Vendor BAA

Vendor BAA

Effective as of 07/13/21

This Business Associate Agreement (“Agreement”) is between Tech Heads, Inc., an Oregon corporation with offices at 7070 SW Fir Loop, Portland, OR 97223 (“Tech Heads”) and the individual or entity identified as the “Contractor” in the Independent Contractor Agreement (“Business Associate”).

RECITALS 

WHEREAS, Business Associate provides services (“Services”) for or on behalf of Tech Heads to certain Tech Heads’ customers (each, a “Covered Entity”) (each a “Party” and collectively the “Parties”); and 

WHEREAS, in connection with those Services, Tech Heads or the Covered Entity may be required to use and/or disclose to Business Associate certain Protected Health Information (“PHI”) (as defined in 45 C.F.R. §164.501) that is subject to protection under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Standards for Privacy of Individually Identifiable Health Information (“Privacy Rule,” 45 C.F.R. Parts 160 and 164); and 45 C.F.R. Part 164, Subpart C, the Security Standards for the Protection of Electronic Protected Health Information (“Security Rule”); and the American Recovery and Reinvestment Act of 2009, Public Law No. 111- 005, Part I, Title XIII, Subpart D, Sections 13401-13409, (“the HITECH Act”); and 

WHEREAS, Tech Heads and Business Associate acknowledge that that each has obligations in their respective roles as Business Associates under HIPAA and under the HITECH Act, as well as under guidance documents and regulations issued under those Rules; and 

WHEREAS, as required under those Rules, an appropriate Business Associate Agreement (“BAA”) must be entered into by Tech Heads and Business Associate to describe any collection, use, sharing, storing, retention and disposal of PHI received from Tech Heads or the Covered Entity by the Business Associate; and 

NOW THEREFORE, in consideration of the mutual promises and covenants, herein, and for other good and valuable consideration, the receipt and sufficiency of which is hereby acknowledged, the Parties agree as follows: 

DEFINITIONS 

For purposes of this BAA, the following terms shall have the designated meanings: 

“Designated Record Set” means a group of records maintained by or for Tech Heads or the Covered Entity, that is (i) the medical records and billing records about individuals maintained by or for Tech Heads or the Covered Entity; (ii) the enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or (iii) used, in whole or in part, by or for Tech Heads or the Covered Entity to make decisions about individuals. As used herein, the term “Record” means any item, collection, or grouping of information that includes PHI and is maintained, collected, used, or disseminated by or for Tech Heads or the Covered Entity. 

“Electronic Media” means the mode of electronic transmissions. It includes the Internet, extranet (using Internet technology to link a business with information only accessible to collaborating parties), leased lines, dial-up lines, private networks, and those transmissions that are physically moved from one location to another using magnetic tape, disk, or compact disk media. 

“HIPAA” means the Health Insurance Portability and Accountability Act of 1996. 

“HIPAA Transaction” shall mean Transactions as defined in 45 C.F.R. §160.103 of the Transaction Standards. 

Vendor BAA Page 2 of 7 Revised July 13, 2021 

“HITECH Act” means the American Recovery and Reinvestment Act of 2009 Public Law No. 111-005, Part I, Title XIII, Subpart D, Sections 13401-13409 and any amendments; 

“Individual” means the person who is the subject of the Protected Health Information. 

“Individually Identifiable Health Information” means information that is a subset of health information, including demographic information collected from an individual, and (i) is created or received by a health care provider, health plan, employer, or health care clearinghouse, and (ii) relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present or future payment for the provision of health care to an individual, and (iii) identifies the individual, or with respect to which there is a reasonable basis to believe the information can be used to identify the individual. 

“Privacy and Security Standards” means Standards for Privacy of Individually Identifiable Health Information (“Privacy Rule”), 45 C.F.R. Parts 160 and 164, and the Security Standards for the Protection of Electronic Protected Health Information (“Security Rule”), 45 C.F.R. Part 164 Subpart C; and the American Recovery and Reinvestment Act of 2009, Public Law No. 111-005, Part I, Title XIII, Subpart D, Sections 13401- 13409 and any amendments, (“the HITECH Act”), as well as guidance documents and regulations issued under all of those rules, to the extent that they impose additional requirements on covered entities and their business associates. 

“Protected Health Information” or “PHI” means Individually Identifiable Health Information that is (i) transmitted by electronic media; (ii) maintained in any medium constituting electronic media; or (iii) transmitted or maintained in any other form or medium. “PHI” shall not include education records covered by the Family Educational Right and Privacy Act, as amended, 20 U.S.C. §1232g, or records described in 20 U.S.C. §1232g(a)(4)(b)(iv). 

“Required By Law” means a mandate contained in a law that compels a use or disclosure of PHI and that is enforceable in a Court of Law. 

“Secretary” means the Secretary of the Department of Health and Human Services. 

“Security Standards” means the regulations with regard to security standards for health information promulgated by the Secretary pursuant to the authority granted by Title II, Subtitle F, Section 263 of HIPAA and contained in 45 C.F.R. Parts 160, 162 and 164, as modified by the HITECH Act, any amendments thereto, and any regulations and guidance documents issued under those rules. 

“Transaction Standards” means the Standards for Electronic Transactions, 45 C.F.R. 160 and 162. 

BUSINESS ASSOCIATE OBLIGATIONS 

1. Use and Disclosure of PHI. Business Associate shall not, and shall ensure that its directors, officers, employees, contractors, and agents do not use or disclose PHI received from Tech Heads or a Covered Entity, in any manner that would constitute a violation of the Privacy and Security Standards if used by Tech Heads or the Covered Entity, and may only use PHI as allowed under HIPAA and the HITECH Act for the limited purpose of performing Services on Tech Heads’ behalf or as Required by Law. To the extent the terms of the Agreement and the terms of this BAA are not consistent, the terms of the document that provides the most protection for PHI shall govern. 

Business Associate agrees to comply with applicable federal and state laws, including but not limited to the Privacy and Security Standards. Business Associate shall not use or disclose PHI except as necessary to provide Services to Tech Heads or the Covered Entity. Business Associate shall in all cases: 

Vendor BAA Page 3 of 7 Revised July 13, 2021 

a. Provide training to members of its workforce regarding the requirements in the Privacy and Security Standards, the Agreement, and this BAA, and other applicable privacy and security laws. The training shall be updated periodically, as the laws and regulations evolve; 

b. Obtain reasonable assurances from the person or entity to whom or to which PHI is disclosed that the PHI will be held confidentially and used or further disclosed only as required by law or for the purpose for which it was disclosed to the person or entity and such person or entity agrees to notify Business Associate of any instances of which it is aware in which confidentiality of the PHI has been breached; 

c. Notify Tech Heads as soon as it becomes aware of any instances in which the PHI is used, compromised, inappropriately disclosed, or becomes at risk for breach for a purpose that is not otherwise provided for in this BAA or for a purpose not expressly permitted by the Privacy or Security Standards and notify Tech Heads immediately of any security incident of which it becomes aware; and 

d. Ensure that all disclosures of PHI, including those made for treatment purposes, are subject to the principle of “minimum necessary use and disclosure,” i.e., only PHI that is the minimum necessary to accomplish the intended purpose of the use, disclosure, or request may be disclosed. 

2. Safeguards. Business Associate agrees that it will maintain all appropriate safeguards to ensure that PHI is not used or disclosed other than as provided by this BAA or as Required by Law. Business Associate shall implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic protected health information that it creates, receives, maintains, or transmits on behalf of Tech Heads or the Covered Entity, as required by the HIPAA Security Standards, the HITECH Act, and all other applicable laws, regulations and guidance documents. 

Business Associate agrees to ensure that all of its third parties and agents, including, for example, temporary employees and subcontractors, to whom it permits access to any PHI from Tech Heads or the Covered Entity, agree in writing beforehand to implement substantially similar privacy and security measures and safeguards to those required of the Business Associate under this BAA, and to those required under the Privacy and Security Standards. 

Business Associate agrees that upon reasonable notice of ten (10) business days, it will allow Tech Heads to audit its security and privacy policies and procedures to ensure the appropriate protections are in place. Tech Heads also has the right to perform or, if it so chooses, hire third parties at its own expense to perform — vulnerability or penetration testing or physical assessments of Business Associate’s operations that relate to Tech Heads’ or the Covered Entity’s PHI, but will work with Business Associate beforehand to minimize any negatively effect on the operation of Business Associate’s database, application or its systems as a result of such a review. Tech Heads will also provide Business Associate with a copy of the results of such testing. 

3. Disclosures to Third Parties. Before disclosing any PHI received from, or created on behalf of Tech Heads or the Covered Entity, Business Associate shall ensure that any and all agents, including subcontractors, who will have access to such PHI, are bound in writing to substantially similar restrictions, terms, and conditions that apply to Business Associate pursuant to this BAA with respect to such PHI. 

4. Report Disclosures. Business Associate shall, within twenty-four (24) hours of becoming aware of a disclosure or potential disclosure of PHI in violation of the BAA by Business Associate, its officers, directors, employees, contractors, or agents, or by a third party to which Business Associate disclosed PHI pursuant to Paragraph 3 hereunder, report any such disclosure to Tech Heads. However, with respect to any security incidents that Business Associate becomes aware of, or with reasonable diligence 

Vendor BAA Page 4 of 7 Revised July 13, 2021 

should have become aware of, Business Associate shall report such incidents to Tech Heads within 24 hours. 

5. De-Identified Information. Use and disclosure of de-identified health information by Business Associate is permitted upon written approval in advance by Tech Heads. Any such de-identification must be in compliance with 45 CFR §164.502(d), and any such de-identified health information meets the standard and implementation specifications for de-identification under 45 CFR §164.514(a) and (b), or such regulations as they may be amended from time to time. 

6. Notice of Privacy Practices. Business Associate agrees that it will abide by the limitations of any Notice of Privacy Practices (“Notice”) published by Tech Heads or the Covered Entity of which it has knowledge. 

7. Mitigation. Business Associate is prohibited from further use or disclosure of PHI in a manner that would violate the requirements of the Privacy and Security Standards if the PHI were so used or disclosed by Tech Heads or the Covered Entity, or the terms of the BAA. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of the requirements of this BAA. The parties agree that in the event that their Agreement is terminated, or any Business Associate employee or agent is suspected of inappropriate use or access of PHI, then each agrees to take the necessary steps to promptly limit the suspect’s access to Tech Heads’ or the Covered Entity’s systems. 

8. Accounting of Disclosures. Business Associate agrees to document such disclosures of PHI and information related to such disclosures as would be required for Tech Heads or the Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 54 CFR §164.528, as modified by the HITECH Act. Business Associate agrees to provide to Tech Heads or an Individual, within five (5) days, information collected in accordance with this paragraph of this BAA, to permit Tech Heads or the Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with HIPAA. Alternatively, Tech Heads may provide the contact information of the Business Associate to the Individual, to seek information directly from the Business Associate. 

9. Individual Rights Regarding Designated Record Sets. It is not anticipated that Business Associate will maintain a Designated Record Set on behalf of Tech Heads or the Covered Entity, however, if Business Associate maintains a Designated Record Set on behalf of Tech Heads or the Covered Entity, Business Associate agrees as follows: 

a. Individual Right to Copy or Inspection. Business Associate agrees that, if it maintains a Designated Record Set for Tech Heads or the Covered Entity, upon the direction of Tech Heads it will permit an Individual access to inspect or copy PHI in that set under conditions and limitations required under 45 CFR § 164.524 as it may be amended from time to time. 

b. Amendment of PHI. If Business Associate maintains a Designated Record Set, it agrees that it will amend PHI maintained by Business Associate as requested by Tech Heads under conditions and limitations required under 45 CFR § 164.526 as it may be amended from time to time. 

c. Accounting of Disclosures. Business Associate agrees to make available to the Individual and/or Tech Heads or the Covered Entity from whom the PHI originated, information required for an accounting of disclosures of PHI with respect to the Individual, in accordance with 45 CFR §164.528 and as modified by the HITECH Act, and as those laws may be amended from time to time, and incorporating exceptions to such accounting designated under the laws, regulations and guidance documents. Such accounting is limited to disclosures that were made in the three (3) years prior to the request (not including any disclosures prior to the compliance date of the Privacy Standards). 

Vendor BAA Page 5 of 7 Revised July 13, 2021 

10. Internal Practices, Books, and Records. Business Associate shall make available its internal practices, books, and records relating to the use and disclosure of PHI received from, created, or received by Business Associate on behalf of Tech Heads or the Covered Entity to the Secretary or his or her agents for the purpose of determining Tech Heads or the Covered Entity’s compliance with the Privacy Standards. 

11. Continuity of Business. Business Associate shall ensure that any and all data that it manages on Tech Heads’ behalf shall be secured and backed up such that in the event that its data center suffers a system set back, Tech Heads shall be able to continue its business as intended. Therefore, Business Associate shall maintain such processes in place to ensure that in the event that it is bankrupt, data is corrupted or other interruption of its services, that it has sufficient contingency plans in place to allow Tech Heads to continue its operations. 

12. Term and Termination. This BAA shall automatically terminate whenever Business Associate ceases to provide Services to and on behalf of Tech Heads. Notwithstanding the foregoing, any provisions of this BAA, which by their terms survive termination, shall continue in accordance with such terms. 

Upon termination of this BAA, Business Associate agrees to transfer PHI as directed by Tech Heads, or to return or destroy all PHI received from Tech Heads or the Covered Entity that Business Associate maintains in any form and shall comply with federal and state laws as they may be amended from time to time governing the maintenance or retention of PHI. If Business Associate determines that the return or destruction of PHI is not feasible, Business Associate shall so inform Tech Heads, and Business Associate agrees to extend the protections of this BAA to the information and limit further uses and disclosures of the PHI to those purposes that make the return or destruction of the PHI infeasible, for so long as Business Associate retains the PHI. 

13. Survival. The respective rights and obligations of Business Associate under Paragraph 2 of this BAA with regard to the security of records management shall survive the termination of this BAA. 

14. Termination for Breach. If Business Associate breaches any provision in this BAA, Tech Heads may, at its option, immediately access and audit the records of Business Associate related to its use and disclosure of PHI, require Business Associate to submit to monitoring and reporting, and such other conditions as Tech Heads may determine is necessary to ensure compliance with this BAA. In addition to the foregoing, Tech Heads may terminate any other agreement in place with Business Associate upon notice in the event of a breach. 

15. Notices. Any notices pertaining to this BAA shall be given in writing and shall be deemed duly given when personally delivered or sent by means of a reputable overnight carrier, or sent by means of certified mail, return receipt requested, postage prepaid. 

16. Amendments. This BAA may not be changed or modified in any manner except by an instrument in writing signed by a duly authorized officer of each of the Parties hereto. The Parties, however, agree to amend this BAA from time to time, in order to assure Tech Heads’ compliance with the requirements of the Privacy Standards. 

17. Choice of Law. This BAA and the rights and the obligations of the Parties hereunder shall be governed by and construed under the laws of the State of Oregon, without regard to applicable conflict of laws principles. 

18. Assignment of Rights and Delegation of Duties. This BAA is binding upon and inures to the benefit of the Parties hereto and their respective successors and permitted assigns. However, neither Party may assign any of its rights or delegate any of its obligations under this BAA without the prior written consent of the other Party, which consent shall not be unreasonably withheld or delayed. 

Vendor BAA Page 6 of 7 Revised July 13, 2021 

19. Nature of BAA. Nothing in this BAA shall be construed to create (i) a partnership, joint venture or other joint business relationship between the Parties or any of their affiliates, (ii) any fiduciary duty owed by one Party to another Party or any of its affiliates, or (iii) a relationship of employer and employee between the Parties. 

20. No Waiver. Failure or delay on the part of either Party to exercise any right, power, privilege or remedy hereunder shall not constitute a waiver thereof. No provision of this BAA may be waived by either Party except by a writing signed by an authorized representative of the Party making the waiver. 

21. Severability. The provisions of this BAA shall be severable, and if any provision of this BAA shall be held or declared to be illegal, invalid or unenforceable, the remainder of this BAA shall continue in full force and effect as though such illegal, invalid or unenforceable provision had not been contained herein. 

22. No Third Party Beneficiaries. Nothing in this BAA is intended to confer on any person or Individual other than the Parties to this BAA or their respective successors and assigns any rights, remedies, obligations or liabilities under or by reason of this BAA. Nothing in this BAA shall be considered or construed as conferring any right or benefit on a person not party to this BAA or imposing any obligations on either Party hereto to persons not a party to this BAA. 

23. Headings. The descriptive headings of the articles, sections, subsections, exhibits and schedules of this BAA are inserted for convenience only, do not constitute a part of this BAA and shall not affect in any way the meaning or interpretation of this BAA. 

24. Entire BAA. This BAA, together with attached exhibits, riders and amendments, constitutes the entire agreement between the Parties hereto with respect to the subject matter hereof and supersedes all previous written or oral understandings, BAAs, negotiations, commitments, and any other writing and communication by or between the Parties with respect to the subject matter hereof. In the event of any inconsistencies between any provisions of this BAA in any provisions of any exhibits or riders, the provisions of this BAA shall control. 

25. Regulatory References. A citation in this BAA to the Code of Federal Regulations shall mean the cited section as that section may be amended from time to time. 

26. Electronic Transactions. Business Associate hereby represents and warrants that to the extent it is transmitting any of the HIPAA Transactions for Tech Heads or the Covered Entity, the format and structure of such transmissions shall be in compliance with the Transaction Standards. Business Associate shall indemnify and hold Tech Heads harmless from any monetary penalties assessed against Tech Heads arising from a breach of the representation and warranty contained in this BAA, including reimbursing Tech Heads for any cost incurred by Tech Heads as a result of an audit or investigation by the Secretary which may include the costs of consultants and lawyers. 

27. Data Security. Business Associate hereby represents and warrants that it will utilize its commercially reasonable efforts to implement administrative, technical and physical safeguards to comply with the HIPAA Security Standards, as modified by the HITECH Act, and all other reasonably applicable security standards for similarly situated industry members, such as the security standards provided by the International Standards Organization and the National Institute of Standards and Technology. Business Associate agrees that it shall perform regular, at least every six months, security assessments by qualified third parties to ensure the sufficiency and appropriateness of the security and privacy measures it has in place to protect the privacy and confidentiality of the Tech Heads’ or the Covered Entity’s PHI. 

28. Indemnification. Business Associate agrees to indemnify, defend and hold harmless Tech Heads, its respective employees, directors, officers, or other members of its workforce against all losses suffered by Tech Heads or to third parties arising from or in connection with any breach of this BAA or of any warranty hereunder or from any negligence or wrongful acts or omissions, including failure to perform its obligations under the Privacy Regulation. Accordingly, on demand, Business Associate shall reimburse 

Vendor BAA Page 7 of 7 Revised July 13, 2021 

Tech Heads for any and all actual and direct losses, liabilities, lost profits, fines, penalties, costs or expenses (including reasonable attorneys’ fees), and breach notification costs and expenses, which may for any reason be imposed upon Tech Heads by reason of any suit, claim, action, proceeding, regulatory investigation or demand by any third party, including any state or federal agency, which results from the Business Associate’s actions hereunder. Business Associate’s obligation to indemnify Tech Heads shall survive the expiration or termination of this BAA for any reason. Any notices required to be given to individuals whose PHI is compromised, inappropriately accessed, or otherwise require notice of breach under HIPAA, the HITECH Act, or other federal, state or international notification laws, shall be provided by Tech Heads or the Covered Entity at Business Associate’s sole cost, in a manner that complies with the applicable regulatory requirements. In addition, Business Associate shall cooperate with and fund any other reasonable mitigation efforts related to such breach or potential breach, such as staffing a toll-free number, or offering credit monitoring, and perform appropriate remediation in a reasonable time following the breach, to reduce the risk of similar situations. Business Associate shall cooperate fully with Tech Heads in the handling of any such privacy and/or security incidents. The Parties agree that any limitation of liability provision of the Independent Contract Agreement shall not apply to Business Associate’s indemnification obligations hereunder.