Embark Logo HD

Embark Business Associate Agreement

Last modified June 7, 2021

This Business Associate Agreement (“BAA”) is made between Embark EMR, an affiliate of Build TBD, LLC, an Indiana corporation (“Embark”) and          (See Signature)          (“CE”, “Covered Entity”), the registered holder of the HIPAA Account (defined below).

This BAA is effective as of       (See Signature)      (“Effective Date”), which is the date when both parties have completed signing this BAA.
This BAA is an addendum to the Embark EMR Terms of Service available at embarkemr.com/terms-conditions/.

This BAA may be electronically signed by the parties.

RECITALS

  1. CE is a “covered entity” under the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191 (“HIPAA”) and 45 CFR Part 160.103. The CE represents that as a covered entity, it is required to enter into so-called “business associate” contracts with certain contractors that may have access to certain health- related personal information regulated by HIPAA. If the CE does not qualify as a covered entity as outlined above, the terms of this agreement shall be null and void.
  2. Pursuant to the Agreement (as defined on Embark’s website, and updated from time to time at Embark’s sole discretion), Embark provides certain services to CE, including the provision of the Account and the services accessible within that Account. To facilitate Embark’s provision of such services, CE wishes to transfer certain information to Embark from time to time, some of which may constitute Protected Health Information (defined below).
  3. Any account which collects, transfers or deals with any PHI (defined below) must have a fully executed BAA with Embark on file, and as such, be a subscriber of Embark’s HIPAA compliant infrastructure in order for the data in the account to be considered as PHI and for the Account to be considered as a Covered Entity.
  4. CE and Embark acknowledge that Embark provides a platform and toolset that may enable CE to build HIPAA compliant applications. However, it is the sole responsibility of the CE to utilize the tools provided by Embark in the correct manner in order to ensure that the resulting application built within the Embark platform does comply with all of the requirements of HIPAA. Further, it is acknowledged herein that certain features of the standard Embark platform are modified or disabled inside of the Embark HIPAA environment due to their inability to conform to HIPAA requirements.
  5. CE and Embark desire to protect the privacy, and provide for the security, of Protected Health Information within the Account in compliance with HIPAA, the Health Information Technology for Economic and Clinical Health Act of 2009, Public Law 111-005 (“HITECH Act”), and HIPAA Regulations (defined below) promulgated thereunder by the U.S. Department of Health and Human Services and other applicable laws, including without limitation state patient privacy laws, as such laws may be amended from time to time.
  6. As part of the HIPAA Regulations, the Privacy Rule and the Security Rule (each defined below) require CE to enter into a contract with Embark containing specific requirements prior to the disclosure of Protected Health Information, as set forth in, but not limited to, Title 45, s 164.314(a), 164.502(e) and 164.504(e) of the Code of Federal Regulations (“C.F.R.”) and contained in this BAA.

NOW, THEREFORE, in consideration of the mutual promises below and the exchange of information pursuant to this BAA, CE and Embark agree as follows:

1. Definitions

Capitalized terms not otherwise defined in this BAA shall have the meanings assigned to such terms under HIPAA, the HITECH Act, and the HIPAA Regulations (collectively, “Privacy Laws”), as applicable.

The following terms shall have the following meanings in this BAA:

  • “Account” is a Embark EMR account under the Agreement:
    • (i) that is designated by Embark as a HIPAA compatible account on Exhibit A,
    • (ii) that uses only the HIPAA Eligible features to store and transmit any “Protected Health Information” as defined below,
    • (iii) to which you have applied HIPAA compliant processes and controls. For the purposes of this BAA, the “Account” refers to your HIPAA compliant account subscription.
  • “Electronic Protected Health Information” or “EPHI” means Protected Health Information that is maintained in or transmitted by electronic media.
  • “HIPAA Regulations” means, collectively, the Privacy, Security, Breach Notification and Enforcement Rules at 45 CFR Parts 160 and 164.
  • “Privacy Rule” means the HIPAA Regulation that is codified at 45 C.F.R. Parts 160 and 164, Subparts A and E.
  • “Protected Health Information” or “PHI” shall have the same meaning as 45 C.F.R. §160.103.
  • “Protected Information” means PHI provided by CE to Embark or created or received by Embark Bridge application users on CE’s behalf in connection with the Account provided by Embark pursuant to the Agreement.
  • “Security Rule” means the HIPAA Regulation that is codified at 45 C.F.R. Parts 160 and 164, Subparts A and C.
  • “Suspended HIPAA Account” refers to the Account when it has been suspended pursuant to Section 6(b) (Suspension Events).
  • “Suspension Period” means the maximum period of time for which Embark is obligated to maintain a Suspended HIPAA Account before closing it, given a specific reason for the suspension. Suspension Periods exist to provide CE with an opportunity to export or back up its Account data before the closure of the Account. For purposes of this Agreement, the Suspension Period shall be for thirty (30) days from the date that Embark notifies CE that their account has been suspended.
  • “Unsecured PHI” has the meaning given to such term under 42 U.S.C. § 17932(h), 45 C.F.R. §164.402 and guidance issued pursuant to the HITECH Act including, but not limited to that issued on April 17, 2009 and published in 74 Federal Register 19006 (April 27, 2009), by the Secretary of the U.S. Department of Health and Human Services (“Secretary”).

2. Applicability

This BAA applies only to HIPAA Accounts. You acknowledge that this BAA does not apply to any other accounts you may have now or in the future, and that any of your accounts that do not satisfy all of the HIPAA Account requirements are not subject to this BAA. HIPAA eligible services include Embark EMR with its data management and application authoring capabilities excluding Embark FileStor, non-secure DataHub connections and certain messaging services. It also includes password- protected application deployment through SSL. Non-SSL deployment is not available. Embark may, in its sole discretion, from time to time add or remove Services to the HIPAA Eligible Services.

3. Obligations of Embark

  1. Permitted Access, Use or Disclosure. Embark may not use or disclose PHI in a manner that would violate Privacy Laws if done by Covered Entity, except as permitted or required by this Agreement. Embark agrees that it shall keep confidential all PHI protected under Privacy Laws that Embark receives, accesses, or otherwise obtains under and/or in connection with this Agreement, and will only use or disclose PHI as permitted or required by this BAA and the Agreement, or required by law. To the extent Embark is to carry out one or more of CE’s obligations under Subpart E of 45 CFR Part 64, Embark will comply with the requirements of Subpart E that apply to CE. Except as otherwise limited in the Agreement or this BAA, Embark may access, use, or disclose Protected Information:
    1. to perform its services as specified in the Agreement and as permitted in this BAA;
    2. to de-identify Protected Health Information in accordance with 45 CFR 164.514(a)- (c), and shall be permitted to use such de-identified information as permitted by applicable law and
    3. for the proper administration of Embark, provided that such access, use, or disclosure would not violate HIPAA, the HITECH Act, the HIPAA Regulations, or applicable state law if done or maintained by CE.
  2. Minimum Necessary. Embark shall request, use, and disclose only the minimum amount of Protected Information necessary to accomplish the purpose of the request, use, or disclosure. Because the definition of “minimum necessary” is in flux, Embark, making reasonable efforts, will keep itself informed of guidance issued by the qualified governmental entity with respect to what constitutes “minimum necessary.” Notwithstanding the foregoing, the parties agree that based on the nature of the services provided to CE by Embark under the Agreement, Embark may be unable to determine what constitutes “minimum necessary” under HIPAA, and thus Embark shall be entitled to rely on CE’s direction as to what constitutes “minimum necessary” with respect to the access, use, or disclosure of CE’s Protected Information in the possession or under the control of Embark.
  3. Disclosures to Subcontractors and/or Third Parties. Embark shall ensure that all representatives, subcontractors, persons and/or entities to whom Embark discloses or provides the PHI execute a written Embark Agreement, as required under the Privacy Laws, in which such third persons and/or entities expressly agree to the same restrictions and conditions that apply to Embark with respect to the PHI. If a Embark agreement is not required by the Privacy Laws, Embark shall obtain reasonable assurances from all persons and entities who have access to, or are recipients of, the PHI that: (i) the PHI shall be held confidential and used or further disclosed only as required by law or for the purposes for which it was disclosed to the third party; and (ii) the third party shall promptly notify Embark of any Compromise of PHI, and Embark shall, in turn, notify Covered Entity.
  4. Availability of Books and Records. Embark shall make its internal practices, books, and such records as are not protected by applicable legal privilege or work product protection relating to the use, disclosure, and/or compromise of PHI available to the Secretary of the United States, Department of Health and Human Services and/or other authorized lawful authority as required by law or authorized by Covered Entity in writing, to determine compliance with applicable Privacy Laws.
  5. Prohibited Uses and Disclosures. Notwithstanding any other provision in this BAA, Embark shall comply with the following requirements:
    1. Embark shall not use or disclose Protected Information for fundraising or marketing purposes, except as provided under the Agreement and consistent with Privacy Laws;
    2. Embark shall not directly or indirectly receive remuneration in exchange for Protected Information, except with the prior written consent of CE and as permitted by Privacy Laws; however, this prohibition shall not affect payment by CE to Embark for services provided pursuant to the Agreement.
  6. Appropriate Safeguards. Embark shall use commercially reasonable efforts to prevent the unauthorized or unlawful access of Protected Information and shall implement appropriate safeguards designed to protect the confidentiality of Protected Information. Embark shall use administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of EPHI. Embark shall comply with each of its obligations under the applicable requirements of the Security Rule.
  7. Access to Protected Information. To the extent Embark maintains a Designated Record Set on behalf of the CE outside CE’s Embark Account, Embark shall make Protected Information maintained by Embark or its agents or subcontractors in Designated Record Sets available to CE for inspection and copying within 10 days of a request by CE to enable CE to fulfill its obligations under the Privacy Rule If Embark maintains an Electronic Health Record, Embark shall provide such information in electronic format to enable CE to fulfill its obligations under Privacy Laws. To the extent that a patient makes a request to Embark for a Designated Record Set or Electronic Health Record that Embark maintains on behalf of the CE, Embark shall forward such request to the CE within 10 calendar days of receipt and advise the patient that the CE will respond to the request. CE agrees that it, and not Embark, is responsible for responding to the patient to fulfill its obligations under the Privacy Laws.
  8. Amendment of PHI. To the extent Embark maintains a Designated Record Set on behalf of CE outside CE’s Embark Account, within 10 days of receipt of a request from the CE for an amendment of Protected Information or a record about an individual contained in a Designated Record Set, Embark or its agents or subcontractors shall make Protected Information available to CE so that CE may make any amendments that CE directs or agrees to in accordance with the Privacy Rule.
  9. Accounting Rights. To the extent Embark uses and discloses Protected Information, Embark and its agents or subcontractors shall maintain and make available to CE within 10 days of notice by CE of a request for an accounting of disclosures of Protected Information the information required to provide an accounting of disclosures to enable CE to fulfill its obligations under Privacy Laws. Any requests made to Embark for an accounting shall be referred to CE within five (5) business days. CE shall be responsible for responding to all requests from Individuals for an accounting, and shall reimburse Embark for any costs associated with providing such an accounting. CE acknowledges that any uses and disclosures it makes using CE’s Embark Account must be documented by CE for purposes of providing an accounting under Privacy Laws and is not the responsibility of Embark. 
  10. Restrictions. Embark shall comply with all reasonable and required restrictions on the use and disclosure of PHI requested by individuals granted by Covered Entity upon receipt of notice provided under Section 4(g) (Restrictions and Revocations). Embark shall refer Individuals requesting restrictions on the use and disclosure of PHI directly from Embark to Covered Entity within five (5) business days from the date Embark receives any such request. Covered Entity shall be responsible for responding to requests from Individuals for restrictions.

4.Obligations of Covered Entity

  1. Identification of Accounts. Only the accounts on Exhibit A are designated as Accounts. None of CE’s other accounts with Embark, if any, may contain PHI.
  2. Acceptable Collection Methods. Accounts must be “HIPAA-enabled” accounts. CE acknowledges that once the Account becomes a HIPAA-enabled account, that classification is irreversible. CE may only create, transmit, receive, maintain, and otherwise access PHI through HIPAA-enabled accounts.
  3. Subscription Plan. Only certain Embark subscription plans support HIPAA-enabled accounts (“HIPAA Subscription Plans”), and this BAA may only be entered into if the Account is under a HIPAA Subscription Plan. For example, if CE is not an HIPAA Subscriber, this BAA may only be entered into if the applicable account is migrated under a Embark HIPAA Subscription Plan. CE must maintain the Account under a HIPAA Subscription Plan and may not downgrade or otherwise change the Account to a subscription plan that is not a HIPAA Subscription Plan. Embark will not remove support for HIPAA-enabled accounts from a HIPAA Subscription Plan during the Term. In order for this BAA to be applicable, the Account must be in good standing and CE must be current in paying the fees that commensurate with being an HIPAA Subscriber.
  4. Appropriate Use of Accounts. CE is responsible for implementing appropriate access, privacy and security safeguards in order to protect PHI in compliance with HIPAA and this BAA.
  5. Appropriate Configuration. CE is solely responsible for configuring, and will configure, all Accounts as follows:
    1. Establish each and every user of your account with strong passwords and require them to replace their password at least every 3 months with another strong password. CE is responsible for verifying the identity of Embark Bridge Users and maintaining users’ profiles, access rights and the management of their activities inside the Embark Bridge system. Further, CE is responsible for the same as it relates to any of CE application users, for applications that are built and deployed using the Embark platform.
    2. Require all Account administrators, application authors and application users to become trained and fully aware of HIPAA requirements, as needed given individual access levels.
    3. Apply Authentication to every DataPage and Application that transmits PHI.
    4. Require and enforce strong passwords for application users and require them to change their passwords frequently.
  6. Necessary Consents. CE shall obtain any necessary authorizations, consents, and other permissions that may be required under applicable law prior to placing PHI in a Embark Account.
  7. Restrictions and Revocations. CE will promptly notify Embark in writing of any patient- requested restrictions, changes to, or revocation of, consent and/or authorization to use and/or disclose PHI that may affect Embark’s ability to perform its obligations under this BAA and the Agreement. CE will not agree to any restriction requests or place any restrictions in any Notice of Privacy Practices (“Notice”) that would cause Embark to violate this BAA or any applicable law.
  8. Notice of Privacy Practices. CE will promptly provide Embark a copy of its Notice, and any changes to the Notice that may affect Embark’s use or disclosure of PHI or performance of this BAA.
  9. Accounting of PHI Disclosures. CE will include in individual accountings requested under the Privacy Laws, including without limitation, 45 C.F.R. § 164.528, any disclosures by Embark.
  10. Compliance with HIPAA. CE shall not request Embark to access, use, or disclose Protected Information, nor to otherwise act, in any manner that would not be permissible under HIPAA or the HITECH Act if done by CE. CE shall not request Embark take any action that is inconsistent with Privacy Laws or this BAA.

5. Reporting of Improper Access, Use or Disclosure

  1. Generally. Embark shall promptly notify CE of any Security Incident of which Embark becomes aware and/or any access, use, or disclosure of Protected Information in violation of the Agreement, this BAA, and/or Privacy Laws of which it becomes aware. Embark shall take: (i) prompt corrective action to cure any deficiencies in its policies and procedures that may have led to the incident; and (ii) any action pertaining to such unauthorized access, use, or disclosure required of Embark by applicable federal and state laws and regulations. The parties agree that this section satisfies any notices necessary by Embark to CE of the ongoing existence and occurrence of attempted but Unsuccessful Security Incidents (as defined below) for which no additional notice to CE shall be required. For purposes of this Agreement, “Unsuccessful Security Incidents” include activity such as pings and other broadcast attacks on Embark’s firewall, port scans, unsuccessful log-on attempts, denials of service and any combination of the above, so long as no such incident results in unauthorized access, use or disclosure of electronic PHI.
  2. Breaches of Unsecured PHI. Without limiting the generality of the reporting requirements set forth in Section 5(a), Embark also shall notify CE of a Breach of Unsecured PHI in writing without unreasonable delay and in no case later than 5 business days after discovery. The notice shall include the following information if known (or can be reasonably obtained) by Embark: (i) contact information for the individuals who were or who may have been impacted by the Breach (e.g., first and last name, mailing address, email address); (ii) a brief description of the circumstances of the Breach, including the date of the Breach and date of discovery (as defined in 42 U.S.C. § 17932(c)); (iii) a description of the types of Unsecured PHI involved in the Breach (e.g., names, social security numbers, date of birth, addresses, account numbers of any type, disability codes, diagnostic and/or billing codes and similar information); and (iv) a brief description of what Embark has done or is doing to investigate the Breach and to mitigate harm to the individuals impacted by the Breach.
  3. Mitigation. Embark shall mitigate, to the extent practicable, any deleterious effects known to Embark of any unauthorized or unlawful access or use or disclosure of Protected Information not authorized by the Agreement, this BAA, or Privacy Laws; provided, however, that unless otherwise agreed in writing by the parties or required by Privacy Laws, such mitigation efforts shall not require Embark to bear the costs of notifying individuals impacted by such unauthorized or unlawful access, use, or disclosure of Protected Information. Embark shall remain fully responsible for all aspects of its reporting duties to CE under this Section 5.
  4. Meet and Confer. Upon any suspected or actual Breach, unauthorized disclosure of the PHI or breach of this Agreement, Covered Entity will meet and confer in good faith with Embark before notifying affected individuals, government agencies, and/or commencing any legal action.
  5.  

6. Term and Termination

  1. Term. This BAA shall be effective as of the Effective Date and shall continue until the Enterprise Agreement is terminated (the “Term”).
  2. Suspension Events.
    1. Lapsed Account. The Account is provided to CE by Embark on a paid subscription basis, which means that the Account must be periodically renewed in accordance with the Agreement if CE wishes to continue receiving services from Embark in connection with the Account. If the Account is not renewed, or if CE fails to pay any fees due in relation to the Account (such as renewal, overages and consulting fees), Embark may suspend CE’s access to the Account. In such case, CE may reinstate the Account by renewing it, or paying any overdue fees due in relation to it (as the case may be), before the end of the Suspension Period.
    2. Breach by CE. If CE materially breaches this BAA and the breach is not cured by CE within 15 days of receiving written notice of such breach, Embark may suspend and ultimately terminate the Account upon notice to the CE. In such case, the Account may only be reinstated at the discretion of Embark and only if the breach is cured.
    3. Suspended Account. If Embark suspends the Account, Embark will preserve all data contained in the Suspended Account for the Suspension Period, but functionality for the Account will be disabled (except for certain billing and account administration functions) and the Protected Information will no longer be directly accessible to CE through the Account’s online interface. All Protected Information contained in the Suspended Account will continue to be subject to this Agreement. During the Suspension Period, CE may:
      1. Access the Suspended Account to retrieve billing details and make account payments to bring the account current, and in such case Embark shall remove the Account from Suspended status;
      2. Submit a written request to Embark for an export of CE’s data contained in the Suspended HIPAA Account. The fulfillment of this request will be subject to the CE brining the account current and paying all past due amounts and paying for an applicable fees relating to the export service. Embark will use commercially reasonable efforts to fulfill such request promptly; and
      3. Close its Suspended Account by submitting a written notice to Embark. Embark will fulfill such closure request promptly upon receiving the notice and final payment for its services rendered to the effective date of termination. Further, Embark may respond to an individual customer or patient’s request for access to their individual PHI record or records by exporting the subject data to the CE for provision to the individual whose PHI is contained in the Embark system. In this circumstance, CE shall provide a copy of the customer/patient’s written request. Embark shall invoice the CE for the applicable access fees for exporting the records.
      4. Effect of Account Closure. This BAA will terminate upon the termination of the underlying Terms of Service and closure of the applicable Account (including termination by Embark at the end of the Suspension Period). If CE requests Embark to close the Account, CE is solely responsible for ensuring that such closure will not cause CE or Embark to violate any applicable laws.
    4. Termination. This BAA may be terminated:
      1. by CE upon written notice if Embark materially breaches this BAA and the breach is not cured by Embark within 30 business days of receiving written notice of such breach; or
      2. by Embark for any reason upon 90 days’ prior written notice, provided that Embark shall provide reasonable assistance to CE to destroy or return any of CE’s Protected Information before the effective date of termination. In such case, CE will be entitled to receive a pro rata refund of any fees prepaid by the Customer applicable to the Account for the period following the closure of the Account;
      3.  by Embark at the end of the Suspension Period should the CE not act to remedy the issue which led to the Account’s suspension; or
      4. by CE or Embark should CE or Embark choose not to renew Embark’s services in accordance with its rights under the Agreement.
    5. Effect of Termination. Upon termination of this BAA:
      1. the Account will be closed by Embark and the Agreement will terminate with respect to the Account; and
      2. Embark shall, if feasible, return or destroy within thirty (30) days of the Account’s termination all Protected Information that Embark or its agents or subcontractors still maintain in any form, and shall retain no copies of such Protected Information. If return or destruction is not feasible, Embark shall continue to extend the protections of this BAA to such information, and limit further use of such Protected Information to those purposes that make the return or destruction of such Protected Information infeasible. CE acknowledges that it is CE’s responsibility to export or backup any PHI that it wishes to retain before any termination is effected and Embark shall have no responsibility for any liability that may arise from any data loss caused as a result of that termination.

7. Compliance with State Law

Nothing in this BAA shall be construed to require Embark to use or disclose Protected Information without a written authorization from an individual who is a subject of the Protected Information, or without written authorization from any other person, where such authorization would be required under state law for such use or disclosure, or otherwise violate applicable state law.

8. Amendments to Comply with Law

Because state and federal laws relating to data security and privacy are rapidly evolving, amendment of the Agreement or this BAA may be required to provide for procedures to ensure compliance with such developments. Embark and CE shall take such action as is necessary to implement the standards and requirements of HIPAA, the HITECH Act, and other applicable laws relating to the security or confidentiality of PHI. Upon the request of either party, the other party shall promptly enter into negotiations concerning the terms of an amendment to this BAA embodying written assurances consistent with the standards and requirements of HIPAA, the HITECH Act, or other applicable laws. If such negotiations are unsuccessful, either party may terminate this BAA and close the Account upon 30 days’ written notice to the other party. 

9.No Third-party Beneficiaries

Nothing express or implied in the Agreement or this BAA is intended to confer, nor shall anything herein confer upon any person other than CE, Embark and their respective successors or permitted assigns, any rights, remedies, obligations or liabilities whatsoever.

10. Indemnification

Subject to the limitations defined in Section 11 (Limitation of Liability) below, each party (an “Indemnifier”) shall indemnify and hold harmless the other party (the “Indemnified”) from and against any and all fines, losses, liabilities, expenses, damages or injuries that the Indemnified sustains as a result of, or arises out of, a third party claim that: (a) the Indemnifier has violated an applicable law or regulation (including the HIPAA Regulations) in connection with this BAA, or (b) arises out of a breach of this BAA by the Indemnifier or its agents or subcontractors (including the unauthorized use or disclosure of any Protected Information).

11. Limitation of Liability

  1. DIRECT DAMAGES. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT WILL A PARTY BE LIABLE TO THE OTHER FOR INDIRECT, INCIDENTAL, CONSEQUENTIAL, PUNITIVE, SPECIAL OR EXEMPLARY DAMAGES (EVEN IF THAT PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES), ARISING IN CONNECTION WITH THIS BAA (INCLUDING SUCH DAMAGES INCURRED BY THIRD PARTIES), SUCH AS, BUT NOT LIMITED TO DATA LOSS, LOSS OF REVENUE OR ANTICIPATED PROFITS OR LOST BUSINESS , EXCEPT IN THE CASE OF , A BREACH OF SECTION 12 (CONFIDENTIALITY) OR CLAIMS BASED ON GROSS NEGLIGENCE OR WILLFUL MISCONDUCT.
  2. LIABILITY CAP. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT SHALL EITHER PARTY’S AGGREGATE LIABILITY ARISING OUT OF OR RELATED TO THIS BAA, WHETHER IN CONTRACT, TORT OR UNDER ANY OTHER THEORY OF LIABILITY, EXCEED THE LESSER OF THE TOTAL AMOUNTS ACTUALLY PAID BY CE TO US UNDER THE AGREEMENT FOR THE SERVICE THAT GAVE RISE TO THE CLAIM DURING THE 12 MONTHS PRECEDING THE INCIDENT CAUSING THE LIABILITY, OR ONE HUNDRED THOUSAND DOLLARS (US$100,000).

12. Confidential Information

  1. Confidentiality. Embark shall use the Protected Information only to exercise its rights and fulfill its obligations under this BAA or the Agreement. Embark will not disclose the Protected Information, except to its affiliates, officers, employees, directors, agents, contractors, legal counsel, financial advisors, and other similar professionals who need to know it (“Representatives”) and who have agreed to treat the Protected Information in accordance with the confidentiality provisions in this BAA. Embark will be responsible for any actions of its Representatives in violation of this Section 12. Embark may disclose the Protected Information when required by law, regulation, legal process, or court order.
  2. Exceptions. For the purposes of Section 12 (Confidentiality) only, the confidentiality obligations therein do not cover Protected Information that: (a) Embark already lawfully knew at the time of receipt from CE; (b) becomes public through no fault of Embark; (c) was independently developed by Embark without reference to the Protected Information; or (d) was rightfully and lawfully given to Embark by a third party who did not acquire that information through a breach of confidence.

13. Notices

All notices hereunder shall be in writing and shall be deemed to have been duly given if delivered personally, by overnight courier or, in the case of notices to CE, by email, addressed as follows:
To CE:                                                                        
By email to the Account’s registered email address (as may be updated by CE from time to time), and by copy, to the Account’s main contact and address as entered in the Embark Bridge system.
To Embark:
Embark EMR, LLC  7040 Creekside Lane, Indianapolis, IN  46220    attn: Legal Department
With a copy by email to info@Embark.com or to such other persons or places as Embark may from time to time designate by written notice to CE.

14. General

  1. Interpretation; Precedence. The provisions of this BAA shall prevail over any provisions in the Agreement that conflict or appear inconsistent with any provision in this BAA. This BAA and the Agreement shall be interpreted as broadly as necessary to implement and comply with HIPAA and the HITECH Act. Any ambiguity in this BAA shall be resolved in favor of a meaning that complies and is consistent with HIPAA and the HITECH Act. Except as specifically required to implement the purposes of this BAA, or to the extent inconsistent with this BAA, all other terms of the Agreement shall remain in force and effect.
  2. Entire Agreement. This BAA supersedes any and all prior and contemporaneous business associate agreements or addenda between the parties with respect to the Account and any Additional Accounts (defined below) and constitutes the final and entire agreement between the parties hereto with respect to the subject matter hereof. Each party to this BAA acknowledges that no representations, inducements, promises, or agreements, oral or otherwise, with respect to the subject matter hereof, have been made by either party, or by anyone acting on behalf of either party, which are not embodied herein. No other agreement, statement or promise, with respect to the subject matter hereof, not contained in this BAA shall be valid or binding.
  3. Regulatory References. A reference in this BAA to a section of regulations means the section as in effect or as amended, and for which compliance is required.
  4. Amendments. Embark may propose amendments to this BAA by written notice to CE (including by email to the email address associated with the Account). If CE does not object to such amendments in writing within 30 days of such notice, the amendments will become effective on the day following the end of the notice period, or such later date as may be stated in the amendments. If CE objects to such amendments in writing within the aforementioned notice period, and either a) the CE and Embark have not agreed to a revised amendment agreed to in writing by both parties, or b) Embark has not revoked the proposed amendments before the end of such period, then CE may terminate this BAA immediately, or at the end of the notice period, by written notice to Embark.
  5. Governing Law and Jurisdiction. This BAA is governed by the laws of the State of California, without regard to its conflict of law rules. Each party submits to the exclusive jurisdiction of the state courts located in Santa Clara County and the federal courts located in the Northern District of California with respect to the subject matter of this BAA.
  6. Assignment. Neither party may assign this BAA or the Agreement without the consent of the other party (such consent not to be unreasonably withheld). Notwithstanding the foregoing, Embark may assign this BAA to an affiliate or to a successor or acquirer, as the case may be, in connection with a merger, acquisition, corporate reorganization, or the sale of all or substantially all of Embark’s assets, provided that the assignee agrees to be bound by the terms of this BAA. In such case, Embark may also assign the Agreement to the third party to which the BAA was assigned.