Customer (“Customer”) may make Protected Health Information of Individuals available to Smile Virtual Consult, LLC (“SVC”) in conjunction with SVC’s web-based solution that connects potential patients interested in learning more about how to improve their smile with potential health care providers (the “SVC Service”). Accordingly, SVC and Customer agree to the terms and conditions of this Business Associate Agreement to comply with the rules governing the handling of Protected Health Information (“PHI”) set forth in the Health Insurance Portability and Accountability Act (“HIPAA”) Standards for Privacy of Individually Identifiable Health Information, 45 C.F.R. Part 160 and Part 164, Subpart E (“Privacy Rule”), the HIPAA Security Standards, 45 C.F.R. Part 160 and Part 164, Subpart C (“Security Rule”), the HIPAA Breach Notification Regulations, 45 C.F.R. Part 164, Subpart D (“Breach Notification Rule”), and the Health Information Technology for Economic and Clinical Health Act, 42 U.S.C. §§ 17921-17954 (“HITECH Act”) (collectively, “the HIPAA Requirements”), all as amended from time to time.
Unless otherwise provided in this Business Associate Agreement, all capitalized terms in this Agreement shall have the same meaning as set forth in the HIPAA Requirements.
a. SVC Service: SVC will use or disclose PHI only for those purposes necessary to provide the SVC Service, as otherwise expressly permitted in this Business Associate Agreement or Customer’s Subscription Use Agreement, or required by law. SVC will not further use or disclose such PHI. To the extent SVC is to carry out one or more of Customer’s obligations under the Privacy Rule, SVC must comply with the requirements of the Privacy Rule that apply to Customer in the performance of such obligation(s). SVC may not use or disclose PHI in a manner that would violate the Privacy Rule if done by Customer unless the use or disclosure is permitted in this Business Associate Agreement.
b. Subcontractors: SVC agrees that when one of its Subcontractors creates, transmits, receives or maintains PHI on behalf of SVC, SVC first will enter into an agreement with such Subcontractor that contains the same restrictions and conditions that apply to SVC with respect to such PHI.
c. SVC Management, Administration and Legal Responsibilities: SVC may use Customer’s PHI for SVC’s management and administration, or to carry out SVC’s legal responsibilities. SVC may disclose PHI to a third party for such purposes only if the disclosure is required by law, or SVC secures written assurance from the receiving party that the receiving party will: (i) hold the PHI confidentially; (ii) use or disclose the PHI only as required by law or for the purposes for which it was disclosed to the recipient; and (iii) notify SVC of any other use or disclosure of PHI.
SVC will implement and maintain appropriate safeguards to prevent any use or disclosure of PHI for purposes other than those permitted by this Business Associate Agreement, including safeguards to protect the confidentiality, integrity, and availability of any electronic protected health information (“ePHI”), if any, that SVC creates, receives, maintains, and transmits on behalf of Customer. SVC will comply with the provisions of the HIPAA Security Rule applicable to SVC.
a. Use or Disclosure Not Permitted by This Agreement: SVC will report in writing to Customer any use or disclosure of PHI for purposes other than those permitted by this Business Associate Agreement within 15 business days of SVC’s learning of such use or disclosure.
b. Security Incidents: SVC will report in writing to Customer any successful Security Incident of which SVC becomes aware within 15 business days of SVC learning of such Security Incident. SVC also will report the aggregate number of unsuccessful, unauthorized attempts to access, use, disclose, modify, or destroy ePHI or interfere with system operations in an information system containing ePHI, of which SVC becomes aware, although such reports will be provided upon request by Customer and no more often than once per month.
c. Breaches of Unsecured PHI: SVC will report in writing to Customer any Breach of Unsecured Protected Health Information, as defined in the Breach Notification Rule, within 15 business days of the date SVC learns of the incident giving rise to the Breach. To the extent known, SVC will provide to Customer information regarding the Breach as required in the Breach Notification Rule.
a. Customer Access: Within 15 business days of a request by Customer for access to PHI in a Designated Record Set, SVC will make requested PHI available to Customer.
b. Individual Access: Within 15 business days of SVC’s receipt of a request from an Individual for access to PHI in a Designated Record Set, SVC will forward such request in writing to Customer. SVC will make no determinations regarding the grant or denial of an Individual’s request to access PHI.
a. Customer Request: Within 15 business days of receiving a request from Customer to amend an Individual’s PHI in a Designated Record Set, SVC will provide such PHI to Customer for amendment. Alternatively, if Customer’s request includes specific instructions on how to amend the PHI in the Designated Record Set, SVC will incorporate such amendment into the PHI it holds in a Designated Record Set within 15 business days of receipt of the Customer request.
b. Individual Request: Within 15 business days of SVC’s receipt of a request from an Individual for an amendment to PHI in a Designated Record Set, SVC will forward such request in writing to Customer. SVC will make no determinations regarding amendments to PHI.
a. Disclosure Records: SVC will keep a record of any disclosure of PHI that SVC makes, if Customer would be required to provide an accounting to Individuals of such disclosures under 45 C.F.R. § 164.528. SVC will maintain its record of such disclosures for as long as required by the Privacy Rule.
b. Data Regarding Disclosures: For each disclosure for which it is required to keep a record under this Section, SVC will record and maintain the following information: (1) the date of disclosure; (2) the name of the entity or person who received the PHI and the address of such entity or person, if known; (3) a description of the PHI disclosed; and (4) a brief statement of the purpose of the disclosure.
c. Provision to Customer: Within 15 business days of receiving a request from Customer, SVC will provide to Customer its records of disclosures.
d. Request by Individual: Within 15 business days of SVC’s receipt of a request from an Individual for an accounting of disclosures, SVC will forward the request and its record of disclosures to Customer. SVC will not provide an accounting of its disclosures directly to any Individual.
If Customer advises SVC of any changes in, or restrictions to, the permitted use or disclosure of PHI, SVC will restrict the use or disclosure of PHI consistent with the Customer’s instructions.
SVC will make its internal practices, books and records relating to the use and disclosure of PHI received from, or created or received by or on behalf of Customer, available to the Secretary of the Department of Health and Human Services for purposes of determining compliance with the HIPAA Requirements. No attorney-client, accountant-client or other legal privilege will be deemed waived by SVC or Customer as a result of this Section.
a. Material Breach: Either party may terminate this Business Associate Agreement by providing the other party notice of the breaching party’s material breach. Such notice must provide the breaching party at least thirty days to cure the alleged breach (the “Cure Period”). If the noticed party fails to cure the breach within the Cure Period, this Business Associate Agreement shall terminate upon the expiration of the Cure Period. If the breaching party cures the alleged breach before the Cure Period expires, the notice shall be null and void and this Business Associate Agreement shall remain in effect.
b. Return or Destruction of PHI: Within 30 days of termination of this Business Associate Agreement, SVC will return to Customer all PHI that SVC maintains in any form or format. Alternatively, SVC may destroy all such PHI and provide written documentation of such destruction.
c. Retention of PHI if Return or Destruction is Infeasible: If SVC believes that returning or destroying PHI at the termination of this Agreement is infeasible, it will notify Customer in writing of its determination within 30 days of the effective date of termination of this Agreement. In that event, SVC will extend the protections, limitations and restrictions of this Business Associate Agreement to its use or disclosure of PHI retained after termination and limit further uses or disclosures to those purposes that make the return or destruction of the PHI infeasible.
IN WITNESS WHEREOF, the Parties have executed this Agreement to be effective as of the Effective Date.
Customer:
By:
Title:
Date:

Smile Virtual Consult, LLC:
By:
Title:
Date: