Business Associate Agreement

This Business Associate Agreement ("BAA") is entered into between the covered entity or business associate identified in the signature block ("Covered Entity") and MangoApps, Inc. ("Business Associate" or "MangoApps"), and supplements the MangoApps Master Subscription Agreement or other written agreement between the parties governing Covered Entity's use of the Service (the "Agreement"). It applies to Protected Health Information ("PHI") that MangoApps creates, receives, maintains, or transmits on behalf of Covered Entity through the Service. This BAA is effective only when executed by both parties; PHI may not be submitted to the Service before execution (see the Agreement's Regulated Data terms). With respect to PHI, this BAA controls over any conflicting term of the Agreement, including the Data Processing Agreement.

1. Definitions

"HIPAA" means the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations at 45 C.F.R. Parts 160 and 164, as amended, including by the Health Information Technology for Economic and Clinical Health Act ("HITECH"). Capitalized terms used but not defined in this BAA — including "Protected Health Information," "Breach," "Unsecured PHI," "Security Incident," "Designated Record Set," "Subcontractor," and "Secretary" — have the meanings given in HIPAA. "PHI" is limited to Protected Health Information that MangoApps creates, receives, maintains, or transmits on behalf of Covered Entity under the Agreement.

2. Permitted Uses and Disclosures

MangoApps may use and disclose PHI (a) to provide the Service and perform its obligations under the Agreement; (b) as required by law; (c) for MangoApps' proper management and administration and to carry out its legal responsibilities, provided any disclosure for those purposes is required by law or made subject to written confidentiality assurances and notice-of-breach obligations from the recipient; (d) to provide data aggregation services relating to Covered Entity's health care operations, as permitted by 45 C.F.R. § 164.504(e)(2)(i)(B); and (e) to de-identify PHI in accordance with Section 8. MangoApps will not use or disclose PHI other than as permitted by this BAA or required by law, will request, use, and disclose only the minimum PHI necessary, and will not sell PHI or use or disclose PHI for marketing or fundraising.

3. Obligations of MangoApps

Safeguards. MangoApps will use appropriate administrative, physical, and technical safeguards to prevent use or disclosure of PHI other than as provided by this BAA, and will comply with the HIPAA Security Rule (45 C.F.R. §§ 164.308, 164.310, 164.312, and 164.316) with respect to electronic PHI.

Reporting. MangoApps will report to Covered Entity (a) any use or disclosure of PHI not provided for by this BAA of which it becomes aware; (b) any Breach of Unsecured PHI without unreasonable delay and in no case later than thirty (30) days after discovery, including, to the extent available, the identification of affected individuals and the information required by 45 C.F.R. § 164.410; and (c) any Security Incident of which it becomes aware — except the parties agree this paragraph constitutes notice, with no further reporting required, of Unsuccessful Security Incidents: routine events such as pings, port scans, denial-of-service attempts without PHI access, and login attempts that do not result in unauthorized access to or acquisition of PHI.

Subcontractors. MangoApps will ensure, by written agreement in accordance with 45 C.F.R. §§ 164.502(e)(1)(ii) and 164.308(b)(2), that any Subcontractor that creates, receives, maintains, or transmits PHI on MangoApps' behalf agrees to restrictions and conditions at least as protective as those in this BAA.

Individual rights. To the extent PHI is held in a Designated Record Set, MangoApps will make PHI available to Covered Entity — including through the Service's built-in export, correction, and administration tools — as necessary for Covered Entity to satisfy its obligations of access and amendment under 45 C.F.R. §§ 164.524 and 164.526, and will incorporate amendments to PHI as directed by Covered Entity. If an individual contacts MangoApps directly to exercise HIPAA rights, MangoApps will promptly forward the request to Covered Entity and will not respond substantively except as required by law.

Accounting of disclosures. MangoApps will document disclosures of PHI, and information related to them, as required for Covered Entity to respond to a request for an accounting under 45 C.F.R. § 164.528 (including date, recipient, description of the PHI, and purpose), and will make that information available to Covered Entity within thirty (30) days of written request, for the six (6) years preceding the request (but not before the effective date of this BAA).

HHS availability; mitigation; transactions. MangoApps will make its internal practices, books, and records relating to its use and disclosure of PHI available to the Secretary for purposes of determining compliance with HIPAA; will mitigate, to the extent practicable, any harmful effect known to it of a use or disclosure of PHI in violation of this BAA; and, to the extent it conducts Standard Transactions for or on behalf of Covered Entity, will comply with the applicable requirements of 45 C.F.R. Part 162.

Carve-out. To the extent MangoApps is to carry out one or more of Covered Entity's obligations under Subpart E of 45 C.F.R. Part 164 as expressly agreed in writing, MangoApps will comply with the requirements of Subpart E that apply to Covered Entity in the performance of those obligations.

4. Obligations of Covered Entity

Covered Entity will (a) not request or cause MangoApps to use or disclose PHI in any manner that would not be permissible under HIPAA if done by Covered Entity; (b) notify MangoApps of any limitation in its notice of privacy practices, any restriction on use or disclosure it has agreed to under 45 C.F.R. § 164.522, and any revocation of an individual's authorization, in each case to the extent it affects MangoApps' permitted uses or disclosures; (c) use the Service's available security and administrative configurations appropriately for PHI, including access controls and user management; and (d) submit PHI only to the Service capabilities reasonably designed to handle it under the Agreement. As between the parties, Covered Entity is responsible for providing any required Breach notifications to individuals, the Secretary, and the media under 45 C.F.R. §§ 164.404–164.408, and MangoApps will reasonably cooperate with those efforts.

5. Term and Termination

This BAA is effective as of the date last signed below and continues until the Agreement expires or terminates or until all PHI is returned or destroyed, whichever is later. If either party materially breaches this BAA, the non-breaching party may provide written notice describing the breach, and may terminate this BAA — and, at its election, the portion of the Service involving PHI — if the breach is not cured within thirty (30) days of notice. Covered Entity may suspend further submission of PHI to the Service during an uncured material breach. If termination is not feasible, the parties will comply with their respective reporting obligations under HIPAA.

Return or destruction. Upon termination, MangoApps will return or destroy all PHI it maintains on behalf of Covered Entity, per Covered Entity's election made within thirty (30) days and consistent with the Agreement's Return of Hosted Data terms, and will retain no copies. If return or destruction is infeasible (including for PHI in routine backups pending scheduled destruction or PHI required to be retained by law), MangoApps will notify Covered Entity, extend the protections of this BAA to that PHI, and limit further use and disclosure to the purposes that make return or destruction infeasible, for as long as it maintains the PHI.

6. No Agency

The parties are independent contractors. Nothing in this BAA or the Agreement creates an agency relationship between Covered Entity and MangoApps within the meaning of the Federal common law of agency, including for purposes of 45 C.F.R. § 164.404(a)(2), and neither party has authority to bind the other.

7. Liability

Any liability arising under or related to this BAA is subject to the exclusions and limitations of liability set forth in the Agreement, except to the extent such limitation is prohibited by applicable law. Nothing in this BAA creates rights in any third party, including any individual whose PHI is processed; the parties have not agreed to third-party beneficiaries.

8. De-Identified Data

MangoApps may create, use, and disclose information de-identified in accordance with 45 C.F.R. § 164.514(b) (Safe Harbor or Expert Determination). De-identified information is not PHI, is not subject to this BAA, and shall not include any identifier or key that could reasonably permit re-identification. MangoApps' use of de-identified information — including for system improvement, security analysis, product analytics, and service optimization — is governed by the Agreement.

9. Regulatory Amendment; Interpretation; Survival

The parties will amend this BAA in a writing signed by both parties to the extent necessary for either party to comply with HIPAA or other applicable privacy and security laws as they are amended. Any ambiguity in this BAA shall be interpreted to permit compliance with HIPAA. The obligations of this BAA survive its expiration or termination with respect to any PHI that MangoApps continues to maintain. This BAA, together with the Agreement, is the entire agreement of the parties regarding PHI and supersedes any prior business associate agreement between them.

To execute this BAA, or for questions: legal@mangoapps.com. Related documents: Master Subscription Agreement, Data Processing Agreement, subprocessor list.