BUSINESS ASSOCIATE AGREEMENT
Last Updated: 8/12/2025
This Business Associate Agreement (“BAA”) is entered into as of the Effective Date of the Agreement by and between EnlivenHealth, Inc. and its assigns and wholly owned subsidiaries, as applicable (“Business Associate”) and Customer (“Covered Entity”). Each individually is referred to as a “Party,” and together Business Associate and Covered Entity are the “Parties” to the BAA.
A. Definitions.
- Unless otherwise provided, all capitalized terms in the BAA will have the same meaning as provided under “HIPAA”, the Health Insurance Portability and Accountability Act of 1996, PL 104-91, as amend by the Health Information Technology for Economic and Clinical Health Act of 2009 (“HITECH”), the Genetic Information Nondiscrimination Act and other modifications, and implementing regulations at 45 C.F.R. parts 160, 162, and 164, subparts A, C (“Security Rule”), D (the “Breach Notification Rule”) and E (the “Privacy Rule”), in effect as of the Effective date.
- “Business Associate” will have the same meaning as the term “business associate” in 45 CFR §160.103 of HIPAA.
- “Covered Entity” will have the same meaning as the term “covered entity” in 45 CFR §160.103 of HIPAA.
- “Customer” means the entity and its affiliates that have entered into an Underlying Agreement with Business Associate.
- “Protected Health Information” or “PHI” will have the same meaning as the term “protected health information” in 45 CFR §160.103 of HIPAA, provided that it is limited to PHI that is created, received, maintained, or transmitted on behalf of Covered Entity by Business Associate pursuant to the Underlying Agreement.
- “Security Incident” will have the same meaning as the term “security incident” in 45 CFR §164.304 For clarity, a Security Incident does not include Unsuccessful Security Incidents.
- “Underlying Agreement” means a written agreement or agreements executed by and between Covered Entity and Business Associate pursuant to which PHI is created, received, maintained, or transmitted on behalf of Covered Entity by Business Associate.
- “Unsuccessful Security Incidents” include, but are not limited to, pings and other broadcast attacks on Business Associate’s firewall, port scans, unsuccessful log-on attempts, denials of service and any combination of the above, so long as no such incident results in unauthorized access, Use or Disclosure of PHI.
B. Permitted Uses and Disclosures of PHI.
Except as otherwise limited in this BAA, Business Associate may Use and Disclose PHI in accordance with the terms of the Underlying Agreement, this BAA, or as Required by Law.
- Business Associate may use or disclose PHI as necessary for the proper management and administration of Business Associate and to carry out the legal responsibilities of Business Associate, provided that any Disclosures may occur only if (a) Required by Law; or (b) Business Associate obtains written reasonable assurances from the entity or person to whom the PHI is Disclosed that it will be held confidentially and Used or further Disclosed only as Required by Law or for the purpose for which it was Disclosed to the person or entity, and the person or entity notifies Business Associate of any instances of which it becomes aware in which the confidentiality of PHI has been breached.
- Business Associate may aggregate and de-identify PHI in accordance with the standards set forth under HIPAA. Business Associate may use or disclose such de-identified data or portions thereof in perpetuity for its independent business purposes which may include research, development, product improvement and testing, so long as such uses or disclosures are nor prohibited by the Underlying Agreement, this BAA, or by HIPAA. The rights of use and disclosure of such de-identified data that is de-identified prior to termination of this BAA will survive the termination or expiration of this BAA.
- Business Associate may create a Limited Data Set and use or disclose such Limited Data Set pursuant to a Data Use Agreement that meets the requirements of the Privacy Rule and Covered Entity will not unreasonably delay, prevent, or condition consent for such a Data Use Agreement.
C. Business Associate Responsibilities. To the extent that Business Associate is acting as a business associate under HIPAA, Business Associate agrees to the following:
- Compliance with Laws. Business Associate agrees to comply with the provisions of HIPAA applicable to Business Associate.
- Safeguards. Business Associate will use reasonable and appropriate safeguards to reasonably prevent Use and Disclosure of PHI other than as permitted under this BAA or the Underlying Agreement and comply with Subpart C of 45 CFR Part 164 of the Security Rule.
- Subcontractors. In accordance with 45 CFR §164.502(e)(1)(ii) and §164.308(b)(2) of HIPAA, Business Associate will require its downstream business associate subcontractors or agents to agree in writing to substantially similar restrictions, conditions, and requirements that apply to Business Associate under this BAA with respect to the creation, maintenance of transmission of PHI.
- Minimum Necessary. Business Associate will make reasonable efforts to limit Use and Disclosure of PHI to the minimum necessary to accomplish the intended purposes.
- Individual Rights. These Sections 5(a) and 5(b) will only apply if Business Associate maintains PHI in a Designated Record Set for Covered Entity:
- Access. Within fifteen (15) days of Business Associate’s receipt of a written request from Covered Entity, Business Associate will make access to PHI available to Covered Entity. If an Individual makes a request for access directly to Business Associate, Business Associate will forward such request to Covered Entity within five (5) days of receipt by Business Associate. Except as Required by Law, Covered Entity will solely be responsible for making determinations regarding the grant or denial of an Individual’s request for PHI.
- Amendment. This Section 5(b) shall only apply if Business Associate maintains PHI in a Designated Record Set for Covered Entity: Within fifteen (15) days of Business Associate’s receipt of a written request for amendment of PHI from Covered Entity, Business Associate will incorporate such amendments in the PHI subject to the request. If an Individual makes a request for amendment directly to Business Associate, Business Associate will forward such request to Covered Entity within five (5) days of receipt by Business Associate. Except as Required by Law, Covered Entity will solely be responsible for making determinations regarding the grant or denial of an Individual’s request for an amendment.
- Accounting of Disclosures. Within fifteen (15) days of Business Associate’s receipt of a written request, Business Associate will make available to Covered Entity information relating to Disclosures made by Business Associate so that Covered Entity may respond to an Individual’s request for an accounting of Disclosures in accordance with 45 CFR §164.528. Such accounting is limited to Disclosures that were made in the six (6) years prior to the date of the request. If an Individual makes a request for an accounting of Disclosures directly to Business Associate, Business Associate will forward such request to Covered Entity within five (5) days of receipt by Business Associate. Except as Required by Law, Covered Entity will solely be responsible for making determinations regarding the grant or denial of an Individual’s request for an accounting of Disclosures.
- Disclosures to the Secretary. Business Associate will make available its internal practices, books, and records relating to the Use and Disclosure of PHI received from, or created or received on behalf of, Covered Entity to the Secretary or his or her agents or authorized designees for the purpose of determining Covered Entity’s compliance with HIPAA, subject to attorney-client and other applicable legal privileges.
- Reporting.
- Business Associate will report to Covered Entity at the email address provided: (a) any Security Incident of which it becomes aware, provided that this Section constitutes notice by Business Associate to Covered Entity of the ongoing existence and occurrence of attempted but Unsuccessful Security Incidents; and (b) any Breach of Unsecured PHI that Business Associate Discovers in accordance with the Breach Notification Rule, 45 CFR §164.410(c). Notification of a Security Incident or Breach will be made to Covered Entity within seven (7) business days following Business Associate’s determination of Security Incident or Breach.
- If the Breach of Unsecured PHI impacts covered entities other than Covered Entity, such that Business Associate plans to provide and/or coordinate the provision of the notifications required by Applicable Law on behalf of all covered entities impacted by such Breach of Unsecured PHI, Covered Entity may, but is not required to, be included within such notification process and Business Associate shall make all notifications on behalf of Covered Entity consistent with all requirements of Applicable law. Unless waived in writing by Covered Entity, before sending any notice to any third party, including, without limitation, any Individual(s), the media and/or the Secretary, Business Associate shall first provide a draft of the notice to the Covered Entity.
- Performance of Covered Entity Obligations. To the extent Business Associate expressly agrees to carry out one or more Covered Entity obligation(s) under the Privacy Rule pursuant to an Underlying Agreement, Business Associate will comply with the requirements of the Privacy Rule applicable to Covered Entity in the performance of the obligation.
D. Covered Entity Responsibilities.
- Compliance with Laws. Covered Entity will comply with the provisions of HIPAA applicable to Covered Entity.
- Permissions. Covered Entity will and retains sole responsibility for acquiring all consents and permissions necessary from an individual for Disclosure of PHI to and Use by Business Associate.
- Changes in Authorization. Covered Entity will notify Business Associate in writing and in a timely manner of any changes in, or withdrawal of, any authorization provided to Covered Entity by any Individual pursuant to 45 CFR §164.508, to the extent that such changes or withdrawal may affect Business Associate’s Use or Disclosure of PHI.
- Restrictions to Use or Disclosure of PHI. Covered Entity will notify Business Associate in writing and in a timely manner of any restrictions to the Use or Disclosure of PHI that Covered Entity has agreed to in accordance with 45 CFR §164.522, to the extent that such restrictions may affect Business Associate’s Use or Disclosure of PHI.
- Notice of Privacy Practices. Covered Entity will notify Business Associate, in writing and in a timely manner of any limitation(s) in its notice of privacy practices, to the extent that such limitation may affect Business Associate’s use or disclosure of PHI.
- Permissible Requests. Covered Entity will not request Business Associate to Use or Disclose PHI in any manner that would not be permissible under HIPAA if done by Covered Entity.
- Impermissible Submissions. Covered Entity agrees that during the course of receiving technical support or otherwise it will not submit PHI to Business Associate by: (a) email; (b) ticketing system; or (c) any other electronic means of communication, unless otherwise specified and agreed to by Business Associate.
- Notice. Covered Entity agrees that any notice by Business Associate pursuant to this BAA may be made to the contact information contained in the Underlying Agreement. It is Covered Entity’s responsibility to ensure that such contact information is current and accurate. Covered Entity will provide notice to Business Associate by email at privacy@omnicell.com and by physical address:
EnlivenHealth, Inc.
500 Cranberry Woods Dr
Cranberry Twp, PA 16066
Attn: Office of the General Counsel
E. Term and Termination.
- Term. This BAA will be effective as of the date of the last signature hereto, and will continue until (a) the last Underlying Agreement between the parties is terminated, or (b) terminated pursuant to this Section E.
- Termination. Either Party may terminate this BAA provided the non-breaching Party will provide written notice to the other Party and an opportunity to cure such breach. If the other Party fails to cure such breach within thirty (30) calendar days of receipt of notice, then the non-breaching Party may terminate this BAA, unless Business Associate is making reasonable progress towards cure and has a reasonably anticipated timeline for completion.
- Effect of Termination. Upon termination of this BAA, Business Associate agrees to return or destroy all PHI received from or created on behalf of Covered Entity no later thirty (30) days post termination. Notwithstanding anything to the contrary in this BAA or the Underlying Agreement, the foregoing will not apply to copies of PHI that is subject to archival, backup, compliance, or legal policies or procedures, provided such copies will remain subject to the obligations set forth in this BAA for so long as such copies are maintained by Business Associate. Business Associate will limit further Uses and Disclosures of the PHI to those purposes that make the return or destruction of the PHI not feasible for so long as Business Associate retains the PHI.
F. Miscellaneous.
- Interpretation and Entire Standalone Agreement. This BAA is a standalone agreement and constitutes the entire and only agreement of the parties with respect to the HIPAA Regulations [and any applicable state law over personally identifiable information cited] and supersedes and cancels any and all prior negotiations, understandings and agreements concerning same. If any terms of this Agreement are inconsistent with the Underlying Agreement, the terms of this Agreement shall survive and control. This Agreement may be amended, modified, superseded, canceled, renewed or extended only by a written document signed by the parties. Any conflict, inconsistency, or ambiguity in or between this BAA and the Underlying Agreement or HIPAA will be resolved in favor of a meaning that permits the Parties to comply with HIPAA.
- Survival. The respective rights and obligations of the Parties that are by their nature intended to survive termination or expiration of this BAA so will survive.
- Governing Law. This BAA will be governed the laws of the state of Texas, without regard to applicable conflict of laws principles.
- Indemnification.
- Business Associate agrees to indemnify, defend and hold Covered Entity harmless against all direct, actual, out-of-pocket and reasonable losses, claims (whether in law or in equity) , obligations, actions, liabilities, damages, costs or expenses (including reasonable attorneys’ fees, including the cost of notifying affected Individuals, that Covered Entity suffered as a result of non-affiliated third-party claims, demands, actions to the extent directly resulting from any breach of the BAA by Business Associate.
- Covered Entity agrees to indemnify, defend and hold Business Associate harmless against all direct, actual, out-of-pocket and reasonable losses, claims (whether in law or in equity), obligations, actions, liabilities, damages, costs or expenses, including the cost of notifying affected Individuals, that Business Associate are suffered as a result of non-affiliated third-party claims, demands, actions to the extent directly resulting from any breach of the BAA, by Covered Entity.
- Indemnity is conditioned upon each Party seeking indemnification taking reasonable steps to mitigate any potential expenses and will providing the indemnifying Party with (a) prompt written notice of any such claim or action (provided that delay in notification will only relieve the indemnifying Party of its obligations to the extent prejudiced by delay in notification); (b) the sole control and authority over the defense or settlement of such claim or action (provided the indemnifying Party may not agree in settlement to admissions of fault or ongoing commitments on behalf of the indemnified Party without prior written consent of the indemnified Party); and (c) proper and full information and reasonable assistance to settle and/or defend any such claim or action. The indemnified Party may employ separate counsel and participate in the defense at its own expense; provided that the indemnifying Party will control the defense and the indemnified Party does not interfere with indemnifying Party’s defense.
- Limitation of Liability.
- Notwithstanding anything to the contrary in the Underlying Agreement, in no event will Business Associate be liable to Covered Entity for any indirect, special, incidental, punitive, exemplary or consequential damages including loss of profits, loss of use, business interruption, or loss of data in connection with or arising out of this BAA or the subject matter thereof, or its termination regardless of whether arising under contract, tort, or any other theory, even if Business Associate has been advised of the possibility of such damages.
- Business Associate’s total cumulative liability to Covered Entity pursuant to this BAA or with respect to the subject matter thereof will not exceed the amount of payments actually paid by Covered Entity to Business Associate pursuant to the applicable Pricing Supplement or Statement of Work of the Underlying Agreement during the 12-month period preceding the date on which the claim arose. The limitations set forth in this BAA and the Underlying Agreement are not separate caps, will be viewed cumulatively, and will adjust because claims under one agreement will reduce the amount available in the other agreement; provided that Covered Entity will not and is not permitted to make any claims of liability under the Underlying Agreement with respect to PHI (including Use or Disclosure of PHI) or Business Associate’s obligations under this BAA or the subject matter hereof. Multiple claims will not enlarge this limit. This limitation of liability will apply notwithstanding any failure of essential purpose of any exclusive remedy herein.
- Amendment. To the extent that Applicable Law is amended in the future and to the extent that such amendments contain requirements and/or provisions that change Business Associate’s obligations, its provision of the services or products in the Underlying Agreement(s), the Parties agree that this BAA will be deemed to be automatically amended to the extent necessary to include such additional requirements and/or provisions, provided that, if Business Associate determines it necessary, the Parties will enter into a mutually agreed upon amendment to this BAA in order to incorporate any such additional requirements and/or provisions.
- Assignment of Rights and Delegation of Duties. This BAA is binding upon and inures to the benefit of the Parties and their respective successors and permitted assigns. However, neither Party may assign any of its rights or delegate any of its obligations under this BAA without the prior written consent of the other Party, which consent will not be unreasonably withheld or delayed, with the exception of any assignment or deemed assignment resulting from an internal reorganization, merger or acquisition of a non-competitor of the non-assigning Party. Assignments made in violation of this provision are null and void.
- Force Majeure. Non-performance of either Party will be excused to the extent performance is rendered impossible by strike, fire, terrorism, war, flood, governmental acts or orders or restrictions, or act of God, or any other reason where failure to perform is beyond the reasonable control of the non-performing Party.
- Nature of Agreement. Nothing in this BAA will be construed to create (a) a partnership, joint venture or other joint business relationship between the Parties or any of their affiliates, (b) any fiduciary duty owed by one Party to another Party or any of its affiliates, or (c) a relationship of employer and employee between the Parties.
- No Waiver. Failure or delay on the part of either Party to exercise any right, power, privilege, or remedy hereunder will not constitute a waiver thereof. No provision of this BAA may be waived by either Party except by a writing signed by an authorized representative of the Party making the waiver.
- Severability. The provisions of this BAA will be severable, and if any provision of this BAA will be held or declared to be illegal, invalid or unenforceable, the remainder of this BAA will continue in full force and effect as though such illegal, invalid or unenforceable provision had not been contained herein.
- No Third Party Beneficiaries. Nothing in this BAA will be considered or construed as conferring any right or benefit on a person not Party to this BAA nor imposing any obligations on either Party hereto to persons not a Party to this BAA.
- Incorporation and Application. This BAA will supersede any preexisting business associate agreement between the Parties and automatically applies to the Underlying Agreement