HIPAA Business Associate Agreement

If Customer is a Covered Entity and includes Protected Health Information in its Customer Personal Data uploaded through the Harmonic Security (“Harmonic” or “Business Associate”) Data Protection Service (the “Service”), this HIPAA Business Associate Agreement (“Agreement”) is incorporated upon execution of the Harmonic Subscription Agreement or the Harmonic End User License Agreement (each a “Service Agreement”) that incorporates the Harmonic Data Processing Agreement (“DPA”). If there is any conflict between a provision in the Service Agreement or the DPA and a provision in the Agreement, this Agreement will control. Capitalized terms used but not otherwise defined in this Agreement shall have the same meaning as ascribed to those terms in the HIPAA rules (“HIPAA”) and the HITECH Act (the “HITECH Act”).

A. The Parties have entered into an Agreement, under which the Business Associate agrees to provide the Service to the Covered Entity. The purpose of this Agreement is to comply with applicable provisions of the Privacy, Security, Breach Notification and Enforcement Rules, set forth at 45 CFR Parts 160 and 164 (collectively the “HIPAA”), established under the Health Insurance Portability and Accountability Act of 1996, and the security provisions of the American Recovery and Reinvestment Act of 2009 (the “HITECH Act”).

B. This Agreement sets forth the terms and conditions pursuant to which the Business Associate can use “protected health information,” as defined in the HIPAA, that is received by the Business Associate from or on behalf of the Covered Entity during the term of the Subscription Agreement and after its termination (“PHI”). In all other respects, the Agreement shall continue in full force and effect and shall govern the respective rights of the parties. The parties agree that this Agreement applies if and to the extent that Harmonic has access to, creates, transmits, and/or receives PHI.

In consideration of the foregoing and of the mutual covenants and agreements herein contained, and for other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the parties agree as follows:

1. The Service. In connection with Harmonic’s performance under the Agreement, the Covered Entity may provide Harmonic with access to, or have the Business Associate create, maintain, transmit, and/or receive certain PHI. The Parties acknowledge and agree that to the extent of its use or disclosure of PHI, Harmonic is a “business associate” under the HIPAA. The Business Associate is an independent contractor and not an agent of the Covered Entity. Except as otherwise specified herein, Business Associate may use PHI only as necessary to perform its obligations as set forth in the Agreement (the “Service”). All other uses are prohibited, except as specifically authorized by this Agreement or otherwise authorized by the Covered Entity in writing.

2. Responsibilities of Business Associate

Business Associate hereby agrees to comply with the following:

a. Compliance with Law. Business Associate warrants that it, its agents, and its subcontractors: (i) shall use or disclose PHI only in connection with fulfilling its duties and obligations under this Agreement and the Service Agreement; (ii) shall not use or disclose PHI other than as permitted or required by this Agreement or required by law; (iii) shall not use or disclose PHI in any manner that violates applicable federal and state laws or would violate such laws if used or disclosed in such manner by the Covered Entity; and (iv) shall only use and disclose the minimum necessary PHI for its specific purposes.

b. Permitted Uses and Disclosures. Subject to the restrictions set forth throughout this Agreement, the Business Associate may use the information received from the Covered Entity if necessary for (i) the proper management and administration of the Business Associate; or (ii) to carry out the legal responsibilities of the Business Associate. Business Associate may disclose PHI for the proper management and administration of Business Associate, provided that: (i) disclosures are required by law, or (ii) Business Associate obtains reasonable assurances from the person or entity to whom the information is disclosed that it will remain confidential and be used or further disclosed only as Required by Law or for the purpose for which it was disclosed to the person or entity, and the person or entity notifies the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.

(i) Business Associate is permitted, for Data Aggregation purposes to the extent permitted under HIPAA, to use, disclose, and combine PHI created or received on behalf of Covered Entity by Business Associate pursuant to this Agreement with PHI, as defined by 45 C.F.R. § 160.103, received by Business Associate in its capacity as a business associate of other covered entities, to permit data analyses that relate to the Health Care Operations of the respective covered entities and/or Covered Entity.

(ii) Business Associate may de-identify any and all PHI created or received by Business Associate under this Agreement. Once PHI has been de-identified pursuant to 45 C.F.R. § 164.514(b), such information is no longer PHI and no longer subject to this Agreement.

(iii) Business Associate acknowledges that, as between Business Associate and Covered Entity, all PHI shall be and remain the sole property of Covered Entity, including any and all forms thereof developed by Business Associate in the course of its fulfillment of its obligations pursuant to this Agreement and the Services under the Agreement.

c. Safeguards. Use appropriate administrative, physical, and technical safeguards, and comply with Subpart C of 45 C.F.R. Part 164 with respect to electronic PHI, to prevent use or disclosure of PHI other than as provided for by this Agreement.

d. Reporting Obligations. In the event of a Breach of any Unsecured PHI that the Business Associate accesses, maintains, retains, modifies, records, or otherwise holds or uses on behalf of the Covered Entity, the Business Associate agrees to report to the Covered Entity in writing any use and/or disclosure of PHI that is not permitted or required by this Agreement, including Breaches of unsecured PHI and successful Security Incidents involving PHI. The Parties acknowledge that unsuccessful Security Incidents that occur within the normal course of business shall not be reported pursuant to this Agreement. Such unsuccessful Security Incidents include, but are not limited to, port scans or “pings”, unsuccessful log-on attempts, broadcast attacks on the Business Associate’s firewall, denials of service, or any combination thereof if such incidents are detected and neutralized by the Business Associate’s anti-virus and other defensive software and not allowed past the Business Associate’s firewall. In the event of a Breach of unsecured PHI, the Business Associate shall notify the Covered Entity of such Breach in accordance with the following rules:

(i) A breach shall be treated as discovered by the Business Associate as defined by 45 C.F.R. § 164.410 and applicable law.

(ii) Business Associate shall provide the required notification as soon as practicable and in no case later than 60 calendar days after discovery of a Breach.

(iii) The notification shall include the identification of each individual whose unsecured PHI has been, or is reasonably believed by the Business Associate to have been, accessed, acquired, used, or disclosed during the Breach.

(iv) Business Associate shall provide Covered Entity with the following information with respect to the Breach at the time of the required notification or as soon thereafter as information becomes available:

(1) A brief description of what happened, including the date of the Breach and the date of the discovery of the Breach, if known;

(2) A description of the types of unsecured PHI that were involved in the Breach;

(3) Any steps individuals should take to protect themselves from potential harm resulting from the Breach; and

(4) A brief description of what Business Associate is doing to investigate the Breach, to mitigate harm to individuals, and to protect against any further Breaches.

e. Subcontractors. Notwithstanding anything to the contrary in the Agreement or this Agreement, Business Associate, subject to the restrictions set forth in this provision, may use subcontractors to fulfill its obligations under this Agreement. Business Associate must require all of its subcontractors and agents that create, receive, maintain, transmit, use, or have access to PHI to agree, in writing, to adhere to the same restrictions, conditions, and requirements that apply to Business Associate with respect to such PHI.

f. Access. To the extent the Business Associate maintains PHI in a Designated Record Set, in order to allow the Covered Entity to respond to a request by an Individual for access to PHI pursuant to 45 C.F.R. § 164.524, the Business Associate, within thirty (30) business days of receiving a written request from the Covered Entity, will provide access to PHI in a Designated Record Set to the Covered Entity. In the event that any Individual requests access to PHI directly from Business Associate, Business Associate shall forward such request to the Covered Entity within twenty (20) business days. The Covered Entity will be responsible for making all determinations regarding the grant or denial of an Individual’s request for PHI, and the Business Associate will make no such determinations. Except as Required by Law, only the Covered Entity will be responsible for releasing PHI to an Individual pursuant to such a request. Any denial of access to PHI determined by the Covered Entity pursuant to 45 C.F.R. § 164.524 and conveyed to the Business Associate by the Covered Entity shall be the responsibility of the Covered Entity, including resolution or reporting of all appeals and/or complaints arising from denials.

g. Amendment. To the extent Business Associate maintains PHI in a Designated Record Set, in order to allow the Covered Entity to respond to a request by an Individual for an amendment to PHI, within thirty (30) business days of receiving a written request from the Covered Entity, make available to the Covered Entity such PHI. In the event that any Individual requests amendment of PHI directly from Business Associate, Business Associate shall forward such request to the Covered Entity within twenty (20) business days. The Covered Entity will be responsible for making all determinations regarding the grant or denial of an individual’s request for an amendment to PHI, and the Business Associate will make no such determinations. Within ten (10) business days of receipt of a request from the Covered Entity to amend an individual’s PHI in the Designated Record Set, the Business Associate shall incorporate any approved amendments, statements of disagreement, and/or rebuttals into its Designated Record Set as required by 45 C.F.R. § 164.526.

h. Accountings of Disclosures. In order to allow the Covered Entity to respond to a request by an individual for an accounting pursuant to 45 C.F.R. § 164.528, the Business Associate shall, within thirty (30) business days of a written request by the Covered Entity for an accounting of disclosures of PHI about an individual, make available to the Covered Entity such PHI. At a minimum, the Business Associate shall provide the Covered Entity with the following information: (a) the date of the disclosure; (b) the name of the entity or person who received the PHI, and if known, the address of such entity or person; (c) a brief description of the PHI disclosed; and (d) a brief statement of the purpose of such disclosure. In the event that any Individual requests an accounting of disclosures of PHI directly from Business Associate, Business Associate shall forward such request to the Covered Entity within twenty (20) business days. The Covered Entity will be responsible for preparing and delivering an accounting to the individual. Business Associate shall implement an appropriate record-keeping process to enable it to comply with the requirements of this Agreement.

i. Books and Records. Within thirty (30) business days of receiving a written request from Covered Entity, make available during normal business hours at Business Associate’s offices all records, books, agreements, policies, and procedures relating to the use and/or disclosure of PHI received from, or created or received by, Business Associate on behalf of Covered Entity for purposes of enabling Covered Entity to determine Business Associate’s compliance with the terms of this Agreement.

j. Minimum Necessary. Disclose to its subcontractors, agents, or other third parties, and request from the Covered Entity, only the minimum PHI necessary to perform or fulfill a specific function required or permitted under this Agreement or the Agreement.

k. Covered Entity Obligations. To the extent the Business Associate is to carry out one or more of the Covered Entity’s obligations under the HIPAA, comply with the requirements of the HIPAA that apply to the Covered Entity in the performance of such obligations. The Business Associate may not use or disclose PHI in a manner that would violate the HIPAA if done by Covered Entity.

l. Comply with those provisions of the HIPAA extended to Business Associates, including without limitation:

(i) implementing policies and procedures to prevent, detect, contain, and correct security violations;

(ii) implementing policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed;

(iii) implementing technical policies and procedures for electronic information systems that maintain electronic PHI to allow access only to those persons or software programs that have been granted access rights as specified in applicable regulations; and

(iv) implementing reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of the HIPAA.

3. Responsibilities of Covered Entity. Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would violate applicable federal and state laws if such use or disclosure were made by Covered Entity. The Covered Entity may request the Business Associate to disclose PHI directly to another party only for the purposes allowed by HIPAA and the HITECH Act. The Covered Entity hereby agrees to:

a. Inform the Business Associate of any changes in the form of notice of privacy practices (the “Notice”) that the Covered Entity provides to individuals pursuant to 45 C.F.R. § 164.520, and provide the Business Associate with a copy of the Notice currently in use.

b. Inform Business Associate of any changes in, or withdrawal of, the consent or authorization provided to the Covered Entity by individuals, pursuant to 45 C.F.R. § 164.506 or § 164.508, with respect to PHI used by the Business Associate.

c. Notify the Business Associate, in writing and in a timely manner, of any restrictions on the use and/or disclosure of PHI used by the Business Associate agreed to by the Covered Entity as provided for in 45 C.F.R. § 164.522.

4. Term and Termination.

a. Term. This Agreement will become effective on the Effective Date. Unless terminated sooner pursuant to Section 4.b below, this Agreement shall terminate upon the termination or expiration of the Agreement and when all PHI provided by either party to the other, or created or received by the Business Associate on behalf of the Covered Entity is, in accordance with this Section, destroyed, returned to the Covered Entity, or protections are extended.

b. Termination. Where either Party has knowledge of a material breach by the other Party, the non-breaching Party shall provide the breaching Party with an opportunity to cure. Where said breach is not cured to the reasonable satisfaction of the non-breaching Party within twenty (20) business days of the breaching Party’s receipt of notice from the non-breaching Party of said breach, the non-breaching Party shall, if feasible, terminate this Agreement and the portion(s) of the Agreement affected by the breach. Where either Party has knowledge of a material breach by the other Party and a cure is not possible, the non-breaching Party shall, if feasible, terminate this Agreement and the portion(s) of the Agreement affected by the breach.

c. Effect of Termination. Upon termination of this Agreement, the Business Associate will recover any PHI relating to the Agreement in the possession of its subcontractors, agents, or representatives. Business Associate will (i) if feasible as determined by Business Associate, return or destroy all PHI received from, or created or received by Business Associate for or on behalf of Covered Entity that Business Associate or any of its subcontractors and agents still maintain in any form, and Business Associate shall retain no copies of such information; or (ii) if Business Associate determines that such return or destruction is not feasible, extend the protections of this Agreement to such information and limit further uses and disclosures to those purposes that make the return or destruction of the PHI infeasible, in which case Business Associate’s obligations under this Section shall survive the termination of this Agreement. The respective rights and obligations of the Covered Entity and the Business Associate under this section shall survive the termination of this Agreement.

5. Amendment. If any of the regulations promulgated under HIPAA or the HITECH Act are amended or interpreted in a manner that renders this Agreement inconsistent therewith, the parties shall amend this Agreement to the extent necessary to comply with such amendments or interpretations.

6. Compliance with HIPAA. Any ambiguity in this Agreement shall be resolved in favor of a meaning that permits the Covered Entity to comply with the HIPAA. The Parties agree to amend this Agreement from time to time as necessary for the Covered Entity to comply with the requirements of the HIPAA.

7. Interpretation and Conflicting Terms. In the event that any terms of this Agreement conflict with any terms of the Agreement, the terms of this Agreement shall govern and control.

8. Severability. The provisions of this Agreement shall be severable, and if any provision of this Agreement shall be held or declared to be illegal, invalid, or unenforceable, the remainder of this Agreement shall continue in full force and effect as though such illegal, invalid, or unenforceable provision had not been contained herein.

© 2026 Harmonic Security