Business Associate Agreement

This Business Associate Agreement (“Agreement”), effective February 16, 2018, is entered into by and among ______(*1)______, a Tennessee company with its principal place of business located at ______(*2)______(“Covered Entity”) and Keylink Innovative Technology a Tennessee Company with its principal place of business located at 535 Shute Ln, Hendersonville, TN 37075 (“Business Associate”).
*2 Address of business(Required)
RECITALS
WHEREAS, Business Associate has been engaged to provide certain services to Covered Entity, and, in connection with those services, Covered Entity may need to disclose to Business Associate, or Business Associate may need to create, receive, maintain or transmit on Covered Entity’s behalf, certain Protected Information (as defined below).

NOW THEREFORE, in consideration of the foregoing, and the mutual promises and covenants contain herein, Business Associate and Covered Entity agree as follows:
AGREEMENT

1. Definitions.

Any prospective amendment to the laws referenced in this definitional section prospectively amend this Agreement to incorporate said changes by Congressional act or by government regulations.

(a) “Designated Record Set” means a group of records maintained by or for Covered Entity that is (i) the financial records and billing records about individuals or companies maintained by or for outside client.

(b) Electronic Personally Identifiable Information (“ePII”) means individually identifiable information that is transmitted by, or maintained in, electronic media. PII and ePII are interchangeable.

(f) “Security Incident” means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.


2. Obligations and Activities of Business Associate.

(a) Specific Uses and Disclosures. Except as otherwise limited in this Agreement, Business Associate may use or disclose PII to perform functions, activities, or services for, or on behalf of, Covered Entity, provided that such use or disclosure would not violate the governmental Regulations if done by Covered Entity.

(b) Other Business Associates. As part of its providing functions, activities, and/or services to Covered Entity, Business Associate may disclose information, including PII, to other business associates of Covered Entity and may use and disclose information, including PII, received from other business associates of Covered Entity as if this information was received from, or originated with, Covered Entity.

(c) Permitted Uses and Disclosures. Business Associate agrees to not use or disclose PII other than as permitted or required by the Agreement or as required by law.

(d) Safeguards for Protection of PII. Business Associate agrees to use appropriate safeguards to prevent the use or disclosure of the PII other than as provided for by this Agreement or as required by law. Business Associate agrees to implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the ePII that it creates, receives, maintains, or transmits on behalf of Covered Entity.

(e) Reporting of Unauthorized Uses or Disclosures and Security Incidents, and Breaches of Unsecured PII.

(1)Business Associate agrees to report to Covered Entity any Breach of Unsecured PII not provided for by this Agreement and any Security Incidents of which it becomes aware without unreasonable delay, but in no case later than 48 hours of such discovery or suspicion. In its notice to Covered Entity, Business Associate shall provide, to the extent possible, the identification of each Individual whose unsecured PII has been, or is reasonably believed by Business Associate to have been, accessed, acquired, used, or disclosed during the Breach of Unsecured PII. Business Associate shall provide any other available information that Covered Entity is required to include in a notification to the Individual at the time of the notice, or promptly thereafter as information becomes available, including, but not limited to: (i) a brief description of what happened, including the date of the Breach and the date of discovery of the Breach; and (ii) a description of the types of Unsecured PII involved in the Breach.
(2)The parties agree that this section satisfies any notices necessary by Business Associate to Covered Entity of the ongoing existence and occurrence of attempted, but Unsuccessful Security Incidents, for which no additional notice shall be required. For purposes of this Agreement, Unsuccessful Security Incident includes activity such as pings and other broadcast attacks on Business Associate’s firewall, port scans, unsuccessful log-on attempts, denials of service and any combination of the above, so long as no such incident results in unauthorized access, use or disclosure of ePII.

(3)Business Associate shall reimburse Covered Entity for all reasonable and necessary out-of-pocket costs incurred by Covered Entity (including without limitation costs associated with providing notices) as a result of a Breach of Unsecured PII or any of use or disclosure of PII in violation of the terms and conditions of this Agreement.

(4)In the event of Business Associate’s use or disclosure of Unsecured PII is in violation of Federal or State law, Business Associate bears the burden of demonstrating that notice as required under this section was made, including evidence demonstrating the necessity of any delay, or that the use or disclosure did not constitute a Breach of Unsecured PII.

(f) Mitigation of Unauthorized Uses or Disclosures. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PII by Business Associate or one of its subcontractors in violation of the requirements of this Agreement.

(g) Subcontractors. Business Associate agrees to ensure that any subcontractor to whom it provides PII received from, or created, received, maintained, or transmitted by Business Associate on behalf of, Covered Entity agrees in writing to the same restrictions, conditions and requirements that apply through this Agreement to Business Associate with respect to such PII.

(h) Authorized Access to PII. To the extent that Business Associate maintains PII in a Designated Record Set and at the request of Covered Entity, Business Associate agrees to provide access to PII in a Designated Record Set to Covered Entity or, as directed by Covered Entity, to an Individual

(i)Amendment of PII. To the extent that Business Associate maintains PII in a Designated Record Set, Business Associate agrees to make any amendment(s) to PII in a Designated Record Set that Covered Entity directs

(j) Right to Audit. Business Associate agrees to make its internal practices, books, and records relating to the use and disclosure of PII received from, or created, received, maintained, or transmitted by Business Associate on behalf of, Covered Entity available to Covered Entity, in a prompt commercially reasonable manner for purposes determining Covered Entity's compliance with the applicable Regulations.

(k) Accounting for Uses and Disclosures. Business Associate agrees to document disclosures of PII and make available information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PII

(k) Accounting for Uses and Disclosures. Business Associate agrees to document disclosures of PII and make available information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PII

(m)Management and Administrative Functions of Business Associate. Except as otherwise limited in this Agreement, Business Associate may use or disclose PII for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate. Business Associate may disclose PII for such purposes provided that
(i) such disclosures are Required By Law, or (ii) Business Associate obtains reasonable assurances from the person to whom the information is disclosed that the information will remain confidential and be used or further disclosed only as required by law or for the purpose for which it was disclosed to the person, and the person notifies Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.

(o)Minimum Necessary. Business Associate agrees to limit its uses and disclosures of, and requests for, PII (a) when practical, to the information making up a Limited Data Set; and (b) in all other cases subject to the legal requirements to the minimum amount of PII necessary to accomplish the intended purpose of the use, disclosure or request.


3.Obligations of Covered Entity.
(a)Notice of Privacy Practices. Covered Entity shall provide Business Associate with its Notice of Privacy Practices, as well as any changes to such notice.

(b)Revocation of Permitted Use or Disclosure of PII. Covered Entity shall provide Business Associate with any changes in, or revocation of, permission by Individual to use or disclose PII, if such changes affect Business Associate's permitted or required uses and disclosures.

(c) Restrictions on Use of Disclosure of PII. Covered Entity shall notify Business Associate of any restriction on the use or disclosure of PII that Covered Entity has agreed to or is required to abide by in accordance with the law, to the extent that such restriction may affect Business Associate’s use or disclosure of PII.

(d)Requested Uses or Disclosures of PII. Except for data aggregation or management and administrative activities of Business Associate, Covered Entity shall not request Business Associate to use or disclose PII in any manner that would not be permissible under the Federal or State Regulations if done by Covered Entity.

4.Term and Termination.
(a) Term. This Agreement shall continue until all of the PII provided by Covered Entity to Business Associate, or created, received, maintained, or transmitted by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity, or, if it is infeasible to return or destroy PII, protections are extended to such information, in accordance with the termination provisions in this Section.

(b) Termination for Cause. Upon Covered Entity’s knowledge of a material breach by Business Associate of any of the terms and/or conditions of this Agreement, Covered Entity may inform Business Associate in writing of such breach and provide Business Associate an opportunity to cure the breach. If Business Associate does not cure the breach within a reasonable time, Covered Entity may terminate this Agreement upon written notice. Such termination is effective on the date that the Business Associate receives the termination notice from Covered Entity that states that Covered Entity wishes to terminate this Agreement under this provision and states the material term of this Agreement the Covered Entity believes has been violated by Business Associate.

(c)Effect of Termination
(1) Any termination and/or expiration of either this Agreement or any other agreements entered into by the parties will not affect the Covered Entity’s obligation to pay for legal services rendered and expenses and charges incurred before termination or expiration, as well as additional services and charges incurred in connection with an orderly transition.

(2)Except as provided in paragraph (3) of this section, upon termination of this Agreement for any reason, Business Associate shall return or destroy all PII received from Covered Entity, or created, received, maintained, or transmitted by Business Associate on behalf of Covered Entity. This provision shall also apply to PII that is in the possession of subcontractors of Business Associate. Business Associate shall retain no copies of the PII.
(3) In the event that Business Associate determines that returning or destroying the PII is infeasible, Business Associate shall provide to Covered Entity notification of the conditions that make return or destruction infeasible. Business Associate shall extend the protections of this Agreement to such PII and limit further uses and disclosures to those purposes that make the return or destruction of the PII infeasible, for so long as Business Associate maintains such PII.

5.Miscellaneous.
(a) Amendment. Business Associate and Covered Entity agree to take such action as is necessary to amend this Agreement from time to time to enable Covered Entity to comply with the requirements of the applicable Regulations. This Agreement may not be modified, nor shall any provision hereof be waived or amended, except in a writing duly signed and agreed to by Business Associate and Covered Entity.

(b)Interpretation. In the event of an inconsistency between the provisions of this Agreement and the mandatory terms of the applicable Regulations, as may be expressly amended from time to time by Federal or State law, a court, or another regulatory agency with authority over Covered Entity and/or Business Associate, the court or such other regulatory agency shall prevail. In the event of a conflict among the interpretations of these entities, the conflict shall be resolved in accordance with rules of precedence. Where provisions of this Agreement are different from those mandated by the applicable Regulations, but are nonetheless permitted by the Rule, the provisions of the Agreement shall control.

(c)Notices. Any notices to be given hereunder shall be given in writing and shall be deemed given (i) upon receipt, if delivered personally or by a nationally recognized overnight courier service; (ii) three (3) business days after mailing when sent by registered or certified mail, return receipt requested, addressed to the address set forth below; and (iii) on the day of transmission, if sent via electronic transmission to the email address below (provided confirmation of transmission is mechanically or electronically generated and kept on file by the sending party). If notice is sent by registered or certified mail, postage will be prepaid.


If to Covered Entity:
{Business Name}
{Business Address}
{Business Contact}
If to Business Associate:Keylink Innovative Technology
535 Shute Ln
Hendersonville, TN 37075
Attention: Allen McGhan

(e) Subpoenas. In the event that Business Associate receives a subpoena or similar notice or request from any judicial, administrative or other party arising out of or in connection with this Agreement, including, but not limited to, any unauthorized use or disclosure of PII or any failure in Business Associates’ security measures, Business Associate shall promptly forward a copy of such subpoena, notice or request to Covered Entity and afford Covered Entity the opportunity to exercise any rights it may have under law.

(f) Survival. The respective rights and obligations of Business Associate under Section 4(c) of this Agreement (Effect of Termination) shall survive the termination of this Agreement.

(g)Governing Law. This Agreement shall be governed by and construed in accordance with the laws of the State of Tennessee to the extent that the provisions of Federal Regulations do not preempt the laws of the State of Tennessee.

(h) Enforcement. If legal action is instituted to enforce the terms and conditions of this Agreement, the prevailing party will be awarded reasonable attorneys’ fees at all trial and appellate levels, expenses and costs. Covered Entity and Business Associate acknowledge and agree that either party’s remedy at law for a breach or threatened breach of any of the provisions of this Agreement would be inadequate and such breach or threatened breach shall be per se deemed as causing irreparable harm to such party. Therefore, in the event of such breach or threatened breach, the parties hereto agree that, in addition to any available remedy at law, including but not limited to monetary damages, an aggrieved party, without posting any bond, shall be entitled to seek equitable relief in the form of specific enforcement, temporary restraining order, temporary or permanent injunction, or any other equitable remedy that may then be available to the aggrieved party.

(i) Exclusive jurisdiction and venue for any such action will be in the courts of St. Lucie County, Florida. The parties hereto hereby irrevocably waive, to the fullest extent permitted by law, any objection that any of them may now or hereafter have to the laying of jurisdiction or venue of any suit, action or proceeding arising out of or relating to this Agreement or any judgment entered by any court in respect thereof brought in St. Lucie County, Florida, and hereby further irrevocably waive any claim that any suit, action or proceeding brought in St. Lucie County, Florida, has been brought in an inconvenient forum.



(i) Successor and Assigns. This Agreement shall be binding upon and shall inure to the benefit of the parties hereto and their respective successors and assigns.

(j) Assignment. The rights and obligations granted hereunder to the parties are personal to the parties and shall not, without the prior consent of the other party, be assigned, mortgaged, sublicensed, or otherwise transferred or encumbered by either party or by operation of law; provided, however, that Comfort Medical may assign all of its rights and obligations hereunder to (i) an entity owned by or having common ownership with Comfort Medical without Business Associate’s prior written consent, or (ii) upon the sale of all or substantially all of the assets of Comfort Medical or its ultimate corporate parent.

(k) Force Majeure. Neither party will be in default hereunder by reason of any failure or delay in the performance of any obligation under this Agreement where the failure or delay arises out of any cause beyond the reasonable control and without the fault or negligence of such party. These causes will include, without limitation, storms, floods, other acts of nature, fires, explosions, riots, pandemic outbreak, war or civil disturbance, terrorist act, strikes or other labor unrests, embargoes, and other governmental actions or regulations that would prohibit either party from performing any of its obligations hereunder.

(1) Waiver. The failure of either party hereto at any time to demand strict performance by the other of any of the terms, covenants or conditions set forth herein shall not be construed as a continuing waiver or relinquishment of any of its rights, and each party may at any time demand strict and complete performance by the other of all of the terms, covenants and conditions of this Agreement.

(m) Partial Invalidity. If any term, provision, covenant, or condition of this Agreement is found to be invalid, void or unenforceable, the remainder of the provisions shall remain in full force and effect and shall in no way be affected, impaired, or invalidated, and the parties shall negotiate in good faith to substitute for the void or unenforceable provision a valid and enforceable replacement which shall secure, so far as possible, the same commercial effect as the original.

(n) Headings. The headings in this Agreement are for convenient reference only. They shall not apply to govern, limit, modify or construe this Agreement or otherwise be given any legal effect.

(o) No Third-Party Beneficiaries. No person shall be deemed to possess any third-party beneficiary right pursuant to this Agreement. It is the intent of the parties hereto that no direct benefit to any third party is intended or implied by the execution of this Agreement.


(p) Counterparts; Facsimile Signatures. This Agreement may be executed in one or more counterparts for the convenience of the parties, all of which together shall constitute one and the same instrument. Delivery of a counterpart hereof via facsimile transmission shall be as effective as delivery of a manually executed counterpart hereof.

(q) Prior Agreements Superseded. This Agreement supersedes any and all previous business associate agreements between Covered Entity and Business Associate. All of such previous agreement shall be of no further force and effect after the execution and delivery of this Agreement by Covered Entity and Business Associate.
IN WITNESS WHEREOF, each of the undersigned has caused this Agreement to be duly executed in its name and on its behalf.

BUSINESS ASSOCIATE
Keylink Innovative Technology
By:(Required)
MM slash DD slash YYYY

COVERED ENTITY
Client
By:(Required)
MM slash DD slash YYYY

© 2022 Keylink Innovative Technology. All rights reserved.

Click Me