BUSINESS ASSOCIATE AGREEMENT

THIS Business Associate Agreement (this “Agreement”) governs the access and use of Protected Health Information (as defined below) by FluteSpace Inc., a Delaware corporation (“FluteSpace”), received in the course of the use of the FLUTE Lite solution along with related software, websites, networks, applications, mobile applications, and other services provided by FluteSpace (collectively, the “Services”).

All software, applications, content and materials available under the Services are owned and operated by FluteSpace and have been developed for use by health care providers. FluteSpace may, in the course of such use of the Services (the “Terms”), create, receive, maintain, or transmit Protected Health Information (as defined below) for or on behalf of the users of the Services.

By entering into an order form or service order referencing this Agreement or by accessing, downloading, installing or using the Services you acknowledge that you are a licensed healthcare provider and that you have read, understood and agree to be bound by this Agreement as a Covered Entity (as defined under HIPAA).


You and FluteSpace are hereinafter sometimes referred to collectively as the “Parties” and individually as a “Party.” NOW, THEREFORE, in consideration of the mutual promises contained herein and the exchange of information pursuant to this Agreement, the Parties agree as follows:

BACKGROUND

Covered Entity is a “covered entity” as defined under the Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191 (hereinafter referred to as “HIPAA”), as amended by the Health Information Technology for Economic and Clinical Health Act, enacted as part of the American Recovery and Reinvestment Act of 2009, Public Law 111-005 (hereinafter referred to as the “HITECH Act”), and related regulations promulgated by HHS (as defined below) (“HIPAA Regulations”). Covered Entity complies with the HIPAA Privacy and Security Rules (both defined below) and the HITECH Act and requires that Business Associates of Covered Entity agree to and comply with said rules and regulations as a condition of doing business with Covered Entity.

WHEREAS

  1. The Covered Entity is engaged in the business of providing AI solutions in the healthcare sector with the expertise of clinicians (“Business”);
  2. The Covered Entity is desirous of obtaining certain services from the Business Associate, as more fully detailed in the Services Agreement (as defined below), which may involve access to paper and/or electronic records containing PHI (as defined below);
  3. By providing such services pursuant to the Services Agreement, the Business Associate will become a “business associate” of the Covered Entity as such term is defined under HIPAA;
  4. Both Parties are committed to complying with all federal and state laws governing the confidentiality and privacy of health information, including, but not limited to, the Privacy Rule;
  5. In this regard, the Parties are desirous of entering into this Agreement to protect PHI and EPHI (as defined below), and to amend, modify, and supersede any existing agreements between them, whether oral or written, with the execution of this Agreement.

NOW, THEREFORE, IN CONSIDERATION OF THE MUTUAL COVENANTS, TERMS, CONDITIONS AND UNDERSTANDING SET FORTH IN THIS AGREEMENT, THE PARTIES AGREE AS FOLLOWS:

DEFINITIONS

General

  • In this Agreement, unless the context otherwise requires, the following words and expressions shall bear the meanings ascribed to them below. Any terms used, but not otherwise defined in this Clause 1, shall have the meaning as otherwise defined in the Agreement, HIPAA, the HITECH Act, and HIPAA Regulations as in effect or as amended from time to time.
  • Specific
    1. “Affiliate” means with respect to any person, any other person who, directly or indirectly, controls, is controlled by, or is under common control with such person.
    2. “Breach” shall have the same meaning as the term “breach” under Section 13400(1) of the HITECH Act.
    3. “Designated Record Set” has the same meaning as given to such term under the Privacy Rule, including 45 CFR §164.501.B.
    4. “Electronic Health Record” shall have the same meaning as the term “electronic health record” under Section 13400(5) of the HITECH Act.
    5. “Electronic Protected Health Information” shall have the same meaning as the term “electronic protected health information” under 45 CFR §160.103, limited to the information that the Business Associate creates, receives, maintains, or transmits from or on behalf of the Covered Entity.
    6. “HHS” means the U.S. Department of Health and Human Services.
    7. “Individual” shall have the same meaning as the term “individual” under 45 CFR §160.103 and shall include a person who qualifies as a personal representative in accordance with 45 CFR §164.502(g).
    8. “Privacy Rule” shall mean that portion of HIPAA set forth in 45 CFR Part 160 and Part 164, Subparts A and E.
    9. “Protected Health Information” or “PHI” shall have the same meaning as the term “protected health information” in 45 CFR §§164.501 and 160.103, limited to the information created or received by the Business Associate from or on behalf of a Covered Entity.
    10. “Required by Law” shall have the same meaning as the term “required by law” in 45 CFR 164.103.
    11. “Secretary” shall mean the Secretary of the U.S. Department of Health and Human Services or his/her designee.
    12. “Security Rule” shall mean the Security Standards for the Protection of EHI provided in 45 CFR Part 160 and Part 164, Subparts A and C.
    13. “Services Agreement” shall mean any present or future agreements, either written or oral, between the Business Associate and the Covered Entity under which the Business Associate provides services to the Covered Entity or its clients that involve the use or disclosure of Protected Health Information. The Services Agreement shall be amended by and incorporate the terms of this Agreement.
    14. “Unsecured Protected Health Information” or “Unsecured PHI” shall have the same meaning as the term “unsecured protected health information” in Section 13402(h)(1) of the HITECH Act.

PERMITTED USES AND DISCLOSURES

  1. The Business Associate hereby agrees not to use or disclose Protected Health Information other than as reasonably necessary to provide the services described in the Services Agreement, or permitted or required by the Business Associate Agreement or Required by Law.
  2. Additional Business Associate Activities. Except as otherwise limited by this Agreement or federal or state law, the Covered Entity hereby authorizes the Business Associate to use the PHI in its possession for the proper management and administration of the Business Associate’s business and to carry out its legal responsibilities. Business Associate may disclose PHI for its proper management and administration, provided that (i) the disclosures are Required by Law; or (ii) Business Associate obtains, in writing, prior to making any disclosure to a third party (a) reasonable assurances from this third party that the PHI will be held confidential as provided under this Agreement and used or further disclosed only as Required by Law or for the purpose for which it was disclosed to this third party and (b) an agreement from this third party to notify Business Associate immediately of any breaches of the confidentiality of the PHI, to the extent it has knowledge of the breach.
  3. Business Associate shall not use or disclose PHI in a manner other than as provided in this Agreement, as permitted under the Privacy Rule, or as Required by Law. The Business Associate may use or disclose PHI, to the maximum extent permissible, as a limited data set or limited to the minimum necessary amount of PHI to carry out the intended purpose of the use or disclosure, in accordance with Section 13405(b) of the HITECH Act (codified at 42 USC §17935(b)) and any of the act’s implementing regulations adopted by HHS, for each use or disclosure of PHI.
  4. Upon the written request of the Covered Entity or any Individual, the Business Associate shall take all reasonable steps to provide such Covered Entity’s PHI or Individual’s PHI, as the case may be, to the Covered Entity that is available with the Business Associate or any of its agents or subcontractors.
  5. The Business Associate may use or disclose PHI to report any violations of law to appropriate federal or state authorities, in accordance with 45 CFR §164.502(j)(1).

COVENANTS OF THE PARTIES

  • Business Associate Covenants. The Business Associate hereby agrees and covenants to:
    1. Use or disclose only the minimum necessary PHI in performing its services under the Services Agreement.
    2. Not use or further disclose PHI except as permitted under this Agreement, or under any federal or state laws.
    3. Use appropriate safeguards to prevent the use or disclosure of PHI other than as provided for in this Agreement. Without limiting the generality of the foregoing, the Business Associate will implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of Electronic Protected Health Information that it creates, maintains, or transmits on behalf of the Covered Entity, as required by the Security Rule, and ensure that any agent, including a subcontractor, to whom Business Associate provides such Electronic Protected Health Information agrees to implement similar reasonable and appropriate safeguards to protect the Electronic Protected Health Information.
    4. Report in writing to the Covered Entity of any Security Incident (as defined under the Security Rule) of which the Business Associate becomes aware and any Breach, or use, or disclosure of PHI not permitted under this Agreement, within five (5) days following the discovery of such Security Incident, Breach, use or disclosure. A Breach is considered “discovered” as of the first day on which the Breach is known or reasonably should have been known, to the Business Associate or any of its employees, officers, or agents, other than the person committing the Breach.
    5. Promptly notify the Covered Entity in writing upon any Breach or Unsecured PHI in accordance with the requirements set out in 45 CFR §164.410, but in no event later than 30 (thirty) calendar days from the discovery of the Breach.
    6. Any notice of a Security Incident, unauthorized use or disclosure of PHI, or Breach shall include the identification of each Individual whose Protected Health Information has been or is reasonably believed by the Business Associate to have been accessed, acquired, or disclosed during such Security Incident or Breach as well as any other relevant information regarding the Security Incident or Breach.
    7. Mitigate, to the reasonable extent, any harmful effect that is known to Business Associate arising from a use or disclosure of PHI by the Business Associate or its employees, officers or agents in violation of the requirements of this Agreement (including, without limitation, any Security Incident or Breach of Unsecured Protected Health Information). The Business Associate hereby agrees to reasonably cooperate and coordinate its efforts with the Covered Entity in (i) the investigation of any such unauthorized use or disclosure of PHI; and (ii) the preparation of any reports or notices to the Individual, a regulatory body or any third party required to be made under HIPAA, HIPAA Regulation, the HITECH Act, or any other federal or State laws, provided that any such reports or notices shall be subject to the prior written approval of the Covered Entity.
    8. Maintain the integrity of any PHI transmitted by or received from the Covered Entity for the tenure of this Agreement.
    9. Ensure that all of its employees, agents, representatives, and members of its workforce, whose services may be used to fulfil obligations under this Agreement are or shall be appropriately informed of the terms of this Agreement and are under legal obligations to the Business Associate, by contract or otherwise, sufficient to enable them to comply with all provisions of this Agreement.
    10. Comply with its policies and procedures with respect to the privacy and security of PHI, and other confidential information disclosed by the Covered Entity.
    11. Facilitate the rights of access, amendment, and accounting as set forth in Clauses 4, 5, and 7, respectively.
  • Covered Entity Covenants. The Covered Entity hereby agrees and covenants to:
    1. Notify the Business Associate of any limitation(s) in its notice of privacy practices in accordance with 45 CFR §164.520, to the extent that such limitation may affect the Business Associate’s use or disclosure of PHI.
    2. Notify the Business Associate of any changes in, or revocation of, permission by an Individual to use or disclose PHI, to the extent that such changes may affect the Business Associate’s use or disclosure of PHI.
    3. Notify the Business Associate of any restriction to the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 CFR §164.522, to the extent that such restriction may affect the Business Associate’s use or disclosure of PHI.
    4. Except for data aggregation or management and administrative activities of the Business Associate, Covered Entity shall not request the Business Associate to use or disclose PHI in any manner that would not be permissible under HIPAA if done by Covered Entity.

ACCESS TO PHI

Upon receipt of a written request from the Covered Entity for access to PHI about an Individual contained in a Designated Record Set, the Business Associate shall in the time and manner reasonably requested by Covered Entity in the written request, make available to the Covered Entity, or, as directed by the Covered Entity, to the Covered Entity or the Individual to whom such PHI relates or his or her authorized representative, such PHI for so long as such information is maintained in the Designated Record Set as defined in 45 CFR §164.524. In the event any Individual requests access to PHI directly from the Business Associate, the Business Associate shall, within 10 (ten) business days, forward such request to Covered Entity. Any disclosure of, or decision not to disclose, the PHI requested by an Individual or his or her personal representative and compliance with the requirements applicable to an Individual’s right to obtain access to PHI shall be the sole responsibility of Covered Entity.

AMENDMENT OF PHI

  1. Upon receipt of a written request from the Covered Entity for the amendment of an Individual’s PHI or a record regarding an Individual contained in a Designated Record Set, the Business Associate agrees to make any amendment(s) to such Individual’s PHI in a Designated Record Set that the Covered Entity directs or agrees to, pursuant to 45 CFR §164.526, and in the time and manner reasonably requested by the Covered Entity. Any such request by the Covered Entity to amend such information shall be completed within 15 (fifteen) business days of the Covered Entity’s request.
  2. In the event that any Individual requests the Business Associate to amend such Individual’s PHI or record in a Designated Record Set, the Business Associate shall, within 10 (ten) business days, forward this request to the Covered Entity. Any amendment of, or decision not to amend, the PHI or record as requested by an Individual and compliance with the requirements applicable to an Individual’s right to request an amendment of PHI will be the sole responsibility of Covered Entity.

ACCOUNTING OF DISCLOSURES OF PHI

  1. The Business Associate hereby agrees to document such disclosures of PHI and information related to such disclosures as may be required by the Covered Entity to respond to a request made by an Individual for an accounting of disclosures of PHI in accordance with HIPAA, HIPAA Regulations and the HITECH Act.
  2. Upon receipt of a written request by the Covered Entity, the Business Associate shall make available to the Covered Entity, or at the direction of the Covered Entity, to the Covered Entity or an Individual, in the time and manner reasonably requested by Covered Entity which shall not be less than 10 (ten) business days from the receipt of written request, information relating to disclosures made by the Business Associate as is in the Business Associate’s possession and is required by the Covered Entity to comply with its accounting obligations as required by 45 CFR §164.528.
  3. In the event an Individual directly requests the Business Associate for an accounting, the Business Associate shall, within 10 (ten) business days, forward such request to the Covered Entity.

ACCESS TO BOOKS AND RECORDS

The Business Associate agrees to make its internal practices, books, and records, including policies and procedures relating to the use and disclosure of PHI received from, or created or received by the Business Associate on behalf of the Covered Entity available to the Secretary, in a time and manner designated by the Secretary, for purposes of determining the Business Associate or the Covered Entity’s compliance with the Privacy Rule.

SERVICES AGREEMENT

The Business Associate has agreed to provide certain services to the Covered Entity under the Services Agreement, attached herein as ANNEXURE A. The terms of this Agreement are hereby incorporated into the Services Agreement (including any amendments, modifications, or alterations). In the event of any conflict between the provisions of the Services Agreement and this Agreement, the provisions of this Agreement shall supersede and prevail. The Services Agreement together with this Agreement constitutes the entire agreement between the Parties with respect to the subject matter contained herein.

TERM AND TERMINATION

  1. Unless otherwise terminated in the manner provided in Clause 9.2, this Agreement shall become effective on the Effective Date and shall terminate when all of the PHI provided by the Covered Entity or created or received by the Business Associate on behalf of the Covered Entity, is destroyed or returned to the Covered Entity, or, if it is infeasible to return or destroy Protected Health Information, safeguards are extended to such information, in accordance with the termination provisions in this clause.
  2. Termination by the Covered Entity. In accordance with 45 CFR 164.504(e)(2)(iii), the Covered Entity may forthwith terminate this Agreement, the Services Agreement, and any related agreements if the Covered Entity makes a determination that the Business Associate has breached a material term of this Agreement, and has failed to cure that material breach, to the Covered Entity’s reasonable satisfaction, within 30 (thirty) days from the receipt of notice notifying the Business Associate of such breach. If cure or termination is not feasible, Covered Entity shall report the problem to the Secretary.
  3. Termination by the Business Associate. If the Business Associate determines that the Covered Entity has breached a material term of this Agreement, then the Business Associate shall provide the Covered Entity with a written notice of the existence of the breach and a period of 30 (thirty) calendar days to cure the breach. The Covered Entity’s failure to cure the breach within the 30 (thirty) day period will be grounds for immediate termination of the Agreement, the Services Agreement, and any related agreement, by the Business Associate. The Business Associate may report the breach to HHS.
  4. Consequences of Termination. Upon termination in accordance with Clauses 9.2 and 9.3, the Business Associate agrees to return to the Covered Entity or destroy all PHI received from the Covered Entity or created or received by the Business Associate on behalf of the Covered Entity in the manner set forth under 45 CFR §164.504(e)(2)(I). This provision shall apply to PHI that is in the possession of subcontractors or agents of the Business Associate. The Business Associate shall not retain any copies of the PHI. Prior to undertaking the foregoing, the Business Associate further agrees to recover any PHI in the possession of its subcontractors or agents. If it is not feasible for the Business Associate to return or destroy all PHI, the Business Associate will notify the same to the Covered Entity in writing. Such notification shall include: (i) a statement that the Business Associate has determined that it is infeasible to return or destroy the PHI in its possession, and (ii) the specific reasons for such determination. Upon mutual agreement of the Parties that the return or destruction of Protected Health Information is infeasible, the Business Associate further agrees to extend any and all safeguards, limitations, and restrictions contained in this Agreement to the Business Associate’s use and/or disclosure of any PHI retained after the termination of this Agreement, and to limit any further uses and/or disclosures of PHI to the purposes that make the return or destruction of the PHI not feasible, for so long as Business Associate maintains such PHI. This Clause 9 shall survive the termination of the Services Agreement or this Agreement.

MISCELLANEOUS

  • Regulatory References. A reference in this Agreement to a section or provision in HIPAA, HIPAA Regulations, or the HITECH Act means the section as in effect or as amended or modified from time to time, including any corresponding provisions of subsequent superseding laws or regulations.
  • Amendments and Waivers. Except as set forth herein, this Agreement may not be modified, nor shall any provision be waived or amended, except as mutually agreed in writing duly signed by authorized representatives of the Parties. Upon enactment of any law, regulation, court decision or relevant government publication and/or policy affecting the use or disclosure of PHI, Parties shall amend this Agreement in such manner as deemed necessary to comply with same. The failure of either Party to enforce at any time any provision of this Agreement shall not be construed as a waiver of such provision, nor in any way to affect the validity of this Agreement or the right of either Party thereafter to enforce each and every such provision.
  • Notices. Any notice required or permitted under this Agreement shall be given in writing and delivered by email or by hand via an internationally recognized overnight delivery service (e.g., Federal Express), or via registered mail or certified mail, postage pre-paid and return receipt requested, to the following:

      If to the Covered Entity:

Name

Address

Attention

Title

Email

FluteSpace, Inc.

35818 Augustine Place, Fremont, CA 94536, USA

CEO

nikhil@flutespace.com

Name: FluteSpace Inc.

Address: 1-101, Holtech CGHS Ltd., Plot No. 2 Sector – 9, Dwarka, New Delhi - 110077, INDIA

Attention: Puneet Grover

Title: CPO (Chief Privacy Officer)

Email: puneet@flutespace.com

  • Counterparts. This Agreement may be executed in any number of counterparts, each of which shall be deemed an original. Counterparts may be delivered via facsimile, electronic mail (including pdf or any electronic signature complying with the US federal ESIGN Act of 2000) or other transmission method or any counterpart so delivered shall be deemed to have been duly and validly delivered and be valid and effective for all purposes.
  • Titles and Subtitles. The titles and subtitles used in this Agreement are used for convenience only and are not considered in construing or interpreting this Agreement.
  • Fees and Expenses. The Covered Entity shall pay all costs and expenses that the Business Associate incurs with respect to the negotiation, execution, delivery and performance of this Agreement and the Services Agreement.
  • Severability. The invalidity or unenforceability of any provision hereof shall in no way affect the validity or enforceability of any other provision.
  • Entire Agreement. This Agreement (including the Annexure hereto), the Services Agreement and any related agreements constitute the full and entire understanding and agreement between the Parties with respect to the subject matter hereof, and any other written or oral agreement relating to the subject matter hereof existing between the Parties are expressly cancelled.
  • Governing Law and Dispute Resolution. This Agreement shall be governed by, and construed in accordance with, the laws of the State of Delaware without regard to conflict of law principles that would result in the application of any law other than the law of the state of Delaware. The Parties hereby submit to the jurisdiction of the courts located in the state of Delaware, Hamilton County including any appellate court thereof.
  • Successors and Assigns. The terms and conditions of this Agreement shall inure to the benefit of and be binding upon the respective successors-in-interest and assigns of the Parties. Nothing in this Agreement, express or implied, is intended to confer upon any party other than the Parties hereto or their respective successors-in-interest and assigns any rights, remedies, obligations or liabilities under or by reason of this Agreement, except as expressly provided in this Agreement.
  • Interpretation. Any ambiguity in this Agreement shall be resolved to permit the Business Associate and Covered Entities to comply with HIPAA, HIPAA Regulations and the HITECH Act.