BUSINESS ASSOCIATE AGREEMENT

This Business Associate Agreement (“Agreement”) is made as of 04/19/2024 (“Effective Date”) by and between X (“Covered Entity”) and Keystone Pharmacy, LLC (“Business Associate”).

BACKGROUND

Covered Entity and Business Associate wish to enter into this Agreement for purposes of complying with the Privacy, Security, Breach Notification, and Enforcement regulations at 45 CFR parts 160 and 164 (collectively the “HIPAA Standards”). The provisions of this Agreement apply with respect to all Protected Health Information (“PHI”), as defined in 45 CFR § 160.103, created, received, maintained or transmitted by Business Associate in its representation of Covered Entity.

TERMS

In consideration of the mutual covenants contained herein, Business Associate and Covered Entity agree as follows:

1. Obligations of Business Associate.

(a) Business Associate will not use or disclose PHI other than as permitted or required by this Agreement or as required by law.

(b) Business Associate will implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic PHI that it creates, receives, maintains, or transmits on behalf of Covered Entity as required by the HIPAA Standards, and to prevent use or disclosure of PHI other than as provided for by this Agreement. Business Associate will comply with Subpart C of 45 CFR Part 164 with respect to electronic PHI.

(c) Business Associate will mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of the requirements of this Agreement.

(d) To the extent the Business Associate is to carry out one or more of Covered Entity’s obligations under Subpart E of 45 CFR Part 164, Business Associate will comply with the requirements of 45 CFR Part 164, Subpart E that apply to Covered Entity in the performance of such obligations.

(e) Business Associate will report to Covered Entity (i) any use or disclosure of PHI not provided for by this Agreement of which Business Associate becomes aware, and (ii) any security incident (as defined in 45 CFR § 164.304) of which it becomes aware. Business Associate will notify Covered Entity of any breach of unsecured PHI, as defined in 45 CFR § 164.402, without unreasonable delay and in no case later than 10 calendar days after Business Associate discovers the breach.

(i) The parties agree and acknowledge that this section constitutes notice by Business Associate to Covered Entity that attempted but unsuccessful security incidents, such as pings and other broadcast attacks on Business Associate’s firewall, port scans, unsuccessful log-on attempts, denials of service, and similar events, regularly occur and that no further notice will be made by Business Associate to Covered Entity unless there has been a successful security incident.

(f) Business Associate will ensure that any agent, including a subcontractor, that receives PHI from Business Associate, or creates, receives, maintains, or transmits PHI on behalf of Business Associate, agrees to the same restrictions, conditions and requirements that apply to Business Associate with respect to such PHI, and agrees to implement reasonable and appropriate safeguards to protect the security and privacy of such PHI, by entering into an agreement with Business Associate that meets the applicable requirements of the HIPAA Standards.

(g) Business Associate will make books and records relating to the use and disclosure of PHI available to the Secretary of Health and Human Services (“Secretary”) or the Secretary’s designee, in a time and manner designated by the Secretary, for purposes of the Secretary determining Covered Entity’s compliance with the HIPAA Standards.

(h) At Covered Entity’s request, Business Associate will make available PHI in Business Associate’s possession to enable Covered Entity to respond to a request by an individual for access to PHI in accordance with 45 CFR § 164.524.

(i) At Covered Entity’s request, Business Associate will make available PHI in Business Associate’s possession for amendment, and will incorporate any amendments to PHI, in accordance with 42 CFR § 164.526.

(j) Business Associate will maintain and will provide to Covered Entity on request such documentation of disclosures of PHI as would be required for Covered Entity to respond to a request by an individual for an accounting of disclosures of PHI in accordance with 45 CFR § 164.528. Upon receipt of a request for an accounting directly from an individual, Business Associate will provide to the individual an accounting of disclosures made by Business Associate containing the information described in 42 CFR § 164.528.

2. Uses and Disclosures by Business Associate.

(a) Business Associate may use or disclose PHI to perform services for or on behalf of Covered Entity, provided that such use or disclosure would not violate the HIPAA Standards if made by Covered Entity.

(b) Business Associate may use PHI for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate.

(c) Business Associate may disclose PHI for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate, if (1) the disclosure is required by law, or (2) Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will be held confidentially and used or further disclosed only as required by law or for the purpose for which it was disclosed to the person, and the person notifies Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.

3. Remedies for Breach. Upon Covered Entity’s knowledge of a material breach of this Agreement by Business Associate, Covered Entity may either (i) provide an opportunity for Business Associate to cure the breach or end the violation, and terminate this Agreement if Business Associate does not cure the breach or end the violation within the time specified by Covered Entity; (ii) immediately terminate this Agreement if Business Associate has breached a material term of this Agreement and cure is not possible; or (iii) if neither termination nor cure is feasible, report the violation to the Secretary.

4. Term and Termination.

(a) This Agreement will be effective as of the Effective Date and will continue in effect until terminated. Either party may terminate this Agreement at any time, with or without cause, by giving 30 days’ written notice.

(b) Upon termination of this Agreement, for any reason, Business Associate will return or destroy all PHI received from Covered Entity or created or received by Business Associate on behalf of Covered Entity, if feasible. In the event that Business Associate determines that returning or destroying the PHI is infeasible, Business Associate will extend the protections of this Agreement to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such PHI.

5. Miscellaneous.

(a) This Agreement may not be assigned by either party without the prior written consent of the other party. Subject to the foregoing, this Agreement will be binding upon and will inure to the benefit of the parties and their respective successors and assigns.

(b) This Agreement may be amended only by written consent of the parties.

(c) Nothing in this Agreement shall confer upon any person other than the Parties and their respective successors or assigns, any rights, remedies, obligations, or liabilities whatsoever. There are no third-party beneficiaries to this Agreement.

(d) This Agreement constitutes the entire agreement between the parties concerning its subject matter, and supersedes all prior and contemporaneous agreements and understandings, express or implied, oral or written.

(e) This Agreement will be deemed to have been made in Mississippi and will be governed by and construed in accordance with Mississippi law. The section headings in this Agreement are for convenience only and will not affect its interpretation.

(f) This Agreement may be executed in any number of counterparts, each of which shall be deemed an original and all of which shall be deemed for all purposes to be one agreement. A facsimile or imaged signature shall be deemed an original signature for all purposes.

(g) Any notice or other communication by either party to the other will be in writing and will be deemed to have been given when hand delivered, sent by nationally-recognized overnight delivery service, or mailed, postage prepaid, registered or certified mail, addressed as follows:

If to Covered Entity:


If to Business Associate:
Keystone Pharmacy, LLC
106 Highland Way
Suite #206
Madison, MS 39110

or to such other address as either party may designate by notice pursuant to this section.

IN WITNESS WHEREOF, Covered Entity and Business Associate have executed this Agreement effective as of the Effective Date.

Keystone Pharmacy, LLC
By: Jeffrey Clark

X

I agree to use electronic records and signatures

Complete Agreement