Business Associate Addendum

By registering as a supplier with the Rector and Visitors of the University of Virginia or accepting a University-issued Purchase Order, the supplier acknowledges that the following ‘Business Associate Addendum’ is subject to change without prior notice. It is the supplier's responsibility to review the BAA terms and conditions each time a Purchase Order is issued, and periodically for any updates or modifications. Last updated: August 26, 2024

This is an addendum to the Purchasing Terms and Conditions. This Addendum is applicable only in those situations where the Vendor providing goods or services under a purchase order will receive or create Protected Health Information as defined in 45 C.F.R. § 164.501 (e.g., individually identifiable health information of patients of the University of Virginia Health System or employees covered by the University of Virginia Health Plan.)

This Business Associate Addendum (“Addendum” or the “BAA”) becomes effective when the Vendor accepts the Purchasing Terms and Conditions.  It is entered into by the Vendor (the “Business Associate”) and The Rector and Visitors of the University of Virginia on behalf of its Medical Center, (the “Covered Entity”) (each a “Party” and collectively the “Parties”). 

WHEREAS, the Parties have entered into an agreement or arrangement, (the “Underlying Agreement”) under which the Covered Entity may disclose Protected Health Information or “PHI” (as defined in 45 C.F.R. §160.103) to the Business Associate and Business Associate may receive, use and disclose Protected Health Information in its performance of the Parties’ respective obligations pursuant to the Underlying Agreement; and


WHEREAS, Covered Entity and Business Associate intend to protect the privacy and provide for the security of Protected Health Information disclosed, collected or created by Business Associate in connection with the Underlying Agreement in compliance with the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191 (“HIPAA”) Subtitle D of Title XIII of Division A of the American Recovery and Reinvestment Act of 2009, Public Law 111-5 (“HITECH”) and the regulations promulgated under HIPAA and HITECH, including, without limitation, the Standards for Privacy of Individually Identifiable Health Information, C.F.R. at Title 45, Parts 160 and 164 (the “Privacy Rule”) and the Standards for the Security of Electronic Protected Health Information, C.F.R. at Title 45, Parts 160 and 164 (the “Security Rule”) (the Privacy Rule and Security Rule, collectively, the “HIPAA Regulations”); 


WHEREAS, HIPAA and HITECH require Covered Entity and Business Associate to enter into an agreement containing certain requirements with respect to the use and disclosure of Protected Health Information and which are contained in this Business Associate Addendum.  


NOW, THEREFORE, the Parties agree as follows:


1.    DEFINITIONS.  Terms used, but not otherwise defined, in this Addendum shall have the same meanings as those terms in HIPAA and HITECH, except that the terms “Protected Health Information” and “Electronic Protected Health Information” shall have the same meaning as set forth in 45 C.F.R. §160.103, limited to the information created or received by Business Associate from or on behalf of Covered Entity in connection with the Underlying Agreement.  


2.    PERMITTED USES AND DISCLOSURES OF PROTECTED HEALTH INFORMATION.


2.1.    Services.  Pursuant to the Underlying Agreement, the Business Associate provides services or goods for the Covered Entity that involves the use and disclosure of Protected Health Information.  Except as otherwise specified herein, Business Associate may make any and all uses and/or disclosures of Protected Health Information as necessary to perform its obligations under the Underlying Agreement, this Addendum or as Required by Law.  All other uses not authorized by this Addendum are prohibited.  Moreover, Business Associate may disclose Protected Health Information for the purposes authorized by this Addendum only, (i) to its employees, subcontractors and agents (to the extent consistent with the terms of the Underlying Agreement), in accordance with Section 3.1(f) hereof, (ii) as directed by the Covered Entity, or (iii) as otherwise permitted by the terms of this Addendum including, but not limited to, Section 2.2(b) below.


2.2.    Business Activities of the Business Associate.  Unless otherwise limited herein, the Business Associate may:
(a)    Use the Protected Health Information in its possession for its proper management and administration and to fulfill any present or future legal responsibilities of the Business Associate provided that such uses are permitted under state and federal confidentiality laws;
(b)    Disclose the Protected Health Information in its possession to third parties for the purpose of its proper management and administration or to fulfill any present or future legal responsibilities of the Business Associate, if (i) the disclosures are Required by Law; or (ii) the Business Associate has received from the third party reasonable assurances regarding its confidential handling of such Protected Health Information as required under 45 C.F.R. §164.504(e)(4).


2.3.    Additional Activities of Business Associate. In addition to the foregoing, Business Associate also may:
(a)    Aggregate the Protected Health Information in its possession with the Protected Health Information of other covered entities that the Business Associate has in its possession through its capacity as a business associate to said other covered entities provided that the purpose of such aggregation is to provide the Covered Entity with data analyses relating to the Health Care Operations of the Covered Entity; provided, however, that under no circumstances may the Business Associate disclose Protected Health Information of one Covered Entity to another non-affiliated covered entity absent the explicit authorization of the Covered Entity;
(b)    Unless otherwise expressly set forth in the Underlying Agreement or otherwise agreed in writing by Covered Entity, any data created from de-identifying PHI or from Data Aggregation by or on behalf of Business Associate, whether or not created in accordance with the terms of this Addendum, shall be and remain exclusively the property of Covered Entity.  Unless otherwise expressly set forth in the Underlying Agreement or otherwise agreed in writing by Covered Entity, Business Associate assigns to Covered Entity all of Business Associate’s right, title, and interest in and to any such data, if any, and Business Associate shall neither use any such data for any purpose other than to provide the Services nor disclose such data to any third party except with the prior written consent of Covered Entity or as otherwise required by applicable law or upon the order of a court of competent jurisdiction.
(c)    Use and/or disclose PHI to report violations of law to appropriate federal and State authorities, consistent with 45 C.F.R. §164.502(j)(1).

 

3.    RESPONSIBILITIES WITH RESPECT TO PROTECTED HEALTH INFORMATION.


3.1.    Privacy Responsibilities of the Business Associate.  With regard to its use and/or disclosure of Protected Health Information, the Business Associate hereby agrees to do the following:
(a)    request from the Covered Entity, access, and disclose to its subcontractors, agents or other third parties, only the minimum amount of Protected Health Information necessary to perform or fulfill a specific function required or permitted under this Addendum and/or the Underlying Agreement in accordance with 45 C.F.R. §164.502(b);
(b)    use and/or disclose the Protected Health Information only as permitted or required by this Addendum or as otherwise permitted or Required by Law;
(c)    report to the designated Privacy Officer of the Covered Entity, in writing, any use and/or disclosure of the Protected Health Information that is not permitted or required by this Addendum, including Breaches of Unsecured Protected Health Information and Security Incidents, of which Business Associate becomes aware within five (5) days of the Business Associate’s discovery of such unauthorized use and/or disclosure;
(d)    Establish procedures to mitigate, to the extent practicable, any harmful effects from any improper use and/or disclosure of the Protected Health Information that Business Associate reports to Covered Entity pursuant to this Addendum;
(e)    Comply with 45 CFR Part 164, subpart C as applicable to Business Associate with respect to electronic Protected Health Information, including the implementation of appropriate physical, administrative and technical safeguards that (i) reasonably and appropriately protect the confidentiality, integrity, and availability of Protected Health Information that it creates, receives, maintains or transmits on behalf of Covered Entity, and (ii) prevent the use, disclosure of, or access to the Protected Health Information other than as provided for by this Addendum;
(f)    Require that any agent, including a subcontractor, to whom it provides Protected Health Information received from, or created or received by Business Associate on behalf of Covered Entity agrees:  (i) to substantially similar restrictions and conditions that apply through this Addendum to Business Associate with respect to such information; and (ii) otherwise comply with HIPAA and HITECH as applicable to such agents or subcontractors; 
(g)    make available all records, books, agreements, policies and procedures relating to the use and/or disclosure of Protected Health Information to the Secretary of HHS, in a time and manner designated by the Secretary, for purposes of determining the Covered Entity’s compliance with the Privacy Regulation, subject to attorney-client and other applicable legal privileges;
(h)    upon prior written request, make available during normal business hours at Business Associate’s offices all records, books, agreements, policies and procedures relating to the use and/or disclosure of Protected Health Information to the Covered Entity within fifteen (15) days for purposes of enabling the Covered Entity to determine the Business Associate’s compliance with the terms of this Addendum;
(i)    within five (5) days of receiving a written request from the Covered Entity, provide to the Covered Entity such information as is necessary to facilitate the Covered Entity’s satisfaction of its obligations in connection with a request by an individual for an accounting of the disclosures of the individual's Protected Health Information in accordance with 45 C.F.R. §164.528;
(j)    within five (5) days of receiving a written request from the Covered Entity, provide to Covered Entity that certain information necessary to facilitate Covered Entity’s satisfaction of its obligations in connection with a request by an individual for an accounting of disclosures in accordance with 45 C.F.R. §164.528; and 
(k)    to the extent the Business Associate is to carry out one or more of Covered Entity’s obligation(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation(s).
(l)    Business Associate represents and warrants that it has implemented and at all times will maintain (i) written policies and procedures in accordance with HIPAA, and (ii) training of all members of its workforce in accordance with HIPAA.
(m)    Business Associate at all times shall maintain administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, availability, and integrity of Electronic PHI that it creates, receives, maintains, or transmits in accordance with the regulations set forth in 45 CFR § 164.308, 45 CFR § 164.310, and 45 CFR § 164.312 and shall maintain policies and procedures and other documentation in accordance with the regulations set forth at 45 CFR § 164.316.  Business Associate acknowledges that such provisions apply to Business Associate in the same manner that they apply to Covered Entities.

3.2.    Security Responsibilities of the Business Associate.  
(a)    Business Associate will comply with the standards and implementation specifications for security safeguards as set forth at 45 C.F.R. §§164.308, 164.310, 164.312 and 164.316, with respect to Electronic PHI, to prevent use or disclosure of Electronic PHI other than as provided for by this BAA,  and will ensure that any agent, including a subcontractor, to whom it provides Protected Health Information agrees in writing to implement reasonable and appropriate safeguards consistent with such standards and implementation specifications.
(b)    Any disclosure of PHI to a Subcontractor or Agent of Business Associate shall, upon request of Covered Entity, be pursuant to a written agreement between Business Associate and such Subcontractor or Agent containing the same restrictions and conditions on the use and disclosure of PHI as set forth in this Addendum. Upon request, Business Associate shall deliver to Covered Entity a copy of any such agreement with a Subcontractor or Agent of Business Associate. 
(c)    Business Associate shall take reasonable steps to ensure that the acts or omissions of its Subcontractors or agents would not breach the terms of this Addendum if done by Business Associate, including without limitation making reasonable inquiry of such Subcontractors or agents regarding their ability to comply with the agreement described in Section 3.2 and taking reasonable steps to monitor such compliance.
(d)    Business Associate agrees to report to Covered Entity any Security Incident of which it becomes aware that involves the Confidentiality, Integrity or Availability of the Electronic PHI that it creates, receives, maintains, or transmits for or on behalf of the Covered Entity; provided, however, that Business Associate shall not be required to report pings and other broadcast attacks on Business Associate’s firewall, port scans, unsuccessful log-on attempts, denial of service attacks, any combination of the above, and any other attempts to penetrate such computer networks or systems so long as no such incident results in the unauthorized access, use or disclosure of Electronic Protected Health Information (an “Unsuccessful Security Incident”); and (ii) any use or disclosure of the Protected Health Information not provided for by this Addendum, of which it becomes aware.  Such report shall be made without undue delay and no later than five (5) business days after Business Associate’s discovery of the Security Incident (other than an Unsuccessful Security Incident) or inconsistent use or disclosure, including incident or improper use or disclosure by an agent or subcontractor of Business Associate.  To the extent Business Associate accesses, maintains, retains, modifies, records, stores, destroys or otherwise holds, uses or discloses Unsecured Protected Health Information, Business Associate shall notify Covered Entity in accordance with 45 C.F.R. §164.410 of any Breach of Unsecured Protected Health Information.  Such notification shall be made without undue delay and no later than five (5) business days after the Breach is discovered by Business Associate.  
The notification of Breach shall be provided in writing and shall include, to the extent possible, the identification of each individual whose Unsecured Protected Health Information has been, or is reasonably believed by the Business Associate to have been, accessed, acquired, used, or disclosed during the Breach.  Business Associate shall also provide Covered Entity any other information that the Covered Entity is required to include in notification to the individual under 45 C.F.R. §164.404(c) at the time of the notification, or as promptly thereafter as such information becomes available. 
(e)    Business Associate acknowledges and agrees that the final determination of whether any event is a Breach of PHI that is Unsecured Protected Health Information, and any decision as to notifications to be made to affected individuals, government agencies, or the media shall be made by Covered Entity in its sole discretion. Business Associate shall cooperate fully with, and provide such assistance and access to personnel, systems, data, facilities, and information as reasonably requested by Covered Entity in any investigation or evaluation by or on behalf of Covered Entity of such actual or suspected event.
(f)    Business Associate shall reasonably cooperate with the Covered Entity’s efforts to further investigate and evaluate any Security Incident or Breach of Unsecured PHI that Business Associate reports to Covered Entity or of which the Business Associate has become aware and, in the event of impermissible use or disclosure by the Business Associate or any subcontractor of unsecured Protected Health Information that constitutes, in the reasonable judgment of the Covered Entity a breach requiring notification under applicable provisions of the HITECH Act and implementing regulations, at the discretion of the Covered Entity either the Business Associate or the Covered Entity will notify in writing all affected individuals as required by the HITECH Act and implementing regulations. The Business Associate will be responsible for all costs associated with such notification, including any costs of credit monitoring services that the Covered Entity and Business Associate reasonably agree should be offered to affected individuals. For purposes of this paragraph, unsecured PHI means PHI which is not encrypted or destroyed.  Breach means the acquisition, access, use or disclosure of PHI in a manner not permitted by the HIPAA Privacy Rule or this contract which compromises the security or privacy of the PHI by posing a significant risk of financial, reputational, or other harm to the individual, as reasonably determined by the Covered Entity.
(g)    Except as otherwise expressly approved in writing by Covered Entity in its sole discretion, to the extent Business Associate transmits any Electronic PHI, whether by any electronic communication (such as email) or by shipment of electronic media or devices (such as CDs, DVDs, USB drives, or external hard drives), Business Associate shall encrypt all such Electronic PHI either by utilizing encrypted electronic communication (such as TLS for email) or by encrypting all files containing Electronic PHI or encrypting such electronic media or devices.  Such encryption shall render all such Electronic PHI unusable, unreadable, or indecipherable using an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key that complies with the requirements of Federal Information Processing Standards (FIPS) 140-2, Security Requirements for Cryptographic Modules, including, as appropriate, standards described in NIST Special Publication 800-52, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations, NIST Special Publication 800-77, Guide to IPsec VPNs, NIST Special Publication 800-113, Guide to SSL VPNs, or other standards that are FIPS 140-2 validated; provided, however, that if such standards no longer are in effect or if industry best practices call for a stronger encryption standard, Business Associate shall follow the encryption standard of current industry best practices.
(h)    Except as otherwise expressly approved in writing by Covered Entity in its sole discretion, to the extent Business Associate maintains or stores any Electronic PHI, (i) Business Associate shall encrypt all such Electronic PHI that is maintained or stored on a laptop computer, removable electronic media, external hard drive, or other medium or device that is not a computer server or workstation located in a physically secure area, and (ii) unless commercially infeasible (in which case Business Associate shall notify Covered Entity thereof promptly in writing), Business Associate shall encrypt all such Electronic PHI that is maintained or stored on a computer server or workstation located in a physically secure area.  Such encryption shall render all such Electronic PHI unusable, unreadable, or indecipherable using an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key that is consistent with the National Institute of Standards and Technology (NIST) Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices; provided, however, that if such standards no longer are in effect or if industry best practices call for a stronger encryption standard, Business Associate shall follow the encryption standard of current industry best practices.
(i)    To the extent Business Associate maintains or transmits any PHI, when required under this Addendum and when any PHI is no longer needed by Business Associate to perform the Services and its obligations pursuant to this Addendum and no longer required to be maintained pursuant to HIPAA, Electronic PHI shall be deleted from storage media in a secure fashion such that the PHI cannot be retrieved or the media on which the PHI is stored or recorded shall be destroyed as follows (and, in any case, any destruction of such media shall be in accordance with the following): (i) paper, film, or other hard copy media shall be shredded or destroyed such that the PHI cannot be read or otherwise cannot be reconstructed, and (ii) electronic media shall be cleared, purged, or destroyed consistent with NIST Special Publication 800-88, Guidelines for Media Sanitization, such that the PHI cannot be retrieved.
(j)    To the extent Business Associate maintains or transmits any PHI, when required under this Addendum and when any PHI is no longer needed by Business Associate to perform the Services and its obligations pursuant to this Addendum and no longer required to be maintained pursuant to HIPAA, Electronic PHI shall be deleted from storage media in a secure fashion such that the PHI cannot be retrieved or the media on which the PHI is stored or recorded shall be destroyed as follows (and, in any case, any destruction of such media shall be in accordance with the following): (i) paper, film, or other hard copy media shall be shredded or destroyed such that the PHI cannot be read or otherwise cannot be reconstructed, and (ii) electronic media shall be cleared, purged, or destroyed consistent with NIST Special Publication 800-88, Guidelines for Media Sanitization, such that the PHI cannot be retrieved.
(k)    Covered Entity follows the Virginia document retention/destruction statute requirements under the Code of Virginia, Section 42.1-85 and Business Associate shall comply with any request from Covered Entity to comply with such state requirements regarding PHI retention or destruction.

 

4.    ADDITIONAL RESPONSIBILITIES OF THE PARTIES WITH RESPECT TO PROTECTED HEALTH INFORMATION. 


4.1.    Responsibilities of the Business Associate with Respect to Handling of Designated Record Set.  In the event that the Parties mutually agree in writing that the Protected Health Information constitutes a Designated Record Set, the Business Associate hereby agrees to do the following, at the written request of the Covered Entity:
(a)    within five (5) days of receiving a written request from the Covered Entity provide the Protected Health Information to the Covered Entity to meet its obligations under 45 C.F.R. §164.524, for as long as Business Associate maintains such PHI in a Designated Record Set on behalf of Covered Entity; and
(b)    within five (5) days of receiving a written request from the Covered Entity make any amendment(s) to the Protected Health Information that the Covered Entity directs in writing pursuant to 45 C.F.R. § 164.526, for as long as Business Associate maintains such PHI in a Designated Record Set on behalf of Covered Entity.


4.2.    Responsibilities of the Covered Entity with Respect to the Handling of the Designated Record Set.  In the event that the Parties mutually agree in writing that the Protected Health Information constitutes a Designated Record Set, the Covered Entity hereby agrees to do the following:
(a)    Promptly notify the Business Associate, in writing, of any Protected Health Information that Covered Entity seeks to make available to an individual pursuant to 45 C.F.R. § 164.524; and
(b)    Promptly notify the Business Associate, in writing, of any amendment(s) to the Protected Health Information in the possession of the Business Associate that the Business Associate will make.


5.    TERMS AND TERMINATION.


5.1.    Term.  This Addendum will become effective on the Effective Date and will continue in effect until all obligations of the Parties have been met, unless terminated as provided in this Section.  In addition, certain provisions and requirements of this Addendum will survive its expiration or other termination in accordance with Section 5.1 herein.


5.2.    Termination for Cause.  Either Party may immediately terminate this Addendum if a Party makes the determination that the other Party has breached a material term of this Addendum; provided that the non-breaching party provides the breaching party with prompt written notice of the existence of an alleged material breach and affords the breaching party a reasonable opportunity to cure said alleged material breach.  Failure to cure in the manner set forth in this paragraph is grounds for the immediate termination of this Addendum upon written notice from the non-breaching party.


5.3.    Automatic Termination. This Addendum will automatically terminate without any further action of the Parties upon the termination or expiration of the Underlying Agreement. 


5.4.    Effect of Termination.  Upon the event of termination pursuant to this Section, the Business Associate agrees to return or destroy all Protected Health Information pursuant to 45 C.F.R. §164.504(e)(2)(ii)(J), if it is feasible to do so.  Prior to doing so, the Business Associate further agrees to recover any Protected Health Information in the possession of its subcontractors or agents (to the extent such disclosure is permitted pursuant to the Underlying Agreement) if it is feasible to do so.  If it is not feasible for the Business Associate to return or destroy said Protected Health Information in its possession, the Business Associate will, upon receipt of written request by Covered Entity: (i) notify the Covered Entity in writing that the Business Associate has determined that it is infeasible to return or destroy the Protected Health Information in its possession, and (ii) provide an explanation for such determination.  The Business Associate further agrees to extend any and all protections, limitations and restrictions contained in this Addendum to the Business Associate’s use and/or disclosure of any Protected Health Information retained after the termination of this Addendum or the Underlying Agreement, and to limit any further uses and/or disclosures to the purposes that make the return or destruction of the Protected Health Information infeasible.  
If it is infeasible for the Business Associate to obtain, from a subcontractor or agent any Protected Health Information in the possession of the subcontractor or agent, the Business Associate will, upon receipt of written request by Covered Entity, provide a written explanation to the Covered Entity and require the subcontractors and agents to agree to extend any and all protections, limitations and restrictions contained in this Addendum to the subcontractors’ and/or agents’ use and/or disclosure of any Protected Health Information retained after the termination of this Addendum, and to limit any further uses and/or disclosures to the purposes that make the return or destruction of the Protected Health Information infeasible. 


6.    INSURANCE; INDEMNITY; LIMITATIONS ON LIABILITY.


6.1.    Insurance.  Business Associate shall obtain and maintain at all times HIPAA Breach and Cyber Liability Insurance coverage with coverage limits of at least Five Million Dollars ($5,000,000) per occurrence or claim and Ten Million Dollars ($10,000,000) in the annual aggregate with Ten Million Dollars ($10,000,000) of excess coverage.


6.2.    Indemnification by Business Associate.  Business Associate covenants and agrees to indemnify, defend and hold harmless Covered Entity, and the directors, members, officers, employees and agents of Covered Entity, from any and all demands, claims, actions or causes of action, costs, expenses, losses, damages and liabilities incurred or suffered, directly or indirectly, by any of them (including reasonable legal fees and expenses) resulting from or attributable to (i) the breach of any of the covenants of Business Associate under this Addendum; (ii) any and all obligations, debts or other liabilities of Business Associate arising pursuant to this Addendum; or (iii) the negligence, gross negligence or intentional conduct of partners, directors, members, officers, employees and agents of Business Associate in the performance of Business Associate’s responsibilities pursuant to this Addendum.


6.3.    Limitations on Liability.  The limitations on liability, if any, set forth in the Underlying Agreement shall not apply to any losses, claims, damages or other costs incurred by Covered Entity in connection with a breach of this Addendum by Business Associate.


7.    MISCELLANEOUS.


7.1.    Survival.  The respective rights and obligations of the Business Associate and Covered Entity under the provisions of Sections 3.1, 3.2, 5.4, and 7.4, solely with respect to Protected Health Information that the Business Associate retains in accordance with Section 5.4 because it is not feasible to return or destroy such Protected Health Information, will survive termination of this Addendum for as long as such Protected Health Information is retained.  


7.2.    Amendments; Waiver.  This Addendum may not be modified, nor will any provision be waived or amended, except in a writing duly signed by authorized representatives of the Parties; provided, however, that except as otherwise limited in this Business Associate Addendum, the parties agree to take such action as is necessary to amend this Business Associate Addendum from time to time as is necessary for Covered Entity to comply with the requirements of HIPAA and HITECH.  In the event that any provision not contained in this Addendum as of the Addendum Effective Date is required to be included in this Addendum, or if any provision contained in this Addendum as of the Addendum Effective Date is required to be amended or deleted, in order to comply with changes to the HIPAA or HITECH, then the Parties shall, following written notice from Covered Entity or Business Associate to the other describing the applicable change(s) requiring the amending of this Addendum, negotiate in good faith for a period of thirty (30) days following such notice a mutually agreeable amendment to this Addendum as may be necessary to comply with such change(s). If the Parties are unable to mutually agree upon any such amendment during the respective 30-day negotiation period, then Covered Entity or Business Associate may terminate this Addendum upon written notice to the other.  A waiver with respect to one event will not be construed as continuing, or as a bar to or waiver of any right or remedy as to subsequent events.  


7.3.    No Third Party Beneficiaries.  Nothing express or implied in this Addendum is intended to confer, nor will anything herein confer, upon any person other than the Parties and the respective successors or assigns of the Parties, any rights, remedies, obligations, or liabilities whatsoever.


7.4.    Notices.  All notices required or permitted under this Business Associate Addendum shall be in writing, except as otherwise provided, and sent to the other party as directed in the Underlying Agreement or as otherwise directed by either party, from time to time, by written notice to the other.  All such notices shall be deemed validly given upon receipt of such notice by certified mail, postage prepaid, or personal or courier delivery.


Notices to: 
Procurement and Supplier Diversity Services, UVAFinance
1001 North Emmet Street
Charlottesville, Virginia, 22904

with a copy to:  [email protected]


7.5.    Interpretation. Any ambiguity in this Addendum and the Underlying Agreement will be resolved to permit the Parties to comply with the Privacy and Security Rules and the HITECH Act and applicable regulations and guidance documents. 


7.6.    Counterparts; Facsimiles.  This Addendum may be executed electronically, in any number of counterparts, each of which will be deemed an original.  Facsimile copies hereof will be deemed to be originals.


7.7.    Governing Law.  This Business Associate Addendum shall be construed in accordance with the laws of the Commonwealth of Virginia without regard to conflicts of law provisions.