Business Associate Agreement
Last Updated: May 1, 2025
Pursuant to the HIPAA Rules (defined below), this HIPAA Business Associate Agreement (“BAA”) applies to Customers of Connexin Software, Inc., dba Office Practicum (“Vendor”) who are “Covered Entities” as that term is defined by HIPAA Rules, and who, in accordance with the software and services provided by Vendor, transmit Protected Health Information as that term is defined by HIPAA Rules (“PHI”), to Vendor. Customer and Vendor agree that the terms of this BAA shall be incorporated into the OP Customer Agreement related to the purchase of electronic health record clinical and practice management software, revenue cycle management services, website and related services, or any other services offered by Vendor (“Underlying Agreement”), under which Vendor is a Business Associate (as defined by HIPAA Rules) and Customer is a Covered Entity. This BAA shall be effective as of the effective date of the Underlying Agreement.
This BAA is intended to ensure that Vendor (also “Business Associate”) will establish and implement appropriate safeguards for the PHI that it may receive, create, maintain, use, or disclose in connection with the functions, activities, and services that Business Associate performs for Covered Entity pursuant to the Underlying Agreement. Customer and Vendor (collectively referred to as “the Parties”) desire to enter into this BAA for the purpose of ensuring compliance with HIPAA and HITECH, and relevant implementing regulations, with respect to such PHI.
Pursuant to the above, and in consideration of the mutual promises and covenants herein, and for other good and valuable consideration, the receipt and sufficiency of which is hereby acknowledged, the Parties agree as follows:
- Definitions. “HIPAA Rules” means, collectively, the federal Health Insurance Portability and Accountability Act of 1966 (“HIPAA”), the Health Information Technology for Economic and Clinical Health Act (“HITECH”), and the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR parts 160 and 164, as amended. Unless the context clearly indicates otherwise, capitalized terms in this BAA shall have the same meaning as those terms in the HIPAA Rules.
- Permission to Use and Disclose PHI.
- Business Associate may use or disclose PHI as necessary to perform the services set forth in the Underlying Agreement, or as Required by Law or pursuant to this BAA.
- Business Associate may use or disclose PHI to de-identify the PHI in accordance with 45 CFR 164.514(a)-(c) and use to provide data aggregation services relating to the health care operations of the Covered Entity to the fullest extent permitted by the Privacy Rule, the Underlying Agreement and any applicable provisions in this BAA.
- Business Associate may not use or disclose PHI in a manner that would violate Subpart E of 45 CFR Part 164 if done by Covered Entity; provided that, Business Associate may use PHI for the proper management and administration of the Business Associate or to carry out its legal responsibilities, or if Business Associate obtains reasonable assurances from the person to whom the information is disclosed that the information will remain confidential and used or further disclosed only as Required by Law or for the purposes for which it was disclosed to the person, and the person notifies Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.
- Business Associate Obligations. Business Associate shall:
- Use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to ePHI, to prevent use or disclosure other than as provided for by this BAA.
- Not use or disclose PHI other than as permitted by this BAA, or as otherwise authorized by Covered Entity.
- Mitigate, to the extent practicable, any harmful effect that is known to Business Associate as a result of a use or disclosure of PHI by Business Associate in violation of this BAA's requirements or that would otherwise cause a Breach of Unsecured PHI.
- Report to Covered Entity promptly upon becoming aware of: (i) any use or disclosure of PHI not provided for by this BAA of which it becomes aware, including any Breach of unsecured PHI as required by, and in compliance with, 45 CFR 164.410; and (ii) any successful security incident of which it becomes aware. Business Associate also shall provide any additional information reasonably requested by Covered Entity for purposes of investigating the Breach and any other available information that Covered Entity is required to include to the individual under 45 C.F.R. § 164.404(c) at the time of notification or promptly thereafter as information becomes available.
- Make available PHI in a Designated Record Set to the Covered Entity as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.524.
- Make any amendment(s) to PHI in a Designated Record Set as directed or agreed to by the Covered Entity pursuant to 45 CFR 164.526, or take other measures as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.526.
- Make available the information required to provide an accounting of disclosures to the Covered Entity or an Individual as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.528. Business Associate agrees to comply with an individual's request to restrict the disclosure of their personal PHI in a manner consistent with 45 C.F.R. § 164.522, except where such use, disclosure, or request is required or permitted under applicable law.
- Request, use and disclose the Minimum Necessary amount of PHI necessary to accomplish the purpose of the request, use or disclosure.
- Make internal practices, books, and records relating to the use and disclosure of PHI received from, or created or received by the Business Associate on behalf of the Covered Entity available to the Covered Entity, or to the Secretary, for the purposes of the Secretary determining the Covered Entity's compliance with the Privacy Rule.
- Ensure that any subcontractor(s) that, in connection with the Underlying Agreement, create, receive, maintain, or transmit PHI on behalf of the Business Associate agree to substantially the same restrictions, conditions, and requirements as required under this BAA, as applicable to such PHI.
- Covered Entity Obligations regarding Privacy Practices and Restrictions. Covered Entity shall:
- Notify Business Associate of any limitation(s) in the notice of privacy practices of Covered Entity under 45 CFR 164.520, to the extent that such limitation may affect Business Associate’s use or disclosure of PHI.
- Notify Business Associate of any changes in, or revocation of, the permission by an individual to use or disclose his or her PHI, to the extent that such changes may affect Business Associate’s use or disclosure of PHI.
- Notify Business Associate of any restriction on the use or disclosure of PHI that Covered Entity has agreed to or is required to abide by under 45 CFR 164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of PHI.
- Not request the Business Associate to use or disclose PHI in any manner that would be prohibited to the Covered Entity under the applicable Regulations.
- Term and Termination.
- (a) Term. The Term of this Agreement shall be effective as of the Effective Date of the Underlying Agreement, and shall terminate when all of the PHI that is the subject of this BAA is destroyed, returned or retained as provided in paragraph (c) of this Section, or on the date Covered Entity terminates for cause as authorized in paragraph (b) of this Section, whichever is sooner.
- (b) Termination for Cause. Covered Entity may terminate if Business Associate has violated a material term of the Agreement, and Business Associate has not cured the breach or ended the violation within thirty (30) days of receipt of notice from Covered Entity of the breach.
- (c) Obligations of Business Associate Upon Termination. Upon termination of this Agreement for any reason, Business Associate, with respect to PHI received from Covered Entity, or created, maintained, or received by Business Associate on behalf of Covered Entity, shall:
- Retain only that PHI which is necessary for Business Associate to continue its proper management and administration or to carry out its legal responsibilities;
- Return to Covered Entity or, if agreed to by Covered Entity and/or permitted by the Underlying Agreement, destroy the remaining PHI that the Business Associate still maintains in any form;
- Continue to use appropriate safeguards and comply with Subpart C of 45 CFR Part 164 with respect to electronic PHI to prevent use or disclosure of the PHI, other than as provided for in this Section, for as long as Business Associate retains the PHI;
- Not use or disclose the PHI retained by Business Associate other than for the purposes for which such PHI was retained and subject to the same conditions of permitted use which applied prior to termination; and
- Return to Covered Entity or, if agreed to by Covered Entity, destroy the PHI retained by Business Associate when it is no longer needed by Business Associate for its proper management and administration or to carry out its legal responsibilities.
- Customer acknowledges provision 45 CFR §164.530 (j) (2) within Section: Administrative Requirements, that demands all Covered Entities or Business Associates to observe a six-year (6-year) retention period of all HIPAA related documentation, defined by paragraph (j) (1) of the same Section. Nonetheless, State Laws and Regulations on this matter could supersede the HIPAA medical documentation retention timeframe. Therefore, Customer understands that Vendor will not be held accountable for Customer’s legal obligation regarding documentation retention under HIPAA or State Law requirements, and understands that upon Termination of this Agreement Vendor will return or destroy all e-PHI/PHI if feasible, in accordance herewith, and shall not retain copies.
- (d) Survival. The obligations of Business Associate under this Section shall survive the termination of this Agreement.
- Miscellaneous.
- Regulatory References. A reference in this Agreement to a section in the HIPAA Rules means the section as in effect or as amended.
- Amendment. The Parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for compliance with the requirements of the HIPAA Rules and any other applicable law.
- Interpretation. Any ambiguity in this Agreement shall be interpreted to permit compliance with the HIPAA Rules.
- Inconsistencies. In the event that the provisions of this Agreement are inconsistent with HIPAA or its implementing regulations or any binding interpretation thereof, said conflict will be resolved in accordance with the rules of presence. To the extent that any such conflicts are nonetheless permitted under the Regulations, the provisions of this Agreement will prevail.
- State Law and Preemption. Where any provision of applicable State law is more stringent or otherwise constitutes a basis upon which the Regulation is preempted, state law controls and the Parties agree to comply fully therewith.
- Third-Parties. Except as expressly provided for in the Regulations and/or within the terms contained herein, this Agreement does not create any rights in third parties.
