Business Associate Agreement

This Business Associate Agreement (“BAA”) supplements the agreement signed by and between STACKONE TECHNOLOGIES LIMITED, a company incorporated in England and Wales under company number 14684360 and having its registered offices at Camburgh House, 27 New Dover Road, Canterbury, Kent, United Kingdom, CT1 3DN (“StackOne”) and the Customer, defined in the (“Agreement”) and is incorporated by reference.

This BAA contains terms to ensure the appropriate safeguarding of Protected Health Information (“PHI”) that may be processed by StackOne in the delivery of the Service for the Purpose pursuant to the Agreement, as required. Any terms not defined in this BAA shall have the meaning set forth in the Agreement. Except as modified below, this BAA automatically expires upon deletion of all PHI as described herein. StackOne reserves the right to modify or update this BAA in its sole discretion. Customer’s acceptance of such modifications and/or updates shall be indicated by Customer’s continued use of the Service and shall be effective immediately.

The parties may maintain, transmit, create or receive data that constitutes PHI to perform tasks on behalf of Covered Entity and/or Business Associate as applicable pursuant to the terms of this BAA.

This BAA will take effect as of the Effective Date of the Agreement, between Customer and StackOne and shall apply where StackOne processes PHI.


1. Definitions

1.1 The following terms used in this Agreement shall have the same meaning as those terms in the HIPAA Rules: Breach, Data Aggregation, Designated Record Set, Disclosure, Health Care Operations, Individual, Minimum Necessary, Notice of Privacy Practices, Protected Health Information, Required By Law, Secretary, Security Incident, Subcontractor, Unsecured Protected Health Information, and Use.

1.2 The following expressions are also used in this BAA:

(a) “Business Associate” shall generally have the same meaning as the term “business associate” at 45 CFR 160.103, and in reference to the party to this agreement, shall mean the relevant party outlined in clause 2.1, depending on whether Customer PHI or End Customer PHI is being processed.

(b) “Covered Entity” shall generally have the same meaning as the term “covered entity” at 45 CFR 160.103, and in reference to the party to this agreement, shall mean the relevant party outlined in clause 2.1, depending on whether Customer PHI or End Customer PHI is being processed.

(c) “HIPAA Regulations” shall include Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the Health Information Technology for Economic and Clinical Health Act (“HITECH”) and the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Part 160 and Part 164 (“HIPAA Rules”).

2. Status of the parties

2.1 In respect of the parties' rights and obligations under this BAA regarding PHI, the parties hereby acknowledge and agree that (a) for Customer PHI, Customer is the Covered Entity and StackOne is the Business Associate and accordingly, (b) for End Customer PHI, End Customer is the Covered Entity, Customer is the Business Associate and StackOne is the Subcontractor. For the avoidance of doubt Partner(s) will be a Business Associate of End Customer PHI and StackOne may be a Subcontractor to Partner.

3. Obligations and Activities

3.1 The parties will comply with the applicable obligations of the HIPAA Regulations and pursuant to this BAA, including where a Subcontractor handles PHI on behalf of Business Associate, such Subcontractor will comply with the terms and conditions of this BAA that apply to Business Associate.


3.2 Business Associate and, where applicable, Subcontractor agrees:

(a) not to use or disclose PHI other than as permitted or required by this BAA or as required by the HIPAA Regulations or otherwise by law;

(b) to use and maintain appropriate safeguards, and comply with HIPAA Rules with respect to electronic PHI, to prevent use or disclosure of PHI other than as provided for by this BAA;

(c) to report to Covered Entity any use or disclosure of PHI not provided for by the Agreement of which it becomes aware, including breaches of unsecured PHI as required by HIPAA Rules, and any security incident of which it becomes aware as soon as reasonably possible;

(d) in accordance with HIPAA Rules, if applicable, to ensure that any Subcontractors that create, receive, maintain, or transmit PHI on behalf of the Business Associate agree to the same restrictions, conditions, and requirements that apply to the Business Associate with respect to such information;

(e) to make available PHI in a designated record set to the Covered Entity as reasonably necessary to satisfy Covered Entity’s obligations under HIPAA Rules as soon as reasonably possible from receipt of a request by Covered Entity;

(f) to make any amendment(s) to PHI in a designated record set as directed or agreed to by the Covered Entity pursuant to HIPAA Rules, or take other measures as reasonably necessary to satisfy Covered Entity’s obligations under HIPAA Rules as soon as reasonably possible from receipt of a request by Covered Entity;

(g) to maintain and make available the information required to provide an accounting of disclosures to the Covered Entity as reasonably necessary to satisfy Covered Entity’s obligations under HIPAA Rules as soon as reasonably possible;

(h) to the extent the Business Associate is to carry out one or more of Covered Entity's obligation(s) under HIPAA Rules, to comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation(s); and

(i) to make its internal practices, books, and records available to the Secretary for purposes of determining compliance with the HIPAA Rules as soon as reasonably possible from a request for such disclosure.

4. Permitted Uses and Disclosures

4.1 Business Associate, or Subcontractor, where applicable, may only use or disclose protected health information as follows:

4.2 a party may use and disclose PHI only as permitted or required by this BAA or as required by law.

4.3 Where a Covered Entity provides notice to a party of a reasonable restriction that would limit its use or disclosure of PHI, Business Associate will promptly notify Subcontractor of such restriction; and each party will use commercially reasonable efforts to comply with the restriction as applicable.

4.4 Business Associate may not use or disclose PHI in a manner that would violate Subpart E of 45 CFR Part 164 if done by Covered Entity save for the specific uses and disclosures set forth in this BAA.

4.5 Business Associate may use PHI for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate.

4.6 Business Associate may disclose PHI for the proper management and administration of Business Associate or to carry out the legal responsibilities of the Business Associate, provided the disclosures are required by law, or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that the information will remain confidential and used or further disclosed only as required by law or for the purposes for which it was disclosed to the person, and the person notifies Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached;

4.7 use and disclose PHI to report violations of law to appropriate Federal and State authorities;

4.8 aggregate the PHI in its possession with the PHI of other covered entities that it has in its possession through its Role to other covered entities, provided that such aggregation conforms to the requirements of the HIPAA Regulations; and

4.9 use PHI to create de-identified information, and use such de-identified information for its own purposes, provided that the de-identification and use thereof conforms to the requirements of the HIPAA Regulations.


5. Responsibilities of the Business Associate with Subcontractor.

If applicable, for the use and/or disclosure of PHI by Subcontractor, Business Associate agrees:

(a) that in the event that there are any changes in the notice of privacy practices (“Notice”) that Business Associate provides, directly or indirectly, to individuals pursuant to the HIPAA Regulations, that affect Subcontractor’s use or disclosure of PHI, it will inform Subcontractor and provide to Subcontractor, upon request, a copy of the Notice currently in use;

(b) Business Associate will notify Subcontractor of any changes or revocations of authorizations provided by individuals under HIPAA Regulations, as long as it pertains to the Service being provided under the Agreement.

(c) If any individual exercises opt-outs from fundraising activities by Business Associate under HIPAA Regulations, Business Associate will inform Subcontractor to the extent that it is relevant to the Service being provided under the Agreement.

(d) Business Associate will promptly notify Subcontractor in writing if any arrangements permitted or required by HIPAA Regulations, including any agreed-upon restrictions regarding the use and disclosure of PHI, may affect the use and/or disclosure of PHI required by Subcontractor under this BAA.

6. Provisions for Covered Entity to Inform Business Associate of Privacy Practices and Restrictions

6.1 Covered Entity shall:

(a) notify Business Associate of any limitation(s) in the notice of privacy practices of Covered Entity under HIPAA Rules, to the extent that such limitation may affect Business Associate’s use or disclosure of PHI;

(b) notify Business Associate of any changes in, or revocation of, the permission by an individual to use or disclose his or her PHI, to the extent that such changes may affect Business Associate’s use or disclosure of PHI; and

(c) notify Business Associate of any restriction on the use or disclosure of PHI that Covered Entity has agreed to or is required to abide by under HIPAA Rules, to the extent that such restriction may affect Business Associate’s use or disclosure of PHI.

7. Permissible Requests by Covered Entity

7.1 Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under HIPAA Regulations if done by Covered Entity, save where permitted under clause 4 of this BAA.


8. HIPAA Standard Transactions.

8.1 Business Associate and Subcontractor will ensure that they, as well as any agents or contractors (including subcontractors) involved in standard transactions, comply with all relevant HIPAA Regulations. This compliance will be enforced through written contracts with each agent or contractor.

8.2 Business Associate and Subcontractor both agree not to engage in any trading partner agreement that would alter the standard transaction process for or on behalf of Covered Entity. This includes any modifications to the definition, data condition, or use of a data element or segment, adding additional data elements or segments to the maximum defined data set, using any code or data element marked "not used" or not included in the standard transaction's implementation specification, or altering the intended meaning of the implementation specification. Both parties also agree to comply with any testing modifications made by Covered Entity in accordance with HIPAA regulations.

9. Term and Termination

9.1 Term. The Term of this Agreement shall be effective as of the Effective Date of the Agreement, and shall terminate in accordance with the Agreement or on the date Covered Entity terminates for cause as authorized in paragraph (b) of this Section, whichever is sooner.

9.2 Termination for Cause. Business Associate authorizes termination of this Agreement by Covered Entity, if Covered Entity determines Business Associate is in material breach of this BAA and Business Associate has not cured the breach or ended the violation within 30 days of being notified by the Covered Entity of such breach.

9.3 Obligations of Business Associate Upon Termination. Upon termination of this Agreement for any reason, Business Associate, with respect to PHI received from Covered Entity, or created, maintained, or received by Business Associate on behalf of Covered Entity, shall:

  1. retain only that PHI which is necessary for Business Associate to continue its proper management and administration or to carry out its legal responsibilities;
  2. return to Covered Entity or, if agreed to by Covered Entity, destroy the remaining PHI that the Business Associate still maintains in any form;
  3. continue to use appropriate safeguards and comply with HIPAA Rules with respect to electronic PHI to prevent use or disclosure of the PHI, other than as provided for in this Section, for as long as Business Associate retains the PHI;
  4. not use or disclose the PHI retained by Business Associate other than for the purposes for which such PHI was retained and subject to the same conditions set out in this BAA which applied prior to termination; and
  5. return to Covered Entity or, if agreed to by Covered Entity, destroy the PHI retained by Business Associate when it is no longer needed by Business Associate for its proper management and administration or to carry out its legal responsibilities.

(d) Survival. The obligations of Business Associate under this Section shall survive the termination of this Agreement.

10. Limitation of Liability.

10.1 This BAA is subject to the limitations on liability set forth in the Agreement.

11. Miscellaneous.

11.1 If Business Associate is acting as a Business Associate under HIPAA regulations, it will be subject to the penalties outlined in HITECH. If there are any final regulations or amendments to regulations regarding PHI, this BAA will automatically be updated to ensure compliance with such regulations. Any confusion or uncertainty in this agreement should be interpreted in a way that allows compliance with HIPAA Rules. In the event that any term or condition in this BAA conflicts with the Services Agreement or DPA, the terms of this BAA will take precedence.
