BAA

Apr 13, 2025

ShowAndTell

BUSINESS ASSOCIATE AGREEMENT

This Business Associate Agreement (“Agreement”) is entered into by and between ShowAndTell, Inc. (“Business Associate”) and a Client executing an Order incorporating this Agreement by reference, or who otherwise agrees or enters into the Client Terms and Conditions (“Covered Entity”), which are each a respective covered entity or a business associate under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). The parties are entering into this Agreement to assist the Covered Entity in complying with HIPAA, and to set forth Business Associate’s obligations under the Health Information Technology for Economic and Clinical Health Act of 2009 (the “HITECH Act”), and 45 CFR Parts 160 and 164, Subpart C (the “Security Rule”), Subpart D (the “Data Breach Notification Rule”), and Subpart E (the “Privacy Rule”) (collectively, the “HIPAA Regulations”) and applicable State law.

This Agreement applies to any Protected Health Information Business Associate receives from Covered Entity, or creates, receives or maintains on behalf of Covered Entity, under its Client Terms and Conditions or other governing client agreement with Covered Entity (the “Terms”). Capitalized terms used herein but not otherwise defined have the meanings set forth in the Terms.

AGREEMENT

Definitions. Except as otherwise defined in this Agreement, capitalized terms shall have the definitions set forth under the HIPAA Regulations, as amended from time to time.

“Protected Health Information” or “PHI” shall have the same meaning as the term “protected health information” in 45 CFR § 160.103 of the HIPAA Regulations, provided that it is limited to such protected health information that is received by Business Associate from, or created, received, maintained, or transmitted by Business Associate on behalf of Covered Entity.

“Security Incident” shall have the meaning given to the term “security incident” at 45 CFR § 164.304, as applied to the electronic Protected Health Information created, received, maintained, or transmitted by Business Associate from or on behalf of Covered Entity.

“Unsuccessful Security Incidents” means, without limitation, pings and other broadcast attacks on Business Associate’s firewall, port scans, unsuccessful log-on attempts, denial of service attacks, and any combination of the above, as long as no such incident results in unauthorized access, acquisition, use, or disclosure of Protected Health Information.

Permitted Uses and Disclosures. Business Associate may use and disclose Covered Entity’s Protected Health Information to provide Covered Entity with the services under the Terms. Except as expressly provided below, this Agreement does not authorize Business Associate to make any use or disclosure of Protected Health Information that Covered Entity would not be permitted to make under Subpart E of 45 CFR Part 164.

Obligations of Business Associate. Business Associate will:

Not use or further disclose Covered Entity’s Protected Health Information except as permitted by the Terms or this Agreement, or as required by law;

Use appropriate safeguards, and comply, where applicable, with the HIPAA Security Rule with respect to electronic Protected Health Information, to prevent use or disclosure of Covered Entity’s Protected Health Information other than as provided for by the Terms or this Agreement. Business Associate agrees to implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of the electronic Protected Health Information that it creates, receives, maintains or transmits on behalf of Covered Entity;

Report to Covered Entity any use or disclosure of Covered Entity’s Protected Health Information not provided for by the Terms or this Agreement of which it becomes aware, including breaches of unsecured Protected Health Information as required by the Data Breach Notification Rule (45 CFR § 164.410), and any Security Incident of which Business Associate becomes aware without unreasonable delay, provided that notice is hereby deemed given for Unsuccessful Security Incidents and no further notice of such Unsuccessful Security Incidents shall be given;

Ensure that any of Business Associate’s subcontractors that create, receive, maintain, or transmit Protected Health Information on behalf of the Business Associate agree in writing to substantially similar, and no less restrictive, restrictions and conditions as those that apply to Business Associate with respect to such information, including compliance with the HIPAA Security Rule with respect to electronic Protected Health Information;

To the extent that Business Associate maintains Protected Health Information in a Designated Record Set, make any Protected Health Information in a designated record set available to Covered Entity to enable Covered Entity to meet its obligation to provide access to the information in accordance with 45 CFR § 164.524;

To the extent that Business Associate maintains Protected Health Information in a Designated Record Set, make any Protected Health Information in a designated record set available for amendment and incorporate any amendments to Protected Health Information as directed by Covered Entity pursuant to 45 CFR § 164.526;

Make available to Covered Entity the information concerning disclosures that Business Associate makes of Covered Entity’s Protected Health Information required to enable Covered Entity to provide an accounting of disclosures in accordance with 45 CFR § 164.528;

To the extent that Business Associate carries out Covered Entity’s obligations under the Privacy Rule, comply with the requirements of the Privacy Rule that apply to Covered Entity in the performance of such obligations; and

Make Business Associate’s internal practices, books, and records relating to Business Associate’s use and disclosure of Protected Health Information received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity, available to the Secretary of the United States Department of Health and Human Services for purposes of determining Covered Entity’s compliance with the HIPAA Regulations, subject to attorney-client and other applicable legal privileges.

Proper Management and Administration of Business Associate. Business Associate may use Covered Entity’s Protected Health Information for the proper management and administration of Business Associate or to carry out Business Associate’s own legal responsibilities. Business Associate may disclose Protected Health Information for these purposes if Business Associate is required to do so by law, or if Business Associate obtains reasonable assurances from the recipient of the information (1) that it will be held confidentially, and used or further disclosed only as required by law or for the purpose for which it was disclosed to the recipient, and (2) that the recipient will notify Business Associate of any instances of which the recipient is aware in which the confidentiality of the information is breached.

Data Aggregation. Business Associate may use Covered Entity’s Protected Health Information for data aggregation, as permitted by the Privacy Rule.

De-identification. Business Associate may de-identify Covered Entity’s Protected Health Information, in compliance with the requirements of 45 CFR § 164.514. Business Associate shall be the owner of such de-identified data.

Covered Entity Obligations. With regard to the use and/or disclosure of Protected Health Information by Business Associate, Covered Entity agrees:

Covered Entity shall not request Business Associate to use or disclose Protected Health Information in any manner that would not be permissible under HIPAA if done by Covered Entity (except to the extent permitted by HIPAA for a business associate).

Covered Entity is responsible for maintaining a Notice of Privacy Practices, as required by HIPAA.

Covered Entity represents and warrants that it has obtained any necessary authorizations, consents, and other permissions that may be required under any applicable law to provide Protected Health Information to Business Associate and for Business Associate to provide the services.

Covered Entity shall notify Business Associate in writing of any limitations in an applicable notice of privacy practices, to the extent that such limitations may affect Business Associate’s use or disclosure of Protected Health Information.

Covered Entity shall notify Business Associate in writing of any changes in, or revocation of, authorization by an Individual to use or disclose Protected Health Information, to the extent that such changes or revocation may affect Business Associate’s use or disclosure of Protected Health Information.

Covered Entity shall notify Business Associate in writing of any restriction to the use or disclosure of Protected Health Information that Covered Entity has agreed to or is required to abide by in accordance with 45 CFR § 164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of Protected Health Information.

Term and Termination. This Agreement shall continue in effect until the earlier of (1) expiration of the Terms or (2) termination at any time by Business Associate pursuant to this section of this Agreement.

Business Associate may immediately terminate the Terms and/or this Agreement if the Covered Entity is in material breach or default of any obligation in this Agreement. Business Associate may, but does not have the duty to, provide Covered Entity with an opportunity to cure any material breach of the Agreement or end the violation within thirty (30) days.

Business Associate may immediately terminate this Agreement, regardless of whether the Covered Entity is in breach or default of any obligation in this Agreement. Such termination shall take effect immediately.

Upon expiration or termination of this Agreement, Business Associate shall return or destroy all Protected Health Information in its possession, if it is feasible to do so, and as set forth in the applicable termination provisions of the Agreement. If it is not feasible to return or destroy any portions of the Protected Health Information upon termination of this Agreement, as determined by the Business Associate, then Business Associate shall extend the protections of this Agreement, without limitation, to such Protected Health Information and limit any further use or disclosure of the Protected Health Information to those purposes that make the return or destruction infeasible for the duration of the retention of the Protected Health Information.

No Third-Party Relationships. This Agreement is between the parties hereto. Nothing express or implied in this Agreement is intended to confer, nor shall anything herein confer, any rights, remedies, obligations, or liabilities whatsoever upon any person other than Business Associate and Covered Entity and any respective successors and assigns.

Applicable Law. This Agreement shall be construed, administered, and governed by the governing law set forth in the Terms, except to the extent preempted by applicable federal law.

Notices. All notices hereunder shall be in writing, and be provided in accordance with the provision for notices set forth in the Terms.

Interpretation. This Agreement is to be interpreted in accordance with HIPAA, the HITECH Act, and the regulations promulgated thereunder, as amended from time to time.

Counterparts. This Agreement may be executed in separate counterparts, none of which need contain the signatures of both parties, and each of which, when so executed, shall be deemed to be an original, and such counterparts shall together constitute and be one and the same instrument.