Disclaimers
FDA Disclaimers
Food and Drug Administration Statement
All information presented on this website is intended for informational purposes only and not for the purpose of rendering medical advice. Statements made on this website have not been evaluated by the Food and Drug Administration. The information contained herein is not intended to diagnose, treat, cure, or prevent any disease.
Legal Disclaimer
Please consult your physician before implementing any new diet, exercise, and dietary supplement programs, especially if you have preexisting medical conditions or are taking prescribed medications. The statements made in this website are for educational purposes only and are not meant to replace the advice of your physician or health care provider.
Proper treatment of health conditions depends upon a number of factors, including, but not limited to, your medical history, diet, lifestyle, and medication regimen. Your healthcare provider can best assess and address your individual healthcare needs. You should consult with your healthcare provider before starting a new diet, fitness, supplement, or treatment regimen.
Individual results may vary.
HIPAA Compliance Policy
Last Updated: March 26, 2024
This HIPAA Business Associate Agreement (“BAA”) is entered into between Boulevard Labs, Inc. as the Business Associate (“Boulevard”) and you as a Covered Entity (“you” or “Customer”) and is effective as of the date you accept or otherwise agree to this BAA. This BAA is incorporated into and supplements the Boulevard Main Services Agreement (“MSA,” and collectively the “Agreement”) governing your use of Boulevard’s Platform and Services (collectively, the “Services”). Capitalized terms used but not defined in this BAA have the meanings given to them in the HIPAA Rules or the Agreement.
By clicking to accept this BAA, you agree to be bound by and comply with the terms and conditions of this BAA. Together with the MSA, this BAA will govern each party’s respective obligations regarding Protected Health Information (defined below). By agreeing to this BAA, you represent and warrant that (i) you have the full legal authority to bind Customer to this BAA, (ii) you have read and understand this BAA, and (iii) you agree, on behalf of Customer, to the terms of this BAA.
This BAA may be updated by Boulevard from time to time upon reasonable notice, which may be provided via Customer’s Account, email, or by posting an updated version of this BAA.
1. PURPOSE AND SCOPE
This BAA applies to the extent Customer is acting as a Covered Entity or Business Associate to create, receive, maintain, or transmit Protected Health Information (as defined under HIPAA) (“PHI”) as part of its Customer Data that Boulevard may receive, create, maintain, use, or disclose in connection with the Services that Boulevard performs for Customer (“Covered Services”) in connection with Customer’s permitted use of the Covered Services. The Services that Boulevard performs for Customer are described in the MSA.
This BAA reflects the parties’ agreement relating to Boulevard’s use of or access to PHI in order to comply with the requirements of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the Health Information Technology for Economic and Clinical Health Act (“HITECH”) and their implementing regulations set forth at 45 C.F.R. Part 160 and Part 164 (“HIPAA Rules”). Defined terms used in this Agreement are denoted with initial capital letters. Unless the context clearly indicates otherwise, the following terms in this BAA shall have the same meaning as those terms in the HIPAA Rules: Administrative Safeguards, Availability, Breach, Confidentiality, Data Aggregation, Designated Record Set, Disclosure, Electronic Media, Electronic Protected Health Information (“ePHI”), Healthcare Operations, Individual, Individually Identifiable Health Information, Integrity, Minimum Necessary, Notice of Privacy Practices, Physical Safeguards, Protected Health Information, Required By Law, Secretary, Security Incident, Subcontractor, Technical Safeguards, Unsecured PHI, Uses and Disclosures, and Workforce. A change to the HIPAA Rules which modifies any defined term, or which alters the regulatory citation for a definition will be deemed incorporated into this BAA.
Customer acknowledges that this BAA does not apply (A) if Customer has not subscribed to Boulevard’s required HIPAA Coverage; or (B) to any other Boulevard product, service, or feature that is not a Covered Service; or (C) to any PHI that Customer creates, receives, maintains, or transmits outside of the Covered Services (including Customer’s use of its offline or on-premise storage tools or third-party applications).
Customer acknowledges that once Customer subscribes to the HIPAA Coverage, Customer’s Account will be classified as a HIPAA Enabled Account and that such classification is irreversible unless modified by Boulevard due to Customer’s termination of services or downgrade to a service plan that does not include the HIPAA Coverage add-on pursuant to Section 5 of this BAA.
2. PERMITTED USES AND DISCLOSURES
2.1. General Uses and Disclosures of PHI Pursuant to the MSA. Except as otherwise limited in this BAA, Boulevard may use or disclose PHI to perform or provide the Covered Services for, or on behalf of, Customer, as specified in the MSA and this BAA, provided that such use or disclosure would not violate the Privacy Rule if done by Customer.
2.2. Permitted Uses of PHI by Business Associate. Except as otherwise limited in this BAA, Boulevard may use PHI for the following purposes: (i) the proper management and administration of Boulevard or to carry out the legal responsibilities of Boulevard; (ii) as Required by Law; (iii) to de-identify PHI in accordance with 45 C.F.R. § 164.514(b) and use such de-identified data for any reason not prohibited by applicable law; and (iv) provide Data Aggregation services relating to the Healthcare Operations of the Customer.
2.3. Permitted Disclosures of PHI by Business Associate. Except as otherwise limited in this BAA, Boulevard may disclose PHI for the following purposes: (i) the proper management and administration of Boulevard, provided that the disclosures are Required by Law or Boulevard obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and will be used or further disclosed only as Required by Law or for the purpose for which it was disclosed to such person, and that person agrees to notify Boulevard of any instances of which it is aware in which the confidentiality of the information has been breached; and (ii) to report violations of law to appropriate federal and state authorities, consistent with 45 C.F.R. § 164.502(j)(1).
2.4. Prohibited Uses and Disclosures of PHI by Business Associate. Boulevard may not use or disclose PHI in a manner that would violate Subpart E of 45 C.F.R. Part 164 if done by Customer; provided, further, that Boulevard may not use or disclose PHI for the purpose of marketing, as such term is defined at 45 C.F.R. § 164.501, unless Boulevard has obtained an authorization from the Individual in accordance with 45 C.F.R. § 164.508(a)(3).
3. BUSINESS ASSOCIATE OBLIGATIONS
(A) Appropriate Safeguards.
(1) Boulevard agrees to use appropriate safeguards and comply with Subpart C of 45 C.F.R. Part 164 with respect to ePHI that Boulevard may receive, create, maintain, use, or disclose in connection with Customer’s use of the Covered Services in order to prevent the use or disclosure of PHI other than as provided for by the MSA and this BAA.
(2) To the extent applicable, Boulevard will implement the Administrative Safeguards (45 C.F.R. § 164.308), Physical Safeguards (45 C.F.R. § 164.310), and Technical Safeguards (45 C.F.R. § 164.312) to reasonably and appropriately protect the confidentiality, integrity, and availability of ePHI that Boulevard may receive, create, maintain, use, or disclose in connection with Customer’s use of the Covered Services as required by the Security Rule.
(B) Privacy Rule Requirements. Except as provided in the MSA or this BAA, Boulevard will not assume any obligations of Customer under the Privacy Rule. To the extent that Boulevard is to carry out any of Customer’s obligations under the Privacy Rule as expressly provided in the MSA or this BAA, Boulevard will comply with the requirements of the Privacy Rule that apply to Customer in the performance of such obligations.
(C) Reporting of Improper Use or Disclosure, Security Incident, or Breach.
(1) Boulevard will report to Customer any use or disclosure of PHI not permitted under this BAA, Breach of Unsecured PHI, or any Security Incident, without unreasonable delay, and in any event no more than thirty (30) days following discovery; provided, however, that the Parties acknowledge and agree that this Section constitutes notice by Boulevard to Customer of the ongoing existence and occurrence of attempted but Unsuccessful Security Incidents (as defined below). “Unsuccessful Security Incidents” will include, but not be limited to, pings and other broadcast attacks on Boulevard’s firewall, port scans, unsuccessful log-on attempts, denials of service, and any combination of the above, so long as no such incident results in unauthorized access, use, or disclosure of PHI.
(2) Boulevard’s notification to Customer of a Breach will include (i) the identification of each individual whose Unsecured PHI has been, or is reasonably believed by Boulevard to have been, accessed, acquired, or disclosed during the Breach; and (ii) any particulars regarding the Breach that Customer would need to include in its notification, as such particulars are identified in 45 C.F.R. § 164.404.
(3) A Security Incident, for the purpose of this Section 3.1(C)(3), does not include attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with Boulevard’s corporate information system (“non-PHI Information System”), as defined by Boulevard’s internal policies and procedures.
(D) Subcontractors. In accordance with 45 C.F.R. § 164.502(e)(1)(ii) and 45 C.F.R. § 164.308(b)(2), as applicable, Boulevard will enter into a written agreement with any Subcontractor that creates, receives, maintains, or transmits PHI on behalf of Boulevard for Covered Services provided to Customer, providing that the Subcontractor agrees to restrictions and conditions that are substantially similar to those that apply through this BAA to Boulevard with respect to such PHI. As part of this agreement, Boulevard will require any Subcontractor to whom it provides PHI to implement reasonable and appropriate safeguards to protect the PHI.
(E) Access to PHI. The Parties do not intend for Boulevard to maintain any PHI in a Designated Record Set for Customer. If, at any point, the parties mutually agree in writing for Boulevard to possess PHI in a Designated Record Set, Boulevard agrees to make such information available to Customer pursuant to 45 C.F.R. § 164.524 and 42 U.S.C. § 17935(e) within thirty (30) business days of Boulevard’s receipt of a written request from Customer; provided, however, that Boulevard is not required to provide such access where the PHI is duplicative of the PHI contained in a Designated Record Set possessed by Customer. If an Individual makes a request for access pursuant to 45 C.F.R. § 164.524 directly to Boulevard or inquires about his or her right to access, Boulevard will either forward such request to Customer or direct the Individual to Customer.
(F) Amendment of PHI. The Parties do not intend for Boulevard to maintain any PHI in a Designated Record Set for Customer. If, at any point, the parties mutually agree in writing for Boulevard to possess PHI in a Designated Record Set, Boulevard agrees to make such information available to Customer for amendment pursuant to 45 C.F.R. § 164.526 within thirty (30) business days of Boulevard’s receipt of a written request from Customer. If an Individual submits a written request for amendment pursuant to 45 C.F.R. § 164.526 directly to Boulevard, or inquires about his or her right to amendment, Boulevard will either forward such request to Customer or direct the Individual to Customer.
(G) Documentation of Disclosures of PHI. Boulevard agrees to document disclosures of PHI and information related to such disclosures as would be required for Customer to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528. Boulevard will document, at a minimum, the following information (“Disclosure Information”): (i) the date of the disclosure; (ii) the name and, if known, the address of the recipient of the PHI; (iii) a brief description of the PHI disclosed; (iv) the purpose of the disclosure that includes an explanation of the basis for such disclosure; and (v) any additional information required under the HITECH Act and any implementing regulations.
(H) Accounting of Disclosures of PHI. Boulevard agrees to provide to Customer, within twenty (20) business days of Boulevard’s receipt of a written request from Customer, information collected in accordance with Section 3.1(F) (Amendment of PHI) of this BAA, to permit Customer to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528 and 42 U.S.C. § 17935(c). If the Individual submits a written request for an accounting of disclosures of PHI pursuant to 45 C.F.R. § 164.528 directly to Boulevard, or inquires about his or her right to an accounting, Boulevard will direct the Individual to Customer.
(I) Government Access to Records. Boulevard will make its internal practices, books, and records relating to the use and disclosure of PHI received from, or created or received by Boulevard on behalf of, Customer available to the Secretary for purposes of the Secretary determining Customer’s compliance with the Privacy Rule and the Security Rule.
(J) Mitigation. To the extent reasonable and practicable, Boulevard will cooperate with Customer’s efforts, at Boulevard’s expense, to mitigate a harmful effect that is known to Boulevard of a use or disclosure of PHI by Boulevard that is not permitted by this BAA. Boulevard shall reasonably cooperate with Customer’s investigation, analysis, notification, and mitigation activities, at Customer’s expense, if it is determined that the source of the Breach or Security Incident is the Customer.
(K) Minimum Necessary. Boulevard will request, use, and disclose the minimum amount of PHI necessary to accomplish the purpose of the request, use, or disclosure, in accordance with 45 C.F.R. § 164.514(d), and any amendments thereto.
4. CUSTOMER OBLIGATIONS
4.1. Notice of Privacy Practices. Customer will notify Boulevard of any limitation(s) in its notice of privacy practices in accordance with 45 C.F.R. § 164.520, to the extent that such limitation may affect Boulevard’s use or disclosure of PHI. Customer will provide such notice no later than fifteen (15) days prior to the effective date of the limitation.
4.2. Notification of Changes Regarding Individual Permission. Customer will obtain any consent or authorization that may be required by the Privacy Rule, or applicable state law, prior to furnishing Boulevard with PHI. Customer will notify Boulevard of any changes in, or revocation of, permission by an Individual to use or disclose PHI, to the extent that such changes may affect Boulevard’s use or disclosure of PHI. Customer will provide such notice no later than fifteen (15) days prior to the effective date of the change.
4.3. Notification of Restrictions to Use or Disclosure of PHI. Customer will notify Boulevard of any restriction to the use or disclosure of PHI that Customer has agreed to in accordance with 45 C.F.R. § 164.522, to the extent that such restriction may affect Boulevard’s use or disclosure of PHI. Customer will provide such notice no later than fifteen (15) days prior to the effective date of the restriction. If Boulevard reasonably believes that any restriction agreed to by Customer pursuant to this Section may materially impair Boulevard’s ability to perform its obligations under the MSA or this BAA, Boulevard may terminate this Agreement and the MSA. In the alternative, at Boulevard’s discretion, the Parties may mutually agree upon any necessary modification of Boulevard’s obligations under such agreements.
4.4. Permissible Requests by Covered Entity. Customer will not request Boulevard to use or disclose PHI in any manner that would not be permissible under the Privacy Rule, the Security Rule, or the HITECH Act if done by Customer, except as permitted pursuant to the provisions of Section 3.2 (Permitted Uses of PHI by Business Associate), Section 3.3 (Permitted Disclosures of PHI by Business Associate), and Section 3.4 (Prohibited Uses and Disclosures of PHI by Business Associate) of this BAA. In addition, in connection with Customer’s use, management, and administration of the Covered Services, including its Clients’ access and use of the Covered Services, Customer shall provide to Boulevard only the “minimum necessary” PHI (as described in 45 C.F.R. § 164.502(b)) required for Boulevard to perform its obligations under the MSA and Customer will use controls available within the Covered Services to ensure its use of PHI is limited to the Covered Services. Customer is solely responsible for ensuring that its Users’ and Clients’ use of the Covered Services complies with HIPAA and HITECH. Customer agrees that Boulevard has no obligation to protect PHI under this BAA to the extent Customer or its Clients create, receive, maintain, use, or transmit PHI in a manner that is not within the permitted or intended use of the Covered Services, a violation of the Agreement, or outside of the scope of the Covered Services (including Customer’s use of offline or on-premise tools or third-party applications). Customer, and not Boulevard, is responsible for managing whether its Users and Clients are authorized to create, receive, maintain or transmit PHI within the Services and Boulevard will have no obligations relating thereto. Customer shall obtain and maintain any and all authorizations and/or consents by Clients or other parties required for Boulevard’s use or disclosure of PHI contemplated by this BAA.
4.5. Boulevard Security Requirements. Customer is solely responsible for complying with Boulevard’s HIPAA Security Requirements for HIPAA Enabled Accounts to which this BAA applies, found here: https://support.boulevard.io/en/articles/8550292-hipaa-security-requirements-for-hipaa-enabled-accounts. Customer acknowledges that, due to changes in law or regulation, or changes to the Boulevard Services, it may be necessary for Boulevard to update these security requirements from time to time upon reasonable notice, which may be provided via Customer’s Account, email, or by posting an updated version at https://support.boulevard.io/en/articles/8550292-hipaa-security-requirements-for-hipaa-enabled-accounts.
5. TERM AND TERMINATION
5.1. Should Customer downgrade to any service plan that does not include Boulevard’s HIPAA Coverage, or upon termination of this BAA, Boulevard’s consent provided herein for Customer to transmit and store PHI on the Boulevard Services shall be deemed immediately revoked and, subject to Boulevard’s obligation described in Section 5.3 herein, all obligations of Boulevard hereunder shall terminate, and Customer must delete any PHI it maintains in the Services and cease to disclose such PHI to Boulevard via the Services. Customer is solely responsible for ensuring that any such downgrade in Services will not cause Customer or Boulevard to violate any applicable laws or regulations, and Customer shall indemnify and hold Boulevard harmless against any alleged or actual violation of such laws. Customer’s obligations pursuant to this Section shall survive termination of this BAA.
5.2. This BAA will terminate on the earlier of (A) Customer’s downgrade to a service plan that does not include HIPAA Coverage as described in Section 5.1 above, or (B) the expiration or termination of the Agreement. In addition, if either party materially breaches this BAA, and the breaching party does not cure the breach within thirty (30) days of receiving written notice of such breach, the non-breaching party may terminate this BAA. If a cure under this Section 5.2 is not reasonably possible, the non-breaching party may immediately terminate this BAA.
5.3. Upon termination of this BAA, (i) Boulevard’s consent provided herein for Customer to transmit and store PHI on the Boulevard Services shall be deemed immediately revoked and, subject to Boulevard’s obligation described in Section 9.3 herein, all obligations of Boulevard hereunder shall terminate, and (ii) Boulevard will make Customer’s PHI available for retrieval and deletion as described in the Agreement. Notwithstanding the foregoing, Boulevard may retain PHI (A) which is necessary to carry out its legal responsibilities and (B) in the event that Boulevard determines that returning or destroying PHI is infeasible, provided that it provides Customer notification of the conditions that make return or destruction infeasible. In this case, Boulevard will: (i) extend the protections of this BAA to such PHI and (ii) limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Boulevard maintains such PHI. This Section 5.3 will survive termination or expiration of this BAA.
6. GENERAL
This Agreement shall be construed as broadly as necessary to implement and comply with HIPAA, HITECH, and the HIPAA Rules; the parties agree that any ambiguity in this Agreement shall be resolved in favor of a meaning that complies and is consistent with these regulations and rules. Following any change to the HIPAA Rules or other law applicable to PHI, the parties will negotiate in good faith to amend this BAA to remain in compliance with the new laws or regulations. Any ambiguity in this BAA will be resolved to permit Boulevard and you to comply with the HIPAA Rules. This BAA will control in the event of any conflict with the Agreement, otherwise, the Agreement shall remain unchanged and in effect. Nothing express or implied in this BAA is intended to confer, nor shall anything herein confer upon any other person or entity other than Customer and Boulevard any rights, remedies, obligations, or liabilities whatsoever. LIMITATION OF LIABILITY: THE TOTAL LIABILITY OF EITHER PARTY AND ITS AFFILIATES TOWARDS THE OTHER PARTY AND ITS AFFILIATES, WHETHER IN CONTRACT, TORT, OR ANY OTHER THEORY OF LIABILITY, UNDER OR IN CONNECTION WITH THIS BAA WILL BE LIMITED TO LIMITATIONS ON LIABILITY OR OTHER LIABILITY CAPS AGREED TO BY THE PARTIES IN THE AGREEMENT.
7. MISCELLANEOUS TERMS
7.1. Cooperation in Investigations. The Parties acknowledge that certain breaches or violations of this BAA may result in litigation or investigations pursued by federal or state governmental authorities of the United States resulting in civil liability or criminal penalties. Each Party will cooperate in good faith in all respects with the other Party in connection with any request by a federal or state governmental authority for additional information and documents or any governmental investigation, complaint, action, or other inquiry.
7.2. Order of Precedence. Any ambiguity in this BAA will be resolved to permit Business Associate to comply with the HIPAA Rules. If any express term of this BAA conflicts with the MSA, then this BAA, if applicable, will control as to that term, but only to the extent of an express ambiguity. The MSA will control in all other instances, including, without limitation, remedies, limitation of liability, limitation of remedies, warranties, disclaimer of warranties, governing law, venue, and relationship of the Parties.
[End of BAA]