BUSINESS ASSOCIATE AGREEMENT

Feb 1, 2025
This BUSINESS ASSOCIATE AGREEMENT is made as of ___________,
by and between
dsf
____________________________,
having its principal offices at
df
____________________________
dd
____________________________
dd
____________________________
(“Covered Entity")

and

Cognix Health LLC

with a primary business address at
970 Peachtree Industrial Blvd,
STE 305,
Suwanee, GA 30024
("Business Associate" “Cognix Health").

RECITALS
WHEREAS, Business Associate now and in the future may have relationships
with Covered Entity in which Business Associate is entrusted with confidential
patient information for use in providing services or products to Covered Entity.

Testing Document - NOT LEGALLY BINDING

 WHEREAS, Business Associate and Covered Entity (each a “Party” and
collectively the “Parties”) desire to enter into this Business Associate Agreement
(“Agreement”) to reflect their understanding of and adherence to maintaining the
confidentiality, integrity, and availability of Protected Health Information as
required under local, state, and federal regulation. Unless otherwise expressly
defined in this Agreement, all terms in this Agreement will have the meanings set
forth in the Agreement or in HIPAA. “HIPAA” means the Administrative
Simplification Subtitle of the Health Insurance Portability and Accountability Act of
1996, as amended by Subtitle D of the Health Information Technology for
Economic and Clinical Health Act (“HITECH”), and their implementing regulations
published by the United States Department of Health and Human Services
(“HHS”) at 45 CFR Parts 160, 162, and 164, and as may be applicable to the
services rendered by Business Associate to the Covered Entity, under the
Gramm-Leach-Bliley Act ("GLB"); the Confidentiality of Substance Use Disorder
Patient Records at 42 CFR Part 2 (“Part 2”); Family Educational Rights and
Privacy Act (”FERPA”), and implementing regulations.
WHEREAS, the Office of the Secretary of the Department of Health and Human
Services has issued regulations requiring certain transmissions of electronic data
be conducted in specified standardized formats at 45 CFR Parts 160 and 162
(“Electronic Transmissions Rule”).
WHEREAS, both parties desire to make technical and procedural arrangements
to assure that their business relationships meet these regulatory requirements on
or before their respective compliance dates.
WHEREAS, both Parties desire to set forth the terms and conditions pursuant to
which Protected Health Information that is provided by, or created or received by,
the Business Associate on behalf of the Covered Entity (“Protected Health
Information”), will be handled between themselves and third parties.
NOW THEREFORE, in consideration of the foregoing and for other good and
valuable consideration, the receipt and sufficiency of which are hereby
acknowledged, the Parties hereby agree as follows:

DEFINITIONS
Regulatory citations in this Agreement are to the United States Code of Federal
Regulations, as promulgated April 14, 2001, interpreted and amended from time
to time by HHS, for so long as such regulations are in effect. Unless otherwise
specified in this Agreement, all terms not otherwise defined shall have the

Testing Document - NOT LEGALLY BINDING

 meaning established for purposes of Title 45 parts 160 through 164 of the United
States Code of Federal Regulations, as amended from time to time.

TERMS AND CONDITIONS

1. PERMITTED USES AND DISCLOSURES OF PROTECTED HEALTH

INFORMATION
1.1 Services
(a) Business Associate provides services (which may include transaction
services as well as servicing hardware or software products) (“Services”) that
involve the use and/or disclosure of Protected Health Information. These
Services are provided to Covered Entity under various agreements ("Service
Agreements") that specify the Services to be provided by Business Associate.
Except as otherwise specified herein, the Business Associate may make any and
all uses of Protected Health Information created or received from or on behalf of
Covered Entity necessary to perform its obligations under the Service
Agreements. Moreover, Business Associate may disclose Protected Health
Information for the purposes authorized by this Agreement only:
(i) to its employees, Business Associates and agents in accordance with
Section 2.1(f) below,
(ii) as directed by the Covered Entity, or
(iii) as otherwise permitted by the terms of this Agreement including, but not
limited to, Section
1.2 and Section 1.3 below, or
(i) as required by law.
(b) Business Associate may aggregate the Protected Health Information in its
possession with the Protected Health Information of other Covered Entities and
covered entities that the Business Associate has in its possession through its
capacity as a Business Associate to such other entities, provided that the
purpose of such aggregation is to provide Covered Entity with data analyses
relating to the Health Care Operations of the Covered Entity.
(c) Pursuant to the Master Agreement between Business Associate and
Covered Entity, Business Associated my use, reproduce, aggregate, and modify
Protected Health Information and any Personally Identifiable Information

Testing Document - NOT LEGALLY BINDING

 contained in the Covered Entity’s data for the purpose of creating De-identified
Data from the Protected Health Information and Personally Identifiable
Information. De-identified Data means former Protected Health Information and
Personally Identifiable Information that is stripped of its identifiable elements, in
accordance with the Health Insurance Portability and Accountability Act and its
implementing regulations, so as to render the individual’s data de-identified, and
no longer constitutes PHI or personally identifiable health information.
1.2 Public Health Activities.
Business Associate may use, analyze, and disclose the Protected Health
Information in its possession for the public health activities and purposes set forth
at 45 C.F.R. § 164.512(b)

1.3 Business Activities of the Business Associate.

Unless otherwise limited herein, the Business Associate may:
(a) consistent with 45 C.F.R. § 164.504(e)(4), use and disclose the Protected
Health Information in its possession for its proper management and
administration and to fulfill any present or future legal responsibilities of the
Business Associate; and
(b) de-identify any and all Protected Health Information provided that Business
Associate implements de-identification criteria in accord with 45 C.F.R. §
164.514(b). Covered Entity acknowledges and agrees that de-identified
information is not Protected Health Information and that Business Associate may
use such de-identified information for any lawful purpose.
1.4 Unauthorized Use and Disclosure of Protected Health Information. Business
Associate shall not use or further disclose any Protected Health Information
received from, or created or received on behalf of, the Covered Entity, in a
manner that would violate the requirements of 42 CFR Part 2, 45 CFR Part 160
and in subparts A and E of 45 CFR. Part 164 (the “Privacy Rule”) if done by the
Covered Entity.

2. RESPONSIBILITIES OF THE PARTIES WITH RESPECT TO PROTECTED

HEALTH INFORMATION
2.1. Responsibilities of the Business Associate. With regard to its use and/or
disclosure of Protected Health Information, the Business Associate agrees to:

Testing Document - NOT LEGALLY BINDING

 (a) use and/or disclose the Protected Health Information only as permitted under
the Minimum Necessary standard or required by this Agreement or as otherwise
required by law.

(b) use all reasonable and appropriate safeguards to prevent use or disclosure
of Protected Health Information received from, or created or received on behalf
of, the Covered Entity other than as provided for in this Agreement or as required
by state, federal, or applicable international law. Such safeguards shall include
regular auditing of the security of the Protected Health Information and data
Business Associate maintains for Covered Entity. Additionally, these safeguards
will include, but not be limited to:

(i) Training
(a) provide training to relevant employees, contractors, and Business Associates
on how to prevent the improper Use or Disclosure of Protected Health
Information prior to granting physical and/or systems access to Protected Health
Information;
(b) update and repeat training on a regular basis to ensure the confidentiality,
integrity, and availability of Personal Health Information as required under HIPAA
and applicable federal, state and local laws and regulations that pertain to this
Agreement;
(c) ensure that each employee, contractor, and Business Associate who is
required to receive training certifies, in electronic or written form, that they have
received training. This certification shall include at minimum the name of the
person who has received training, the date of the training, and an attestation of
compliance for the training topics covered. All training materials and training
certification documents shall be retained as required by HIPAA regulation.
(ii) Administrative Safeguards
(a) adopt, distribute, maintain, and review policies and procedures regarding the
safeguarding of Protected Health Information in accordance with its applicable
administrative procedures and HIPAA regulation;
(b) enforce and document those policies and procedures, including sanctions for
anyone found not in compliance;

Testing Document - NOT LEGALLY BINDING

 (c) conduct an organization-wide risk management assessment as required
under HIPAA to address and mitigate any security risks and vulnerabilities
identified in the risk analysis and, if necessary, revise its policies and procedures
accordingly through a risk response plan.
(d) Business Associate shall maintain at its own cost and expense insurance
covering Business Associate for claims, losses, liabilities, judgments,
settlements, lawsuits, regulatory actions, and other costs or damages arising out
of its performance under this Agreement.

(iii) Technical and Physical Safeguards

(a) implement reasonable and appropriate technical safeguards to protect
Protected Health Information, including access controls, authentication and
transmission security as required under applicable local, state, and federal law;
(b) implement reasonable and appropriate physical safeguards to protect
Protected Health Information, including workstation security and device and
media controls as required under law;
(c) encrypt all Protected Health Information stored or transmitted in accordance
with the Secretary of Health and Human Service’s guidance to Render
Unsecured Protected Health Information Unusable, Unreadable, or
Indecipherable to Unauthorized Individuals;
(d) ensure reasonable and appropriate safeguards including but not limited to
Business Contingency and a Disaster Recovery Plan that satisfies all HIPAA
Security Rule requirements.

(c) report to the designated Privacy Officer of the Covered Entity, in writing, any
use and/or disclosure of the Protected Health Information that is not permitted or
required by this Agreement of which Business Associate becomes aware within
ten (10) days of Business Associate’s discovery of such unauthorized use and/or
disclosure, modification, or destruction of information or interference with system
operations in an Information System in a manner that actually negatively impacts
the confidentiality, integrity, or availability of Protected Health Information.
Business Associate agrees that if any of its employees, agents, Business
Associates, and representatives use or disclose Protected Health Information
received from, or created or received on behalf of, the Covered Entity, or any
derivative De-identified Information in a manner not provided for in this

Testing Document - NOT LEGALLY BINDING

 Agreement, Business Associate shall ensure that such employees, agents,
Business Associates, and representatives shall receive training on Business
Associate’s procedures for compliance with the Privacy Rule, or shall be
sanctioned or prevented from accessing any Protected Health Information
Business Associate receives from, or creates or receives on behalf of, the
Covered Entity. Continued use of Protected Health Information in a manner
contrary to the terms of this agreement shall constitute a material breach of this
Agreement.
(i) Law Enforcement Delay. The Business Associate will not be considered in
violation of this Agreement to the Covered Entity when subject to a Law
Enforcement Delay under 45 C.F.R. §164.412.

(d) may use Protected Health Information to report violations of law to

appropriate Federal and State authorities, consistent with 45 C.F.R. § 164.502(j)
(1). If permitted by law, Business Associate shall prior to disclosing Protected
Health Information Required By Law to an administrative or oversight agency, law
enforcement, or in response to a subpoena, court order, etc., notify Covered
Entity of such pending disclosure and provide the Covered Entity with a copy of
the disclosure request and all information to be disclosed pursuant thereto prior
to the disclosure in order that the Covered Entity may have adequate time to
oppose such disclosure if the Covered Entity deems it necessary.

(e) establish procedures for mitigating, to the greatest extent possible, any
deleterious effects from any improper use and/or disclosure of Protected Health
Information that the Business Associate reports to the Covered Entity.

(f) agree to require and ensure that all of its Business Associates and agents
that receive, use or have access to Protected Health Information under this
Agreement, adhere to the same restrictions and conditions on the use and/or
disclosure of Protected Health Information that apply to the Business Associate
pursuant to this Agreement or the Privacy Rule that apply to Business Associate
with respect to such information. In no event shall the Business Associate assign
any of its rights or obligations under this Agreement without the prior written
consent of the Covered Entity.

Testing Document - NOT LEGALLY BINDING

 (g) Audit.
(i) Audit by Secretary of Health and Human Services.
Make available all records, books, agreements, internal practices, policies and
procedures relating to the use and/or disclosure of Protected Health Information
received from, or created or received on behalf of, the Covered Entity available to
the Secretary of Health and Human Services upon request for purposes of
determining the Covered Entity’s compliance with HIPAA and the Privacy Rule;
(ii) Audit by the Covered Entity.
Make available records, books, agreements, internal practices, policies and
procedures relating to the use and/or disclosure of Protected Health Information
received from, or created or received on behalf of the Covered Entity upon
request, and no more than once annually, for purposes of determining the
Business Associate’s compliance with HIPAA. In no event will Business Associate
be obligated to share any Protected Health Information from any other covered
entity customer during an audit.

(h) maintain an accounting of disclosures of Protected Health Information it

receives from, or creates or receives on behalf of, the Covered Entity in
accordance with the Privacy Rule. Within fifteen (15) days of a request by the
Covered Entity, Business Associate shall make available to the Covered Entity
the information required to provide an accounting of disclosures in accordance
with 45 CFR 164.528. If Business Associate receives, directly or indirectly, a
request from an individual requesting an accounting of disclosures of Protected
Health Information, Business Associate shall notify the Covered Entity in writing
promptly of such individual’s request no later than five (5) business days of
receiving request. The Covered Entity shall be solely responsible for determining
whether to provide or not provide an accounting to the requesting individual.

(i) Standard Electronic Transactions.

(i) The parties agree that Business Associate shall, on behalf of the Covered
Entity, transmit data for transactions that are required to be conducted in
standardized format under the Electronic Transactions Rule.
(ii) Business Associate shall comply with the Electronic Transactions Rule for
all transactions conducted on behalf of the Covered Entity that are required to be
in standardized format.

Testing Document - NOT LEGALLY BINDING

 (iii) Business Associate shall ensure that any of its business associates to whom
it delegates any of its duties under its contract with the Covered Entity, agrees to
conduct and agrees to require its agents or business associates to comply with
the Electronic Transactions Rule for all transactions conducted on behalf of the
Covered Entity that are required to be in standardized format.
2.2. Responsibilities of the Covered Entity.
With regard to the use and/or disclosure of Protected Health Information by the
Business Associate, the Covered Entity agrees:
(a) to obtain any consent and/or authorization that may be required by 45 CFR §
164.506, § 164.508, 42 CFR Part 2, or applicable state law prior to furnishing
Business Associate the protected health information pertaining to an individual;
(b) that it will not furnish Business Associate protected health information that is
subject to any arrangements permitted or required of the Covered Entity under
45 CFR Parts 160 and 162, and 42 CFR Part 2, that may impact in any manner
the use and/or disclosure of Protected Health Information by the Business
Associate under this Agreement and the Services Agreement(s), including, but
not limited to, restrictions on use and/or disclosure of Protected Health
Information as provided for in 45 C.F.R. § 164.522 and agreed to by the Covered
Entity; and
(c) that it will inform Business Associate of any known limitations on the use or
disclosure of Protected Health Information contained in Covered Entity’s Notice
of Privacy Practices, any known changes in, or revocation of, any authorizations
by an individual to use or disclose his or her Protected Health Information, and
any known restrictions on the uses or disclosures of PHI that its Covered Entity
client has agreed to or is required to comply with under 45 C.F.R. § 164.522.

2.3. Responsibilities of the Parties with Respect to Designated Record Sets.

This Section 2.3 applies only if, in the course of performing the Services,
Business Associate and Covered Entity agree that Business Associate maintains
Designated Records Sets containing Protected Health Information.
(a) Business Associate agrees to:
(i) at the request of, and in the time and manner reasonably designated by the
Covered Entity, provide access to the Protected Health Information requested by
an individual to the Covered Entity in order to satisfy a request by such individual
under HIPAA; and

Testing Document - NOT LEGALLY BINDING

 (ii) at the request of, and in the time and manner reasonably designated by the
Covered Entity, make any amendment(s) to the Protected Health Information of
an individual that the Covered Entity directs.
(b) Covered Entity agrees to:
(i) notify Business Associate, in writing, of any Protected Health Information that
Covered Entity seeks to make available to an individual and agree with Business
Associate as to the time, manner, and form in which Business Associate shall
provide such information to Covered Entity;
(ii) notify Business Associate, in writing, of any amendment(s) to the Protected
Health Information in the possession of Business Associate that Covered Entity
believes are necessary because of its belief that the Protected Health Information
that is the subject of the amendment(s) has been or could be relied upon by
Business Associate or others to the detriment of the individual who is the subject
of the Protected Health Information; and
(iii) be solely responsible for the decision to disclose or not to disclose, and to
amend or not amend any individual’s Protected Health Information.

3. REPRESENTATIONS AND WARRANTIES OF THE PARTIES

3.1. General Representations.

Each Party represents and warrants to the other Party:
(a) that it will reasonably cooperate with the other Party in the performance of
the mutual obligations under this Agreement; and
(b) that it is in material compliance with the provisions of this Agreement as
required by 45 CFR Parts 2, 160, 162, and 164.

4. TERM AND TERMINATION

4.1. Term.
This Agreement shall become effective on the Effective Date and shall continue
in effect unless terminated as provided in this Section 4. In addition, certain
provisions and requirements of this Agreement shall survive the expiration or
termination of this Agreement in accordance with Section 5.4 herein.

Testing Document - NOT LEGALLY BINDING

 4.2. Termination by the Covered Entity.
As provided for under 45 CFR § 164.504(e)(2)(iii), the Covered Entity may
immediately terminate this Agreement and any related Services Agreements if
the Covered Entity makes the determination that the Business Associate has
breached a material term of this Agreement. Alternatively, the Covered Entity may
choose to:
(a) provide the Business Associate with five (5) days written notice of the
existence of an alleged material breach; and
(b) afford the Business Associate an opportunity to cure said alleged material
breach upon mutually agreeable terms. Nonetheless, in the event that mutually
agreeable terms cannot be achieved within thirty (30) days, Business Associate
must cure said breach to the satisfaction of the Covered Entity within ninety (90)
days. Failure to cure in the manner set forth in this Section 4.2 shall be grounds
for the immediate termination of this Agreement.

4.3. Termination by Business Associate.

Business Associate may immediately terminate this Agreement and any related
Services Agreements if Business Associate makes the determination that
Covered Entity has breached a material term of this Agreement. Alternatively,
Business Associate may choose to:
(a) provide Covered Entity with five (5) days written notice of the existence of an
alleged material breach; and
(b) afford Covered Entity an opportunity to cure said alleged material breach
upon mutually agreeable terms. Nonetheless, in the event that mutually
agreeable terms cannot be achieved within thirty (30) days, Covered Entity must
cure said breach to the satisfaction of Business Associate within ninety days.
Failure to cure in the manner set forth in this Section 4.3 shall be grounds for the
immediate termination of this Agreement.

4.4. Automatic Termination.

This Agreement will automatically terminate without any further action of the
parties upon the termination or expiration of all Services Agreement(s) between
Covered Entity and Business Associate.

Testing Document - NOT LEGALLY BINDING

 4.5. Return of Protected Health Information.
(a) Upon the termination of this Agreement pursuant to this Section 4, Business
Associate agrees within ninety (90) days to return in a manner designated by the
Covered Entity, or destroy with proof of destruction being provided to the
Covered Entity, all Protected Health Information of Covered Entity, including such
information in possession of Business Associate's Business Associates, if it is
feasible to do so. If return or destruction of said Protected Health Information is
not feasible, the Business Associate will notify the Covered Entity in writing. Said
notification shall include:
(i) a statement that the Business Associate has determined that it is infeasible to
return or destroy the Protected Health Information in its possession, and
(ii) the specific reasons for such determination.

Business Associate agrees to extend any and all protections, limitations and
restrictions contained in this Agreement to any Protected Health Information
retained after the termination of this Agreement, and to limit any further uses and/
or disclosures to the purposes that make the return or destruction of the
Protected Health Information infeasible. Notwithstanding the foregoing, Business
Associate shall not destroy any Protected Health Information in less than three
(3) years from the date it is received by Business Associate.
(b) Business Associate may consider all Protected Health Information as
abandoned (“Abandoned”) by the Covered Entity if attempts to return Protected
Health Information to the Covered Entity under section 4.5(a) and Covered Entity
has not responded within ninety (90) days from the termination of this
Agreement.
(c) Protected Health Information deemed Abandoned in accordance with section
4.5(b) will be destroyed by the Business Associate on the first (1st) day following
four (4) years from the termination of this Agreement.

5. MISCELLANEOUS

5.1. Entire Agreement.

Testing Document - NOT LEGALLY BINDING

 This Agreement supersedes all prior or contemporaneous understandings or
contracts, and constitutes the entire agreement existing between the Parties
regarding the subject matter of this Agreement.

5.2. Change in Law.

(a) Business Associate agrees that it will comply with any changes in HIPAA, the
Privacy Rule, and the Electronic Transactions Rule by the compliance date
established for any such changes. The Parties agree to negotiate in good faith
mutually agreeable amendment(s) to this Agreement to give effect to such
changes in law; provided, however, that if the Parties are unable to agree on
mutually agreeable amendment(s) within ninety (90) days of the relevant change
in law, either Party may terminate this Agreement upon written notice to the other
Party.
(b) The Parties acknowledge that certain aspects of this Agreement may be
affected by laws, treaties, and regulations of the United States, as well as
applicable laws, treaties, and regulations (collectively, the “Applicable Laws”).
Parties assume responsibility for compliance with all Applicable Laws pertaining
to this Agreement including laws relating to data protection.

5.3. Construction of Terms.

(a) The terms of this Agreement shall be construed in light of any interpretation
and/or guidance on HIPAA and the Privacy Regulation issued by HHS from time
to time.
(b) In the event any terms of this Agreement conflict with any terms of the
Services Agreement, the terms of this Agreement shall govern and control.
5.4. Survival.
Section 6 and this Section 5.4 shall survive termination of this Agreement. The
respective rights and obligations of Business Associate and Covered Entity under
the provisions of Sections 2.1, 2.2, and 4.5, solely with respect to Protected
Health Information Business Associate retains in accordance with Section 4.5
because it is not feasible to return or destroy such Protected Health Information,
shall survive termination of this Agreement for so long as such information is
retained.
5.5. Amendment; Waiver; Assignment.

Testing Document - NOT LEGALLY BINDING

 This Agreement may not be modified, nor shall any provision hereof be waived or
amended, except in a writing duly signed by authorized representatives of the
Parties. A waiver with respect to one event shall not be construed as continuing,
or as a bar to or waiver of any right or remedy as to subsequent events.

5.6. Counterparts; Facsimiles.

This Agreement may be executed in any number of counterparts, each of which
shall be deemed an original. Facsimile copies hereof shall be deemed to be
originals.

5.7 Disputes.
If any controversy, dispute or claim arises between the Parties with respect to this
Agreement, the Parties shall make good faith efforts to resolve such matters
informally
5.8 Effective Date.
The Effective Date of this Agreement shall be the later of , or the date on which
both parties have executed the Agreement.
5.9 Affiliates.
This Agreement shall be binding upon the parties and their current and future
Affiliates, successors and permitted assigns. “Affiliate” shall mean any entity
owned or controlled by, under common ownership or control with, or which owns
or controls, either party to this Agreement or any of its subsidiaries.
5.10 Governing Law.
This Agreement is governed by the laws of the State of Alabama without giving
effect to Alabama’s conflict of laws principles.

5.11. Notices.
All notices to be given hereunder to a Party shall be made via U.S. Mail or
express courier to such Party’s address given below, and/or via facsimile to the
facsimile telephone numbers listed below. Each Party may change its address
and that of its representative for notice by the giving of notice thereof in the
manner herein below provided.

Testing Document - NOT LEGALLY BINDING

 6. LIMITATION OF LIABILITY
NEITHER PARTY SHALL BE LIABLE TO THE OTHER PARTY FOR ANY
INCIDENTAL, CONSEQUENTIAL, SPECIAL, OR PUNITIVE DAMAGES OF
ANY KIND OR NATURE, WHETHER SUCH LIABILITY IS ASSERTED ON THE
BASIS OF CONTRACT, TORT (INCLUDING NEGLIGENCE OR STRICT
LIABILITY), OR OTHERWISE, EVEN IF THE OTHER PARTY HAS BEEN
ADVISED OF THE POSSIBILITY OF SUCH LOSS OR DAMAGES.

IN WITNESS WHEREOF, each of the undersigned has caused this Business

Associate Agreement to be duly executed in its name and on its behalf effective
as of the Effective Date.

“Covered Entity” “Business Associate” “Cognix

Health”
dd
Name: _____________________
Sign: Cognix Health

___________________________ Sign: Neerav Vyas

Date: Feb 1, 2025
Title: Co-Founder & CTO
df
Address: ___________________
Date: Feb 1, 2025
dd
___________________________
Address: 970 Peachtree Industrial
dd Blvd, STE 305,
———————————————
Suwanee, GA 30024
1234567891
Phone: _____________________
Phone: 404.641.1956
a@gmail.com
Email: _______________________
Email: compliance@cognixhealth.com

Testing Document - NOT LEGALLY BINDING