Business Associate Addendum

Updated October 11, 2019

This Business Associate Addendum (this “Addendum”) is an addendum to one or more services agreements (collectively, the “Terms”), including but not limited to the Terms of Service Agreement to which this Addendum is appended, between Mighty Group Inc., a Delaware corporation (the “Business Associate”) and the customer specified in the Terms (the “Covered Entity”) (individually a “Party” and collectively the “Parties”), under which Business Associate provides services to Covered Entity (the “Services”).

This Addendum is incorporated into the Terms and is effective when the Terms become effective (the “Effective Date”).

Recitals

WHEREAS, the Parties desire to enter into this Addendum in order to provide for the Parties’ compliance with the privacy regulations (the “Privacy Rule”) and security regulations (the “Security Rule”) adopted by the U.S. Department of Health and Human Services (“HHS”) at 45 C.F.R. Parts 160 and 164, as promulgated by HHS in accordance with the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”); the Health Information Technology for Economic and Clinical Health Act of 2009 (“HITECH”); and any other regulations promulgated by HHS in accordance with HIPAA and/or HITECH from time to time, hereinafter such regulations and Acts collectively referred to as the “HIPAA Regulations”;

WHEREAS, in connection with the Services, Business Associate may use, disclose, create, receive, maintain and/or transmit PHI, as defined below, for or on behalf of Covered Entity;

WHEREAS, the Parties desire to enter into this Addendum in order to ensure the Covered Entity receives adequate and satisfactory assurances from Business Associate that Business Associate and its subcontractors will comply with all applicable obligations under the HIPAA Regulations;

NOW THEREFORE, in consideration of the mutual promises and covenants herein, and for other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, and incorporating the recitals above, the Parties agree as follows:

1. Impact of Addendum.  The Parties agree that, notwithstanding anything to the contrary in this Addendum, this Addendum is being entered into solely to comply with the HIPAA Regulations to the extent that Business Associate meets the definition of Business Associate under the HIPAA Regulations with respect to Covered Entity.  Until such time as Business Associate meets such definition with respect to Covered Entity, this Addendum and its provisions shall not be effective or binding on the Parties.

2. Definitions.

        A. Unless otherwise provided in this Addendum, all capitalized terms in this Addendum will have the meaning set forth in the HIPAA Regulations.  References to Protected Health Information (hereinafter “PHI”) shall be construed to include Electronic Protected Health Information, and references to PHI shall mean only the PHI that Business Associate uses, discloses, creates, receives, maintains and/or transmits for or on behalf of Covered Entity to perform the Services.  For purposes of this Addendum, capitalized words shall have the definitions given or used by the HIPAA Regulations as of the compliance deadline established by such requirements.  The Parties hereby acknowledge that the definition of PHI includes Genetic Information, as defined at 45 C.F.R. §160.103.

3. Obligations of Business Associate.

        A. Compliance with Laws.  Business Associate shall only create, receive, use, disclose, maintain, and/or transmit PHI in compliance with this Addendum and the Confidentiality Requirements, including 45 C.F.R. §164.504(e).  Business Associate agrees to comply with applicable federal and state privacy laws, including but not limited to the HIPAA Regulations.

        B. Business Associate Agreements with Subcontractors.  If Business Associate subcontracts any portion of the Services to any agent or subcontractor as those terms are defined or otherwise used in the HIPAA Regulations (hereinafter referred to individually as a “Subcontractor” or collectively as “Subcontractors”), prior to any Subcontractor accessing, creating, using, disclosing, maintaining, transmitting or receiving any PHI, Business Associate shall require such Subcontractor to agree in writing to the business associate agreement restrictions and conditions set forth in the HIPAA Regulations, including but not limited to the implementation specifications of 45 C.F.R. §§ 164.314, 164.410, 164.502, and 164.504(e); provided further, such agreement shall require the Subcontractor to comply with the HIPAA Regulations, including but not limited to the Security Standards.

        C. Use of PHI.  Except as otherwise permitted by law and this Addendum, Business Associate shall only create, receive, use, disclose, maintain, and/or transmit PHI in compliance with the Terms, this Addendum and the HIPAA Regulations, whichever is more protective of patient confidentiality and patient rights.  In accordance with the foregoing, Business Associate shall use PHI (i) to perform the Services, and (ii) as necessary for the proper management and administration of the Business Associate or to carry out Business Associate’s legal responsibilities, provided that such uses are permitted under federal and applicable state law.  Additionally, Business Associate may use and disclose PHI for Data Aggregation purposes relating to the healthcare operations of the Covered Entity.

        D. Disclosure of PHI.  Business Associate may disclose PHI if required to do so by law.  In addition to the requirements of Section 3B of this Addendum regarding Business Associate Agreements with Subcontractors, Business Associate may disclose PHI to a third party, including any Subcontractor, as necessary for such third party to assist Business Associate in performance of the Services; provided, however, that prior to any such disclosure Business Associate:  (i) obtains reasonable written assurances from the third party, including any Subcontractor, to whom the PHI is disclosed that the third party will hold such PHI confidentially and will use or disclose such PHI only as Required by Law or for the purpose(s) for which the PHI was disclosed to the third party; and (ii) requires the third party, including any Subcontractor, to agree to notify the Business Associate promptly, but in no event later than ten (10) business days, following any instance of which such third party is aware that PHI has been used or disclosed for a purpose that is not permitted by this Addendum or the HIPAA Regulations.  Business Associate further agrees that any disclosures of PHI made by Business Associate to any third party, including Subcontractors, shall comply with the HIPAA Regulations, including but not limited to the Security Standards.

        E. Report of Misuses and/or Inappropriate Disclosures of PHI.  Business Associate shall:  (i) report to the Covered Entity any use or disclosure of PHI not permitted by this Addendum or the HIPAA Regulations, such report to be made within fifteen (15) business days of the Business Associate becoming aware of such misuse or inappropriate disclosure; and (ii) mitigate, to the extent practical, any harmful effect that is known or reasonably foreseeable to Business Associate and is the result of a use or disclosure of PHI by Business Associate in violation of this Addendum, the HIPAA Regulations or other applicable law.

        F. De-identification and Limited Data Sets.  Subject to any restrictions in the HIPAA Regulations, Business Associate shall have full discretion and authority to de-identify PHI and provide the Covered Entity with data aggregation services.

        G. Safeguards by Business Associate and Subcontractors.  Business Associate represents and warrants that it has adopted, implemented and shall continue to maintain, for so long as Business Associate has access to, maintains, uses or discloses Data, as defined below, adequate and appropriate safeguards to:  (i) protect the confidentiality and security of PHI and other individually identifiable information obtained from, or created on behalf of, Covered Entity (for purposes of this Section 3G, “Data”); and (ii) prevent the use or disclosure of Data other than as provided for by this Addendum, the HIPAA Regulations and other applicable law.  Business Associate’s administrative, physical and technical safeguards protecting Data shall comply with applicable law and the HIPAA Security Rule.

        H. Minimum Necessary.  Business Associate shall limit its uses and disclosures of PHI to the “Minimum Necessary,” that is, Business Associate shall only use and further disclose PHI as permitted by this Addendum and the HIPAA Regulations (including but not limited to the minimum necessary standard set forth at 45 C.F.R. Section 164.502(b)), to accomplish the intended purpose of such use, disclosure, or request to use or disclose.

4. Obligations of Covered Entity.

        A. Notice of Privacy Practices.  Upon written request by Business Associate, Covered Entity shall provide Business Associate with Covered Entity’s then-current notice of privacy practices.

        B. Restrictions on Use or Disclosure of PHI.  Covered Entity shall notify Business Associate of any restrictions to the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 C.F.R. § 164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of PHI.

        C. Revocation of Permitted Use or Disclosure of PHI.  Covered Entity shall notify Business Associate of any changes in, or revocation of, permission to use or disclose PHI, to the extent that such changes may affect Business Associate’s use or disclosure of PHI.

        D. Requested Uses of Disclosures of PHI.  Except for data aggregation or management and administrative activities of Business Associate, Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under the HIPAA Regulations if done by Covered Entity.

5. Individual Rights.  Business Associate agrees as follows:

        A. Individual Right to Copy or Append PHI in the Designated Record Set.  In the event Business Associate maintains a Designated Record Set on behalf of Covered Entity, Business Associate shall promptly take all actions necessary for Covered Entity to comply with 45 C.F.R. Sections 164.524 and 164.526.  Business Associate shall provide any request it (or its Subcontractors) receives from an Individual for access or amendment under such regulations to Covered Entity within ten (10) business days of receipt.  Business Associate agrees that only Covered Entity shall respond to requests received by Business Associate (or its Subcontractors) from Individuals.

        B. Accounting of Disclosures.  Business Associate agrees to maintain documentation of the information required to provide an Accounting of Disclosures of PHI in accordance with 45 C.F.R. § 164.528, and to make this information available to Covered Entity within ten (10) business days of Covered Entity’s request, in order to allow Covered Entity to respond to an Individual’s request for Accounting of Disclosures.  Such accounting is limited to disclosures that were made in the six (6) years prior to the request (not including disclosures prior to the compliance date of the Privacy Rule) and shall be provided for as long as Business Associate maintains the PHI.  If an Individual requests an Accounting of Disclosures directly from Business Associate, Business Associate will forward the request and its Disclosure record to Covered Entity within ten (10) business days of Business Associate’s receipt of the Individual’s request.  Covered Entity will be responsible for preparing and delivering the Accounting to the Individual.  Business Associate will not provide an Accounting of its Disclosures directly to any Individual.

6. Internal Practices, Policies and Procedures.  Except as otherwise specified herein, Business Associate shall make available information regarding Business Associate’s internal practices, policies and procedures relating to the use and disclosure of PHI to HHS or its authorized agents for the purpose of determining Covered Entity’s and/or Business Associate’s compliance with the HIPAA Rules.  Records requested that are not protected by an applicable legal privilege will be made available in the time and manner specified by HHS or its authorized agents.  To the extent permitted by law, Business Associate shall promptly notify Covered Entity in writing regarding any requests for such information received from HHS or its authorized agents.

7. Withdrawal of Authorization.  If the use or disclosure of PHI in this Addendum is based upon an Individual’s specific authorization for the use or disclosure of his or her PHI, and the Individual revokes such authorization, the effective date of such authorization has expired, or such authorization is found to be defective in any manner that renders it invalid, Business Associate shall, if it has notice of such revocation, expiration, or invalidity, cease the use and disclosure of the Individual’s PHI except to the extent it has relied on such use or disclosure, or if an exception under the HIPAA Regulations expressly applies.

8. Security Incidents.  Business Associate agrees to report to the Covered Entity any Security Incident of which Business Associate becomes aware, as follows:

        A. Attempted incidents, i.e., those incidents that are unsuccessful and neither penetrate the information systems nor cause any threat of harm to such systems, shall be reported to the Covered Entity within thirty (30) days of the Covered Entity’s written request.  The Covered Entity will not make such a request more frequently than quarterly.

        B. Successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operation shall be reported to the Covered Entity within fifteen (15) business days of discovery by Business Associate.

9. Breaches of Unsecured PHI.  Business Associate will report in writing to Covered Entity any Breach of Unsecured Protected Health Information, as defined in the Breach Notification Regulations, 45 C.F.R. Section 164.400 et seq. (each a “HIPAA Breach”), within fifteen (15) business days of the date Business Associate Discovers the Breach, and shall provide Covered Entity with all information required by 45 C.F.R. Section 164.410 that Business Associate has or may obtain without unreasonable difficulty.  Business Associate will provide such information to Covered Entity in the manner required by the Breach Notification Regulations, and as promptly as is possible.  This Section shall survive the expiration or termination of this Addendum and shall remain in effect for so long as Business Associate maintains PHI.

10. Term and Termination.

        A. Term.  This Addendum shall be effective as of the Effective Date and shall be terminated concurrently with the termination of the Terms, or as otherwise provided in this Addendum.

        B. Termination for Breach.  Either Party may terminate this Addendum (the “Terminating Party”) upon written notice to the other Party (the “Terminated Party”) if the Terminating Party determines that the Terminated Party has breached a material term of this Addendum.  The Terminating Party will provide the Terminated Party with written notice of the breach of this Addendum and afford the Terminated Party the opportunity to cure the breach to the satisfaction of the Terminating Party within thirty (30) days of the date of such notice.  If the Terminated Party fails to timely cure the breach, as determined by the Terminating Party in its sole discretion, this Addendum shall terminate upon notice of such determination given by the Terminating Party to the Terminated Party.

        C. Effect of Termination.  Upon termination of this Addendum for any reason, Business Associate agrees to return or destroy all PHI received from, or accessed, maintained, used, disclosed and/or transmitted for or on behalf of, Covered Entity by Business Associate (or its Subcontractors).  If Business Associate reasonably determines that the return or destruction of PHI is not feasible, Business Associate shall inform Covered Entity in writing of the reason thereof, and shall agree to extend the protections of this Addendum to such PHI and limit further uses and disclosures of the PHI to those purposes that make the return or destruction of the PHI not feasible for so long as Business Associate retains the PHI.

11. Mitigation.  If Business Associate violates this Addendum, the HIPAA Regulations, state medical record privacy laws, and/or State Breach laws, Business Associate shall take commercially reasonable efforts to mitigate any damage caused by such violation or breach; provided, however, that Business Associate admits no negligence or fault by Covered Entity as part of its mitigation efforts.

12. Miscellaneous.

        A. Survival.  The respective rights and obligations of Business Associate under this Addendum shall survive the termination of this Addendum and shall continue for so long as Business Associate, its Subcontractors or agents maintain PHI.

        B. Notices.  Any notices pertaining to this Addendum shall be given in writing and shall be deemed duly given when personally delivered to a Party or a Party’s authorized representative as listed below or sent by means of a reputable overnight carrier, or sent by means of certified mail, return receipt requested, postage prepaid.  A notice sent by certified mail shall be deemed given on the date of receipt or refusal of receipt.  All notices to Covered Entity shall be addressed to its address reflected in the records of Business Associate.  All notices to Business Associate shall be addressed as follows (or to such other address as Business Associate may notify Covered Entity from time to time):  

        Mighty Group Inc.
        400 Madison Avenue, Suite 4D
        New York, NY 10017

     C. Amendments.  This Addendum may not be changed or modified in any manner except by an instrument in writing signed by a duly authorized officer of each of the Parties hereto.  The Parties, however, agree to amend this Addendum from time to time as necessary to comply with the HIPAA Regulations.

     D. Choice of Law.  This Addendum and the rights and the obligations of the Parties hereunder shall be governed by and construed under the laws of the State of New York, without regard to applicable conflict of laws principles.

    E. Assignment of Rights and Delegation of Duties.  This Addendum is binding upon and inures to the benefit of the Parties hereto and their respective successors and permitted assigns.  Neither Party may assign any of its rights or delegate any of its obligations under this Addendum without the prior written consent of the other Party, which consent shall not be unreasonably withheld or delayed.  Notwithstanding any provisions to the contrary, however, Covered Entity retains the right to assign or delegate any of its rights or obligations hereunder to any of its wholly owned subsidiaries, affiliates or successor companies.  Assignments made in violation of this provision are null and void.

     F. Nature of Addendum.  Nothing in this Addendum shall be construed to create (i) a partnership, joint venture or other joint business relationship between the Parties or any of their affiliates, (ii) any fiduciary duty owed by one Party to another Party or any of its affiliates, or (iii) a relationship of employer and employee between the Parties.  The Parties explicitly agree that Business Associate is an independent contractor of Covered Entity, and not an agent of Covered Entity.

    G. No Waiver.  Failure or delay on the part of either Party to exercise any right, power, privilege or remedy hereunder shall not constitute a waiver thereof.  No provision of this Addendum may be waived by either Party except by a writing signed by an authorized representative of the Party making the waiver.

    H. Severability.  The provisions of this Addendum shall be severable, and if any provision of this Addendum shall be held or declared to be illegal, invalid or unenforceable, the remainder of this Addendum shall continue in full force and effect as though such illegal, invalid or unenforceable provision had not been contained herein.

      I. No Third Party Beneficiaries.  Nothing in this Addendum shall be considered or construed as conferring any right or benefit on a person not party to this Addendum nor imposing any obligations on either Party hereto to persons not a party to this Addendum.

      J. Headings.  The descriptive headings of the articles, sections, subsections, exhibits and schedules of this Addendum are inserted for convenience only, do not constitute a part of this Addendum and shall not affect in any way the meaning or interpretation of this Addendum.

     K. Entire Addendum.  This Addendum, together with all Exhibits, Riders and amendments, if applicable, which are fully completed and signed by authorized persons on behalf of both Parties from time to time while this Addendum is in effect, constitutes the entire Addendum between the Parties hereto with respect to the subject matter hereof and supersedes all previous written or oral understandings, Addendums, negotiations, commitments, and any other writing and communication by or between the Parties with respect to the subject matter hereof.  In the event of any inconsistency or conflict between any provisions of this Addendum and any provisions of the Terms, Exhibits, Riders, or amendments thereto, the provisions of this Addendum shall control with respect to PHI.

     L. Interpretation.  Any ambiguity in this Addendum shall be resolved in favor of a meaning that permits Covered Entity to comply with the HIPAA Rules and any applicable state confidentiality laws.  The provisions of this Addendum shall prevail over the provisions of any other agreement or Addendum that exists between the Parties that may conflict with, or appear inconsistent with, any provision of this Addendum or the HIPAA Regulations.

    M. Regulatory References.  A citation in this Addendum to the Code of Federal Regulations shall mean the cited section as that section may be amended from time to time.