BUSINESS ASSOCIATE AGREEMENT
Business Associate Agreement
(This “BA Agreement”) is by and between ZenChip PRIME Corp. (“ZenChip PRIME Corp.”) A Registered Florida Corporation, Apex NFT Card Services, LLC. and Customer, each individually a “Party” and together the “Parties.” This BA Agreement shall apply and become effective only to the extent, and as of the date that ZenChip PRIME Corp. acts as a Business Associate, as defined by HIPAA, to Customer (“Effective Date”). This BA Agreement forms part of the commercial agreement (the “Agreement”) between ZenChip PRIME Corp. and Customer.
The purpose of this BA Agreement is to comply with the requirements of the Health Insurance Portability and Accountability Act of 1996 and the associated regulations, 45 C.F.R. parts 160-164, as may be amended (including the “Privacy Rule” and the “Security Rule”) (“HIPAA”) and the Health Information Technology for Economic and Clinical Health Act and the associated regulations, as may be amended (“HITECH”). “HIPAA” and “HITECH” are hereafter collectively referred to in this BA Agreement as “HIPAA.” Unless otherwise defined in this BA Agreement, capitalized terms have the meanings given in HIPAA.
The Parties agree as follows:
Section 1. Permitted Uses and Disclosures.
ZenChip PRIME Corp. may use and/or disclose PHI only as permitted or required by this BA Agreement or as otherwise Required by Law. ZenChip PRIME Corp. may disclose PHI to, and permit the use of PHI by, its employees, contractors, agents, or other representatives to the extent directly related to and necessary for the performance of the Services. Customers will upload no more than the minimum PHI necessary for ZenChip PRIME Corp. to perform the Services. As applicable, ZenChip PRIME Corp. will request, use, and disclose only PHI that constitutes a Limited Data Set, if practicable, and will otherwise limit its use, request, or disclosure (if any), of PHI to the minimum necessary for the intended purpose of the request, use or disclosure. ZenChip PRIME Corp. will not use or disclose PHI in a manner that would violate HIPAA if disclosed or used in such a manner by Customer. ZenChip PRIME Corp. will comply with the
Privacy Rule requirements applicable to Customer if and to the extent ZenChip PRIME Corp.’s performance of the Services involves carrying out Customer’s Privacy Rule obligations.
Section 2. Safeguards for the Protection of PHI. ZenChip PRIME Corp. will implement and maintain appropriate administrative, physical, and technical security safeguards to ensure that PHI obtained by or on behalf of Customer is not used or disclosed by ZenChip PRIME Corp. in violation of this BA Agreement. Such safeguards will be designed to protect the confidentiality and integrity of such PHI obtained, accessed, created, maintained, or transmitted from or on behalf of Customer. ZenChip PRIME Corp. will comply with the applicable requirements of the Security Rule.
Section 3. Reporting and Mitigating the Effect of Unauthorized Uses and Disclosures.
ZenChip PRIME Corp. will promptly report to the Customer, upon discovery, any Security Incident or Breach (as defined below) by it or any of its employees, directors, officers, agents, subcontractors, or representatives concerning the use or disclosure of PHI. For purposes of this BA Agreement, “Breach” means any acquisition, access, use or disclosure of PHI under this BA Agreement that is (a) in violation of the Privacy Rule or (b) not permitted under this BA Agreement. ZenChip PRIME Corp. will be deemed to have discovered a Breach as of the first day on which the Breach is, or should reasonably have been, known to (a) ZenChip PRIME Corp. or (b) any employee, officer, or other agent of ZenChip PRIME Corp. other than the individual committing the Breach. ZenChip PRIME Corp. further will investigate the Breach and promptly provide to Customer information Customer may require to make notifications of the Breach to Individuals and/or other persons or entities (“Notifications”). ZenChip PRIME Corp. will the Customer with Customer in addressing the Breach. Notice is hereby deemed given for attempted but Unsuccessful Security Incidents and no further notice of such Unsuccessful Security Incidents will be given. “Unsuccessful Security Incidents” include but are not limited to firewall pings and other broadcast attacks, port scans, unsuccessful log-on attempts, denial-of-service attacks, and any combination of the foregoing that do not result in unauthorized access, acquisition, use, or disclosure of PHI.
Section 4. Use and Disclosure of PHI by Subcontractors, Agents, and Representatives. ZenChip PRIME Corp. will require any subcontractor, agent, or other representative that is authorized to receive, use, maintain, transmit, or have access to PHI obtained or created under the BA Agreement, to agree, in writing, to: (1) adhere to the same restrictions, conditions and requirements regarding the use and/or disclosure of PHI and safeguarding of PHI that apply to ZenChip PRIME Corp. under this BA Agreement; and (2) comply with the applicable requirements of the Security Rule.
ZenChip PRIME Corp. will comply with the following individual rights requirements as applicable to PHI used or maintained by ZenChip PRIME Corp.:
Right of Access
ZenChip PRIME Corp. agrees to provide access to PHI, at the request of the Customer, as necessary to satisfy the Customer’s obligations with regard to the individual access requirements under HIPAA.
5.1 ZenChip PRIME Corp. agrees to provide access to PHI, at the request of the Customer, as necessary to satisfy the Customer’s obligations with regard to the individual access requirements under HIPAA.
Right of Amendment
ZenChip PRIME Corp. agrees to make any amendment(s) to PHI as directed by the Customer to meet the amendment requirements under HIPAA. 5.3 Right to Accounting of Disclosures. ZenChip PRIME Corp. agrees to document any disclosures of PHI as would be required for Customer to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with HIPAA, and to provide all such documentation to Customer or to an Individual, as necessary to satisfy Customer’s obligations with regard to an Individual’s right to an accounting of disclosures. ZenChip PRIME Corp. will otherwise comply with its obligations regarding an Individual’s right to an accounting of disclosures under HIPAA.
Section 6. Use and Disclosure for ZenChip PRIME Corp.’s Purposes.
6.1 Use. Except as otherwise limited in this BA Agreement, ZenChip PRIME Corp. may use PHI for the proper management and administration of ZenChip PRIME Corp. or to carry out the legal responsibilities of ZenChip PRIME Corp.
6.2 Disclosure. Except as otherwise limited in this BA Agreement, ZenChip PRIME Corp. may disclose PHI for the proper management and administration of ZenChip PRIME Corp. or to carry out the legal responsibilities of ZenChip PRIME Corp., provided the disclosures are Required by Law, or ZenChip PRIME Corp. obtains reasonable assurances from the person to whom the PHI is disclosed that the PHI will remain confidential and be used or further disclosed only as Required by Law or for the purpose for which it was disclosed to the person, and the person notifies ZenChip PRIME Corp. immediately upon discovery of any instances in which the confidentiality of the PHI has been Breached, as defined and described in Section 3 of this BA Agreement.
Access to Records.
Section 7. ZenChip PRIME Corp. will make its internal practices, books, records, and policies and procedures relating to the use and disclosure of PHI received from or created or received by ZenChip PRIME Corp. on behalf of Customer available to the federal Department of Health and Human Services (“HHS”), the Office for Civil Rights (“OCR”), or their agents for purposes of monitoring compliance with HIPAA.
Term and Termination
This BA Agreement will become effective on the Effective Date. Unless terminated sooner pursuant to Section 8.2, this BA Agreement will remain in effect for the duration of all Services provided by ZenChip PRIME Corp. and for so long as ZenChip PRIME Corp. will remain in possession of any PHI received from Customer or created or received by ZenChip PRIME Corp. on behalf of Customer.
In the event of a material breach of this BA Agreement, the non-breaching Party may immediately terminate this BA Agreement. Alternatively, in the non-breaching Party’s sole discretion, the non-breaching Party may provide the breaching Party with written notice of the existence of the material breach and afford the breaching party thirty (30) days to cure the material breach. In the event the breaching Party fails to cure the material breach within such time period, the non-breaching Party may immediately terminate this BA Agreement.
8.3 Effect of Termination.
Upon termination of this BA Agreement, ZenChip PRIME Corp. will recover any PHI relating to this BA Agreement in the possession of its subcontractors, agents, or representatives. ZenChip PRIME Corp. will return to Customer or destroy all such PHI plus all other PHI relating to this BA Agreement in its possession and will retain no copies. If ZenChip PRIME Corp. cannot feasibly return or destroy the PHI, ZenChip PRIME Corp. will ensure that any and all protections, requirements and restrictions contained in this BA Agreement will be extended to any PHI retained after the termination of this BA Agreement, and that any further uses and/or disclosures will be limited to the purposes that make the return or destruction of the PHI infeasible. Customer understands and agrees that ZenChip PRIME Corp.’s operations generally make it infeasible to return or destroy PHI upon termination of this BA Agreement, unless Customer specifically directs ZenChip PRIME Corp. to return or destroy the PHI.
Each Party will create an escalation process and provide a written copy to the other Party within five (5) business days of any dispute arising out of or relating to this BA Agreement. The escalation process will be used to address disputed issues related to the performance of this BA Agreement. The Parties agree to communicate regularly about any open issues or process problems that require prompt and accurate resolution as set forth in their respective escalation process documentation. The Parties will attempt in good faith to resolve any dispute arising out of or relating to this BA Agreement, before and as a prior condition for commencing legal proceedings of any kind, first as set forth above in the escalation process and next by negotiation between executives who have authority to settle the controversy and who at a higher level of management than the persons with direct responsibility for administration of this BA Agreement.
Any Party may give the other Party written notice of any dispute not resolved in the normal course of business. Within five (5) business days after delivery of the notice, the receiving Party shall submit to the other a written response. The notice and the response will include (a) a statement of each Party’s position and a summary of arguments supporting that position and (b) the name and title of the executive who will represent that Party and of any other person who will accompany the executive. Within fifteen (15) business days after delivery of the disputing Party’s notice, the executives of both Parties shall meet at a mutually acceptable time and place, including telephonically, and thereafter as often as they reasonably deem necessary, to attempt to resolve the dispute. All reasonable requests for information made by one Party to the other will be honored. All negotiations pursuant to this section are confidential and compromise and settlement negotiations for purposes of applicable rules of evidence.
10.1 Indemnity and Limitation of Liability.
The indemnity and limitation of liability provisions in the Agreement apply to liability arising under this BA Agreement.
10.2 Survival. The respective rights and obligations of the Parties under Sections 7 (Access to Records), 8.3 (Effect of Termination), 9 (Dispute Resolution) and 10 (Miscellaneous) will survive termination of this BA Agreement indefinitely.
10.3 Amendments. This BA Agreement constitutes the entire agreement between the Parties with respect to its subject matter. It may not be modified, nor will any provision be waived or amended, except in a writing duly signed by authorized representatives of the Parties. The Parties agree to amend this BA Agreement from time to time as necessary for the Parties to comply with their respective obligations under HIPAA.
A waiver with respect to one event will not be construed as continuing, or as a bar to or waiver of any right or remedy as to subsequent events.
10.5 Compliance with HIPAA.
Any ambiguity in this BA Agreement will be resolved in favor of a meaning that permits the Parties to comply with their respective obligations under HIPAA.
10.6 No Third Party Beneficiaries.
Nothing express or implied in this BA Agreement is intended to confer, nor will anything herein confer, upon any person other than the Parties and their respective successors and permitted assigns, any rights, remedies, obligations, or liabilities whatsoever.
All required reports or notices to Customer under this Agreement will be made by ZenChip PRIME Corp. via either a general notice on ZenChip PRIME Corp.’s website or web application, an individualized notice to Customer on the ZenChip PRIME Corp. web application, or electronic mail to Customer’s e-mail address on record in Customer’s account. Such notice will be deemed to have been given upon the expiration of forty-eight (48) hours after posting or twelve (12) hours after sending by email. Customer will send required notices to ZenChip PRIME Corp. via email addressed to firstname.lastname@example.org
If any of the terms of this BA Agreement conflict with or are inconsistent with the terms of the Agreement, the terms of this BA Agreement will prevail.