Overjet BAA
This Overjet Agreement (this “BAA”) is entered into by and between Overjet, Inc. and its affiliates (“Overjet”) and you (“Customer”), and is effective as of the Effective Date of the Master Services Agreement executed by Overjet and Customer (the “MSA”). Capitalized terms used but not defined in this BAA have the meanings ascribed to such terms in the MSA or HIPAA, which definitions are incorporated in this BAA by reference.
RECITALS
(A) Overjet is providing certain covered services to Customer as stated in the MSA or an applicable order form (“Covered Services”), and Customer wishes to disclose certain information to Overjet pursuant to the terms of such MSA, some of which may constitute PHI under the Health Insurance Portability and Accountability Act of 1996, as amended by the Health Information Technology for Economic and Clinical Health Act, and their implementing and amending regulations (“HIPAA”), and the Privacy Rule, Security Rule, Enforcement Rule and Breach Notification Rule set forth at 45 C.F.R. Parts 160 and 164 (jointly, the “HIPAA Rules”) promulgated thereunder.
(B) The purpose of this BAA is to satisfy certain standards and requirements of HIPAA and the HIPAA Rules, including, but not limited to, Title 45, §§ 164.314(a)(2)(i), 164.502(e) and 164.504(e) of the Code of Federal Regulations (“C.F.R.”).
In consideration of the mutual covenants and promises set forth herein, and for other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the Parties hereto agree as follows:
SECTION 1. DEFINITIONS
“Breach” has the definition given to it under HIPAA. A Breach will not include an acquisition, access, use, or disclosure of PHI for which Overjet has determined, in accordance with 45 C.F.R. § 164.402, that there is a low probability that the PHI has been compromised.
“Protected Health Information” or “PHI” shall have the same meaning given to such term in 45 C.F.R. § 160.103, as applied to the information created, received, maintained or transmitted by Overjet from or on behalf of Customer.
“Security Breach” means any Breach of Unsecured PHI or Security Incident that Overjet becomes aware of.
“Unsuccessful Security Incident” shall mean pings and other broadcast attacks on a firewall, port scans, unsuccessful log-on attempts, denials of service, or other similar attempted but unsuccessful Security Incident, or a combination thereof, so long as no such incident results in unauthorized access, use or disclosure of PHI.
SECTION 2. PERMITTED USES AND DISCLOSURES OF PHI
Applicability. This BAA applies to Covered Services to the extent Customer is acting as a “Covered Entity” or “Business Associate” under HIPAA to create, receive, maintain, or transmit PHI via a Covered Service and to the extent Overjet, as a result, is deemed to be acting as a Business Associate or Subcontractor of a Business Associate under HIPAA. Customer agrees that it will not make PHI available to Overjet personnel outside of the Covered Services.
Uses and Disclosures of PHI Pursuant to the MSA. Overjet shall not use or disclose PHI other than as (i) permitted herein or the MSA, (ii) required to provide Covered Services to the Customer, or (iii) as required by HIPAA. To the extent Overjet is carrying out any of Customer’s obligations under the Privacy Rule pursuant to the terms of the MSA or this BAA, Overjet shall comply with the requirements of the Privacy Rule that apply to Customer in the performance of such obligation(s).
Permitted Uses of PHI by Overjet. Except as otherwise limited in this BAA, Overjet may use PHI for the proper management and administration of Overjet, including care coordination, and maintaining legal records of Overjet.
Permitted Disclosures of PHI by Overjet. Overjet may use and disclose PHI for the proper management and administration of Overjet and to carry out its legal responsibilities, provided that any disclosure of PHI for such purposes may only occur if (i) required by applicable law, or (ii) Overjet obtains written reasonable assurances from the recipient to which PHI will be disclosed that it will be held in confidence, used only for the purpose for which it was disclosed, and that Overjet will be notified of any Security Breach reportable to Customer.
Data Aggregation. Except as otherwise limited in this BAA, Overjet may use PHI to provide Data Aggregation services as permitted by 45 C.F.R. § 164.504(e)(2)(i)(B).
De-identified Data. Overjet may de-identify PHI in accordance with the standards set forth in 45 C.F.R. § 164.514(b) and may use or disclose such de-identified data to train Overjet’s AI/ML algorithms or for other internal uses to improve Overjet’s products and services.
SECTION 3. OBLIGATIONS OF OVERJET
Appropriate Safeguards. Overjet shall use appropriate safeguards and shall comply with the Security Rule with respect to Electronic PHI, to prevent use or disclosure of such information other than as provided for by the MSA and this BAA.
Reporting of Improper Use or Disclosure, Security Incident or Breach. Overjet shall report to Customer any Security Breach of which it becomes aware, without unreasonable delay, and in any event no more than five (5) business days following discovery; provided, however, that the Parties acknowledge and agree that this Section constitutes notice by Overjet to Customer of the ongoing existence and occurrence of Unsuccessful Security Incidents. Overjet agrees to mitigate, to the extent commercially practicable, any harmful effects of a Security Breach caused by Overjet.
Overjet’s Agents. In accordance with 45 C.F.R. § 164.502(e)(1)(ii) and 45 C.F.R. § 164.308(b)(2), as applicable, Overjet shall enter into a written agreement with any agent or subcontractor that creates, receives, maintains, or transmits PHI on behalf of Overjet for services provided to Customer, providing that the subcontractor or agent agrees to substantially the same restrictions and conditions that apply to Overjet through this BAA with respect to such PHI.
Access and Amendment. Customer acknowledges and agrees that Customer is solely responsible for PHI maintained by Customer within its Covered Services, including whether such PHI is maintained in a Designated Record Set. Overjet will make PHI available to Customer so Customer can fulfill its obligations with respect to Individuals’ rights of access and amendment, but will have no other obligations to Customer with respect to Designated Record Sets, including rights of access or amendment of PHI as required by 45 C.F.R. § 164.524 and 45 C.F.R. § 164.526.
Accounting of Disclosures. Overjet will, as and to the extent required of a Business Associate under HIPAA, maintain and, upon request by Customer, provide Customer with the information necessary for Customer to provide an Individual with an accounting of Disclosures as required by 45 C.F.R. § 164.528.
Governmental Access to Records. Overjet shall make its internal practices, books and records relating to the use and disclosure of PHI received from, or created or received by Overjet on behalf of, Customer available to the Secretary for purposes of the Secretary determining Customer’s compliance with the Privacy Rule. Nothing in this Section shall be construed as a waiver of any legal privilege or any protections for trade secrets or confidential commercial information.
Minimum Necessary. Overjet shall request, use and disclose the minimum amount of PHI necessary to accomplish the purpose of the request, use or disclosure, in accordance with 45 C.F.R. § 164.514(d), and any amendments thereto.
SECTION 4. OBLIGATIONS OF CUSTOMER
Configuration. Customer is solely responsible for appropriately configuring and using the Covered Services in accordance with the BAA and the MSA and ensuring that its use of the Covered Services complies with HIPAA.
Notice of Privacy Practices. Customer shall notify Overjet of any limitation(s) in its, or an applicable, Notice of Privacy Practices in accordance with 45 C.F.R. § 164.520, to the extent that such limitation may affect Overjet’s use or disclosure of PHI.
Notification of Changes Regarding Individual Permission. Customer shall obtain any consent or authorization that may be required by the Privacy Rule, or applicable state law, prior to furnishing Overjet with PHI. Customer shall notify Overjet of any changes in, or revocation of, permission by an Individual to use or disclose PHI, to the extent that such changes may affect Overjet’s use or disclosure of PHI. If there are any changes in, or revocation of, such consents, authorizations, or permissions, Customer is responsible for managing its use of its Covered Services accordingly to update or delete such PHI in accordance with any resulting changes or revocations.
Notification of Restrictions to Use or Disclosure of PHI. Customer shall notify Overjet of any restriction to the use or disclosure of PHI that Customer has agreed to in accordance with 45 C.F.R. § 164.522, to the extent that such restriction may affect Overjet’s use or disclosure of PHI.
Permissible Requests by Customer. Customer shall not request Overjet to use or disclose PHI in any manner that would not be permissible under the HIPAA Rules if done by Customer.
SECTION 5. TERM AND TERMINATION
Term. The term of this BAA shall commence as of the BAA Effective Date, and shall terminate when all of the PHI provided by Customer to Overjet, or created or received by Overjet on behalf of Customer, is destroyed or returned to Customer. If it is infeasible to return or destroy PHI, Overjet shall extend protections to such information in accordance with Section 5.3.
Termination for Cause. Upon either Party’s knowledge of a material breach by the other Party of this BAA, such Party may terminate this BAA immediately if cure is not possible. Otherwise, the non-breaching Party shall provide written notice to the breaching Party detailing the nature of the breach and providing an opportunity to cure the breach within thirty (30) business days. Upon the expiration of such thirty (30) day cure period, the non-breaching Party may terminate this BAA if the breaching Party does not cure the breach or if cure is not possible.
Effect of Termination.
Except as otherwise provided herein, upon termination of the MSA or this BAA for any reason, Overjet shall return or destroy all PHI received from Customer, or created or received by Overjet on behalf of Customer, and shall retain no copies of the PHI; provided, however, that Overjet may maintain copies of PHI for the proper management and administration of Overjet, including care coordination and maintenance of legal records.
If it is infeasible for Overjet to return or destroy the PHI upon termination of the MSA or this BAA, Overjet shall: (a) extend the protections of this BAA to such PHI and (b) limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Overjet maintains such PHI.
SECTION 6. COOPERATION IN INVESTIGATIONS
The Parties acknowledge that certain breaches or violations of this BAA may result in litigation or investigations pursued by federal or state governmental authorities of the United States resulting in civil liability or criminal penalties. Each Party shall cooperate in good faith in all respects with the other Party in connection with any request by a federal or state governmental authority for additional information and documents or any governmental investigation, complaint, action or other inquiry.
SECTION 7. SURVIVAL
The respective rights and obligations of Overjet under Section 5.3 of this BAA shall survive the termination of this BAA and the MSA.
SECTION 8. AMENDMENT
This BAA may be modified, or any rights under it waived, only by a written document executed by the authorized representatives of both Parties. In addition, if any relevant provision of the HIPAA Rules is amended in a manner that changes the obligations of Overjet or Customer that are embodied in terms of this BAA, then the Parties agree to negotiate in good faith appropriate non-financial terms or amendments to this BAA to give effect to such revised obligations.
SECTION 9. EFFECT OF BAA
In the event of any inconsistency between the provisions of this BAA and the MSA, the provisions of this BAA shall control. In the event that a court or regulatory agency with authority over Overjet or Customer interprets the mandatory provisions of the HIPAA Rules, in a way that is inconsistent with the provisions of this BAA, such interpretation shall control. Where provisions of this BAA are different from those mandated in the HIPAA Rules, but are nonetheless permitted by such rules as interpreted by courts or agencies, the provisions of this BAA shall control.
SECTION 10. GENERAL
This BAA is governed by, and shall be construed in accordance with, the laws of the state that govern the MSA. Customer shall not assign this BAA without the prior written consent of Overjet, which shall not be unreasonably withheld. If any part of a provision of this BAA is found illegal or unenforceable, it shall be enforced to the maximum extent permissible, and the legality and enforceability of the remainder of that provision and all other provisions of this BAA shall not be affected. All notices relating to the Parties’ legal rights and remedies under this BAA shall be provided in writing to a Party, shall be sent to its address set forth in the MSA, or to such other address as may be designated by that Party by notice to the sending Party, and shall reference this BAA. Nothing in this BAA shall confer any right, remedy, or obligation upon anyone other than Customer and Overjet. This BAA is the complete and exclusive agreement between the Parties with respect to the subject matter hereof, superseding and replacing all prior agreements, communications, and understandings (written and oral) regarding its subject matter.