Business Associate Agreement

Customer is a covered entity and is therefore subject to the Health Insurance Portability and Accountability Act of 1996, as amended by the Health Information Technology for Economic and Clinical Health Act, as incorporated by the American Recovery and Reinvestment Act of 2009 ("HITECH"), and all applicable implementing regulations, including the Standards for Privacy of Individually Identifiable Health Information (the "Privacy Rule"), the Security Standards for the Protection of Electronic Protected Health Information (the "Security Rule") and the regulations for Breach Notification for Unsecured Protected Health Information (the "Breach Notification Rule") (all such laws and regulations shall be collectively referred to herein as "HIPAA").

B. Customer desires to obtain a dental practice software solution and related services (the "Services") from TeamCare, and Customer may need to provide to TeamCare its protected health information or electronic protected health information (collectively referred to herein as "PHI") to enable TeamCare to perform the Services.

C. If, and only to the extent, TeamCare needs to create, access, receive, maintain, or transmit PHI to perform the Services, it will be acting as a business associate of Customer and will be subject to certain provisions of HIPAA.

D. Customer and TeamCare wish to set forth their understandings with regard to the use and disclosure of PHI by TeamCare so as to comply with HIPAA.

a. TeamCare agrees to not use or further disclose PHI other than as required to perform the Services, requested by Customer, Required by Law or as otherwise permitted in this Agreement.

b. TeamCare shall use appropriate safeguards, and comply with the Security Rule with respect to electronic PHI, to prevent use or disclosure of PHI other than as permitted herein.

c. In using, disclosing or requesting PHI, TeamCare shall comply with the minimum necessary requirements contained within the Privacy Rule.

d. TeamCare agrees to report to Customer, without unreasonable delay and in no case later than 10 business days following actual knowledge by TeamCare:

• Any use or disclosure of PHI not provided for by this Agreement.
• Any Security Incident of which TeamCare becomes aware; provided, however, that the parties acknowledge and agree that this section constitutes notice by TeamCare to Customer of the ongoing existence and occurrence of attempted but unsuccessful Security Incidents of which no additional notice to Customer shall be required. Unsuccessful Security Incidents shall include, but not be limited to, pings and other broadcast attacks on TeamCare's firewall, port scans, unsuccessful log-on attempts, denials of service and any combination of the above, so long as such incidents do not result in unauthorized access, use or disclosure of Customer's electronic PHI.
• Any Breach of Unsecured PHI, as defined in 45 CFR § 164.402. Following the initial notification of any such Breach of Unsecured PHI, TeamCare shall provide, within a reasonable period of time, but not later than 30 business days after providing the initial notice, a written report to Customer that includes, to the extent possible: [a] a brief description of what happened, including the date of occurrence and the date of the discovery by TeamCare; [b] a description of the PHI affected, including the names of any Individuals whose PHI has been or is reasonably believed to have been accessed, acquired or disclosed and the types of PHI involved (such as full name, social security number, date of birth, home address, account numbers, etc.); and [c] a brief description of what TeamCare has done to investigate the Breach of Unsecured PHI, to mitigate harm to Individuals, and to protect against any further Breaches of Unsecured PHI. TeamCare also shall provide to Customer any other available information Customer is required to include in its notification to the affected Individual(s).

e. TeamCare agrees to enter into a business associate agreement with any Subcontractor to whom it provides PHI, or that creates, accesses, receives, maintains or transmits PHI on behalf of TeamCare, which agreement shall obligate Subcontractor to comply with the same restrictions and conditions as those that apply to TeamCare with respect to such PHI.

f. TeamCare shall make its internal policies, procedures and records relating to the use and disclosure of PHI reasonably available to the Secretary, upon request, for purposes of assessing TeamCare's or Customer's compliance with HIPAA.

g. It is not anticipated that TeamCare will maintain a Designated Record Set on behalf of Customer; however, if TeamCare maintains a Designated Record Set on behalf of Customer, TeamCare agrees to, at Customer's written request: (i) provide access to such PHI in order to assist Customer in meeting its obligations under the Privacy Rule, and (ii) make any amendment(s) to such PHI as Customer so directs.

h. TeamCare agrees to make available to Customer information required to provide an accounting of disclosures of PHI made by TeamCare as necessary for Customer to satisfy its obligations under HIPAA; provided, however, that Customer shall be solely responsible for tracking and providing Individuals an accounting of disclosures of PHI made by Customer to TeamCare in connection with the Services.

i. TeamCare may use and disclose PHI for TeamCare's proper management and administration or to carry out TeamCare's legal responsibilities, provided that any disclosure is Required by Law or: (i) TeamCare obtains reasonable assurances from any person to whom PHI is disclosed that the PHI will be held confidentially and used or further disclosed only as Required by Law or for the purpose for which the PHI was disclosed to the person; and (ii) the person notifies TeamCare of any instances of which it is aware in which the confidentiality of the PHI has been breached.

j. TeamCare may use and disclose PHI to provide Data Aggregation services relating to the Health Care Operations of Customer.

k. TeamCare may disclose PHI to other business associates of Customer.

l. TeamCare may, at its option:

• Deidentify PHI in accordance with the requirements of the Privacy Rule and maintain such deidentified information indefinitely; provided that all identifiers are destroyed or returned in accordance with this Agreement.
• Create a Limited Data Set for the purpose of performing its obligations pursuant to the Underlying Agreement, provided that TeamCare:
  • Does not use or further disclose PHI contained in the Limited Data Set except as necessary to perform its obligations pursuant to the Underlying Agreement or as provided for in this Agreement or otherwise Required By Law;
  • Uses appropriate safeguards to prevent the use or disclosure of PHI contained in the Limited Data Set other than as provided for by this Agreement;
  • Reports to Customer any use or disclosure of PHI contained in the Limited Data Set of which TeamCare becomes aware that is not provided for by this Agreement;
  • Ensures that any agents or subcontractors to whom it provides access to the Limited Data Set agree, in writing, to the same restrictions and conditions that apply to TeamCare under this Agreement; and
  • Does not reidentify PHI or contact the Individuals whose information is contained within the Limited Data Set.

m. It is not anticipated that TeamCare will carry out any of Customer's obligations under the Privacy Rule; however, in such event, TeamCare agrees to comply with the requirements of the Privacy Rule that apply to Customer in the performance of such obligation.

a. Customer shall not request TeamCare to use or disclose PHI in any manner that would not be permissible under HIPAA if done by Customer, except for the specific uses and disclosures set forth in sections 2(j) and 2(k) above. Customer shall exercise best efforts to ensure that Customer does not transmit PHI to TeamCare in an unsecure manner (e.g., unencrypted email).

b. Customer shall not provide TeamCare with more PHI than that which is minimally necessary for TeamCare to perform Services and, where possible, Customer shall provide any PHI needed by TeamCare to perform the Services in the form of a Limited Data Set, in accordance with HIPAA. Customer shall exercise best efforts to clearly and conspicuously designate all PHI as such before providing it to TeamCare.

c. Customer shall notify TeamCare of: (i) limitation(s) in its Notice of Privacy Practices, to the extent such limitation affects TeamCare's permitted uses and disclosures; (ii) changes in, or revocation of, permission by an Individual to use or disclose PHI, to the extent such restriction affects TeamCare's permitted uses or disclosures of PHI; or (iii) restriction(s) in the use or disclosure of PHI to which Customer has agreed to the extent such restriction affects TeamCare's permitted uses or disclosures of PHI.

d. Customer acknowledges and agrees that this Agreement does not require TeamCare to make any disclosure for which an accounting would be required under the HIPAA Regulations. Customer further agrees that it shall be solely responsible for tracking and providing Individuals an accounting of any disclosures made by Customer to TeamCare.

e. Customer acknowledges and agrees that the provisions of section 2(l)(ii) of this Agreement shall constitute a Data Use Agreement between the parties.

f. Customer shall report to TeamCare, within 10 business days of discovery, any use or disclosure of PHI not permitted by this Agreement related to TeamCare's Services.

a. Term. This Agreement shall be effective as of the date first written above, and shall terminate when all PHI is destroyed or returned to Customer. If TeamCare determines, in accordance with section 4(c)(ii) below, that it is infeasible to return or destroy PHI, TeamCare shall continue to protect the PHI as required under this Agreement until TeamCare returns or destroys such PHI.

b. Termination. Upon a party's knowledge of a material breach of this Agreement by the other party, the nonbreaching party shall either:

• Provide an opportunity for the breaching party to cure the breach or end the violation and terminate this Agreement if the breaching party does not cure the breach or end the violation within the time specified by the nonbreaching party; or
• Immediately terminate this Agreement if the breaching party has breached a material term of this Agreement and cure is not possible.

c. Effect of Termination.

• Except as otherwise provided in section 4(c)(ii) below, upon termination of this Agreement for any reason, TeamCare shall return or destroy all PHI.
• If TeamCare determines that returning or destroying any or all PHI is infeasible, the protections of this Agreement shall continue to apply to such PHI, and TeamCare shall limit further uses and disclosures of PHI to those purposes that make the return or destruction infeasible, for so long as TeamCare maintains such PHI. Customer acknowledges and agrees that infeasibility includes TeamCare's need to retain PHI in connection with its records retention policies.

a. Regulatory References. A reference in this Agreement to a section in HIPAA means the section as in effect or as amended, and for which compliance is required.

b. Amendment. Upon the effective date of any final regulation or amendment to HIPAA, this Agreement shall be deemed automatically amended so that the obligations it imposes on the parties remain in compliance with such regulations. Following amendment of the Agreement in this manner, the parties shall, as necessary, work together to clarify their respective obligations with respect to any new requirements under the modified HIPAA.

c. Independent Contractors. TeamCare and Customer are independent contractors and this Agreement will not establish any relationship of partnership, joint venture, employment, franchise or agency between TeamCare and Customer. Neither TeamCare nor Customer will have the power to bind the other or incur obligations on the other party's behalf without the other party's prior written consent, except as otherwise expressly provided in this Agreement.

d. Conflicts. Any provision of the customer agreement or any other agreement between the parties that is directly contradictory to one or more terms of this Agreement ("Contradictory Term") shall be superseded by the terms of this Agreement only to the extent of the contradiction, only for the purpose of the parties' compliance with HIPAA and only to the extent that it is reasonably impossible to comply with both the Contradictory Term and the terms of this Agreement.

e. Counterparts. This Agreement may be executed in two or more counterparts, each of which shall be an original, but all of which taken together shall constitute one and the same agreement. Scanned and emailed copies of signatures shall constitute acceptable, binding signatures for purposes of this Agreement.

f. Entire Agreement. This Agreement shall constitute the entire agreement of the parties hereto with respect to the subject matter hereof and supersedes all prior agreements, oral or written, and all other communications between the parties hereto relating to such subject matter.