This Business Associate Agreement is entered into by and between
(Business Associate) as of the "Effective Date"
; of this agreement posted.
This Business Associate Agreement (the “Agreement”) shall apply to the extent that the Mediprocity Customer signee is a “Covered Entity” or "HIPAA Business Associate," as defined below. Execution of the Agreement does not automatically qualify either party as a “Covered Entity” or “HIPAA Business Associate” under law or regulation unless that party is considered a “Covered Entity” or “HIPAA Business Associate” under the applicable laws or regulations. This Agreement defines the rights and responsibilities of each of us with respect to Protected Health Information as defined in the Health Insurance Portability and Account ability Act of 1996, the Health Information Technology for Economic and Clinical Health (HITECH) provisions of the American Recovery and Reinvestment Act of 2009, the Omnibus Final Rule (as applied to 45 CFR Parts 160 and 164) and the regulations promulgated thereunder, as each may be amended from time to time (collectively, “HIPAA”). This Agreement shall be applicable only in the event and to the extent Mediprocity meets, with respect to you, the definition of a HIPAA Business Associate set forth at 45 C.F.R. Section §160.103, or applicable successor provisions.
Terms used, but not otherwise defined, in this Agreement shall have the same meaning as those terms in the HIPAA Privacy Rule.
. “Agreement” shall mean the Description of Services Ordered, the Mediprocity Agreement, any Mediprocity Addendum to the End User Licenses and HIPAA Statement (including this Agreement), and the Mediprocity Terms & Conditions Policy, collectively.
b. Business Associate
. “Business Associate” shall generally have the same meaning as the term “business associate” at 45 CFR 160.103, and in reference to the party to this agreement, shall mean Mediprocity, Incorporated (“Mediprocity”).
c. HIPAA Business Associate
. “HIPAA Business Associate” shall mean an organization that has a HIPAA Business Associate Agreement with one or more “Covered Entities” or other "HIPAA Business Associates".
d. Covered Entity
. “Covered Entity” shall generally have the same meaning as the term “covered entity” at 45 CFR 160.103.
e. HIPAA Customer
. “HIPAA Customer” shall mean a client of Mediprocity that is either (1) a Covered Entity, or (2) a HIPAA Business Associate, who has signed Mediprocity's Business Associate Agreement.
“CFR” shall mean the Code of Federal Regulations.
. “Disclosure” of PHI means “the release, transfer, provision of, access to, or divulging in any other manner, of PHI outside the entity holding the information,” as per 45 CFR 160.103.
h. Electronic Protected Health Information
. “Electronic Protected Health Information” (ePHI) shall have the same meaning as the term “electronic protected health information” in 45 CFR 160.103, limited to the information created or received by Business Associate from or on behalf of HIPAA
. “Individual” shall have the same meaning as the term “individual” in 45 CFR 160.103 and shall include a person who qualifies as a personal representative in accordance with 45 CFR 164.502(g).
j. Privacy Rule
. “Privacy Rule” shall mean the Standards for Privacy of Individually Identifiable Health Information at 45 CFR Part 160 and Part 164, Subparts A and E.
k. Protected Health Information
. “Protected Health Information” (PHI) shall have the same meaning as the term “protected health information” in 45 CFR 160.103, limited to the information created or received by Business Associate from or on behalf of HIPAA Customer.
l. Required by Law
. “Required by Law” shall have the same meaning as the term “required by law” in 45 CFR 164.103.
. “Secretary” shall mean the Secretary of the Department of Health and Human Services or his designee.
n. Security Rule
. “Security Rule” shall mean those requirements of the 45 CFR Part 164.308, 164.310, 164.312, 164.314, and 164.316.
. “Use” of PHI shall mean “the sharing, employment, application, utilization, examination, or analysis of such information within an entity that maintains such information,” as per 45 CFR 160.103.
p. HIPAA Rules
. “HIPAA Rules” shall mean the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Part 160 and Part 164.
shall have the meaning given to such term in 45 C.F.R. § 164.402 and applicable State data breach notification law.
r. Breach Notification Rule
shall mean the rule related to breach notification for Unsecured Protected Health Information at 45 C.F.R. Parts 160 and 164.
s. “Designated Record Set”
shall have the meaning given to such term under the Privacy Rule at 45 C.F.R. § 164.501
t. "Electronic Protected Health Information"
or ("EPHI") shall have the same meaning given to such term under the Security Rule, including, but not limited to, 45 C.F.R. § 160.103.
u. “Privacy Rule”
shall mean the Standards for Privacy of Individually Identifiable Health Information, codified at 45 C.F.R. Parts 160 and Part 164, Subparts A and E.
v. “Protected Health Information”
or “PHI” shall have the meaning given to such term under the Privacy and Security Rules at 45 C.F.R. § 160.103, limited to the information created or received by Business Associate from or on behalf of Covered Entity.
w. “Security Rule”
shall mean the Security Standards for the Protection of Electronic Protected Health Information, codified at 45 C.F.R. § 164 Subparts A and C.
Other terms used, but not otherwise defined, in this BAA shall have the same meaning as those terms in the Privacy, Security or Breach Notification Rules.
What is considered ePHI by Business Associate
There are many kinds of data that HIPAA Customer may store in or pass through Business Associate’s services. As Business Associate cannot know specifically which information is ePHI and which is not, though Business Associate is required to ensure the security and privacy of all HIPAA Customer’s ePHI as per the Security and Privacy Rules, Business Associate uses a blanket definition to consider certain classes of data to be “ePHI” so it can ensure the security and privacy of actual ePHI in a straight forward and consistent manner.
Data will not be considered ePHI if:
- It is not created or received by Business Associate from or on behalf of HIPAA Customer
- It is created or received by Business Associate from or on behalf of a free trial account
- The HIPAA Customer adds information into their user profile or organization profile.
Business Associate otherwise will treat the following classes of data as “ePHI” for the purposes of ensuring the security and privacy of that data as per the Security and Privacy Rules:
Sent & Received Message. The content of all sent messages is fully encrypted.
i. The subject, sender address, recipient addresses, and other message content is considered ePHI, and is fully encrypted on Mediprocity.
ii. Sent Email, Push and SMS notifications include only usernames and a link sent by HIPAA Customer to other HIPAA Customers and no ePHI is included.
iii. Camera functionality on the native apps do not allow any storage of ePHI on local device and are fully encrypted.
iv. Camera functionality on a web enabled browser could allow for saving of data locally and a warning is present to the user.
v. Notices to pick up secure messages are not themselves considered ePHI.
vi. All technology should be used following Mediprocity’s Terms & Conditions in order to remain in compliance.
is a “HIPAA Customer” as defined under the Health Insurance Portability and Accountability Act of 1996 (Pub. L. No. 104-191) and its implementing regulations (collectively, “HIPAA”), as amended by the regulations promulgated pursuant to the Health Information Technology for Economic and Clinical Health (“HITECH”) Act (Division A, Title XIII and Division B, Title IV of Public L. 111–5) (which was part of the American Recovery and Reinvestment Act of 2009), and Mediprocity is a “Business Associate” as defined under HIPAA Omnibus Rule; and
B. WHEREAS, in connection with the [Secure Messaging] agreement between Covered Entity and Business Associate for Business Associate to provide a [Secure Messaging Platform] for and on behalf of HIPAA Customer (the “Agreement”), HIPAA Customer may provide Business Associate with Protected Health Information (defined below); and
C. WHEREAS, HIPAA Customer and Business Associate intend to protect the privacy and provide for the security of ePHI disclosed to Business Associate pursuant to this BAA, which is drafted to satisfy specific components of HIPAA and relevant implementing regulations, including the Privacy Rule (defined below), the Security Rule (defined below) and the Breach Notification Rule (defined below).
NOW, THEREFORE, In consideration of the mutual promises below and the exchange of information pursuant to this BAA, the parties agree as follows:
2. PRIVACY RULE PERMITTED USES AND DISCLOSURES OF BUSINESS ASSOCIATE
a. Permitted Uses and Disclosures of PHI.
Except as provided in Paragraphs (b), (c), and (d), below, Business Associate may only use or disclose PHI to perform functions, activities or services for, or on behalf of Covered Entity, as specified in the Agreement.
b. Use for Management and Administration
. Except as otherwise limited in this BAA, Business Associate may, consistent with 45 C.F.R. 164.504(e)(4), use PHI if necessary (i) for the proper management and administration of Business Associate, or (ii) to carry out the legal responsibilities of Business Associate.
c. Disclosure for Management and Administration
. Except as otherwise limited in this BAA, Business Associate may, consistent with 45 C.F.R. 164.504(e)(4), disclose PHI for the proper management and administration of Business Associate, provided (i) the disclosure is Required by Law, or (ii) Business Associate obtains reasonable assurances from the person to whom the PHI is disclosed (“Person”) that it will be held confidentially and will be used or further disclosed only as Required by Law or for the purpose for which it was disclosed to the Person, and that the Person agrees to immediately notify Business Associate in writing of any instances of which it becomes aware in which the confidentiality of the information has been breached or is suspected to have been breached.
d. Reporting Violations
. Business Associate may use PHI to report violations of law to appropriate Federal and State authorities, consistent with 45 C.F.R. § 164.502(j)(1). Business Associate agrees to report to HIPAA Customer any Use or Disclosure of PHI not provided for by this Agreement of which it becomes aware, including breaches of unsecured protected health information as required at 45 CFR 164.410. Such notice will be made within 14 days of the discovery of the breach.
3. PRIVACY RULE OBLIGATIONS AND ACTIVITIES OF BUSINESS ASSOCIATE
a. Limitations on Disclosure
. Business Associate shall not use or disclose PHI other than as permitted or required by this BAA, the Agreement, or as Required by Law. Business Associate shall not use or disclose PHI in a manner that would violate the Privacy Rule if done by HIPAA Customer,
unless expressly permitted to do so pursuant to the Privacy Rule, the Agreement, and this BAA.
Business Associate agrees to not Use or Disclose PHI other than as permitted or required by this Agreement or as permitted or required by law. In particular, Business Associate has obligations under the HIPAA HITECH Act and agrees to abide by those requirements.
Business Associate provides many mechanisms by which HIPAA Customer can safeguard ePHI, which, when properly utilized by HIPAA Customer, will ensure compliance with the provisions of the Privacy Rule and the Security Rule. As the use of Business Associate’s services with respect to ePHI varies significantly from one HIPAA Customer to another, Business Associate by default does not control 3rd party software used on mobile devices or browsers used to access Mediprocity.
Business Associate will, upon request, advise the HIPAA Customer as to the most appropriate measures it should take with regards to Business Associate’s services in order to ensure compliance with the Privacy Rule and the Security Rule, and will assist HIPAA Customer in taking those measures. However, it is the sole responsibility of HIPAA Customer to choose and utilize those optional security measures that it deems appropriate for its business practices with respect to Business Associate and to utilize those services properly.
b. Appropriate Safeguards.
Business Associate shall use appropriate safeguards to prevent the use or disclosure of PHI other than as permitted by the Agreement, this BAA, or as Required by Law.
c. Obligations on Behalf of HIPAA Customer.
To the extent Business Associate carries out an obligation for which HIPAA Customer is responsible under the Privacy Rule, Business Associate must comply with the requirements of the Privacy Rule that apply to HIPAA Customer in the performance
of such obligation.
. Business Associate shall mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of the requirements of HIPAA, the Agreement, or this BAA.
e. Reporting of Improper Use or Disclosure
. Business Associate shall report to HIPAA Customer in writing any use or disclosure of PHI not permitted by the BAA within five (5) days of becoming aware of such use or disclosure.
f. Business Associate’s Subcontractors
. Business Associate shall ensure, consistent with 45 C.F.R. § 164.502(e)(1)(ii), that any Subcontractor that creates, receives, maintains, or transmits PHI on behalf of Business Associate agrees in writing to the same restrictions and conditions that apply
through this BAA to Business Associate with respect to such PHI.
g. Access to PHI
. Business Associate shall provide access, at the request of HIPAA Customer, and in the time and manner reasonably designated by HIPAA Customer, to PHI in a Designated Record Set, to HIPAA Customer or, as directed by HIPAA Customer, to an Individual or a third party
designated by the Individual, in order to meet the requirements under the Privacy Rule at 45 C.F.R. § 164.524.
h. Amendment of PHI.
Business Associate shall make any PHI contained in a Designated Record Set available to HIPAA Customer (or an Individual as directed by Covered Entity) for purposes of amendment per 45 C.F.R. § 164.526. Business Associate shall make any amendment(s) to PHI in a
Designated Record Set that HIPAA Customer directs or agrees to pursuant to the Privacy Rule, at the request of HIPAA Customer, and in the time and manner reasonably designated by HIPAA Customer. If an Individual requests an amendment of PHI directly from Business Associate or its
Subcontractors, Business Associate shall notify HIPAA Customer in writing within Seven (7) days of receiving such request. Any denial of amendment of PHI maintained by Business Associate or its Subcontractors shall be the responsibility of Covered Entity.
i. Accounting of Disclosures.
Business Associate shall provide to HIPAA Customer in the time and manner designated by HIPAA Customer, information collected in accordance with Section 3(i) of this BAA, to permit Covered Entity to respond to a request by an Individual for an accounting of
disclosures of PHI in accordance with 45 C.F.R. § 164.528. In the event that the request for an accounting is delivered directly to Business Associate or its Subcontractors, Business Associate shall provide a copy of such request to Covered Entity, in writing, within Seven (7) days of Business
Associate’s receipt of such request.
j. Documentation of Disclosures. Business Associate shall document disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528.
At a minimum, such information shall include: (i) the date of disclosure; (ii) the name of the entity or person who received PHI and, if known, the address of the entity or person; (iii) a brief description of the PHI disclosed; and (iv) a brief statement of the purpose of the disclosure that reasonably
informs the Individual of the basis for the disclosure, or a copy of the Individual’s authorization, or a copy of the written request for disclosure.
k. Retention of PHI.
Notwithstanding Section 6(c) of this BAA, Business Associate and its Subcontractors shall retain all PHI throughout the term of the Agreement and shall continue to maintain the information required under Section 3(i) this BAA for a period of six (6) years after termination of
l. Governmental Access to Records.
Business Associate shall make its internal practices, books and records, including policies and procedures and PHI, relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of Covered Entity available
to the Secretary and HIPAA Customer for purposes of determining HIPAA Customer’s compliance with the Privacy Rule as applicable.
m. Minimum Necessary
. Business Associate shall only request, use and disclose the Minimum Necessary amount of PHI necessary to accomplish the purpose of the request, use or disclosure.
n. Red Flags Rule Compliance.
To the extent that (i) HIPAA Customer is subject to compliance with the identity theft regulations of the Federal Trade Commission, 16 C.F.R. § 681.2 ("Red Flags Rule"), and (ii) HIPAA Customer provides Business Associate, pursuant to the terms of the
Agreement, with patient information subject to the requirements of the Red Flags Rule, Business Associate shall (1) have and follow policies to detect and prevent identity theft in accordance with the Red Flags Rule; (2) immediately report to HIPAA Customer any pattern, practice, or specific
activity that indicates the possible existence of identity theft (“Red Flags”) involving any individual about whom HIPAA Customer has provided information to Business Associate pursuant to the terms of the Agreement; and (3) take appropriate steps to assist HIPAA Customer in preventing or
mitigating identity theft when a Red Flag is detected.
4. SECURITY RULE OBLIGATIONS OF BUSINESS ASSOCIATE
a. Compliance with the Security Rule
. Business Associate agrees to comply with the Security Rule with respect to Electronic Protected Health Information and have in place reasonable and appropriate Administrative, Physical, and Technical Safeguards to protect the Confidentiality, Integrity, and
Availability of ePHI and to prevent the use or disclosure of ePHI other than as permitted by the Agreement, this BAA, and as Required by Law.
. Business Associate shall ensure that any Subcontractor that creates, receives, maintains, or transmits ePHI on behalf of Business Associate agrees in writing to comply with the Security Rule with respect to such ePHI.
c. Security Incident/Breach Notification Reporting.
Business Associate shall report any Security Incident promptly upon becoming aware of such incident. Separate from the requirements related to Security Incident reporting, Business Associate shall also make the reports set forth below in
Section 5, related to a Breach of Unsecured PHI. Business Associate will make all available breach information within (7) days.
5. BREACH NOTIFICATION (FEDERAL AND STATE) RULE OBLIGATIONS OF BUSINESS ASSOCIATE
a. Notification Requirement. Immediately following Business Associate’s discovery of a Breach, or upon Business Associate’s reasonable belief that a Breach has occurred, Business Associate shall provide written notification of such Breach to HIPAA Customer within Seven (7) days.
b. Discovery of Breach. For purposes of reporting a Breach to HIPAA Customer, the discovery of a Breach shall occur on the first day on which such Breach is known to Business Associate or, by exercising reasonable diligence, would have been known to or suspected by the Business
Associate. Business Associate will be considered to have had knowledge of a Breach if the Breach is known, or by exercising reasonable diligence would have been known to any person (other than the person committing the Breach) who is an employee, officer or agent of the Business
c. Content of Notification. Any notice referenced above in Section 5(a) of this BAA will include, to the extent known to the Business Associate, the identification of each individual whose Unsecured PHI has been, or is reasonably believed by Business Associate to have been accessed, acquired,
or disclosed during such Breach, as well as the information, to the extent known by Business Associate, that HIPAA Customer is required to include in its notification to the individual pursuant to the Breach Notification Rule or applicable State data breach notification laws. Business Associate
will also provide (on a continuing basis as information is discovered) to HIPAA Customer other available information that HIPAA Customer is required to include in its notification to the individual pursuant to the Breach Notification Rule or applicable State data breach notification laws.
d. Cooperation with HIPAA Customer. Business Associate shall:
i. Cooperate and assist HIPAA Customer with any investigation into any Breach or alleged Breach, including those conducted by any Federal agency, State Attorney General, State agency (or their respective agents);
ii. Comply with HIPAA Customer’s determinations regarding HIPAA Customer’s and Business Associate’s obligations to mitigate to the extent practicable any potential harm to the individuals impacted by the Breach; and
iii. As directed by the HIPAA Customer, assist with the implementation of any decision by HIPAA Customer or any Federal agency, State agency, including any State Attorney General, or their respective agents, to notify and provide mitigation to individuals impacted or potentially impacted by
6. TERM AND TERMINATION
The term of this BAA shall commence as of the Effective Date, and shall terminate when all of the PHI provided by HIPAA Customer to Business Associate, or created or received by Business Associate on behalf of HIPAA Customer, is destroyed or returned to HIPAA Customer or, if it is
infeasible to return or destroy PHI, protections are extended to such information, in accordance with the provisions of this Section 6.
b. Termination for Cause
. Upon HIPAA Customer’s knowledge of a material breach of the terms of this BAA by Business Associate, HIPAA Customer shall:
(i) Provide an opportunity for Business Associate to cure, and, if Business Associate does not cure the breach within thirty (30) days, HIPAA Customer may immediately terminate this BAA and the Agreement;
(ii) Immediately terminate this BAA and the Agreement if HIPAA Customer has determined that (a) Business Associate has breached a material term of this BAA, and (b) cure is not possible; or
(iii) Immediately terminate this BAA if the Agreement has been terminated.
c. Effect of Termination.
i. Except as provided in paragraph (ii) of this Section 6(c), upon termination of this BAA for any reason, Business Associate shall return or destroy all PHI received from HIPAA Customer, or created or received by Business Associate on behalf of HIPAA Customer, and shall retain no copies of
the PHI except as required by the Agreement. This provision shall apply to PHI that is in the possession of Subcontractors of Business Associate.
ii. In the event that Business Associate determines that returning or destroying the PHI is infeasible, Business Associate shall provide to HIPAA Customer notification of the conditions that make return or destruction infeasible. Upon mutual agreement of the parties that return or destruction of
PHI is infeasible, Business Associate shall extend the protections of this BAA to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such PHI.
7. Obligations of HIPAA Customer
a. HIPAA Customer is obliged to utilize Business Associate’s services in a way that ensures that HIPAA Customer is in compliance with the Privacy Rule.
b. HIPAA Customer shall notify Business Associate of any limitation(s) in its notice of privacy practices of HIPAA Customer in accordance with 45 CFR 164.520, to the extent that such limitation may affect Business Associate’s Use or Disclosure of PHI.
c. HIPAA Customer shall notify Business Associate of any changes in, or revocation of, permission by Individual to Use or Disclose PHI, to the extent that such changes may affect Business Associate’s Use or Disclosure of PHI.
d. HIPAA Customer shall notify Business Associate of any restriction to the Use or Disclosure of PHI that HIPAA Customer has agreed to in accordance with 45 CFR 164.522, to the extent that such restriction may affect Business Associate’s Use or Disclosure of PHI.
e. HIPAA Customer shall not request Business Associate to Use or Disclose PHI in any manner that would not be permissible under the Privacy Rule if done by HIPAA Customer.
f. HIPAA Customer agrees not to use Business Associate’s services for the transmission or storage of ePHI, except for that ePHI which meets one or more of the classes of ePHI supported by Business Associate as defined in Section 2.
g. HIPAA Customer agrees to indemnify and hold harmless Business Associate, its directors, officers, shareholders, parents, subsidiaries, affiliates, and agents, from and against all losses, expenses, damages and costs, including reasonable attorneys’ fees, resulting from HIPAA Customer's
failure to fulfill its obligations under this Agreement and to use Business Associate’s services in such a manner as to prevent the unauthorized disclosure of PHI.
h. HIPAA Customer agrees to notify Business Associate of any of its users whose PHI should not be Disclosed to insurers or Health Plans due to the fact that they pay in full for their own insurance and have requested confidentiality.
a. Regulatory References
. A reference in this BAA to a section in the Privacy, Security, or Breach Notification Rule means the section as in effect or as amended, and for which compliance is required.
. The respective rights and obligations of Business Associate under Section 6(c) of this BAA shall survive the termination of the BAA.
c. No Third Party Beneficiaries.
Nothing express or implied in this BAA is intended to confer, nor shall anything herein confer, upon any person other than Covered Entity, Business Associate and their respective successors or assigns, any rights, remedies, obligations or liabilities whatsoever.
The parties agree to take such action as is necessary to amend this BAA from time to time as is necessary for Covered Entity to comply with the requirements of the Privacy, Security or Breach Notification Rules, as well as HIPAA and HITECH.
e. Effect on Agreement
. Except as specifically required to implement the purposes of this BAA, or to the extent inconsistent with this BAA, all other terms of the Agreement shall remain in force and effect.
. The provisions of this BAA shall prevail over any provisions in the Agreement that may conflict or appear inconsistent with any provision in this BAA. Any ambiguity in this BAA shall be resolved to permit Covered Entity to comply with the Privacy, Security, and Breach Notification
Rules, as well as HIPAA and HITECH.
Covered Entity makes no warranty or representation that compliance by Business Associate with this BAA is satisfactory for Business Associate to comply with any obligations it may have under HIPAA, the Privacy Rule, or any other applicable law or regulation pertaining to the
confidentiality, use or safeguarding of health information. Business Associate is solely responsible for all decisions it makes regarding the use, disclosure or safeguarding of PHI.
. Both parties mutually agree to indemnify and hold each other harmless from and against all liability, losses, damages, claims, causes of action, cost or expenses (including reasonable attorneys’ fees) that directly or indirectly arise from the act, omission, breach, or default of
the indemnifying party, its agents, representatives, subcontractors, and/or employees.
. This BAA may be executed in multiple counterparts, each of which shall be deemed an original but all of which together shall constitute one and the same instrument. Facsimile or electronic (PDF) signatures shall be treated as original signatures. This BAA shall be binding
when one or more counterparts hereof, individually or taken together, shall bear the signatures of all of the parties reflected on this BAA as the signatories thereto.
j. Arbitration / Governing Law.
This Agreement shall be governed by, and interpreted and construed in accordance with, the substantive laws of the State of Missouri, conflicts of law excluded Both parties hereby irrevocably submit any disputes under this Agreement to the jurisdiction of the
State and Federal courts located in St. Louis County and St. Louis City, respectively.
9. Acceptance of Business Associate Agreement
***Please complete the Business Associate Agreement using our secure electronic version. Once completed, you will receive an executed version by Mediprocity after review.***
YES, I have read and agree
with the Business Associate and Account Restrictions Agreements.Mediprocity will send a copy of these counter-signed agreements.
IN WITNESS WHEREOF, the parties hereto have duly executed this BAA as of the Effective Date.