Business Associate Addendum
Customer is a “Covered Entity” under the Health Insurance Portability and Accountability Act of 1996 and associated agency regulations promulgated thereunder (together, “HIPAA”). Pursuant to an underlying agreement (the “Agreement”) between Customer and eMDs, Inc. and affiliates (“Company”), Company provides certain services to Customer and in providing those services may use, disclose, receive, create, maintain or transmit Protected Health Information (“PHI”) for or on behalf of Customer, as described in the Agreement, Addendum or Applicable Law. When providing services to Customer that involve the use, disclosure, receipt, creation, maintenance or transmission of PHI for or on behalf of Customer, Company is Customer’s “Business Associate” under HIPAA. In accordance with HIPAA (or “Applicable Law”), the parties have agreed to the provisions of this Addendum to protect PHI which Company may handle in the performance of its duties for Customer.
1. Defined Terms.
Unless otherwise indicated below or elsewhere in this Addendum, all capitalized terms shall have the meanings provided in the Agreement or HIPAA.
a. “Privacy Rule” means 45 C.F.R. Part 160 and 45 C.F.R. Part 164, Subparts A and E, Standards for Privacy of Individually Identifiable Health Information.
b. “Protected Health Information” or “PHI” means individually identifiable health information as defined in 45 C.F.R. § 160.103, limited to the information Company receives from, or creates, maintains, transmits, or receives on behalf of, Customer.
c. “Security Rule” means 45 C.F.R. Part 164, Subpart C, Security Standards for the Protection of Electronic Protected Health Information.
d. “Security Incident” means (a) any unauthorized action by a known or unknown person that constitutes an attack, penetration, disclosure of confidential customer or other sensitive information, misuse of system access, unauthorized access or intrusion (hacking), virus intrusion, or scan of Business Associate’s systems or networks, all to the extent they compromise the security, confidentiality, or integrity of the Covered Entity’s protected health information accessed, received, stored, processed, or maintained by Business Associate.
e. “Breach” has the meaning assigned by HIPAA, 45 C.F.R. Section 164.402.
f. Any otherwise undefined terms in the Agreement shall have the meaning provided by HIPAA, if any.
2. Obligations of Company.
a. Compliance with Privacy and Security Obligations. Company agrees that the privacy and security requirements of HIPAA applicable to Business Associates apply to Company in this Addendum.
b. Limits on Use and Disclosure. Except as otherwise limited in this Addendum, Company may only use, disclose, create, maintain or transmit PHI to perform functions, activities, or services for, or on behalf of Customer as specified in the Agreement, this Addendum and as permitted or required by Applicable Law. Except as otherwise limited in this Addendum, Company may also:
i. Use PHI for the proper management and administration of Company or to carry out the legal responsibilities of Company under the laws of the United States; to de-identify such information in accordance with 45 C.F.R. § 164.514(b) for Company’s own business purposes or in connection with the Services; or to provide Data Aggregation services to Customer as permitted by 45 C.F.R. § 164.504(e)(2)(i)(b); and
ii. Disclose PHI for the proper management and administration of Company, provided that disclosures are Required by Law, or Company obtains reasonable assurances from the person to whom the information is disclosed that the information will remain confidential and be used or further disclosed only as Required by Law or for the purpose for which it was disclosed to the person, and that the person will notify Company of any instances of which it is aware in which the confidentiality of the information may have been Breached.
c. Minimum Necessary. Any use, disclosure, creation, maintenance or transmission of PHI will be limited to the minimum PHI necessary for the permitted purpose of the Agreement, this Addendum or Applicable Law.
d. Safeguards. Company will implement and maintain reasonable and appropriate administrative, physical and technical safeguards to protect the availability, integrity and confidentiality of the PHI as permitted and/or required by HIPAA.
e. Reports of Unauthorized Access, Use or Disclosure. Company shall report in writing to Customer, without unreasonable delay, any use or disclosure of PHI that is not authorized by this Addendum or the Agreement, including any Breach of Unsecured PHI, as defined by HIPAA, or Security Incident, as defined by this Addendum. Company shall deliver such notice no later than thirty (30) calendar days after the date on which Company (or any member of Company’s workforce or agent of Company except the person(s) responsible for the breach) became aware, or in the exercise of reasonable diligence should have become aware, of such unauthorized use, disclosure or Breach. Notice of any unauthorized use, disclosure or Breach shall, if known, provide a description of the following information to the extent it is reasonably available at the time of notice: (i) the event resulting in an unauthorized use, disclosure or Breach; (ii) the types of PHI that were involved in the unauthorized use, disclosure or Breach; and (iii) what Company is doing to investigate and remediate the event and mitigate against any similar, future unauthorized use, disclosure or Breach. The Parties acknowledge and agree that this Section deems notice to have been provided for the ongoing existence or occurrence of attempted but unsuccessful security risks such as unsuccessful network pings, attack on Company’s firewall, port scans, log-on attempts, denials of service or any combination of the above, so long as no such attempt results in unauthorized use, disclosure or Breach of electronic PHI, for which no additional notice to Customer shall be required.
f. Mitigation Procedures. In the event of any unauthorized use, disclosure or Breach of PHI, Company shall work, and where practicable Customer shall work cooperatively with Company, to implement procedures for investigating and mitigating the harmful effects of such improper use and/or disclosure.
g. Access to Information. Company will make available to Customer the PHI in a Designated Record Set, in a time and manner mutually agreed upon by the parties, as necessary to satisfy Customer’s obligations under 45 C.F.R. § 164.524.
h. Availability of Protected Health Information for Amendment. Upon receipt of a request from Customer for the amendment of an individual’s PHI or a record regarding an individual contained in a Designated Record Set (for so long as the PHI is maintained in a Designated Record Set), Company agrees to provide such information to Customer for amendment and incorporate any such amendment as may be required by 45 C.F.R. § 164.526. In the event any individual requests an amendment to PHI directly from Company, Company shall forward such request to Customer. Any review and consideration of a requested amendment shall be the responsibility of Customer.
i. Accounting of Disclosures. In accordance with 45 C.F.R. § 164.528, Company agrees to produce, and maintain for at least six (6) years, a record of any disclosure of the PHI, which record will include, for each disclosure, the date of disclosure, the name and address of the recipient, a description of the PHI disclosed (if known), the name of the individual who is the subject of the PHI (if known) and the reason for disclosure. Upon request from Customer, Company will make its record of disclosure available to Customer within the time frame and in the manner permitted and/or required by Applicable Law or as otherwise agreed by the Parties in writing. In the event the request for an accounting is delivered by an individual directly to Company, Company shall forward such request to Customer. Customer shall have the responsibility to respond to the request.
j. Subcontractors. Company shall ensure that any subcontractor to whom it provides PHI agrees to the same restrictions and conditions that apply through this Addendum to Company.
k. Availability of Books and Records. Company agrees to make its internal practices, books and records relating to its uses or disclosures of the PHI available to Customer, or, if directed in writing, the Secretary for purposes of determining compliance with Applicable Law, subject to attorney-client and other applicable privileges.
l. Company’s Performance of Customer’s Obligations. To the extent Company is to carry out one or more of Customer’s obligations under the Privacy Rule, at Subpart E of 45 C.F.R. Part 164, Company will comply with the requirements of the Privacy Rule that apply to Customer in the performance of such obligations.
m. PHI Sale or Marketing. Company will not directly or indirectly receive remuneration for any PHI without a valid authorization from the Individual except in compliance with 45 C.F.R. § 164.502(a)(5)(ii). Company will not engage in any communication which might be deemed to be “marketing” under the HIPAA Rules without approval of Customer.
3. Obligations of Customer.
a. Notice to Company. Customer will notify Company of any of the following to the extent that they affect Company’s use or disclosure of PHI or its rights and obligations with respect to PHI: (i) any limitation in its notice of privacy practices in accordance with 45 C.F.R. § 164.520; (ii) any changes in, or revocation of, permission by an Individual to use or disclose the PHI; and (iii) any restriction on the use or disclosure of PHI that Customer has agreed to in accordance with 45 C.F.R. § 164.522.
b. Minimum Necessary. Customer will make reasonable efforts to disclose to, provide to, or request from, Company only the minimum necessary PHI for Company to perform or fulfill a specific function required or permitted under the Agreement, as required by HIPAA.
c. Mitigation. Customer will take immediate steps to notify Company and to mitigate an impermissible use or disclosure of PHI whether from Company to the Customer or from the Customer to Company, including the Customer’s staff, employees and agents who disclose and receive PHI to and from Company in the course and scope of their employment, such as obtaining the recipient’s satisfactory assurances that the information will not be further used or disclosed (through a confidentiality agreement or similar means between the Customer and its staff, employees and agents) or will be destroyed.
d. No Violation of Law. Customer will not request, direct or cause Company to use, disclose, create, maintain or transmit PHI in a manner that would violate Applicable Law.
4. Term and Termination. This Addendum shall become effective on the Effective Date of the Agreement, unless the Parties otherwise mutually agree in writing to an alternative effective date. This Addendum will automatically terminate upon the termination or expiration of the Agreement. Notwithstanding any provisions in this Addendum or the Agreement to the contrary, either Party may terminate this Addendum and the Agreement if it determines that the other Party has breached a material term of this Addendum and has not cured such breach within thirty (30) days of receiving notice of the breach from the other Party. Upon termination of the Agreement or this Addendum, if feasible, Company will return or destroy the PHI received from, or created or received by Company on behalf of Customer that Company still maintains in any form and retain no copies of such PHI, unless required otherwise by Applicable Law. If return or destruction of the PHI is not feasible, Company will extend the protections of this Addendum until the PHI can be returned or destroyed. These obligations shall survive termination of the Addendum.
5. Miscellaneous Terms.
a. Entirety of the Contract. This Addendum supersedes all prior understandings and agreements, written or oral, between the Parties with respect to its subject matter. This Addendum is incorporated into the Agreement. The section titles used in this Addendum are provided for convenience only and are not intended to affect the interpretation of any provision. Any and all references in this Addendum to a statute or regulation mean the section as in effect or as amended. This Addendum may only be amended by a written instrument signed by the Parties. Nothing in this Addendum is to be construed as conferring any right, remedy or claim on any person or entity other than the Parties and their respective successors and assigns. This Addendum may only be assigned by a Party in accordance with the assignment provision of the Agreement. This Addendum will be governed by the governing law set forth in the Agreement and any action brought under this Addendum will be brought in accordance with the Agreement. Any notice to be provided under this Addendum will be provided in accordance with the notice provisions of the Agreement. The unenforceability of any provision in this Addendum will not affect the enforceability of any other provision. The waiver of any right or obligation under this Addendum will not be deemed to be a continuing waiver or the waiver of another right or obligation. All waivers must be in writing signed by both Parties.
c. Fees and Costs. Except as otherwise specified in the Agreement or this Addendum, if any legal action or other proceeding is brought for the enforcement of this Addendum, or because of an alleged dispute, contract violation, Event, Breach, default, misrepresentation, or injunctive action, in connection with any of the provisions of this Addendum, each party will bear its own legal expenses and the other costs incurred in that action or proceeding.
d. HIPAA Amendment and Interpretation. Upon the effective date of any amendment or issuance of additional regulations (“change”) to HIPAA, or any other law applicable to this Addendum, the Addendum will automatically be amended so that the obligations imposed on a Party or the Parties remain in compliance with such requirements, unless the cost for Company to comply with the change to HIPAA is unreasonable. If the cost to Company to comply with the change is unreasonable, the Parties shall negotiate Company fees or charges which will permit Company to comply. If the Parties cannot agree to new fees or charges, Company may terminate this Business Associate Agreement and any underlying agreement for which this Business Associate Agreement is made a part.
e. Ambiguity. Except as otherwise provided in this section 5.d, any ambiguity in this Addendum related to amended or additional regulations will be resolved in favor of a meaning that permits a Party or the Parties to comply with HIPAA or any other law applicable to this Addendum. The parties further agree that the language of this Addendum shall not be construed presumptively against the drafter or any of the Parties to this Addendum.
f. IN NO EVENT SHALL COMPANY OR ANY PROVIDER OF THIRD PARTY ITEMS BE LIABLE TO CUSTOMER OR ANY THIRD PARTY FOR ANY ACT OR OMISSION THAT DOES NOT RISE TO THE LEVEL OF WILLFUL MISCONDUCT OR GROSS NEGLIGENCE, OR FOR ANY INCIDENTAL, CONSEQUENTIAL, PUNITIVE, SPECIAL, EXEMPLARY OR OTHER INDIRECT DAMAGES OF ANY KIND OR NATURE INCLUDING, BUT NOT LIMITED TO, LOSS OF PROFITS, LOSS OF DATA, LOSS OF BUSINESS, WHETHER A CLAIM FOR ANY SUCH LIABILITY OR DAMAGES IS PREMISED UPON BREACH OF CONTRACT, INDEMNITY, BREACH OF WARRANTY, NEGLIGENCE, STRICT LIABILITY, OR ANY OTHER THEORIES OF LIABILITY, EVEN IF COMPANY HAS BEEN APPRISED OF THE POSSIBILITY OR LIKELIHOOD OF SUCH DAMAGES OCCURRING. Notwithstanding anything in this Addendum to the contrary, in no event shall Company’s or its licensors’ total liability arising from or relating to this Addendum exceed an amount equal to amounts paid by CUSTOMER to Company for the service giving rise to the claim in the three (3) months prior to the event giving rise to the claim, whether a claim for any such liability or damages is premised upon breach of contract, indemnity, breach of warranty, negligence, strict liability, or any other theories of liability, even if Company has been apprised of the possibility or likelihood of such damages occurring.