Background
A. The use and disclosure of patient health information is governed by the Federal Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and the HIPAA Privacy and Security Regulations at Parts 160, 162 and 164 of Title 45 of the Code of Federal Regulations, as amended by the Health Information Technology for Economic and Clinical Health Act ("HITECH") enacted as a part of the American Recovery and Reinvestment Act of 2009, as well as applicable state privacy and confidentiality of medical information laws (collectively, all of the foregoing are referred to as "Applicable Privacy Laws").
B. You ("Covered Entity") have agreed to the terms of service (the "Terms") for the services and website, including the Postwire service, (the "Services") of VisibleGains, Inc. ("Business Associate") under which the provision of services to Covered Entity may involve the use and disclosure of patient health information that is Protected Health Information under Applicable Privacy Laws.
C. Covered Entity and Business Associate agree to comply with Applicable Privacy Laws and any other applicable Federal and state laws and regulations governing the use and disclosure of Protected Health Information.
In consideration of the terms, conditions, covenants, agreements and obligations herein stated, the parties agree and covenant to abide by the terms hereto regarding the handling of Protected Health Information during Covered Entity's use of the Services and after its termination, as follows:
1. Definitions and Application
1.1 "Breach" means the unauthorized acquisition, access, use, or disclosure of Protected Health Information which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information. The term "Breach" does not include:
(A) any unintentional acquisition, access, or use of Protected Health Information by an employee or individual acting under the authority of Covered Entity or Business Associate if:
(1) such acquisition, access, or use was made in good faith and within the course and scope of the employment or other professional relationship of such employee or individual, respectively, with Covered Entity or Business Associate; and
(2) such information is not further acquired, accessed, used, or disclosed by any person; or
(B) any inadvertent disclosure from an individual who is otherwise authorized to access Protected Health Information at a facility operated by Covered Entity or Business Associate to another similarly situated individual at same facility; and any such information received as a result of such disclosure is not further acquired, accessed, used, or disclosed without authorization by any person.
1.2 "Data Aggregation Services" means the combining by Business Associate of the Protected Health Information of Covered Entity's patients with Protected Health Information received by Business Associate in its capacity as a business associate of another covered entity to permit data analyses that relate to the health care operations of Covered Entity or other covered entities.
1.3 To "De-identify" Protected Health Information means that the Protected Health Information is rendered no longer individually identifiable in accordance with a methodology permitted under the HIPAA Standards for Privacy of Individually Identifiable Health Information at 45 CFR section 164.514, including removal of all identifiers of the individual or of relatives, employees, or household members of the individual, as those identifiers are listed in the Standards for Privacy, and so long as, after such removal, Business Associate does not have actual knowledge that the information could be used alone or in combination with other information to identify an individual who is a subject of the information.
1.4 "Protected Health Information" and "Electronic Protected Health Information" shall have the same meaning given to each term in 45 C.F.R. § 160.103, limited to the information received from or created or received by Business Associate on behalf of Covered Entity.
1.5 "Required by Law" means a mandate contained in law that compels Business Associate or Covered Entity to make a use or disclosure of Protected Health Information and that is enforceable in a court of law. Required by Law includes, but is not limited to, court orders and court-ordered warrants; subpoenas or summons issued by a court, grand jury, a governmental or tribal inspector general, or an administrative body authorized to require the production of information; a civil or an authorized investigative demand; Medicare conditions of participation with respect to health care providers participating in the program; and statutes or regulations that require the production of information, including statutes or regulations that require such information if payment is sought under a government program providing public benefits.
1.6 "Security Incident" means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.
1.7 "Security Rule" means the regulations found at 45 CFR Parts 160 and 164, Subpart C, as amended by the HITECH Act and as may otherwise be amended from time to time.
1.8 "Secretary" means the Secretary of the United States Department of Health and Human Services.
1.9 "Unsecured Protected Health Information" means Protected Health Information that is not secured through the use of a technology or methodology specified by the Secretary in published guidance.
1.10 Unless otherwise defined in this Agreement, capitalized terms have the meanings ascribed to them under the Terms or the Applicable Privacy Laws. Terms used herein, but not otherwise defined, shall have meaning ascribed by 45 C.F.R. parts 160, 162, and 164. Should any term set forth in 45 C.F.R Parts 160, 162 or 164 conflict with any defined term herein, the definition found herein or 45 C.F.R. Parts 160, 162 and 164 shall prevail, with the regulatory definition controlling.
1.11 Business Associate's obligations under the Business Associate Terms apply only to Protected Health Information created or received by Business Associate from or on behalf of Covered Entity, and the term Protected Health Information refers only to Protected Health Information created or received by Business Associate from or on behalf of Covered Entity.
1.12 The Business Associate Terms apply solely to the provision of services by Business Associate to Covered Entity under the Terms.
2. Protected Health Information
2.1 Ownership of Protected Health Information. All right, title and interest in and to any Protected Health Information that becomes known to Business Associate under the Agreement vests solely and exclusively in Covered Entity or in the individual to whom such Protected Health Information relates. Business Associate will not derive or assert any title or interest in or to such Protected Health Information. Notwithstanding the foregoing, Business Associate may De-identify such Protected Health Information in accordance with the requirements of HIPAA and will own the De-identified information and any derivative works of, or including, such De-identified information.
2.2 Use and Disclosure of Protected Health Information.
(A) Unless otherwise specifically permitted in the Business Associate Terms or as Required by Law, Business Associate may use or disclose Protected Health Information only if the use or disclosure:
(1) is necessary to perform functions, activities or services for, or on behalf of, Covered Entity under the Business Associate Terms;
(2) would not violate HIPAA if done by Covered Entity; and
(3) is no more than the minimum necessary amount of Protected Health Information required for the performance of Business Associate's services under the Agreement, and Business Associate complies with the guidance on Minimum Necessary to be issued by the Secretary.
(B) Business Associate may:
(1) use Protected Health Information if necessary for the proper management and administration of Business Associate or to carry out its legal responsibilities related to the Terms;
(2) disclose Protected Health Information if necessary for the proper management and administration of Business Associate or to carry out its legal responsibilities under the Business Associate Terms, but only if:
(a) the disclosure is Required by Law; or
(b) Business Associate has obtained reasonable assurances from the third party that the Protected Health Information will be held confidentially and further used or disclosed only as Required by Law or for the purpose for which it is disclosed to the third party, and that the third party will immediately notify Business Associate of any instances of which the third party is aware in which the confidentiality of the Protected Health Information has been breached;
(3) use Protected Health Information to provide Data Aggregation Services;
(4) De-identify Protected Health Information (as provided in 45 CFR section 164.514(a)) and subsequently use De-identified health information; and
(5) use Protected Health Information to report violations of law or professional or clinical standards to appropriate Federal and state authorities, consistent with 45 CFR section 164.502(j).
2.3 Safeguards Against Misuse of Information. Business Associate will implement administrative, physical and technical safeguards through policies and procedures that reasonably and appropriately protect the confidentiality, integrity, and availability of all Protected Health Information and as required under HIPAA and with the provisions of the Security Rule directing the implementation of Administrative, Physical and Technical Safeguards for Electronic Protected Health Information and the development and enforcement of related policies, procedures, and documentation standards and will use such safeguards to prevent uses or disclosures of Protected Health Information (in whatever format), other than as permitted by the Business Associate Terms, the Terms, and regulations at 42 CFR Part 425, as amended from time to time. Business Associate agrees to be liable to Covered Entity for any acts, failures or omissions of a subcontractor in providing the services as if they were Business Associate's own acts, failures or omissions, to the extent permitted by law, and expressly warrants that its agents or subcontractors will be specifically advised of, and will comply in all respects with, the applicable terms of the Business Associate Terms.
2.4 Reporting.
(A) Business Associate will report the following occurrences within five (5) business days of when Business Associate discovers the occurrence, whether the occurrence is done or caused by Business Associate, its officers, directors, employees, contractors or agents or by a third party to which Business Associate disclosed Protected Health Information:
(1) Any use or disclosure of Protected Health Information in violation of the Business Associate Terms, the Terms, or the regulations at 42 CFR 425;
(2) Any Security Incident of which the Business Associate becomes aware; and
(3) Any Breach involving Unsecured Protected Health Information.
(B) To the extent possible, in any notice to the Covered Entity regarding a Breach involving Unsecured Protected Health Information, Business Associate shall include:
(1) The identification of each individual whose Unsecured Protected Health Information has been, or is reasonably believed by Business Associate to have been, accessed, acquired, or disclosed during such Breach; and
(2) Any other available information that Covered Entity may be required to include in a notification to the individual whose Unsecured Protected Health Information was accessed, acquired, or disclosed during such Breach. Business Associate may supplement its initial notice to Covered Entity as the facts in (C)(1) and (C)(2) reasonably become available.
2.5 Agreements with Third parties. Business Associate will enter into a written agreement with any agent or subcontractor that will have access to Protected Health Information currently shared. The agreement must include a provision binding the agent or subcontractor to the same restrictions, terms and conditions that apply to Business Associate pursuant to the Business Associate Terms, including the implementation of reasonable and appropriate safeguards to protect Electronic Protected Health Information.
2.6 Access to and Amendment of Protected Health Information.
(A) Business Associate will make Protected Health Information maintained in a Designated Record Set available to Covered Entity as reasonably necessary for Covered Entity to respond to a request for access to or amendment of Protected Health Information for purposes of providing the services, but in no case later than ten (10) days from Covered Entity's notice to Business Associate of the request.
(B) Business Associate will, within five (5) business days of receipt, forward to Covered Entity any requests for access to or amendment of Protected Health Information received directly by Business Associate. Covered Entity will be solely responsible for approving or disapproving the requests and Business Associate will comply with Covered Entity's directions regarding the requests. In the case of an amendment, Business Associate will incorporate any approved amendments into the Protected Health Information.
2.7 Accounting of Disclosures.
(A) Business Associate will make available to Covered Entity any information in its possession reasonably necessary for Covered Entity to respond to a request for an accounting of disclosures, in no case later than twenty (20) business days from Covered Entity's notice to Business Associate of the request.
(B) Business Associate will, within five (5) business days of receipt, forward to Covered Entity any request for an accounting of disclosures received directly by Business Associate. Covered Entity will be solely responsible for approving or disapproving the request and for preparing and delivering the accounting in response to the request. Business Associate will comply with Covered Entity's directions regarding the request to the extent practicable.
(C) Business Associate will implement an appropriate record-keeping process to enable it to comply with the requirements of this paragraph.
2.8 Availability of Books and Records. Business Associate will make its internal practices, books, and records relating to the use and disclosure of Protected Health Information available to the Secretary for purposes of determining Covered Entity's compliance with HIPAA.
3. Obligations of Covered Entity
3.1 Notice of Limitations. Covered Entity will notify Business Associate of the following if and to the extent it may affect Business Associate's use or disclosure of Protected Health Information:
(A) any limitation in Covered Entity's privacy policy in accordance with 45 CFR section 164.520;
(B) any changes in, or revocation of, permission by an individual to use Protected Health Information, including any restriction on health plan disclosures related to items or services paid for in full out-of-pocket by an individual; and
(C) any restriction to the use or disclosure of Protected Health Information Covered Entity has agreed to in accordance with 45 CFR section 164.522.
3.2 Permissible Requests by Covered Entity. Covered Entity will not request that Business Associate use or disclose Protected Health Information in any manner that would not be permissible under HIPAA if done by Covered Entity.
4. Termination
4.1 Termination upon Breach.
(A) If Covered Entity determines Business Associate has breached a material term of the Business Associate Terms, Covered Entity shall provide Business Associate with written notice of the breach and afford Business Associate an opportunity to cure. Business Associate must cure the breach to the reasonable satisfaction of Covered Entity within 30 calendar days of receipt of notice, unless other terms of cure are mutually agreed to. Failure to cure within 30 days (or as otherwise agreed to) is grounds for immediate termination of the Business Associate Terms, the Terms and the services.
(B) If Covered Entity's relief under (A) is, in Covered Entity's sole discretion, not feasible, Covered Entity may report the problem to the Secretary to the extent required by law.
(C) Business Associate has the same rights and obligations as set forth above as to any breach of a material term of the Business Associate Terms by Covered Entity.
4.2 Automatic Termination. The Business Associate Terms will automatically terminate without any further action of the Parties upon the termination or expiration of the Terms or use of the Services.
4.3 Disposition of Protected Health Information.
(A) Subject to (B), upon termination of the Business Associate Terms, the Terms or the use of the Services, Business Associate will either return or destroy all Protected Health Information Business Associate maintains in any form, including Protected Health Information in the possession of subcontractors or agents of Business Associate. Business Associate will not retain any copies of such Protected Health Information.
(B) If it is not feasible to return or destroy Protected Health Information, then:
(1) The terms and provisions of this Agreement shall be extended; and
(2) Business Associate's use and disclosure of Protected Health Information shall be limited to those purposes that make return or destruction infeasible.
4.4 Effect of Termination. Termination of the Business Associate Terms, the Terms and the use of the Services shall not affect any claims or rights that arise based on the acts or omissions of the Parties prior to the effective date of termination.
5. General
5.1 Notice Regarding Compelled Disclosure. If Business Associate is requested pursuant to, or believes it is Required by Law to disclose any Protected Health Information, Business Associate will provide Covered Entity with prompt written notice of such request(s) to enable Covered Entity to seek a protective order or to pursue other procedures challenging the attempt to compel disclosure. Business Associate will cooperate with Covered Entity in its efforts to challenge such compelled disclosure.
5.2 Amendment. The parties acknowledge that state and federal laws relating to electronic data security and privacy are rapidly evolving and that amendment of the Business Associate Terms may be required to ensure compliance with such developments. We may revise these Business Associate Terms from time to time and the most current version will always be posted on our website. If a revision, in our sole discretion, is material we will notify you (for example via email to the email address associated with your account). Other changes may be posted to our blog or terms page, so please check those pages regularly. By continuing to access or use the Services after revisions become effective, you agree to be bound by the revised Business Associate Terms. If you do not agree to the new terms, please stop using the Services.
6. Miscellaneous.
6.1 Applicable Laws. The Parties recognize and agree that the Business Associate Terms and their activities hereunder are governed by federal, state, and local laws, including the Social Security Act; regulations, rules, and policies of the U.S. Department of Health and Human Services; various state laws; among others, and including but not limited to Applicable Privacy Laws.
6.2 No Third Party Beneficiaries. Nothing express or implied in the Business Associate Terms is intended to confer, nor shall anything herein confer, upon any person other than the Parties and the respective successors or assigns of the Parties, any rights, remedies, obligations, or liabilities whatsoever.
6.3 Enforcement Costs. If any legal action or other proceeding, including arbitration, is brought for the enforcement of the Business Associate Terms or because of an alleged dispute, breach, default or misrepresentation in connection with any provision of this Agreement, the successful or prevailing Party shall be entitled to recover reasonable attorneys' fees, court costs and all expenses incurred in that action or proceeding, including all appeals, in addition to any other relief to which such Party may be entitled.
6.4 Notice. All notices and other communications under the Business Associate Terms shall be in writing and shall be deemed received when delivered personally or when deposited in the U.S. mail, postage prepaid, sent registered or certified mail, return receipt requested or sent via a nationally recognized and receipted overnight courier service, to the Parties at their respective principal office of record as designated in writing from time to time.
6.5 Severability. If any provision of the Business Associate Terms, or the application thereof to any person or circumstance, shall to any extent be invalid or unenforceable, the remainder of the Business Associate Terms, or the application of such affected provision to persons or circumstances other than those to which it is held invalid or unenforceable, shall not be affected thereby, and each provision of the Business Associate Terms shall be valid and shall be enforced to the fullest extent permitted by law. It is further the intention of the Parties that if any provisions of the Business Associate Terms are capable of two constructions, one of which would render the provision void and the other one which would render the provision valid, then the provision shall have the meaning which renders it valid.
6.6 Successors and Assigns. The Business Associate Terms shall be binding upon, and shall inure to the benefit of the Parties hereto, their respective successors and assigns.
6.7 Waiver of Breach. No failure by a Party to insist upon the strict performance of any covenant, agreement, term or condition of the Business Associate Terms, shall constitute a waiver of any such breach of such covenant, agreement, term or condition. Either Party may waive compliance by the other Party with any of the provisions of this Agreement if done so in writing. No waiver of any provision shall be construed as a waiver of any other provision or any subsequent waiver of the same provision.
6.8 Entire Agreement. The Terms, the Business Associate Terms and modifications thereto shall constitute the entire understanding between the Parties as to the rights, obligations, duties and services to be performed thereunder.
Last Modified: February 4, 2013