Business Associate Agreement
Last updated: April 17, 2026
This Business Associate Agreement (“BAA”) is entered into between Infiniti Solutions LLC (“Business Associate”) and the healthcare entity or organization executing this agreement (“Covered Entity”). It supplements and is made part of any underlying service agreement or Terms of Service between the parties.
To execute a signed BAA for your organization, email compliance@infinitisolution.org.
1. Definitions
Terms used but not otherwise defined in this Agreement shall have the same meaning as those terms in the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the HITECH Act, and their implementing regulations at 45 C.F.R. Parts 160 and 164 (collectively, the “HIPAA Rules”).
- Protected Health Information (PHI) — individually identifiable health information created, received, maintained, or transmitted by Business Associate on behalf of Covered Entity.
- Electronic PHI (ePHI) — PHI that is created, received, maintained, or transmitted in electronic form.
- Services — the home care management platform and related services provided by Infiniti Solutions, including patient records, caregiver scheduling, EVV tracking, timesheets, billing, and messaging.
2. Obligations of Business Associate
Infiniti Solutions agrees to:
- Not use or further disclose PHI other than as permitted or required by this Agreement or as required by law.
- Use appropriate safeguards — and comply with Subpart C of 45 C.F.R. Part 164 with respect to ePHI — to prevent use or disclosure of PHI other than as provided by this Agreement.
- Report to Covered Entity any use or disclosure of PHI not provided for by this Agreement of which Business Associate becomes aware, including breaches of Unsecured PHI, within 60 days of discovery, in accordance with 45 C.F.R. § 164.410.
- Ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of Business Associate agree to the same restrictions, conditions, and requirements that apply to Business Associate with respect to such information.
- Make available PHI in a designated record set to Covered Entity as necessary to satisfy Covered Entity's obligations under 45 C.F.R. § 164.524.
- Make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of HHS for purposes of determining compliance with the HIPAA Rules.
- Upon termination of this Agreement, return or destroy all PHI received from, or created or received on behalf of, Covered Entity that Business Associate still maintains in any form, if feasible. If not feasible, extend the protections of this Agreement to the information and limit further uses and disclosures.
3. Permitted Uses and Disclosures
Business Associate may use or disclose PHI only as necessary to perform the Services described in the underlying service agreement with Covered Entity. Additionally, Business Associate may:
- Use PHI for the proper management and administration of Business Associate.
- Disclose PHI for the proper management and administration of Business Associate, provided that disclosures are required by law, or Business Associate obtains reasonable assurances from the recipient that it will be held confidentially.
- Use PHI to provide data aggregation services relating to the health care operations of Covered Entity, as permitted by 45 C.F.R. § 164.504(e)(2)(i)(B).
- De-identify PHI in accordance with 45 C.F.R. § 164.514.
4. Security Standards for ePHI
Infiniti Solutions implements the following administrative, physical, and technical safeguards to protect ePHI:
- Encryption at rest and in transit — All ePHI is encrypted using AES-256 at rest and TLS 1.2+ in transit.
- Access controls — Role-based access control (RBAC) limits access to PHI to authorized personnel only.
- Audit logging — All access to ePHI is logged and retained for no less than 6 years.
- Multi-factor authentication — MFA is available and recommended for all platform accounts.
- Data backup and disaster recovery — Automated backups are performed daily with point-in-time recovery capability.
- Employee training — All Infiniti Solutions employees who access ePHI receive HIPAA security and privacy training upon hire and annually.
- Incident response — A documented incident response plan is in place for suspected breaches of ePHI.
5. Obligations of Covered Entity
Covered Entity agrees to:
- Notify Business Associate of any restriction on the use or disclosure of PHI that Covered Entity has agreed to or is required to abide by under 45 C.F.R. § 164.522, to the extent that such restriction may affect Business Associate's use or disclosure of PHI.
- Not request Business Associate to use or disclose PHI in any manner that would not be permissible under the HIPAA Rules if done by Covered Entity.
- Obtain any authorization required under the HIPAA Rules for Business Associate to perform the requested Services.
6. Term and Termination
This Agreement is effective as of the date of execution and shall remain in effect until the termination of the underlying service agreement, unless earlier terminated as set forth below.
Either party may terminate this Agreement if the other party materially breaches a material term and fails to cure the breach within 30 days after written notice. Upon termination, Business Associate shall return or destroy all PHI as described in Section 2 above.
7. Miscellaneous
- Amendment. The parties agree to take such action as is necessary to amend this Agreement to comply with the HIPAA Rules as they are amended from time to time.
- Survival. The respective rights and obligations of Business Associate under Section 2 (return/destruction of PHI) survive the termination of this Agreement.
- Interpretation. Any ambiguity in this Agreement shall be resolved in favor of a meaning that permits both parties to comply with the HIPAA Rules.
- Governing law. This Agreement shall be governed by the laws of the State of Minnesota.
Ready to execute a BAA?
All customers on a paid plan are eligible for a signed Business Associate Agreement. Contact our compliance team to get started.
Request a BAA — compliance@infinitisolution.org
This page presents the standard terms of Infiniti Solutions' Business Associate Agreement for informational purposes. It does not constitute legal advice. Covered entities should consult with their own legal counsel to confirm their HIPAA obligations. The executed BAA document delivered upon request governs the relationship between the parties.
