Business Associate Agreement

Last Modified: March 17, 2022

THIS BUSINESS ASSOCIATE AGREEMENT (this “BA Agreement”) is by and between Firefly Lab, LLC. (“Firefly”) and the account registrant (“Customer”), each individually a “Party” and together the “Parties.” This BA Agreement shall apply and become effective to the extent, and as of the date that, Firefly acts as a HIPAA Business Associate to Customer, or to any entity associated with Customer that is a HIPAA Covered Entity regarding Protected Health Information (“PHI”) provided to Firefly by or through Customer in connection with the Services. “Services” means the Firefly website, portal, services, products, or software provided by Firefly for the purposes of scheduling, recordkeeping, education, case logging, and the tracking and logging of continuing medical education.

Firefly may receive, use, obtain, access, maintain, transmit, or create PHI from or on behalf of Customer while performing the Services. The purpose of this BA Agreement is to comply with the requirements of the Health Insurance Portability and Accountability Act of 1996 and the associated regulations, 45 C.F.R. parts 160-164, as may be amended (including the “Privacy Rule” and the “Security Rule”) (“HIPAA”) and the Health Information Technology for Economic and Clinical Health Act and the associated regulations, as may be amended (“HITECH”). “HIPAA” and “HITECH” are hereafter collectively referred to in this BA Agreement as “HIPAA.” Unless otherwise defined in this BA Agreement, capitalized terms have the meanings given in HIPAA.

The Parties agree as follows:

Section 1. Permitted Uses and Disclosures.

Firefly may use and/or disclose PHI only as permitted or required by this BA Agreement or as otherwise Required by Law. Firefly may disclose PHI to, and permit the use of PHI by, its employees, contractors, agents, or other representatives to the extent necessary for the performance of the Services. Customer will provide to Firefly no more than the minimum PHI necessary for Firefly to perform the Services. Customer represents that it has authority to provide PHI to Firefly in connection with the Services and that doing so will not violate any law, policy, contract, mandate or requirement to which Customer is subject. As applicable, Firefly will request, use and disclose only PHI that constitutes a Limited Data Set, if practicable, and will otherwise limit its use, request or disclosure (if any), of PHI to the minimum necessary for the intended purpose of the request, use or disclosure. Firefly will not use or disclose PHI in a manner that would violate HIPAA if disclosed or used in such a manner by Customer. Firefly will comply with the Privacy Rule requirements applicable to Customer if and to the extent Firefly’s performance of the Services involves carrying out Customer’s Privacy Rule obligations; however, for the avoidance of doubt, Firefly has not been engaged by or on behalf of Customer for this purpose. In addition, Business Associate is authorized to use Protected Health Information to de-identify the Protected Health Information in accordance with 45 C.F.R. 164.514(a)-(c).

Section 2. Safeguards for the Protection of PHI.

Firefly will implement and maintain appropriate administrative, physical and technical security safeguards designed to ensure that PHI obtained by or on behalf of Customer is not used or disclosed by Firefly in violation of this BA Agreement. Such safeguards will be designed to protect the confidentiality and integrity of such PHI obtained, accessed, created, maintained, or transmitted from or on behalf of Customer. Firefly will comply with the applicable requirements of the Security Rule.

Section 3. Reporting and Mitigating the Effect of Unauthorized Uses and Disclosures.

Firefly will promptly report to Customer, upon discovery, any Security Incident or Breach (as defined below) by it or any of its employees, directors, officers, agents, subcontractors or representatives concerning the use or disclosure of PHI. For purposes of this BA Agreement, “Breach” means any acquisition, access, use or disclosure of PHI under this BA Agreement that is (a) in violation of the Privacy Rule or (b) not permitted under this BA Agreement. Firefly will be deemed to have discovered a Breach as of the first day on which the Breach is, or should reasonably have been, known to (a) Firefly or (b) any employee, officer, or other agent of Firefly other than the individual committing the Breach. Firefly further will investigate the Breach and promptly provide to Customer information Customer may require to make notifications of the Breach to Individuals and/or other persons or entities. Firefly will cooperate with Customer in addressing the Breach.

Notice is hereby deemed given for attempted but Unsuccessful Security Incidents and no further notice of such Unsuccessful Security Incidents will be given. “Unsuccessful Security Incidents” include but are not limited to firewall pings and other broadcast attacks, port scans, unsuccessful log-on attempts, denial-of-service attacks, and any combination of the foregoing that do not result in unauthorized access, acquisition, use, or disclosure of PHI.

Firefly will establish and implement procedures and other reasonable efforts for mitigating any harmful effects arising from any improper use and/or disclosure of PHI.

Section 4. Use and Disclosure of PHI by Subcontractors, Agents, and Representatives.

Firefly will require any subcontractor, agent, or other representative that is authorized to receive, use, maintain, transmit, or have access to PHI obtained or created under the BA Agreement, to agree, in writing, to: (1) adhere to the same restrictions, conditions and requirements regarding the use and/or disclosure of PHI and safeguarding of PHI that apply to Firefly under this BA Agreement; and (2) comply with the applicable requirements of the Security Rule.

Section 5. Individual Rights.

Firefly will comply with the following individual rights requirements as applicable to PHI used or maintained by Firefly:

5.1 Right of Access. Firefly agrees to provide access to PHI, at the request of Customer, as necessary to satisfy Customer’s obligations with regard to the individual access requirements under HIPAA.

5.2 Right of Amendment. Firefly agrees to make any amendment(s) to PHI as directed by Customer to meet the amendment requirements under HIPAA.

5.3 Right to Accounting of Disclosures. Firefly agrees to document any disclosures of PHI as would be required for Customer to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with HIPAA, and to provide all such documentation to Customer or to an Individual, as necessary to satisfy Customer’s obligations with regard to an Individual’s right to an accounting of disclosures. Firefly will otherwise comply with its obligations regarding an Individual’s right to an accounting of disclosures under HIPAA.

Section 6. Use and Disclosure for Firefly’s Purposes.

6.1 Use. Except as otherwise limited in this BA Agreement, Firefly may use PHI for the proper management and administration of Firefly or to carry out the legal responsibilities of Firefly.

6.2 Disclosure. Except as otherwise limited in this BA Agreement, Firefly may disclose PHI for the proper management and administration of Firefly or to carry out the legal responsibilities of Firefly, provided the disclosures are Required by Law, or Firefly obtains reasonable assurances from the person to whom the PHI is disclosed that the PHI will remain confidential and be used or further disclosed only as Required by Law or for the purpose for which it was disclosed to the person, and the person notifies Firefly immediately upon discovery of any instances in which the confidentiality of the PHI has been Breached, as defined and described in Section 3 of this BA Agreement.

Section 7. Access to Records.

Firefly will make its internal practices, books, records, and policies and procedures relating to the use and disclosure of PHI received from, or created or received by Firefly on behalf of Customer available to the federal Department of Health and Human Services (“HHS”), the Office for Civil Rights (“OCR”), or their agents for purposes of monitoring Customer’s compliance with HIPAA.

Section 8. Term and Termination.

8.1 Term. This BA Agreement will become effective on the Effective Date. Unless terminated sooner pursuant to Section 8.2, this BA Agreement will remain in effect for the duration of all Services provided by Firefly and for so long as Firefly will remain in possession of any PHI received from Customer, or created or received by Firefly on behalf of Customer.

8.2 Termination. In the event of a material breach of this BA Agreement, the non-breaching Party may immediately terminate this BA Agreement. Alternatively, in the non-breaching Party’s sole discretion, the non-breaching Party may provide the breaching Party with written notice of the existence of the material breach and afford the breaching Party thirty (30) days to cure the material breach. In the event the breaching Party fails to cure the material breach within such time period, the non-breaching Party may immediately terminate this BA Agreement.

8.3 Effect of Termination. Upon termination of this BA Agreement, Firefly will recover any PHI relating to this BA Agreement in the possession of its subcontractors, agents or representatives. Firefly will return to Customer or destroy all such PHI plus all other PHI relating to this BA Agreement in its possession, and will retain no copies. If Firefly cannot feasibly return or destroy the PHI, Firefly will ensure that any and all protections, requirements and restrictions contained in this BA Agreement will be extended to any PHI retained after the termination of this BA Agreement, and that any further uses and/or disclosures will be limited to the purposes that make the return or destruction of the PHI infeasible.

Section 9. Miscellaneous.

9.1 Indemnity and Limitation of Liability. The indemnity, disclaimer of warranties and limitation of liability provisions in the Terms of Use expressly apply to this BA Agreement. Subject to Section 9.8 of this BA Agreement, the other Firefly Terms of Use are not otherwise diminished, limited or restricted by this BA Agreement.

9.2 Survival. The respective rights and obligations of the Parties under Sections 7 (Access to Records), 8.3 (Effect of Termination), and 9 (Miscellaneous) will survive termination of this BA Agreement indefinitely.

9.3 Amendments. This BA Agreement constitutes the entire agreement between the Parties with respect to its subject matter. It may not be modified, nor will any provision be waived or amended, except in a writing duly signed by authorized representatives of the Parties.

9.4 Waiver. A waiver with respect to one event will not be construed as continuing, or as a bar to or waiver of any right or remedy as to subsequent events.

9.5 Compliance with HIPAA. Any ambiguity in this BA Agreement will be resolved in favor of a meaning that permits the Parties to comply with their respective obligations under HIPAA.

9.6 No Third Party Beneficiaries. Nothing express or implied in this BA Agreement is intended to confer, nor will anything herein confer, upon any person other than the Parties and their respective successors and permitted assigns, any rights, remedies, obligations or liabilities whatsoever.

9.7 Notices. All required reports or notices to Customer under this Agreement will be made by Firefly via either a general notice on Firefly’s website or web application, an individualized notice to Customer on the Firefly web application, or electronic mail to Customer’s e-mail address on record in Customer’s account. Such notice will be deemed to have been given upon the expiration of forty-eight (48) hours after posting or twelve (12) hours after sending by email. Customer will send required notices to Firefly via email addressed to privacy@fireflylab.org.

9.8 Inconsistencies. If any of the terms of this BA Agreement conflict with or are inconsistent with the Terms of Use, the terms of this BA Agreement will prevail.