Business Associate Addendum

Last Updated: October 10, 2023


This Business Associate Addendum (“Addendum”) is entered into as of Effective Date and supplements the terms of the Agreement that requires Business Associate to perform a service, function or activity that may involve the use or disclosure of Protected Health Information, by and between Customer (hereinafter “Covered Entity”) and Augmedix Operating Corp. f/k/a Augmedix, Inc. (hereinafter “Business Associate”).  The purpose of this Addendum is to set forth the obligations of the Parties with respect to such Protected Health Information in accordance with applicable federal law.

The Parties hereby agree as follows:

1. Definitions

Capitalized terms used in this Addendum, but not defined herein, shall have the same meaning as those terms in HIPAA. In addition, the following definitions apply:

1.1           HIPAA.  “HIPAA” means the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations and HITECH, as each is amended from time to time (collectively, “HIPAA”).

1.2           HITECH. “HITECH” means Subtitle D of the Health Information Technology for Economic and Clinical Health Act provisions of the American Recovery and Reinvestment Act of 2009, 42 U.S.C. §§17921-17954, and its implementing regulations.  Reference in this Addendum to any section of HITECH shall be deemed a reference to that provision, as interpreted and/or limited by its implementing regulations, and its existing and future implementing regulations, when and as each is effective.

1.3           Privacy Rule. “Privacy Rule” means the federal privacy regulations issued pursuant to HIPAA, as amended from time to time.

1.4           Protected Health Information. “Protected Health Information” or “PHI” means protected health information as defined in 45 C.F.R. 160.103 that Business Associate creates, receives, Uses, maintains, transmits, or Discloses from or on behalf of Covered Entity pursuant to the Agreement.

1.5           Security Rule. “Security Rule” means the federal security regulations issued pursuant to HIPAA, as amended from time to time.

2. Obligations and Activities of Business Associate

Business Associate agrees to:

2.1           not Use or Disclose PHI other than as permitted or required by this Addendum or as Required by Law;

2.2           use appropriate safeguards, and comply with the Security Rule with respect to electronic PHI, to prevent Use or Disclosure of PHI other than as provided for by this Addendum;

2.3           report without unreasonable delay to Covered Entity: (i) any Use and/or Disclosure of PHI of which it becomes aware that is not permitted by this Addendum; and/or (ii) any Security Incident of which Business Associate becomes aware;

2.4           without unreasonable delay and in no case later than sixty (60) calendar days after discovery, Business Associate shall notify Covered Entity of a Breach of any Unsecured Protected Health Information, all in accordance with 45 C.F.R. § 164.410. Notwithstanding the preceding, the parties stipulate and agree that this paragraph constitutes notice by Business Associate to Covered Entity with respect to any Unsuccessful Security Incident, which is defined for purposes of this BAA as any Security Incident that does not result in unauthorized access, use, disclosure, modification or destruction of Electronic PHI of Covered Entity or interference with system operations adversely affecting the ability of Business Associate to maintain, process or safeguard electronic protected health information of Covered Entity. By way of example, such Unsuccessful Security Incidents may include: (i) pings on the firewall of Business Associate; (ii) port scans; (iii) attempts to log on to a system or enter a database with an invalid password or username; (iv) denial-of-service attacks that do not result in a server being taken off-line; or (v) malware (worms, viruses, etc.). The parties further stipulate and agree that with respect to any such Unsuccessful Security Incident, no further or more detailed report to Covered Entity is needed or required under this BAA;

2.5       take reasonable measures to mitigate, to the extent practicable, any harmful effect known to Business Associate of any use or disclosure of PHI by Business Associate or its agents or subcontractors in violation of the requirements of this BAA;

2.6       in accordance with 45 C.F.R. 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of Business Associate agree to equivalent restrictions, conditions, and requirements that apply to Business Associate with respect to such information, including to the extent that Business Associate provides electronic PHI to a subcontractor, it shall require the subcontractor in writing to, where applicable, comply with the Security Rule with respect to that electronic PHI;

2.7           in the event that Business Associate in connection with the Services uses or maintains a Designated Record Set of information of or about an Individual on behalf of Covered Entity, within thirty (30) days of a written request from Covered Entity, Business Associate will make that information available to the Covered Entity in accordance with 45 C.F.R. 164.524;

2.8           in the event that Business Associate in connection with the Services uses or maintains a Designated Record Set of information of or about an Individual on behalf of Covered Entity, within thirty (30) days of a written request from Covered Entity, Business Associate will make any amendment(s) to PHI in a Designated Record Set as directed by Covered Entity pursuant to 45 C.F.R. 164.526;

2.9           within thirty (30) days of a written request from Covered Entity, make available to the Covered Entity the information required to provide an accounting of Disclosures as provided in 45 C.F.R. 164.528, and, in accordance with 42 U.S.C. § 17935(c), and when directed by Covered Entity, make such an accounting directly to the Individual;

2.10        to the extent that Business Associate agrees in writing to carry out any of Covered Entity’s obligations under the Privacy Rule, comply with any applicable requirements of the Privacy Rule in the performance of such obligations;

2.11       request, Use and Disclose only the minimum amount of PHI necessary to accomplish the purpose of that request, Use or Disclosure, provided, that Business Associate shall comply with 42 U.S.C. § 17935(b);

2.12       make its internal practices, books, and records relating to the Use and Disclosure of PHI available to the Secretary for purposes of determining Covered Entity’s compliance with HIPAA;

2.13       not directly or indirectly receive remuneration in exchange for any PHI as prohibited by 45 C.F.R. § 164.502(a)(5)(ii); and

2.14       not make or cause to be made communication about a product or service that is prohibited by 45 C.F.R. §§ 164.501 and 164.508(a)(3).

3. Obligations of Covered Entity

Covered Entity agrees to:

3.1           use appropriate safeguards to maintain and ensure the confidentiality, privacy and security of PHI transmitted to Business Associate pursuant to this Addendum and the Agreement, in accordance with the standards and requirements of HIPAA, the Privacy Rule and Security Rule, until such PHI is received by Business Associate;

3.2           promptly notify Business Associate, in writing, of any limitations in its Notice of Privacy Practices in accordance with 45 C.F.R. §164.520, to the extent that such limitation may affect Business Associate’s Use or Disclosure of PHI;

3.3           promptly notify and provide Business Associate with any changes in, revocations of, or restrictions to any permission or authorizations by an Individual to Use or Disclose his or her PHI, if such changes affect Contractor’s permitted or required Uses or Disclosures;

3.4           make reasonable efforts to Use, Disclose and request of Business Associate, only the minimum amount of PHI reasonably necessary to accomplish the intended purpose of the Use, Disclosure or request; and

3.5           obtain from individuals any applicable consents, authorizations and other permissions necessary or required by law for Covered Entity and Business Associate to fulfill their obligations under this Addendum.

4. Permitted Uses and Disclosures by Business Associate

Except as otherwise limited herein, Business Associate:

4.1           may Use or Disclose PHI as specified in this Addendum and as necessary to perform the Services pursuant to the Agreement;

4.2           may de-identify PHI in accordance with 45 C.F.R. 164.514(a)-(c) and may provide data aggregation services relating to the health care operations of the Covered Entity;

4.3           may Use PHI for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate; and

4.4           may Disclose PHI for the proper management and administration of Business Associate or to carry out the legal responsibilities of the Business Associate, provided the Disclosures are Required by Law, or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that the information will remain confidential and used or further disclosed only as Required by Law or for the purposes for which it was Disclosed to the person, and the person will notify Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.

5. Term and Termination

5.1           Term. The term of this Addendum shall be effective as of the Effective Date, and shall continue until the Addendum is terminated in accordance with this Addendum or the Agreement.

5.2           Termination for Cause. Either party may terminate this Addendum if the other party breaches a material term of this Addendum and fails to cure such breach after thirty (30) days’ notice of such breach.

5.3           Termination without Cause.  Either party may terminate this Addendum in accordance with the terms of the Agreement.

5.4           Obligations of Business Associate Upon Termination. Upon termination of this Addendum for any reason, Business Associate shall return to Covered Entity or, if agreed to by Covered Entity, destroy all PHI that the Business Associate still maintains in any form, except that Business Associate may retain PHI if its return or destruction is infeasible.  If Business Associate retains PHI after the termination or expiration of this Addendum, Business Associate shall extend any and all protections, limitations and restrictions contained in this Addendum to Business Associate’s Use and/or Disclosure of any PHI that is retained, and shall further Use and/or Disclose such PHI solely for the purposes that make return or destruction of the PHI infeasible.  The obligations of Business Associate under this Section 5.4 shall survive the termination of this Addendum.

6. Miscellaneous

6.1           Regulatory References. A reference in this Addendum to a section in HIPAA means the section as in effect or as amended and any implementing regulations thereof.

6.2           Interpretation. Any ambiguity in this Addendum shall be interpreted to permit compliance with HIPAA.

6.3           No Third Party Beneficiaries. Nothing express or implied in this Addendum is intended or shall be deemed to confer upon any person other than Covered Entity, Business Associate, and their respective successors and assigns, any rights, obligations, remedies or liabilities.

6.4           Primacy. To the extent that any provisions of this Addendum conflict with the provisions of the Agreement, this Addendum shall control with respect to Business Associate’s duties as a business associate of Covered Entity pursuant to the Agreement.

6.5           Superseding Agreement.  This Addendum supersedes any and all previous business associate agreements between the parties.