Business Associate Agreement
(Incorporated by Reference into W3LL Terms of Service)
This Business Associate Agreement (“BAA”) is incorporated by reference into, and forms part of, the W3LL Broker Agency Cloud Terms of Service (the “Terms”). This BAA becomes effective upon User’s acceptance of the Terms. Capitalized terms not otherwise defined herein have the meanings set forth in the Terms or under HIPAA, as applicable.
- Relationship of the Parties
Welltheos LLC, doing business as W3LL (“W3LL”), and the individual or entity accepting the Terms (“User”) may each provide services to health plans, employers, agencies, or other entities in the healthcare industry that qualify as Covered Entities.
In connection with the Services provided under the Terms, either party may create, receive, maintain, or transmit Protected Health Information (“PHI”) on behalf of the other or on behalf of a Covered Entity and may therefore be deemed a “business associate” or “subcontractor business associate” under the Health Insurance Portability and Accountability Act of 1996, as amended, including the HITECH Act, and its implementing regulations at 45 C.F.R. Parts 160 and 164 (collectively, “HIPAA”).
Accordingly, to the extent either party acts as a business associate or subcontractor business associate of the other in connection with Services involving PHI, such party agrees to the obligations set forth in this BAA. References to “Business Associate” mean the party performing or receiving Services involving PHI, as applicable in context.
- Definitions
- “Breach” has the meaning set forth in 45 C.F.R. § 164.402.
- “Disclosure” means the release, transfer, provision of access to, or divulgence of PHI outside a Business Associate’s internal operations.
- “Electronic PHI” means PHI that is created, received, maintained, or transmitted in electronic media as defined by HIPAA.
- “PHI” means protected health information as defined at 45 C.F.R. § 160.103.
- “Services” means the services provided pursuant to the Terms or any applicable Order Form.
- “Unsecured PHI” means unsecured protected health information as defined in 45 C.F.R. § 164.402.
Terms not otherwise defined in this BAA have the meanings given to them under HIPAA.
- HIPAA Compliance
Each Business Associate shall comply with the HIPAA Privacy Rule and Security Rule to the extent applicable to it in its capacity as a business associate or subcontractor business associate.
- Permitted Uses and Disclosures
A Business Associate may use and disclose PHI solely as necessary to perform the Services and only in a manner that would be permissible under HIPAA if performed by the other party or a Covered Entity.
Each Business Associate shall:
- limit PHI to the minimum amount necessary to perform or receive the Services;
- implement appropriate administrative, physical, and technical safeguards;
- report any Breach of Unsecured PHI or unauthorized use or disclosure without unreasonable delay and in accordance with 45 C.F.R. § 164.410;
- mitigate harmful effects of unauthorized uses or disclosures; and
- ensure its subcontractors agree in writing to protections substantially similar to this BAA.
- Government Access
To the extent required by HIPAA, a Business Associate shall make relevant practices, books, and records available to the Secretary for compliance review. Furthermore, User shall provide the same level of access to such practices, books, and records to W3LL.
- Covered Entity Obligations
If a Business Associate performs any Covered Entity obligation under the Privacy Rule on behalf of the other party, it shall comply with the HIPAA requirements applicable to such performance.
- Geographic Restrictions
A Business Associate shall not permit PHI to be accessed, used, or disclosed by persons located outside the United States.
- Return or Destruction of PHI
Upon termination of the Services or User’s account under the Terms, PHI shall be returned or destroyed if feasible. If infeasible, protections under this BAA shall continue and use shall be limited to purposes making return or destruction infeasible. This section survives termination of the Terms and this BAA.
- Business Associate Operations
A Business Associate may use or disclose PHI for its own management and administration or legal responsibilities where required by law or where permitted by law, provided the recipient provides reasonable confidentiality assurances and breach notification obligations.
- Indemnification by User
User shall defend, indemnify, and hold harmless W3LL and its affiliates, officers, members, managers, employees, and agents from any third-party claims, damages, fines, penalties, costs, or expenses (including reasonable attorneys’ fees) arising out of or relating to:
(a) User’s breach of this BAA or HIPAA;
(b) any PHI or PII breach caused by User or its subcontractors; or
(c) User’s failure to maintain required safeguards,
except to the extent caused by W3LL’s material breach.
This section supplements and does not limit User’s indemnification obligations under Section 21 of the Terms.
- Insurance
User shall maintain, at its own expense, during the term of the Services and for one (1) year thereafter:
- Commercial General Liability insurance of at least $1,000,000 per occurrence; and
- Cyber/Privacy Liability insurance of at least $1,000,000 per claim.
Failure to maintain such insurance constitutes a material breach of the Terms and this BAA. User shall provide valid certificates of insurance evidencing such coverages to W3LL upon request.
- Audit and Compliance Verification
Consistent with Sections 8, 10, and 22 of the Terms, W3LL may, upon reasonable notice and no more than annually (unless required by law or following a confirmed Breach), audit User’s compliance with this BAA as it relates to PHI handled through the Platform. Audits shall be scope-limited, non-disruptive, and subject to confidentiality. User may satisfy this obligation via a recent third-party audit or attestation acceptable to W3LL, at W3LL’s discretion.
- HIPAA Supremacy
In the event of any conflict between this BAA and the Terms, the Privacy Policy, or any Order Form, HIPAA shall control solely with respect to the use and disclosure of PHI.
Except as required by HIPAA, the Terms (including liability limitations, indemnification structure, audit authority, suspension rights, and remedies) govern and control.
- Limitation of Liability
Except as expressly prohibited by law, the limitations of liability set forth in Section 20 of the Terms (including the $100 aggregate liability cap) apply to this BAA and all claims arising out of or relating to PHI, HIPAA compliance, or this BAA.
- Governing Law
This BAA is governed by and construed in accordance with the laws of the State of New York, consistent with Section 26 of the Terms, without regard to conflicts-of-law principles.