacy Rule, comply with the same Privacy Rule requirements that apply to Covered Entity;
- Develop and use appropriate safeguards (including implementing administrative, physical, and technical safeguards for electronic PHI ("ePHI")) to protect the confidentiality, integrity, and availability of and to prevent the use or disclosure of PHI other than as provided for by this Agreement or applicable law;
- For any stored and transmitted PHI, secure such PHI through technology standards Required by Law, as applicable;
- Promptly report to the designated Privacy Officer of Covered Entity any use or disclosure of PHI that is not permitted by applicable law or Required by Law or this Agreement of which Business Associate becomes aware;
- Promptly report to the designated Privacy Officer of Covered Entity any breach in the security, confidentiality, integrity, or availability of ePHI that Business Associate creates, receives, maintains, or transmits on behalf of Covered Entity and of which Business Associate becomes aware;
- Mitigate, to the extent reasonably practicable, any harmful effects from any known use or disclosure of PHI or ePHI by Business Associate in violation of this Agreement;
- Ensure, consistent with 45 C.F.R. § 164.502(e)(1)(ii), that any subcontractor of Business Associate that creates, receives, maintains, or transmits PHI on behalf of Business Associate agrees to the same restrictions and conditions that apply to Business Associate under this Agreement with respect to such PHI.
3.2 Responsibilities of Covered Entity
With regard to the use or disclosure of PHI by Business Associate, Covered Entity will:
- Obtain from an Individual any and all consents or authorizations Required by Law, including HIPAA and applicable state law, prior to furnishing Business Associate the PHI pertaining to that Individual;
- If required by applicable law, provide Individuals with clear, understandable disclosures with respect to Covered Entity's use of AI technologies for permitted uses and disclosures of PHI under HIPAA or applicable state law;
- Inform Individuals of their right to opt out of having PHI processed or accessed by AI technologies;
- Promptly notify Business Associate of any Individual's revocation of consent or opt-out request related to the BAA Services that involve AI processing;
- Maintain documentation of all Individual consents and opt-outs related to AI processing;
- Promptly notify Business Associate of any changes or limitations in the notice of privacy practices of Covered Entity to the extent that such change or limitation may affect Business Associate's creation, receipt, maintenance, or transmission of PHI for or on behalf of Covered Entity, including obligations among the Parties with respect to reproductive health matters, the responsibilities for which shall remain with Covered Entity;
- Promptly notify Business Associate of any changes in, or revocation of, the permission by an Individual to use or disclose such Individual's PHI, to the extent such changes may affect Business Associate's creation, receipt, maintenance, or transmission of PHI pursuant to this Agreement;
- Promptly notify Business Associate of any restriction on the use or disclosure of an Individual's PHI that Covered Entity has agreed to or is required to abide by under 45 CFR § 164.522, to the extent such restriction may affect Business Associate's use or disclosure of PHI;
- Promptly notify Business Associate of any known or suspected security incidents, unauthorized access, or threats that may impact the integrity or security of Business Associate's software system or platform, or associated ePHI;
- Ensure appropriate user access management to Business Associate's software system or platform, including designation of authorized users and timely deactivation of user accounts when access is no longer required;
- Participate in joint risk assessments or mitigation efforts upon reasonable request by Business Associate when such collaboration is necessary to address system vulnerabilities or ongoing threats;
- Review and, if applicable, comply with published security procedures and policies provided by Business Associate that pertain to use of Business Associate's software system, website or platform, or access to shared ePHI systems;
- Refrain from requesting that Business Associate or the BAA Services use or disclose PHI in any manner that would not be permissible under HIPAA or other applicable law if done by Covered Entity;
- Remain solely responsible for managing whether Covered Entity's end users are authorized to share, disclose, create or use PHI within the BAA Services.
3.3 Responsibilities of the Parties with Respect to Breach Notification
Covered Entity and Business Associate will comply with HITECH and any implementing regulations regarding breach notification, as such regulations may be in effect from time to time (collectively, the "Breach Notification Rules").
- Except as provided by 45 CFR § 164.412, Business Associate will give Covered Entity notice of any Breach of Unsecured PHI without unreasonable delay and in no event later than the maximum time allowable under applicable law after Business Associate discovered such Breach or activation of a security incident response or contingency plan related to ePHI. For purposes of reporting a Breach to Covered Entity, the discovery of the Breach will be deemed to occur as of the first day on which Business Associate knows or, by exercising reasonable diligence, should have known of such Breach. Business Associate will be deemed to have knowledge of such Breach if it is known, or by exercising reasonable diligence should have been known, by any person who is an employee, director, officer, contractor, or other agent of Business Associate.
- More specifically and for purposes of this Agreement, a "Breach" is an unauthorized acquisition, access, use, or disclosure of Unsecured PHI, which compromises the security or privacy of the PHI. A Breach will be presumed to compromise the security or privacy of the PHI (i.e., pose a risk of financial, reputational, or other harm to the Individual whose PHI was breached), unless the Parties can demonstrate in writing the low probability that such PHI has been compromised.
- Upon discovery and within the time limits set forth in this Section 3.3, Business Associate will notify Covered Entity of a Breach of Unsecured PHI with information available to Business Associate to assist Covered Entity in its duties and obligations under the Breach Notification Rules. Such notice will be written in plain language and will include, to the extent known to Business Associate, the identification of each Individual whose Unsecured PHI has been, or is reasonably believed by Business Associate to have been, accessed, acquired, used, or disclosed during such Breach. Business Associate will also provide to Covered Entity other available information that Covered Entity is required to include in its notification to the Individual pursuant to the Breach Notification Rules.
3.4 Responsibilities of the Parties with Respect to Designated Record Sets
This Section 3.4 applies only if, in the course of Business Associate performing the BAA Services, Business Associate maintains Designated Record Sets containing PHI. In such case:
- Business Associate will: (a) at the reasonable request of, and in the reasonable time and manner designated by, Covered Entity, provide access to the PHI to Covered Entity, or the Individual to whom such PHI relates, or such Individual's authorized representative, to satisfy a request by such Individual under HIPAA; and (b) at the reasonable request of, and in the reasonable time and manner designated by, Covered Entity, make any desired amendment(s) to the PHI that Covered Entity directs.
- Covered Entity will: (a) notify Business Associate, in writing, of any PHI that Covered Entity seeks to make available to an Individual pursuant to HIPAA and will cooperate with Business Associate as to the time, manner, and form in which Business Associate will provide such access; and (b) notify Business Associate, in writing, of any amendment(s) to the PHI in the possession of Business Associate that Covered Entity believes is necessary because of its belief that the PHI that is the subject of the amendment(s) has been or could be relied upon by Business Associate or others to the detriment of the Individual who is the subject of the amendment(s).
4. Representations and Warranties
Each Party represents and warrants to the other Party:
4.1 Authority
The Party has full authority, and has obtained all necessary approvals and consents, to enter into the Services Arrangement and this Agreement and will comply with all applicable federal and state privacy and security laws and regulations with respect to PHI.
4.2 Workforce Informed of Agreement Terms
All the employees and the members of its workforce whose services may be used to fulfill such Party's obligations under this Agreement are or will be appropriately informed of the applicable terms of this Agreement and are under legal obligation to such Party, by contract or otherwise, sufficient to enable such Party to comply with all applicable provisions of this Agreement.
4.3 Reasonable Cooperation
The Party will reasonably cooperate with the other Party in the performance of the mutual obligations under this Agreement.
5. Term and Termination
5.1 Term
This Agreement will become effective on the Effective Date and will continue in effect unless terminated as provided in this Article 5. In addition, certain provisions and requirements of this Agreement will survive the expiration or termination of this Agreement in accordance with Section 6.8 below.
5.2 Termination for Breach
Either Party may immediately terminate this Agreement if such Party reasonably determines that the other Party has breached a material term of this Agreement and such other Party has not cured the reasonably determined breach within thirty (30) days following notice from the non-breaching Party regarding the alleged breach. Failure to cure in the manner set forth in this Section 5.2 will be grounds for the immediate termination of this Agreement by the non-breaching Party.
5.3 Automatic Termination
This Agreement will automatically terminate without any further action of the Parties upon the termination or expiration of all Services Arrangements between Covered Entity and Business Associate.
5.4 Effect of Termination
Upon the termination of this Agreement pursuant to this Article 5, Business Associate will return or destroy within sixty (60) days all PHI, including ePHI, identifiable to Covered Entity that is within Business Associate's possession. If return or destruction of said PHI is not feasible, Business Associate will notify Covered Entity, in writing, of the conditions that make return or destruction infeasible. If Business Associate determines that the return or destruction of said PHI is not feasible, for as long as Business Associate maintains such PHI, Business Associate will extend the protections of this Agreement to such PHI and limit further uses or disclosures of such PHI to the purposes that make the return or destruction of the PHI infeasible.
6. Miscellaneous
6.1 Privileges
Nothing in this Agreement shall be construed to waive any applicable legal privileges or protections, including the attorney-client privilege or attorney work-product doctrine. Business Associate shall not be required to disclose to the Secretary of DHHS or any other governmental authority any materials that are protected by such privileges unless Required by Law. The Parties agree to cooperate in good faith to protect privileged or confidential information, consistent with applicable legal and regulatory obligations.
6.2 Nature of Agreement; Independent Contractors
Nothing in this Agreement will be construed to create an employer-employee relationship or partnership, joint venture, or other joint business relationship between the Parties or any of their affiliates. Business Associate is an independent contractor, not an agent, of Covered Entity.
6.3 Entire Agreement
THIS AGREEMENT CONSTITUTES THE ENTIRE AGREEMENT OF THE PARTIES WITH RESPECT TO THE PARTIES' COMPLIANCE WITH FEDERAL OR STATE HEALTH INFORMATION CONFIDENTIALITY LAWS AND REGULATIONS AS WELL AS THE PARTIES' OBLIGATIONS UNDER THE BUSINESS ASSOCIATE PROVISIONS OF HIPAA AND HITECH. THIS AGREEMENT SUPERSEDES ALL PRIOR OR CONTEMPORANEOUS WRITTEN OR ORAL MEMORANDA, ARRANGEMENTS, CONTRACTS, OR UNDERSTANDINGS BETWEEN THE PARTIES RELATING TO THE PARTIES' COMPLIANCE WITH FEDERAL OR STATE HEALTH INFORMATION CONFIDENTIALITY LAWS AND REGULATIONS AND THE PARTIES' HEALTH INFORMATION CONFIDENTIALITY AND SECURITY OBLIGATIONS UNDER 45 CFR PARTS 160 THROUGH 164 OR APPLICABLE STATE LAW.
6.4 Compliance with Law; Change of Law
Each Party agrees to comply with HIPAA and HITECH and their implementing regulations, in each case, as applicable to the obligations of such Party under this Agreement. If there is any amendment to any provision of HIPAA or HITECH, or their implementing regulations, which materially alters either Party's obligations under this Agreement, the Parties will negotiate in good faith mutually acceptable and appropriate amendment(s) to this Agreement to give effect to such revised obligations; provided, however, that if the Parties are unable to agree on mutually acceptable amendment(s) within 60 days of the relevant change of law, either Party may terminate this Agreement consistent with Sections 5.4 and 6.5 herein.
6.5 Third-Party Services
From time to time, Covered Entity may use the BAA Services with other products or services provided to Covered Entity by third parties (collectively, the "Third-Party Services"). Business Associate does not represent or warrant that the Third-Party Services are HIPAA compliant or that the use of the BAA Services with the Third-Party Services is HIPAA compliant. Unless Business Associate expressly agrees in writing, this Agreement does not extend to any such Third-Party Services. In the event that Covered Entity desires to use any Third-Party Services, Covered Entity agrees that (a) it will use the Third-Party Services in full compliance with HIPAA and any and all other laws and regulations applicable to Covered Entity; and (b) Covered Entity will indemnify, defend and hold harmless Business Associate from and against any and all claims regarding or related in any way to the Third-Party Services.
6.6 Construction of Terms
The terms of this Agreement will be construed in light of any interpretation or guidance on HIPAA, HITECH, the Privacy Rule, the Security Rule, or the Omnibus Rule issued by DHHS from time to time. Furthermore, any ambiguity in this Agreement will be resolved to permit the Parties to comply with the applicable Rule.
6.7 Governing Law
THIS AGREEMENT SHALL BE GOVERNED BY AND CONSTRUED IN ACCORDANCE WITH THE SAME INTERNAL LAWS THAT GOVERN THE SERVICES ARRANGEMENT.
6.8 Survival
This Section 6.8 will survive termination of this Agreement for any reason. Further, the respective rights and obligations of Business Associate and Covered Entity under the provisions of Sections 3.1, 3.2, 3.3, 5.4, and 6.5 will survive the expiration or termination of this Agreement for so long as such PHI is retained by Business Associate.
6.9 Amendment; Waiver
This Agreement may not be modified, nor will any provision of this Agreement be waived or amended, except in a writing duly signed by authorized representatives of the Parties. A waiver with respect to one event will not be construed as continuing or as a bar to or waiver of any right or remedy as to subsequent events.
6.10 Assignment of Rights and Delegation of Duties
This Agreement is binding upon and inures to the benefit of the Parties and their respective successors and permitted assigns. However, neither Party may assign any of its rights or delegate any of its obligations under this Agreement without the prior written consent of the other Party. Notwithstanding any provisions herein to the contrary, Business Associate retains the right to assign or delegate any of its rights or obligations in this Agreement in connection with an assignment to an affiliate or in connection with any merger, reorganization, consolidation, sale of assets or similar transaction. Assignments made in violation of this Section 6.10 will be null and void.
6.11 Severability
The provisions of this Agreement are severable, and if any provision of this Agreement will be held or declared to be illegal, invalid, or unenforceable, the remainder of this Agreement will continue in full force and effect as though such illegal, invalid, or unenforceable provision had not been contained in this Agreement.
6.12 No Third Party Beneficiaries
Nothing in this Agreement is intended to confer, nor will anything in this Agreement be considered or construed to confer, on any person other than the Parties, or their respective successors and permitted assigns, any rights, remedies, obligations, or liabilities under or by reason of this Agreement.
6.13 Notices
Any notices to be given under this Agreement shall be made in writing and sent or delivered to the applicable Party in accordance with the notice provisions set forth in the Services Arrangement.
6.14 Counterparts; Facsimiles
This Agreement may be executed in any number of counterparts, each of which will be deemed an original. Electronic copies hereof will be deemed to be originals.
6.15 Disputes
If any controversy, dispute, or claim arises between the Parties with respect to this Agreement, the Parties will make good faith efforts to resolve such matters informally and thereafter, to follow the dispute resolution procedures, as applicable, set forth in the Services Arrangement.
