If Customer of FortaTech Security, LLC d/b/a Bastion Intelligence is a Covered Entity or a Business Associate and includes Protected Health Information in Customer Data, this HIPAA Business Associate Agreement ("BAA") is incorporated into the Terms of Use agreement ("Agreement") by reference and becomes effective when Customer accepts the Agreement and first submits, uploads, transmits, or otherwise makes Protected Health Information available to the Services. No separate signature, attestation, or in-product designation is required for this BAA to take effect. If there is any conflict between a provision in this BAA and a provision in the Agreement, this BAA will control. With respect to Part 2 Records, the 42 CFR Part 2 and Qualified Service Organization Addendum controls over any conflicting provision of this BAA, as provided in Section 8(a) of that Addendum.
SECTION 01 Definitions
Except as otherwise defined in this BAA, capitalized terms shall have the definitions set forth in HIPAA, and if not defined by HIPAA, such terms shall have the definitions set forth in the Agreement.
- Breach Notification Rule: The Breach Notification for Unsecured Protected Health Information Final Rule.
- Business Associate: Shall have the same meaning as the term "business associate" in 45 CFR § 160.103 of HIPAA.
- Covered Entity: Shall have the same meaning as the term "covered entity" in 45 CFR § 160.103 of HIPAA.
- Customer: The User (as defined in the Terms of Use) that has entered into the Agreement with FortaTech Security, LLC. For purposes of this BAA only, "Customer" also includes Customer's Affiliates that receive Services under the Agreement, to the extent such Affiliates transmit, make available, or otherwise provide Protected Health Information to FortaTech Security, LLC through the Services.
- HIPAA: Collectively means the administrative simplification provisions of the Health Insurance Portability and Accountability Act enacted by the United States Congress, and its implementing regulations, including the Privacy Rule, the Breach Notification Rule, and the Security Rule, as amended from time to time, including by the Health Information Technology for Economic and Clinical Health ("HITECH") Act and by the Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules; Final Rule.
- Privacy Rule: The Standards for Privacy of Individually Identifiable Health Information.
- Protected Health Information: Shall have the same meaning as the term "protected health information" in 45 CFR § 160.103 of HIPAA, provided that it is limited to such protected health information that is received by FortaTech Security, LLC d/b/a Bastion Intelligence from, or created, received, maintained, or transmitted by FortaTech Security, LLC d/b/a Bastion Intelligence on behalf of, Customer through the use of its services.
- Security Rule: The Security Standards for the Protection of Electronic Protected Health Information.
- Subcontractor: Shall have the same meaning as the term "subcontractor" in 45 CFR § 160.103 of HIPAA, and includes any person or entity to whom FortaTech Security, LLC d/b/a Bastion Intelligence delegates a function, activity, or service involving the creation, receipt, maintenance, or transmission of Protected Health Information on behalf of FortaTech Security, LLC d/b/a Bastion Intelligence, other than in the capacity of a member of the workforce of FortaTech Security, LLC d/b/a Bastion Intelligence.
SECTION 02 Permitted Uses and Disclosures of Protected Health Information
a. Performance of the Agreement
Except as otherwise limited in this BAA, FortaTech Security, LLC d/b/a Bastion Intelligence may Use and Disclose Protected Health Information for, or on behalf of, Customer as specified in the Agreement; provided that any such Use or Disclosure would not violate HIPAA if done by Customer, unless expressly permitted under paragraph b of this Section.
b. Management, Administration, and Legal Responsibilities
Except as otherwise limited in this BAA, FortaTech Security, LLC d/b/a Bastion Intelligence may Use and Disclose Protected Health Information for the proper management and administration of FortaTech Security, LLC d/b/a Bastion Intelligence and/or to carry out the legal responsibilities of FortaTech Security, LLC d/b/a Bastion Intelligence, provided that any Disclosure may occur only if:
- Required by Law; or
- FortaTech Security, LLC d/b/a Bastion Intelligence obtains written reasonable assurances from the person to whom the Protected Health Information is Disclosed that it will be held confidentially and Used or further Disclosed only as Required by Law or for the purpose for which it was Disclosed to the person, and the person notifies FortaTech Security, LLC d/b/a Bastion Intelligence of any instances of which it becomes aware in which the confidentiality of the Protected Health Information has been breached.
SECTION 03 Responsibilities of the Parties with Respect to Protected Health Information
a. FortaTech Security, LLC d/b/a Bastion Intelligence's Responsibilities
To the extent FortaTech Security, LLC d/b/a Bastion Intelligence is acting as a Business Associate, FortaTech Security, LLC d/b/a Bastion Intelligence agrees to the following:
(i) Limitations on Use and Disclosure
FortaTech Security, LLC d/b/a Bastion Intelligence shall not Use and/or Disclose the Protected Health Information other than as permitted or required by the Agreement and/or this BAA or as otherwise Required by Law. FortaTech Security, LLC d/b/a Bastion Intelligence shall not disclose, capture, maintain, scan, index, transmit, share or Use Protected Health Information for any activity not authorized under the Agreement and/or this BAA. The Services shall not use Protected Health Information for any advertising, Marketing or similar commercial purpose of FortaTech Security, LLC d/b/a Bastion Intelligence or any third party. FortaTech Security, LLC d/b/a Bastion Intelligence shall not violate the HIPAA prohibition on the sale of Protected Health Information. FortaTech Security, LLC d/b/a Bastion Intelligence shall make reasonable efforts to Use, Disclose, and/or request the minimum necessary Protected Health Information to accomplish the intended purpose of such Use, Disclosure, or request.
(ii) Safeguards
FortaTech Security, LLC d/b/a Bastion Intelligence shall: (1) use reasonable and appropriate safeguards to prevent Use and Disclosure of Protected Health Information other than as permitted in Section 2 herein; and (2) comply with the applicable requirements of 45 CFR Part 164 Subpart C of the Security Rule.
(iii) Reporting
FortaTech Security, LLC d/b/a Bastion Intelligence shall report to Customer:
- Any Use and/or Disclosure of Protected Health Information that is not permitted or required by this BAA of which FortaTech Security, LLC d/b/a Bastion Intelligence becomes aware;
- Any Security Incident of which it becomes aware, provided that notice is hereby deemed given for Unsuccessful Security Incidents and no further notice of such Unsuccessful Security Incidents shall be given; and/or
- Any Breach of Customer's Unsecured Protected Health Information that FortaTech Security, LLC d/b/a Bastion Intelligence may discover (in accordance with 45 CFR § 164.410 of the Breach Notification Rule).
Notification of a Breach will be made without unreasonable delay, but in no event more than seventy-two (72) hours after FortaTech Security, LLC d/b/a Bastion Intelligence's discovery of a Breach. Taking into account the level of risk reasonably likely to be presented by the Use, Disclosure, Security Incident, or Breach, the timing of other reporting will be made consistent with FortaTech Security, LLC d/b/a Bastion Intelligence's and Customer's legal obligations.
For purposes of this Section, "Unsuccessful Security Incidents" mean, without limitation, pings and other broadcast attacks on FortaTech Security, LLC d/b/a Bastion Intelligence's firewall, port scans, unsuccessful log-on attempts, denial of service attacks, and any combination of the above, as long as no such incident results in unauthorized access, acquisition, Use, or Disclosure of Protected Health Information.
Notification(s) under this Section, if any, will be delivered to contacts identified by Customer pursuant to Section 3b(ii) (Contact Information for Notices) of this BAA by any means FortaTech Security, LLC d/b/a Bastion Intelligence selects, including through e-mail. FortaTech Security, LLC d/b/a Bastion Intelligence's obligation to report under this Section is not and will not be construed as an acknowledgement by FortaTech Security, LLC d/b/a Bastion Intelligence of any fault or liability with respect to any Use, Disclosure, Security Incident, or Breach.
(iv) Subcontractors
In accordance with 45 CFR §§ 164.502(e)(1)(ii) and 164.308(b)(2) of HIPAA, FortaTech Security, LLC d/b/a Bastion Intelligence shall require its Subcontractors who create, receive, maintain, or transmit Protected Health Information on behalf of FortaTech Security, LLC d/b/a Bastion Intelligence to agree in writing to: (1) the same or more stringent restrictions and conditions that apply to FortaTech Security, LLC d/b/a Bastion Intelligence with respect to such Protected Health Information; (2) appropriately safeguard the Protected Health Information; and (3) comply with the applicable requirements of 45 CFR Part 164 Subpart C of the Security Rule. FortaTech Security, LLC d/b/a Bastion Intelligence remains responsible for its Subcontractors' compliance with obligations in this BAA.
(v) Disclosure to the Secretary
FortaTech Security, LLC d/b/a Bastion Intelligence shall make available its internal practices, records, and books relating to the Use and/or Disclosure of Protected Health Information received from Customer to the Secretary of the Department of Health and Human Services for purposes of determining Customer's compliance with HIPAA, subject to attorney-client and other applicable legal privileges. If FortaTech Security, LLC d/b/a Bastion Intelligence receives a subpoena, civil investigative demand, court order, warrant, or other legally binding request from a governmental authority or third party for Protected Health Information, FortaTech Security, LLC d/b/a Bastion Intelligence shall, to the extent permitted by applicable law: (1) promptly notify Customer of the request before disclosing any Protected Health Information, so that Customer may seek a protective order or other appropriate remedy; (2) reasonably cooperate, at Customer's expense, with Customer's efforts to limit, quash, or challenge the request; and (3) Disclose only the minimum Protected Health Information legally required to comply with the request.
(vi) Access
The parties acknowledge and agree that FortaTech Security, LLC d/b/a Bastion Intelligence does not maintain Protected Health Information in a Designated Record Set for Customer.
(vii) Accounting of Disclosure
FortaTech Security, LLC d/b/a Bastion Intelligence, at the request of Customer, shall within thirty (30) days make available to Customer such information relating to Disclosures made by FortaTech Security, LLC d/b/a Bastion Intelligence as required for Customer to make any requested accounting of Disclosures in accordance with 45 CFR § 164.528 of the Privacy Rule.
(viii) Performance of a Covered Entity's Obligations
To the extent FortaTech Security, LLC d/b/a Bastion Intelligence is to carry out a Covered Entity obligation under the Privacy Rule, FortaTech Security, LLC d/b/a Bastion Intelligence shall comply with the requirements of the Privacy Rule that apply to Customer in the performance of such obligation.
b. Customer Responsibilities
(i) No Impermissible Requests
Customer shall not request FortaTech Security, LLC d/b/a Bastion Intelligence to Use or Disclose Protected Health Information in any manner that would not be permissible under HIPAA if done by a Covered Entity (unless permitted by HIPAA for a Business Associate).
(ii) Contact Information for Notices
Customer hereby agrees that any reports, notification, or other notice by FortaTech Security, LLC d/b/a Bastion Intelligence pursuant to this BAA will be provided as set forth in the Agreement.
(iii) Safeguards and Appropriate Use of Protected Health Information
Customer is responsible for implementing appropriate privacy and security safeguards to protect its Protected Health Information in compliance with HIPAA. Without limitation, it is Customer's obligation to not include Protected Health Information in: (1) information Customer submits to technical support personnel through a technical support request or to community support forums outside of Professional Services, or, for Professional Services, within the subject or body of a support case management or support ticket; and (2) Customer's address book or directory information. In addition, FortaTech Security, LLC d/b/a Bastion Intelligence does not act as, or have the obligations of, a Business Associate under HIPAA with respect to Customer Data that Customer transmits to, or receives from, third parties outside the FortaTech Security, LLC d/b/a Bastion Intelligence Services, or with respect to Customer Data transmitted by Customer in violation of FortaTech Security, LLC d/b/a Bastion Intelligence's documented instructions or specifications for use of the Services, including instructions regarding physical media transported by a common carrier. For the avoidance of doubt, this limitation does not apply to Customer Data in transit to or from the FortaTech Security, LLC d/b/a Bastion Intelligence Services over the public Internet in the ordinary course of Customer's authorized use of the Services.
SECTION 04 Applicability of BAA
This BAA applies to all Services through which Customer transmits, makes available, or otherwise provides Protected Health Information to FortaTech Security, LLC d/b/a Bastion Intelligence, or through which FortaTech Security, LLC d/b/a Bastion Intelligence creates, receives, maintains, or transmits Protected Health Information on behalf of Customer. It is Customer's obligation not to store, process, or transmit Protected Health Information through any Service or feature for which this BAA is not in effect, and to follow FortaTech Security, LLC d/b/a Bastion Intelligence's documented instructions for use of the Services with respect to Protected Health Information (as that term is defined in 45 CFR § 160.103 of HIPAA).
SECTION 05 Term and Termination
a. Term
This BAA shall continue in effect until the earlier of (1) termination by a Party for breach as set forth in Section 5.b., below, or (2) expiration of Customer's Agreement.
b. Termination for Breach
Upon written notice, either Party immediately may terminate the Agreement and this BAA if the other Party is in material breach or default of any obligation in this BAA. Either party may provide the other a thirty (30) calendar day period to cure a material breach or default within such written notice.
c. Return, Destruction, or Retention of Protected Health Information Upon Termination
Upon expiration or termination of this BAA, FortaTech Security, LLC d/b/a Bastion Intelligence shall return or destroy all Protected Health Information in its possession, and shall retain no copies of such Protected Health Information, as set forth in the applicable termination provisions of the Agreement. If FortaTech Security, LLC d/b/a Bastion Intelligence determines that returning or destroying any portion of the Protected Health Information is infeasible, FortaTech Security, LLC d/b/a Bastion Intelligence shall: (1) provide Customer with written notification of the conditions that make return or destruction infeasible, including a description of the categories of Protected Health Information at issue and the basis for the determination of infeasibility; (2) extend the protections of this BAA, without limitation, to such Protected Health Information and limit any further Use or Disclosure of the Protected Health Information to those purposes that make the return or destruction infeasible, for so long as FortaTech Security, LLC d/b/a Bastion Intelligence retains the Protected Health Information; and (3) return or destroy the Protected Health Information promptly upon, and to the extent that, return or destruction becomes feasible. The obligations in this Section 5(c) shall survive termination of this BAA.
SECTION 06 Miscellaneous
a. Interpretation
The Parties intend that this BAA be interpreted consistently with their intent to comply with HIPAA and other applicable federal and state law. Except where this BAA conflicts with the Agreement, all other terms and conditions of the Agreement remain unchanged. With respect to Part 2 Records, the Part 2 Addendum controls over both this BAA and the Agreement in any conflict, as provided in Section 8(a) of the Part 2 Addendum. Any captions or headings in this BAA are for the convenience of the Parties and shall not affect the interpretation of this BAA.
b. Amendments; Waiver
This BAA may not be modified or amended except in a writing duly signed by authorized representatives of the Parties. A waiver with respect to one event shall not be construed as continuing, as a bar to, or as a waiver of any right or remedy as to subsequent events.
c. No Third-Party Beneficiaries
Nothing express or implied in this BAA is intended to confer, nor shall anything in this BAA confer, upon any person other than the Parties, and the respective successors or assigns of the Parties, any rights, remedies, obligations, or liabilities whatsoever.
d. Severability
In the event that any provision of this BAA is found to be invalid or unenforceable, the remainder of this BAA shall not be affected thereby, but rather the remainder of this BAA shall be enforced to the greatest extent permitted by law.
e. No Agency Relationship
It is not intended that an agency relationship (as defined under the Federal common law of agency) be established hereby expressly or by implication between Customer and FortaTech Security, LLC d/b/a Bastion Intelligence under HIPAA or the Privacy Rule, Security Rule, or Breach Notification Rule. No terms or conditions contained in this BAA shall be construed to make or render FortaTech Security, LLC d/b/a Bastion Intelligence an agent of Customer.