EnlivenHealth Business Associate Agreement

Last Updated: May 8, 2025

This Business Associate Agreement ("BAA") is entered into by EnlivenHealth, Inc., (a wholly-owned subsidiary of Omnicell, Inc.), a North Carolina corporation, and its assigns and wholly owned subsidiaries, as applicable ("Business Associate") and Customer ("Covered Entity," each individually is referred to as a "Party," and together Business Associate and Covered Entity are the "Parties" to the BAA).

A. Definitions.

  1. Unless otherwise provided, all capitalized terms in the BAAsh all have the same meaning as provided under HIPAA.
  2. "Breach Notification Rule" means the Breach Notification for Unsecured Protected Health Information Final Rule.
  3. "Business Associate" shall have the same meaning as the term "business associate" in 45 CFR ⸹160.103 of HIPAA.
  4. "Covered Entity" shall have the same meaning as the term "covered entity" in 45 CFR ⸹160.103 of HIPAA.
  5. "Customer" means the entity and its affiliates that have entered into an Underlying Agreement with Business Associate.
  6. "HIPAA" collectively means the administrative simplification provision of the Health Insurance Portability and Accountability Act of 1996, its implementing regulations, including the Privacy Rule, the Breach Notification Rule, and the Security Rule, as amended from time to time, including the Health Information Technology for Economic and Clinical Health ("HITECH") Act and the Modifications to the HIPAA Privacy, Security, Enforcement and Breach Notification Rules under the HITECH Act and Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules; Final Rule.
  7. "Privacy Rule" means the Standards for Privacy of Individually Identifiable Health Information.
  8. "Protected Health Information" or "PHI" shall have the same meaning as the term "protected health information" in 45 CFR ⸹160.103 of HIPAA, provided that it is limited to PHI that is created, received, maintained, or transmitted on behalf of Covered Entity by Business Associate pursuant to the Underlying Agreement.
  9. "Security Rule" means the Security Standards for the Protection of Electronic Protected Health Information.
  10. "Underlying Agreement" means a written agreement or agreements executed by and between Covered Entity and Business Associate pursuant to which PHI is created, received, maintained, or transmitted on behalf of Covered Entity by Business Associate.

B. Permitted Uses and Disclosures of PHI

  1. Except as otherwise limited in this BAA, Business Associate may Use and Disclose PHI in accordance with the terms of the Underlying Agreement or this BAA.
  2. Business Associate may use or disclose PHI as necessary for the proper management and administration of Business Associate and to carry out the legal responsibilities of Business Associate, provided that any Disclosures may occur only if (a) Required by Law; or (b)Business Associate obtains written reasonable assurances from the entity or person to whom the PHI is Disclosed that it will be held confidentially and Used or further Disclosed only as Required by Law or for the purpose for which it was Disclosed to the person or entity, and the person or entity notifies Business Associate of any instances of which it becomes aware in which the confidentiality of PHI has been breached.
  3. Business Associate may aggregate and de-identify PHI in accordance with the standards set forth under HIPAA. Business Associate may Use and Disclose such de-identified data or portions thereof in perpetuity for its independent business purposes which may include research, development, product improvement and testing, so long as such Uses or Disclosures are nor prohibited by the Underlying Agreement, this BAA, or by HIPAA. The rights of Use and Disclosure of such de-identified data that is de-identified prior to termination of this BAA shall survive the termination or expiration of this BAA.
  4. Business Associate may create a Limited Data Set and use such Limited Data Set pursuant to a Data Use Agreement that meets the requirements of the Privacy Rule and Covered Entity will not unreasonably delay, prevent, or condition consent for such a Data Use Agreement.

C. Business Associate Responsibilities

To the extent that Business Associate is acting as a business associate under HIPAA, Business Associate agrees to the following:

  1. Compliance with Laws. Business Associate agrees to comply with the provisions of HIPAA applicable to Business Associate.
  2. Safeguards. Business Associate shall use reasonable and appropriate safeguards to prevent Use and Disclosure of PHI other than as permitted under this BAA or the Underlying Agreement and comply with Subpart C of 45 CFR Part 164 of the Security Rule.
  3. Subcontractors. In accordance with 45 CFR ⸹164.502(e)(1)(ii) and ⸹164.308(b)(2) of HIPAA, Business Associate shall require its subcontractors to agree in writing to the same restrictions, conditions, and requirements that apply to Business Associate under this BAA with respect to the creation, maintenance of transmission of PHI.
  4. Minimum Necessary. Business Associate shall make reasonable efforts to limit Use and Disclosure of PHI to the minimum necessary to accomplish the intended purposes.
  5. Individual Rights.

a. Access. This Section 5(a) shall only apply if Business Associate maintains PHI in a Designated Record Set for Covered Entity: Within fifteen (15) days of Business Associate's receipt of a written request from Covered Entity, Business Associate shall make access to PHI available to Covered Entity. If an Individual makes a request for access directly to Business Associate, Business Associate will forward such request to Covered Entity within five (5) days of receipt by Business Associate. Except as Required by Law, Covered Entity shall solely be responsible for making determinations regarding the grant or denial of an Individual's request for PHI.

b. Amendment. This Section 5(b) shall only apply if Business Associate maintains PHI in a Designated Record Set for Covered Entity: Within fifteen (15) days of Business Associate's receipt of a written request for amendment of PHI from Covered Entity, Business Associate shall incorporate such amendments in the PHI subject to the request. If an Individual makes a request for amendment directly to Business Associate, Business Associate will forward such request to Covered Entity within five (5) days of receipt by Business Associate. Except as Required by Law, Covered Entity shall solely be responsible for making determinations regarding the grant or denial of an Individual's request for an amendment.

c. Accounting of Disclosures. Within fifteen (15) days of Business Associate's receipt of a written request, Business Associate shall make available to Covered Entity information relating to Disclosures made by Business Associate so that Covered Entity may respond to an Individual's request for an accounting of Disclosures in accordance with 45 CFR § 164.528. Such accounting is limited to Disclosures that were made in the six (6) years prior to the date of the request. If an Individual makes a request for an accounting of Disclosures directly to Business Associate, Business Associate will forward such request to Covered Entity within five (5) days of receipt by Business Associate. Except as Required by Law, Covered Entity shall solely be responsible for making determinations regarding the grant or denial of an Individual's request for an accounting of Disclosures.

  1. Disclosures to the Secretary. Business Associate shall make available its internal practices, books, and records relating to the Use and Disclosure of PHI received from, or created or received on behalf of, Covered Entity to the Secretary or his or her agents or authorized designees for the purpose of determining Covered Entity's compliance with HIPAA, subject to attorney-client and other applicable legal privileges.
  2. Reporting. Business Associate shall report to Covered Entity: (a) any Security Incident of which it becomes aware, provided that this Section constitutes notice by Business Associate to Covered Entity of the ongoing existence and occurrence of attempted but Unsuccessful Security Incidents. "Unsuccessful Security Incidents" include, but are not be limited to, pings and other broadcast attacks on Business Associate's firewall, port scans, unsuccessful log-on attempts, denials of service and any combination of the above, so long as no such incident results in unauthorized access, Use or Disclosure of PHI; (b) any Use or Disclosure of PHI that is not permitted or required by this BAA of which it becomes aware; and (c) any Breach of Unsecured PHI that Business Associate discovers in accordance with the Breach Notification Rule. Notification of a Security Incident or Breach shall be made to Covered Entity within five (5) business days following Business Associate's determination of Security Incident or Breach.
  3. Performance of Covered Entity Obligations. To the extent Business Associate is to carry out a Covered Entity obligation under the Privacy Rule, Business Associate shall comply with the requirements of the Privacy Rule applicable to Covered Entity in the performance of the obligation.

D. Covered Entity Responsibilities.

  1. Compliance with Laws. Covered Entity will comply with the provisions of HIPAA applicable to Covered Entity.
  2. Permissions. Covered Entity will and retains sole responsibility for acquiring all consents and permissions necessary from an individual for disclosure of PHI to Business Associate.
  3. Changes in Authorization. Covered Entity shall notify Business Associate in writing and in a timely manner of any changes in, or withdrawal of, any authorization provided to Covered Entity by any Individual pursuant to 45 CFR § 164.508, to the extent that such changes or withdrawal may affect Business Associate's Use or Disclosure of PHI.
  4. Restrictions to Use or Disclosure of PHI.
    Covered Entity shall notify Business Associate in writing and in a timely manner of any restrictions to the Use or Disclosure of PHI that Covered Entity has agreed to in accordance with 45 CFR § 164.522, to the extent that such restrictions may affect Business Associate's Use or Disclosure of PHI.
  5. Notice of Privacy Practices. Covered Entity shall notify Business Associate, in writing and in a timely manner of any limitation(s) in its notice of privacy practices, to the extent that such limitation may affect Business Associate's use or disclosure of PHI.
  6. Permissible Requests. Covered Entity shall not request Business Associate to Use or Disclose PHI in any manner that would not be permissible under HIPAA if done by Covered Entity.
  7. Impermissible Submissions. Covered Entity agrees that during the course of receiving technical support or otherwise it shall not submit PHI to Business Associate by: (a) email; (b) ticketing system; or (c) any other electronic means of communication, unless otherwise specified and agreed to by Business Associate.
  8. Notice. Covered Entity agrees that any notice by Business Associate pursuant to this BAA may be made to the contact information contained in the Underlying Agreement. It is Covered Entity's responsibility to ensure that such contact information is current and accurate. Covered Entity shall provide notice to Business Associate by email at privacy@omnicell.com or by physical address:

EnlivenHealth, Inc.

c/o Omnicell, Inc.

500 Cranberry Woods Dr

Cranberry Twp, PA 16066

Attn: Office of the General Counsel

E. Term and Termination.

  1. Term. This BAA shall be effective as of the date of the Underlying Agreement and shall continue until (a) the Underlying Agreement is terminated, or (b) terminated pursuant to this Section E.
  2. Termination. Either party may terminate this BAA provided the non-breaching party shall provide written notice to the other party and an opportunity to cure such breach. If the other party fails to cure such breach within thirty (30) days of receipt of notice, then the non-breaching party may terminate this BAA.
  3. Effect of Termination. Upon termination of this BAA, Business Associate agrees to return or destroy all PHI received from or created on behalf of Covered Entity. Notwithstanding anything to the contrary in this BAA or the Underlying Agreement, the foregoing shall not apply to copies of PHI that are subject to archival, backup, compliance, or legal policies or procedures, provided such copies will remain subject to the obligations set forth in this BAA for so long as such copies are maintained by Business Associate. Business Associate shall limit further Uses and Disclosures of the PHI to those purposes that make the return or destruction of the PHI not feasible for so long as Business Associate retains the PHI.

F. Miscellaneous.

  1. Survival. The respective rights and obligations of the parties that are by their nature intended to survive termination or expiration of this BAA so shall survive.
  2. Governing Law. This BAA shall be governed the laws of the state of Delaware, without regard to applicable conflict of laws principles.
  3. Indemnification.

a. Business Associate agrees to indemnify, defend and hold Covered Entity harmless against all direct, actual, out-of-pocket and reasonable losses, liabilities, damages, claims, costs or expenses, including the cost of notifying affected Individuals, that Covered Entity are suffered as a result of non-affiliated third-party claims, demands, actions to the extent arising from or in connection with any Breach of PHI or violation of HIPAA under this BAA by Business Associate.

b. Covered Entity agrees to indemnify, defend and hold Business Associate harmless against all direct, actual, out-of-pocket and reasonable losses, liabilities, damages, claims, costs or expenses, including the cost of notifying affected Individuals, that Business Associate are suffered as a result of non-affiliated third-party claims, demands, actions to the extent arising from or in connection with any Breach of PHI or violation of HIPAA under this BAA by Covered Entity.

c. Each Party seeking indemnification will take reasonable steps to mitigate any potential expenses and will provide the indemnifying Party with (a) prompt written notice of any such claim or action (provided that delay in notification will only relieve the indemnifying party of its obligations to the extent prejudiced by delay in notification); (b) the sole control and authority over the defense or settlement of such claim or action (provided the indemnifying party may not agree in settlement to admissions of fault or ongoing commitments on behalf of the indemnified party without prior written consent of the indemnified party); and (c) proper and full information and reasonable assistance to settle and/or defend any such claim or action. The indemnified Party may employ separate counsel and participate in the defense at its own expense; provided that the indemnifying Party will control the defense and the indemnified party does not interfere with indemnifying Party's defense.

  1. Limitation of Liability. This BAA is subject to the same exclusion of damages and limitation on liability as set forth in the Underlying Agreement.

To the extent there is no exclusion of damages and/or limitation of liability set forth in the Underlying Agreement, in no event will Business Associate be liable to Covered Entity for any indirect, special, incidental, punitive, exemplary or consequential damages including loss of profits, loss of use, business interruption, or loss of data in connection with or arising out of this baa or its termination regardless of whether arising under contract, tort, or any other theory, even if business associate has been advised of the possibility of such damages. Business Associate's total cumulative liability to Covered Entity under this BAA or otherwise will not exceed the amount of payments actually paid by Covered Entity to Business Associate under the Underlying Agreement during the 12-month period preceding the date on which the claim arose. Multiple claims will not enlarge this limit. This limitation of liability shall apply notwithstanding any failure of essential purpose of any exclusive remedy herein.

  1. Assignment of Rights and Delegation of Duties.
    This BAA is binding upon and inures to the benefit of the parties and their respective successors and permitted assigns. However, neither party may assign any of its rights or delegate any of its obligations under this BAA without the prior written consent of the other party, which consent shall not be unreasonably withheld or delayed, with the exception of any assignment or deemed assignment resulting from an internal reorganization, merger or acquisition of a non-competitor of the non-assigning party. Assignments made in violation of this provision are null and void.
  2. Force Majeure. Non-performance of either Party will be excused to the extent performance is rendered impossible by strike, fire, war, flood, governmental acts or orders or restrictions, or act of God, or any other reason where failure to perform is beyond the reasonable control of the non-performing Party.
  3. Nature of Agreement. Nothing in this BAA shall be construed to create (a) a partnership, joint venture or other joint business relationship between the parties or any of their affiliates, (b) any fiduciary duty owed by one party to another party or any of its affiliates, or (c) a relationship of employer and employee between the parties.
  4. No Waiver. Failure or delay on the part of either party to exercise any right, power, privilege, or remedy hereunder shall not constitute a waiver thereof. No provision of this BAA may be waived by either party except by a writing signed by an authorized representative of the party making the waiver.
  5. Severability. The provisions of this BAA shall be severable, and if any provision of this BAA shall be held or declared to be illegal, invalid or unenforceable, the remainder of this BAA shall continue in full force and effect as though such illegal, invalid or unenforceable provision had not been contained herein.
  6. No Third Party Beneficiaries. Nothing in this BAA shall be considered or construed as conferring any right or benefit on a person not party to this BAA nor imposing any obligations on either party hereto to persons not a party to this BAA.
  7. Interpretation. Any conflict, inconsistency, or ambiguity in or between this BAA and HIPAA shall be resolved in favor of a meaning that permits the parties to comply with HIPAA. Any conflict, inconsistency, or ambiguity between this BAA and the Underlying Agreement shall be resolved in favor of the BAA.
  8. Regulatory and Statutory References. Any reference in this BAA to a section of HIPAA shall mean such regulation or statute in effect on the effective date of this BAA or, if and to the extent applicable, as subsequently updated, amended, or revised.