HIPAA COMPLIANCE AGREEMENT:
PROVIDER / BUSINESS ASSOCIATE CHAIN OF TRUST
THIS AGREEMENT is made effective on the date agreed upon (“EFFECTIVE DATE”) by and between the MediMobile Messaging user (“PROVIDER-COVERED ENTITY”) and JPG Technologies, Inc. (“BUSINESS ASSOCIATE”). The purpose of this Agreement is to satisfy certain obligations of Business Associate under the Health Insurance Portability and Accountability Act of 1997 and its implementing regulations (45 C.F.R. Parts 160-1640) (“HIPAA”) to ensure the integrity and confidentiality of Protected Health Information (PHI).
In consideration of the foregoing and other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, Provider and Business Associate agree as follows:
Definitions: Capitalized terms used, but not otherwise defined, in this Agreement shall have the meanings given them in the HIPAA Rules. For convenience of reference, the definitions of “Individually Identifiable Health Information,” “Protected Health Information,” and “HIPAA Rules” as of the Effective Date are as follows:
- 1.1 “Individually Identifiable Health Information,” hereafter called IIHI, means information that is a subset of health information, including demographic information collected from an individual, and (i) is created or received by a healthcare provider, health plan, employer, or healthcare clearinghouse; and (ii) relates to the past, present, or future physical or mental health or condition of an individual; the provision of healthcare to an individual; or the past, present, or future payment for the provision of healthcare to an individual; and (a) that identifies the individual, or (b) with respect to which there is a reasonable basis to believe the information can be used to identify the individual.
- 1.2 “Protected Health Information,” hereafter called PHI, means IIHI that Provider receives from Business Associate or from another Provider of Business Associate, or which Provider creates for Business Associate, and which is transmitted or maintained in any form or medium. PHI shall not include education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. §1232g, or records described in 20 U.S.C. §1232g(a)(4)(B)(iv), or employment records held by Business Associate in its role as employer.
- 1.3 “HIPAA Rules” shall mean the Privacy, Security, Breach Notification and Enforcement Rules at 45 CFR Part 160 and Part 164.
Applicability of Terms – Conflicts: This Agreement applies to all past, present, and future contracts and relationships between Provider and Business Associate, written and unwritten, formal or informal, in which Provider provides PHI to Business Associate in any form whatsoever. As of the Effective Date, this Agreement automatically amends all existing agreements between Provider and Business Associate involving the use or disclosure of PHI. This Agreement shall automatically be incorporated in all subsequent agreements between Provider and Business Associate involving the use or disclosure of PHI, whether or not specifically referenced therein. In the event of any conflict or inconsistency between a provision of this Agreement and a provision of any other agreement between Provider and Business Associate, the provision of this Agreement shall control unless: (i) Provider specifically agrees to the contrary in writing, or (ii) the provision in such other agreement establishes additional rights for the Provider or additional duties for or restrictions on Business Associate with respect to PHI, in which case the provision of such other agreement will control.
Obligation and Activities of Business Associate:
- 3.1 Non-disclosure: Business Associate shall not use or disclose PHI other than as permitted or required by this Addendum, as Required by Law, or as otherwise authorized by Provider.
- 3.2 Safeguards: Business Associate shall use appropriate safeguards to prevent use or disclosure of the PHI other than as provided by this Addendum. Business Associate shall develop, implement, maintain and use appropriate administrative, technical and physical safeguards to preserve the integrity and confidentiality of and prevent non-permitted or violating use or disclosure of PHI whether transmitted electronically or physically transported. Business Associate shall document and keep these safeguards current.
- 3.3 Mitigation: Provider shall mitigate, to the extent practicable, any harmful effect that is known to the Provider of a use or disclosure of PHI by Business Associate in violation of the requirements of this Addendum.
- 3.4 Reporting: Business Associate shall report to the Privacy Officer of the Provider, in writing, any use and/or disclosure of PHI that is not permitted or required by this Addendum of which the Business Associate becomes aware. Such report shall be made as soon as reasonably possible, but in no event more than five (5) business days after discovery by Business Associate of such unauthorized use or disclosure. This reporting obligation shall include breaches by Business Associate, its employees, subcontractors or agents. Each such report of a breach will: (i) identify the nature of the non-permitted or violating use or disclosure; (ii) identify the PHI used or disclosed; (iv) identify who received the non-permitted or violating use or disclosure; (v) identify what corrective action Business Associate took or shall take to prevent further non-permitted or violating uses or disclosures; (vi) identify what Business Associate did or shall do to mitigate any deleterious effect of the non-permitted or violating use or disclosure; and (vii) provide such other information as Provider may reasonably request.
- 3.5 Agents and Subcontractors: Business Associate shall ensure that any agent, including a subcontractor, to whom it provides PHI received from, or created or received by Business Associate on behalf of, Provider agrees to the same restrictions and conditions that apply through this Addendum to Business Associate with respect to such information.
- 3.6 Access: Business Associate shall provide access, within five (5) business days of receiving a written or verbally documented request from the Provider, to a Designated Record Set of Provider, to Provider (or as directed by Provider, to an individual) in order to meet the requirements under 45 C.F.R. § 164.524. This provision does not apply if Business Associate and its employees, subcontractors and agents have no PHI from a Designated Record Set of the Provider.
- 3.7 Amendments: Business Associate shall make, upon written or verbally documented request from Provider, any amendment(s) to PHI in a Designated Record Set of Provider that Provider directs or agrees to pursuant to 45 C.F.R. §64.526. This provision does not apply if Business Associate and its employees, subcontractors and agents have no PHI from a Designated Record Set of the Provider.
- 3.8 Records: Business Associate shall make available its internal practices, books and records, which may or may not include policies and procedures and PHI, relating to the use and disclosure of PHI received from, or created by Business Associate on behalf of, Provider. Records of the Business Associate shall be available within five (5) working days of a written or verbally documented request, or sooner if requested by the Secretary of Health and Human Services, to determine whether the Business Associate is complying with HIPAA.
- 3.9 Accounting for Disclosures: Business Associate shall make notations in its records of any disclosure of PHI to anyone other than Provider while tracking completed tasks involving IIHI or PHI. An accounting of any notations of such disclosures of PHI, in accordance with 45 C.F.R. §164.528, shall be made available within five (5) working days of a written or verbally documented request. This will provide the information needed should a patient request an accounting of disclosures of their PHI.
Permitted Uses and Disclosures by Business Associate:
- 4.1 Business Associate may only use or disclose PHI in the following scenarios:
- (a) Business Associate may use or disclose PHI as necessary to perform the services set forth in the Service Agreement.
- (b) Business Associate may use or disclose PHI as required by law.
Term and Termination:
- 5.1 Term: This Agreement will commence as of the Effective Date, and shall terminate when all PHI provided by the Provider to the Business Associate, or created or received by the Business Associate on behalf of the Provider, is returned to the Provider.
- 5.2 Termination for Cause: As provided in HIPAA, including 45 C.F.R. §164.504(e)(2)(iii), upon Provider’s reasonable determination that Business Associate has breached a material term of this Agreement, or 45 C.F.R. §164.504(e)(1)(ii), in the event the Provider knows of a “pattern of activity or practice” on the part of Business Associate that constitutes a material breach of this Agreement, the Provider shall be entitled to do any one or more of the following:
- (a) Give Business Associate written notice of the existence of such breach and give Business Associate an opportunity to cure upon mutually agreeable terms. If Business Associate does not cure the breach or end the violation according to such terms, or if Provider and Business Associate are unable to agree upon such terms, Provider may immediately terminate any agreement between Provider and Business Associate, which is the subject of such breach.
- (b) Immediately terminate any agreement between Provider and Business Associate, which is the subject of such breach.
- (c) Immediately stop all further disclosures of PHI to Business Associate pursuant to each agreement between Business Associate and Provider, which is the subject of such breach.
- 5.3 Effect of Termination: Upon receipt of written demand from Provider, Business Associate agrees to immediately return, except to the extent infeasible, all PHI demanded by the Provider, including all such PHI which Business Associate has disclosed to its employees, subcontractors and/or agents. Destruction shall include destroying all copies, including backup disks and other electronic backup media. In the event the return of some or all such PHI is infeasible, PHI not returned pursuant to this paragraph shall be used or disclosed only for those purposes that make the return infeasible.
- 5.4 Continuing Privacy Obligation: Business Associate’s obligation to protect the privacy of PHI is continuous and survives any termination, cancellation, expiration, or other conclusion of this Agreement or any other agreement between Business Associate and Provider.
Notices: All notices pursuant to this Agreement must be given in writing and shall be effective when received if hand-delivered, or upon dispatch if sent by reputable overnight delivery service, facsimile or U.S. Mail to the appropriate address or facsimile number as set forth at the end of this Agreement.
Miscellaneous: Business Associate and Provider agree that individuals who are subject to PHI are not third-party beneficiaries of this Agreement. This Agreement may not be amended, altered or modified except by written agreement signed by Business Associate and Provider. A waiver of any term or provision shall not be construed as a waiver of any other term or provision. Nothing in Section 3 of this Agreement shall be deemed a waiver of any legally recognized claim of privilege available to Business Associate. The persons below have the right and authority to execute this Agreement for their respective entities and no further approvals are necessary to create a binding Agreement.