
BACKGROUND

Covered Entity and Business Associate are parties to the Agreement(s) under which
Business Associate provides certain goods or services to Covered Entity and, in connection with
the provision of those goods or services, Business Associate has, or will have access to or will
receive, certain PHI that is subject to protection under the Health Insurance Portability and
Accountability Act of 1996 (“HIPAA”) and the Health Information Technology for Economic
and Clinical Health Act (Title XIII of the American Recovery and Reinvestment Act of 2009),
and any amendments or implementing regulations (“HITECH”). All business associates of
covered entities must agree in writing to certain mandatory provisions regarding the use and
disclosure of PHI; and the purpose of this BAA is to comply with the requirements of the
HIPAA Rules as defined in this BAA.

1. Definitions.

(a) Catch-all definitions. The following terms used in this BAA shall have the same
meaning as those terms in the HIPAA Rules: Breach, Data Aggregation, Designated Record Set,
Disclosure, Health Care Operations, Individual, Minimum Necessary, Notice of Privacy
Practices, Protected Health Information, Required By Law, Secretary, Security Incident,
Subcontractor, Unsecured Protected Health Information, and Use.

(b) Specific definitions.

(i) Business Associate. “Business Associate” shall generally have the
same meaning as the term “business associate” at 45 CFR 160.103.

(ii) Covered Entity. “Covered Entity” shall generally have the same
meaning as the term “covered entity” at 45 CFR 160.103.

(iii) HIPAA Rules. “HIPAA Rules” shall mean HITECH and the Privacy,
Security, Breach Notification, and Enforcement Rules at 45 CFR Part
160 and Part 164.

2. Obligations and Activities of Business Associate.

Business Associate agrees to:


(a) Not use or disclose PHI other than as permitted or required by this BAA, the
Agreement(s) or as required by law. Business Associate may not use or further disclose PHI in a
manner that would violate Subpart E of 45 CFR Part 164, if done by Covered Entity.

(b) To the extent Business Associate is to carry out one or more of Covered Entity’s
obligation(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E
that apply to Covered Entity in the performance of such obligation(s).

Page 1 of 5
(c) In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable,
ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of
Business Associate agree to the same restrictions, conditions, and requirements that apply to
Business Associate with respect to such information.

(d) Make available PHI in a designated record set to Covered Entity as necessary to
satisfy Covered Entity’s obligations under 45 CFR 164.524 to respond to an individual’s access
request.

(e) Within fifteen (15) days of receiving a written request from Covered Entity make
available PHI for amendment and make any amendment(s) to PHI in a designated record set as
directed or agreed to by Covered Entity pursuant to 45 CFR 164.526, and forward in a timely
manner to Covered Entity any request for amendment that Business Associate receives directly
from the individual.

(f) Within fifteen (15) days of receiving a written request from Covered Entity make
available the information required to provide an accounting of disclosures to Covered Entity as
necessary to satisfy Covered Entity’s obligations under 45 CFR 164.528.

(g) Make its internal practices, books, and records relating to the use and disclosure
of PHI received from, or created or received by Business Associate on behalf of Covered Entity
available to the Secretary for purposes of determining compliance with the HIPAA Rules.

(h) Use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with
respect to electronic PHI (“ePHI”), to prevent use or disclosure of ePHI and PHI other than as
provided for by the Agreement(s).

(i) Use reasonable and appropriate administrative, technical, and physical safeguards,
in accordance with the HIPAA Rules to prevent use or disclosure of PHI other than as provided
for by this BAA or the Agreement(s).

(j) Within twenty (20) days, report to Covered Entity any use or disclosure of PHI
not provided for by the Agreement(s) of which it becomes aware, including breaches of
unsecured PHI as required at 45 CFR 164.410, and any Security Incident of which it becomes
aware. Such notice shall include the identification of each individual whose unsecured PHI has
been, or is reasonably believed by Business Associate to have been, accessed, acquired, or
disclosed during such Breach. The parties agree that this section satisfies any notices necessary
by Business Associate to Covered Entity of the ongoing existence and occurrence of attempted
but Unsuccessful Security Incidents (as defined below) for which no additional notice to
Covered Entity shall be required. For purposes of this BAA, “Unsuccessful Security Incidents”
include activity such as pings and other broadcast attacks on Business Associate’s firewall, port
scans, unsuccessful log-on attempts, denials of service and any combination of the above, so
long as no such incident results in unauthorized access, use or disclosure of electronic PHI.

(k) Business Associate agrees to mitigate, to the extent practicable, any harmful
effect of a use or disclosure of PHI by Business Associate in violation of the requirements of this

BAA including, but not limited to, compliance with any state law or contractual data breach
requirements.

3. Permitted Uses and Disclosures by Business Associate.

Business Associate may:

(a) Except as otherwise limited by this BAA or the Agreement(s), use PHI for the
proper management and administration of Business Associate or to carry out the legal
responsibilities of Business Associate.

(b) Except as otherwise limited by this BAA or the Agreement(s), disclose PHI for
the proper management and administration of Business Associate or to carry out the legal
responsibilities of Business Associate, provided the disclosures are required by law, or Business
Associate obtains reasonable assurances from the person to whom the information is disclosed
that the information will remain confidential and used or further disclosed only as required by
law or for the purposes for which it was disclosed to the person, and the person notifies Business
Associate of any instances of which it is aware in which the confidentiality of the information
has been breached.

(c) Provide data aggregation services relating to the health care operations of
Covered Entity.

(d) De-identify any and all PHI created or received by Business Associate under this
BAA; provided that the de-identification conforms to the requirements of the HIPAA Privacy
Rule.

4. Obligations of Covered Entity.

(a) Covered Entity shall notify Business Associate of any limitation(s) in the notice
of privacy practices of Covered Entity under 45 CFR 164.520, to the extent that such limitation
may affect Business Associate’s use or disclosure of PHI.

(b) Covered Entity shall promptly notify Business Associate of any changes in, or
revocation of, the permission by an individual to use or disclose his or her PHI, to the extent that
such changes may affect Business Associate’s use or disclosure of PHI.

(c) Covered Entity shall notify Business Associate of any restriction on the use or
disclosure of PHI that Covered Entity has agreed to or is required to abide by under 45 CFR
164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of
PHI.

5. Term and Termination.

(a) Term. The term of this BAA shall be coterminous with that of the Agreement(s)
and shall terminate on termination or expiration of the Agreement(s) or when all the PHI

provided by Covered Entity to Business Associate, or created or received by Business Associate
on behalf of Covered Entity, is destroyed or returned to Covered Entity.

(b) Termination for Cause. If Covered Entity determines Business Associate has
violated a material term of this BAA, Covered Entity may terminate this BAA. Alternatively,
Covered Entity may choose to provide Business Associate with notice of the existence of an
alleged breach and afford Business Associate an opportunity to cure the alleged breach. In the
event Business Associate fails to cure the breach to the satisfaction of Covered Entity, Covered
Entity may immediately thereafter terminate this BAA.

(c) Obligations of Business Associate Upon Termination.

(i) Upon termination of this BAA for any reason, Business Associate
shall, if Business Associate determines it feasible, return to Covered
Entity or destroy all PHI received from Covered Entity, or created,
maintained, or received by Business Associate on behalf of Covered
Entity that Business Associate still maintains in any form. Business
Associate shall retain no copies of the PHI.

(ii) Notwithstanding the above, if such return or destruction is not feasible,
Business Associate shall:

A. extend the protections of the contract to the information; and

B. limit further uses and disclosures to those purposes that make
the return or destruction of the information infeasible.

6. Amendment. Covered Entity and Business Associate agree to take such action as is
necessary to amend this BAA from time to time as is necessary for Covered Entity to comply
with the requirements of the HIPAA Rules.

7. Survival. The obligations of Business Associate under this Section shall survive the
termination of this BAA.

8. No Third-Party Beneficiaries. Nothing express or implied in this BAA is intended to
confer, nor shall anything in this BAA confer, upon any person other than the parties and their
respective successors or assigns, any rights, remedies, obligations or liabilities whatsoever.

9. Interpretation. Any ambiguity in this BAA shall be interpreted to permit compliance with
the HIPAA Rules.

10. Independent Contractor Status. For the purpose of this BAA, Business Associate is an
independent contractor of Covered Entity, and shall not be considered an agent of Covered
Entity.

IN WITNESS WHEREOF, the parties have caused this Business Associate Agreement to
be executed as of the dates set forth below.
