BUSINESS ASSOCIATE AGREEMENT

Effective as of: April 21, 2024

1. SERVICE.

Ovation.io, Inc. (Ovation or Business Associate) owns and operates the websites *.ovation.io, and *.labtests.io (collectively, the Site), Platform and Service (each as defined in the Terms of Service), which are accessed and used by its Customers and their Users to (among other things) organize, track and share clinical data.

The following business associate agreement (BAA) explains Ovation's obligations as a "business associate" under the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations, including the Standards for the Privacy of Individually Identifiable Health Information (Privacy Rule) (45 CFR Part 160 and Subparts A and E of Part 164) and the Security Standards for the Protection of Electronic Protected Health Information (Security Rule) (45 CFR Part 160 and Subparts A and C of Part 164), and the Health Information Technology for Economic and Clinical Health Act (Title XIII, Subtitle D) and its implementing regulations (HITECH) (together HIPAA), if applicable. This BAA supplements the other terms and conditions that apply between Customer and Ovation, which are set forth in the Terms of Service.

This BAA is intended to ensure that Business Associate and Customer will establish and implement appropriate safeguards where Business Associate may receive, create, maintain, use or disclose electronic or other "protected health information" as such term is defined under HIPAA (PHI), provided PHI is understood to mean only the PHI that Business Associate creates, receives, maintains or transmits in connection with the functions, activities and services that Business Associate performs on behalf of Customer solely to perform its duties and responsibilities under the Services Agreement (as defined below) (the Services). Capitalized terms used in this BAA and not otherwise defined herein will have the meaning given to them in HIPAA.

2. APPLICABILITY.

Customer and Business Associate agree that this BAA applies solely with respect to PHI that Business Associate creates, receives, accesses, uses, maintains or discloses in connection with performing the Services; it does not apply to other information, including information that would meet the definition of PHI, that Business Associate may create, receive, access, use, maintain or disclose outside of performing the Services.

3. DEFINITIONS.

Analytics means statistics, metrics, abstractions, rules, or models, collections, combinations and other analyses that are based on or derived from the Services or Service Data (including without limitation, measurements of Service usage and performance), which are developed in a manner that does not disclose the identity of Customer, any User or any individual identified in the Service Data and that does not disclose any Service Data except in aggregated form (combined with other data, results or measurements) or, in the case of PHI, in a de-identified form (in accordance with 45 CFR §164.514(a)-(c)).

Individual shall have the same meaning as the term "individual" in 45 CFR §160.103 and shall include a person who qualifies as a personal representative in accordance with 45 CFR §164.502(g).

Required By Law shall have the same meaning as the term "required by law" in 45 CFR §164.103.

Services Agreement shall mean the Order Form between Ovation and Customer, taken together with the Terms of Service.

User means each of the named individuals who is specifically identified by Customer for onboarding and use of the Services under Customer's Account.

Capitalized terms used but not defined herein have the meanings assigned to them in the Terms of Service or HIPAA, as the case may be.

4. PERMITTED AND REQUIRED USES AND DISCLOSURES.

a. Service Offerings. Business Associate may use or disclose PHI in connection with the performance of the Services if such use or disclosure of PHI would not violate HIPAA if done by Customer or if such use or disclosure is expressly permitted under this BAA or the Services Agreement.

b. Administration and Management of Services. Business Associate may use or disclose PHI received by Business Associate in its capacity as "business associate" of Customer for the proper management and administration of Business Associate. Any such disclosure of PHI shall only be made if Business Associate obtains reasonable assurances from the person to whom the PHI is disclosed that: (1) the PHI will be held confidentially and used or further disclosed only as required by law or for the purpose for which it was disclosed to the person; (2) Business Associate will be notified by such person of any instances of which it becomes aware in which the confidentiality of the PHI has been breached; and (3) the person will provide Business Associate appropriate notice and opportunity to object before disclosing PHI on the basis that such disclosure is required by law.

c. Disclosures Required By Law. Business Associate may only use or disclose PHI on the basis that such disclosure is required by law after notifying Customer's Privacy Officer or his/her designee to allow an opportunity to object to the disclosure and to seek appropriate relief. If Customer objects to such disclosure, Business Associate shall, to the extent legally permitted, refrain from disclosing the PHI until Customer has exhausted all alternatives for relief. However, if Business Associate is unable to notify Customer for reasons beyond Business Associate's control, Business Associate may disclose PHI on the basis that such disclosure is required by law so long as Business Associate provides immediate notice to Customer's Privacy Officer or his/her designee following the disclosure.

d. Disclosure to Subcontractors. Business Associate shall ensure that any subcontractors that create, receive, maintain or transmit PHI on behalf of Business Associate agree, in a writing that complies with the requirements of 45 CFR §164.504(e)(2) through (e)(4), to be bound by the same restrictions and conditions that apply to Business Associate under this BAA with respect to such PHI, including, without limitation, implementing reasonable and appropriate safeguards to protect it.

e. Data Aggregation. To the extent permitted by the Services Agreement, or as otherwise expressly agreed to in writing by Customer, Business Associate may use and disclose PHI for data aggregation purposes, however, only in order to analyze data for permitted health care operations of Customer, and only to the extent that such use is permitted under HIPAA.

f. De-identification. Business Associate may de-identify PHI, such that any resulting information does not disclose any individually identifiable information, except in de-identified (in accordance with 45 CFR § 164.514(a)-(c)) or aggregated form (combined with other data, results or measurements). Business Associate shall own all rights, title and interests in and to any such de-identified PHI.

5. OBLIGATIONS OF BUSINESS ASSOCIATE.

a. Limit on Uses and Disclosures. Business Associate will use and disclose PHI only as permitted by this BAA or as Required By Law.

b. Safeguards. Business Associate will use reasonable and appropriate safeguards to prevent Use or Disclosure of PHI other than as provided for by this BAA, consistent with the requirements of Subpart C of 45 CFR Part 164 (with respect to Electronic PHI) as determined by Business Associate.

c. Reporting of Impermissible Uses and Disclosures. Business Associate will report to Customer any Use or Disclosure of PHI not permitted or required by this BAA of which Business Associate becomes aware.

d. Reporting of Security Incidents. Business Associate will report to Customer no less than fourteen (14) business days from the date Business Associate becomes aware of any Security Incidents involving PHI in which there is a successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an Information System in a manner that risks the confidentiality, integrity, or availability of such information. Notice is hereby deemed provided, and no further notice will be provided, for unsuccessful attempts at such unauthorized access, use, disclosure, modification, or destruction, such as pings and other broadcast attacks on a firewall, denial of service attacks, port scans, unsuccessful login attempts, or interception of encrypted information where the key is not compromised, or any combination of the above.

e. Reporting of Breaches. Business Associate will report to Customer any Breach of Customer's Unsecured PHI that Business Associate may discover to the extent required by 45 CFR §164.410. Business Associate will make such report without unreasonable delay, and in no case later than ten (10) days after discovery by Business Associate of such Breach. Business Associate undertakes no obligation to report network security related incidents which occur on its managed network but do not directly involve Customer's use of the Services.

f. Accounting of Disclosures. To the extent applicable, Business Associate will make available to Customer the information required to provide an accounting of Disclosures in accordance with 45 CFR §§164.524, 164.526 and 164.528 of which Business Associate is aware, if requested by Customer.

g. Internal Records. Business Associate will make its internal practices, books, and records relating to the Use and Disclosure of PHI available to the Secretary of the U.S. Department of Health and Human Services for purposes of determining Customer compliance with HIPAA. Nothing in this section will waive any applicable privilege or protection, including with respect to trade secrets and confidential commercial information.

6. CUSTOMER'S OBLIGATIONS.

a. Appropriate Use of HIPAA Accounts. At all times, Customer will comply with the Privacy Rules, Security Rules and other applicable laws and regulations. By way of illustration and not limitation, Customer is responsible for implementing appropriate privacy and security safeguards in order to protect PHI in compliance with HIPAA and this BAA and Customer shall not include PHI in any Services that are not or cannot be HIPAA compliant.

b. Necessary Consents. Customer warrants that it has obtained all necessary authorizations, consents, and other permissions from the Individuals (or their personal representatives), in the form and to the extent required by the Privacy Rules, that may be required under applicable law for Business Associate to use and disclose their PHI in the manner and for the purposes described in this BAA and the Services Agreement. Customer will promptly notify Business Associate of any changes in, or withdrawal of, such written permission provided to Customer by Individuals or their personal representatives, including without limitation revocations of authorizations pursuant to 45 CFR §164.508. Customer will also promptly notify Business Associate of any restrictions to the use and disclosure of PHI that Customer has agreed to in accordance with 45 CFR §164.522, to the extent that such restrictions affect Business Associate's use or disclosure of PHI. If Customer notifies Business Associate that Customer has agreed to be bound by additional restrictions on the uses or disclosures of PHI pursuant to HIPAA, Business Associate and Customer shall mutually agree on the extent to which Business Associate will be bound by such additional restrictions and Business Associate shall not use or disclose PHI in violation of such additional mutually agreed upon restrictions. Customer shall not agree to any request for restrictions or place any restrictions in any notice of its privacy practices that would cause Business Associate to violate this BAA, the Services Agreement, or any applicable law.

c. Restrictions on Disclosures. Customer shall not agree to any request for restrictions or place any restrictions in any notice of its privacy practices that would cause Business Associate to violate this BAA, the Services Agreement or any applicable law.

d. Compliance with HIPAA. Customer shall not request or cause Business Associate to make a Use or Disclosure of PHI in a manner that does not comply with this BAA, the Services Agreement, HIPAA or any other applicable law.

e. Privacy Practices. Customer will provide Business Associate with a copy of the notice of privacy practices that it provides to Individuals (or their personal representatives) who are the subject of the PHI.

f. Identity of Users. The Services include means by which Customer's Users may be permitted to import, export, review and exchange PHI. Therefore, Customer shall implement and comply with reasonable policies and methods to confirm and verify the actual identity of Users that will be registered to access and use the Services under its Account.

7. TERM AND TERMINATION.

a. Term. The term of this BAA will commence on the BAA Effective Date and will remain in effect until the termination of the Services Agreement, except that Section 7(a)-(b) shall survive the termination of the Services Agreement as set forth below in Section 8. Customer may terminate this BAA if Business Associate has violated a material term of this BAA, provided, however, that Customer shall provide Business Associate notice of such violation and a reasonable opportunity to cure the violation.

Customer will remain bound by this BAA for so long as Customer uses or is a user of the Services.

b. Effect of Termination. Customer is solely responsible for retrieving PHI from the Services. Customer may retrieve PHI from the Services at any time the Services Agreement is in effect and for 30 days following the termination of the Services Agreement or this BAA for any reason ("Retrieval Period"). Business Associate will delete all PHI from the Services upon expiration of the Retrieval Period.

Notwithstanding the foregoing, if the return or destruction of such PHI is not feasible, Business Associate will extend the protections of this BAA to the PHI, limit further uses and disclosures to those purposes that make the return of the PHI infeasible, and make no further use or disclosure of PHI. Business Associate will remain bound by the provisions of this BAA, even after the Termination Date, until such time as all of the PHI has been retrieved or otherwise destroyed as provided in this Section 7(b).

8. MISCELLANEOUS.

a. Amendment. Customer and Business Associate agree to take such action as is reasonably necessary to amend this BAA from time to time as is necessary for either party to comply with the requirements of the Privacy Rule and related laws and regulations.

b. Survival. Customer's and Business Associate's respective rights and obligations under Sections 4(e)-(f) and 7(a)-(b) of this BAA shall survive the termination of the Services Agreement.

c. Interpretation. Any ambiguity in the Services Agreement shall be resolved to permit Business Associate and the Customer to comply with HIPAA and the Privacy Rule.

d. Entire Agreement. This BAA constitutes the entire agreement, and supersedes all prior negotiations, understandings or agreements (oral or written), between the parties regarding the subject matter hereof. All notices under this BAA will be in writing and delivered to the parties at their respective addresses as provided in the Services Agreement. Neither party shall be liable for any delay or failure in performing its obligations hereunder that arises out of any cause, condition or circumstance beyond its reasonable control. Nothing in this BAA confers upon any person other than the parties (and their respective successors and permitted assigns) any rights, remedies, obligations or liabilities whatsoever.