EXHIBIT A

HIPAA BUSINESS ASSOCIATE AGREEMENT

For the purposes of this Business Associate Agreement (“BAA”), Licensee is “Covered Entity” and Modus is “Business Associate.”

1. All terms used, but not otherwise defined in this BAA, shall have the same meaning as those terms in the HIPAA Rules, as defined below. A reference in this BAA to a section in the HIPAA Rules means the section as then in effect as amended from time to time.
2. “Breach Notification Rule” means the regulations at 45 CFR §164.400 et. seq.
3. “Enforcement Rule” means the regulations at 45 C.F.R. §160, subparts C, D and E.
4. “HIPAA Rules” means the Privacy, Security, Breach Notification and Enforcement Rules at 45 CFR parts 160 and 164, which implement certain provisions of the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, as amended, and the HITECH Act.
5. “HITECH Act” means the Health Information Technology For Economic and Clinical Heath Act found at Division A, Title XIII – Health Information Technology, and Division B, Title IV of the American Recovery and Reinvestment Act of 2009.
6. “Privacy Rule” means the regulations at 45 CFR parts 160 and 164, subparts A and E.
7. “Protected Health Information” or “PHI” refers to individually identifiable health information, and shall have the same meaning as the term “protected health information” in 45 CFR §164.501, limited to the information created or received by Business Associate from or on behalf of Covered Entity. All references to PHI include electronic PHI.
8. “Secretary” means the Secretary of the Department of Health and Human Services or his/her designee.
9. “Security Rule” means the regulations at 45 CFR Parts 160 and 164, subpart A and C.

1. Business Associate performs services for Covered Entity pursuant to an underlying services agreement to which this BAA is attached (the “Agreement”).  Business Associate agrees to not Use or Disclose PHI other than as permitted or required:  (i) to perform services for the Covered Entity, (ii) by this BAA, or (iii) as Required by Law.
2. Business Associate agrees to use appropriate safeguards, and comply with the standards of the Security Rule set forth at 45 CFR 164 subpart C with respect to electronic Protected Health Information to prevent the Use or Disclosure of PHI other than as provided for by this BAA.
3. Business Associate agrees to report to Covered Entity within a reasonable time any Use or Disclosure of PHI of which it becomes aware that is not provided for by this BAA, including any Security Incident of which it becomes aware.
4. Business Associate agrees to ensure that any subcontractors that create, receive, maintain or transmit PHI, including electronic PHI, on behalf of the Business Associate to perform services delegated to it that the Business Associate has agreed to perform for or on behalf of Covered Entity also agree to the same restrictions and conditions that apply through this BAA to Business Associate with respect to such PHI by entering into a written contract that complies with 45 CFR §164.314 and 45 CFR §164.504.
5. Business Associate agrees that, at the reasonable request of Covered Entity and in a mutually acceptable time and manner, it will provide access to PHI in a Designated Record Set, if any, maintained by Business Associate to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements under 45 CFR § 164.524.
6. At the direction of Covered Entity, and in a mutually acceptable time and manner, Business Associate will make any amendment(s) to PHI in a Designated Record Set maintained by Business Associate that the Covered Entity has agreed to pursuant to 45 CFR § 164.526.
7. Business Associate agrees to make internal practices, books, and records, including policies and procedures relating to the use and disclosure of PHI available to the Secretary for purposes of the Secretary determining compliance with the HIPAA Rules.
8. Business Associate agrees to document Disclosures of PHI and information related to such Disclosures, and to make such documentation and information available to Covered Entity as would be necessary for Covered Entity to respond to a request by an Individual for an accounting of Disclosures of PHI in accordance with 45 CFR 164.528, or an accounting of Disclosures made through an electronic health record in accordance with the HITECH Act, § 13405(c)(1), 42 U.S.C. §17935(b), if applicable.
9. To the extent that Business Associate carries out any of Covered Entity’s obligations under the Privacy Rule, Business Associate shall comply with the requirements of the Privacy Rule that apply to Covered Entity in the performance of such obligations.

1. Business Associate may Use or Disclose PHI as Required by Law.
2. Business Associate agrees to use reasonable efforts to limit any Use or Disclosure of PHI to the minimum necessary to accomplish the intended purpose of the Use or Disclosure consistent with the provisions of the HIPAA Rules.
3. Business Associate may not Use or Disclose Protected Health Information in a manner that would not be permissible under the Privacy Rule if done by the Covered Entity, except as otherwise provided herein or as set forth below:
4. Business Associate may use Protected Health Information for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate;
5. Business Associate may Disclose Protected Health Information to third parties for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate; provided, however, that in each case the Disclosure is Required by Law, or Business Associate obtains reasonable assurances from such parties that the Protected Health Information Disclosed shall be held confidentially and Used or further Disclosed only as Required by Law or for the purpose for which it was Disclosed to such third party, and the third party agrees to notify the Business Associate of any instance in which it is aware in which the confidentiality of the information has been breached; and
6. Business Associate may provide data aggregation services relating to the Health Care Operations of the Covered Entity.
7. Business Associate may create de-identified health information in accordance with the standards set forth in the HIPAA Rules and may use de-identified health information for any purpose, including after cancellation, termination, expiration, or other conclusion of the underlying Agreement to which this BAA is attached.

1. Covered Entity shall notify Business Associate of any limitation(s) in the Notice of Privacy Practices of Covered Entity in accordance with 45 CFR § 164.520, as well as any changes to such notice, to the extent that such limitation or changes may affect Business Associate’s use or disclosure of PHI.
2. Covered Entity shall notify Business Associate of any changes in, or revocation of, permission by an Individual to Use or Disclose PHI, to the extent that such changes may affect Business Associate’s Use or Disclosure of PHI.
3. Covered Entity shall notify Business Associate of any restriction on the Use or Disclosure of PHI that Covered Entity has agreed to in accordance with 45 CFR § 164.522, to the extent that such restriction may affect Business Associate’s Use or Disclosure of PHI.
4. Covered Entity shall not request that Business Associate Use or Disclose PHI in any manner that would not be permissible under the HIPAA Rules if done by Covered Entity.

Business Associate will report a Breach Known to it to Covered Entity without unreasonable delay and in no case later than 60 calendar days after Discovery. Business Associate shall provide Covered Entity with information in its possession relating to the Breach that Covered Entity would need to provide the required notices, including the results of the Business Associate’s risk assessment. Should Covered Entity determine, pursuant to its own risk assessment, that a Breach had in fact occurred, Covered Entity shall provide any required notices to (i) the Individuals whose PHI was involved in the Breach, (ii) the media and (iii) the Secretary, as required under the Breach Notification Rule.

1. Termination.  This BAA shall terminate when all of the PHI provided by Covered Entity to Business Associate, or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity, or, if it is not feasible to return or destroy PHI, when protections are extended to such information in accordance with the termination provisions in Section 6(c).
2. Termination for Breach of HIPAA Obligations.  Upon Covered Entity’s knowledge of an act or a pattern of activity that constitutes a breach of a material term of this BAA by Business Associate, the Covered Entity may either:  (i) provide an opportunity for the Business Associate to cure the breach or end the violation, and terminate this BAA and the underlying Agreement to which this BAA is attached if the Business Associate does not cure the breach or end the violation within a reasonable period; or (ii) immediately terminate this BAA and the underlying Agreement to which this BAA is attached, if the Business Associate has breached a material term of this BAA and cure is not possible.

1. Except as provided in Sections 6(c)(ii) and 6(c)(iii), upon termination of this BAA for any reason, Business Associate shall return or destroy all PHI received from Covered Entity, or created, received, maintained or transmitted by Business Associate on behalf of Covered Entity, including PHI that is in the possession of subcontractors or agents of Business Associate.  Business Associate shall retain no copies of the PHI.
2. Upon termination of this BAA, Business Associate, with respect to PHI received from Covered Entity, or created, maintained, or received by Business Associate on behalf of Covered Entity shall: (i) retain only that PHI which is necessary for Business Associate to continue its proper management and administration or to carry out its legal responsibilities, (ii) continue to use appropriate safeguards and comply with Subpart C of 45 CFR part 164 with respect to electronic PHI to prevent Use or Disclosure of the PHI, other than as provided for in this BAA for so long as Business Associate retains the PHI, (iii) not Use or Disclose the PHI retained by Business Associate other than for the purposes for which such PHI was retained, and (iv) return or destroy the PHI when it is no longer needed by Business Associate for its proper management and administration or to carry out its legal responsibilities.
3. In the event that Business Associate determines that returning or destroying the PHI is not feasible, (i) Business Associate shall provide to Covered Entity notification of the conditions that make return or destruction not feasible, and (ii) Business Associate shall extend the protections of this BAA to such PHI, and limit further uses and disclosures of such PHI to those purposes that make the return or destruction not feasible, for so long as Business Associate maintains such PHI.
4. The respective rights and obligations of Business Associate under Section (c) of this BAA shall survive the termination of this BAA.