Vendor Business Associate Agreement - Exabeam

Vendor Business Associate Agreement

This HIPAA Business Associate Agreement (“BAA”) is entered into between Exabeam, Inc. (“EXABEAM”) and the other party identified in the Agreement, its directors, officers, employees, affiliates, agents, subcontractors, and Third Parties (as set forth in Section 3) (collectively, “CONTRACTOR”). EXABEAM may act as a Business Associate to health care providers, covered entities, or other business associates under HIPAA. As such, this BAA applies to the extent EXABEAM is acting as a Business Associate to create, receive, maintain, or transmit PHI or PII for a Covered Entity or Business Associate, and to the extent CONTRACTOR, as a result, is deemed under HIPAA to be acting as a Business Associate or subcontractor of EXABEAM. Therefore, CONTRACTOR agrees to follow the terms and conditions set forth in this BAA, as may be updated from time to time.

CONTRACTOR acknowledges and agrees that it performs services or assists EXABEAM in the performance of services that may involve the use or disclosure of PHI and PII, and, therefore, HIPAA and stricter state and federal laws, as applicable, require PHI and PII be protected from inappropriate uses or disclosures. As such, CONTRACTOR acknowledges and agrees that its use and disclosure of PHI must be in compliance with the terms of this BAA and 45 C.F.R. §164.504(e).

The terms and conditions of this BAA shall supplement and amend all agreements and relationships between the parties (“Agreement”), which provide for or result in CONTRACTOR’s creation, receipt, maintenance, access, transmission, use, and/or disclosure of any PHI or PII, in any form or medium, in CONTRACTOR’s capacity as business associate for or subcontractor of EXABEAM.

Any ambiguity in this BAA shall be resolved to permit the parties to comply with HIPAA. In the case of any inconsistency or conflict between the Agreement (including, but not limited to, any attachments, amendments, or other agreements thereto, whether with EXABEAM or its subsidiaries, affiliates, parent companies, officers, directors, employees, contractors, and/or agents) and this BAA, this BAA shall control. Except as supplemented and/or amended, the terms of the Agreement shall continue to govern matters addressed in the Agreement.

1. DEFINITIONS Any terms not expressly defined herein or in the Agreement shall have the meaning set forth in HIPAA.

1.1 “Affiliates” means an entity directly or indirectly controlling, controlled by, or under common control with a party. For purposes of this definition, “control” means the ownership or control, directly or indirectly, of fifty percent (50%) or more of all the voting shares (or other securities or rights) entitled to vote for the election of directors or other governing authority.

1.2 “Business Associate” has the definition given to it under HIPAA.

1.3 “Breach” has the definition given to it under HIPAA. For purposes of this Agreement, the term “Breach” further relates to compromises of PII.

1.4 “Data Subject” means the individual to which specific PHI or PII pertains, as further defined in HIPAA or applicable data security legislations.

1.5 “HIPAA” means the Health Insurance Portability and Accountability Act of 1996, and the rules and regulations thereunder, as amended. The definition of HIPAA for purposes of this Agreement shall include the HITECH Act.

1.6 “HITECH Act” means the Health Information Technology for Economic and Clinical Health Act enacted in the United States Congress, which is Title XIII of the American Recovery & Reinvestment Act, and the regulations thereunder, as amended.

1.7 “Protected Health Information” (“PHI”) and “Electronic Protected Health Information” (“ePHI”) have the definitions given to them under HIPAA.

1.8 “Personally Identifiable Information” or “PII” means personal information that is, without limitation, names, phone numbers, mailing addresses, credit card information, social security numbers, and/or account or financial information of EXABEAM, its Affiliates, customers, and/or end users.

1.9 “Security Incident” has the definition given to it under HIPAA.

2. Permitted Use of PHI and PII. CONTRACTOR acknowledges that it performs services or assists EXABEAM in the performance of a function or service that involves the use, disclosure, creation, receipt, maintenance, or transmission of PHI and PII, and, therefore, HIPAA, and stricter state and federal laws, as applicable, require that PHI and PII be protected from inappropriate uses or disclosures.

2.1 Permitted Use. Except as otherwise stated in this BAA, CONTRACTOR may use, disclose, create, receive, maintain, or transmit PHI only as permitted or required by this BAA to perform the functions, activities, services, and operations that CONTRACTOR is contractually obligated to perform for EXABEAM pursuant to the Agreement, or as required by applicable law.

2.2 Prohibited Uses and Disclosures. CONTRACTOR shall not use, disclose, create, receive, maintain, or transmit PHI or PII in any manner that is not permitted or required by the Agreement or this BAA, or that would otherwise constitute a violation of applicable law, including, but not limited to acts that would be considered a violation of HIPAA if done by EXABEAM or a covered entity. All uses and disclosures of, and requests by EXABEAM for, PHI are subject to the Privacy Standards’ Minimum Necessary Rule and shall be limited to the information contained in a Limited Data Set, to the extent practical, unless additional information is needed to accomplish the intended purpose, or as otherwise permitted in accordance with Section 13405(b) of HITECH, and any other subsequently adopted guidance. CONTRACTOR shall not send PHI or PII outside the country of origin or allow access to PHI or PII outside the country of origin without EXABEAM’s prior written consent.

2.3 Restriction on Remuneration. CONTRACTOR shall neither directly nor indirectly receive remuneration in exchange for any PHI except as permitted by 45 CFR 164.502(5)(ii)(B). In addition, CONTRACTOR shall neither directly nor indirectly receive remuneration in connection with a communication that includes PHI or PII, or is based on PHI or PII, to purchase or use a product, except as permitted by 45 CFR 164.508(a)(3) and with EXABEAM’s prior written permission.

2.4 Restriction on Solicitations & Communications. CONTRACTOR shall not use information obtained from this engagement to solicit or make any communication to an EXABEAM member or a member of EXABEAM’s customers.

2.5 Restrictive Agreements. CONTRACTOR shall comply with any agreement that EXABEAM makes that either: (i) restricts the use, disclosure, creation, receipt, maintenance, or transmission of PHI pursuant to 45 CFR 164.522(a), or (ii) requires Confidential Communication about PHI pursuant to 45 CFR 164.522(b), provided EXABEAM notifies CONTRACTOR of the restriction or Confidential Communication obligations.

3. Disclosure to Third Parties:

3.1 Consent Requirement. CONTRACTOR shall not provide, disclose, or allow access of PHI or PII to any third party, including but not limited to any subcontractors, affiliates, or agents (collectively, “Third Party”), without the prior written consent of EXABEAM.

3.2 Agreements by Third Parties. CONTRACTOR shall enter into an agreement with any permitted Third Party that will have access to PHI or PII that is received from or made available by CONTRACTOR on behalf of EXABEAM pursuant to which such Third Party agrees to be bound by restrictions, terms, and conditions at least as restrictive as those applicable to CONTRACTOR under this BAA, including but not limited to the safeguards described in Section 4 (“Security Requirements and Safeguards”) herein.

3.3 Disclosures to Third Parties. To the extent CONTRACTOR discloses or makes available PHI or PII to a Third Party, CONTRACTOR shall, prior to making any such PHI or PII available, and throughout the term of its engagement with the Third Party, ensure:

  • CONTRACTOR has an effective business associate agreement in place with such Third Party that includes the same restrictions, conditions, and requirements that apply to CONTRACTOR under this BAA;
  • Any such disclosure to or use by such Third Party is solely for a limited purpose approved, in writing, by EXABEAM;
  • Unless prohibited by applicable law, CONTRACTOR has obtained written consent from EXABEAM prior to disclosing or making PHI or PII available to such Third Party;
  • CONTRACTOR has an agreement in place requiring such Third Party to immediately notify CONTRACTOR (who will, in turn, notify EXABEAM in accordance with Section 5 of this BAA) of any:
    • Security Incident or Breach;
    • Unauthorized disclosure or use of, or access to, PHI or PII;
  • CONTRACTOR will not transmit any PHI or PII outside the country of origin without EXABEAM’s prior written consent.

As between CONTRACTOR and EXABEAM, CONTRACTOR shall be solely liable for any Breach or unauthorized access, use, or disclosure of PHI or PII by, or caused by, any Third Party. CONTRACTOR agrees to provide EXABEAM a list of all its Third Parties upon request.

4. Security Requirements and Safeguards:

4.1 CONTRACTOR agrees that it will implement all appropriate safeguards, including at least the minimum provisions set forth in EXABEAM’s Vendor Data Security Policy, the terms of which are incorporated into this BAA by reference, to prevent access, use, or disclosure of PHI or PII that is not expressly authorized by this BAA or the Agreement. Safeguards include administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the PHI and PII that it uses, discloses, creates, receives, maintains, or transmits on behalf of EXABEAM, as required by 45 CFR Part 160 and Subparts A and C of Part 164 (“Security Rule”). CONTRACTOR shall comply with the Security Rule and implement all measures set forth in HIPAA’s Security Rule and any associated regulations.

4.2 CONTRACTOR shall require any approved Third Party to provide satisfactory assurances, as evidenced by written contract in accordance with 45 C.F.R. §164.504(e)(1)(i), that such Third Party complies with the same privacy and security safeguard obligations with respect to PHI and PII that are applicable to CONTRACTOR under this BAA, including but not limited to the provisions set forth in Section 3 (“Disclosure to Third Parties”) and EXABEAM’s Vendor Data Security Policy. For clarity, a Third Party shall not be entitled to disclose any PHI or PII to any other party without the prior, written approval of EXABEAM.

5. Breaches and Security Incidents

5.1 Events. CONTRACTOR shall, within twenty-four (24) hours of becoming aware, report to EXABEAM any Security Incident, Breach, or any other violation or suspected violation of this BAA (“Event”). CONTRACTOR agrees to mitigate, to the extent practicable, any harmful effect of any unauthorized access, use, or disclosure of PHI or PII by CONTRACTOR or a Third Party. Such mitigation efforts shall include, but are not limited to, compliance with applicable law or contractual data breach requirements. CONTRACTOR shall fully cooperate with EXABEAM’s breach notification and mitigation activities, and shall be responsible for all costs incurred by EXABEAM for those required activities. The report to EXABEAM shall be in writing and e-mailed to dpo@exabeam.com unless otherwise specified by EXABEAM.

5.2 Reports. Such report must include at a minimum:

  • The date and time the Event occurred and the date it was discovered;
  • A complete description of the PHI or PII involved, including but not limited to (i) the nature and attributes of the information involved in the Event and (ii) the volume of information compromised or attempted to be compromised in the Event;
  • A complete description of the Event, its cause, and the effect it had on EXABEAM’s systems and data. This should include, but is not limited to: (i) the names of the affected systems, servers, programs, etc., and (ii) the names of the entities or individuals with unauthorized access to the PHI or PII as a result of the Event;
  • Contact information for communications regarding the Event;
  • A description of the initial mitigation steps taken to contain the Event and an assessment of the level of compromise to PHI or PII incurred by CONTRACTOR and/or Third Parties;
  • A description of the plan to correct the compromises to PHI or PII and to prevent reoccurrences of the Event in the future; and
  • Such other information, including a written report, as EXABEAM may reasonably request or as otherwise required by law.

5.3 Attempted Incidents. Both parties recognize, however, that the significant number of meaningless attempts to, without authorization, access, use, disclose, modify or destroy PHI or PII in CONTRACTOR’s information systems could make a real-time reporting requirement formidable for both parties. Both parties believe that the HIPAA notice requirements are met by instituting a process by which:

  • CONTRACTOR discloses to EXABEAM the rate and types of attempted incidents that are occurring at the time this BAA is signed;
  • CONTRACTOR monitors the rate and nature of such attempts over time; and
  • CONTRACTOR reports to EXABEAM any substantive changes to the rate or nature of such attempts that could adversely affect EXABEAM directly or indirectly.

The following are illustrative of unsuccessful Security Incidents when they do not result in unauthorized access, use, maintenance, disclosure, transmission, modification, or destruction of PHI or PII or interference with an information system:

  • Pings on a firewall;
  • Port scans;
  • Attempts to log on to a system or enter a database with an invalid password or username; and
  • Malware (e.g., worms, viruses).

If CONTRACTOR observes through ongoing monitoring successful Security Incidents that extend beyond these routine, unsuccessful attempts in such a way that they could impact the Confidentiality, Integrity or Availability of PHI or PII, CONTRACTOR agrees to promptly notify EXABEAM.

5.4 Notifications. CONTRACTOR shall comply with applicable laws that require notification to authorities or Data Subjects in the event of an unauthorized access to or release of PII or PHI, as defined by applicable state or federal law (“Notification Event”), whether such Notification Event was the responsibility of CONTRACTOR or a Third Party to which CONTRACTOR disclosed PII or PHI. When notification to Data Subjects is required by law or determined by EXABEAM, in its sole discretion, to be necessary, whether such Notification Event was the responsibility of CONTRACTOR or a Third Party to which CONTRACTOR disclosed PII or PHI, CONTRACTOR shall coordinate with EXABEAM to (a) investigate the Notification Event, (b) inform all affected Data Subjects, and (c) mitigate the Notification Event. At EXABEAM’s sole discretion, mitigation includes but is not limited to securing credit monitoring or protection services for affected Data Subjects for a period determined by EXABEAM. CONTRACTOR shall be responsible for any and all costs incurred from responding to and mitigating such Notification Events, including but not limited to mailing costs, personnel costs, attorney fees, credit monitoring costs, and other related expenses or costs.

6. Request for Access to PHI or PII

6.1 Requests for PHI or PII Access. Within two (2) business days of receiving a request for access to any PHI or PII, whether such request originates from a Data Subject or a regulatory authority, CONTRACTOR shall forward such request to EXABEAM. For the avoidance of doubt and to the extent legally permitted to do so, CONTRACTOR shall not disclose or release any PHI or PII in response to such request without first consulting with and obtaining the written consent of EXABEAM.

6.2 Producing ePHI in Accessible Format. To the extent CONTRACTOR maintains ePHI in a Designated Record Set, with respect to such ePHI of a Data Subject, CONTRACTOR agrees that the Data Subject, and EXABEAM on behalf of the Data Subject, shall have the right to obtain an electronic copy of such information in the form and format requested by the Data Subject or EXABEAM, if such ePHI is readily reproducible in the form and format so requested. If the information is not readily reproducible in the form or format requested by either the Data Subject or EXABEAM, CONTRACTOR shall make the information available in a reasonable electronic format as mutually agreed to by the Data Subject, CONTRACTOR, and EXABEAM. CONTRACTOR’s ability to transmit ePHI shall be subject to the limitation set forth in Section 6(a) of this BAA. If such disclosure is authorized, in writing, by EXABEAM, CONTRACTOR agrees to transmit an electronic copy of ePHI directly to a person or entity designated by the Data Subject, provided that the direction is in writing and is clear, conspicuous, and specific.

7. Amendments. In the event CONTRACTOR receives a request from a Data Subject relating to an amendment to or deletion of PHI or PII, EXABEAM shall be notified promptly, but in no event later than two (2) business days from the date of the request. CONTRACTOR shall comply with any instructions provided by EXABEAM relating to such request, so long as such instructions are consistent with applicable law.

8. Accounting of Disclosures

8.1 Disclosure Log. CONTRACTOR shall maintain clear records of all disclosures of PHI made by CONTRACTOR (“Disclosure Log”). The Disclosure Log shall include all instances of use, access, and disclosure of PHI or PII occurring in the past six (6) years. Each record shall include all items set forth in 45 CFR 164.528(b)(2).

8.2 Within ten (10) business days of notice by EXABEAM to CONTRACTOR that it has received a valid request for an accounting of disclosures of PHI regarding a Data Subject from a Covered Entity, as described in 45 CFR 164.528, CONTRACTOR shall make available to EXABEAM any information requested by EXABEAM or the Covered Entity for the purpose of fulfilling the accounting request. If the request for accounting is delivered directly to CONTRACTOR, CONTRACTOR shall, within two (2) business days of receipt of such request, forward such request to EXABEAM and shall take no further action unless EXABEAM instructs otherwise.

8.3 For disclosures that it is required to track, CONTRACTOR shall, at a minimum, provide EXABEAM with the following information:

  • The date of the disclosure;
  • The name of the entity or person who received the PHI, and, if known, the address of such entity or person;
  • A brief description of the PHI;
  • A brief statement of the purpose of such disclosure, which includes an explanation of the basis for such disclosure; and
  • CONTRACTOR shall further provide any additional information to the extent required by HIPAA, any accompanying regulations, and applicable law.

8.4 To the extent CONTRACTOR is to carry out one or more of EXABEAM’s obligations under Subpart E of 45 CFR Part 164, CONTRACTOR shall comply with the requirements of Subpart E that apply to EXABEAM in the performance of such obligation(s).

9. Audits and Inspections

9.1 CONTRACTOR hereby agrees to make its internal practices, books, and records relating to the use and disclosure of PHI or PII received from, or created or received by CONTRACTOR on behalf of, EXABEAM available to: (i) the Secretary of the Department of Health and Human Services for determining EXABEAM’s and CONTRACTOR’s compliance with HIPAA; and (ii) EXABEAM for its purposes in responding to a formal investigation or enforcement action by the Secretary of Health and Human Services or any other governmental or regulatory authority, or for the purpose of evaluating and/or responding to a compliance review performed, conducted, overseen, or managed, in whole or in part, by governmental or regulatory agencies.

9.2 CONTRACTOR shall, on an annual basis, provide an attestation that it and its Third Parties are in compliance with the terms of this BAA (including any attachments hereto) and shall permit EXABEAM to audit its books, records, and operations to determine compliance with CONTRACTOR’s obligations under this BAA.

10. Term and Termination

10.1 Term. The term of this Agreement shall be effective as of the effective date of the Agreement and shall terminate only when CONTRACTOR no longer has any access to any PHI or PII covered by this BAA.

10.2 Termination for Cause. EXABEAM may terminate the Agreement if EXABEAM determines that CONTRACTOR has violated a material term of this BAA. In addition to any other rights EXABEAM may have in the Agreement, this BAA, or by operation of law or in equity, EXABEAM may in its sole discretion, upon breach or violation of this BAA: (i) provide reasonable opportunity for CONTRACTOR to cure or end any such violation within the time specified by EXABEAM; or (ii) if CONTRACTOR reasonably believes cure is not possible or if CONTRACTOR does not cure such breach or violation, immediately terminate the Agreement. EXABEAM’s option to have a breach cured shall not be construed as a waiver of any other rights EXABEAM has in the Agreement, this BAA, or by operation of law or in equity.

10.3 Effect of Termination. The obligations of CONTRACTOR and rights of EXABEAM under this section shall survive the termination of this BAA or the Agreement. Upon the termination of any Agreement for any reason, CONTRACTOR shall return or destroy all PHI or PII received from, or created, received, or maintained by CONTRACTOR that CONTRACTOR still maintains in any form and shall retain no copies of such information. CONTRACTOR will require any Third Party to which CONTRACTOR has disclosed PHI or PII to return the same to CONTRACTOR (so that CONTRACTOR may return to EXABEAM or destroy the same) in whatever form or medium received from CONTRACTOR, including all copies thereof and all data, compilations and other works derived therefrom that allow identification of any individual who is a subject of the PHI or PII, and certify to CONTRACTOR that such information has been returned or destroyed. CONTRACTOR will complete these obligations as promptly as possible, but not later than thirty (30) days following the effective date of termination or expiration of any Agreement and shall provide an attestation that all PHI and PII provided under this BAA has been returned or destroyed. Notwithstanding the foregoing, EXABEAM may request, and CONTRACTOR shall comply, that PHI and PII is returned or destroyed sooner than thirty (30) days.

If such return or destruction of PHI or PII by CONTRACTOR or its Third Party is not feasible:

  • CONTRACTOR shall not use or disclose such information for any purpose; and
  • The obligation to protect the privacy and safeguard the security of PHI and PII as specified in this BAA will be continuous and survive termination or other conclusion of this BAA or any other Agreements, including statements of work, entered into between CONTRACTOR and EXABEAM. Moreover, CONTRACTOR shall, on an annual basis, provide an attestation that it and its Third Parties are in compliance with the BAA (including the attached Data Security Policy) and shall permit EXABEAM to audit its books, records, and operations to determine compliance with CONTRACTOR’s obligations under the BAA.

11. TRANSACTION STANDARDS

11.1 ICD-10 Code Sets. If CONTRACTOR’s services or products use or require the use of Code Sets, as defined in HIPAA, then CONTRACTOR shall utilize the International Classification of Diseases (ICD), 10th Revision, Clinical Modification (“ICD-10-CM”), or the most current ICD codes, for diagnosis coding, and the International Classification of Diseases, 10th Revision, Procedural Coding System (“ICD-10-PCS”), or the most current ICD codes, for inpatient hospital procedure coding for all services or products that CONTRACTOR is contractually obligated to provide to EXABEAM.

11.1.1 EXABEAM is not responsible for any additional services, programming, processing, testing, or other implementation costs incurred by CONTRACTOR to implement ICD-10-CM and ICD-10-PCS, as these are the responsibility of CONTRACTOR. EXABEAM shall have no obligation to reimburse CONTRACTOR for any costs related to testing, implementation, or remediation associated with CONTRACTOR’s implementation of ICD-10-CM and ICD-10-PCS.

11.1.2 If CONTRACTOR reasonably determines that CONTRACTOR’s products or services have not implemented or addressed the applicable provisions of the HIPAA Code Set Standards or the provisions set forth in this BAA, and provided CONTRACTOR does not remediate such issue within thirty (30) calendar days of notification, or as otherwise agreed to by EXABEAM in writing, EXABEAM may withhold payments to CONTRACTOR until such time as the issue is remediated to EXABEAM’s reasonable satisfaction.

11.2 Compliance with HIPAA Standard Transactions.

11.2.1 If CONTRACTOR or a Third Party performs or conducts (in whole or in part) electronic Transactions on behalf of EXABEAM for which the Department of Health and Human Services (“DHHS”) has established Standards (collectively referred to as “Transactions”), CONTRACTOR shall comply (and shall require any Third Party involved in the receipt or processing of such Transactions to comply) with the requirements of the Transaction Rule, 45 C.F.R. Part 162, including any Implementation Guide specifications incorporated into HIPAA by reference.

11.2.1.1 CONTRACTOR will not enter into, or permit its Third Party to enter into, any Trading Partner Agreement in connection with the conduct of Standard Transactions on behalf of EXABEAM that:

  • Changes the definition, data condition, or use of a data element or segment in a Standard Transaction;
  • Adds any data element or segment to the maximum defined data set;
  • Uses any code or data element that is marked “not used” in the Standard Transaction’s implementation specification or is not in the Standard Transaction’s implementation specification; or
  • Changes the meaning or intent of the Standard Transaction’s implementation specification.

11.2.1.2 EXABEAM is not responsible for any additional services, programming, processing, testing, or other implementation costs incurred by CONTRACTOR to attain compliance with the HIPAA Standard Transactions, as these are the responsibility of CONTRACTOR. EXABEAM shall have no obligation to reimburse CONTRACTOR for any costs related to testing, implementation, or remediation associated with CONTRACTOR’s compliance with the HIPAA Standard Transaction Rules.

11.2.3 Compliance Testing. Upon EXABEAM’s request, CONTRACTOR shall conduct end-to-end or other Transactions and Code Set compliance testing and certify to EXABEAM that CONTRACTOR complies with the applicable laws.

11.2.3.1 Upon EXABEAM’s request, CONTRACTOR shall provide a copy of its compliance certification (for both levels 1 and 2) from an approved third-party certification company. Absent EXABEAM’s reasonable determination of Transactions or Code Set compliance issues, such requests shall be limited to once per year.

11.2.3.2 Upon written notice of a Transactions or Code Set compliance issue, EXABEAM and CONTRACTOR, as applicable, shall investigate and remediate such issue within a mutually agreed upon timeframe. Remediation shall include any testing activities that may be required to validate compliance. If EXABEAM and CONTRACTOR disagree on the interpretation of the standard, regulation, or rules, the parties agree to submit a request for clarification and/or interpretation to an industry recognized or designated body, including but not limited to the Accredited Standards Committee (ASC) X12 or the Workgroup for Electronic Data Interchange (WEDI).

11.4 If EXABEAM reasonably determines that CONTRACTOR is not in compliance with the Transactions or Code Set rules or the provisions set forth in this Section, and provided CONTRACTOR does not remediate such compliance issue within thirty (30) calendar days of notification, EXABEAM may terminate the Agreements and shall be entitled to damages, which may include, but shall not be limited to, a pro-rated refund of fees paid. To the extent EXABEAM is fined, assessed a penalty, or is otherwise held responsible for any Transactions or Code Set compliance issue and such non-compliance is related to CONTRACTOR’s actions or omissions, CONTRACTOR shall reimburse EXABEAM for all such fines, penalties, or other associated costs imposed on EXABEAM.

12. Miscellaneous

12.1 Third Party Rights. Except as required by law, the terms of this BAA do not grant any rights to any third parties.

12.2 Independent Contractor Status. For the purposes of this BAA, CONTRACTOR is an independent contractor of EXABEAM, and shall not be considered an agent of EXABEAM. Nothing in this BAA or any services or similar agreement between the parties shall give rise to an agency relationship between EXABEAM and CONTRACTOR, and the parties expressly disclaim the existence of any such relationship.

12.3 Compliance with Laws. CONTRACTOR, including but not limited to its Third Parties, agrees to comply with all applicable state and federal laws, statutes, regulations, rulings, or enactments of any governmental authority governing the use of PHI and PII, including, without limitation, state data breach security laws applicable to each Data Subject.

12.4 Changes in Law. EXABEAM and CONTRACTOR agree to take such action as is necessary to amend this BAA from time to time as is necessary for compliance with the requirements of HIPAA and any other applicable law. The parties shall amend this BAA to conform to any new or revised legislation, rules, or regulations to which EXABEAM is subject now or in the future including, without limitation, HIPAA.

12.5 Ownership. Under no circumstances shall CONTRACTOR be deemed in any respect to be the owner of any PHI or PII of or provided by EXABEAM.

12.6 Ambiguity and Amendments to Law. Any ambiguity in this BAA shall be interpreted to permit compliance with HIPAA. In the event HIPAA, or any other applicable law, becomes effective after the Effective Date of this BAA, this BAA will automatically be amended so that the obligations it imposes on CONTRACTOR remain in compliance with such regulations.

12.7 Subpoenas and Court Orders. In the event CONTRACTOR receives a subpoena, court or administrative order, or other discovery request or mandate for release of PHI or PII, CONTRACTOR shall notify EXABEAM in writing prior to responding to such request to enable EXABEAM to object. CONTRACTOR shall notify EXABEAM of the request as soon as reasonably practicable, but in any event within two (2) business days of receipt of such request.

12.8 Equitable Relief. CONTRACTOR stipulates that its unauthorized use or disclosure of PHI or PII while performing services pursuant to this BAA would cause irreparable harm to EXABEAM and, in such event, EXABEAM shall be entitled to institute proceedings in any court of competent jurisdiction to obtain damages and injunctive relief.

12.9 Indemnification. Notwithstanding any limitation of liability provided in this or any other agreements, including statements of work, between the parties, CONTRACTOR shall indemnify and hold harmless EXABEAM and its officers, trustees, employees, affiliates, agents, subcontractors, and any of its customers, from any and all claims, penalties, fines, costs, liabilities, or damages, including but not limited to reasonable attorney fees, incurred by EXABEAM arising from or in connection with: (i) CONTRACTOR’s violation of any obligations under this BAA; or (ii) any government fines and penalties, or third party claims, damages, fines, costs, or other related harm associated with Notification Events. CONTRACTOR further agrees to indemnify and hold EXABEAM, or in such case that EXABEAM functions as a business associate to one or more covered entities, each and every one of its covered entity business partners or customers harmless from any and all liability, damages, costs (including reasonable attorney fees and costs) and expenses imposed upon or asserted against EXABEAM and any of its covered entity business partners or customers arising out of any claims, demands, awards, settlements, fines, or judgments relating to CONTRACTOR’s access, use, or disclosure of PHI or PII contrary to the provisions of this BAA or applicable law. Notwithstanding anything to the contrary in the Agreement, any breach of this BAA by CONTRACTOR and the foregoing indemnification obligations shall not be subject to any limitation of liability set forth in the Agreement.

Version 200310