Business Associate Agreement Template


______________________________________________

and

HIPAA BUSINESS ASSOCIATE AMENDMENT

This HIPAA Business Associate Amendment (the “Amendment”) is entered into on
________________, 2024 (“Effective Date”) and supplements and is made a part of all
agreements, existing now or in the future (collectively the “Agreement”), by and between
___________________(a “Covered Entity”) and __________________ (“Business
Associate”). The parties to this Agreement may be singularly referred to herein as a “Party” and
collectively as the “Parties”.

RECITALS

Whereas, under the above Agreements, Business Associate has access to certain data
which includes both Protected Health Information (“PHI”) (defined in paragraph 1(e)) and non-PHI
disclosed or made available by or on behalf of Covered Entity to Business Associate and
derivatives thereof.

Whereas, Covered Entity and Business Associate are required to comply with the Health
Insurance Portability and Accountability Act (“HIPAA”) (defined in paragraph 1(b)) and other
laws which protect the privacy, security and confidentiality of a patient’s PHI.

Whereas, HIPAA requires Covered Entity to enter into a contract with Business
Associate containing specific requirements to protect the security and confidentiality of patients’
PHI, as set forth in, but not limited to, HIPAA and contained in this Amendment.

Now therefore, in consideration of the foregoing and the mutual promises and the
exchange of information pursuant to this Amendment, the Parties agree to amend the Agreement
by incorporating all of the following into the Agreement:

AGREEMENT

1. Definitions. All terms not defined herein shall have the meaning ascribed to them by
HIPAA (defined below), including Business Associate, Covered Entity, Data Aggregation,
Designated Record Set, Required by Law and Security Incident. A change to HIPAA which
modifies any defined term or which alters the regulatory citation for the definition shall be
deemed incorporated into this Amendment.

(a) “Breach” shall have the meaning given to such term in HIPAA and shall include:
(i) the unauthorized acquisition, access, use, or disclosure of PHI which compromises the
security or privacy of such information; and (ii) the unauthorized acquisition of computerized
data that compromises the security, confidentiality, or integrity of PHI, or “breach of the security
of the system” as defined under California Civil Code § 1798.82(g).

Page 1 of 10 rev. 5.30.2024

(b) “HIPAA” shall mean the Health Insurance Portability and Accountability Act of
1996 (Public Law 104-191), the Health Information Technology for Economic and Clinical
Health Act (the “HITECH Act”) (Public Law 111-005) and the rules, guidance and regulations
promulgated thereunder, as amended from time to time, including 45 C.F.R. Parts 160 and 164.

(c) “Patient” shall have the same meaning as the term “individual” under HIPAA
and shall include a person who qualifies as a personal representative.

(d) “Privacy Rule” shall mean the Standards for Privacy of Individually Identifiable
Health Information codified at 45 C.F.R. Parts 160 and 164, Subparts A and E, as amended by
the HITECH Act and as may otherwise be amended from time to time.

(e) “Protected Health Information” (“PHI”) shall have the meaning given to such
term under HIPAA and shall include any information, whether oral or recorded in any form or
medium, limited to the information created or received by Business Associate from or on behalf
of Covered Entity (i) that relates to the past, present or future physical or mental health condition
of a Patient, the provision of health care to a Patient, or the past, present or future payment for
the provision of health care to a Patient; and (ii) that identifies the Patient or with respect to
which there is a reasonable basis to believe the information can be used to identify the Patient.

(f) “Secretary” shall mean the Secretary of the U.S. Department of Health and
Human Services or her/his designee.

(g) “Security Rule” shall mean the HIPAA regulations that are codified at 45 C.F.R.
Parts 160 and 164, Subparts A and C, as amended by the HITECH Act and as may otherwise be
amended from time to time.

2. Scope of Amendment. This Amendment applies to the PHI of Covered Entity to which
Business Associate may be exposed as a result of the services that Business Associate will
provide to Covered Entity pursuant to the Agreement. Business Associate shall abide by HIPAA
and California law, as applicable, including but not limited to the California Confidentiality of
Medical Information Act, Cal. Civil Code § 56 et seq., and Cal. Civil Code § 1798.80 et seq., or
other applicable law or regulation (unless such California law is contrary to HIPAA and is
preempted by HIPAA in accordance with 45 C.F.R. Sections 160.201 et seq.), with respect to PHI
of Covered Entity, as outlined below.

3. Uses and Disclosures by Business Associate

(a) For Covered Entity. Except as otherwise provided in the Agreement and this
Amendment, Business Associate shall create, maintain, transmit, access, use or disclose PHI
only for the benefit of Covered Entity and to perform functions, activities, or services as
specified in the Agreement. Business Associate may also use PHI to provide Data Aggregation
services on Covered Entity’s behalf. To the extent Business Associate is required to carry out
one or more of Covered Entity’s obligations under the Privacy Rule, Business Associate shall
comply with the requirements of the Privacy Rule that apply to Covered Entity in the
performance of such obligation(s).

(b) Management of Business Associate. Except as otherwise provided in the
Agreement or this Amendment, Business Associate may use or disclose PHI for its proper
management and administration, to carry out its legal responsibilities, or as Required by Law,
provided that in the case of disclosure, Business Associate shall obtain reasonable assurances
from the person or entity to whom the information is disclosed that (i) the person or entity will
maintain the confidentiality of the information and further use and disclose it only as required by
law or for the purpose of which it was disclosed to the person or entity; and (ii) that the person or
entity agrees to notify Business Associate of any instances of which it is aware in which
confidentiality of the information has been breached.

(c) Prohibited Uses and Disclosures. Business Associate shall not use or disclose
PHI for fundraising or marketing purposes. In accordance with HIPAA, Business Associate
shall also not disclose PHI to a health plan for payment or Health Care Operations purposes if a
Patient has requested this special restriction of Covered Entity or Business Associate. Finally,
Business Associate shall not sell PHI.

4. Obligations of Business Associate

(a) Minimum Necessary. Business Associate shall use reasonable efforts to use only
the minimum amount of PHI necessary to perform the specified functions, activities or services,
in accordance with Covered Entity’s minimum necessary policies and procedures. In the event
of inadvertent access by Business Associate to more than the minimum necessary amount of
Covered Entity’s PHI, Business Associate will: (i) treat all such PHI in accordance with the
Agreement and this Amendment; (ii) promptly notify Covered Entity, in accordance with
paragraph 3(d) below, of such access; (iii) erase, delete, and/or return such PHI as quickly as
possible; and (iv) take all necessary actions to prevent further access to PHI beyond the
minimum necessary amount.

(b) Safeguards. Business Associate shall use appropriate safeguards to prevent use
or disclosure of PHI other than as provided for by the Agreement and this Amendment. Business
Associate shall implement administrative, physical and technical safeguards that reasonably and
appropriately protect the confidentiality, security, integrity and availability of PHI that it
receives, maintains, transmits or creates on behalf of Covered Entity and that comply with the
requirements of HIPAA. In addition, if Business Associate conducts credit card transactions (i)
such safeguards shall consist of or include the recommendations of the Payment Card Industry
Data Security Standards, found at https://www.pcisecuritystandards.org and (ii) Business
Associate shall not store security code (i.e., CVC) information or credit card magnetic stripe
information in any form.

(c) Mitigation. Business Associate shall promptly mitigate, to the extent practicable,
any harmful effect of a use or disclosure of PHI by Business Associate or one of its agents or
subcontractors in violation of the Agreement and this Amendment.

(d) Notify Covered Entity. Business Associate shall promptly notify Covered Entity
of any Security Incident or Breach in writing in the most expedient time possible, and not to
exceed twenty-four (24) hours in the event of a Breach, following Business Associate’s
discovery of such Security Incident or Breach. This Section constitutes notice by Business
Associate to Covered Entity of the ongoing existence and occurrence of attempted but
unsuccessful security incidents for which no additional notice to Covered Entity shall be required,
including but not limited to pings and other broadcast attacks on Business Associate’s firewall,
port scans, unsuccessful log-on attempts, denials of service and any combination of the above, so
long as such incident does not result in unauthorized access, use or disclosure of PHI.
Notwithstanding any notice provisions in the Agreement, such notice shall be made to the
_______________ Corporate Compliance Officer or his/her designee by email to
[email protected]. Business Associate shall cooperate in good faith with Covered Entity in
the investigation of any Breach or Security Incident. The notice to be provided pursuant to this
Section 4(d) shall be substantially in the same form as Exhibit A, which is attached hereto.

(e) Breach Notification. Following notification to Covered Entity of a Breach,
Business Associate shall promptly cooperate with Covered Entity in determining which entity
shall provide any required Breach notification to regulatory agencies and affected individuals. If
the Parties agree that Business Associate shall provide any required Breach notification,
Business Associate shall provide such notification timely and provide Covered Entity with
documentation of Business Associate’s actions, including documentation of the names and
addresses of those to whom the notifications were provided.

(f) Access. If Business Associate holds PHI in Designated Record Sets, Business
Associate shall provide prompt access to the PHI to Covered Entity whenever so requested by
Covered Entity, or, if directed by Covered Entity, to a Patient in order to meet the requirements
of HIPAA and California law, as applicable. If requested, such access shall be in electronic
format. If Patient requests directly from Business Associate (i) to inspect or copy his or her PHI,
or (ii) requests its disclosure to a third party, the Business Associate shall promptly notify the
___________________ Corporate Compliance Officer or his/her designee by email to
[email protected] of such request.

(g) Amendments. Business Associate shall promptly make amendment(s) to PHI in
Designated Record Sets as requested by Covered Entity and shall do so in the time and manner
requested by Covered Entity to enable it to comply with HIPAA and California law, as
applicable. Within fifteen (15) business days following Business Associate’s amendment of PHI
as requested by Covered Entity, Business Associate shall provide written notice to Covered
Entity confirming that Business Associate has made the amendments or addenda to PHI as
directed by Covered Entity and containing any other information as may be necessary for
Covered Entity to provide adequate notice to the Patient in accordance with HIPAA. If Patient
requests an amendment to his or her PHI directly from Business Associate, the Business
Associate shall promptly notify the _________________ Corporate Compliance Officer or
his/her designee by email to [email protected] of such request and await such official’s
denial or approval of the request.

(h) Internal Records. Business Associate shall promptly make its internal practices,
books, records, including its policies and procedures, relating to the use, disclosure, or security
of PHI that the Business Associate received from, maintained or created for or on behalf of
Covered Entity, available to the Secretary, in a time and manner designated by the Secretary, to
enable the Secretary to determine compliance with HIPAA. Business Associate shall cooperate
with the Secretary if the Secretary undertakes an investigation or compliance review of Covered
Entity. Business Associate shall permit the Secretary access to its facilities, books, records,
accounts, and other sources of information, including PHI, during normal business hours. No
attorney-client, or other legal privilege will be deemed to have been waived by Business
Associate by virtue of this provision of the Agreement. Business Associate shall provide to
Covered Entity a copy of any PHI that Business Associate provides to the Secretary concurrently
with providing such PHI to the Secretary, unless prohibited by law or contrary to the request of
the Secretary.

(i) Accountings. Business Associate shall maintain the information required to
furnish accounting pursuant to the requirements of 45 C.F.R. § 164.528 and shall furnish such
information to Covered Entity promptly upon request by an individual for an accounting in
accordance with 45 C.F.R. § 164.528. Business Associate shall maintain this record for a period
of six (6) years and make it available to Covered Entity upon request in an electronic format so
that Covered Entity may meet its disclosure accounting obligations under HIPAA.

(j) Destruction. If, during the term of the Agreement, Business Associate wishes to
destroy any PHI, it shall notify Covered Entity in writing about its intent to destroy data at least
ten (10) days before such date of destruction, and shall comply with the requirements for
destruction of PHI found in Section 5(c) of this Amendment. Except as otherwise provided
herein, if Covered Entity requests the return of any PHI, Business Associate shall comply as
requested.

(k) HIPAA Compliance. Business Associate shall comply with the Security Rule
with respect to electronic PHI. The written policies and procedures and documentation required
to be maintained by Business Associate under the Agreement, this Amendment and HIPAA shall
be made available to Covered Entity, upon Covered Entity’s request.

(l) Agents and Subcontractors. Business Associate shall ensure that any agent,
including a subcontractor, to whom it provides PHI agrees in a written contract with Business
Associate to the same restrictions and conditions that apply to Business Associate through this
Amendment with respect to such PHI. Notwithstanding anything to the contrary in the
Agreement or this Amendment, Business Associate shall not use any agent or subcontractor to
perform any service requiring access to PHI under the Agreement without the express written
consent of an authorized representative of Covered Entity. If Business Associate knows of a
pattern of activity or practice of an agent or subcontractor that constitutes a violation of the agent
or subcontractor’s obligations to Business Associate, Business Associate shall take reasonable
steps to end the violation, and if such steps are unsuccessful, Business Associate must terminate
the arrangement if feasible.

(m) Data Ownership. All PHI is owned by Covered Entity unless otherwise agreed
in writing.

5. Term and Termination

(a) Term. The term of this Amendment shall be coterminous with the Agreement.
However, Business Associate shall have a continuing obligation to safeguard the confidentiality
of PHI received from Covered Entity after the termination of the Agreement.

(b) Termination for Cause. If Business Associate breaches any of its obligations, or
is named as a defendant in a criminal proceeding for a violation of HIPAA, Covered Entity shall
have the option to do the following:

(i) Cure. Provide Business Associate an opportunity to cure the breach, to
the extent curable, and end the violation within a reasonable time specified by Covered Entity. If
Business Associate does not cure the breach or end the violation as and within the time specified
by Covered Entity, or if the breach is not curable, Covered Entity may terminate its obligations
to Business Associate, including, but not limited to, its future payment obligations and
obligations to provide information, materials, equipment or resources to Business Associate; or

(ii) Immediate Termination. Immediately terminate the Agreement, if
Covered Entity reasonably determines that Business Associate (1) has acted with gross
negligence in performing its obligations; (2) is in violation of the law; (3) willfully has violated
or is violating the privacy and security provisions of this Amendment or HIPAA; or (4) is unable
to provide, if requested, written assurances to Covered Entity of its ability to protect the
confidentiality and security of the PHI. Such termination of the Agreement shall be without
prejudice to other legal remedies available to Covered Entity.

(c) Effect of Termination.

(i) Disposition of PHI. Upon termination of the Agreement for any reason
and subject to Section 5(c)(ii) below, Business Associate shall promptly return to Covered Entity
a copy of all PHI, including derivatives thereof, and shall take all reasonable steps to promptly
destroy all other PHI held by Business Associate by: (i) shredding; (ii) securely erasing; or (iii)
otherwise modifying the information in those records to make it unreadable or undecipherable
through any means. This provision shall apply to PHI in the possession of subcontractors or
agents of Business Associate. Business Associate shall certify in writing that it has complied
with the requirements of this Section.

(ii) Infeasible; Survival. If the return or destruction of PHI is infeasible,
Business Associate shall promptly notify Covered Entity of the conditions that make such return
or destruction infeasible and Business Associate shall limit the further use or disclosure of all
PHI to the purposes that make its return or destruction infeasible. If Business Associate
subsequently wishes to destroy PHI, Business Associate shall comply with Section 5(a) above.
If Covered Entity requests the return of any PHI, Business Associate shall comply as requested.

6. Credit Monitoring. If either Party is Required by Law to notify individuals whose PHI
was inappropriately accessed, used, or disclosed by Business Associate, its employees,
subcontractor(s) or its agents, and the PHI contains: (i) the individual’s first initial or first name,
last name, and social security number; (ii) the individual’s first initial or first name, last name,
and driver’s license or state identification card; (iii) the individual’s first initial or first name, last
name, account number, credit or debit card number, in combination with any required security
code, access code, or password that would permit access to an individual's financial account;
and/or (iv) the individual’s first initial or first name, last name, and PHI, then Business Associate
and Covered Entity shall work together to structure a credit monitoring offering commensurate
to the risk posed by the breach and Business Associate shall, in any event, pay the costs of credit
monitoring for one (1) year for such individuals and the costs and fees related to timely
notification in accordance with law.

7. Miscellaneous

(a) General. The Agreement, including this Amendment and attachments hereto, is
intended to be construed in harmony with each other; but if any provision in this Amendment
conflicts with the provisions of the Agreement, or its other attachments, the provisions in this
Amendment shall be deemed to control and such conflicting provision or part thereof shall be
deemed removed and replaced with the governing provision herein to the extent necessary to
reconcile the conflict. Except as amended by this Amendment, all other terms of the Agreement
remain in full force and effect. This Amendment supersedes and replaces any previous oral or
written agreements between Business Associate and Covered Entity relating to the subject matter
hereof, except that the indemnification provisions of this Amendment and the Agreement shall
be read in tandem and be considered separate, concurrent obligations. Signatures submitted via
facsimile or electronic means shall be deemed original signatures of the Parties and shall be valid
and binding upon the Parties hereto. Any limitation of liability provision in the Agreement, if
any, shall not be deemed to limit Business Associate’s liability for damages related to a Business
Associate’s privacy or security obligations under this Agreement. To the extent this Section
conflicts with the Agreement or other agreement or document by and between the Parties, this
Section supersedes and amends the Agreement and such other agreement or document.

(b) Amendment. The Parties agree to promptly modify or amend this Amendment to
permit Parties to comply with any new laws, rules or regulations that might modify the terms and
conditions herein. This Amendment may not be modified, nor shall any provision hereof be
waived or amended, except in a writing duly signed and agreed to by Business Associate and
Covered Entity.

(c) Audits. Upon reasonable notice to Business Associate, Covered Entity or its
authorized agents shall have the right to inspect and audit Business Associate’s facilities,
systems, records, and privacy and security controls and procedures as may be necessary to verify
Business Associate’s compliance with the terms of the Agreement, this Amendment and HIPAA.
Covered Entity shall be responsible for all costs incurred in order to perform the audit.

(d) No Third-Party Beneficiary. The provisions and covenants set forth in this
Amendment are expressly entered into only by and between Business Associate and Covered
Entity, and are only for their benefit. Neither Business Associate nor Covered Entity intends to
create or establish any third-party beneficiary status or right (or the equivalent thereof) in any
other third party and no such third party shall have any right to enforce or enjoy any benefit
created or established by the provisions and covenants in this Amendment.

(e) Indemnification. To the fullest extent permitted by law, Business Associate shall
promptly and fully defend, indemnify and hold harmless Covered Entity, its affiliates and
respective officers, directors, agents and employees (“Indemnified Parties”) against any and all
claim, demand, injury, lawsuit, liability, loss, expense, fine, penalty, assessment, cost, damage,
judgment, award or attorney’s fees (including the reasonable costs of Covered Entity’s in-house
counsel), resulting from or relating to: (i) the breach of this Amendment by Business Associate;
(ii) the acts or omissions of Business Associate or its agents or subcontractors, including
reasonable attorneys’ fees and costs of investigation, notification and mitigation resulting from
any Security Incident or Breach of unsecured PHI caused by Business Associate or its agents or
subcontractors, or affecting PHI in the custody or control of Business Associate or its agents or
subcontractors, regardless of whether the security incident or breach of unsecured PHI was due
to a violation of this Amendment; (iii) any wrongful termination or any other claim or action
against Covered Entity with respect to the actual or constructive termination by Business
Associate of any agent, business associate or personnel employed or contracted by Business
Associate, whether or not providing services under the Agreement; and (iv) any action to enforce
this Section (collectively, “Claims”). The Claims covered by this Section shall include Claims
made or recovered against the Indemnified Parties and Claims issued in favor of a third party.
This Section shall survive the expiration or termination of this Amendment, and any limitation of
liability contained in the Agreement or other contract between the Parties shall not apply to the
indemnification obligations under this Section.

(f) Insurance. Business Associate shall obtain and continuously maintain insurance,
including cyber coverage with limits of liability not less than Five Million Dollars ($5,000,000)
per occurrence and five million dollars ($5,000,000) annual aggregate providing coverage with
respect to Business Associate’s duties under this Agreement for Business Associate and its
employees, agents and independent contractors. Business Associate shall provide Covered
Entity with certificates of insurance or other written evidence of the insurance policy required
herein prior to the effective date of the Agreement and as of each annual renewal of such
insurance policies during the term of the Agreement. In addition to the certificates of insurance,
the Business Associate must provide an additional insured policy endorsement from its insurance
carrier naming Covered Entity, its officers, officials, employees, and volunteers as additional
insureds. The certificates of insurance and policy endorsements must state that (a) Covered
Entity, its officers, officials, employees, and volunteers are additional insureds, but only insofar
as the operations under the Agreement are concerned; and (b) the insurer will not cancel the
insured’s coverage without thirty (30) days’ prior written notice to Covered Entity.

(g) Assistance in Litigation or Administrative Proceedings. Business Associate
shall make itself, and any employees, subcontractors, or agents, available to Covered Entity, at
no cost to Covered Entity, to testify as witnesses, or otherwise, if litigation or administrative
proceedings are commenced against Covered Entity, its directors, officers or employees based
upon a claimed violation of HIPAA, the Privacy Rule, the Security Rule, or other laws relating to
security and privacy, except where Business Associate or its subcontractor, employee or agent is
a named adverse party.

(h) Subpoenas. If Business Associate receives a subpoena or request from any
judicial, administrative or other party arising out of or in connection with this Agreement,
including, but not limited to, any unauthorized use or disclosure of PHI, Business Associate shall
promptly forward a copy of such subpoena, notice or request to Covered Entity and afford
Covered Entity the opportunity to exercise any rights it may have under law, to the extent such
disclosure is permitted by law or is not inconsistent with the request of a government agency.

(i) Survival. The respective rights and obligations of Business Associate under
Section 4 of this Amendment shall survive the termination of the Agreement. In addition,
Section 5(c) (Effect of Termination), Section 7(e) (Indemnification), Section 7(g) (Assistance in
Litigation and Administrative Proceedings), Section 7(h) (Subpoenas), Section 7(i) (Survival),
and Section 7(j) (Governing Law) shall survive the termination of this Agreement.

(j) Governing Law. This Amendment shall be governed by and construed in
accordance with the laws of the State of California (to the extent not preempted by HIPAA).
Any legal suit, action, or proceeding arising out of or related to this Amendment will be
instituted exclusively in the state or federal courts of the United States or the courts of the State
of California, in each case located in the County of Fresno, and each Party irrevocably submits to
the exclusive jurisdiction of such courts in any such suit, action, or proceeding.

IN WITNESS WHEREOF, each of the undersigned has caused this Amendment to be agreed
and accepted.

Business Associate:                              Covered Entity:

________________________________                 _________________________________________

By: ____________________________                 By: _____________________________________

Name: __________________________                 Name: ___________________________________

Title: _________________________                 Title: __________________________________

Exhibit A

Notification of Unauthorized Use or Disclosure of PHI/Breach of Unsecured PHI

Attn: Corporate Compliance Officer

This notification is made pursuant to Section 4 of the HIPAA Business Associate Amendment
between _____________________ (including its subsidiaries and affiliated entities), (“Covered
Entity”) and____________________________(“Business Associate”).

Business Associate hereby notifies Covered Entity that there has been a breach of Protected
Health Information (“PHI”) that Business Associate has used or has had access to under the
terms of the Business Associate Agreement.

1. Description of the breach:

________________________________________________________________________
________________________________________________________________________
________________________________________________________________________

2. Date of the breach: ________________________________________________________

3. Date of the discovery of the breach: __________________________________________

4. Number of individuals affected by the breach: __________________________________

5. The types of PHI that were involved in the breach:

[ ] Full Name                [ ] Social Security Number

[ ] Date of Birth            [ ] Home Address

[ ] Account Number           [ ] Other _________________________

6. Description of what Business Associate is doing to investigate the breach, mitigate losses,
and protect against further breaches:
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________

7. Business Associate contact information:

________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
