EXHIBIT B

TRUBLU DENTAL LINE BUSINESS ASSOCIATE AGREEMENT

In accordance with the regulations set forth in 45 C.F.R. Parts 160 and 164 issued pursuant to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the Health Information Technology for Economic and Clinical Health Act (“HITECH”) set forth in 42 U.S.C. § 17921 et seq., Customer (“Covered Entity” or “Entity”) and TruBlu Dental Line, LLC, a Delaware Limited Liability Corporation (“Business Associate”) agree to this EXHIBIT B to Business Associate’s Terms of Service. Covered Entity and Business Associate are sometimes hereinafter referred to individually as a “Party” and collectively as the “Parties.”

RECITALS

  • Covered Entity is a “covered entity,” as defined in HIPAA.
  • HIPAA requires covered entities to protect the privacy of “Protected Health Information” (as defined below) by entering into agreements with persons and entities providing services for covered entities that involve the use or disclosure of protected health information.
  • Business Associate is directly subject to HITECH and certain HIPAA provisions.
  • Business Associate has been engaged by Covered Entity to provide certain services that involve the use or disclosure of Protected Health Information (the “Services”).
  • The Parties desire to continue their business relationship in a manner consistent with HIPAA and HITECH.

NOW THEREFORE, in exchange for good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the Parties agree to incorporate the foregoing recitals as rewritten herein and further agree as follows:

  1. Definitions
    1. Generally. The following terms used in this Agreement shall have the same meaning as those terms in the HIPAA Rules (as defined below): Breach, Data Aggregation, Designated Record Set, Disclosure, Health Care Operations, Individual, Minimum Necessary, Notice of Privacy Practices, Protected Health Information, Required By Law, Secretary, Security Incident, Subcontractor, Unsecured Protected Health Information, Use, and Workforce.
    2. Business Associate. “Business Associate” shall generally have the same meaning as the term “business associate” at 45 C.F.R. §160.103, and in reference to the party to this agreement, shall mean TruBlu Dental Line, LLC.
    3. Covered Entity. “Covered Entity” shall generally have the same meaning as the term “covered entity” at 45 C.F.R. §160.103, and in reference to the party to this Agreement, shall mean Customer.
    4. HIPAA Rules. “HIPAA Rules” shall mean the Privacy, Security, Breach Notification, and Enforcement Rules at 45 C.F.R. Part 160 and Part 164.
  2. Obligations of Business Associate
    1. Use or Disclosure of Information.
      1. Business Associate shall not Use or Disclose Protected Health Information other than as required to perform the Services or as Required By Law. Moreover, Business Associate shall at all times comply with the provisions of the HIPAA Rules applicable to Business Associate.
      2. Business Associate agrees to limit Uses and Disclosures and requests for Protected Health Information to the Minimum Necessary.
      3. Business Associate shall not Use or Disclose Protected Health Information in a manner that would violate Subpart E of 45 C.F.R. Part 164 if done by Covered Entity except for the specific Uses and Disclosures set forth in paragraphs iv, v, and vi below.
      4. Business Associate may Use Protected Health Information for the proper management and administration of the Business Associate or to carry out the Business Associate’s legal responsibilities.
      5. Business Associate may Disclose Protected Health Information for the proper management and administration of Business Associate or to carry out the Business Associate’s legal responsibilities, provided the Disclosures are Required by Law, or Business Associate obtains reasonable assurances from the person to whom the information is Disclosed that the information shall remain confidential and Used or further Disclosed only as Required by Law or for the purposes for which it was Disclosed to the person, and the person notifies Business Associate of any instances of which it is aware in which the confidentiality of the information has been Breached.
      6. Business Associate may provide Data Aggregation services relating to the Health Care Operations of the Covered Entity.
    2. Safeguards. Business Associate shall use appropriate administrative, physical and technical safeguards, and comply with Subpart C of 45 C.F.R. Part 164 with respect to electronic Protected Health Information, to prevent Use or Disclosure of Protected Health Information other than as provided for by this Agreement, including, without limitation, appropriate training and discipline of Business Associate’s Workforce and restrictions on access to Protected Health Information.
    3. Mitigation. Business Associate shall immediately mitigate any harmful effect resulting from Use or Disclosure of Protected Health Information by Business Associate, or its Subcontractors or agents, in violation of the requirements of this Agreement.
    4. Reporting Breaches. Business Associate shall notify Covered Entity upon Business Associate’s discovery of a Breach of Unsecured Protected Health Information within ten (10) days of Business Associate’s discovery of such Breach. Such notice shall include the identification of each individual whose Unsecured Protected Health Information has been, or is reasonably believed by Business Associate to have been, accessed, acquired, or disclosed during such Breach. Business Associate shall reasonably cooperate with and assist Covered Entity in making notification to third parties as required by the HIPAA Rules in the event of a Breach due solely to Business Associate.
    5. Reporting Noncompliance. Business Associate shall report to Covered Entity any:
      1. Use or Disclosure of Protected Health Information not expressly provided for by this Agreement within ten (10) days of Business Associate’s discovery of such Use or Disclosure; and
      2. Any Security Incident of which Business Associate becomes aware in the following manner: (i) any actual, successful Security Incident shall be reported to Covered Entity in writing, after reasonable investigation by Business Associate; and (ii) any attempted, unsuccessful Security Incident, of which Business Associate becomes aware, shall be reported to Entity in writing, on a reasonable basis. If the HIPAA Rules are amended to remove the requirement to report unsuccessful attempts at unauthorized access, this subsection shall no longer apply as of the effective date of the amendment of the HIPAA Rules. Notwithstanding the foregoing, the parties acknowledge and agree that this Section 2.e constitutes notice by Business Associate to Covered Entity of the ongoing existence and occurrence or attempts of Unsuccessful Security Incidents for which no additional notice to Covered Entity shall be required. “Unsuccessful Security Incidents” means, without limitation, pings and other broadcast attacks on Business Associate’s firewall, port scans, unsuccessful log-on attempts, denial of service attacks, and any combination of the above, so long as no such incident results in unauthorized access, Use, or Disclosure of Covered Entity’s electronic PHI.
    6. Subcontractors and Agents. In accordance with 45 C.F.R. §164.502(e)(1)(ii) and 164.308(b)(2), Business Associate shall, if applicable, ensure that any Subcontractors or agents that create, receive, maintain, or transmit Protected Health Information on the Business Associate’s behalf agree in writing to the same restrictions, conditions, and requirements that apply to the Business Associate with respect to such information.
    7. Access. Within fifteen (15) business days of receipt of a request from Covered Entity, Business Associate shall make available Protected Health Information in a Designated Record Set or otherwise provide access to Protected Health Information to the Covered Entity and/or the Individual in order to comply with the Individual’s right to access Protected Health Information as provided in 45 C.F.R. § 164.524.
    8. Accounting. Business Associate shall maintain and, within fifteen (15) business days of receipt of a request from Covered Entity, make available the information required to provide an accounting of Disclosures to the Covered Entity and/or the Individual as necessary to satisfy Covered Entity’s obligations under 45 C.F.R. §164.528. If an Individual makes a request for an accounting of Disclosures directly to Business Associate, Business Associate shall provide such accounting to the Individual within fifteen (15) business days of receipt of the request.
    9. Amendments. Business Associate shall make any amendment(s) to Protected Health Information in a Designated Record Set as directed or agreed to by the Covered Entity pursuant to 45 C.F.R. §164.526, or take other measures as necessary to satisfy Covered Entity’s obligations under 45 C.F.R. §164.526, within fifteen (15) business days of Business Associate’s receipt of such request.
    10. Compliance With Investigations. Business Associate shall make all internal practices, books, records, and agreements with Subcontractors and agents relating to the Use and Disclosure of Protected Health Information received or maintained pursuant to this Agreement available to Covered Entity or the Secretary for purposes of determining Covered Entity’s and/or Business Associate’s compliance with the HIPAA Rules.
    11. Subpoenas. Business Associate shall notify Covered Entity within five (5) business days of Business Associate’s receipt of any subpoena, discovery request, or other lawful process for Protected Health Information that is not accompanied by an order of a court or administrative tribunal. To the extent that Covered Entity decides to assume responsibility for challenging the validity of such request, Business Associate agrees to cooperate fully with Covered Entity in such challenge.
    12. Performance of Covered Entity’s Obligations. To the extent Business Associate is to carry out any obligation of Covered Entity under the HIPAA Rules, Business Associate shall agree to comply with the same requirements that apply to Covered Entity in the performance of such obligation.
  3. Obligations of Covered Entity
    1. Notice of Privacy Practices and Restrictions.
      1. Covered Entity shall notify Business Associate of any limitation(s) in Covered Entity’s notice of privacy practices under 45 C.F.R. §164.520, to the extent that such limitation may affect Business Associate’s Use or Disclosure of Protected Health Information.
      2. Covered Entity shall notify Business Associate of any changes in, or revocation of, the permission by an individual to Use or Disclose his or her Protected Health Information, to the extent that such changes may affect Business Associate’s Use or Disclosure of Protected Health Information.
      3. Covered Entity shall notify Business Associate of any restriction on the Use or Disclosure of Protected Health Information that Covered Entity has agreed to or is required to abide by under 45 C.F.R. §164.522, to the extent that such restriction may affect Business Associate’s Use or Disclosure of Protected Health Information.
    2. Minimum Necessary. Covered Entity shall limit any disclosure of PHI to the Minimum Necessary to accomplish the intended purpose of such Disclosure, as specified by the HIPAA Rules and any relevant guidance by the U.S. Department of Health and Human Services.
    3. Permissible Requests by Covered Entity. Covered Entity shall not request Business Associate to Use or Disclose Protected Health Information in any manner that would not be permissible under Subpart E of 45 C.F.R. Part 164 if done by Covered Entity, except for the specific Uses or Disclosures set forth in paragraphs iv, v, and vi of Section 2.a.
  4. Termination
    1. Term. The term of this Agreement shall begin on the Effective Date and shall terminate upon the termination or expiration of the engagement for the Services or on the date either Party terminates this Agreement for cause as authorized in paragraph “b” of this Section, whichever is sooner.
    2. Cause for Termination. Either Party may immediately terminate this Agreement and the engagement for the Services upon a material breach of the provisions of this Agreement or the HIPAA Rules by the other Party. Termination shall be effective upon delivery of written notice of termination to the other Party.
    3. Effect of Termination. Upon termination of this Agreement for any reason, Business Associate, with respect to Protected Health Information received from Covered Entity, or created, maintained, or received by Business Associate on behalf of Covered Entity, shall:
      1. Retain only that Protected Health Information which is necessary for Business Associate to continue its proper management and administration or to carry out its legal responsibilities;
      2. Return to Covered Entity or, if agreed to by Covered Entity, destroy the remaining Protected Health Information that the Business Associate maintains in any form;
      3. Continue to use appropriate safeguards and comply with Subpart C of 45 C.F.R. Part 164 with respect to electronic Protected Health Information to prevent Use or Disclosure of the Protected Health Information, other than as provided for in this Section 4.c, for as long as Business Associate retains the Protected Health Information;
      4. Not Use or Disclose the Protected Health Information retained by Business Associate other than for the purposes for which such Protected Health Information was retained and subject to the same conditions set forth in Section 2.a which applied prior to termination; and
      5. Return to Covered Entity or, if agreed to by Covered Entity, destroy the Protected Health Information retained by Business Associate when it is no longer needed by Business Associate for its proper management and administration or to carry out its legal responsibilities.
    4. Survival. The obligations of Covered Entity under this Section and Section 5 shall survive the termination or expiration of this Agreement and Business Associate’s Terms of Service.
  5. Indemnification
    1. Indemnification of Covered Entity by Business Associate. Business Associate shall indemnify, defend and hold Covered Entity, and any of Covered Entity’s officers, employees, representatives, agents, successors or assigns, harmless from and against any liability and costs, including attorneys’ fees, arising from a violation of HIPAA due solely to the acts or omissions of Business Associate.
    2. Indemnification of Business Associate by Covered Entity. Covered Entity shall indemnify, defend and hold Business Associate, and any of Business Associate’s officers, employees, representatives, agents, successors or assigns, harmless from and against any liability and costs, including attorneys’ fees, arising from a violation of HIPAA due solely to the acts or omissions of Covered Entity.
  6. Miscellaneous
    1. Regulatory References. A reference in this Agreement to a section in the HIPAA Rules means the section as in effect or as amended, and for which compliance is required.
    2. Amendment. The Parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary or appropriate for the Parties to comply with the requirements of the HIPAA Rules.
    3. Remedies. Covered Entity hereby agrees that Business Associate may suffer irreparable damage upon Covered Entity’s breach of this Agreement and that such damages shall be difficult to quantify. Covered Entity hereby agrees that, in addition to all other available remedies at law or in equity, Business Associate may file an action for an injunction to enforce the terms of this Agreement against Covered Entity, in addition to any other remedy Business Associate may have.
    4. Interpretation. Any ambiguity in this Agreement shall be resolved in favor of a meaning that permits compliance with the HIPAA Rules.
    5. No Third Party Rights. Nothing in this Agreement is intended or shall be construed to confer any rights or entitlements to remedy on any person or entity other than Covered Entity and Business Associate.
    6. Entire Agreement. This Agreement represents the Parties’ complete understanding and agreement with respect to the subject matter of this Agreement and shall supersede any prior agreements and understandings between the Parties with respect to the subject matter of this Agreement. This Agreement may not be modified, terminated or extended orally.