Legal Center

February 4, 2021
Download as PDF

Business Associate Agreement

Last Updated: February 4, 2021

Last Updated: January 2021

This Business Associate Agreement (this “BAA”) is incorporated by reference into the Subscription Services Order Form (“Order Form”) entered into between Covered Entity and Solv as defined in the Order Form. This BAA, along with the Subscription Services Order Form and the Solv Provider Terms of Service, shall collectively comprise the “Agreement.” This BAA shall apply if Customer, in connection with the Services provided to Customer by Solv under the Agreement, is acting as a Covered Entity as defined herein. In such event, Solv shall be considered to be acting as a Business Associate to Customer under the Agreement. This BAA shall have the same Effective Date as the effective date of the Order Form (the “BAA Effective Date”), unless otherwise agreed to by the parties. Customer and Solv are sometimes hereinafter referred to collectively as the “Parties” and individually as a “Party.” Customer shall be referred to in this BAA as “Customer” or “Covered Entity” and Solv shall be referred to herein as “Solv” or “Business Associate.”

Recitals

WHEREAS, Covered Entity possesses Individually Identifiable Health Information that is protected under HIPAA, the Privacy Rule, the Security Rule and the HITECH Standards, and is permitted to use or disclose such information only in accordance with such laws and regulations;

WHEREAS, Business Associate may receive such information from Covered Entity or create and receive such information on behalf of Covered Entity relating to the Covered Entity’s patients in connection with the Agreement whereby Business Associate would provide services and/or products to or on behalf of Covered Entity; and

WHEREAS, Covered Entity and Business Associate wish to ensure that such information is appropriately safeguarded;

NOW THEREFORE, in consideration of the mutual promises and other consideration contained herein, the sufficiency of which is hereby acknowledged, the Parties agree as follows:

  1. Definitions.
    The Parties agree that the following terms, when used in this BAA, shall have the following meanings, provided that the terms set forth below shall be deemed to be modified to reflect any changes made to such terms from time to time as defined in the Privacy Rule, the Security Rule and the HITECH Standards. Any terms capitalized, but not otherwise defined, in this BAA shall have the same meaning as those terms have under HIPAA, the Privacy Rule, the Security Rule and the HITECH Standards.
    1. Breach” has the same meaning as provided in 45 C.F.R. § 164.402.
    2. Electronic Protected Health Information” or “Electronic PHI” means Protected Health Information that is transmitted by or maintained in electronic media as defined in the Security Rule.
    3. HIPAA” means the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191.
    4. HITECH Standards” means the privacy, security and security breach notification provisions applicable to a Business Associate under Subtitle D of the Health Information Technology for Economic and Clinical Health Act (“HITECH”), which is Title XIII of the American Recovery and Reinvestment Act of 2009 (Public Law 111-5), and any regulations promulgated thereunder.
    5. HHS” means the U.S. Department of Health and Human Services.
    6. Individually Identifiable Health Information” means information that is a subset of health information, including demographic information collected from an individual, and:
      • is created or received by a health care provider, health plan, employer or health care clearinghouse; and
      • relates to the past, present or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present or future payment for the provision of health care to an individual; and:
        • that identifies the individual; or
        • with respect to which there is a reasonable basis to believe the information can be used to identify the individual.
    7. Privacy Rule” means the regulations promulgated under HIPAA by HHS to protect the privacy of Protected Health Information, including, but not limited to, 45 C.F.R. Part 160 and 45 C.F.R. Part 164, Subpart A and Subpart E.
    8. Protected Health Information” or “PHI” means Individually Identifiable Health Information transmitted or maintained in any form or medium that (i) is received by Business Associate from Covered Entity, (ii) Business Associate creates for its own purposes from Individually Identifiable Health Information that Business Associate received from Covered Entity, or (iii) is created, received, transmitted or maintained by Business Associate on behalf of Covered Entity. Protected Health Information excludes Individually Identifiable Health Information in education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. § 1232g, records described at 20 U.S.C. § 1232g(a)(4)(B)(iv) and employment records held by the Covered Entity in its role as an employer.
    9. Security Rule” means the regulations promulgated under HIPAA by HHS to protect the security of Electronic Protected Health Information, including, but not limited to, 45 C.F.R. Part 160 and 45 C.F.R. Part 164, Subparts A and C.
    10. Security Incident” shall mean any Security Incident (as defined in 45 CFR 164.304) but shall not include incidental incidents that occur on a daily basis such as scans, “pings,” or routine unsuccessful attempts to penetrate computer networks or servers maintained or utilized by Business Associate.
    11. Unsecured Protected Health Information” shall mean protected health information that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals though the use of a technology or methodology specified by the Secretary of HHS in guidance, such as encryption with a valid process or physical destruction of documents.

  2. Status of PartiesThe Parties hereby acknowledge and agree that Covered Entity is a “Covered Entity” and that Business Associate is a “Business Associate” of Covered Entity, as such terms are defined in HIPAA and the Privacy and Security Rule.

  3. Permitted Uses and Disclosures.
    1. Performance of Services. Except as otherwise limited in this BAA or by applicable law, Business Associate may access, use and/or disclose Covered Entity’s PHI and/or ePHI in connection with the evaluation and performance of its obligations under the Agreement if such use or disclosure of PHI would not violate HIPAA, the Privacy Rule or the HITECH Standards if done by Covered Entity, or such use or disclosure is expressly permitted under Section 3 of this BAA.
    2. Minimum Necessary. With respect to the use, access, or disclosure of PHI by Business Associate as permitted under this BAA, Business Associate shall limit such use, access, or disclosure, to the extent practicable, to the minimum necessary to accomplish the intended purpose of such use, access, or disclosure. Business Associate shall determine what constitutes the minimum necessary to accomplish the intended purpose in accord with HIPAA, HIPAA Regulations and any applicable guidance issued by the Secretary of HHS.
    3. Documentation of Disclosures. With respect to any permitted disclosures of PHI by Business Associate, Business Associate shall document such disclosures including, but not limited to, the date of the disclosure, the name and, if known, the address of the recipient of the disclosure, a brief description of the PHI disclosed, and the purpose of the disclosure.
    4. Modification of PHI. Except as permitted under Section 6(b) below, Business Associate shall not modify any existing data to which it is granted access other than to correct errors,or derive new data from such existing data. Business Associate shall record any modification of data and retain such record for a period of seven (7) years.
    5. Other Permitted Uses and Disclosures of PHI. Except as otherwise limited in this BAA or by applicable law, Business Associate may use or disclose PHI (i) for the proper management and administration of Business Associate's business, (ii) to provide data aggregation services relating to the health care operations of Covered Entity, (iii) to de-identify any and all PHI obtained by Business Associate under the Agreement or this BAA, and use such de-identified data on Business Associate’s own behalf, all in accordance with the de-identification requirements of the Privacy Rule or (iv) to carry out Business Associate's legal responsibilities, subject to the limitation in Section 3(f), below. Business Associate shall obtain reasonable assurances from the person to whom the PHI is being disclosed that, as required under this BAA, the PHI will be held confidentially and used or further disclosed only as required by law or for the purpose for which it was disclosed. Business Associate shall require that any Breaches or Security Incidents be immediately reported to Business Associate. Business Associate shall then report the Breach or Security Incident to Covered Entity in accordance with Section 5(b) hereof.
    6. Nondisclosure of PHI. Business Associate is not authorized and shall not use or further disclose Covered Entity's PHI other than as permitted or required under this BAA, or as required by law or regulation.
      • Disclosures Required By Law. Business Associate shall not, without the prior written consent of Covered Entity, disclose any PHI on the basis that such disclosure is Required by Law without notifying Covered Entity so that Covered Entity shall have an opportunity to object to the disclosure and to seek appropriate relief. Business Associate shall notify Covered Entity at least five (5) days prior to making a disclosure of PHI pursuant to this subsection.
      • Legal Process. In the event Business Associate is served with legal process or request from a governmental agency that may potentially require the disclosure of PHI, Business Associate shall promptly, and in any case within two (2) business days of its receipt of such legal process or request, notify Covered Entity. Business Associate shall not disclose the PHI without Covered Entity’s consent unless pursuant to a valid and specific court order or to comply with a requirement for review of documents by a governmental regulatory agency under its statutory or regulatory authority to regulate the activities of either party.
    7. State Law Requirements. Business Associate shall comply with applicable state law confidentiality, privacy, security, document retention and breach notification requirements. To the extent that state law is more stringent than the HIPAA Regulations, any safeguard, use or disclosure of PHI or ePHI by Business Associate or its agents or subcontractors shall be made in accordance with state law.
    8. Subcontractors. Business Associate shall ensure that each subcontractor of Business Associate that creates, receives, transmits, or stores any PHI agrees to be bound in a written agreement by substantially similar restrictions and conditions that apply to Business Associate pursuant to this BAA, with respect to such PHI, and that acknowledges that the subcontractor is directly subject to the HIPAA Privacy and Security Rules to the same extent as Business Associate.
    9. Notification of Investigation or Lawsuit. Business Associate shall notify Covered Entity promptly upon receipt of notice of an investigation or of a lawsuit filed against Business Associate related to or arising from the use or disclosure of PHI by Business Associate pursuant to the Agreement.

  4. Obligations of Covered Entity.
    Covered Entity shall:
    1. Provide Business Associate with the Notice of Privacy Practices that Covered Entity produces in accordance with the Privacy Rule, and any changes or limitations to such notice under 45 C.F.R. § 164.520, to the extent that such changes or limitations may affect Business Associate's use or disclosure of PHI.
    2. Provide Business Associate with written notice of any restriction, changes in, or revocation of, permission by individuals to use or disclose PHI, to the extent that such changes affect Business Associate’s use or disclosure of PHI under this BAA. If Covered Entity notifies Business Associate that Covered Entity has agreed to be bound by additional restrictions on the uses or disclosures of PHI pursuant to HIPAA, the Privacy Rule or the HITECH Standards, Business Associate shall be bound by such additional restrictions and shall not disclose PHI in violation of such additional restrictions. Such notice shall be provided no less than five (5) days prior to the implementation of such restrictions.
    3. Comply with all provisions of HIPAA and other applicable state and federal privacy law and regulations and shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under the Privacy or Security Rules if done by Covered Entity, except as provided under Section 3 of this BAA.

  5. Safeguards, Reporting, Mitigation and Enforcement.
    1. Safeguards. Business Associate shall use appropriate administrative, physical, and technical safeguards, including, among others, policies and procedures regarding the protection of PHI and/or ePHI and the provision of training on such policies and procedures to applicable employees and agents and subcontractors that reasonably and appropriately protect the confidentiality, integrity, and availability of the PHI and/or ePHI that Business Associate accesses, uses, discloses, creates maintains or transmits on behalf of Covered Entity, and to prevent uses or disclosures of PHI not permitted by this BAA. Business Associate further agrees to use appropriate administrative, physical and technical safeguards to protect the confidentiality, integrity and availability of any Electronic PHI in accordance with the Security Rule and the HITECH Standards.
    2. Notification. Business Associate shall notify Covered Entity in writing as soon as possible, but in no event more than ten (10) business days, after Business Associate becomes aware of any Breach of or Security Incident involving Covered Entity’s PHI. Business Associate shall identify as soon as practicable each individual whose unsecured PHI has been,or is reasonably believed by Business Associate to have been, accessed, acquired, or disclosed during such Breach or Security Incident. Business Associate shall cooperate in good faith with Covered Entity in the investigation of any Breach or Security Incident.
    3. Prompt Corrective Actions. In addition to the notification requirements in Section 5(b) above, Business Associate shall take (i) prompt corrective action to remedy any Breach or Security Incident, (ii) mitigate, to the extent practicable, any harmful effect of a use or disclosure of PHI by Business Associate in violation of this BAA, and (iii) take any other action required by applicable federal and state laws and regulations pertaining to such Breach or Security Incident. In order to document compliance with this provision, Business Associate will provide written notice to Covered Entity as soon as possible but no later than thirty (30) calendar days following the initial report, that shall, at a minimum:
      1. Identify (if known) each individual whose PHI has been, or is reasonably believed by Business Associate to have been accessed, acquired, or disclosed during such Breach;
      2. Identify the nature of the non-permitted access, use or disclosure, including the date of the Breach and the date of discovery of the Breach;
      3. Identify PHI accessed, used, or disclosed as part of the Breach (e.g., full name, social security number, date of birth, etc.);
      4. Identify who made the non-permitted access, use or disclosure and who received the non-permitted disclosure;
      5. Identify what corrective action Business Associate took or will take to prevent further non-permitted uses or disclosures;
      6. Identify what Business Associate has done or will do to mitigate any deleterious effect of the non-permitted access, use or disclosure and the corrective action Business Associate has taken or shall take to prevent future similar Breaches or Security Incidents;
      7. Indicate if a law enforcement official has stated that notification would impede a criminal investigation or cause damage to national security, and if so, whether such statement was made orally or in writing and the length of time for any delay in notification warranted by such statement; and
      8. Provide such other information, including a written report, as Covered Entity may reasonably request.
    4. Duty to Cooperate. In the event of any Breach or Security Incident, Business Associate shall cooperate with Covered Entity and shall provide such assistance as Covered Entity may reasonably request so that Covered Entity or its Client may comply with any obligations either of them has to investigate, remediate, mitigate, report, and or otherwise notify third parties of such Breach. This duty shall require Business Associate, at Covered Entity’s request, to provide notices (to Persons other than Covered Entity, including individuals, HHS, and others) in accordance with the HITECH Act. Business Associate shall not give any such notice absent Covered Entity’s request.
    5. Mitigation. Business Associate shall have procedures in place to mitigate, to the maximum extent practicable, any deleterious effect from any use or disclosure of PHI in violation of this BAA or applicable law.
    6. Sanctions. Business Associate shall have and apply appropriate sanctions against any employee, subcontractor or agent who uses or discloses PHI in violation of this BAA or applicable law.
    7. Covered Entity’s Rights of Access and Inspection. From time to time, upon reasonable notice or upon a reasonable determination by Covered Entity that Business Associate has materially breached this BAA, Covered Entity may inspect Business Associate’s internal practices, processes, books and records pertaining to the use and disclosure of PHI by Business Associate in connection with the services under the Agreement. The fact that Covered Entity inspects, fails to inspect or has the right to inspect, Business Associate’ systems and procedures does not relieve Business Associate of its responsibility to comply with this BAA, nor does Covered Entity’s (i) failure to detect or (ii) detection of, but failure to notify Business Associate or require Business Associate’ remediation of, any unsatisfactory practices constitute acceptance of such practice or a waiver of Covered Entity’s enforcement or termination rights under this BAA. The Parties’ respective rights and obligations under this Section 5(g) shall survive termination of this BAA.
    8. U.S. Department of Health and Human Services. Business Associate shall make its internal practices, books and records relating to the use and disclosure of PHI, and the security of Electronic PHI, available to HHS for purposes of determining Covered Entity’s compliance with the Privacy Rule, the Security Rule and the HITECH Standards after the compliance dates, respectively, of these regulations and standards; provided, however, that Business Associate shall immediately notify Covered Entity upon receipt by Business Associate of any such request for access by the Secretary of HHS and shall provide Covered Entity with a copy thereof as well as a copy of all materials disclosed pursuant thereto. The Parties’ respective rights and obligations under this Section 5(h) shall survive termination of this BAA.
    9. Standard Transactions. To the extent Business Associate conducts Standard Transaction(s) on behalf of Covered Entity, Business Associate shall, without limitation, comply with the HIPAA Regulations, “Administrative Requirements for Transactions,” 45 C.F.R. § 162.100 et seq., and shall not: (a) Change the definition, data condition or use of a data element or segment in a standard; (b) Add any data elements or segments to the maximum defined data set; (c) Use any code or data elements that are either marked “not used” in the standard’s implementation specification or are not in the standard’s implementation specification(s); or (d) Change the meaning or intent of the standard’s implementation specifications.

  6. Obligation to Provide Access, Amendment and Accounting of PHI.
    1. Access to PHI. Business Associate shall make available to Covered Entity such information as Covered Entity may require to fulfill Covered Entity’s obligations to provide access to, and copies of, PHI in accordance with HIPAA, the Privacy Rule and the HITECH Standards.
    2. Amendment of PHI. Business Associate shall make available to Covered Entity such information as Covered Entity may require to fulfill Covered Entity’s obligations to amend PHI in accordance with HIPAA, the Privacy Rule and the HITECH Standards. In addition, Business Associate shall, as directed by Covered Entity, incorporate any amendments to Covered Entity’s PHI into copies of such information maintained by Business Associate.
    3. Accounting of Disclosures of PHI.
      1. Business Associate shall make available to Covered Entity such information as Covered Entity may require to fulfill Covered Entity’s obligations to provide an accounting of disclosures with respect to PHI in accordance with HIPAA, the Privacy Rule and the HITECH Standards.
      2. Business Associate agrees to maintain a process that allows for such accountings to be provided to Covered Entity upon request. Such accountings shall include (1) the date of disclosure, (2) the name of the entity or person who received PHI and, if known, the address of the entity or person, (3) a brief description of PHI disclosed, and (4) a brief statement of the purpose of the disclosure that reasonably informs the individual of the basis for the disclosure or a copy of the written request for disclosure.
      3. Upon termination or expiration of the Agreement, Business Associate shall provide to Covered Entity an accounting of all such disclosures made during the existence of the Agreement.
    4. Forwarding Requests from Individuals. In the event that any individual requests access to, amendment of or accounting of PHI directly from Business Associate, Business Associate shall within two (2) business days forward such request to Covered Entity. Covered Entity shall have the responsibility of responding to forwarded requests. However, if forwarding the individual’s request to Covered Entity would cause Covered Entity or Business Associate to violate HIPAA, the Privacy Rule or the HITECH Standards, Business Associate shall instead respond to the individual’s request as required by such law and notify Covered Entity of such response as soon as practicable.

  7. Material Breach, Enforcement and Termination.
    1. Term. This BAA shall be effective as of the BAA Effective Date and shall continue until the Agreement is terminated or in accordance with the provisions of this section 7.
    2. Termination. Business Associate may terminate this BAA pursuant to Section 7(c) hereof. Covered Entity may terminate this BAA:
      1. immediately if Business Associate is named as a defendant in a criminal proceeding for a violation of HIPAA, the Privacy Rule, the Security Rule or the HITECH Standards; or
      2. immediately if a finding or stipulation that Business Associate has violated any standard or requirement of HIPAA, HITECH or other security or privacy laws is made in any administrative or civil proceeding in which Business Associate has been joined.
    3. Remedies. If Business Associate determines that Covered Entity has materially breached any term of this BAA, Business Associate may pursue any or all of the following remedies:
      1. take any reasonable steps that Business Associate deems necessary to cure such breach or end such violation; and
      2. terminate this BAA immediately.

        If Covered Entity determines that Business Associate has materially breached any term of this BAA, Covered Entity may pursue any or all of the following remedies:

      3. exercise any of its rights of access and inspection under Section 5(h) of this BAA;
      4. take any reasonable steps that Covered Entity deems necessary to cure such breach or end such violation; and
      5. terminate this BAA and the Service BAA immediately.
    4. Knowledge of Non-Compliance. Any material non-compliance by Business Associate with HIPAA, the Privacy Rule, the Security Rule or the HITECH Standards will be considered a material breach of this BAA if Business Associate knew or reasonably should have known of such non­compliance and failed to take reasonable steps to cure such non-compliance.
    5. Reporting to HHS.
      1. If Covered Entity’s efforts to cure any material breach by Business Associate of this BAA are unsuccessful and if termination of this BAA is not feasible, Covered Entity may report the breach to the Secretary of HHS, and Business Associate agrees that it will not make any claims, whether at law, in equity or under this BAA, against Covered Entity with respect to such report.
      2. If Business Associate’ efforts to cure any material breach by Covered Entity of this BAA are unsuccessful and if termination of this BAA is not feasible, Business Associate may report the breach to the Secretary of HHS, and Covered Entity agrees that it will not make any claims, whether at law, in equity or under this BAA, against Business Associate with respect to such report.
    6. Effects of Termination. Upon termination of this BAA for any reason, Business Associate, with respect to PHI received from Covered Entity, or created, maintained, or received by Business Associate on behalf of Covered Entity, shall: a) retain only that PHI which is necessary for Business Associate to continue its proper management and administration or to carry out its legal responsibilities; b) return to Covered Entity or destroy (in Business Associate’s sole discretion) the remaining PHI that Business Associate still maintains in any form; c) continue to use appropriate safeguards and comply with Subpart C of 45 C.F.R. Part 164 with respect to electronic PHI to prevent use or disclosure of the PHI, other than as provided for herein, for as long as Business Associate retains the PHI; d) not use or disclose the PHI retained by Business Associate other than for the purposes for which such PHI was retained and subject to the same conditions set out herein which applied prior to termination; and e) return to Covered Entity or destroy (in Business Associate’s sole discretion) the PHI retained by Business Associate when it is no longer needed by Business Associate for its proper management and administration or to carry out its legal responsibilities. The Parties’ respective rights and obligations under this Section 7(f) shall survive termination of this BAA.
    7. Indemnification. Each Party agrees to indemnify and hold harmless the other Party, its affiliates and its respective officers, directors, employees and agents from and against loss, fines, penalties, damage, and expenses associated therewith (including, without limitation, court costs and reasonable attorneys’ fees) arising from third party claims to the extent caused by such Party’s breach of its obligations under this BAA, provided that: (i) the Party seeking indemnification (”Indemnitee”) shall promptly notify the other Party (“Indemnitor”) in writing of any claim for which such Party believes it is entitled to be indemnified pursuant to this BAA; (ii) the Indemnitee shall cooperate with the Indemnitor at the Indemnitor’s sole cost and expense; (iii) the Indemnitor shall have sole control of the defense and investigation of such claim and shall employ counsel of its choice to handle and defend the same, at the Indemnitor’s sole cost and expense. The Indemnitee may participate in the proceedings at its own cost and expense with counsel of its own choosing. The Parties’ respective rights and obligations under this Section 7(g) shall survive termination of this BAA.

  8. Miscellaneous Terms.
    1. State Law. Nothing in this BAA shall be construed to require Business Associate to use or disclose PHI without a written authorization from an individual who is a subject of the PHI, or written authorization from any other person, where such authorization would be required under state law for such use or disclosure.
    2. Assistance in Litigation or Administrative Proceedings. Each Party shall make itself, and its employees or agents assisting it in the performance of its obligations under this BAA, available to the other Party at no cost to testify as witnesses or otherwise, in the event of litigation or administrative proceedings being commenced against such Party, its directors, officers or employees based upon a claimed violation of HIPAA, the HIPAA Regulations or other laws relating to security and privacy, except where a Party or its employee or agent is a named adverse party. The Parties’ respective rights and obligations under this Section 8(b) shall survive termination of this BAA.
    3. Amendment. Covered Entity and Business Associate agree that amendment of this BAA may be required to ensure that Covered Entity and Business Associate comply with changes in state and federal laws and regulations relating to the privacy, security and confidentiality of PHI, including, but not limited to, changes under the Privacy Rule, the Security Rule and the HITECH Standards. This agreement may only be amended by written agreement between both parties.
    4. No Third-Party Beneficiaries. Nothing express or implied in this BAA is intended or shall be deemed to confer any rights, obligations, remedies or liabilities upon any person other than the Parties and their respective successors and assigns. The terms and conditions of this BAA shall inure to the benefit of and be binding upon the respective permitted successors and assigns of the Parties; provided, however, that this BAA may not be assigned by a Party without the prior written consent of the other Party, which shall not be unreasonably withheld; provided, further, that notwithstanding the foregoing, this BAA may be assigned by Solv to an affiliate or in connection with a merger, acquisition or sale of substantially all of the assets of its business, without the prior written consent of Covered Entity.
    5. Disclaimer. Each Party makes no warranty or representation that compliance by the other Party with this BAA, HIPAA, the Privacy Rule, the Security Rule and the HITECH Standards will be adequate or satisfactory for such other Party’s own purposes.
    6. Interpretation. The Parties agree that any ambiguity in this BAA shall be resolved in favor of a meaning that complies and is consistent with applicable law protecting the privacy, security and confidentiality of PHI, including, but not limited to, HIPAA, the Privacy Rule, the Security Rule and the HITECH Standards.
    7. Entire Agreement. This BAA constitutes the entire agreement between Business Associate and Covered Entity with respect to the PHI covered by this BAA and merges, integrates and supersedes all prior and contemporaneous agreements, addenda and understandings between them, whether written or oral, concerning such subject matter.
    8. Effect on Other Agreements. To the extent that any provisions of this BAA conflict with the provisions of the Agreement or any other agreement or understanding between the Parties, this BAA shall control with respect to the PHI covered by this Agreement.
    9. Survival. The Parties’ respective rights and obligations under Sections 6(h), 6(i), 7(f), 7(g) and 8(b) and others which by their nature are intended to survive the termination of this BAA shall survive termination of this Agreement. All provisions of this BAA shall survive the termination or expiration of the Agreement.
    10. Governing Law. This BAA shall be construed in accordance with the laws of the State of California.
    11. Notices. All notices required or permitted under this BAA shall be in writing and sent to the other Party as directed by such Party, from time to time, by written notice to the other. All such notices shall be deemed validly given upon receipt of such notice by certified mail, postage prepaid, facsimile transmission or personal or courier delivery to the Parties at the addresses set forth in the Order Form between the Parties.
    12. Severability. In the event that any provision of this BAA is determined to be invalid, illegal, or unenforceable by a court of competent jurisdiction, that provision shall be limited or eliminated to the minimum extent necessary so that this BAA shall otherwise remain in full force and effect and enforceable.

© 2026 Solv, all rights reserved

This site uses cookies to provide you with a great user experience. By using Solv, you accept our use of cookies.