15039916.1

Business Associate Agreement

This Business Associate Agreement (“Agreement”) is entered into, effective as of February 1, 2023, by and between Carrot Fertility, Inc. (“Business Associate”) and City of Everett (the “Plan Sponsor”), on behalf of the City of Everett Health Reimbursement Arrangement (HRA) Plan (“the Plan”).

The parties acknowledge and agree that the Plan Sponsor intends to treat certain services provided by the Business Associate pursuant to the parties’ separate services agreement (the “Customer Agreement”) as provided under a group health plan within the meaning of the Employee Retirement Income Security Act of 1974. The parties further acknowledge and agree that the Plan Sponsor intends to treat the Plan as a “covered entity” within the meaning of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the Health Information Technology for Economic and Clinical Health ("HITECH") Act, and implementing regulations, including the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Part 160 and Part 164 (collectively, the “HIPAA Rules”). Accordingly, this Agreement is necessary in the event or to the extent that, in providing services to the Plan Sponsor pursuant to the Customer Agreement, the Business Associate creates, receives, uses or discloses Protected Health Information, including Electronic Protected Health Information, regarding any participant in the Plan. The Plan Sponsor and the Business Associate hereby agree as follows:

1. Definitions

Capitalized terms used herein without definition shall have the respective meanings assigned to such terms under the HIPAA Rules.

2. Obligations and Activities of Business Associate

Business Associate agrees to:

(a) Not use or disclose Protected Health Information other than as permitted or required by the Agreement or as Required By Law;

(b) Use appropriate safeguards and comply, where applicable, with subpart C of 45 CFR Part 164 with respect to Electronic Protected Health Information, to prevent use or disclosure of Protected Health Information other than as provided for by the Agreement;

(c) Report to the Plan any Use or Disclosure of Protected Health Information not provided for by the Agreement of which it becomes aware, including any Breach of Unsecured Protected Health Information as required at 45 CFR 164.410, and any Security Incident of which it becomes aware as soon as reasonably possible, but in no case later than within ten (10) business days. Notice is hereby deemed provided, and no further notice will be provided, of unsuccessful attempts at such unauthorized access, use or disclosure, such as pings and other broadcast attacks on a firewall, denial of service attacks, port scans, unsuccessful login attempts, or interception of encrypted information where the key is not compromised, or any combination of the above, so long as no such incident results in unauthorized access to, or use or disclosure of, the Plan's electronic PHI;

(d) In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, ensure that any subcontractors that create, receive, maintain, or transmit Protected Health Information,

DocuSign Envelope ID: D630F73D-D64F-4694-A24A-FC8220069016