Confidential

HIPAA Business Associate Addendum

  1. SECTION II - OBLIGATIONS AND ACTIVITIES OF BUSINESS ASSOCIATE
    1. Performance of Services. To the extent that the provision of Maven’s services under the Underlying Agreement renders Maven a Business Associate, as defined by HIPAA, Business Associate, its agents and employees (collectively referred to as “Business Associate”) agrees not to use or further disclose PHI other than as permitted or required by this BAA or as Required by Law.
    2. Safeguards for Protection of PHI. In accordance with 45 CFR Part 164, Subpart C, Business Associate shall develop, implement, maintain and use appropriate administrative, technical and physical safeguards to prevent the use or disclosure of PHI, in any form or media, received from, or created or received by Business Associate on behalf of, Covered Entity, other than as provided for by this BAA. Business Associate shall document and keep such security measures current.
    3. Reporting of Unauthorized Use and/or Security Breach. Business Associate will promptly report to Covered Entity any breach of security or use or disclosure of PHI, including breaches of unsecured PHI, as required by 45 CFR§164.410, upon becoming aware of such breach and in no case later than thirty (30) calendar days after discovery. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a security breach or use or disclosure of PHI by Business Associate in violation of the requirements of this BAA.
    4. Responding to and Reporting Security Incidents. Business Associate shall implement policies and procedures to address Security Incidents. Such policies and procedures shall include provisions for identifying and responding to suspected or known Security Incidents, mitigating, to the extent practicable, harmful effects of Security Incidents that are known to the Business Associate, and documenting Security Incidents and their outcomes. Business Associate shall promptly notify Covered Entity of any Security Incident of which it becomes aware, in accordance with 45 CFR §164.314; provided, however, the obligation to report a Security Incident shall not include the reporting of immaterial incidents such as unsuccessful attempts to penetrate Business Associate’s information systems.
    5. Use of Subcontractors. Business Associate agrees to ensure that any agent and/or subcontractor, to whom it provides PHI received from, or created or received by Business Associate, on behalf of Covered Entity, and who creates, maintains, or transmits PHI on behalf of Business Associate, adheres to the same restrictions and conditions that apply through this BAA to Business Associate with respect to such information.
    6. Access to PHI. Business Associate agrees to provide access to PHI in a Designated Record Set in order to meet the requirements under 45 CFR §164.524. In the event that Business Associate, in connection with the services, uses or maintains an Electronic Health Record of information of or about an Individual, then Business Associate shall upon request by Covered Entity or the Individual provide an electronic copy of the PHI to the Covered Entity or to the Individual or a third party designated by the Individual, all in accordance with 45 CFR §164.524(c)(2)(ii).
    7. Amendments by Business Associate. Business Associate agrees to make available for amendment and incorporate any amendment(s) to PHI in a Designated Record Set that the Covered Entity directs or agrees to pursuant to 45 CFR §164.526.
    8. Access by DHHS. Business Associate agrees to make its internal practices, books and records including policies and procedures and PHI relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of, Covered Entity available to the Secretary for the purposes of the Secretary determining Covered Entity’s and Business Associate’s compliance with HIPAA and its implementing regulations.
    9. Accounting of Disclosures. Business Associate agrees to document disclosures of PHI and information related to such disclosures and to make an accounting of disclosures available to Covered Entity, or take other measures as reasonably necessary to satisfy Covered Entity’s obligations under 45 CFR §164.528.
    10. Carrying Out Obligations of Covered Entity. To the extent Business Associate is to carry out Covered Entity’s obligations under 45 CFR Part 164, Subpart E, Business Associate shall comply with the requirements of such Subpart that apply to the Covered Entity in the performance of such obligations.
    11. Security of Electronic PHI. Business Associate shall develop, implement, maintain and use appropriate administrative, technical and physical safeguards to preserve the confidentiality, integrity and availability of all electronic PHI received from, or created or received by Business Associate, on behalf of Covered Entity, which pertains to an Individual. Business Associate shall comply with the requirements set forth in 45 CFR §§164.306, 164.308, 164.310, 164.312, 164.314 and 164.316.
    12. Electronic Transactions and Code Set Standards. If Business Associate conducts any Standard Transaction for, or on behalf of, Covered Entity, Business Associate shall comply, and shall require any subcontractor or agent conducting such Standard Transaction to comply, with each applicable requirement of 45 CFR Part 162.
  2. SECTION III - PERMITTED USES AND DISCLOSURES BY BUSINESS ASSOCIATE
    1. General. Except as otherwise limited in this BAA or as provided in Section 3.2, Business Associate may use or disclose PHI to perform functions, activities, or services for, or on behalf of, Covered Entity as specified in the Underlying Agreement, provided that such use or disclosure would not violate HIPAA if done by the Covered Entity or the “minimum necessary” policies and procedures of the Covered Entity. Except as permitted by this BAA, Covered Entity shall not request or require Business Associate to use or disclose PHI in any manner that would not be permissible under HIPAA if done by the Covered Entity.
    2. Specific. Except as otherwise limited in this BAA, Business Associate may use PHI if necessary for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate. Except as otherwise limited in this BAA, Business Associate may disclose PHI if necessary to carry out the legal responsibilities of the Business Associate, provided that disclosure is required by law, or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as required by law or for the purpose for which it was disclosed to the person, and the person notifies the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached. Except as otherwise limited in this BAA, Business Associate may use PHI to provide Data Aggregation services to Covered Entity as permitted by 45 CFR §164.504(e)(2)(i)(B). Business Associate may use PHI to report violations of law to appropriate Federal and State authorities, consistent with 45 CFR§164.502(j)(1).
    3. Except as otherwise limited in this BAA, Business Associate may de-identify PHI provided that the de- identification conforms to the requirements of the Privacy and Security Standards. The parties acknowledge and agree that de-identified data does not constitute PHI and is not subject to the terms of this BAA. Business Associate may use and disclose de-identified health information for any purpose permitted by law.
    4. Minimum Necessary. Business Associate shall request, use and/or disclose only the minimum amount of PHI necessary to accomplish the purpose of the request, use and/or disclosure.
  3. SECTION IV - OBLIGATIONS OF COVERED ENTITY
    1. Permissible Requests. Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under HIPAA if done by Covered Entity (except as permitted by Article 3 of this BAA).
    2. Minimum Necessary. When Covered Entity discloses PHI to Business Associate, Covered Entity shall provide the minimum amount of PHI necessary for the accomplishment of Business Associate’s purposes under the Underlying Agreement.
    3. Permissions; Restrictions. Covered Entity warrants that it has obtained and will obtain any consents, authorizations and/or other legal permissions required under HIPAA and other applicable law for the disclosure of PHI to Business Associate. Covered Entity shall notify Business Associate of any changes in, or revocation of, the permission by an Individual to use or disclose his or her PHI, to the extent that such changes may affect Business Associate’s use of disclosure of PHI. Covered Entity shall not agree to any restriction on the use of disclosure of PHI under 45 CFR 164.522 that restricts Business Associate’s use or disclosure of PHI under the Underlying Agreement unless such restriction is Required by Law or Business Associate grants its written consent.
    4. Notice of Privacy Practices. Except as Required by Law, with Business Associate’s consent, or this BAA, Covered Entity shall not include any limitation in the Covered Entity’s notice of privacy practices that limits Business Associate’s use or disclosure of PHI under any other agreement between the parties.
  4. SECTION V - TERM/TERMINATION
    1. Term. The term of this BAA shall be effective as of the Effective Date stated below and shall terminate upon the termination of the Underlying Agreement.
    2. Effect of Termination.
      1. Upon termination of this BAA for any reason, Business Associate, with respect to PHI received from Covered Entity, or created, maintained, or received by Business Associate on behalf of Covered Entity, shall:
        1. Retain only that PHI which is necessary to carry out its legal responsibilities;
        2. Return to Covered Entity (or, if agreed to in writing by Covered Entity, destroy) the remaining PHI that Business Associate still maintains in any form;
        3. Continue to use appropriate safeguards and comply with 45 CFR Part 164 Subpart C with respect to electronic PHI to prevent use or disclosure of the PHI, other than as provided for in this Subsection, for so long as Business Associate retains the PHI;
        4. Not use or disclose PHI retained by Business Associate other than for the purposes for which such PHI was retained and subject to the same conditions set forth in Section 3.2 that applied prior to termination; and
        5. Return to Covered Entity (or, if agreed to in writing by Covered Entity, destroy) the PHI retained by Business Associate when it is no longer needed by Business Associate to carry out its legal responsibilities.
      2. In the event that Business Associate determines that returning or destroying the PHI is infeasible, Business Associate shall provide to Covered Entity notification of the conditions that make return or destruction infeasible. Upon mutual agreement of the parties in writing that return or destruction of PHI is infeasible, Business Associate shall extend the protections of this BAA to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such PHI.
  5. SECTION VI - MISCELLANEOUS
    1. Priority of BAA. If any portion of this BAA is inconsistent with the terms of the Underlying Agreement, the terms of this BAA shall prevail. Except as set forth above, the remaining provisions of the Underlying Agreement shall remain unchanged.
    2. Documentation. Both parties shall retain all documentation required by HIPAA for six (6) years from the date of its creation or the date when the document was last in effect, whichever is later.
    3. Construction. This BAA shall be construed as broadly as necessary to implement and comply with ARRA and the HIPAA regulations. The parties agree that any ambiguity in this BAA shall be resolved in favor of a meaning that complies and is consistent with ARRA and HIPAA regulations.
    4. Modification of BAA. The parties recognize that this BAA may need to be modified from time to time to ensure consistency with amendments to and changes in applicable federal and state laws and regulations, including, but not limited to HIPAA. The parties agree to execute any additional amendments to this BAA reasonably necessary for each Party to comply with HIPAA. This BAA shall not be waived, amended or altered, in whole or in part, except in writing signed by the parties.

This HIPAA Business Associate Agreement (the "BAA") is incorporated into and forms part of the agreement between the Customer and Maven Clinic, Co. ("Maven") under which Maven provides the Services (the "Agreement"). Unless otherwise defined herein, capitalized terms used in this BAA have the same meaning given to them under the Agreement. Customer enters into this BAA on behalf of itself and in the name and on behalf of its Affiliates permitted to use the Services under the Agreement.


WHEREAS, pursuant to that certain Order Form and Maven Management Agreement, effective as of the Effective Date (the “Underlying Agreement”), and to the extent that Maven performs services under the Underlying Agreement that renders Maven a Business Associate under HIPAA, in connection with those services, Covered Entity discloses to Business Associate and/or Business Associate discloses and/or uses certain protected health information (“PHI”) that is subject to protection under the Health Insurance Portability and Accountability Act of 1996, as amended from time to time (“HIPAA”);


WHEREAS, the parties desire to comply with the HIPAA standards for the privacy and security of PHI;


NOW THEREFORE, for and in consideration of the recitals above and the mutual covenants and conditions herein contained, Covered Entity and Business Associate enter into this BAA to provide a full statement of their respective responsibilities.

SECTION I – DEFINITIONS

Unless otherwise provided herein, capitalized terms shall have the same meaning as set forth in HIPAA, as amended, and its implementing regulations.


“ARRA” - shall mean the Health Information Technology for Economic and Clinical Health Act provisions of the American Recovery and Reinvestment Act of 2009, Pub. Law No. 111-5 and its implementing regulations. References in this BAA to a section or subsection of title 42 of the United States Code are references to sections of ARRA, and any reference to provisions of ARRA in this BAA shall be deemed a reference to that provision and its existing and future implementing regulations, when and as each is effective.


“Designated Record Set” has the meaning given to such term under HIPAA, including 45 CFR §164.501.B.


“HIPAA” - The term “HIPAA” shall mean the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations, as amended by the Health Information Technology for Economic and Clinical Health Act, and as otherwise amended from time to time.


“Individual” - The term “Individual” shall have the same meaning as the term “Individual” in 45 CFR Section


160.103 and shall include a person who qualifies as a personal representative in accordance with 45 CFR §164.502(g).


“Privacy Rule” - The term “Privacy Rule” shall mean the Standards for Privacy of Individually Identifiable Health Information at 45 CFR Part 160 and Part 164, Subparts A and E.


“Protected Health Information or PHI” - The term “Protected Health Information” or “PHI” shall have the same meaning as the term “Protected Health Information” in 45 CFR §160.103, limited to the information created or received by Business Associate from or on behalf of Covered Entity.


“Required by Law” - The term “required by law” shall have the same meaning as the term “required by law” in 45 CFR §164.103.


“Secretary” - The term “Secretary” shall mean the Secretary of the United States Department of Health and Human Services or his/her designee.


“Security Rule” - The term “Security Rule” shall mean the Security Standards for the Protection of Electronic Protected Health Information at 45 CFR Part 160 and Part 164, Subparts A and C

SECTION II - OBLIGATIONS AND ACTIVITIES OF BUSINESS ASSOCIATE

  1. Performance of Services. To the extent that the provision of Maven’s services under the Underlying Agreement renders Maven a Business Associate, as defined by HIPAA, Business Associate, its agents and employees (collectively referred to as “Business Associate”) agrees not to use or further disclose PHI other than as permitted or required by this BAA or as Required by Law.
  2. Safeguards for Protection of PHI. In accordance with 45 CFR Part 164, Subpart C, Business Associate shall develop, implement, maintain and use appropriate administrative, technical and physical safeguards to prevent the use or disclosure of PHI, in any form or media, received from, or created or received by Business Associate on behalf of, Covered Entity, other than as provided for by this BAA. Business Associate shall document and keep such security measures current.
  3. Reporting of Unauthorized Use and/or Security Breach. Business Associate will promptly report to Covered Entity any breach of security or use or disclosure of PHI, including breaches of unsecured PHI, as required by 45 CFR §164.410, upon becoming aware of such breach and in no case later than thirty (30) calendar days after discovery. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a security breach or use or disclosure of PHI by Business Associate in violation of the requirements of this BAA.
  4. Responding to and Reporting Security Incidents. Business Associate shall implement policies and procedures to address Security Incidents. Such policies and procedures shall include provisions for identifying and responding to suspected or known Security Incidents, mitigating, to the extent practicable, harmful effects of Security Incidents that are known to the Business Associate, and documenting Security Incidents and their outcomes. Business Associate shall promptly notify Covered Entity of any Security Incident of which it becomes aware, in accordance with 45 CFR §164.314; provided, however, the obligation to report a Security Incident shall not include the reporting of immaterial incidents such as unsuccessful attempts to penetrate Business Associate’s information systems.
  5. Use of Subcontractors. Business Associate agrees to ensure that any agent and/or subcontractor, to whom it provides PHI received from, or created or received by Business Associate, on behalf of Covered Entity, and who creates, maintains, or transmits PHI on behalf of Business Associate, adheres to the same restrictions and conditions that apply through this BAA to Business Associate with respect to such information.
  6. Access to PHI. Business Associate agrees to provide access to PHI in a Designated Record Set in order to meet the requirements under 45 CFR §164.524. In the event that Business Associate, in connection with the services, uses or maintains an Electronic Health Record of information of or about an Individual, then Business Associate shall upon request by Covered Entity or the Individual provide an electronic copy of the PHI to the Covered Entity or to the Individual or a third party designated by the Individual, all in accordance with 45 CFR §164.524(c)(2)(ii).
  7. Amendments by Business Associate. Business Associate agrees to make available for amendment and incorporate any amendment(s) to PHI in a Designated Record Set that the Covered Entity directs or agrees to pursuant to 45 CFR §164.526.
  8. Access by DHHS. Business Associate agrees to make its internal practices, books and records including policies and procedures and PHI relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of, Covered Entity available to the Secretary for the purposes of the Secretary determining Covered Entity’s and Business Associate’s compliance with HIPAA and its implementing regulations.
  9. Accounting of Disclosures. Business Associate agrees to document disclosures of PHI and information related to such disclosures and to make an accounting of disclosures available to Covered Entity, or take other measures as reasonably necessary to satisfy Covered Entity’s obligations under 45 CFR §164.528.
  10. Carrying Out Obligations of Covered Entity. To the extent Business Associate is to carry out Covered Entity’s obligations under 45 CFR Part 164, Subpart E, Business Associate shall comply with the requirements of such Subpart that apply to the Covered Entity in the performance of such obligations.
  11. Security of Electronic PHI. Business Associate shall develop, implement, maintain and use appropriate administrative, technical and physical safeguards to preserve the confidentiality, integrity and availability of all electronic PHI received from, or created or received by Business Associate, on behalf of Covered Entity, which pertains to an Individual. Business Associate shall comply with the requirements set forth in 45 CFR §§164.306, 164.308, 164.310, 164.312, 164.314 and 164.316.
  12. Electronic Transactions and Code Set Standards. If Business Associate conducts any Standard Transaction for, or on behalf of, Covered Entity, Business Associate shall comply, and shall require any subcontractor or agent conducting such Standard Transaction to comply, with each applicable requirement of 45 CFR Part 162.
  13. Reproductive Health Care Data. Business Associate agrees to prohibit the use and disclosure of Protected Health Information for any reason specified in 45 CFR § 164.502(a)(5)(iii). Furthermore, Business Associate agrees to require a valid attestation (in compliance with the requirements outlined in 45 CFR § 164.509(b)(1)) before using or disclosing Protected Health Information potentially related to Reproductive Health Care for any of the following purposes: health oversight activities, judicial and administrative proceedings, law enforcement purposes, or disclosures to coroners and medical examiners. Furthermore, Business Associate will cease use and disclosure and promptly notify Covered Entity after it acquires actual knowledge that material information in the attestation is false, or discovers information reasonably showing that any representation made in the attestation was materially false, leading to a use or disclosure prohibited by 45 CFR § 164.502(a)(5)(iii).

SECTION III - PERMITTED USES AND DISCLOSURES BY BUSINESS ASSOCIATE

  1. General. Except as otherwise limited in this BAA or as provided in Section 3.2, Business Associate may use or disclose PHI to perform functions, activities, or services for, or on behalf of, Covered Entity as specified in the Underlying Agreement, provided that such use or disclosure would not violate HIPAA if done by the Covered Entity or the “minimum necessary” policies and procedures of the Covered Entity. Except as permitted by this BAA, Covered Entity shall not request or require Business Associate to use or disclose PHI in any manner that would not be permissible under HIPAA if done by the Covered Entity.
  2. Specific. Except as otherwise limited in this BAA, Business Associate may use PHI if necessary for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate.
  3. Except as otherwise limited in this BAA, Business Associate may disclose PHI if necessary to carry out the legal responsibilities of the Business Associate, provided that disclosure is required by law, or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as required by law or for the purpose for which it was disclosed to the person, and the person notifies the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached. Except as otherwise limited in this BAA, Business Associate may use PHI to provide Data Aggregation services to Covered Entity as permitted by 45 CFR §164.504(e)(2)(i)(B). Business Associate may use PHI to report violations of law to appropriate Federal and State authorities, consistent with 45 CFR §164.502(j)(1).
  4. De-Identification and Minimum Necessary. Except as otherwise limited in this BAA, Business Associate may de-identify PHI provided that the de-identification conforms to the requirements of the Privacy and Security Standards. The parties acknowledge and agree that de-identified data does not constitute PHI and is not subject to the terms of this BAA. Business Associate may use and disclose de-identified health information for any purpose permitted by law. Business Associate shall request, use and/or disclose only the minimum amount of PHI necessary to accomplish the purpose of the request, use and/or disclosure.

SECTION IV – OBLIGATIONS OF COVERED ENTITY

  1. Permissible Requests. Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under HIPAA if done by Covered Entity (except as permitted by Article 3 of this BAA).
  2. Minimum Necessary. When Covered Entity discloses PHI to Business Associate, Covered Entity shall provide the minimum amount of PHI necessary for the accomplishment of Business Associate’s purposes under the Underlying Agreement.
  3. Permissions; Restrictions. Covered Entity warrants that it has obtained and will obtain any consents, authorizations and/or other legal permissions required under HIPAA and other applicable law for the disclosure of PHI to Business Associate. Covered Entity shall notify Business Associate of any changes in, or revocation of, the permission by an Individual to use or disclose his or her PHI, to the extent that such changes may affect Business Associate’s use of disclosure of PHI. Covered Entity shall not agree to any restriction on the use of disclosure of PHI under 45 CFR 164.522 that restricts Business Associate’s use or disclosure of PHI under the Underlying Agreement unless such restriction is Required by Law or Business Associate grants its written consent.
  4. Notice of Privacy Practices. Except as Required by Law, with Business Associate’s consent, or this BAA, Covered Entity shall not include any limitation in the Covered Entity’s notice of privacy practices that limits Business Associate’s use or disclosure of PHI under any other agreement between the parties.

SECTION V - TERM/TERMINATION

  1. Term. The term of this BAA shall be effective as of the Effective Date stated below and shall terminate upon the termination of the Underlying Agreement, unless terminated earlier in accordance with this Section V.
  2. Effect of Termination.
    1. Upon termination of this BAA for any reason, Business Associate, with respect to PHI received from Covered Entity, or created, maintained, or received by Business Associate on behalf of Covered Entity, shall:
      1. Retain only that PHI which is necessary for Business Associate to continue its proper management and administration or to carry out its legal responsibilities;
      2. Return to Covered Entity (or, if agreed to in writing by Covered Entity, destroy) the remaining PHI that Business Associate still maintains in any form;
      3. Continue to use appropriate safeguards and comply with 45 CFR Part 164 Subpart C with respect to electronic PHI to prevent use or disclosure of the PHI, other than as provided for in this Subsection, for so long as Business Associate retains the PHI;
      4. Not use or disclose PHI retained by Business Associate other than for the purposes for which such PHI was retained and subject to the same conditions set forth in Section 3.2 that applied prior to termination; and
      5. Return to Covered Entity (or, if agreed to in writing by Covered Entity, destroy) the PHI retained by Business Associate when it is no longer needed by Business Associate to carry out its legal responsibilities.
    2. In the event that Business Associate determines that returning or destroying the PHI is infeasible, Business Associate shall provide to Covered Entity notification of the conditions that make return or destruction infeasible. Upon mutual agreement of the parties in writing that return or destruction of PHI is infeasible, Business Associate shall extend the protections of this BAA to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such PHI.

SECTION VI - MISCELLANEOUS

  1. Priority of BAA. If any portion of this BAA is inconsistent with the terms of the Underlying Agreement, the terms of this BAA shall prevail. Except as set forth above, the remaining provisions of the Underlying Agreement shall remain unchanged.
  2. Documentation. Both parties shall retain all documentation required by HIPAA for six (6) years from the date of its creation or the date when the document was last in effect, whichever is later.
  3. Construction. This BAA shall be construed as broadly as necessary to implement and comply with ARRA and the HIPAA regulations. The parties agree that any ambiguity in this BAA shall be resolved in favor of a meaning that complies and is consistent with ARRA and HIPAA regulations.
  4. Modification of BAA. The parties recognize that this BAA may need to be modified from time to time to ensure consistency with amendments to and changes in applicable federal and state laws and regulations, including, but not limited to HIPAA. The parties agree to execute any additional amendments to this BAA reasonably necessary for each Party to comply with HIPAA. This BAA shall not be waived, amended or altered, in whole or in part, except in writing signed by the parties.
Business Associate:
MAVEN CLINIC CO.
By: 		Covered Entity:
By:
Name: Name:
Title: Title:
Date: Date:
Address (including email address) For Notice: Maven Clinic Co.
160 Varick, 6th Floor
New York, NY 10013 Attn: General Counsel
Email: contracts@mavenclinic.com 		Address (including email address) for Notice:

Last updated: Aug 01, 2025