HIPAA BUSINESS ASSOCIATE AGREEMENT

This Business Associate Agreement ("BAA") is entered into by and between the Covered Entity requesting remote IT support services from Business Associate ("Covered Entity") and Dental Imaging Technologies Corporation (DITC), 450 Commerce Dr Quakertown, PA, 18951-3729 United States ("Company") and/or any other affiliated company of our group from which Company received a DEXIS product and/or solution (collectively "Business Associate") (collectively referred to herein as the "Parties"), and supplements, amends and is incorporated into the existing End User Licence Agreement between Company and Business Associate and is effective as of the date it is agreed upon by the Covered Entity by accepting the terms of the IT support session.

WHEREAS, the Covered Entity has purchased a product or solution from the Company and has requested Business Associate to perform remote IT support services to the Covered Entity in relation to such product or solution which may result in incidental access, use or disclosure of Protected Health Information (as defined herein) and Electronic Protected Health Information (as defined herein); and

WHEREAS, this BAA is intended to comply with the requirements of the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and implementing regulations, the Standards for Privacy of Individually Identifiable Health Information (the "Privacy Rule"), the Security Standards for the Protection of Electronic Protected Health Information (the "Security Rule"), and the privacy, security and Breach Notification regulations of the Health Information Technology for Economic and Clinical Health ("HITECH") Act and the HIPAA Omnibus final rule (collectively, the "HIPAA Rules"), as amended from time to time.

NOW, THEREFORE, in consideration of the Parties' continuing obligations under the existing End User Licence Agreement, the agreements herein, and other good and valuable consideration, the receipt and sufficiency of which is hereby acknowledged, the Parties agree as follows:

  1. Definitions
    Except as otherwise defined herein, any and all capitalized terms in this BAA shall have the definitions set forth in the Privacy Rule or the Security Rule.
    1. "Breach" has the meaning given to such term in 45 C.F.R. § 164.402.
    2. "Business Associate" has the meaning set forth above.
    3. "Covered Entity" has the meaning set forth above.
    4. "Designated Record Set" has the same meaning as the term "designated record set" in 45 C.F.R. § 164.501 of the Privacy Rule.
    5. "Electronic Protected Health Information" ("EPHI") has the same meaning as the term "electronic protected health information" in 45 C.F.R. § 160.103 of the Security Rule, limited to the information created or received by Business Associate from or on behalf of Covered Entity.
    6. Health Information Technology for Economic and Clinical Health ("HITECH") Act.
    7. "HIPAA" has the meaning set forth above.
    8. "Individual" has the same meaning as the term "individual" in 45 C.F.R. § 160.103 of the Privacy Rule.
    9. "Privacy Rule" has the meaning set forth above.
    10. "Protected Health Information" ("PHI") has the same meaning as the term "protected health information" in 45 C.F.R. § 160.103 of the Privacy Rule (including, without limitation, Electronic Protected Health Information), limited to the information created or received by Business Associate from or on behalf of Covered Entity.
    11. "Required by Law" has the same meaning as the term "required by law" in 45 C.F.R. § 164.103 of the Privacy Rule.
    12. "Secretary" means the Secretary of the Department of Health and Human Services or his or her designee.
    13. "Security Incident" has the same meaning as the term "security incident" in 45 C.F.R. § 164.304 of the Security Rule.
    14. "Security Rule" has the meaning set forth above.
    15. "Unsecured PHI" has the meaning given to such phrase in the Breach Notification Rule at 45 C.F.R. § 164.402.
       
  2. Obligations and Activities of Business Associate
    1. Business Associate acknowledges and agrees that all PHI that is created or received by Covered Entity and used by or disclosed to Business Associate or created or received by Business Associate on Covered Entity's behalf shall be subject to this BAA.
    2. Business Associate agrees to not use or disclose PHI other than as permitted or required by this BAA or as Required by Law.
    3. Business Associate agrees to use appropriate safeguards to prevent use or disclosure of PHI other than as provided for by this BAA.
    4. Business Associate agrees to notify Covered Entity promptly following discovery of any Breach of Unsecured PHI. Business Associate will provide such information to Covered Entity as required in the Breach Notification Rule.
    5. Business Associate agrees to report to Covered Entity any use or disclosure of PHI not provided for by this BAA or any Security Incident of which it becomes aware.
    6. Business Associate agrees to ensure that any agent, including a subcontractor, to whom it provides PHI received from, or created or received by Business Associate for, or on behalf of, Covered Entity agrees in writing to substantially similar restrictions and conditions that apply through this BAA to Business Associate with respect to such information.
    7. To the extent Business Associate maintains PHI in a Designated Record Set, Business Associate will make such PHI available to Covered Entity within thirty (30) business days of a request by Covered Entity for access to such PHI. For avoidance of doubt, Covered Entity understands and agrees that Business Associate does not maintain any PHI in a Designated Record Set. If an Individual makes a request for access directly to Business Associate, Business Associate will within thirty (30) business days forward such request in writing to Covered Entity. Covered Entity will be responsible for making all determinations regarding the grant or denial of an Individual's request for PHI and Business Associate will make no such determinations. Only Covered Entity will release PHI to an Individual pursuant to such a request, unless Covered Entity directs Business Associate to do so.
    8. To the extent Business Associate maintains PHI in a Designated Record Set, Business Associate will provide such PHI to Covered Entity for amendment within thirty (30) business days of receiving a request from Covered Entity to amend an Individual's PHI. For avoidance of doubt, Covered Entity understands and agrees that Business Associate does not maintain any PHI in a Designated Record Set. If an Individual makes a request for amendment directly to Business Associate, Business Associate will within thirty (30) business days forward such request in writing to Covered Entity. Covered Entity will be responsible for making all determinations regarding amendments to PHI and Business Associate will make no such determinations unless Covered Entity directs Business Associate to do so.
    9. Within thirty (30) days of receiving a written request from Covered Entity, Business Associate shall provide to Covered Entity an accounting of the disclosures of the Individual's PHI in accordance with 45 C.F.R. § 164.528. If an Individual requests an accounting of Disclosures directly from Business Associate, Business Associate will forward the request and its record of Disclosures to Covered Entity within thirty (30) business days of Business Associate's receipt of the Individual's request. Covered Entity will be responsible for preparing and delivering the accounting to the Individual. Business Associate will not provide an accounting of its Disclosures directly to any Individual, unless directed by Covered Entity to do so.
    10. Business Associate agrees to make internal practices, books, and records, including policies and procedures and PHI, relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of, Covered Entity, available to the Secretary, in a time and manner designated by the Secretary, for purposes of the Secretary determining Covered Entity's compliance with the Privacy Rule.
       
  3. Permitted Uses and Disclosures by Business Associate
    1. Except as otherwise limited by this BAA, Business Associate may use or disclose PHI to perform functions, activities or services for or on behalf of Covered Entity as contemplated in the Services Agreement, provided that such use or disclosure does not violate the Privacy Rule or the HITECH Act if done by Covered Entity.
    2. Except as otherwise limited by this BAA, Business Associate may use PHI for the proper management and administration of Business Associate or to carry out the present and/or future legal responsibilities of Business Associate.
    3. Except as otherwise limited by this BAA, Business Associate may disclose PHI for the proper management and administration of Business Associate, provided that disclosures are Required by Law, or Business Associate obtains reasonable assurances from the person to whom the PHI is disclosed that it will remain confidential and be used or further disclosed only as Required by Law or for the purpose for which it was disclosed to the person, and the person notifies Business Associate of any breaches in the confidentiality of the PHI.
    4. Business Associate may use PHI to report violations of law or other conduct to appropriate federal and state authorities or other designated officials, consistent with 45 C.F.R. § 164.502(j)(1).
    5. Business Associate may use PHI to aggregate data as permitted by 45 C.F.R. § 164.504(e)(2)(i)(B).
    6. Business Associate may use PHI to create de-identified information in accordance with 45 CFR § 164.514.
       
  4. Obligations of Covered Entity on Behalf of Business Associate
    1. Covered Entity shall notify Business Associate of any limitation(s) in its notice of privacy practices within fifteen (15) business days of Covered Entity's receipt of the Individual's request in accordance with 45 C.F.R. § 164.520, to the extent that such limitation(s) may affect Business Associate's use or disclosure of PHI.
    2. Covered Entity shall notify Business Associate of any changes in, or revocation of, permission by an Individual to use or disclose PHI within fifteen (15) business days of Covered Entity's receipt of the Individual's request, to the extent that such changes may affect Business Associate's use or disclosure of PHI.
    3. Covered Entity shall notify Business Associate of any restriction to the use or disclosure of PHI that it has agreed to within fifteen (15) business days of Covered Entity agreeing to such restriction in accordance with 45 C.F.R. § 164.522, to the extent that such restriction may affect Business Associate's use or disclosure of PHI.
    4. Covered Entity shall not request that Business Associate use or disclose PHI in any manner that would not be permissible under HIPAA if done by a Covered Entity (unless permitted by HIPAA for a business associate).
    5. Covered Entity is responsible for implementing appropriate privacy and security safeguards to protect its PHI in compliance with HIPAA.
       
  5. Security Rule and HITECH Act Responsibilities of the Business Associate
    With regard to its use and/or disclosure of ePHI, Business Associate hereby agrees to do the following:
    1. Comply with the applicable requirements of the Security Rule.
    2. Require all of its subcontractors and agents that create, receive, maintain, or transmit ePHI on behalf of Business Associate to agree, in writing, to adhere to substantially similar restrictions and conditions concerning ePHI that apply to Business Associate pursuant to Section 5 of this BAA.
    3. Report to Covered Entity any Security Incident of which it becomes aware. Specifically, Business Associate will report to Covered Entity any successful unauthorized access, Use, Disclosure, modification, or destruction of ePHI or interference with system operations in an information system containing ePHI of which Business Associate becomes aware within thirty (30) business days of Business Associate learning of such Security Incident. The parties agree that this Section serves as notice by Business Associate to Covered Entity of the ongoing existence of attempted but Unsuccessful Security Incidents (as defined below), for which no additional reporting is required. For purposes of this BAA, "Unsuccessful Security Incidents" include but are not limited to activity such as "pings" and other broadcast attacks on Business Associate's firewall, port scans, unsuccessful log-on attempts, denials of service and any other attempts to penetrate such computer networks or systems that do not result in unauthorized access, use or disclosure of ePHI.
       
  6. Term and Termination
    1. Term. The Term of this BAA shall be in effect as of the Effective Date set forth above, and shall terminate when all the PHI provided by Covered Entity to Business Associate, or created or received by Business Associate for or on behalf of Covered Entity, is destroyed or returned to Covered Entity or, if it is infeasible to return or destroy the PHI, protections are extended to such information, in accordance with the termination provisions in this Section 6.
    2. Termination for Cause. If Covered Entity or Business Associate knows of a material breach or violation by the other party of any provision of this BAA, then the non-breaching party shall provide written notice of the breach or violation to the other party that specifies the nature of the breach or violation. The breaching party must cure the breach or end the violation within thirty (30) days after receipt of the written notice. In the absence of a cure reasonably satisfactory to the non-breaching party, the non-breaching party may terminate this BAA between the parties.
    3. Effect of Termination.
      (i) Except as provided in paragraph (ii) of this Section, upon termination of this BAA, for any reason, Business Associate shall return or destroy all PHI received from Covered Entity, or created or received by Business Associate for or on behalf of Covered Entity. This provision shall apply to PHI that is in the possession of subcontractors or agents of Business Associate. Business Associate shall retain no copies of the PHI.
      (ii) In the event that Business Associate determines that returning or destroying the PHI is infeasible, Business Associate shall extend the protections of this BAA to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such PHI.
         
  7. Notification
    With respect to notices pursuant to Section 2.4 above, notice shall be made by telephone to the telephone number associated with Covered Entity's account, followed promptly by a written notice as described below.

    Any notices required or provided for under this BAA shall be made in writing and shall be either personally delivered, mailed by first class mail or sent via facsimile or electronic mail to the appropriate individual identified below:

    For Covered Entity: Your address.

    For Business Associate: Dental Imaging Technologies Corporation (DITC), 450 Commerce Dr Quakertown, PA, 18951-3729 United States or contact us at privacy@envistaco.com. Either Party may designate a different address in writing to the other.
     

  8. Regulatory References
    A reference in this BAA to a section in the Privacy Rule, the Security Rule or the HITECH Act means the section as in effect or as amended.
     
  9. Survival
    The respective rights and obligations of the Business Associate under Section 6 of this BAA shall survive the termination of this BAA.
     
  10. Interpretation
    Any ambiguity in this BAA shall be resolved to permit compliance with the HIPAA Rules. Any conflict between the terms of this BAA and any other agreement relating to the same subject matter shall be resolved so that the terms of this BAA supersede and replace the relevant terms of any such other agreement.
     
  11. Severability
    The provisions of this BAA shall be severable, and if any provision of this BAA shall be held or declared to be illegal, invalid or unenforceable, the remainder of this BAA shall continue in full force and effect as though such illegal, invalid or unenforceable provision had not been contained herein.
     
  12. Effect
    This BAA amends, restates and replaces in its entirety any prior business associate agreement between the parties. This BAA supersedes all prior or contemporaneous written or oral contracts or understandings between the parties relating to their compliance with health information confidentiality laws and regulations, including HIPAA and HITECH.
     
  13. No Agency Relationship
    It is not intended that an agency relationship (as defined under the federal common law of agency) be established hereby expressly or by implication between Covered Entity and Business Associate under HIPAA or the Privacy Rule, Security Rule, or Breach Notification Rule. No terms or conditions contained in this BAA shall be construed to make or render Business Associate an agent of Covered Entity.
DXIS01493 Rev00