HIPAA Business Associate Agreement
This Business Associate Agreement (“BAA”) is entered into by and between LivaNova USA, Inc. (“Business Associate”) and the healthcare provider (“Covered Entity”) to receive the Services (as defined below) from Business Associate and may be incorporated by reference as terms and conditions of a separate agreement, directive or other document. This BAA is effective as of the earlier of the date this BAA is signed on behalf of Covered Entity or, to the extent this BAA is incorporated by reference into a separate agreement, directive or other document, the date on which such agreement, directive or other document is signed on behalf of Covered Entity (the “Effective Date”).
WHEREAS, Business Associate may provide certain Services to Covered Entity in connection with patients of Covered Entity which Services may involve the use and/or disclosure of Protected Health Information (as defined below) by Business Associate for and/or on behalf of Covered Entity; and
WHEREAS, Business Associate and Covered Entity desire to enter into this BAA regarding the use and/or disclosure of Protected Health Information as required by the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the Standards for Privacy of Individually Identifiable Health Information (the “Privacy Rule”) and the Standards for Security of Electronic Protected Health Information (the “Security Rule”) promulgated thereunder, and the Health Information Technology for Economic and Clinical Health Act (Division A, Title XIII and Division B, Title IV, of the American Recovery and Reinvestment Act of 2009, Pub. L. 111-5) (the “HITECH Act”), and the regulations implementing the HITECH Act.
NOW, THEREFORE, for and in consideration of the representations, warranties and covenants contained herein, and other good and valuable consideration, the receipt and sufficiency of which is hereby acknowledged, the parties hereto agree as follows:
- DEFINITIONS. Capitalized terms used but not otherwise defined in this BAA shall have the same meaning given to those terms by HIPAA, the HITECH Act, or any of the implementing regulations promulgated thereunder, including without limitation the Privacy Rule and the Security Rule, as in effect or as amended from time to time.
- “Protected Health Information” or “PHI” has the same meaning as the term “protected health information” in 45 C.F.R. § 160.103 of the Privacy Rule, limited to the information created or received by Business Associate for and/or on behalf of Covered Entity for the purposes of the Services. For the avoidance of doubt, the term Protected Health Information shall include Electronic Protected Health Information (“Electronic PHI”).
- “Services” means the services provided here as updated by Business Associate from time to time.
- OBLIGATIONS AND ACTIVITIES OF BUSINESS ASSOCIATE.
- Use and Disclosure. Business Associate agrees not to use or disclose PHI other than as permitted or required by this BAA or as Required by Law.
- Appropriate Safeguards. Business Associate agrees to use appropriate physical, technical and administrative safeguards and comply, where applicable, with the Security Rule with respect to Electronic PHI to prevent the use or disclosure of PHI other than as provided for by this BAA.
- Reporting. Business Associate agrees to promptly report to Covered Entity following Business Associate’s discovery of: (a) any use or disclosure of PHI not provided for by this BAA, or (b) any Breach or Security Incident of which it becomes aware, but in no case later than thirty (30) days after discovery of either (a) or (b); provided that notice is hereby deemed given for Unsuccessful Security Incidents and no further notice of such Unsuccessful Security Incidents will be given. “Unsuccessful Security Incidents” include but are not limited to firewall pings and other broadcast attacks, port scans, unsuccessful log-on attempts, denial-of-service attacks, and any combination of the foregoing that do not result in unauthorized access to or acquisition, use, disclosure, modification or destruction of PHI. The notice shall include, to the extent available, the identification of each individual whose Unsecured PHI has been, or is reasonably believed by Business Associate to have been, accessed, acquired or disclosed during the Breach, as well as any other available information set forth in 45 C.F.R. § 164.404(c).
- Mitigation. Business Associate agrees to take reasonable steps to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of the requirements of this BAA.
- Subcontractors. Business Associate shall ensure that all Subcontractors that create, receive, maintain or transmit PHI on behalf of Business Associate agree in writing to substantially the same restrictions and conditions that apply to Business Associate with respect to such PHI.
- Access to Designated Record Sets. To the extent that Business Associate maintains PHI in a Designated Record Set, within thirty (30) days of a request by Covered Entity, Business Associate agrees to provide access to or make available PHI maintained in a Designated Record Set to Covered Entity as necessary for Covered Entity to satisfy the requirements of 45 C.F.R. § 164.524. If Business Associate receives a request for access to PHI directly from an Individual, Business Associate shall forward such request to Covered Entity. Covered Entity shall have the sole responsibility to make decisions regarding whether to approve a request for access to PHI.
- Amendments to Designated Record Sets. To the extent that Business Associate maintains PHI in a Designated Record Set, within thirty (30) days of a request by Covered Entity, Business Associate agrees to make any amendment(s) to PHI maintained in a Designated Record Set as necessary for Covered Entity to satisfy the requirements of 45 C.F.R. § 164.526. If Business Associate receives a request for an amendment to PHI directly from an Individual, Business Associate shall forward such request to Covered Entity. Covered Entity will have the sole responsibility to make decisions regarding whether to approve a request for amendment to PHI.
- Access to Books and Records. Business Associate agrees to make its internal practices, books, and records relating to the use and disclosure of PHI created or received by Business Associate for and/or on behalf of Covered Entity available to the Secretary of the U.S. Department of Health and Human Services (“Secretary”) for purposes of the Secretary determining Covered Entity’s and Business Associate’s compliance with the Privacy Rule or the Security Rule.
- Accountings. Business Associate agrees to document disclosures of PHI and information related to such disclosures as would be required to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528. Within thirty (30) days of Covered Entity’s request for an accounting of disclosures of PHI, Business Associate agrees to make available to Covered Entity such information in Business Associate’s possession as would be required for Covered Entity to respond to a request by an Individual for such an accounting of disclosures of PHI. If Business Associate receives a request for an accounting of disclosures of PHI directly from an Individual, Business Associate shall forward such request to Covered Entity. Covered Entity will have the sole responsibility to provide an accounting of disclosures.
- Covered Entity Obligations. To the extent Business Associate is required to carry out Covered Entity’s obligations under the Privacy Rule (and only to the extent included in the Services), Business Associate agrees to comply with the requirements of the Privacy Rule that apply to Covered Entity in performing such obligations.
- PERMITTED USES AND DISCLOSURES BY BUSINESS ASSOCIATE.
- Services. Business Associate may use or disclose PHI to provide the Services for and/or on behalf of Covered Entity, provided that such use or disclosure would not violate HIPAA if done by Covered Entity.
- Minimum Necessary Standard. Where required by applicable provisions of the Privacy Rule, Business Associate’s requests, uses and disclosures of PHI shall be reasonably limited to the minimum amount of PHI necessary to accomplish the purpose of the request, use or disclosure.
- Use for Administration of Business Associate. Business Associate may use PHI for the proper management and administration of Business Associate and/or to carry out the present and/or future legal or regulatory responsibilities of Business Associate.
- Disclosure for Administration of Business Associate. Business Associate may disclose PHI for the proper management and administration of Business Associate, provided that: (a) disclosures are Required by Law; or (b) Business Associate obtains reasonable assurances from the third party to whom the PHI is disclosed that such third party will (i) protect the confidentiality of the PHI, (ii) use or further disclose the PHI only as Required by Law or for the purpose for which it was disclosed to the third party, and (iii) notify Business Associate of any instances of which it is aware in which the confidentiality of the PHI has been breached.
- Data Aggregation. Business Associate may use PHI to provide Data Aggregation services relating to the Health Care Operations of Covered Entity as permitted by 42 C.F.R. § 164.504(e)(2)(i)(B).
- De-Identified Information. Business Associate may de-identify PHI in accordance with 45 C.F.R. § 164.514(b) and use and disclose such de-identified information for its own purposes.
- OBLIGATIONS OF COVERED ENTITY.
- Permissible Requests by Covered Entity. Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under the Privacy Rule if done by Covered Entity.
- Minimum Necessary PHI. Where required by applicable provisions of the Privacy Rule, Covered Entity’s requests, uses and disclosures of PHI shall be reasonably limited to the minimum amount of PHI necessary to accomplish the purpose of the request, use or disclosure.
- Permissions; Restrictions. Covered Entity represents and warrants that it has obtained and will obtain any consents, authorizations and/or other legal permissions required under HIPAA and any other applicable law for the disclosure of PHI to Business Associate.
- Notices by Covered Entity. Covered Entity shall promptly notify Business Associate in writing of:
(a) any limitations in its notice of privacy practices in accordance with 45 C.F.R. § 164.520, and shall specifically identify such limitations, to the extent that such limitations may affect Business Associate’s use or disclosure of PHI for the purposes described in this BAA;
(b) any limitations in its notice of privacy practices in accordance with 45 C.F.R. § 164.520, and shall specifically identify such limitations, to the extent that such limitations may affect Business Associate’s use or disclosure of PHI for the purposes described in this BAA;
(c) any limitations in its notice of privacy practices in accordance with 45 C.F.R. § 164.520, and shall specifically identify such limitations, to the extent that such limitations may affect Business Associate’s use or disclosure of PHI for the purposes described in this BAA;
Any and all written notices shall be provided to Business Associate at the following address: LivaNova USA, Inc., 100 Cyberonics Blvd., Houston, TX 77058; Attention: Chief Privacy Officer.
- OTHER USES AND DISCLOSURES OF PHI. Notwithstanding any other provision of this BAA, the restrictions and other requirements that apply to Business Associate with regard to PHI that is used and/or disclosed for and/or on behalf of Covered Entity to provide the Services shall not apply to PHI used or disclosed by Business Associate as described in this Section 5 because such uses and disclosures are not undertaken for or on behalf of Covered Entity, do not create a business associate relationship, and are expressly permitted by the Privacy Rule.
- Treatment and Payment Activities. To the extent Business Associate acts in the capacity of a Health Care Provider, it may use or disclose PHI it receives from Covered Entity for its own Treatment or Payment activities as permitted by 45 C.F.R. § 164.506(c).
- FDA-Related Activities. Business Associate, in its capacity as a medical device manufacturer subject to the jurisdiction of the FDA with respect to one or more FDA-regulated products or activities, may use or disclose PHI it receives from Covered Entity for the purposes of activities related to the quality, safety or effectiveness of such FDA-regulated products or activities as permitted by 45 C.F.R. § 164.512(b)(iii).
- HIPAA Authorization. Business Associate may use or disclose PHI it receives pursuant to a HIPAA authorization under 45 C.F.R. § 164.508.
- TERM AND TERMINATION.
- Term. This BAA shall be effective as of the Effective Date and shall expire when all of the PHI provided by Covered Entity to Business Associate, or created or received by Business Associate for and/or on behalf of Covered Entity, is destroyed or returned to Covered Entity, or, if it is infeasible to return or destroy PHI, protections are extended to such PHI in accordance with this Section 6.
- Termination Upon Breach. Either party (the “Non-Breaching Party”) may terminate this BAA if the other party (the “Breaching Party”) has breached a material term of this BAA and failed to cure such breach within thirty (30) days following written notice of the breach from the Non-Breaching Party to the Breaching Party.
- Effect of Termination.
(a) Except as provided in Section 6.3(b), upon termination of this BAA for any reason, Business Associate shall: (i) return or destroy all PHI received from Covered Entity or created or received by Business Associate on behalf of Covered Entity, and (ii) retain no copies of the PHI.
(b) In the event that Business Associate reasonably determines that returning or destroying the PHI is infeasible, Business Associate shall extend the protections of this BAA to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such PHI.
- GENERAL.
- Application. As of the Effective Date, this BAA supersedes any preexisting business associate agreement between the parties and automatically amends any preexisting contract or relationship — written or unwritten, formal or informal — between Business Associate and Covered Entity, and this BAA does and will apply to, and be deemed incorporated into, all present and future contracts and relationships — written or unwritten, formal or informal — between Business Associate and Covered Entity regardless of any specific reference to this BAA or lack thereof.
- Regulatory References. A reference in this BAA to a section in HIPAA, the HITECH Act, or any of the implementing regulations promulgated thereunder, including without limitation the Privacy Rule and the Security Rule, means the section as in effect or as amended or modified from time to time, including any corresponding provisions of subsequent superseding laws or regulations.
- Interpretation. Any conflict, inconsistency or ambiguity in or between this BAA and HIPAA or the HITECH Act shall be resolved in favor of a meaning that permits the parties to comply with HIPAA and the HITECH Act and any implementing regulations promulgated thereunder, including but not limited to the Privacy Rule and the Security Rule.
- Amendment. The parties agree to take such action as is necessary to amend this BAA from time to time as is necessary for the Parties to comply with the requirements of HIPAA. No amendment to this BAA shall be effective unless it is in writing and signed by authorized representatives of Covered Entity and Business Associate.
- Survival. The following sections shall survive the expiration or termination of this BAA: Sections 1 (Definitions), 6.3 (Effect of Termination) and 7 (General).
- No Third Party Beneficiary. Nothing in this BAA is intended, nor shall be deemed, to confer any benefit on any third party.
- Authority to Sign. Each individual entering into this BAA on behalf of a party represents that such individual is duly authorized to enter into this BAA on behalf of such party.
- Counterparts. This BAA may be executed in counterparts, each of which when taken together shall constitute one original. Any PDF or facsimile signatures to this BAA shall be deemed original signatures to this BAA.