Business Associate Agreement

JourneyLabs Inc. (the “Company”), in its capacity as a Business Associate, and you (the “Clinician”), in your capacity as a Covered Entity, shall comply with the following rights, duties, and obligations regarding ePHI transmitted by the Clinician for processing and/or storage on the Company’s system in connection with the services it provides.

1. As required by Section 13401(a) of the HITECH Act, the following sections of the HIPAA Regulations will also apply to the Company in its capacity as a Business Associate:

a. 45 CFR 164.308 (Administrative Safeguards);
b. 45 CFR 164.310 (Physical Safeguards);
c. 45 CFR 164.312 (Technical Safeguards); and
d. 45 CFR 164.316 (Policies and Procedures and Documentation Requirements).

Regarding implementation specifications, the Company may use its discretion regarding compliance with the addressable specifications. For clarification and not in limitation of the foregoing, the Company shall implement appropriate safeguards to prevent unauthorized use or disclosure of ePHI, including implementing requirements of the HIPAA Security Rule with regard to ePHI.

2. As required by Section 13404 of the HITECH Act:

a. The Company may use and disclose ePHI that it obtains or creates under this Agreement only if such use or disclosure, respectively, is in strict compliance with, and limited to, uses and disclosures permitted by the Services Agreement and otherwise in compliance with each applicable provision of 42 CFR 164.512(e); and
b. If the Company knows of any use or disclosure of ePHI not provided for in the Services Agreement or knows of a pattern of activity or practice that constitutes a material breach of this Agreement by the Clinician in its capacity as a Covered Entity or violation by the Clinician in its capacity as a Covered Entity of the standards of 45 CFR 164.502(e) or 45 CFR 164.504(e) with respect to this Agreement, the Company shall notify the Clinician of such material breach or violation by the Clinician and unless the Clinician takes reasonable steps to cure the breach or end the violation, and if such steps are unsuccessful, the Company shall either:
– i. Terminate this Agreement; or
– ii. If termination is not feasible, report the problem to the Secretary.

3. The Company shall report to the Clinician any Breach of Unsecured ePHI that it becomes aware of as required under the HITECH Act. The report will include the name of each individual whose unsecured ePHI has been, or is reasonably believed by the Company to have been, accessed, acquired, or disclosed as a result of such Breach. The Company shall submit such reports within five (5) business days of when the Company becomes aware of such Breach. The reports will contain such information as the Company reasonably believes is required for the Clinician to further investigate. The Company shall also provide such assistance and further information as reasonably requested by the Clinician.
4. As required by Section 13405(d)(1) of the HITECH Act, and unless approved by the Clinician consistent with the exceptions set forth in Section 13405(d)(2) of the HITECH Act, the Company shall not directly or indirectly receive remuneration in exchange for any ePHI of an individual unless the Clinician has obtained from the individual a valid authorization that includes a specification of whether the ePHI can be further exchanged for remuneration by the entity receiving the ePHI of that individual.
5. As defined by Section 13406(a) of the HITECH Act and 45 CFR 164.508, and unless approved by the Clinician, the Company shall not directly or indirectly perform marketing to Clinician’s patients using ePHI that was either provided by the Clinician, or created or otherwise acquired by the Company on behalf of the Clinician.
6. As provided for in Section 13411 of the HITECH Act, the Company shall be subject to audits by the Secretary to ensure the Company’s compliance with the HITECH Act as well as 45 CFR 164 subparts C and E. For clarification and not in limitation of the foregoing, the Company shall make available to the Secretary its internal practices, books, and records relating to the use and disclosure of ePHI received from, or created or received by the Company on behalf of the Clinician for purposes of the Secretary’s determination regarding whether the Clinician is in compliance with the HIPAA Privacy Rule.
7. The Company agrees to document such disclosures of ePHI and information related to such disclosures as would be required for the Clinician to respond to a request by an individual for an accounting of disclosures of ePHI in accordance with 45 CFR 164.528 and Section 13405(c) of the HITECH Act. The Company further agrees to provide the Clinician or an individual, as applicable, in a time and manner as prescribed by the HIPAA Regulations and the HITECH Act, such information collected in accordance with this subsection in response to a request for an accounting of disclosures of ePHI in accordance with 45 CFR Section 164.528 of the HITECH Act. Such time and manner will comply with the obligations under the HIPAA Regulations or the HITECH Act.
8. The Company will limit its requests for and use and disclosure of ePHI to the minimum necessary to accomplish the intended purpose of the applicable request, use or disclosure.
9. The Company shall require that any subcontractors the Company may engage on its behalf that will have access to ePHI agree to the same restrictions and conditions that apply to the Company with respect to ePHI.
10. In addition to the foregoing terms, the Company shall adhere to all directives issued by the Department of Veterans Affairs, as they may be updated from time to time, with regard to its handling of PHI and ePHI.
11. Unless otherwise specified in this Agreement, all capitalized terms in this exhibit not otherwise defined have the meaning established for purposes of HIPAA and HITECH and regulations promulgated under HIPAA and HITECH, as amended from time to time.