Business Associate Agreement
This Business Associate Agreement (“Agreement”) is made and entered into by and between Zelis Healthcare, LLC, on behalf of itself and its direct and indirect subsidiaries and affiliates (hereinafter, collectively referred to as “Zelis”), with offices located at 149 Newbury Street, Fifth Floor, Boston, MA 02116 and the healthcare provider that clicks “Agree” or “I Agree” to this Agreement (hereinafter, the “Provider”). Zelis and Provider shall each individually be referred to as a “Party” and together collectively referred to as the “Parties.”
These Terms of Use are effective as of 4/8/2026
Recitals
A. Provider has retained Zelis to represent and provide services to Provider that may be subject to the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, as amended by the Health Information Technology for Economic and Clinical Health Act, enacted as part of the American Recovery and Reinvestment Act of 2009, Public Law 111-005 (“HITECH”) and the related regulations promulgated by HHS, including the Privacy, Security, Breach Notification, and Enforcement Rules at 45 C.F.R. Part 160 and Part 164 (“HIPAA Rules”, and collectively, “HIPAA”).
B. Pursuant to one or more service agreements between Provider and Zelis (“Service Agreement”), Zelis has agreed to provide services to Provider (“Services”). This Agreement supplements the terms of the Service Agreement and is incorporated into and made a part thereof. In the event of a conflict, this Agreement shall control with respect to the subject matter hereof.
C. To perform the Services, Zelis may be required to create, receive, maintain, transmit, Use and Disclose PHI from Provider, and therefore will be considered a “business associate” or “sub-business associate” of Provider and will have certain legal obligations under HIPAA, as set forth below. Accordingly, the Parties agree to the terms and conditions set forth below:
Terms of Agreement
- 1. Definitions. The capitalized terms used in this Agreement to the extent not defined herein shall have the same meaning as those terms in the HIPAA Rules. Protected Health Information and Electronic Protected Health Information shall be referred to as “PHI” in this Agreement and shall have the same meaning as defined in the HIPAA rules except that it is understood to be only that PHI created, received, maintained, transmitted, Used, and Disclosed in the provision of Services to Provider.
- 2. Performance and Compliance With Law. The Parties will work together in good faith to determine the applicability of HIPAA, to comply with HIPAA, and to amend this Agreement as necessary for Provider and Zelis to comply with HIPAA, as modified and/or supplemented from time to time.
- 3. Interpretation. Any ambiguity herein shall be resolved in favor of a meaning that permits both Zelis and Provider to comply with HIPAA.
- 4. Zelis’s Obligations.
- 4.1 Use and Disclosure of PHI. Except as otherwise provided in this Agreement, Zelis may Use or Disclose PHI as reasonably necessary to provide the Services to Provider, and to undertake other activities of Zelis permitted or required of Zelis by this Agreement or as required by law. Zelis will not Use or Disclose PHI in a manner other than as provided in this Agreement, as permitted under the Privacy Rule, or as required by law. Zelis will limit the Receipt, Use, and Disclosure of PHI to the Minimum Necessary. Upon request and to the extent permitted by HIPAA, Zelis will make available to Provider any PHI that Zelis or any of its agents or subcontractors have in their possession.
- 4.2 Provider authorizes Zelis to Use the PHI for the proper management and administration of Zelis’s business and to carry out its legal responsibilities. Zelis may Disclose PHI to a third party for the proper management and administration of Zelis and/or to carry out its legal responsibilities, provided the Disclosures are 1) required by law, or 2) Zelis obtains reasonable assurances from the person to whom the information is disclosed that the information will remain confidential and used or further disclosed only as required by law or for the purposes for which it was disclosed to the person, and the person notifies Zelis of any instances of which it is aware in which the confidentiality of the information has been breached. Zelis may Use PHI to provide Data Aggregation services relating to the Health Care Operations of the Provider. Zelis may deidentify PHI pursuant to 45 C.F.R. § 164.514 and such deidentified information will not be subject to the terms of this Agreement.
- 4.3 Disclosures to Third Parties. Zelis shall ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of Zelis agree to substantially the same restrictions, conditions, and requirements that apply to Zelis with respect to such information.
- 4.4 Access to PHI. Upon request, to the extent maintained by Zelis and if the PHI is not also maintained by Provider, Zelis agrees to furnish Provider with copies of the PHI maintained by Zelis in a Designated Record Set within thirty (30) days of such request to enable Provider to respond to an Individual’s request for access to PHI under 45 C.F.R. § 164.524. In the event any Individual or personal representative requests access to the Individual’s PHI directly from Zelis, Zelis will direct the Individual to contact Provider. Any Disclosure of, or decision not to Disclose, the PHI requested by an Individual or a personal representative and compliance with the requirements applicable to an Individual’s right to obtain access to PHI shall be the sole responsibility of Provider.
- 4.5 Amendment of PHI. Upon request and instruction from Provider, Zelis will amend PHI or a record about an Individual in a Designated Record Set that is maintained by, or otherwise within the possession of, Zelis as directed by Provider within thirty (30) days of such request to enable Provider to respond to an Individual’s request for amendment of PHI under 45 C.F.R. § 164.526.
- 4.6 Accounting of PHI Disclosures. Zelis will document and, at the request of Provider, report to Provider all Disclosures of PHI that are required for Provider to provide an accounting under 45 C.F.R. § 164.528 within thirty (30) days of such request.
- 4.7 Safeguards Against Misuse of PHI. Zelis will use appropriate safeguards to prevent use or disclosure of PHI other than as provided for by the Agreement; Zelis will use appropriate safeguards and comply with Subpart C of 45 C.F.R. Part 164 with respect to electronic PHI, to prevent the Use or Disclosure of PHI other than as provided by this Agreement.
- 4.8 Reporting of Violations and Security Incidents. Without unreasonable delay, and in any event no more than fifteen (15) days after determining there is other than a low probability that PHI has been compromised, Zelis will report to Provider any Use or Disclosure of Unsecured PHI not permitted under this Agreement, any Breach of Unsecured PHI, or any successful Security Incident (“Incident Report”); provided, however, the Parties acknowledge and agree that this Section constitutes notice by Zelis to Provider of the ongoing existence and occurrence of attempted but Unsuccessful Security Incidents (as defined below). The Parties further stipulate and agree that with respect to any such Unsuccessful Security Incident, no further or more detailed report to Provider is needed or required under this Agreement. The Incident Report provided to Provider from Zelis shall comply with HIPAA and shall include, to the extent possible and applicable: (a) the identification of each Individual whose Unsecured PHI was Used or Disclosed; (b) a brief description of what happened; the date of the Use or Disclosure and the date of discovery, if known; (c) a description of the types of Unsecured PHI that were involved in the Breach; (d) any steps the Individuals should take to protect themselves from potential harm resulting from the Breach; and (e) a brief description of what Zelis is doing to investigate the Breach, mitigate losses, and protect against further Breaches. Provider hereby assumes any and all notification obligations under HIPAA, and specifically, without limitation, obligations under section 13402 of HITECH. Zelis shall respond to requests for information from Provider regarding any Incident Report and shall cooperate in any reasonable investigation and information requests from Provider.
As used herein, the term “Unsuccessful Security Incidents” will include, but not be limited to, pings and other broadcast attacks on Zelis’s firewall, port scans, unsuccessful log-on attempts, denials of service and any combination of the above, so long as no such incident results in unauthorized access, Use or Disclosure of PHI.
- 4.9 Availability of Books and Records. Zelis will make its internal practices, books, and records that are not protected by applicable legal privilege or attorney work product protection doctrine relating to the Use and Disclosure of PHI available, upon request, to the Secretary of the United States, Department of Health and Human Services for the purposes of determining Zelis’s and Provider’s compliance with HIPAA and this Agreement.
- 4.10 Zelis’s Performance of Provider Obligations. To the extent Zelis carries out one or more of Provider’s obligations under Subpart E of 45 C.F.R. Part 164, Zelis shall comply with the requirements of Subpart E that apply to Provider in the performance of such obligation(s).
- 5. Provider’s Obligations.
- 5.1 With regard to the Use and/or Disclosure of PHI by Zelis, Provider agrees to:
- (a) Notify Zelis of any limitation(s) in its Notice of Privacy Practices in accordance with 45 C.F.R. § 164.520, to the extent that such limitation may affect Zelis’s Use or Disclosure of PHI.
- (b) Notify Zelis of any changes in, or revocation of, permission by an Individual to Use or Disclose PHI, to the extent that such changes may affect Zelis’s Use or Disclosure of PHI.
- (c) Notify Zelis of any restriction to the Use or Disclosure of PHI that Provider has agreed to in accordance with 45 C.F.R. § 164.522, to the extent that such restriction may affect Zelis’s Use or Disclosure of PHI. Except for Data Aggregation or management and administrative activities of Zelis, Provider shall not request Zelis to Use or Disclose PHI in any manner that would not be permissible under HIPAA if done by Provider.
- 6. Terms and Termination.
- 6.1 Term. This Agreement will take effect upon the earlier of the time that Provider clicks “Agree” or “I Agree” to this Agreement, the receipt by Zelis of PHI, or when Provider accesses, browses or uses the Services and continues thereafter indefinitely until terminated in accordance with this Agreement. This Agreement will terminate upon discharge of Zelis’s obligations under the Service Agreement and this Agreement, including the obligations set forth in Section 7.2 below, and/or termination of the Service Agreement.
- 6.2 Effect of Termination. Upon termination of this Agreement, at the request of Provider and within a reasonable time not to exceed thirty (30) days, Zelis will return or destroy all PHI received or created under the Service Agreement and/or this Agreement. If return or destruction is not requested, and/or in the event that Zelis determines that returning or destroying the PHI is infeasible, Zelis will extend the protections of this Agreement to such PHI and limit further Uses and Disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Zelis maintains such PHI.
- 7. Breach of this Agreement.
- 7.1 If either Party breaches its obligations under this Agreement, the non-breaching Party will provide the other with notice and a thirty (30) day period to cure the breach. If the breaching Party fails to cure the breach or cure is not possible within thirty (30) days, the non-breaching Party may terminate this Agreement immediately upon written notice and without further legal action or declaration. If neither termination nor cure is feasible, the breaching Party will comply with applicable reporting requirements. If the breaching Party is unable to comply or otherwise does not comply with the applicable reporting requirements set forth in Section 13402 of the HITECH Act, the non-breaching Party will comply with its obligations under that section.
- 8. Miscellaneous.
- 8.1 Entire Agreement. This Agreement and the Service Agreement constitute the entire agreement between the Parties and supersede all prior negotiations, discussions, representations, or proposals, whether oral or written, unless expressly incorporated herein, related to the subject matter of this Agreement. Unless otherwise expressly provided herein, this Agreement may not be modified unless in writing signed by the duly authorized representatives of the Parties. Notwithstanding the foregoing, to the extent that Provider has executed a separate business associate agreement with Zelis, the terms of that business associate agreement will supersede this Agreement.
- 8.2 Severability. If any provision of this Agreement or part thereof is found to be invalid, the remaining provisions will remain in full force and effect.
- 8.3 Waiver. Any failure of a Party to insist upon strict compliance with any term, undertaking, or condition of this Agreement will not be deemed to be a waiver of such term, undertaking, or condition. To be effective, a waiver must be in writing, signed, and dated by the Parties.
- 8.4 No Third-Party Beneficiaries. Except as otherwise provided in HIPAA or this Agreement, there are no third-party beneficiaries to this Agreement.
- 8.5 Regulatory References. A reference in this Agreement to a section in HIPAA means the section as in effect or as amended at the time.