Business Associate Agreement
This Business Associate Agreement (“BAA”) is entered into by and between Clarion, Inc. (“Business Associate”) and the entity identified as “Customer” in the order form, checkout page, or order confirmation email referencing the Standard Terms and Conditions into which this BAA is incorporated (“Covered Entity”). Business Associate and Covered Entity may be referred to individually as a “Party” and collectively as the “Parties”. This BAA is incorporated into and made part of the Standard Terms and Conditions between the Parties (“Agreement”). This BAA is effective as of the effective date of the Agreement (“Effective Date”).
WHEREAS, Business Associate provides certain services to Covered Entity pursuant to the Agreement (“Services”);
WHEREAS, in connection with the Services, Business Associate may create, receive, maintain, or transmit PHI from, to, or on behalf of, Covered Entity, which PHI is subject to certain protections under the HIPAA Rules; and
WHEREAS, this BAA defines the rights and responsibilities of each Party with respect to PHI processed pursuant to the Agreement;
NOW, THEREFORE, for good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the Parties agree as follows:
- Scope; Definitions.
- This BAA shall only be effective to the extent Business Associate has agreed to perform Services that require Business Associate to create, receive, maintain, or transmit PHI pursuant to the Agreement.
- All terms used but not defined herein shall have the meaning set forth in the HIPAA Rules or the Agreement, as applicable; provided, however, that in the event of a conflict between defined terms, the HIPAA Rules shall control.
- The following capitalized terms are specifically defined as follows:
- “Business Associate” has the same meaning as the term “business associate” at 45 CFR 160.103, and, subject to Section 1(a), in reference to the Party to this BAA, shall mean Clarion, Inc.
- “Covered Entity” has the same meaning as the term “covered entity” at 45 CFR 160.103, and in reference to the Party to this BAA, shall mean the entity identified as “Customer” in the order form, checkout page, or order confirmation email referencing the Standard Terms and Conditions into which this BAA is incorporated.
- “Electronic Protected Health Information” or “ePHI” has the same general meaning as the term “electronic protected health information” at 45 C.F.R. § 160.103, but for purposes of this BAA, is limited to the ePHI created, received, maintained, or transmitted by Business Associate for or on behalf of Covered Entity.
- “HIPAA Rules” means the Health Insurance Portability and Accountability Act of 1996, Pub. L. 104-191, the Health Information Technology for Economic and Clinical Health (HITECH) Act, as incorporated in title XIII of division A and title IV of division B of the American Recovery and Reinvestment Act of 2009 (ARRA), Public Law 111–5, and the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Part 160 and Part 164, each as amended from time to time.
- “Individual” has the same meaning as the term “individual” at 45 CFR § 160.103 and includes a person who qualifies as a personal representative in accordance with 45 CFR § 164.502(g).
- “Protected Health Information” or “PHI” has the same general meaning as the term “protected health information” at 45 C.F.R. § 160.103, but for purposes of this BAA, is limited to the PHI created, received, maintained, or transmitted by Business Associate for or on behalf of Covered Entity.
- “Unsuccessful Security Incidents” means, without limitation, pings and other broadcast attacks on Business Associate’s firewall, port scans, unsuccessful log-on attempts, denial of service attacks, and any combination of the above, so long as no such incident results in unauthorized access, Use or Disclosure of Covered Entity’s ePHI.
- Obligations and Activities of Business Associate.
- Business Associate agrees to not Use or Disclose PHI except as permitted by this BAA, the Agreement, or as Required by Law.
- Business Associate agrees to use appropriate safeguards, and to comply, where applicable, with Subpart C of 45 CFR Part 164 with respect to ePHI, to prevent Use or Disclosure of PHI other than as provided for by this BAA, the Agreement, or as Required by Law.
- Business Associate agrees to report to Covered Entity any Use or Disclosure of PHI not provided for by this BAA of which it becomes aware, including Breaches of Unsecured PHI as required under 45 C.F.R. §164.410, and any Security Incident. Notwithstanding the foregoing, the Parties acknowledge and agree that this Section 2(c) constitutes notice by Business Associate to Covered Entity of the ongoing existence and occurrence or attempts of Unsuccessful Security Incidents for which no additional notice to Covered Entity shall be required.
- Business Associate agrees, in accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, to obtain from any Subcontractor that creates, receives, maintains, or transmits PHI on behalf of Business Associate pursuant to this BAA and the Agreement, reasonable written assurances that the Subcontractor will adhere to substantially similar restrictions and conditions that apply to Business Associate under this BAA with respect to such PHI.
- Business Associate agrees to make available, at the request of Covered Entity, PHI that is maintained by Business Associate in a Designated Record Set (if any) as necessary to allow Covered Entity to satisfy its obligations under 45 C.F.R. §164.524.
- Business Associate agrees to make amendment(s) to PHI that is maintained in a Designated Record Set by Business Associate (if any), as requested by the Covered Entity, pursuant to 45 C.F.R. §164.526, or to take other measures as reasonably necessary to enable Covered Entity to satisfy its obligations under 45 C.F.R. §164.526.
- Business Associate agrees to maintain and make available to Covered Entity the information required to provide an accounting of Disclosures, as reasonably necessary to satisfy Covered Entity’s obligations under 45 C.F.R. §164.528.
- For clarity, with respect to the foregoing Sections 2(e)-(g), in no case shall Business Associate be responsible for responding directly to any Individual who submits a request to Business Associate pursuant to 45 CFR §§ 164.524 - 164.528; provided, however, that Business Associate shall promptly forward such requests to Covered Entity in accordance with Sections 2(e)-(g).
- To the extent that Business Associate is to carry out one or more of Covered Entity’s obligation(s) under Subpart E of 45 CFR Part 164, Business Associate agrees to comply with the requirements of Subpart E that apply to Covered Entity in the performance of such obligation(s).
- Business Associate agrees to make its internal practices, books, and records, regarding the Use and Disclosure of PHI created or received by Business Associate for or on behalf of the Covered Entity available to the Secretary for purposes of the Secretary determining compliance with the HIPAA Rules.
- Permitted Uses and Disclosures by Business Associate.
- Business Associate may Use or Disclose PHI to perform the Services set forth in the Agreement or as Required by Law.
- Business Associate may Use PHI for its proper management and administration, or to carry out its legal responsibilities.
- Business Associate may Disclose PHI for its proper management and administration, or to carry out its legal responsibilities, provided the Disclosures are (i) Required by Law, or (ii) Business Associate obtains reasonable assurances from the person to whom the information is Disclosed that the information will remain confidential and Used or further Disclosed only as Required by Law or for the purposes for which it was Disclosed to the person, and the person notifies Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.
- Obligations of Covered Entity.
- During the Term of this BAA, Covered Entity shall:
- Notify Business Associate of any limitations in its Notice of Privacy Practices, to the extent that such limitation may affect Business Associate’s Use or Disclosure of PHI;
- Notify Business Associate of any changes in, or revocation of, permission by an Individual to Use or Disclose PHI, to the extent that such changes may affect Business Associate’s Use or Disclosure of PHI;
- Not request Business Associate to Use or Disclose PHI in any manner that would not be permissible under the HIPAA Rules if done by Covered Entity (other than as permitted pursuant to Sections 3(b)-(d) above); and
- Comply with all of the HIPAA Rule requirements applicable to Covered Entity.
- Term and Termination.
- Term. The Term of this BAA shall commence on the Effective Date and, except for the rights and obligations set forth in this BAA specifically surviving termination, shall terminate upon the termination or expiration of the Agreement, unless otherwise earlier terminated for cause in accordance with this Section 5.
- Termination by Covered Entity. In addition to any termination provisions set forth in the applicable Agreement, Covered Entity may terminate this BAA if Covered Entity determines, in good faith and after reasonable investigation, that Business Associate has violated a material term of this BAA, and Business Associate has failed to cure such material breach or end the violation within thirty (30) days of notice by Covered Entity to Business Associate of such alleged breach.
- Termination by Business Associate. In addition to and notwithstanding any termination provisions set forth in the applicable Agreement, Business Associate may terminate this BAA if Business Associate determines, in good faith and after reasonable investigation, that Covered Entity has violated a material term of this BAA, and Covered Entity has failed to cure such material breach or end the violation within thirty (30) days of notice by Business Associate to Covered Entity of such alleged breach.
- Effect of Termination. Upon termination or expiration of this BAA for any reason, Business Associate shall:
- Retain only that PHI which is necessary for Business Associate to continue its proper management and administration or to carry out its legal responsibilities (if any);
- Return to Covered Entity or destroy the remaining PHI that Business Associate still maintains in any form that is not necessary to carry out Section 5(d)(i);
- Continue to use appropriate safeguards and comply with Subpart C of 45 CFR Part 164 with respect to ePHI to prevent Use or Disclosure of the PHI, other than as provided for in this Section 5(d), for as long as Business Associate retains the PHI;
- Not Use or Disclose the PHI retained by Business Associate other than for the purposes for which such PHI was retained and subject to the same conditions set out at Sections 3(b)-(d) which applied prior to termination; and
- Return to Covered Entity or destroy the PHI retained by Business Associate when it is no longer needed by Business Associate for its proper management and administration, or to carry out its legal responsibilities.
- Limitation of Liability.
- NOTWITHSTANDING ANYTHING TO THE CONTRARY CONTAINED HEREIN OR SET FORTH IN THE AGREEMENT, (I) IN NO EVENT SHALL EITHER PARTY BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES INCURRED BY A PARTY OR ANY OTHER PERSON IN CONNECTION WITH THIS BAA, WHETHER IN CONTRACT, TORT OR UNDER ANY OTHER THEORY OF LIABILITY AND WHETHER OR NOT THE PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES; AND (II) BUSINESS ASSOCIATE’S AGGREGATE LIABILITY UNDER OR IN CONNECTION WITH THIS BAA SHALL NOT EXCEED THE TOTAL AMOUNTS PAID BY COVERED ENTITY TO BUSINESS ASSOCIATE UNDER THE AGREEMENT FOR SERVICES PROVIDED IN THE 12 MONTH PERIOD PRECEDING THE DATE ON WHICH THE LIABILITY AROSE.
- Miscellaneous.
- This BAA is governed by, and will be construed in accordance with, the laws of the State that govern the Agreement. Any action relating to this BAA must be commenced within two years after the date upon which the cause of action accrued. This BAA may only be assigned in connection with an assignment of the Agreement. If any part of a provision of this BAA is found illegal or unenforceable, it will be enforced to the maximum extent permissible, and the legality and enforceability of the remainder of that provision and all other provisions of this BAA will not be affected. All notices relating to the Parties’ legal rights and remedies under this BAA will be provided in writing to a Party, will be sent to its address set forth in the Agreement, or to such other address as may be designated by that Party by notice to the sending Party, and will reference this BAA. This BAA may be modified, or any rights under it waived, only by a written agreement executed by the authorized representatives of the Parties. In the event a change in the HIPAA Rules requires the Parties to amend this BAA, the Parties agree to negotiate such amendment in good faith, provided that either Party may terminate this BAA upon notice if the Parties are unable to mutually agree upon and execute such amendment. This BAA is the complete and exclusive agreement between the Parties with respect to the subject matter hereof, superseding and replacing all prior agreements, communications, and understandings (written and oral) regarding its subject matter. Any ambiguity in this BAA shall be resolved in favor of the meaning that permits the Parties to comply with applicable law and any current regulations promulgated thereunder. Any failure of a Party to exercise or enforce any of its rights under this BAA will not act as a waiver of such rights. In the event of a conflict between this BAA and the Agreement, the terms of this BAA shall control.