HIPAA Business Associate
Agreement

Recitals

This Business Associate Agreement ("Agreement") is entered into between the entity identified as "Covered Entity" (defined below) and [KNOXCALL LEGAL ENTITY NAME] ("Business Associate"), collectively the "Parties."

Covered Entity is a covered entity as defined under the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations (collectively, "HIPAA"). In connection with certain services Business Associate provides to Covered Entity, Business Associate may create, receive, maintain, or transmit Protected Health Information on behalf of Covered Entity. This Agreement sets forth the terms and conditions under which Business Associate may use or disclose such information and governs the rights and obligations of both Parties with respect to HIPAA compliance.

Business Associate is a company carrying on business in New Zealand and is subject to the New Zealand Privacy Act 2020 (No 31) ("NZ Privacy Act") and, in respect of health information, the Health Information Privacy Code 2020 ("HIPC 2020") issued under section 202 of the NZ Privacy Act. Because PHI constitutes health information as defined in the HIPC 2020, disclosures of PHI from Business Associate to or through Covered Entity's systems in the United States are governed by both Information Privacy Principle 12(1)(f) of the NZ Privacy Act and Rule 12(1)(f) of the HIPC 2020 (each providing that cross-border disclosure is permitted where the recipient is required by agreement to protect the information in a manner that, overall, provides comparable safeguards to those required under the NZ Privacy Act and HIPC 2020 respectively). Covered Entity acknowledges and agrees to protect personal information received from Business Associate in a manner consistent with the Information Privacy Principles set out in Schedule 1 of the NZ Privacy Act and the Rules of the HIPC 2020, thereby satisfying both grounds for lawful cross-border disclosure.

Section 1

Definitions

Capitalized terms not otherwise defined in this Agreement shall have the meanings ascribed to them under HIPAA, as amended by the Health Information Technology for Economic and Clinical Health Act ("HITECH Act"). Key terms include:

1. "Breach" means the acquisition, access, use, or disclosure of Protected Health Information in a manner not permitted under the HIPAA Privacy Rule that compromises the security or privacy of the Protected Health Information, as defined in 45 C.F.R. § 164.402.
2. "Business Associate" means [KNOXCALL LEGAL ENTITY NAME], a company that performs services for or on behalf of a Covered Entity that involve the creation, receipt, maintenance, or transmission of Protected Health Information.
3. "Covered Entity" means the health plan, health care clearinghouse, or health care provider who transmits any health information in electronic form in connection with a covered transaction, as defined in 45 C.F.R. § 160.103, that is a party to this Agreement.
4. "Electronic Protected Health Information" or "ePHI" means Protected Health Information that is created, received, maintained, or transmitted in electronic form.
5. "HIPAA Rules" means the Privacy, Security, Breach Notification, and Enforcement Rules at 45 C.F.R. Part 160 and Part 164.
6. "Protected Health Information" or "PHI" means individually identifiable health information that is transmitted or maintained in any form or medium (including electronic media) by Business Associate, as defined in 45 C.F.R. § 160.103, limited to the information created, received, maintained, or transmitted by Business Associate from or on behalf of Covered Entity pursuant to this Agreement.
7. "Security Incident" means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system, as defined in 45 C.F.R. § 164.304.
8. "Services" means the API proxy, credential management, and related services provided by Business Associate to Covered Entity as described in the applicable Order Form or subscription agreement between the Parties (the "Service Agreement").
9. "Subcontractor" means a person to whom Business Associate delegates a function, activity, or service, other than in the capacity of a member of the Business Associate's workforce, as defined in 45 C.F.R. § 160.103.
10. "Unsecured PHI" means PHI that is not secured through the use of a technology or methodology specified by the Secretary of HHS in guidance issued under 42 U.S.C. § 17932(h)(2).
11. "NZ Privacy Act" means the Privacy Act 2020 (New Zealand), No 31, as amended from time to time, including all Information Privacy Principles set out in Schedule 1 thereof.
12. "HIPC 2020" means the Health Information Privacy Code 2020, issued by the New Zealand Privacy Commissioner under section 202 of the NZ Privacy Act, as amended from time to time.
13. "Notifiable Privacy Breach" means a privacy breach that has caused serious harm, or is reasonably likely to cause serious harm, to one or more affected individuals, as defined in sections 112–113 of the NZ Privacy Act, and for which Business Associate is required to notify the New Zealand Privacy Commissioner and affected individuals.
14. "NZ Privacy Commissioner" means the Privacy Commissioner appointed under the NZ Privacy Act and the office of the Privacy Commissioner of New Zealand (privacy.org.nz).
15. "Required by Law" means a mandate contained in law that compels an entity to make a use or disclosure of PHI and that is enforceable in a court of law, including but not limited to court orders, court-ordered warrants, subpoenas or summons issued by a court, grand jury, or governmental or tribal inspector general, or an administrative body authorized to require the production of information; a civil or authorized investigative demand; Medicare conditions of participation with respect to health care providers participating in the program; and statutes or regulations that require the production of information, including statutes or regulations that require such information if payment is sought under a government program providing public benefits, as defined in 45 C.F.R. § 164.103.
16. "Designated Record Set" means a group of records maintained by or for a covered entity that is: (i) the medical records and billing records about individuals maintained by or for a covered health care provider; (ii) the enrolment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or (iii) used, in whole or in part, by or for the covered entity to make decisions about individuals, as defined in 45 C.F.R. § 164.501.

Section 2

Obligations of Business Associate

2.1 Permitted Uses and Disclosures. Business Associate shall not use or disclose PHI other than as permitted or required by this Agreement, the Service Agreement, or as Required by Law. Business Associate is permitted to use and disclose PHI:

1. As necessary to perform the Services for or on behalf of Covered Entity, consistent with the terms of the Service Agreement and this Agreement;
2. For the proper management and administration of Business Associate's business, provided that such disclosures are required by law or Business Associate obtains reasonable assurances that the information will remain confidential and used or further disclosed only as required by law or for the purpose for which it was disclosed;
3. To carry out the legal responsibilities of Business Associate, subject to the same conditions set forth in (b) above; and
4. To provide data aggregation services relating to the health care operations of Covered Entity, as defined in 45 C.F.R. § 164.501.

2.2 Safeguards. Business Associate shall use appropriate administrative, physical, and technical safeguards and, with respect to ePHI, comply with the HIPAA Security Rule, to prevent the use or disclosure of PHI other than as provided for by this Agreement. Specific safeguards maintained by Business Associate include:

• AES-256-GCM encryption of all PHI at rest using tenant-specific keys;
• TLS 1.3 encryption of all PHI in transit;
• Role-based access controls limiting access to PHI to authorized personnel only;
• Multi-factor authentication for all administrative access to systems processing PHI;
• Comprehensive audit logging of all access to and disclosures of PHI;
• Regular security risk assessments consistent with 45 C.F.R. § 164.308(a)(1); and
• Annual employee workforce training on HIPAA Privacy and Security Rules.

2.3 Reporting. Business Associate shall report to Covered Entity, without unreasonable delay:

1. Any use or disclosure of PHI not provided for by this Agreement of which Business Associate becomes aware, including Breaches of Unsecured PHI as required by 45 C.F.R. § 164.410;
2. Any Security Incident of which Business Associate becomes aware. The Parties acknowledge and agree that this Section constitutes notice by Business Associate to Covered Entity of the ongoing existence and occurrence of attempted but unsuccessful Security Incidents (e.g., pings, port scans, denial of service attacks, and other unsuccessful attempts) for which no additional notice to Covered Entity shall be required. Business Associate shall report actual, successful Security Incidents to Covered Entity no later than seventy-two (72) hours after discovery; and
3. Any Breach of Unsecured PHI, including the identification of each individual whose Unsecured PHI has been, or is reasonably believed to have been, compromised, no later than sixty (60) calendar days after Business Associate's discovery of such Breach, as required by 45 C.F.R. § 164.410(b).

2.3A New Zealand Parallel Notification Obligation. Business Associate is independently subject to sections 112–116 of the NZ Privacy Act. Where a privacy breach constitutes a Notifiable Privacy Breach, Business Associate is required to notify the NZ Privacy Commissioner and affected individuals as soon as practicable after becoming aware of the breach. Covered Entity acknowledges that Business Associate may make such notifications to the NZ Privacy Commissioner concurrently with, or prior to, notifying Covered Entity, and that such notifications do not constitute an unauthorized disclosure of PHI under this Agreement, provided that Business Associate does not disclose more PHI to the NZ Privacy Commissioner than is required by the NZ Privacy Act. Business Associate shall notify Covered Entity promptly of any notification made to the NZ Privacy Commissioner that relates to PHI covered by this Agreement.

2.4 Mitigation. Business Associate shall take reasonable steps to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate or its Subcontractors in violation of the requirements of this Agreement.

2.5 Subcontractors. Business Associate shall, in accordance with 45 C.F.R. §§ 164.308(b)(2) and 164.502(e)(1)(ii), ensure that any Subcontractors that create, receive, maintain, or transmit PHI on behalf of Business Associate agree to the same restrictions and conditions that apply to Business Associate under this Agreement by entering into a written business associate agreement with each such Subcontractor. Because Business Associate is subject to the NZ Privacy Act, each such sub-BAA shall also require the Subcontractor to protect personal information in a manner that provides comparable safeguards to those required by the NZ Privacy Act, consistent with Information Privacy Principle 12(1)(f) (Ground 6), so as to provide a lawful basis for any onward cross-border transfer of personal information from Business Associate to that Subcontractor.

2.6 Access to PHI. To the extent Business Associate maintains PHI in a Designated Record Set, Business Associate shall make PHI available to Covered Entity or, as directed by Covered Entity, to an Individual, to enable Covered Entity to fulfill its access obligations under 45 C.F.R. § 164.524. Business Associate shall respond to any such request from Covered Entity within fifteen (15) business days.

2.7 Amendment. To the extent Business Associate maintains PHI in a Designated Record Set, Business Associate shall make PHI available to Covered Entity for amendment and shall incorporate any amendments to PHI directed or agreed to by Covered Entity pursuant to 45 C.F.R. § 164.526 within fifteen (15) business days of such direction.

2.8 Accounting of Disclosures. Business Associate shall document disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request for an accounting of disclosures under 45 C.F.R. § 164.528, and shall make such information available to Covered Entity within fifteen (15) business days of Covered Entity's request.

2.9 Governmental Access. To the extent permitted by applicable law, including the laws of New Zealand, Business Associate shall make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of the U.S. Department of Health and Human Services ("HHS") for purposes of determining Business Associate's and Covered Entity's compliance with HIPAA, as required by 45 C.F.R. § 164.504(e)(2)(ii)(I). Business Associate shall cooperate in good faith with any such request from HHS or its Office for Civil Rights ("OCR"). Where compliance with a request from HHS would conflict with Business Associate's obligations under New Zealand law, Business Associate shall promptly notify Covered Entity and both Parties shall cooperate to identify a lawful means of satisfying the request to the greatest extent practicable.

2.10A Data Retention During Term. Consistent with Information Privacy Principle 9 of the NZ Privacy Act, Business Associate shall not retain PHI or personal information derived from it for longer than is necessary for the purpose for which it was received. Business Associate shall establish and maintain documented data retention schedules for PHI processed under this Agreement, and shall securely delete or destroy PHI that is no longer required for the performance of the Services or as otherwise required by applicable law. Nothing in this Section shall override any retention period required by law or regulation, including any minimum retention period applicable to audit logs under HIPAA or the NZ Privacy Act.

2.10 Minimum Necessary. Business Associate shall request, use, and disclose only the minimum amount of PHI necessary to accomplish the purpose of the request, use, or disclosure, consistent with 45 C.F.R. § 164.514(d).

Section 3

Obligations of Covered Entity

Covered Entity shall:

1. Notify Business Associate of any limitation(s) in Covered Entity's Notice of Privacy Practices pursuant to 45 C.F.R. § 164.520, to the extent that such limitation may affect Business Associate's use or disclosure of PHI;
2. Notify Business Associate of any changes in, or revocation of, permission by an Individual to use or disclose PHI, to the extent that such changes may affect Business Associate's use or disclosure of PHI;
3. Notify Business Associate of any restriction to the use or disclosure of PHI that Covered Entity has agreed to or is required to abide by under 45 C.F.R. § 164.522, to the extent that such restriction may affect Business Associate's use or disclosure of PHI;
4. Not request Business Associate to use or disclose PHI in any manner that would not be permissible under HIPAA if done by Covered Entity, unless expressly permitted under Section 2.1 of this Agreement; and
5. Obtain any authorization required by 45 C.F.R. § 164.508 from Individuals before providing PHI to Business Associate for which such authorization is required.

Section 4

Permitted Uses and Disclosures by Business Associate

4.1 Prohibited Activities. Business Associate shall not:

1. Use or disclose PHI for fundraising or marketing purposes without an authorization from the Individual that meets the requirements of 45 C.F.R. § 164.508;
2. Sell PHI as prohibited by 45 C.F.R. § 164.502(a)(5)(ii);
3. Use or disclose PHI in a manner that constitutes a violation of 45 C.F.R. § 164.502(a)(5); or
4. Use or disclose Genetic Information for underwriting purposes as prohibited by 45 C.F.R. § 164.502(a)(5)(i).

Section 5

Term and Termination

5.1 Term. This Agreement shall be effective as of the Effective Date and shall terminate upon the earlier of: (a) the termination or expiration of the Service Agreement; or (b) written notice of termination by either Party as set forth in this Section.

5.2 Termination for Cause. If either Party knows of a material breach by the other Party of this Agreement, the non-breaching Party shall provide an opportunity for the breaching Party to cure the breach or end the violation within thirty (30) days of written notice. If the breach is not cured within the cure period, the non-breaching Party may terminate this Agreement and/or the Service Agreement upon written notice.

5.3 Effect of Termination. Upon termination or expiration of this Agreement for any reason, Business Associate shall, at Covered Entity's election, either return to Covered Entity or destroy all PHI received from Covered Entity or created, maintained, or received by Business Associate on behalf of Covered Entity that Business Associate still maintains in any form. Business Associate shall retain no copies of the PHI. If return or destruction is not feasible, Business Associate shall (i) notify Covered Entity of the conditions that make return or destruction infeasible, (ii) extend the protections of this Agreement to the PHI and limit further use or disclosure of the PHI to those purposes that make return or destruction infeasible, and (iii) return to Covered Entity or destroy the PHI when such conditions no longer exist. This Section 5.3 shall survive the termination of this Agreement.

5.4 Indemnification. Each Party ("Indemnifying Party") shall indemnify, defend, and hold harmless the other Party and its officers, directors, employees, and agents ("Indemnified Party") from and against any and all losses, damages, costs, and expenses (including reasonable legal fees) arising out of or resulting from the Indemnifying Party's material breach of this Agreement. Where Covered Entity incurs civil monetary penalties, fines, or settlement amounts assessed by HHS OCR as a direct result of Business Associate's material breach of this Agreement, the Parties acknowledge that such amounts constitute direct contractual losses of the Covered Entity and not penalties within the meaning of the penalty clause doctrine under New Zealand law. Nothing in this Section shall be construed to limit either Party's obligations under HIPAA or the NZ Privacy Act.

Section 6

Limitation of Liability

6.1 Exclusion of Consequential Damages. To the maximum extent permitted by applicable law, neither Party shall be liable to the other Party for any indirect, incidental, special, consequential, punitive, or exemplary damages arising out of or related to this Agreement, including but not limited to loss of revenue, loss of profits, loss of business, loss of data, loss of goodwill, or business interruption, even if the Party has been advised of the possibility of such damages and regardless of the theory of liability (contract, tort, strict liability, or otherwise).

6.2 Aggregate Liability Cap. To the maximum extent permitted by applicable law, Business Associate's total aggregate liability to Covered Entity under or in connection with this Agreement, whether in contract, tort (including negligence), breach of statutory duty, or otherwise, shall not exceed the total fees paid or payable by Covered Entity to Business Associate under the Service Agreement in the twelve (12) calendar months immediately preceding the event giving rise to the claim.

6.3 Exceptions. Notwithstanding Sections 6.1 and 6.2, the exclusions and cap set out above shall not apply to:

1. Liability arising from either Party's fraud, wilful misconduct, or gross negligence;
2. Liability for death or personal injury caused by negligence (which cannot be excluded under New Zealand law);
3. Liability arising from Business Associate's intentional, unauthorised disclosure of PHI to a third party in breach of this Agreement;
4. Business Associate's indemnification obligations under Section 5.4 to the extent such obligations arise from Business Associate's material breach of this Agreement; or
5. Any liability that cannot be excluded or limited by applicable law, including mandatory provisions of HIPAA, the HITECH Act, or the NZ Privacy Act 2020.

6.4 Essential Basis. The Parties acknowledge that the limitations and exclusions of liability in this Section 6 reflect a reasonable allocation of risk and form an essential basis of the bargain between the Parties. Business Associate would not have entered into this Agreement without these limitations. The limitations apply even if any limited remedy fails of its essential purpose.

6.5 No Limitation on Statutory Rights. Nothing in this Section limits or excludes any liability to the extent that such limitation or exclusion would be contrary to mandatory requirements of HIPAA, the HITECH Act, or the NZ Privacy Act 2020, or would prevent Covered Entity from fulfilling its obligations to HHS.

Section 7

Miscellaneous

7.1 Regulatory References. Any reference in this Agreement to a section of HIPAA or the HITECH Act means the section as in effect or as amended from time to time. Any reference to the NZ Privacy Act, the HIPC 2020, or any Information Privacy Principle means the provision as in effect or as amended from time to time, including any replacement code of practice issued by the NZ Privacy Commissioner.

7.2 Amendment. The Parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for Covered Entity to comply with the requirements of HIPAA. This Agreement may not otherwise be amended except by a written instrument signed by authorized representatives of both Parties.

7.3 Survival. The obligations of Business Associate under Section 5.3 (Effect of Termination), Section 6 (Limitation of Liability), and this Section 7 shall survive the termination of this Agreement.

7.4 Interpretation. This Agreement shall be interpreted as broadly as necessary to implement and comply with HIPAA. Any ambiguity in this Agreement shall be resolved in favor of a meaning that permits Covered Entity to comply with HIPAA. In the event of an inconsistency between the provisions of this Agreement and mandatory provisions of HIPAA, the HIPAA provisions shall control.

7.5 No Third-Party Beneficiaries. Nothing in this Agreement shall be construed to create any rights or remedies in any third parties, including Individuals whose PHI is used or disclosed under this Agreement.

7.6 Governing Law. This Agreement shall be governed by and construed in accordance with the laws of New Zealand, including the Contract and Commercial Law Act 2017 (NZ). The Parties acknowledge that Business Associate's obligations under the HIPAA Rules and the HITECH Act are imposed by United States federal law and regulations, including 45 C.F.R. Parts 160 and 164, and that such obligations are not modified or displaced by this governing law clause. In the event of any inconsistency between the contractual interpretation of this Agreement under New Zealand law and Business Associate's mandatory HIPAA compliance obligations, the mandatory HIPAA provisions shall control to the extent necessary to achieve compliance.

7.6A Dispute Resolution. Any dispute arising out of or in connection with this Agreement, including any question regarding its existence, validity, or termination ("Dispute"), shall be resolved as follows:

1. Negotiation. The Parties shall first attempt to resolve the Dispute through good-faith negotiations between senior representatives for a period of thirty (30) days following written notice of the Dispute ("Negotiation Period");
2. Arbitration. If the Dispute is not resolved during the Negotiation Period, it shall be referred to and finally resolved by binding arbitration under the UNCITRAL Arbitration Rules as then in force. The seat of the arbitration shall be Auckland, New Zealand. The language of the arbitration shall be English. The arbitral tribunal shall consist of one (1) arbitrator appointed in accordance with the UNCITRAL Arbitration Rules. The arbitral award shall be final and binding on both Parties. Judgment on the award may be entered and enforced in any court of competent jurisdiction, including under the New York Convention on the Recognition and Enforcement of Foreign Arbitral Awards (1958), to which both New Zealand (acceded 1983) and the United States (acceded 1970) are signatories; and
3. Emergency Relief. Nothing in this Section shall prevent either Party from seeking urgent injunctive or other emergency relief from any court of competent jurisdiction to prevent irreparable harm pending the outcome of arbitration.

7.7 Entire Agreement. This Agreement, together with the Service Agreement, constitutes the entire agreement between the Parties with respect to the subject matter hereof and supersedes all prior agreements, understandings, negotiations, and discussions, whether oral or written, between the Parties relating to PHI.

7.9 Severability. If any provision of this Agreement is held to be invalid, illegal, or unenforceable under applicable law, such provision shall be modified to the minimum extent necessary to make it valid, legal, and enforceable, and the validity, legality, and enforceability of the remaining provisions of this Agreement shall not in any way be affected or impaired. Without limiting the foregoing, if the limitation of liability provisions in Section 6 are found partially unenforceable, only that part shall be severed, and the remainder of Section 6 shall continue in full force and effect.

7.10 Waiver. No failure or delay by either Party in exercising any right, power, or remedy under this Agreement shall operate as a waiver of that right, power, or remedy. No single or partial exercise of any right, power, or remedy shall preclude any other or further exercise of it or the exercise of any other right, power, or remedy.

7.11 Notices. All notices, requests, demands, and other communications required or permitted under this Agreement shall be in writing and shall be deemed duly given: (a) when delivered by hand; (b) one (1) business day after deposit with a nationally recognized overnight courier; (c) three (3) business days after being sent by registered or certified mail, return receipt requested, postage prepaid; or (d) upon confirmed receipt when sent by email to the addresses below, provided that a copy is promptly sent by one of the other methods specified above if the matter is time-sensitive.

• If to Business Associate: [KNOXCALL LEGAL ENTITY NAME], [Registered Address — to be inserted upon incorporation], New Zealand. Email: [email protected]
• If to Covered Entity: As specified in the Service Agreement, or such other address as Covered Entity may designate in writing from time to time.

7.8 Counterparts; Electronic Signatures. This Agreement may be executed in one or more counterparts, each of which shall be deemed an original, and all of which together shall constitute one instrument. Electronic signatures shall be deemed valid and binding to the same extent as original signatures pursuant to the Electronic Transactions Act 2002 (NZ) and applicable United States federal and state electronic signature laws.