Business Associate Agreement

This Business Associate Agreement (“BAA”) is effective, as of the date executed by Counterparty below, by and between Merge API, Inc., a Delaware corporation having its principal place of business at 353 Sacramento St., Floor 21, San Francisco, CA 94111 (“Company” or “Merge”), and Counterparty (defined below).

Merge provides its proprietary, Software-as-a-Service solution for integrating various types of platforms, such as HR, payroll, recruiting, and accounting systems (“Service(s)”) to Customers and End Customer (each as defined below). The provision of the Services pursuant to Merge’s Master Services Agreement, available at http://merge.dev/baa (“Services Agreement”) may involve the Processing of PHI subject to HIPAA (each as defined further below). The purpose of this BAA is to set forth the terms under which Merge processes PHI.

THIS BAA APPLIES BETWEEN THE PARTIES WHERE COUNTERPARTY EXECUTES THE BAA BY CLICKING A BOX INDICATING ACCEPTANCE, TRANSFERS PHI TO MERGE FOR PROCESSING BY MEANS OF THE SERVICE, OR OTHERWISE AFFIRMATIVELY INDICATES ACCEPTANCE OF THIS BAA. BY DOING SO, YOU: (A) AGREE TO THIS BAA ON BEHALF OF THE ORGANIZATION, COMPANY, OR OTHER LEGAL ENTITY FOR WHICH YOU ACT (“COUNTERPARTY”); AND (B) REPRESENT THAT YOU HAVE THE AUTHORITY TO BIND COUNTERPARTY AND ITS AFFILIATES TO THIS BAA. IF YOU DO NOT HAVE SUCH AUTHORITY, OR IF YOU DO NOT AGREE WITH THIS BAA, YOU MAY NOT DIRECTLY OR INDIRECTLY TRANSFER PHI TO MERGE. MERGE RESERVES THE RIGHT TO MODIFY OR UPDATE THE TERMS OF THIS BAA IN ITS DISCRETION, THE EFFECTIVE DATE OF WHICH WILL BE THE EARLIER OF (I) 30 DAYS FROM THE DATE OF SUCH UPDATE OR MODIFICATION AND (II) COUNTERPARTY’S CONTINUED TRANSFER OF PHI.

In the provision of services by Merge involving Counterparty, the following roles (“Roles”) apply among the parties:

| Counterparty | Description | Role / Data Processing Function(s) |
|---|---|---|
| Customer | Party that purchases a Subscription to the Service | For Customer PHI processed by Merge, Customer is the Covered Entity and Merge is the Business Associate. For End Customer PHI processed by Merge received from Customer, Customer is the Business Associate and Merge is the Subcontractor. |
| End Customer | The Customer’s customer that enables integration between the Service and Partner’s platform in order for Merge to Process the End Customer’s PHI for the benefit of the Customer | For End Customer PHI processed by Merge, End Customer is the Covered Entity; Customer is the Business Associate; and Merge is the Subcontractor |
| Partner | Provider of a SaaS solution used by End Customer (e.g., typically in the HRIS, ATS, accounting, ticketing or CRM space) | End Customer is the Covered Entity; Partner is the Business Associate; Merge is the Business Associate to End Customer and/or Subcontractor to Partner |

A. Covered Entity is or may be subject to the requirements of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the Health Information Technology for Economic and Clinical Health Act (“HITECH”) and the implementing regulations thereof (“HIPAA Regulations”). “PHI” has the meaning set forth in the HIPAA Regulations and refers to Protected Health Information maintained, transmitted, created or received by Business Associate, or a Subcontractor, for or from a Covered Entity and/or Business Associate, as the case may be. Capitalized terms used in this BAA will have the meanings as defined under applicable law, as set forth herein or in the Services Agreement or DPA between Merge and the Counterparty.
B. The parties may maintain, transmit, create or receive data that constitutes PHI to perform tasks on behalf of Covered Entity and/or Business Associate as applicable pursuant to the terms of this BAA;
C. To the extent required by the HIPAA Regulations and applicable state law, the parties may be directly subject to certain privacy and security obligations and penalty provisions of HIPAA, HITECH, the HIPAA Regulations and state law.

The parties agree as follows:

  1. Use and Disclosure
    a. Each party will comply with the requirements of the HIPAA Regulations and this BAA that apply to its Role.
    b. A party may use and disclose PHI only as permitted or required by this BAA or as required by law.
    c. To the extent a party receives notice of a reasonable restriction from Covered Entity that would limit its use or disclosure of PHI: (i) Business Associate will promptly notify Subcontractor of such restriction; and (ii) each party will use commercially reasonable efforts to comply with the restriction applicable to their Role.
    d. For clarity, if Subcontractor handles PHI on behalf of Business Associate, the terms and conditions of this BAA that apply to Business Associate apply with equal force and effect to Subcontractor.
  2. Appropriate Safeguards. Business Associate and Subcontractor agree to maintain reasonable and appropriate administrative, technical and physical safeguards to protect PHI from uses or disclosures not permitted by this BAA, including maintaining policies and procedures to detect, prevent or mitigate identity theft based on PHI or information derived from PHI. Business Associate and Subcontractor agree to comply with the applicable requirements of the HIPAA Regulations with respect to electronic PHI and any guidance issued by the Secretary of the Department of Health and Human Services (“HHS”).
  3. Incident Notification.
    a. If Merge becomes aware of or discovers any use or disclosure of PHI in violation of this BAA, any Personal Data Breach (as defined in the DPA) involving PHI, or any Breach of Unsecured Protected Health Information (each as defined in the HIPAA Regulations) related to any individual who is the subject of PHI, Merge will promptly report such use, disclosure, incident, or breach to Covered Entity and Counterparty and shall include the information specified in the HIPAA Regulations. Merge will mitigate, to the extent practicable, any harmful effect known to it of a use or disclosure of PHI by Merge not permitted by this BAA.
    b. If Counterparty becomes aware of any use or disclosure of PHI in violation of this BAA, or any Breach of Unsecured Protected Health Information related to any individual who is the subject of PHI, Counterparty will promptly report such use, disclosure, incident, or breach to Covered Entity and Counterparty and shall include the information specified in the HIPAA Regulations. Counterparty will mitigate, to the extent practicable, any harmful effect known to it of a use or disclosure of PHI by Counterparty not permitted by this BAA.
  4. Access to Designated Record Sets. Within fifteen (15) days of a request by Covered Entity for access to PHI about an individual contained in a Designated Record Set (as defined at the HIPAA Regulations), Business Associate or Subcontractor will make available to Covered Entity such PHI in the form requested by Covered Entity. If the requested PHI is maintained electronically, Business Associate or Subcontractor will provide a copy of the PHI in the electronic form and format requested by the individual, if it is readily producible, or, if not, in a readable electronic form and format as agreed to by Covered Entity and the individual. If any individual requests access to PHI directly from Business Associate or Subcontractor, Business Associate or Subcontractor will within ten (10) days forward such request to Covered Entity. Any denials of access to the PHI requested shall be the responsibility of Covered Entity.
  5. Amendments to Designated Record Sets. Within fifteen (15) days of receipt of a request from Covered Entity for the amendment of an individual’s PHI contained in a Designated Record Set (for so long as the PHI is maintained in the Designated Record Set), Business Associate or Subcontractor will provide such information to Covered Entity for amendment and incorporate any such amendments in the PHI. In the event a request for an amendment is delivered directly to Business Associate or Subcontractor, Business Associate or Subcontractor shall within ten (10) days of receiving such request forward the request to Covered Entity.
  6. Access to Books and Records. Except for disclosures of PHI excluded from the accounting obligation as set forth in the HIPAA Regulations or regulations issued pursuant to HITECH, Business Associate and Subcontractor will record for each disclosure the information required to be recorded by covered entities pursuant to the HIPAA Regulations. Within twenty (20) days of notice by Covered Entity to Business Associate that it has received a request for an accounting of disclosures of PHI, Business Associate and/or Subcontractor will make available to Covered Entity, or the individual (if requested by Covered Entity), the information required to be maintained pursuant to this Section 6. In the event the request for an accounting is delivered directly to Business Associate or Subcontractor, Business Associate or Subcontractor shall within ten (10) days forward such request to Covered Entity.
  7. Accountings. At Covered Entity’s or HHS’ request, Business Associate or Subcontractor shall make its internal practices, books and records relating to the use and disclosure of PHI available to HHS for purposes of determining compliance with the HIPAA Regulations.
  8. Permitted Uses and Disclosures. Neither Business Associate nor Subcontractor are authorized to use or disclose PHI in a manner that would violate the HIPAA Regulations if done by Covered Entity, provided that Business Associate and/or Subcontractor may:
    a. use the PHI for its proper management and administration and to carry out its legal responsibilities;
    b. disclose PHI for its proper management and administration and to carry out its legal responsibilities, provided that disclosures do not violate the HIPAA Regulations;
    c. use and disclose PHI to report violations of law to appropriate Federal and State authorities;
    d. aggregate the PHI in its possession with the PHI of other covered entities that it has in its possession through its Role to other covered entities, provided that such aggregation conforms to the requirements of the HIPAA Regulations; and
    e. use PHI to create de-identified information, and use such de-identified information for its own purposes, provided that the de-identification and use thereof conforms to the requirements of the HIPAA Regulations.
  9. Responsibilities of the Business Associate with Subcontractor. If applicable, for the use and/or disclosure of PHI by Subcontractor, Business Associate agrees:
    a. To inform Subcontractor of any changes in the notice of privacy practices (“Notice”) that Business Associate provides, directly or indirectly, to individuals pursuant to the HIPAA Regulations, that affect Subcontractor’s use or disclosure of PHI, and provide to Subcontractor, upon request, a copy of the Notice currently in use.
    b. To inform Subcontractor of any changes in, or revocation of, the authorization provided to Business Associate by individuals pursuant to HIPAA Regulations, to the extent relevant to the Services being provided under the Services Agreement.
    c. To inform Subcontractor of any opt-outs exercised by any individual from fundraising activities of Business Associate pursuant to HIPAA Regulations, to the extent relevant to the Services being provided under the Services Agreement.
    d. To notify Subcontractor, in writing and in a timely manner, of any arrangements permitted or required of Business Associate under HIPAA Regulations that may impact in any manner the use and/or disclosure of PHI required by Subcontractor under this BAA, including, but not limited to, agreed upon restrictions regarding the use and/or disclosure of PHI as provided for in HIPAA Regulations.
  10. HIPAA Transaction Standards. If Business Associate or Subcontractor conducts standard transactions (as defined in the HIPAA Regulations) for or on behalf of Covered Entity, Business Associate or Subcontractor will comply and will require by written contract each agent or contractor (including any subcontractor) involved with the conduct of such standard transactions to comply, with each applicable requirement of the HIPAA Regulations. Neither Business Associate nor Subcontractor will enter into, or permit its agents or contractors (including subcontractors) to enter into, any trading partner agreement in connection with the conduct of standard transactions for or on behalf of Covered Entity that: (a) changes the definition, data condition, or use of a data element or segment in a standard transaction; (b) adds any data elements or segments to the maximum defined data set; (c) uses any code or data element that is marked “not used” in the standard transaction’s implementation specification or is not in the standard transaction’s implementation specification; or (d) changes the meaning or intent of the standard transaction’s implementation specification. Business Associate and Subcontractor agree to participate in any test modification conducted by Covered Entity in accordance with the HIPAA Regulations.
  11. Term and Termination. This BAA remains in effect until the Services Agreement is terminated or expires. Either party may terminate this BAA and the Services Agreement effective immediately if it determines that the other party has breached a material provision of this BAA and failed to cure such breach within thirty (30) days of being notified by the other party of the breach. If the non-breaching party determines that cure is not possible, such party may terminate this BAA and the Services Agreement effective immediately upon written notice to other party.
  12. Limitation of Liability. This BAA is subject to the limitations on liability set forth in the Services Agreement.
  13. Effect of Termination. Upon termination of this BAA, Merge agrees to either return or destroy, at no cost to Counterparty, all PHI that Merge maintains in any form. Notwithstanding the foregoing, to the extent that it is not feasible to return or destroy such PHI, the terms and provisions of this BAA shall survive termination of this BAA, and Merge will only use or disclose such PHI solely for such purpose or purposes which prevented the return or destruction of such PHI.
  14. Miscellaneous. To the extent Business Associate is acting as a business associate under the HIPAA Regulations, Business Associate shall be subject to the penalty provisions specified in HITECH. Upon the effective date of any final regulation or amendment to final regulations promulgated by HHS with respect to PHI, this BAA will be deemed to be automatically amended such that the obligations imposed on the parties remain in compliance with such regulations. If any term or condition of this BAA conflicts with the Services Agreement or DPA, the terms of this BAA will prevail.

Last Updated: June 23, 2022
