Subcontractor Business Associate Agreement
This Subcontractor Business Associate Agreement ("Agreement") is entered into between (a) the Customer identified in, and subject to, the Master Terms of Service between Customer and Corti ("Business Associate"), in Customer's capacity as a Business Associate of one or more Covered Entities, and (b) the applicable Corti entity as identified in the Background section of the Master Terms of Service ("Corti" or "Subcontractor"). This Agreement is effective as of the Effective Date of the Master Terms of Service, or the date on which Business Associate first transmits Protected Health Information to Corti's Platform, whichever is earlier. Business Associate and Corti are hereinafter referred to collectively as the "Parties."
WHEREAS, Sections 261 through 264 of the federal Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, as modified by the Health Information Technology for Economic and Clinical Health Act, known collectively as "the Administrative Simplification provisions," direct the Department of Health and Human Services to develop standards to protect the security, confidentiality, and integrity of health information; and
WHEREAS, pursuant to the Administrative Simplification provisions, the Secretary of Health and Human Services has issued regulations at 45 CFR Parts 160 and 164, as the same may be amended from time to time (the "HIPAA Security and Privacy Rule"); and
WHEREAS, Business Associate operates as a Business Associate under HIPAA pursuant to a business associate agreement with one or more Covered Entities and wishes to engage Subcontractor to provide artificial intelligence platform services and related technical services; and
WHEREAS, pursuant to the Federal Standards for Privacy and Security of Individually Identifiable Health Information, 45 C.F.R. Parts 160 and 164, as established under HIPAA, Business Associate cannot disclose Protected Health Information to, or authorize the creation or receipt of Protected Health Information by, Subcontractor unless Business Associate obtains from Subcontractor satisfactory assurances that Subcontractor will properly safeguard such information; and
WHEREAS, Subcontractor may, in the performance of such functions and/or the provision of such services, access Protected Health Information in the possession, custody, or control of Business Associate, or may create or receive Protected Health Information on behalf of Business Associate for the limited purposes identified in this Agreement or the Master Terms of Service between the Parties; and
WHEREAS, Subcontractor is willing to provide such assurances to Business Associate under the terms specified herein.
NOW, THEREFORE, in consideration of the Parties' continuing obligations under the arrangement, compliance with the HIPAA Security and Privacy Rule, and other good and valuable consideration, the receipt and sufficiency of which is hereby acknowledged, the Parties hereby agree as follows:
1. DEFINITIONS
1.1.
Except as otherwise defined herein, any and all capitalized terms in this Agreement shall have the definitions set forth in the HIPAA Security and Privacy Rule. In the event of an inconsistency between the provisions of this Agreement and mandatory provisions of the HIPAA Security and Privacy Rule, as amended, the HIPAA Security and Privacy Rule shall control. Where provisions of this Agreement are different from those mandated in the HIPAA Security and Privacy Rule, but are nonetheless permitted by the HIPAA Security and Privacy Rule, the provisions of this Agreement shall control.
1.2.
"Protected Health Information" means individually identifiable health information including, without limitation, all information, data, documentation, and materials, including without limitation, demographic, medical and financial information, that relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and that identifies the individual or with respect to which there is a reasonable basis to believe the information can be used to identify the individual. "Protected Health Information" includes without limitation "Electronic Protected Health Information" as defined below.
1.3.
"Electronic Protected Health Information" means Protected Health Information that is transmitted by Electronic Media (as defined in the HIPAA Security and Privacy Rule) or maintained in Electronic Media.
1.4.
"Security Incident" means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.
1.5.
"Breach" has the meaning given such term in 45 C.F.R. § 164.402.
1.6.
"Master Terms of Service" means the agreement between the Parties governing Subcontractor's provision of AI platform services to Business Associate, as published at corti.ai/legal/master-terms-of-service and as may be amended from time to time. For purposes of the Master Terms of Service, this Agreement constitutes the "Business Associate Agreement" or "BAA" referenced therein and shall be afforded the corresponding priority in the order of precedence set forth in the Master Terms of Service.
1.7.
"Upstream Covered Entity" means any Covered Entity that has entered into a business associate agreement with Business Associate.
2. SUBCONTRACTOR ACKNOWLEDGMENT
2.1.
Subcontractor as the subcontractor Business Associate acknowledges and agrees that all Protected Health Information that is created or received by Business Associate and disclosed or made available in any form, including paper record, oral communication, audio recording, and electronic display by Business Associate to Subcontractor or is created or received by Subcontractor on Business Associate's behalf shall be subject to this Agreement.
2.2.
Subcontractor acknowledges that Business Associate is itself bound by one or more business associate agreements with Upstream Covered Entities. In accordance with 45 C.F.R. § 164.504(e)(5), Subcontractor agrees to comply with the same restrictions and conditions that apply to Business Associate under each such agreement with an Upstream Covered Entity, provided that: (i) Business Associate has communicated such restrictions to Subcontractor in writing with sufficient specificity to permit Subcontractor's compliance; (ii) such restrictions are not inconsistent with applicable law or Subcontractor's obligations under the Master Terms of Service; and (iii) compliance with such restrictions does not require Subcontractor to incur material additional costs or obligations not otherwise contemplated by this Agreement or the Master Terms of Service, unless separately agreed in writing. Business Associate shall notify Subcontractor in writing of any material new or modified restriction imposed by an Upstream Covered Entity that affects Subcontractor's processing of Protected Health Information, and in no event later than ten (10) business days after such restriction becomes effective as to Business Associate.
2.3.
Subcontractor shall not exceed the scope of uses and disclosures of Protected Health Information permitted to Business Associate by the applicable Upstream Covered Entity, to the extent such scope limitations have been communicated to Subcontractor by Business Associate in writing. Business Associate represents and warrants to Subcontractor that (a) its permitted uses and disclosures under each applicable BAA with an Upstream Covered Entity are sufficient in scope to permit Business Associate to engage Subcontractor under this Agreement and the Master Terms of Service, and (b) Business Associate has obtained, or will obtain prior to any disclosure to Subcontractor, all authorizations and approvals required from each Upstream Covered Entity for the engagement of Subcontractor. Business Associate shall indemnify, defend, and hold harmless Subcontractor from and against any losses, liabilities, costs, and expenses (including reasonable attorneys' fees) arising from (i) Business Associate's failure to accurately and timely communicate applicable restrictions or scope limitations as required by this Section, or (ii) any breach of Business Associate's representations or warranties set forth herein.
3. PERMITTED USES AND DISCLOSURES
3.1.
Subcontractor may use or disclose Protected Health Information only as permitted or required by this Agreement or as required by law. Except as specifically set forth herein, Subcontractor may not use or disclose Protected Health Information in a manner that would violate the HIPAA Security and Privacy Rule if such use or disclosure were done by Business Associate or the Upstream Covered Entity. Specifically, Subcontractor may use or disclose Protected Health Information:
3.1.1.
For meeting its obligations as set forth in the Master Terms of Service or any other agreements between the Parties evidencing their business relationship;
3.1.2.
As required by applicable law, rule or regulation;
3.1.3.
As otherwise permitted under this Agreement, the Parties' business relationship (if consistent with this Agreement and the HIPAA Security and Privacy Rule), or the HIPAA Security and Privacy Rule;
3.1.4.
As would be permitted by the HIPAA Security and Privacy Rule as if such use or disclosure were made by Business Associate or the Upstream Covered Entity.
3.2.
Subcontractor may de-identify Protected Health Information in accordance with the standards set forth in 45 C.F.R. § 164.514. Subcontractor may not sell Protected Health Information except at the direction of Business Associate and in compliance with the requirements of the HIPAA Security and Privacy Rule.
3.3.
Notwithstanding the prohibitions set forth in this Agreement, Subcontractor may:
3.3.1.
Use Protected Health Information for the proper management and administration of Subcontractor or to carry out the legal responsibilities of Subcontractor;
3.3.2.
Disclose Protected Health Information for the proper management and administration of Subcontractor or to carry out the legal responsibilities of Subcontractor, provided that as to any such disclosure:
3.3.2.1.
The disclosure is required by law; or
3.3.2.2.
Subcontractor obtains reasonable assurances from the person to whom the information is disclosed that the information will remain confidential and will be used or further disclosed only as required by law or for the purpose for which it was disclosed to the person, and the person notifies Subcontractor of any instances of which it is aware in which the confidentiality of the information has been breached.
3.3.3.
For the avoidance of doubt, none of the permitted uses under this Section 3 include the sale, licensing, or commercial exploitation of Protected Health Information.
4. PROHIBITED USES OF PROTECTED HEALTH INFORMATION
4.1.
Model Training and Algorithm Development Restrictions. Subcontractor shall not use Protected Health Information for artificial intelligence model training, algorithm development or machine learning model improvement unless:
4.1.1.
The Protected Health Information has been de-identified in accordance with the safe harbor or expert determination methods specified in 45 C.F.R. § 164.514; AND
4.1.2.
Business Associate has provided specific written authorization for such use that includes:
4.1.2.1.
A detailed description of the intended use of the de-identified data;
4.1.2.2.
The specific model training or research purpose;
4.1.2.3.
Confirmation that Business Associate has obtained any necessary upstream authorizations from Covered Entities;
4.1.2.4.
Any limitations or restrictions on the use of such de-identified data.
4.2.
Re-identification Prohibition. Any use of data that has been de-identified from Protected Health Information shall comply with the de-identification standards under 45 C.F.R. § 164.514 and Subcontractor shall not attempt to re-identify such data or contact individuals whose data has been de-identified.
4.3.
Operational Data Use Exception. This Section 4 does not prohibit Subcontractor's use of Usage Data (as defined in the Master Terms of Service) that has been properly aggregated and de-identified such that it no longer contains Protected Health Information (both direct and indirect identifiers), for operational, security, and platform improvement purposes. For clarity, any aggregated or de-identified Usage Data used by Subcontractor shall not be customer-specific, shall not permit re-identification of any individual or Covered Entity, and shall not be used to train or improve clinical, diagnostic, or decision-support models without Business Associate's prior written consent.
5. CONFIDENTIALITY AND SECURITY REQUIREMENTS
5.1.
Subcontractor agrees not to use or disclose Protected Health Information other than as permitted or required by this Agreement or as required by law. To the extent Subcontractor carries out obligations of Business Associate under the HIPAA Security and Privacy Rule, Subcontractor shall comply with the applicable provisions of the HIPAA Security and Privacy Rule as if such use or disclosure were made by Business Associate. Business Associate will not request Subcontractor to use or disclose Protected Health Information in any manner that would not be permissible under the HIPAA Security and Privacy Rule if done by Business Associate or the Upstream Covered Entity, except as otherwise provided herein.
5.2.
Subcontractor agrees to provide HIPAA training to all of its personnel who service Business Associate's account or who otherwise will have access to Business Associate's Protected Health Information.
5.3.
Data Retention and Return. At termination of this Agreement, the Parties' business arrangement, or upon request of Business Associate, whichever occurs first, if feasible, Subcontractor will return (in a manner or process approved by Business Associate) or destroy all Protected Health Information received from Business Associate, or created, maintained or received by Subcontractor on behalf of Business Associate, that Subcontractor still maintains in any form and retain no copies of such information. If such return or destruction is not feasible, Subcontractor will:
5.3.1.
Retain only that Protected Health Information necessary under the circumstances;
5.3.2.
Return or destroy the remaining Protected Health Information that Subcontractor still maintains in any form;
5.3.3.
Extend the protections of this Agreement to the retained Protected Health Information;
5.3.4.
Return or destroy the retained Protected Health Information when it is no longer needed by Subcontractor.
This paragraph shall survive the termination of this Agreement and shall apply to Protected Health Information created, maintained, or received by Subcontractor and any of its subcontractors.
5.4.
Downstream Subcontractor Requirements. Subcontractor agrees to ensure that its agents, including any downstream subcontractors, that create, receive, maintain or transmit Protected Health Information on behalf of Subcontractor agree to the same (or greater) restrictions and conditions that apply to Subcontractor with respect to such information, and agree to implement reasonable and appropriate safeguards to protect any of such information that is Electronic Protected Health Information. Subcontractor agrees to enter into written agreements with any downstream subcontractors in accordance with the requirements of the HIPAA Security and Privacy Rule. In addition, Subcontractor agrees to take reasonable steps to ensure that its employees' actions or omissions do not cause Subcontractor to breach the terms of this Agreement.
5.5.
Technical Safeguards. Subcontractor will implement appropriate safeguards to prevent use or disclosure of Protected Health Information other than as permitted in this Agreement. Subcontractor will implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of any Electronic Protected Health Information that it creates, receives, maintains, or transmits on behalf of Business Associate as required by the HIPAA Security and Privacy Rule.
5.6.
Compliance with Upstream Restrictions. To the extent applicable and as communicated by Business Associate, Subcontractor will comply with:
5.6.1.
Any limitations to which the Upstream Covered Entity has agreed regarding an Individual's permission to use or disclose his or her Protected Health Information;
5.6.2.
Any restrictions to the use or disclosure of Protected Health Information to which the Upstream Covered Entity has agreed or is required to agree; and
5.6.3.
Any other restrictions or requirements imposed by the Upstream Covered Entity and communicated to Subcontractor by Business Associate.
5.7.
Government Access and Cooperation. Subcontractor will make its internal practices, books, and records available to the Secretary of the Department of Health and Human Services for purposes of determining compliance with the terms of the HIPAA Security and Privacy Rule, and, at the request of the Secretary, will comply with any investigations and compliance reviews, permit access to information, and cooperate with any complaints, as required by law. Without unreasonable delay and, in any event, no more than 72 hours after receipt of the request or notification, Subcontractor will notify Business Associate in writing of any request by any governmental entity, or its designee, to review Subcontractor's compliance with law or this Agreement, to pursue a complaint, or to conduct an audit or assessment of any kind.
5.8.
Incident Reporting and Breach Notification. Subcontractor shall report to Business Associate any use or disclosure of Protected Health Information that is not in compliance with the terms of this Agreement, as well as any Security Incident and any actual or suspected Breach, of which it becomes aware, without unreasonable delay, and in no event later than seventy-two (72) hours after such discovery. Security Incidents and Breaches shall be treated as discovered by Subcontractor as of the first day on which such Security Incident or Breach is known to Subcontractor or, by exercising reasonable diligence, would have been known to Subcontractor. Notification to Business Associate shall contain the elements required by 45 C.F.R. § 164.410. In addition, Subcontractor agrees to mitigate, to the extent practicable, any harmful effect that is known to Subcontractor of a use or disclosure of Protected Health Information by Subcontractor in violation of the requirements of this Agreement, as well as to provide complete cooperation to Business Associate should Business Associate elect to review or investigate such noncompliance or Security Incident; provided, however, that with respect to unsuccessful Security Incidents that result in no unauthorized access, use, or disclosure of Protected Health Information (such as attempted pings, port scans, or failed login attempts), Subcontractor may provide summary notification of such incidents on a quarterly basis in lieu of individual incident-by-incident reporting, consistent with guidance published by the Department of Health and Human Services.
5.9.
Breach Cooperation and Indemnification. Subcontractor shall cooperate in Business Associate's breach analysis and/or risk assessment, if requested. Furthermore, Subcontractor shall cooperate with Business Associate in the event that Business Associate or the Upstream Covered Entity determines that any third parties must be notified of a Breach, provided that Subcontractor shall not provide any such notification except at the direction of Business Associate. Subcontractor shall indemnify and hold harmless Business Associate for any injury or damages arising from any noncompliance with this Agreement or any Security Incident or Breach attributable to the negligence of Subcontractor, including the failure to execute the terms of this Agreement.
6. AVAILABILITY OF PHI
6.1.
Subcontractor shall not be responsible for responding directly to any Individual or Covered Entity request under 45 C.F.R. §§ 164.524–164.528. If Subcontractor receives any such request directly, Subcontractor shall promptly forward the request to Business Associate and shall respond only as directed by Business Associate.
6.2.
Subcontractor agrees to make available Protected Health Information in a Designated Record Set to Business Associate as requested by Business Associate to enable Business Associate to satisfy its obligations under Section 164.524 of the HIPAA Security and Privacy Rule.
6.3.
Subcontractor agrees to make available Protected Health Information in a Designated Record Set for amendment and to incorporate any amendments to Protected Health Information as directed by Business Associate in accordance with the requirements of Section 164.526 of the HIPAA Security and Privacy Rule.
6.4.
Subcontractor agrees to maintain and make available the information required to provide an accounting of disclosures, as required by Section 164.528 of the HIPAA Security and Privacy Rule and as requested by Business Associate to enable Business Associate to satisfy its obligations to Upstream Covered Entities.
6.5.
Subcontractor agrees to comply with any requests for restriction on certain disclosures of Protected Health Information pursuant to Section 164.522 of the HIPAA Security and Privacy Rule to which the Upstream Covered Entity has agreed and of which Subcontractor is notified by Business Associate.
6.6.
In the event an Individual makes a request under this Section 6 directly to Subcontractor, Subcontractor will notify Business Associate in writing of such request within one (1) business day and shall cooperate with, and act only at the direction of, Business Associate in responding to such request.
7. LIMITATION OF LIABILITY AND INDEMNIFICATION
7.1.
Liability Cap. Subcontractor's aggregate liability for all claims arising under this Agreement, the Master Terms of Service, or any other agreement between the Parties shall be limited to the lesser of: (a) one and one-half (1.5) times the total fees paid by Business Associate to Subcontractor in the twelve (12) months preceding the first incident giving rise to liability; or (b) Four Million United States Dollars (USD $4,000,000) (the "Enhanced Cap"). The Enhanced Cap is a single aggregate cap that applies to all claim types, including but not limited to claims arising from breaches of Protected Health Information, Security Incidents, indemnification obligations, regulatory fines and penalties, and data breaches, whether arising under this Agreement, the Master Terms of Service, or any combination thereof. Business Associate may not recover more than the Enhanced Cap in total, regardless of the number of claims asserted or the agreement(s) under which such claims arise. Once the Enhanced Cap is exhausted through payment of any claims under this Agreement or the Master Terms of Service, Subcontractor shall have no further liability to Business Associate for any subsequent claims.
7.2.
Mutual Indemnification. Each Party agrees to indemnify and hold harmless the other Party from and against any losses, damages, costs, and expenses (including reasonable attorney fees) arising from:
7.2.1.
Such Party's material breach of this Agreement;
7.2.2.
Such Party's gross negligence or wilful misconduct;
7.2.3.
Such Party's violation of applicable law in connection with the performance of its obligations hereunder.
7.3.
HIPAA Compliance Indemnification. Subject to the aggregate Enhanced Cap set forth in Section 7.1, Subcontractor agrees to indemnify and hold harmless Business Associate from any regulatory penalties, fines, or sanctions imposed by governmental authorities arising from Subcontractor's non-compliance with HIPAA or this Agreement, to the extent such penalties, fines, or sanctions are directly attributable to Subcontractor's breach of its obligations hereunder. Any amounts paid under this Section 7.3 shall reduce the available Enhanced Cap on a dollar-for-dollar basis.
8. TERMINATION
8.1.
This Agreement shall be effective as of the date first set forth above and shall terminate upon the earlier of:
8.1.1.
The termination of the Master Terms of Service between the parties;
8.1.2.
The termination by Business Associate for cause as provided herein;
8.1.3.
The termination of Business Associate's relationship with all Upstream Covered Entities.
8.2.
Termination for Cause. Notwithstanding anything in this Agreement to the contrary, Business Associate shall have the right to terminate this Agreement immediately if Business Associate determines that Subcontractor has violated any material term of this Agreement. If Business Associate reasonably believes that Subcontractor will violate a material term of this Agreement and, where practicable, Business Associate gives written notice to Subcontractor of such belief within a reasonable time after forming such belief, and Subcontractor fails to provide adequate written assurances to Business Associate that it will not breach the cited term of this Agreement within a reasonable period of time given the specific circumstances, but in any event, before the threatened breach is to occur, then Business Associate shall have the right to terminate this Agreement immediately.
8.3.
Effect of Termination. Upon termination of this Agreement, the obligations set forth in Section 5.3 (Data Retention and Return) shall immediately apply, and all other provisions of this Agreement shall survive termination to the extent necessary to ensure continued protection of Protected Health Information and compliance with HIPAA requirements. Notwithstanding anything to the contrary in this Agreement, Subcontractor's obligations with respect to Protected Health Information under this Agreement are independent of and shall survive any termination, expiration, suspension, or modification of the Master Terms of Service, and no such change shall limit or reduce Subcontractor's obligations regarding Protected Health Information.
9. MISCELLANEOUS
9.1.
Third Party Rights. Except as expressly stated herein or in the HIPAA Security and Privacy Rule, the parties to this Agreement do not intend to create any rights in any third parties. The obligations of Subcontractor under this Agreement shall survive the expiration, termination, or cancellation of this Agreement and/or the Parties' business relationship, and shall continue to bind Subcontractor, its agents, employees, contractors, successors, and assigns as set forth herein.
9.2.
Amendment and Assignment. Corti may update or modify this Agreement from time to time by posting updated terms at the URL where this Agreement is published. Corti will provide Business Associate with at least thirty (30) days' prior written notice of any material changes. Business Associate's continued use of the Platform or continued submission of Protected Health Information to the Platform after the effective date of any update constitutes acceptance of the updated Agreement; provided, however, that any amendment that would materially and adversely expand Subcontractor's permitted uses of Protected Health Information shall require Business Associate's affirmative written consent. Neither Party may assign its respective rights and obligations under this Agreement without the prior written consent of the other Party, except that Corti may assign this Agreement to an Affiliate or in connection with a merger, acquisition, or sale of all or substantially all of its business without such consent. None of the provisions of this Agreement are intended to create, nor will they be deemed to create any relationship between the Parties other than that of independent parties contracting with each other solely for the purposes of effecting the provisions of this Agreement and the Master Terms of Service.
9.3.
Governing Law. This Agreement will be governed by the laws of the State of Delaware, without regard to conflict of law principles.
9.4.
Relationship to Other Agreements. The parties agree that, in the event that the Master Terms of Service or any other documentation of the arrangement pursuant to which Subcontractor provides services to Business Associate contains provisions relating to the use or disclosure of Protected Health Information that are more restrictive than the provisions of this Agreement, the more restrictive provisions will control. The provisions of this Agreement are intended to establish the minimum requirements regarding Subcontractor's use and disclosure of Protected Health Information.
9.5.
Severability and HIPAA Compliance. In the event that any provision of this Agreement is held by a court of competent jurisdiction to be invalid or unenforceable, the remainder of the provisions of this Agreement will remain in full force and effect. In addition, in the event a party believes in good faith that any provision of this Agreement fails to comply with the then-current requirements of the HIPAA Security and Privacy Rule, such party shall notify the other party in writing. For a period up to thirty days, the parties shall address in good faith such concern and amend the terms of this Agreement as necessary to bring it into compliance. If, after such thirty-day period, a party believes in good faith that the Agreement fails to comply with the HIPAA Security and Privacy Rule, then either party has the right to terminate upon written notice to the other party.
9.6.
Priority Over Master Terms. In the event of any conflict between this Agreement and the Master Terms of Service with respect to the use, disclosure, or protection of Protected Health Information, this Agreement shall control.
9.7.
Aggregate Liability Cap Across All Agreements. Notwithstanding Section 9.6 or any other provision in this Agreement or the Master Terms of Service, the Enhanced Cap set forth in Section 7.1 represents the maximum aggregate liability of Subcontractor to Business Associate for all claims under all agreements between the Parties. Once the Enhanced Cap is reached through payment of claims under this Agreement, the Master Terms of Service, or any combination thereof, Subcontractor shall have no further liability to Business Associate regardless of the agreement under which any subsequent claim is asserted.
SUBCONTRACTOR ACKNOWLEDGMENT
Subcontractor has no direct obligations to Covered Entities or Individuals under HIPAA and shall act solely at the direction of Business Associate with respect to PHI.