CommuniCare Technology, Inc. dba Pulsara
1. Definitions. The following terms used in this Agreement shall have the same meaning as those terms in the HIPAA Rules: Breach, Data Aggregation, Disclosure, Health Care Operations, Individual, Notice of Privacy Practices, Protected Health Information, Required by Law, Secretary, Security Incident, Subcontractor, Unsecured and Use.
a. “Business Associate” shall generally have the same meaning as the term “business associate” at 45 CFR 160.103, and in reference to the party to this Agreement, shall mean Pulsara.
b. “Covered Entity” shall generally have the same meaning as the term “covered entity” at 45 CFR 160.103, and in reference to the party to this agreement, shall mean the Subscriber.
c. “HIPAA Rules” shall mean the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Part 160 and Part 164.
a. Performance of Services. Business Associate may use and disclose PHI in connection with the performance of the services as described in the Subscription Agreement (“Services”) if such use or disclosure of PHI would not violate HIPAA Rules, or such use or disclosure is expressly permitted hereunder.
b. Proper Management and Administration. Business Associate may use PHI for the proper management and administration of Business Associate in connection with the performance of Services described in the Subscription Agreement. Business Associate may disclose PHI for such proper management and administration of Business Associate. Any such disclosure of PHI shall only be made if the disclosure is required by law or Business Associate obtains reasonable assurances from the person to whom the PHI is disclosed that: (1) the PHI will be held confidentially and used or further disclosed only as required by law or for the purpose for which it was disclosed to the person; and (2) Business Associate will be notified by such person of any instances of which it becomes aware in which the confidentiality of the PHI has been breached.
c. Other Permitted Uses. Unless otherwise limited herein, the Business Associate may also: (1) perform Data Aggregation for the health care operations of Covered Entity; (2) may use, analyze, and disclose the PHI in its possession for the public health activities and purposes set forth at C.F.R. § 164.512(b); (3) de-identify any and all PHI provided that Business Associate implements de-identification criteria in accord with 45 C.F.R. §164.514(b); and (4) may otherwise use and disclose the PHI as authorized by Covered Entity pursuant to the Subscription Agreement.
d. Minimum Necessary. Covered Entity shall provide, and Business Associate shall request, Use and Disclose, only the minimum amount of PHI necessary to accomplish the purpose of the request, Use or Disclosure. The Parties acknowledge that the Secretary may issue guidance with respect to the definition of “minimum necessary” from time to time, and agree to stay informed of any relevant changes to the definition.
a. As Provided In Agreement. Business Associate shall not use or further disclose PHI except as permitted or required by this Agreement or as required by law.
4. Safeguards, Reporting, Mitigation and Enforcement.
a. Safeguards. Business Associate shall use appropriate safeguards to protect PHI, and comply with Subpart C of 45 CFR Part 164 with respect to electronic protected health information, to prevent use or disclosure of PHI not provided for by this Agreement.
b. Business Associate’s Agents. Business Associate shall ensure that any agents, including subcontractors, to whom it provides PHI agree in writing to be bound by the same restrictions and conditions that apply to Business Associate with respect to such PHI.
c. Reporting. Business Associate shall promptly report to Covered Entity any use or disclosure of PHI in violation of this Agreement or applicable law of which it becomes actually aware. Business Associate further agrees to promptly report to Covered Entity any Security Incident of which it becomes actually aware. In addition, Business Associate shall promptly report to Covered Entity any Breach of Unsecured PHI.
d. Mitigation. Business Associate shall have procedures in place to mitigate any deleterious effect from any use or disclosure of PHI in violation of this Agreement or applicable law.
e. Sanctions. Business Associate shall have and apply appropriate sanctions against any employee, subcontractor or agent who uses or discloses PHI in violation of this Agreement or applicable law.
f. United States Department of Health and Human Services. Business Associate shall make its internal practices, books and records relating to the use and disclosure of PHI available to the Secretary for purposes of determining Covered Entity’s compliance with the HIPAA Rules; provided, however, that Business Associate shall promptly notify Covered Entity upon receipt by Business Associate of any such request for access by the Secretary, and shall provide Covered Entity with a copy thereof as well as a copy of all materials disclosed pursuant thereto. The parties’ respective rights and obligations under this Section shall survive termination of this Agreement.
5. Obligation to Provide Access, Amendment and Accounting of PHI.
a. Access to PHI. Business Associate shall make available to Covered Entity such information as Covered Entity may require to fulfill Covered Entity’s obligations to provide access to, and copies of, PHI in accordance with HIPAA Rules.
b. Amendment of PHI. Business Associate shall make available to Covered Entity such information as Covered Entity may require to fulfill Covered Entity’s obligations to amend PHI in accordance with HIPAA Rules. In addition, Business Associate shall, as directed by Covered Entity, incorporate any amendments to Covered Entity’s PHI into copies of such information maintained by Business Associate.
c. Accounting of Disclosures of PHI. Business Associate shall make available to Covered Entity such information as Covered Entity may require to fulfill Covered Entity’s obligations to provide an accounting of disclosures with respect to PHI in accordance with HIPAA Rules. Business Associate shall make this information available to Covered Entity upon Covered Entity’s request.
d. Forwarding Requests From Individual. In the event that any individual requests access to, amendment of, or accounting of PHI directly from Business Associate, Business Associate shall forward such request to Covered Entity. Covered Entity shall have the responsibility of responding to forwarded requests. However, if forwarding the individual’s request to Covered Entity would cause Covered Entity or Business Associate to violate HIPAA Rules, Business Associate shall instead respond to the individual’s request as required by such law and notify Covered Entity of such response as soon as practicable.
6. Responsibilities of Covered Entity. Covered Entity will:
a. provide Business Associate with the notice of privacy practices that Covered Entity produces in accordance with 45 C.F.R. § 164.520 as well as any changes to such notice;
b. provide Business Associate with any changes in, or revocation of, permission by Individual to the use and/or disclosure of PHI, if such changes affect Business Associate’s permitted or required uses and/or disclosures;
c. notify Business Associate of any restriction to the use and/or disclosure of PHI that Covered Entity has agreed to in accordance with 45 C.F.R. § 164.522; and
c. notify Business Associate, in writing, of any amendment(s) to the PHI in the possession of Business Associate that the Business Associate will make to the PHI and inform the Business Associate of the time, form and manner in which such amendment(s) will be made.
7. Limited Liability. Without limiting Covered Entity’s remedies under any other provision of this Agreement, in the event of a Breach involving Unsecured PHI maintained, used or disclosed by Business Associate that is the fault of Business Associate, Business Associate shall reimburse Covered Entity for reasonable cost of providing any legally required notice to affected individuals and the cost of credit monitoring for such individuals to the extent deemed necessary by Covered Entity in its reasonable discretion. Neither Party shall be liable to the other party for any incidental, consequential or punitive damages of any kind or nature, whether such liability is asserted on the basis of contract, tort (including negligence or strict liability), or otherwise, even if the other party has been advised of the possibility of such loss or damages.
8. Material Breach, Enforcement and Termination.
a. Term. This Agreement shall be effective as of the Effective Date, and shall continue until the earlier of when this Agreement is terminated in accordance with the provisions of this Section or the Subscription Agreement terminates.
1) If Covered Entity determines that Business Associate has breached or violated a material term of this Agreement, Covered Entities may, at its option, pursue any and all of the following remedies:
a) Take any reasonable steps that Covered Entity, in its sole discretion, shall deem necessary to cure such breach or end such violation; and/or b) Covered Entity may terminate this Agreement in the event of Business Associate’s uncured material breach of this Agreement following 30 days’ notice and opportunity to cure, if curable.
2) If Business Associate determines that Covered Entity has breached or violated a material term of this Agreement, Business Associate may, at its option, pursue any and all of the following remedies:
a) take any reasonable steps that Business Associate, in its sole discretion, shall deem necessary to cure such breach or end such violation; and/or
b) Business Associate may terminate this Agreement in the event of Covered Entity’s uncured material breach of this Agreement following 30 days’ notice and opportunity to cure, if curable.
c. Return or Destruction of Records. Upon termination of this Agreement for any reason, Business Associate shall return or destroy, as specified by Covered Entity, all PHI that Business Associate still maintains in any media, and shall retain no copies of such PHI. If Covered Entity, in its sole discretion, requires that Business Associate destroy any or all PHI in its possession, Business Associate shall certify to Covered Entity that the PHI has been destroyed. If return or destruction is not feasible, Business Associate shall inform Covered Entity of the reason it is not feasible and shall continue to extend the protections of this Agreement to such information and limit further use and disclosure of such PHI to those purposes that make the return or destruction of such PHI infeasible. The foregoing will not apply, however, to any PHI for which Business Associate has received from the applicable individual (with respect to whom the PHI pertains) authorization in accordance with HIPAA that Business Associate may retain such PHI for the purposes authorized by the individual. Business Associate’s obligations with respect to such PHI will become outside the scope of this Agreement and will be governed by HIPAA and the agreement between Business Associate and the individual.9. General Provisions.
a. State Law. Nothing in this Agreement shall be construed to require Business Associate to use or disclose PHI without a written authorization from an individual who is a subject of the PHI, or written authorization from any other person, where such authorization would be required under state law for such use or disclosure.
b. Amendment. Covered Entity and Business Associate agree that amendment of this Agreement may be required to ensure that Covered Entity and Business Associate comply with changes in state and federal laws and regulations relating to the privacy, security, and confidentiality of PHI, including, but not limited to, changes under the HIPAA Rules. This Agreement may not otherwise be amended except by written agreement between both parties.
c. Governing Law and Venue. This Agreement will be construed in accordance with and governed by the internal law of Subscriber’s state, without regard to the choice or conflicts of law provisions of any jurisdiction. In the event that either party institutes any action or proceeding arising out of or relating to this Agreement, exclusive jurisdiction will be in the state or federal court in the county where Subscriber is located.
d. Attorney’s Fees. The prevailing party in any action or proceeding to enforce any of the provisions of this Agreement shall be entitled to recover reasonable attorneys’ fees, costs and expenses incurred in connection with actions or proceedings.
e. Waiver. The failure of either party to enforce any right or provision in this Agreement shall not constitute a waiver of such right or provision unless acknowledged and agreed to by that party in writing.
f. Severability. If any provision of this Agreement is held by a court of competent jurisdiction to be invalid or unenforceable, then such provision(s) shall be construed, as nearly as possible, to reflect the intentions of the invalid or unenforceable provision(s), with all other provisions remaining in full force and effect.
g. Assignment. The rights and/or obligations contained in this Agreement may not be assigned, delegated or otherwise transferred by either party (except to a direct or indirect parent or subsidiary) without the prior written approval of the other party, not to be unreasonably withheld, provided, however that either party may assign this agreement in connection with a merger, consolidation or acquisition of a party resulting in a change of control or a transfer or sale of all or substantially all of the assets of either party. No assignment or delegation shall relieve either party of liability for its obligations hereunder.
h. Counterparts. This Agreement may be executed in one or more counterparts, each of which may be deemed an original, but all of which constitute one and the same instrument. Delivery of an executed counterpart of a signature page of this Agreement by facsimile or other electronic transmission shall be effective as delivery of a manually executed counterpart of this Agreement.
i. Notices. All notices, requests, or consents required or permitted under this Agreement will be in writing (including electronic form) and will be delivered to the address set forth by each party in this Agreement, or to such other party and/or address as any of such parties may designate in a written notice served upon the other party in the manner provided for below. Each notice, request, consent, or other communication will be given and will be effective: (1) if delivered by hand, when so delivered; (2) if delivered by nationally recognized overnight courier service or sent by United States Express Mail, upon confirmation of delivery; (3) if delivered by certified or registered mail, on the third following day after deposit with the United States Postal Service; or (4) if delivered by facsimile, upon confirmation of successful transmission.