Business Associate Agreement

Last Updated: December 15, 2023

This Business Associate Agreement (“BAA”) is incorporated into the Eve Financial Merchant Agreement (the “Agreement”) by and between the Party defined as the Business in the Agreement (“Business” and “Covered Entity”) and Eve Financial, Inc. (“Company” and “Business Associate”). Covered Entity and Business Associate may each be referred to herein individually as a “Party” and collectively as the “Parties.”

WHEREAS, Business has notified Company that Business is a “Covered Entity” under the Health Insurance Portability and Accountability Act of 1996 and associated agency regulations promulgated thereunder (together, “HIPAA”) and that in connection with the Agreement, Company may provide certain services to Business (“Services”) and in providing those Services may use, disclose, receive, create, maintain, or access Protected Health Information (“PHI”) for or on behalf of Business;

WHEREAS, if providing Services to Business that involve the use, disclosure, receipt, creation, maintenance, or access to PHI for or on behalf of Business, Company becomes Business’s “Business Associate” under HIPAA and the Health Information Technology for Economic and Clinical Health Act (Public Law 111-5) and associated agency regulations and guidance (the “HITECH Act”);

WHEREAS, in accordance with HIPAA and the HITECH Act (collectively, “Applicable Law”), the Parties agree to comply with this Business Associate Agreement with respect to PHI to which Company may have access in the performance of Services for Business.

NOW, THEREFORE, in consideration of the mutual promises contained in this BAA, and other valuable consideration, Business and Company agree as follows:

  1. Defined Terms. Unless otherwise indicated below or elsewhere in this BAA, all capitalized terms shall have the meanings provided in the Agreement or in 45 C.F.R. §§ 160.103, 164.103, and 164.501.
    1. “Privacy Rule” means 45 C.F.R. Part 160 and 45 C.F.R. Part 164, Subparts A and E, Standards for Privacy of Individually Identifiable Health Information.
    2. “PHI” means individually identifiable health information as defined in 45 C.F.R. § 160.103, limited to the information Business Associate receives from, or creates, maintains, transmits, or receives on behalf of, Covered Entity as Covered Entity’s Business Associate. PHI shall not include Cardholder Information as defined in the Agreement.
    3. “Security Rule” means 45 C.F.R. Part 164, Subpart C, Security Standards for the Protection of Electronic Protected Health Information.
  2. Modification of the Agreement. This BAA modifies and amends the Agreement, inclusive of all other prior amendments or modifications to such Agreement, and is incorporated therein. The terms and provisions of this BAA shall control to the extent they are contrary, contradictory, or inconsistent with the terms of the Agreement. Otherwise, the terms and provisions of the Agreement shall remain in full force and effect.
  3. Obligations of Business Associate.
    1. Compliance with Privacy and Security Obligations. Company agrees that the requirements of HIPAA and the HITECH Act that relate to privacy and security and that are made applicable with respect to Business Associates shall be applicable to Company.
    2. Limits on Use and Disclosure. Except as otherwise limited in this BAA, Company may only use or disclose PHI to perform functions, activities, or Services for, or on behalf of Business as specified in the Agreement, this BAA, and as permitted or required by Applicable Law. Except as otherwise limited in this BAA, Company may also:
      1. Use PHI for the proper management and administration of Company, or to carry out the legal responsibilities of Company under the laws of the United States; to de-identify such information in accordance with 45 C.F.R. § 164.514(b) for Company’s own business purposes or in connection with the Services; or to provide Data Aggregation services to Business as permitted by 45 C.F.R. 164.504(e)(2)(i)(b); and
      2. Disclose PHI for the proper management and administration of Company, provided that disclosures are required by Applicable Law, or that Company obtains reasonable assurances from the person to whom the information is disclosed that the information will remain confidential and be used or further disclosed only as required by Applicable Law or for the purpose for which it was disclosed to the person, and that the person will notify Company of any instances of which it is aware in which the confidentiality of the information may have been breached.
    3. Minimum Necessary. Any use or disclosure of PHI will be limited to the minimum necessary for the permitted purpose. Company shall comply with any guidance issued by the Secretary regarding compliance with the minimum necessary standard.
    4. Safeguards. Company will implement and maintain reasonable and appropriate administrative, physical, and technical safeguards to protect the availability, integrity, and confidentiality of PHI as permitted and/or required by HIPAA and the HITECH Act.
    5. Marketing and Sale. Notwithstanding anything in the Agreement to the contrary, Company shall not use PHI for Marketing (as defined by HIPAA) without the prior authorization of the Individual nor shall Company engage in the sale of PHI. The foregoing shall not be construed to prohibit Company from engaging in marketing activities utilizing Cardholder Data and as authorized by any agreements between Company and Cardholder.
    6. Reports of Unauthorized Access, Use, or Disclosure. Company shall report in writing to Business, without unreasonable delay, (i) any use or disclosure of PHI that is not authorized by this BAA or the Agreement including, but not limited to, Security Incidents, and (ii) any Breach of Unsecured PHI. Company shall deliver such notice no later than thirty (30) days after the date on which Company (or any member of Company’s workforce or agent of Company except the person(s) responsible for the Breach) became aware, or in the exercise of reasonable diligence should have become aware, of such unauthorized use or disclosure or Breach. Notice of any unauthorized use or disclosure or Breach shall, if known, (i) describe the event resulting in the unauthorized use or disclosure or Breach; (ii) describe the types of PHI that were involved in the unauthorized use or disclosure or Breach; and (iii) describe what the Company is doing to investigate, mitigate losses arising from, and protect against any further unauthorized use or disclosure or Breach. The Parties acknowledge and agree that this Section deems notice to have been provided for the ongoing existence or occurrence of attempted but unsuccessful Security Incidents such as unsuccessful network pings, attacks on Company’s firewall, port scans, log-on attempts, denials of service, or any combination of the above, so long as no such attempt results in unauthorized use, disclosure, or Breach of electronic PHI, for which no additional notice to Business shall be required. The reporting obligations of Company in this Section 3(e) shall not relieve Business of its obligations under Section 10(d) of the Agreement with respect to any security breach involving any Cardholder Information (as defined in the Agreement) or any other information involving Company’s customers.
    7. Mitigation Procedures. In the event of any improper use and/or disclosure of PHI by Company, Company shall work, and where practicable Business shall work cooperatively with Company, to implement reasonable procedures for mitigating the harmful effects of such improper use and/or disclosure.
    8. Access to Information. Throughout the term of this BAA, Company shall make available to Business such PHI provided to Company by or on behalf of Business for so long as such information is maintained by Company in a Designated Record Set. In the event any individual requests access to PHI directly from Company, Company shall forward such request to Business. Any denials of access to the PHI requested shall be the responsibility of Business.
    9. Availability of PHI for Amendment. Upon receipt of a request from Business for the amendment of an individual’s PHI or a record regarding an individual contained in a Designated Record Set (for so long as the PHI is maintained by Company in a Designated Record Set), Company agrees to provide such information to Business for amendment and to incorporate any such amendment as may be required by 45 C.F.R. § 164.526. In the event any individual requests an amendment to PHI directly from Company, Company shall forward such request to Business. Any review and consideration of a requested amendment shall be the responsibility of Business.
  4. Obligations of Covered Entity.
    1. Notice to Business Associate. Business will notify Company of any of the following, to the extent that they affect Company’s use or disclosure of PHI or its rights and obligations with respect to PHI: (i) any limitation in its notice of privacy practices in accordance with 45 C.F.R. § 164.520; (ii) any changes in, or revocation of, permission by an Individual to use or disclose the PHI; and (iii) any restriction on the use or disclosure of PHI that Business has agreed to in accordance with 45 C.F.R. § 164.522.
    2. Minimum Necessary. Business will make reasonable efforts to disclose to, provide to, or request from, Company only the minimum necessary PHI for Company to perform or fulfill a specific function required or permitted under the Agreement, as required by HIPAA.
    3. Mitigation. Business will take immediate steps to notify Company and to mitigate an impermissible use or disclosure of PHI whether from Company to Business or from Business to Company, including Business’s staff, employees, and agents who disclose and receive PHI to and from Company in the course and scope of their employment, such as obtaining the recipient's satisfactory assurances that the information will not be further used or disclosed (through a confidentiality agreement or similar means between Business and its staff, employees, and agents) or will be destroyed.
    4. No Violation of Law. Business will not request, direct, or cause Company to use or disclose PHI in a manner that would violate Applicable Law.
  5. Term and Termination. This BAA shall become effective as of the Effective Date of the Agreement. This BAA will automatically terminate upon the termination or expiration of the Agreement. Notwithstanding any provisions in this BAA or the Agreement to the contrary, either Party may terminate this BAA and the Agreement if it determines that the other Party has breached a material term of this BAA and has not cured such breach within thirty (30) days of receiving notice of the breach from the non-breaching Party. Upon termination of the Agreement or this BAA, Company will return or destroy the PHI, unless required otherwise by Applicable Law. If return or destruction of the PHI is not feasible, Company will extend the protections of this BAA until the PHI can be returned or destroyed, and this obligation shall survive termination of this BAA.
  6. Independent Contractors. In performing the Services herein specified, Company will be acting as an independent contractor engaged by Business to perform Services under the Agreement. Nothing contained in the Agreement or this BAA shall be construed to create a partnership or a joint venture, or to authorize Company to act as a general or special agent, except as specifically set forth in this BAA or the Agreement.
  7. HIPAA Amendment. Upon the effective date of any amendment or issuance of additional regulations to HIPAA, or any other law applicable to this BAA, the Parties agree to cooperate in amending the BAA so that the material obligations imposed on a Party or the Parties remain in compliance with such requirements, unless the cost for Company to comply with the change to HIPAA is unreasonable. If the cost to Company to comply with the change is unreasonable, the Parties shall negotiate additional fees or charges which will permit Company to comply. If the Parties cannot agree to new fees or charges, Company may terminate this BAA and any underlying agreement for which this BAA is made a part.
  8. Miscellaneous Terms.
    1. The section titles used in this BAA are provided for convenience only and are not intended to affect the interpretation of any provision.
    2. Any ambiguity in this BAA shall be resolved in favor of a meaning that permits Business and Company to comply with Applicable Law.
    3. Any and all references in this BAA to a statute or regulation mean the section as in effect or as amended.
    4. This BAA may only be amended in accordance with the amendment provision of the Agreement.
    5. Nothing in this BAA is to be construed as conferring any right, remedy, or claim on any person or entity other than the Parties and their respective successors and assigns.
    6. This BAA may only be assigned by a Party in accordance with the assignment provision of the Agreement.
    7. This BAA will be governed by the governing law set forth in the Agreement, and any action brought under this BAA will be brought in accordance with the Agreement.
    8. Any notice to be provided under this BAA will be provided in accordance with the notice provisions of the Agreement.
    9. The unenforceability of any provision in this BAA will not affect the enforceability of any other provision.
    10. All waivers shall be in accordance with the nonwaiver provision in the Agreement.
  9. Questions or Complaints. If you have any questions about this BAA, please contact us at 1-800-530-3916, send an email to support@eve.co, or write to the following address: 2701 N. Thanksgiving Way #100, Lehi, UT 84043.