Business Associate Agreement

Effective Date: March 9th, 2018


GENERAL PROVISIONS
Status of Parties Under HIPAA. This Business Associate Agreement (this “Addendum”) is made and entered into by and between Regroup Therapy, Inc. and its affiliates (“Company”), and you, as the Provider, as of the date the Provider electronically accepted the Terms of Use, to which this addendum is incorporated. This Addendum applies to the extent Provider is acting as a Covered Entity or Business Associate to another Covered Entity (as those terms are defined by HIPAA), and where Company, as a result, is deemed under HIPAA to be acting as a Business Associate (or Downstream Business Associate) of Provider. Together with the Terms of Use, this Addendum governs each party’s respective obligations regarding Protected Health Information (defined below).

Effect.
To the extent that Company receives Protected Health Information from or on behalf of Provider (“PHI”) to perform Business Associate activities pursuant to the Terms of Use, the terms and provisions of this Addendum shall supersede any other conflicting or inconsistent terms and provisions in the Terms of Use to the extent of such conflict or inconsistency.

Defined Terms.
Capitalized terms used in the Terms of Use (including this Addendum) without definition shall have the respective meanings assigned to such terms by the Administrative Simplification section of the Health Insurance Portability and Accountability Act of 1996, the Health Information Technology for Economic and Clinical Health Act and their implementing regulations as amended from time to time (collectively, “HIPAA”).

No Third Party Beneficiaries.
The parties have not created and do not intend to create by the Terms of Use any third party rights, including, but not limited to, third party rights for Provider’s patients.

HIPAA Amendments.
The parties acknowledge and agree that the Health Information Technology for Economic and Clinical Health Act and its implementing regulations impose requirements with respect to privacy, security and breach notification applicable to Business Associates (collectively, the “HITECH BA Provisions”). The HITECH BA Provisions and any other future amendments to HIPAA affecting Business Associate agreements are hereby incorporated by reference into the Terms of Use as if set forth in the Terms of Use in their entirety, effective on the later of the effective date of the Terms of Use or such subsequent date as may be specified by HIPAA.

Regulatory References.
A reference in this Addendum to a section in HIPAA means the section as it may be amended from time-to-time.

OBLIGATIONS OF THE COMPANY
Use and Disclosure of PHI.
Company may use and disclose PHI as permitted or required under the Terms of Use (including this Addendum) or as Required by Law, but shall not otherwise use or disclose any PHI. Company shall not use or disclose PHI received from Provider in any manner that would constitute a violation of HIPAA if so used or disclosed by Provider (except as set forth in Sections 2.1(a), (b) and (c) of this Addendum). To the extent Company carries out any of Provider’s obligations under the HIPAA privacy standards, Company shall comply with the requirements of the HIPAA privacy standards that apply to Provider in the performance of such obligations. Without limiting the generality of the foregoing, Company is permitted to use or disclose PHI as set forth below:

a. Company may use PHI internally for Company’s proper management and administration or to carry out its legal responsibilities.
b. Company may disclose PHI to a third party for Company’s proper management and administration, provided that the disclosure is Required by Law or Company obtains reasonable assurances from the third party to whom the PHI is to be disclosed that the third party will (1) protect the confidentiality of the PHI, (2) only use or further disclose the PHI as Required by Law or for the purpose for which the PHI was disclosed to the third party and (3) notify Company of any instances of which the third party is aware in which the confidentiality of the PHI has been breached.
c. Company may use PHI to provide Data Aggregation services relating to the Health Care Operations of Provider if required or permitted under the Terms of Use.
Company may use PHI to create de-identified health information in accordance with the HIPAA de-identification requirements. Company may disclose de-identified health information for any purpose permitted by law.

Safeguards.
Company shall use appropriate safeguards to prevent the use or disclosure of PHI other than as permitted or required by this Addendum. In addition, Company shall implement Administrative Safeguards, Physical Safeguards and Technical Safeguards that reasonably and appropriately protect the Confidentiality, Integrity and Availability of PHI transmitted or maintained in Electronic Media (“EPHI”) that it creates, receives, maintains or transmits on behalf of Provider. Company shall comply with the HIPAA Security Rule with respect to EPHI.

Minimum Necessary Standard.
To the extent required by the “minimum necessary” requirements of HIPAA, Company shall only request, use and disclose the minimum amount of PHI necessary to accomplish the purpose of the request, use or disclosure.

Mitigation.
Company shall take reasonable steps to mitigate, to the extent practicable, any harmful effect (that is known to Company) of a use or disclosure of PHI by Company in violation of this Addendum.
Subcontractors.
Company shall enter into a written agreement meeting the requirements of 45 C.F.R. §§ 164.504(e) and 164.314(a)(2) with each Subcontractor (including, without limitation, a Subcontractor that is an agent under applicable law) that creates, receives, maintains or transmits PHI on behalf of Company. Company shall ensure that the written agreement with each Subcontractor obligates the Subcontractor to comply with restrictions and conditions that are at least as restrictive as the restrictions and conditions that apply to Company under this Addendum.

Reporting Requirements.
If Company becomes aware of a use or disclosure of PHI in violation of the Terms of Use by Company or a third party to which Company disclosed PHI, Company shall report the use or disclosure to Provider without unreasonable delay.
Company shall report any Security Incident involving EPHI of which it becomes aware in the following manner: (a) any actual, successful Security Incident will be reported to Provider in writing without unreasonable delay, and (b) any attempted, unsuccessful Security Incident of which Company becomes aware will be reported to Provider orally or in writing on a reasonable basis, as requested by Provider. Notwithstanding the preceding, the parties acknowledge and agree that this section constitutes notice by Company to Provider of the ongoing existence and occurrence of attempted but Unsuccessful Security Incidents (as defined below) for which no additional notice to Provider shall be required. “Unsuccessful Security Incidents” shall include, but not be limited to, pings and other broadcast attacks on Company’s firewall, port scans, unsuccessful log-on attempts, denials of service and any combination of the above, so long as no such incident results in unauthorized access, use or disclosure of EPHI.
Company shall, following the discovery of a Breach of Unsecured PHI, notify Provider of the Breach in accordance with 45 C.F.R. § 164.410 without unreasonable delay and in no case later than 60 days after discovery of the Breach.

Access to PHI.
Within 15 business days of a request by Provider for access to PHI about an Individual contained in any Designated Record Set of Provider maintained by Company, Company shall make available to Provider such PHI for so long as Company maintains such information in the Designated Record Set. If Company receives a request for access to PHI directly from an Individual, Company shall forward such request to Provider within ten business days. Provider shall have the sole responsibility to make decisions regarding whether to approve a request for access to PHI.

Availability of PHI for Amendment.
Within 15 business days of receipt of a request from Provider for the amendment of an Individual’s PHI contained in any Designated Record Set of Provider maintained by Company, Company shall provide such information to Provider for amendment and incorporate any such amendments in the PHI (for so long as Company maintains such information in the Designated Record Set) as required by 45 C.F.R. § 164.526. If Company receives a request for amendment to PHI directly from an Individual, Company shall forward such request to Provider within ten business days. Provider shall have the sole responsibility to make decisions regarding whether to approve a request for an amendment to PHI.

Accounting of Disclosures.
Within 15 business days of notice by Provider to Company that it has received a request for an accounting of disclosures of PHI (other than disclosures to which an exception to the accounting requirement applies), Company shall make available to Provider such information as is in Company’s possession and is required for Provider to make the accounting required by 45 C.F.R. § 164.528. If Company receives a request for an accounting directly from an Individual, Company shall forward such request to Provider within ten business days. Provider shall have the sole responsibility to provide an accounting of disclosures to the Individual.

Availability of Books and Records.
Company shall make its internal practices, books and records relating to the use and disclosure of PHI received from, or created or received by Company on behalf of, Provider available to the Secretary for purposes of determining Provider’s and Company’s compliance with HIPAA.

OBLIGATIONS OF PROVIDER
Permissible Requests.
Provider shall not request Company to use or disclose PHI in any manner that would not be permissible under HIPAA if done directly by Provider (except as provided in Sections 2.1(a), (b) and (c) of this Addendum).

Minimum Necessary PHI.
When Provider discloses PHI to Company, Provider shall provide the minimum amount of PHI necessary for the accomplishment of Company’s purpose.

Permissions; Restrictions.
Provider warrants that it has obtained and will obtain any consents, authorizations and/or other legal permissions required under HIPAA and other applicable law for the disclosure of PHI to Company. Provider shall notify Company of any changes in, or revocation of, the permission by an Individual to use or disclose his or her PHI, to the extent that such changes may affect Company’s use or disclosure of PHI. Provider shall not agree to any restriction on the use or disclosure of PHI under 45 CFR § 164.522 that restricts Company’s use or disclosure of PHI under the Terms of Use unless such restriction is Required By Law or Company grants its written consent, which consent shall not be unreasonably withheld.
Notice of Privacy Practices.
Except as Required By Law, with Company’s consent or as set forth in the Terms of Use, Provider shall not include any limitation in the Provider’s notice of privacy practices that limits Company’s use or disclosure of PHI under the Terms of Use.

TERMINATION OF THE TERMS OF USE
Termination Upon Breach of this Addendum.
Any other provision of the Terms of Use notwithstanding, either party (the “Non-Breaching Party”) may terminate the Terms of Use upon 30 days advance written notice to the other party (the “Breaching Party”) in the event that the Breaching Party materially breaches this Addendum and such breach is not cured to the reasonable satisfaction of the Non-Breaching Party within such 30-day period.
Return or Destruction of PHI upon Termination.
Upon expiration or earlier termination of the Terms of Use, Company shall either return or destroy all PHI received from Provider or created or received by Company on behalf of Provider and which Company still maintains in any form. Notwithstanding the foregoing, to the extent that Company reasonably determines that it is not feasible to return or destroy such PHI, the terms and provisions of this Addendum shall survive termination of the Terms of Use and such PHI shall be used or disclosed solely for such purpose or purposes which prevented the return or destruction of such PHI.

LIMITATION OF LIABILITY
Limitation of Liability.
In no event shall Company’s and its present and former affiliates’, directors’, officers’, employees’, and agents’ aggregate liability arising out of or related to the Terms of Use, whether in contract, tort, or under any other theory of liability, exceed the amounts actually paid by and due from Provider under the Terms of Use to Company during the one year period immediately preceding the date the cause of action arose.

Exclusion of Consequential and Related Damages.
In no event shall Company or its present and former affiliates, directors, officers, employees, or agents have any liability to Provider or any third party for any lost profits, loss of data, loss of use, costs of procurement of substitute goods or services, or for any indirect, special, incidental, punitive, or consequential damages however caused and, whether in contract, tort, or under any other theory of liability, whether or not Company has been advised of the possibility of such damage. Because some states or jurisdictions do not allow the exclusion or the limitation of liability for consequential or incidental damages, in such states or jurisdictions, Company’s and its present and former subsidiaries’, affiliates’, directors’, officers’, employees’, and agents’ liability shall be limited to the maximum extent permitted by law.

Survival.
This Section 5 shall survive the expiration or earlier termination of the Terms of Use.