Business Associate Agreement Between SBCMS and SBCMS Members

When assisting members with questions regarding health plan payment denials or
offering peer review services, it is frequently necessary for the SBCMS to review
documents containing sensitive patient information. HIPAA requires that physicians
sharing such information with business associates have a "Business Associate
Agreement" specifying appropriate use of the information. Printed below is a
"Business Associate Agreement" between SBCMS and members. It is not necessary to
sign and return the agreement. Simply keep the agreement in a file with any other
Business Associate Agreements you may have, as required under HIPAA.

BUSINESS ASSOCIATE AGREEMENT

Effective April 14, 2003

The San Bernardino County Medical Society (Medical Society) is dedicated to
maintaining quality medical care and improving physician-patient relationships.
Toward these goals, it assists its members with their payment and health care
operations activities. Many Medical Society members are covered by the Health
Insurance Portability and Accountability Act of 1996 (HIPAA). Medical Society and
these members (Physician Practices) are committed to complying with the federal
privacy regulations enacted pursuant to HIPAA (HIPAA Privacy Rules). Medical
Society hereby provides satisfactory assurances that it will appropriately
safeguard all Protected Health Information (PHI) it discloses, or receives from or
on behalf of Physician Practices as set forth below:

Article I. Definitions of Terms

1.01 Agreement means this Business Associate Agreement.

1.02 Business Associate shall have the meaning given to such term in 45 C.F.R.
section 160.103.

1.03 C.F.R. shall mean the Code of Federal Regulations.

1.04 Designated Record Set shall have the meaning given to such term in 45 C.F.R.
section 164.501.

1.05 Covered Entity shall have the meaning given to such term in 45 C.F.R.
section 160.103.

1.06 Privacy Laws shall mean HIPAA, the HIPAA regulations and any other applicable
state or federal laws or regulations affecting or regulating the privacy or
security of health information.

1.07 Protected Health Information ("PHI") shall have the meaning given to such
term in 45 C.F.R. section 164.501.

1.08 All references to the C.F.R. are to their then current version.

Article II. Obligations of Medical Society.

2.01 Permitted Uses and Disclosures.
Medical Society may not use or disclose PHI received or created pursuant to this
agreement except as permitted or required by this agreement or as required by
law. Medical Society may use, disclose or request PHI on behalf of, or to provide
services to Physician Practice for the following purposes, provided however, except
as set forth in 2.02-2.03, Medical Society may not make any use, disclosure or
request which, if made by Physician Practice would violate the Privacy Rule: to
assist the Physician Practice obtain coverage of and payment for services rendered,
and to advocate on Physician Practice's behalf with respect to other health care
operations issues including, but not limited to, issues involving audits, health
plan and IPA bankruptcies, coding and documentation, managed care and other contracts,
practice management, credentialing, peer review and licensure. Medical Society
further agrees not to disclose PHI except as specifically required or permitted
by California law.

2.02 Medical Society may use PHI to provide data aggregation services to Physician
Practice as permitted by the Privacy Rule.

2.03 Medical Society's Operations - Permitted Uses of PHI.
Medical Society may use the PHI it obtains or creates in its capacity as a Business
Associate for the proper management and administration of Medical Society or to
carry out Medical Society's legal responsibilities.

2.04 Medical Society's Operations - Permitted Disclosures of PHI.
Medical Society may disclose the PHI it obtains or creates in its capacity as a
Business Associate if such disclosure is necessary for the Medical Society's proper
management and administration or to carry out the Medical Society's legal
responsibilities, and:

(a) The disclosure is required by law; or

(b) Medical Society obtains reasonable assurances from the recipient of the PHI
that the PHI will be held confidentially and used or further disclosed only as
required by law or with such further authorizations required by law, and any such
disclosure shall be only for the purpose for which it was initially disclosed to
the recipient;

(c) The recipient notifies the Medical Society (and Medical Society in turn
notifies Physician Practice) of any instances of which it is aware in which the
confidentiality of the PHI has been breached; and

(d) Except for treatment disclosures, the Medical Society and its agents disclose
only the amount of PHI reasonably necessary to achieve the purpose of the
disclosure.

2.05 Access to PHI by Individuals.
Medical Society shall cooperate with Physician Practice to fulfill all requests
by individuals for access to the individual's PHI that are approved by Physician
Practice as required by 45 C.F.R. section 164.524 and California law. Because
California law requires that copies of requested records be forwarded to patients
within fifteen (15) days of their request, Medical Society agrees to forward any
copies requested by Physician Practice for this purpose within 5 business days.
If Medical Society receives a request from an individual for access to PHI, Medical
Society immediately shall forward such request to Physician Practice. Physician
Practice shall be solely responsible for determining the scope of PHI and Designated
Record Set with respect to each request by an individual for access to PHI.

2.06 Access to Medical Society's Books and Records.
Medical Society shall make its internal practices, books and records relating to
the use and disclosure of PHI received from, or created or received by Medical
Society on behalf of Physician Practice available to the Secretary of the Department
of Health and Human Services for purposes of determining Physician Practice's
compliance with the HIPAA laws and regulations.

2.07 Amendment of PHI.
To the extent it possesses a Designated Record Set, Medical Society shall
incorporate all amendments or addenda to PHI received from Physician Practice.

2.08 Disclosure Accounting.
In the event that Medical Society makes any disclosures of PHI that are subject
to the accounting requirements of 45 C.F.R. section 164.528, Medical Society promptly
shall report to Physician Practice and maintain a record of each such disclosure,
including the name of the individual, the date of the disclosure, the name and,
if available, the address of the recipient of the PHI, a brief description of
the PHI disclosed and a brief description of the purpose of the disclosure. Medical
Society shall maintain this record for a period of six (6) years and make available
to Physician Practice upon request in an electronic format so that Physician Practice
may meet its disclosure accounting obligations under 45 C.F.R. section 164.528.

2.09 Security Safeguards.
Medical Society shall use appropriate administrative, technical and physical
safeguards designed to prevent the accidental or otherwise unauthorized use or
disclosure of PHI.

2.10 Reporting and Mitigating Unauthorized Uses and Disclosures of PHI.
Immediately upon notice to Medical Society, Medical Society shall report to
Physician Practice any uses or disclosures of PHI not authorized by this Agreement.
Medical Society shall use its best efforts to mitigate the deleterious effects of
any use or disclosure of PHI not authorized by this Agreement. Further, in the
notice provided to Physician Practice by Medical Society regarding unauthorized
uses and/or disclosures of PHI, Medical Society shall describe the remedial or
other actions undertaken or proposed to be undertaken regarding the unauthorized
use or disclosure of PHI.

2.11 Agents.
Medical Society shall require that any subcontractors or other agents to whom
it provides PHI received from, or created or received by Medical Society on behalf
of Physician Practice agree in writing to the same use, request and disclosure
restrictions imposed on Medical Society by this Agreement.

2.12 Ownership of Information.
All PHI shall be deemed owned by the Physician Practice unless otherwise agreed
in writing. During the term of this Agreement, Medical Society and any authorized
subcontractors or other agents shall have the right to use the PHI solely as
specified by this Agreement. Medical Society and its agents shall have the right
to de-identify the PHI at Medical Society's option, in accordance with 45 C.F.R.
§164.514(b).

Article III. Obligations of Physician Practice

3.01 Physician Practice shall inform Medical Society of any of the following
changes which affect Medical Society: changes to its Notice of Privacy Practices
that affect Medical Society, new or changed authorizations, or restrictions on use
of PHI agreed to by the Practice.

Article IV. Term and Termination.

4.01 Term.
This Agreement shall remain in effect for so long as the Physician Practice is
covered by HIPAA or is a member of the Medical Society, whichever is shorter.

4.02 Termination for Breach of Privacy.
Physician Practice, at its sole option and without an opportunity to cure,
immediately may terminate this Agreement without further liability if Physician
Practice determines that Medical Society has violated a material term of this
Agreement related to the privacy or security of the PHI.

4.03 Termination Without Cause.
Either party to this Agreement may terminate the Agreement upon provision of
[sixty (60)] days prior written notice.

4.04 Effects of Termination; Disposal of PHI.
Upon termination of this Agreement, to the extent it is feasible to do so, Medical
Society shall recover and destroy all PHI that is in its possession or the
possession of its subcontractors or agents that Medical Society obtained or
maintained pursuant to this Agreement on behalf of the Physician Practice. However,
the parties agree that, because of the nature of Medical Society's advocacy
activities, it may not be feasible for Medical Society to accomplish this.
Therefore, Medical Society shall extend, and require that its subcontractors and
agents agree to the extension of all protections, limitations and restrictions
required by this Agreement until the PHI is destroyed. This section shall survive
the termination of this Agreement.

Article V. Miscellaneous.

5.01 Notices.
Any notice required to be given pursuant to the terms and provisions of this
Agreement shall be in writing and may be either personally delivered or sent by
registered or certified mail in the United States Postal Service, Return Receipt
Requested, postage prepaid, addressed to each party at the addresses maintained by
the Medical Society. Any such notice shall be deemed to have been given, if mailed
as provided herein, as of the date mailed.

5.02 Change in Law.
Medical Society agrees to amend this Agreement as necessary to comply with any
subsequent changes or clarifications of the Privacy Laws.