
Business Associate Addendum (BAA)

Version: September 1, 2023

This Business Associate Addendum (BAA) (“Addendum”) supplements the Terms of Service available at Terms of Service, and, in addition to the Terms of Service, governs the collection, processing, and use of any Protected Health Information (PHI) by Acxiom LLC (“Acxiom”) on behalf of and as instructed by the Acxiom client (“Client”) identified in the written or electronic order, schedule, statement of work, work order, quote, or other document (collectively, the “Order”) that incorporates this Addendum by reference when such Order has been executed by the parties to be bound thereto or otherwise formally approved by them in accordance with the process identified in the Order. The Order, the Terms of Service (including any other applicable addenda incorporated by reference therein), this Addendum, and any other terms or documentation incorporated by reference in the Order are collectively referred to as the “Agreement”. Any claim brought under the terms of this Addendum will be subject to the applicable limitation of liability provision in the Terms of Service, including any applicable exceptions thereto. From time to time, Acxiom may modify this Addendum. Unless otherwise specified by Acxiom due to a change in law or other contingency beyond Acxiom’s control, changes will become effective for Client upon renewal of the then-current Order or upon the effective date of a new Order after the updated version of this Addendum goes into effect. Capitalized terms not defined herein shall have the meanings ascribed to them elsewhere in the Agreement.

The parties agree as follows:

  1. Definitions. The following defined terms apply to this Addendum. All other capitalized terms not defined elsewhere in the Agreement are defined in the same way as in the Privacy Rule, Security Rule, HIPAA or HITECH, as applicable:
    1. “Breach” has the same meaning set forth in 45 CFR §164.402.
    2. “Data Aggregation” has the same meaning as the term “data aggregation” in 45 CFR §164.501.
    3. “Designated Record Set” has the same meaning as the term “designated record set” in 45 CFR §164.501.
    4. “Electronic Health Record” has the same meaning as the term in § 13400 of the HITECH Act.
    5. “Health Care Operations” has the same meaning as the term “health care operations” in 45 CFR §164.501.
    6. “HITECH” means The Health Information Technology for Economic and Clinical Health Act, part of the American Recovery and Reinvestment Act of 2009 (“ARRA” or “Stimulus Package”), specifically DIVISION A: TITLE XIII Subtitle D—Privacy, and its corresponding regulations as enacted under the authority of the Act.
    7. “HIPAA” means the Health Insurance Portability and Accountability Act of 1996 (Pub. L. No. 104-191).
    8. “Individual” has the same meaning as the term “individual” in 45 CFR §160.103 and will include a person who qualifies as a personal representative in accordance with 45 CFR §164.502(g).
    9. “Privacy Rule” means the Standards for Privacy of Individually Identifiable Health Information at 45 CFR Part 160 and Part 164, Subparts A and E.
    10. “Protected Health Information” or “PHI” has the same meaning as the term “protected health information” in 45 CFR §160.103, limited to the information created, received, maintained or transmitted by Acxiom on behalf of Client.
    11. “Required By Law” has the same meaning as the term “required by law” in 45 CFR §164.103.
    12. “Secretary” means the Secretary of the Department of Health and Human Services or his or her designee.
    13. “Security Rule” means the Standards for Security of Electronic Protected Health Information at 45 CFR parts §160 and §164, Subparts A and C.
    14. “Unpermitted Use of PHI” means any use or disclosure of PHI other than as permitted or required by this Addendum, the Agreement, the Schedule to the Agreement under which PHI is received by Acxiom, or as Required By Law.
    15. “Unsecured Protected Health Information” or “Unsecured PHI” has the same meaning as the term “unsecured protected health information” in 45 CFR §164.402.
  2. Obligations and Activities of Acxiom.
    1. In processing PHI on Client’s behalf, Acxiom will be acting as Business Associate. Acxiom will not make any Unpermitted Use of PHI. Acxiom will use appropriate safeguards to prevent the Unpermitted Use of PHI. Acxiom further agrees to implement administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of any electronic PHI, as provided for in the Security Rule and as mandated by § 13401 of HITECH.
    2. Acxiom will mitigate, to the extent practicable, any harmful effect that is known to Acxiom of an Unpermitted Use of PHI and will report to Client any Unpermitted Use of PHI of which it becomes aware, and in a manner as prescribed herein.
    3. Acxiom will, without unreasonable delay following discovery, report to Client any security incident, including all data Breaches or compromises, whether internal or external, related to PHI, whether the PHI is secured or unsecured, of which Acxiom becomes aware. If such Breach pertains to Unsecured PHI, then such notice must not exceed the timing requirements set forth in § 13402 of HITECH. Acxiom will, consistent with § 13402 of HITECH, provide Client with information necessary for Client to meet its obligations under § 13402 of HITECH, and in a manner and format reasonably requested or specified by Client.
    4. Acxiom will require any agent of Acxiom, including a subcontractor, to whom Acxiom provides PHI, to abide by the restrictions and conditions that apply through this Addendum to Acxiom with respect to such PHI. Acxiom will impose restrictions and conditions analogous to those contained in this Addendum on any agent or subcontractors of Acxiom via a written agreement, and Acxiom will only provide such agents or subcontractors PHI consistent with § 13405(b) of HITECH. Acxiom will, within ten (10) business days from written request by Client, provide copies of the relevant portions of such written agreements to Client.
    5. Unless otherwise protected or prohibited from discovery or disclosure by law, Acxiom will make internal practices, books, and records, including policies and procedures (collectively “Compliance Information”), relating to the use or disclosure of PHI, available to Client or to the Secretary for purposes of the Secretary determining Client’s compliance with the Privacy Rule, Security Rule, and HITECH. Acxiom will, at the request of Client, provide Client with demonstrable evidence that its Compliance Information ensures Acxiom’s compliance with this Addendum over time. Acxiom will have a reasonable time within which to comply with requests for such access and/or demonstrable evidence. In no case will access, or demonstrable evidence, be required in less than ten (10) business days after Acxiom’s receipt of such request, unless otherwise designated by the Secretary.
    6. Acxiom will maintain reasonable and appropriate documentation of disclosures of PHI as would be required for Client to respond to a request by an Individual for an accounting of such disclosures, in accordance with 45 CFR §164.528.
    7. Upon written request from Client, Acxiom will provide to Client documentation made in accordance with this Addendum to permit Client to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 CFR §164.528. Acxiom will provide such documentation in a manner and format reasonably requested by Client. Acxiom will have a reasonable time within which to comply with such a request from Client and in no event will Acxiom be required to provide such documentation in less than ten (10) business days after Acxiom’s receipt of such request. Client will manage all requests for accounting of disclosures received from an Individual. If Acxiom receives any such request directly from the Individual, Acxiom will redirect the Individual to Client.
  3. Permitted Uses and Disclosures by Acxiom. Except as otherwise limited by this Addendum:
    1. Acxiom may make any uses and disclosures of PHI necessary to perform its services to Client and otherwise meet its obligations under this Addendum, if such use or disclosure would not violate the Privacy Rule, or the privacy provisions of HITECH, if done by Client. All other uses or disclosures by Acxiom not authorized by this Addendum or by specific instruction of Client are prohibited.
    2. Acxiom may use and disclose PHI for the proper management and administration of Acxiom or to carry out the legal responsibilities of Acxiom, provided that disclosures are Required By Law, or Acxiom obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used, or further disclosed, only as Required By Law, or for the purpose for which it was disclosed to the person, and the person notifies Acxiom of any instances of which it is aware in which the confidentiality of the PHI has been breached.
    3. Acxiom may use PHI to provide Data Aggregation services to Client as permitted by 45 CFR §164.504(e)(2)(i)(B). Data Aggregation services will be provided to Client only when such services relate to Health Care Operations. Data Aggregation services will not be provided in a manner that would result in Unpermitted Use of PHI, including disclosure of PHI to another Client who was not the originator or lawful possessor of such PHI.
    4. Acxiom may use PHI to report violations of law to appropriate Federal and State authorities, consistent with 45 CFR §164.502(j)(1).
  4. Obligations and Activities of Client.
    1. In providing Acxiom with PHI for processing, Client will be acting as a Covered Entity. Client will notify Acxiom of: (i) the provisions and any limitations in any notice of privacy practices of either Client or any other Covered Entity from whom the PHI was obtained in accordance with 45 CFR §164.520; (ii) any changes in, or revocation of, permission by an Individual to use or disclose PHI; (iii) any restriction to the use or disclosure of PHI that Client has agreed to in accordance with 45 CFR §164.522; (iv) any restrictions that must be honored under § 13405(a) of HITECH; (v) modifications to accounting disclosures of PHI under 45 CFR §164.528, made applicable under § 13405(c) of the HITECH Act. Such notices are required only to the extent Acxiom’s use or disclosure of PHI is affected.
    2. Unless Client provides Acxiom with specific procedures for delivery of notices and information required to be provided by Acxiom pursuant to this Addendum, such notices and information will be delivered to Client in accordance with the notice procedures set forth in the Terms of Service. Client reserves the right to modify the manner and format in which information and notices required by this Addendum are provided to Client, as long as the requested modifications are reasonably required by Client to comply with the Privacy Rule or HITECH, and Acxiom is provided sixty (60) business days’ notice before the requested modification takes effect.
    3. Any file, record, or other information sent to Acxiom containing PHI must either be conspicuously identified as PHI or Acxiom must be informed in advance that PHI is being transmitted. Client must encrypt any PHI, using industry standard encryption measures, before transferring PHI to Acxiom over a public network or on physical media.
    4. Client warrants that it will not disclose PHI to Acxiom: (i) unless such disclosure falls under a HIPAA permitted use that does not require Individual authorization, or it has obtained from each Individual authorization in accordance with 45 CFR §164.508 that permits Acxiom to use the PHI within the applicable solution, application, process or other Service provided by Acxiom pursuant to the Order; (ii) unless each Individual to whom such PHI relates has been provided adequate notice under 45 CFR §164.520 and, if required under 45 CFR §164.514(f)(1), the ability to opt out of the disclosures of PHI that may be made by Client to Acxiom, and of the use Acxiom may make of such PHI; and (iii) in violation of any restriction on the use or disclosure of PHI requested by an Individual in accordance with 45 CFR §164.522. In addition, Client will limit disclosure of PHI to Acxiom to the minimum necessary to accomplish the intended purpose of the disclosure. Upon written request, Client will provide an officer’s written certification of its compliance with these warranties.
    5. If Client sends any PHI to Acxiom in violation of this Addendum, Client will immediately notify Acxiom of the date, time and other pertinent information related to the transfer so Acxiom may take the appropriate steps necessary to remove the PHI from its systems.
    6. Unless the parties agree otherwise in the Order, Client will not provide Acxiom PHI from a Designated Record Set. Client will be solely responsible for complying with access and amendment requirements under 45 CFR §§ 164.524 and 164.526 and any verification requirements under 45 CFR § 164.514(h)(1). If Acxiom receives any such requests directly from an Individual, Acxiom will redirect the Individual to Client.
  5. Termination, Survival, Destruction, and Retention.
    1. Any material default by either party of any of the provisions of this Addendum will be considered a material default of the Agreement, which will give rise to a right to terminate the Agreement by the non-defaulting party in accordance with the termination for cause provisions of the Terms of Service. However, if a material default of the provisions of this Addendum is not curable, the non-defaulting party may exercise such right to terminate immediately without need to provide the cure period set forth in the Terms of Service. If neither termination nor cure is feasible, the non-defaulting party will report the violation to the Secretary.
    2. The protections of this Addendum will survive any termination of the Agreement for so long as Acxiom maintains possession of any PHI provided by Client to Acxiom or created or received by Acxiom on behalf of Client.
    3. Upon termination of the Agreement, Acxiom will destroy or return all PHI received from, or created or received by Acxiom on behalf of Client, including any PHI that is in the possession of subcontractors or agents of Acxiom. Acxiom will retain no copies of the PHI.
    4. If Acxiom reasonably determines that returning or destroying PHI is infeasible, Acxiom will provide to Client notification of the conditions that make return or destruction infeasible, and Acxiom must limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible.
  6. Amendment. The parties agree to take such actions necessary to amend this Addendum from time to time for Client to comply with the requirements of the Privacy Rule, Security Rule, HIPAA, and HITECH, and their corresponding regulations. Any reference in this Addendum to any section or provision within the Privacy Rule, Security Rule, HITECH or HIPAA means such section or provisions currently in effect or as subsequently amended.
  7. Interpretation. Any ambiguity in the provisions of this Addendum will be resolved to permit the parties to comply with the Privacy Rule, Security Rule, HIPAA, and HITECH Act, and their corresponding regulations. To the extent there is any conflict between this Addendum and the rest of the Agreement, the terms of this exhibit will control and resolve the conflict with respect to the subject-matter hereof.