BUSINESS ASSOCIATE AGREEMENT
This BUSINESS ASSOCIATE AGREEMENT governs the provision of Protected Health Information (“PHI”) (as defined in 45 C.F.R. §164.501) by Provider, which is also sometimes referred to hereinafter as the Covered Entity (as hereinafter defined) to Noble, for the purposes of Provider providing mental health services to third parties remotely/via telemedicine (the “Services”) utilizing Noble’s online platform known as the Noble app (available at noble.health). Noble and Provider are sometimes referred to hereinafter each as a “Party” and collectively as the “Parties”.

RECITALS

Provider is a “Covered Entity” as that term is defined in 45 C.F.R. Part 160 and Part 164, Subparts A, C and E, the Security Standards for the Protection of Electronic Protected Health Information and Standards for Privacy of Individually Identifiable Health Information (“Security and Privacy Rule”), which are a part of the implementing regulations for HIPAA.

In connection with the provision of the Services, Provider has regular occasion to disclose to Noble certain PHI that is subject to protection under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and Subtitle D of Title XIII of the American Recovery and Reinvestment Act of 2009 (“HITECH Act”).

Noble, as a recipient of PHI from Covered Entity, is a “Business Associate” of Covered Entity as that term is defined in the 45 C.F.R. § 160.103.

The Parties acknowledge that, pursuant to HIPAA and the HITECH Act, all Business Associates of Covered Entities must agree in writing to comply with the Security Rule and certain mandatory provisions regarding the use and disclosure of PHI under the Privacy Rule.

The purpose of this Agreement is to comply with the requirements of the Privacy and Security Rules, including, but not limited to, the Business Associate contract requirements at 45 C.F.R. §§164.502(e), 164.504(e), and as may be amended.

NOW, THEREFORE, in consideration of the mutual promises and covenants contained herein, the Parties agree as follows:

1. Definitions. Unless otherwise provided in this Agreement, capitalized terms have the same meanings as set forth in the Privacy Rule and Security Rules.
2. Scope of Use and Disclosure by Noble of Protected Health Information. Unless otherwise limited herein, in addition to any other Uses and/orDisclosures permitted or authorized by this Agreement or required by law, Noble may:
   1. Use the PHI in its possession for its proper management and administration and to fulfill any legal responsibilities of Noble.
      Disclose the PHI in its possession to a third party for the purpose of Noble’s proper management and administration or to fulfill any legal responsibilities of Noble; provided, however, that the disclosures are Required By Law or Noble has received from the third party written assurances that (i) the information will be held confidentially and used or further disclosed only as Required By Law or for the purposes for which it was disclosed to the third party; and (ii) the third party will notify the Noble of any instances of which it becomes aware in which the confidentiality of the information has been breached.
      Engage in Data Aggregation activities, consistent with the Privacy Rule.
      De-identify any and all PHI created or received by Noble under this Agreement; provided, that the de-identification conforms to the requirements of the Privacy Rule.
      Obligations of Noble. In connection with its Use and Disclosure of PHI, Noble agrees that it will:
      Use or further Disclose PHI only as permitted or required by this Agreement or as Required by Law and further agrees to comply with the use and disclosure provisions in 45 CFR § 164.502(e)(2) and the requirements of § 164.504(e) shall apply to Noble in the same way they apply to the Covered Entity.
      Use reasonable and appropriate safeguards to prevent Use or Disclosure of PHI other than as provided for by this Agreement.
      To the extent practicable, mitigate any harmful effect that is known to Noble of a Use or Disclosure of PHI by Noble in violation of this Agreement.
      Noble shall report to Covered Entity orally and in writing within five days of discovery, the breach of any PHI including unsecured PHI not provided for by this Agreement or any security incident involving or potentially involving the covered entity’s PHI of which Noble becomes aware. Noble shall pay for the full cost of breach notification for any breach for which it is responsible.
      Require contractors or agents to whom Noble provides PHI to agree to the same restrictions and conditions that apply to Noble pursuant to this Agreement.
      Make available to the Secretary of Health and Human Services Noble’s internal practices, books and records relating to the Use or Disclosure of PHI received from, or created or received by Noble on behalf of, Covered Entity for purposes of determining Covered Entity’s compliance with the Privacy Rule, subject to any applicable legal privileges.
      If applicable, within fifteen (15) days of receiving a written request from Covered Entity, make available the information necessary for Covered Entity to make an accounting of Disclosures of PHI about an Individual in a Designated Record Set.
      If applicable, within ten (10) days of receiving a written request from Covered Entity, make available PHI in a Designated Record Set necessary for Covered Entity to respond to Individuals’ requests for access to PHI about them that is not in the possession of Covered Entity.
      If applicable, within fifteen (15) days of receiving a written request from Covered Entity incorporate any amendments or corrections to the PHI in a Designated Record Set in accordance with the Privacy Rule.
      Not make any Disclosures of PHI that Covered Entity would be prohibited from making.
      Obligations of Covered Entity. Covered Entity agrees that it:
      Has included, and will include, in Covered Entity’s Notice of Privacy Practices required by the Privacy Rule that Covered Entity may disclose PHI for Health Care Operations purposes.
      Has obtained, and will obtain, from individuals any consents, authorizations and other permissions necessary or required by laws applicable to Covered Entity for Noble and Covered Entity to fulfill their obligations under this Agreement.
      Will promptly notify Noble in writing of any restrictions on the Use and Disclosure of PHI about Individuals that Covered Entity has agreed to that may affect Noble’s ability to perform its obligations under this Agreement.
      Will promptly notify Noble in writing of any changes in, or revocation of, permission by an Individual to Use or Disclose PHI, if such changes or revocation may affect Noble’s ability to perform its obligations under this Agreement.
      Termination.
      Termination for Cause. Upon Covered Entity’s knowledge of a material breach by Noble, Covered Entity shall either:
      Provide an opportunity for Noble to cure the breach or end the violation and terminate this Agreement if Noble does not cure the breach or end the violation within the time specified by Covered Entity; or
      Immediately terminate this Agreement if Noble has breached a material term of this Agreement and cure is not possible; or
      If neither termination nor cure are feasible, Covered Entity shall report the violation to the Secretary.
      Automatic Termination. This Agreement will automatically terminate upon the cessation of Covered Entity’s conducting the Services.
      Effect of Termination. Upon termination of this Agreement, Noble will return or destroy all PHI received from Covered Entity or created or received by Noble on behalf of Covered Entity that Noble still maintains and retain no copies of such PHI; provided that if such return or destruction is not feasible, Noble will extend the protections of this Agreement to the PHI and limit further Use and Disclosure to those purposes that make the return or destruction of the information infeasible.
      Amendment. Noble and Covered Entity agree to take such action as is necessary to amend this Agreement for Covered Entity to comply with the requirements of the Privacy or Security Rules or other applicable law.
      Survival. The obligations of Noble under Section 5.c of this Agreement shall survive any termination of this Agreement.
      No Third-Party Beneficiaries. Nothing express or implied in this Agreement is intended to confer, nor shall anything herein confer, upon any person other than the parties and their respective successors or assigns, any rights, remedies, obligations or liabilities whatsoever.
      Other Applicable Law. This Agreement does not, and is not intended to, abrogate any responsibilities of the parties under any other applicable law.