This Business Associate Agreement (“Agreement”) is entered into by and between                                     , a Covered Entity as defined under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), and Lemod, LLC, a Business Associate (“Business Associate”), as of the Effective Date below.

1. Effective Date and Term

This Agreement becomes effective upon execution and shall remain in effect until terminated in accordance with Section 6. The terms of this Agreement shall apply to all services provided by Business Associate to Covered Entity involving access to Protected Health Information (“PHI”).

2. Definitions

All capitalized terms not defined herein shall have the same meaning as set forth in HIPAA, HITECH (the Health Information Technology for Economic and Clinical Health Act), and their implementing regulations.

3. Permitted Uses and Disclosures of PHI

Business associates may use or disclose PHI only to the extent necessary to perform services for or on behalf of Covered Entity, as outlined in any underlying service agreement, and only in a manner that would be permissible under HIPAA if done by the Covered Entity.

4. Obligations of Business Associate

a. Compliance with HIPAA and HITECH

Comply with applicable requirements of HIPAA and HITECH, including but not limited to 45 C.F.R. §§ 164.308, 164.310, 164.312, and 164.316.

b. Use and Disclosure Limitations

Not use or disclose PHI other than as permitted or required by this Agreement, or as required by law.

c. Minimum Necessary

Limit use, disclosure, or request for PHI to the minimum necessary to accomplish the intended purpose.

d. Safeguards

Implement appropriate administrative, physical, and technical safeguards to prevent unauthorized use or disclosure of PHI, and to ensure confidentiality, integrity, and availability of electronic PHI.

e. Subcontractors and Agents

Ensure that any subcontractor or agent to whom PHI is disclosed agrees to the same restrictions, conditions, and obligations applicable to Business Associate under this Agreement.

f. Individual Rights

• Provide access to PHI in a designated record set upon request from Covered Entity, in accordance with 45 C.F.R. § 164.524.

• Make amendments to PHI as directed by Covered Entity under 45 C.F.R. § 164.526.

• Maintain and make available documentation of PHI disclosures as required under 45 C.F.R. § 164.528.

g. Reporting of Breaches and Security Incidents

• Report any use or disclosure of PHI not provided for by this Agreement, including security incidents and breaches, within 72 hours of discovery.

• Conduct and document a risk assessment to determine whether a breach is reportable under 45 C.F.R. § 164.402.

h. Accounting for Disclosures

Maintain records and provide an accounting of disclosures of PHI for a period of six (6) years upon request by the Covered Entity.

i. Access for Audits

Make internal practices, books, and records available to the Secretary of the U.S. Department of Health and Human Services for purposes of determining compliance with HIPAA.

5. De-Identified Data

Business Associate may use or disclose de-identified information, provided it complies with 45 C.F.R. § 164.514 and does not include any key or code that enables re-identification.

6. Termination

a. Termination for Cause

Covered Entity may terminate this Agreement immediately upon learning of a material breach. Alternatively, Covered Entity may provide written notice with a 5-business-day cure period before termination.

b. Obligations Upon Termination

Upon termination of this Agreement, Business Associate shall return or securely destroy all PHI. If return or destruction is infeasible, Business Associate shall notify Covered Entity and extend the protections of this Agreement to any retained PHI for as long as it is maintained.

7. Amendment

This Agreement may be amended as necessary to comply with HIPAA, HITECH, and applicable regulations. Any such amendment must be in writing and signed by both parties.

8. Interpretation

Any ambiguity in this Agreement shall be interpreted to ensure compliance with HIPAA, HITECH, and related laws.

9. No Third Party Beneficiaries

Nothing in this Agreement is intended to confer any rights, remedies, or benefits upon any third party.

10. Survival

All obligations with respect to PHI under this Agreement shall survive termination of this Agreement.

IN WITNESS WHEREOF

the parties have executed this Agreement by their duly authorized representatives as of the dates set forth below:

Covered Entity: 

Name: ________________________

By: ___________________________

Title: __________________________

Date: __________________________

Business Associate:

Name: Lemod, LLC (DBA Model Rewards)

By: ___________________________

Title: _________________________

Date: _________________________