
Business Associate Agreement

XRHealth Business Associate Agreement

Last updated on March 14, 2025.

BUSINESS ASSOCIATE ADDENDUM

This Business Associate Addendum ("Addendum") is entered into as of the effective date specified in the Statement of Work, by and between the entity identified as the customer in the Statement of Work ("Customer") and Yellow XR, Inc. ("Business Associate").

RECITALS

  1. The purpose of this Addendum is to ensure compliance with the business associate provisions of the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), including its regulations (45 CFR Parts 142 and 160-164), as well as the Health Information Technology for Economic and Clinical Health ("HITECH") Act of 2009.

  2. Customer and Business Associate have entered into a Statement of Work (the "Agreement"), under which Business Associate may receive, use, or process Protected Health Information ("PHI") and/or Electronic Protected Health Information ("EPHI") in the course of delivering specific services ("Services") to Customer.

  3. As a "Covered Entity" under the HIPAA Privacy Rule, Customer is subject to certain regulatory obligations regarding PHI and EPHI. Consequently, the Agreement must comply with the business associate requirements set forth in the HIPAA Privacy Rule.

  4. Under HIPAA’s Privacy and Security Rules, business associates of a Covered Entity must enter into a written agreement that outlines their obligations regarding the handling, use, and disclosure of PHI and EPHI received from the Customer.

  5. The HITECH Act imposes additional privacy and security safeguards, which must be incorporated into this Addendum.

NOTWITHSTANDING ANYTHING TO THE CONTRARY IN THIS ADDENDUM, BUSINESS ASSOCIATE DOES NOT CURRENTLY COLLECT, STORE, OR MAINTAIN PHI OR EPHI IN THE COURSE OF PROVIDING ITS SERVICES. HOWEVER, SHOULD BUSINESS ASSOCIATE BEGIN TO RECEIVE, STORE, OR PROCESS PHI OR EPHI IN THE FUTURE, THE PROVISIONS OF THIS ADDENDUM SHALL AUTOMATICALLY APPLY TO SUCH DATA, AND BUSINESS ASSOCIATE SHALL FULLY COMPLY WITH ALL APPLICABLE HIPAA AND HITECH REQUIREMENTS.

NOW, THEREFORE, in consideration of the mutual commitments and assurances stated herein, the Parties agree as follows:

I. DEFINITIONS

A. Accounting. "Accounting" shall have the meaning assigned under 45 C.F.R. §164.528 and §13405 of the HITECH Act.

B. Breach. A "Breach" refers to the unauthorized acquisition, access, use, or disclosure of Protected Health Information (PHI) that compromises its security or privacy. However, the following situations do not qualify as breaches:

  1. Unintentional access, acquisition, or use of PHI by a workforce member or individual acting under the authority of a Covered Entity or Business Associate, provided that such actions were made in good faith, within their scope of authority, and do not lead to further unauthorized use or disclosure.

  2. Inadvertent disclosure of PHI between two authorized individuals within the same Covered Entity, Business Associate, or an Organized Health Care Arrangement (OHCA) in which the Covered Entity participates—so long as the information is not further used or disclosed in an unauthorized manner.

  3. Disclosure to an unauthorized person who is unable to retain or make further use of the information.

C. Business Associate. A "Business Associate" is defined in accordance with 45 C.F.R. §160.103.

D. Covered Entity. A "Covered Entity" shall have the meaning assigned under 45 C.F.R. §160.103.

E. Disclose/Disclosure. "Disclosure" refers to the release, transfer, or provision of access to PHI or Electronic Protected Health Information (EPHI), whether verbally, electronically, or in any recorded format.

F. Electronic Health Record (EHR). An Electronic Health Record is an electronic system that collects, manages, and stores health-related information for individuals, which is accessed by authorized healthcare providers and staff, as defined in 42 U.S.C. §17921.

G. Electronic Protected Health Information (EPHI). EPHI includes any PHI that is transmitted or stored using electronic media, as defined by the HIPAA Security Rule. This includes, but is not limited to, data on electronic storage devices (e.g., hard drives, memory cards) and transmission methods such as the internet, extranets, leased lines, dial-up connections, or the physical transport of electronic storage media.

H. Protected Health Information (PHI). PHI refers to any information—whether in electronic, physical, or oral form—that relates to an individual's past, present, or future physical or mental health condition, the provision of healthcare, or any past, present, or future payments for healthcare services.

I. Security. "Security" shall have the meaning as set forth in 45 C.F.R. §164.304.

J. Unsecured Protected Health Information (Unsecured PHI). Unsecured PHI is any PHI that has not been protected through an approved method specified by the Secretary of Health and Human Services (HHS). The only recognized methods for securing PHI are encryption and destruction of the storage medium to render the data unreadable, indecipherable, or unusable.

K. Use. "Use" refers to any sharing, application, employment, utilization, examination, or analysis of PHI by the Business Associate, in any form or medium.

II. GENERAL OBLIGATIONS
The Business Associate agrees to fully comply with all requirements imposed on Business Associates under the HIPAA Privacy and Security Rules and the HITECH Act regarding its use, disclosure, or handling of Protected Health Information (PHI) and Electronic Protected Health Information (EPHI). This applies to PHI and EPHI that the Business Associate receives from, creates for, or manages on behalf of the Customer.

III. SCOPE OF PERMITTED USES AND DISCLOSURES

A. Permitted Use and Disclosure
The Business Associate is authorized to use and disclose PHI and EPHI only as permitted by this Addendum or as required by law. Business Associate guarantees that all use and disclosure of PHI and EPHI will be strictly limited to what is necessary to fulfill the Services outlined in the Agreement.

B. Disclosures to Employees, Agents, and Contractors
The Business Associate may share PHI and EPHI with its employees, contractors, agents, or representatives, but only to the extent necessary for performing services on behalf of the Customer. Any further disclosure or use by subcontractors, agents, or representatives must comply with Section VII of this Addendum.

C. Minimum Necessary Standard
The Business Associate agrees to only request, use, or disclose the minimum amount of PHI and EPHI necessary to carry out the Services. If PHI or EPHI is used, disclosed, released, shared, transferred, sold, rented, leased, published, or otherwise made accessible, it will be done only in the smallest amount necessary and to the fewest individuals required to achieve the intended purpose.

D. [Reserved]

E. Use for Business Operations and Legal Responsibilities
Unless otherwise restricted by this Addendum, the Customer authorizes the Business Associate to use PHI and EPHI for its own business management, administration, and legal obligations. The Business Associate may disclose PHI and EPHI under the following conditions:

  1. If required by law; or

  2. If the Business Associate secures, in writing, prior to disclosure, the following from the recipient:

  • Written assurances that the third party will maintain confidentiality and will only use or disclose PHI/EPHI as required by law or for the purpose specified.

  • An agreement that the third party will immediately notify the Business Associate of any security breaches or violations related to PHI or EPHI, to the extent that they are aware of such breaches.

F. Compliance for Affiliated Covered Entities
If the Business Associate provides services to any Covered Entity that is an affiliate, subsidiary, or related corporate entity of the Customer, it must comply with all terms outlined in this Addendum for any PHI or EPHI received or created while performing services for such Covered Entities.

IV. SAFEGUARDS FOR THE PROTECTION OF PHI AND EPHI
The Business Associate guarantees that it will establish and maintain administrative, physical, and technical safeguards to appropriately protect the confidentiality, integrity, and availability of PHI and EPHI that it creates, receives, stores, or transmits on behalf of the Customer. These safeguards must ensure that PHI and EPHI are not used or disclosed in violation of this Addendum. Additionally, if the Business Associate is responsible for fulfilling any of the Customer's obligations under Subpart E of 45 C.F.R. Part 164, it must comply with the same regulatory requirements that apply to the Customer when performing such duties.

V. REPORTING AND MITIGATING UNAUTHORIZED DISCLOSURES
A. Reporting Unauthorized Use or Disclosure
If the Business Associate becomes aware of any unauthorized use or disclosure of PHI or EPHI that violates this Addendum, it must report the incident in writing to the Customer’s Privacy Officer as soon as possible, but no later than ten (10) days after discovering the violation.

B. Mitigation of Harm
The Business Associate must develop and implement procedures to minimize any potential harm caused by the unauthorized use or disclosure of PHI and EPHI. It must also take all reasonable steps requested by the Customer to mitigate any negative impact resulting from such a breach.

VI. USE AND DISCLOSURE TO SUBCONTRACTORS, AGENTS, AND REPRESENTATIVES
Before sharing PHI or EPHI with any subcontractor, agent, or representative who is authorized to create, receive, store, or transmit such information on behalf of the Business Associate, the Business Associate must obtain a written agreement from that party. This agreement must ensure that the recipient follows the same restrictions and obligations on PHI and EPHI use and disclosure as those imposed on the Business Associate under this Addendum.

VII. INDIVIDUAL RIGHTS
A. Right to an Accounting of Disclosures
Within 15 days of receiving a written request from the Customer, the Business Associate must provide all necessary records and information required for the Customer to comply with an individual's right to an accounting of disclosures under 45 CFR § 164.528.

B. Right to Access PHI and EPHI
The Business Associate must provide PHI and EPHI contained within a designated record set to either the Customer or the individual to whom the information pertains. This must be done at reasonable times and in a manner specified by the Customer, in compliance with 45 CFR § 164.524, which governs an individual's right to access their PHI and EPHI.

C. Right to Amend PHI and EPHI
The Business Associate must make any amendments to PHI and EPHI as directed by the Customer, ensuring compliance with the amendment requirements of 45 CFR § 164.526.

VIII. AUDIT, INSPECTION AND ENFORCEMENT

A. Customer reserves the right, upon reasonable notice, to inspect Business Associate’s internal practices, facilities, systems, books, records, and policies and procedures to assess compliance with this Addendum. Business Associate shall promptly rectify any violations identified during such inspections and provide written certification of the remediation to Customer. The existence of this inspection right, whether exercised or not, does not absolve Business Associate of its obligation to comply fully with this Addendum. Furthermore, any failure by Customer to identify noncompliant practices does not constitute acceptance of such practices or a waiver of its enforcement rights.

B. Business Associate agrees to make its internal practices, books, records, and policies and procedures related to the use and disclosure of Protected Health Information (PHI) and Electronic Protected Health Information (EPHI), if applicable, available to the U.S. Department of Health and Human Services (“HHS”), the Office for Civil Rights (“OCR”), or their designated agents for the purpose of enforcing the provisions of this Addendum and ensuring compliance with the HIPAA Privacy Rule. Business Associate further agrees to cooperate fully with HHS, OCR, or their agents in any investigation or compliance review regarding the adherence of either Customer or Business Associate to the HIPAA Privacy and Security Rules and this Addendum. To the extent permitted by law, Business Associate shall promptly notify Customer upon receiving any such request from HHS, OCR, or their agents.

IX. TERM AND TERMINATION
A. This Addendum takes effect on the referenced date and remains in force as long as the Agreement is active. Certain obligations will continue even after termination as outlined in this section. The Addendum will end in accordance with the Agreement’s termination provisions and this section.

B. Either party may immediately terminate the Agreement if the other party materially breaches this Addendum. However, at the non-breaching party’s discretion, they may first provide written notice of the breach and allow the breaching party thirty (30) days to correct it. If the breach is not resolved within this period, the non-breaching party may terminate the Agreement immediately. The Customer also reserves the right to report any material breach to the Department of Health and Human Services (HHS) or the Office for Civil Rights (OCR).

C. Upon termination, the Business Associate must retrieve all PHI and EPHI from its subcontractors, agents, or representatives and either return or destroy it, ensuring that no copies remain. If the Business Associate believes returning or destroying the PHI and EPHI is not feasible, it must notify the Customer in writing with a detailed explanation. In such cases, the Business Associate must continue applying all protections, restrictions, and limitations to the retained PHI and EPHI and limit any future use or disclosure to the specific purposes that make return or destruction infeasible. Regardless of termination, the Business Associate remains responsible for safeguarding any PHI or EPHI previously obtained, as required by law.

X. COMPLIANCE WITH THE HITECH ACT
A. The Business Associate agrees to use, disclose, and request only the minimum necessary amount of PHI from the Customer to fulfill its obligations under the Agreement.

B. The Business Associate must comply with 45 C.F.R. § 164.308 regarding administrative safeguards, ensuring that proper security measures are in place for PHI related to the Customer's patients. These measures include security management processes, assigned security responsibilities, workforce security, access management, security awareness and training, security incident procedures, contingency planning, evaluations, and contractual agreements with subcontractors.

C. The Business Associate must also comply with 45 C.F.R. § 164.310, which requires implementing physical safeguards to protect PHI. This includes access control, workstation security, workstation use policies, and device and media controls.

D. Additionally, the Business Associate must adhere to 45 C.F.R. § 164.312, which mandates technical safeguards for PHI. These include access controls, audit controls, data integrity protections, authentication measures, and secure transmission protocols.

E. In accordance with 45 C.F.R. § 164.316, the Business Associate must develop and maintain appropriate policies, procedures, and documentation related to PHI security. These policies must be comprehensive and properly documented.

F. The Business Associate must comply with all privacy requirements under the HITECH Act, which are incorporated into this Agreement. This includes limiting disclosures to the minimum necessary, providing individuals with electronic copies of their PHI if stored electronically, and following restrictions on the sale of PHI.

G. The Business Associate must also adhere to the HITECH Act’s security and notification requirements. If a security breach occurs, the Business Associate must notify the Customer’s HIPAA Officer in writing within ten (10) days of becoming aware of the breach. This notification must include details of each individual whose unsecured PHI was accessed, acquired, or disclosed. A breach is considered discovered on the day the Business Associate becomes aware of it, or the day it should have been known through reasonable diligence. Any employee, officer, or agent of the Business Associate, except the individual responsible for the breach, is considered to have knowledge of the breach.

H. The Business Associate is prohibited from engaging in any retaliatory actions against individuals who report suspected HIPAA violations to the Customer, HHS, or any regulatory authority. This includes intimidation, threats, or retaliation against whistleblowers seeking to enforce their rights under HIPAA and the HITECH Act.

XI. REMEDIES AND INDEMNIFICATION
A. The Business Associate acknowledges that any unauthorized use or disclosure of PHI or EPHI could cause irreparable harm to the Customer, which monetary damages alone cannot fully address. Therefore, in addition to any legal or equitable remedies available, the Customer is entitled to seek injunctive relief or specific performance in the event of a breach or threatened breach by the Business Associate, its employees, or its agents.

B. If a court determines that the Business Associate or any of its employees or agents has breached this Agreement, the Business Associate must cover all reasonable attorney’s fees incurred by the Customer as a result. If the Customer secures a judgment, all attorney’s fees—as determined by the court—will be included in that judgment.

C. The Customer is not liable to the Business Associate or any other party for any consequential, incidental, or punitive damages related to PHI, including any errors or omissions in the PHI, or for its performance or non-performance under this Agreement.

D. The Business Associate agrees to defend, indemnify, and hold harmless the Customer (Hospital) from all costs, expenses, liabilities, losses, damages, legal actions, fines, penalties, and claims, including reasonable attorney’s fees and court costs, arising from the Business Associate’s failure to comply with this Agreement or any applicable laws or regulations.

E. If a breach occurs due to the Business Associate, its agents, employees, or subcontractors, the Business Associate must reimburse the Customer for all reasonable costs incurred as a result, including attorney’s fees, notification costs to individuals and the media, credit monitoring expenses, and other necessary mitigating actions as determined by the Customer.

XII. MISCELLANEOUS
A. Neither party may assign this Addendum or its rights and obligations under it without the written consent of the other party.

B. This Addendum is governed by and will be interpreted according to the laws of the State of Pennsylvania.

C. Where necessary, all words in this Addendum will include their masculine, feminine, and neutral forms, and singular words will include their plural forms, and vice versa.

D. Headings within this Addendum are for reference only and do not affect its meaning or interpretation.

Any amendments to this Addendum must be in writing and executed in duplicate originals.

E. Notices, demands, or communications under this Addendum must be in writing and will be considered effectively given when sent by email (with confirmation received within three (3) calendar days), personally delivered, or sent by prepaid certified mail with return receipt requested. Notices should be addressed as follows:

To Business Associate:
Yellow XR Inc.
9510 Innovation Ln
La Jolla, CA 92093
Attn: TR Huang
Email: support@yellowxr.com

To Customer:
As specified in the Agreement or any updated address provided in writing by either party.

F. A waiver of any breach of this Addendum by either party does not waive the right to enforce future breaches of the same or other provisions.

G. This Addendum is self-operative, meaning no further agreements are required unless otherwise specified. However, if necessary, both parties agree to execute additional documents and take further actions to implement this Addendum.

H. This Addendum is fully incorporated into the Agreement and is considered an integral part of it.

If any provisions in this Addendum conflict with the Agreement, the terms of this Addendum take precedence.
