VOICE MEDIA GROUP

Services Agreement

Business Associate Addendum

(Updated September 28, 2023)

This HIPAA Business Associate Addendum (“Addendum”) is effective as of the Start Date of the Services Agreement (the “Services Agreement”) to which this Addendum is attached or referenced (the “Effective Date”), and is entered into between Client and Provider (on behalf of Provider and each of its controlled affiliated companies as set forth on Appendix 1). Terms used but not defined in this Addendum shall have the meanings given such terms in the Services Agreement. Client is referred to in this Addendum as “Company” and the applicable Provider entity is referred to in this Addendum as “Business Associate.” This Addendum is incorporated into the Services Agreement and made part of the Business Arrangements (as defined below).

WHEREAS, Company and Business Associate have entered into, or are entering into, or may subsequently enter into, agreements or other arrangements (collectively, the “Business Arrangements”) pursuant to which Business Associate may provide services to Company that require Business Associate or its service providers to access, create, use, or disclose certain health information that is protected by the HIPAA Regulations (as defined below);

WHEREAS, pursuant to the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the U.S. Department of Health & Human Services promulgated the Standards for Privacy of Individually Identifiable Health Information (the “Privacy Standards”), at 45 C.F.R. Parts 160 and 164, Subparts A and E, requiring certain individuals and entities subject to the Privacy Standards (each a “Covered Entity”, or collectively, “Covered Entities”) to protect the privacy of certain Protected Health Information (“Protected Health Information”, or “PHI”), and has issued the Security Standards for the Protection of Electronic Protected Health Information (the “Security Standards”), at 45 C.F.R. Parts 160 and 164, Subparts A and C, for the protection of electronic Protected Health Information (“EPHI”), as amended by applicable provisions of the Health Information Technology for Economic and Clinical Health Act (Title XIII, Subtitle D) and its implementing regulations (the “HITECH Act”) (collectively, the “HIPAA Regulations”);

WHEREAS, in order to protect the privacy and security of PHI, including EPHI, created or maintained by or on behalf of a Covered Entity, the HIPAA Regulations require Covered Entities and their “business associates” (as defined by 45 C.F.R. § 160.103) to enter into a “business associate contract” with certain individuals and entities providing services for or on behalf of the Covered Entity if such services require the use or disclosure of PHI or EPHI; and

WHEREAS, Business Associate and Company desire to enter into this Addendum as a “business associate contract” under the HIPAA Regulations.

NOW THEREFORE, in consideration of the mutual promises set forth in this Addendum and the Business Arrangements, and other good and valuable consideration, the sufficiency and receipt of which are hereby acknowledged, the parties agree as follows:

  • 1. Business Associate Obligations.
    • 1.1 All capitalized terms not otherwise defined in this Addendum or the Services Agreement shall have the meanings set forth in the HIPAA Regulations, as applicable, and all references to PHI herein shall be construed to include EPHI. Notwithstanding the foregoing or anything to the contrary herein, this Addendum applies only to HIPAA Accounts, and any reference to PHI is limited when used in this Addendum to the PHI actually created, received, maintained or transmitted by Business Associate from or on behalf of Company through a HIPAA Account. A “HIPAA Account” shall mean any request or order for Business Associate’s services under the Business Arrangements that (a) involves processing “protected health information” as defined by 45 C.F.R. § 160.103 and (b) that Company has identified as required by Section 7.5 of this Addendum. Company acknowledges and agrees that this Addendum does not apply to any other services or orders that Company may place now or in the future that do not meet the criteria of a HIPAA Account or to any of Company’s information that does not constitute PHI as set forth in this Section 1.1. Certain services or functionality of services under the Business Arrangements may not be available to HIPAA Accounts, and Business Associate is not obligated to provide such services or functionality to a HIPAA Account.
    • 1.2 Business Associate agrees not to use or disclose PHI other than as permitted or required by this Addendum or as required by law. To the extent Business Associate is to carry out Company’s obligations under the Privacy Standards, comply with the requirements of the Privacy Standards that apply to Company in the performance of such obligations.
    • 1.3 Business Associate shall use appropriate safeguards, and comply, where applicable, with the Security Standards with respect to EPHI, to prevent the use or disclosure of PHI other than as provided for by this Addendum. Business Associate agrees to report to Company any use or disclosure of PHI not provided for by this Addendum of which it becomes aware, including any Breach of Unsecured PHI as required at 45 CFR § 164.410. Business Associate agrees to promptly report to Company any Security Incident of which it becomes aware; provided, however, that to avoid unnecessary burden on either party, this Section constitutes notice by Business Associate to Company of, and no further notice shall be provided for, “pings” and other broadcast attacks on Business Associate’s firewall, port scans, unsuccessful log-on attempts, denials of service, and any combination of the foregoing, so long as such incident does not result in unauthorized access, use, or disclosure of EPHI.
    • 1.4 If Business Associate discovers that a Breach of Unsecured PHI of Company has occurred, in accordance with 45 C.F.R. § 164.410, Business Associate shall, to the extent possible, notify Company of the identification of each individual whose Unsecured PHI has been or is reasonably believed to have been accessed, acquired, used, or disclosed by the Breach, along with any other information that the HIPAA Regulations require to be included in notification to the individual, if available.
  • 2. Use and Disclosure of PHI. Business Associate may use or disclose PHI to perform functions, activities, or services for, or on behalf of Company, pursuant to the Business Arrangements or as otherwise requested by Company, and as required by law. Business Associate may de-identify any and all PHI provided that the de-identification conforms to the requirements of the Privacy Standards. Business Associate agrees not to use or disclose PHI in a manner that would violate the requirements of the HIPAA Regulations if the PHI were used or disclosed by Company in the same manner, except for the specific uses and disclosures set forth below:
    • 2.1 Business Associate may use PHI for the proper management and administration of the Business Associate or to carry out its legal and ethical responsibilities. Business Associate may also use or disclose PHI to report violations of law to appropriate federal and state authorities, consistent with 45 C.F.R. § 164.502(j)(1).
    • 2.2 Business Associate may disclose PHI for the proper management and administration of the Business Associate or to carry out its legal and ethical responsibilities, provided that (i) such disclosures are required by law, or (ii) Business Associate (a) obtains reasonable assurances from any third party to whom the information is disclosed that it will be held confidentially and used or further disclosed only as required by law or for the purpose for which it was disclosed to the third party, and (b) requires the third party to agree to notify Business Associate of any instances of which it is aware in which the confidentiality of the PHI has been Breached.
    • 2.3 Business Associate may use PHI to provide Data Aggregation services relating to the Health Care Operations of Company.
  • 3. Subcontractors. Business Associate may disclose PHI to subcontractors as necessary to provide the services contemplated by the Business Arrangements or as otherwise requested by Company. If any subcontractors create, receive, maintain or transmit PHI on behalf of Business Associate, Business Associate shall, in accordance with 45 CFR §§164.502(e)(1)(ii) and 164.308(b)(2), require such subcontractors to agree in writing to the same or substantially similar restrictions and conditions that apply to the Business Associate under this Addendum with respect to such PHI.
  • 4. Individual Rights Regarding Designated Record Sets. If Business Associate maintains a Designated Record Set on behalf of Company, Business Associate shall (i) make available PHI to Company or, as directed by Company, an individual who is the subject of the PHI, under conditions and limitations required under 45 CFR §164.524, and (ii) make available PHI for amendment and incorporate any amendments to PHI maintained by Business Associate as requested by Company in accordance with 45 CFR §164.526.
  • 5. Accounting of Disclosures. Business Associate shall make available to Company in response to a request from an individual, information required for an accounting of disclosures of PHI with respect to the individual, in accordance with 45 CFR §164.528.
  • 6. Records. Business Associate shall make available to the Secretary, its internal practices, books, and records relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of, Company for the purpose of determining Company’s compliance with the HIPAA Regulations. This Section shall not be deemed a waiver of any privilege, including the attorney-client and/or work-product privileges, applicable to any such information.
  • 7. Obligations of Company.
    • 7.1 Company shall not request or cause Business Associate to use or disclose PHI in any manner that would violate this Addendum or the HIPAA Regulations. Company shall ensure that no restrictions on processing are agreed to, nor will any applicable notices of privacy practices include any restrictions on processing of PHI, that would cause Business Associate to violate this Addendum or applicable law.
    • 7.2 Company shall notify Business Associate within three (3) business days of any limitation(s) in its notice of privacy practices under 45 C.F.R. § 164.520, to the extent that such limitation may affect Business Associate’s use or disclosure of PHI.
    • 7.3 Company shall ensure that it obtains an Individual’s authorization, consent, or other permission or the authorization, consent, or other permission of Individual’s personal representatives, to the extent required under the Privacy Standards or applicable law and in the form required by the Privacy Standards or applicable law, for Business Associate’s uses and disclosures of PHI contemplated by this Addendum and the Business Arrangements, and shall inform Business Associate within three (3) business days of any changes in, or withdrawal of, such written authorization provided to Company by Individuals or their personal representatives, including without limitation revocations of authorizations pursuant to 45 C.F.R. § 164.508, that may affect Business Associate’s use or disclosure of PHI.
    • 7.4 Company shall notify Business Associate in writing within three (3) business days of any arrangements of Company that may impact the use or disclosure of PHI by Business Associate under this Addendum or the Business Arrangements, including without limitation any restrictions on the use or disclosure of PHI agreed to by Company or that Company is required to abide by under 45 C.F.R. § 164.522.
    • 7.5 Company shall notify Business Associate in writing and in advance of each services order that involves processing “protected health information” as defined in 45 C.F.R. § 160.103. Company shall not disclose any “protected health information” as defined in 45 C.F.R. § 160.103 to Business Associate except in connection with a HIPAA Account.
  • 8. Term and Termination.
    • 8.1 This Addendum shall commence on the Effective Date and shall remain in effect until the termination of the Business Arrangements, unless sooner terminated in accordance with the terms of this Section 8.
    • 8.2 Either party may terminate this Addendum by providing thirty (30) days’ written notice to the other party if it determines that the other party has violated a material term of this Addendum and the other party has not cured the breach or ended the violation within the thirty (30) day period. Company acknowledges and agrees that if Company terminates this Addendum, Business Associate may cease providing some or all of the services under the Business Arrangements without liability or penalty if such services involve the use or disclosure of “protected health information” as defined in 45 C.F.R. § 160.103, as determined by Business Associate in its sole discretion.
    • 8.3 Upon termination of this Addendum for any reason, Business Associate shall, with respect to PHI received from Company, or created, maintained, or received by Business Associate on behalf of Company:
      • (i) Retain only that PHI which is necessary for Business Associate to continue its proper management and administration or to carry out its legal responsibilities.
      • (ii) Destroy the remaining PHI that is in the possession or control of Business Associate; provided, however, that in the case of PHI for which it is not feasible to destroy, Business Associate shall extend the protections of this Addendum to such PHI and limit further uses and disclosures of such PHI to those purposes that make the destruction infeasible, for so long as Business Associate maintains such PHI. The parties acknowledge and agree that Business Associate may archive customer information on its back-up systems, and therefore it is likely that any destruction of such PHI is not feasible. The obligations under this Section 8.3 shall survive termination of this Addendum and shall continue as long as Business Associate maintains such PHI.
  • 9. Effect of Addendum; Conflicts; Amendments. This Addendum is incorporated into and made a part of the Business Arrangements and a party’s obligations, rights, and remedies under this Addendum shall be subject to the terms, conditions, limitations, and exclusions of the Business Arrangements. Except as expressly amended by this Addendum, the Business Arrangements shall remain in full force and effect. In the event of any conflict between the terms of this Addendum and the terms of the Business Arrangements, the terms of this Addendum shall control solely with respect to the use or disclosure of PHI. All modifications to this Addendum, shall require an amendment, and no amendment to this Addendum shall be effective unless it is in writing and executed by both parties.
  • 10. No Third Party Beneficiary. The terms and provisions of this Addendum are intended solely for the benefit of the parties hereto and their respective permitted successors or assigns, and it is not the intention of the parties to confer third-party beneficiary rights upon any other person or entity.
  • 11. Modifications to Comply with Standards. In the event that additional regulations are promulgated under the HIPAA Regulations, or any existing HIPAA Regulations are amended, and a party determines in good faith that any such regulation adopted or amended after the execution of this Addendum shall cause any paragraph or provision of this Addendum to be invalid, void, or in any manner unlawful or subject either party to penalty, then the parties agree to negotiate in good faith to modify and amend this Addendum as reasonably necessary to address such risk, but in the event that the parties are unable to reach an agreement on such modification, either party will have the right to terminate this Addendum upon thirty (30) days’ prior written notice to the other party. A reference in this Addendum to a section in the HIPAA Regulations means the section as in effect or as amended, supplemented, or replaced from time to time.

APPENDIX 1
Controlled Affiliated Companies
Voice Media Group, LLC
V Digital Services, LLC
New Times Media, LLC
Dallas Observer, LP
Denver Westword, LLC
Miami New Times, LLC
Phoenix New Times, LLC
VMG Advertising, LLC