Business Associate Addendum

14 April 2022

This Business Associate Addendum (“Addendum”) is entered into by and between the Licensee, as defined in the Master Subscription Agreement and applicable Services Order Form(s) (herein referred to as “Covered Entity”), and RepeatMD, Inc. (herein referred to as “Business Associate”), as part of that certain Master Subscription Agreement (the “MSA”) to which this Addendum is attached and incorporated. This Addendum is effective as of the date of the MSA and applicable Services Order Form(s) (the “Subscription Start Date”). Covered Entity and Business Associate may be referred to herein collectively as the “Parties” or individually as “Party.”

WHEREAS, pursuant to the MSA, Business Associate may provide services to or for Covered Entity that require Business Associate to access, create, transmit and/or use protected health information (PHI) that is protected by state and/or federal law;

WHEREAS, pursuant to the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the U.S. Department of Health & Human Services (HHS) promulgated the Standards for Privacy of Individually Identifiable Health Information (the “Privacy Standards”), at 45 C.F.R. Parts 160 and 164, requiring certain individuals and entities subject to the Privacy Standards to protect the privacy of certain individually identifiable health information, and has issued the Security Standards (the “Security Standards”), at 45 C.F.R. Parts 160, 162 and 164, for the protection of electronic protected health information (“EPHI”), as amended by applicable provisions of the Health Information Technology for Economic and Clinical Health Act (Title XIII, Subtitle D) and its implementing regulations (the “HITECH Act”) (collectively, the “HIPAA Regulations”);

WHEREAS, in order to protect the privacy and security of PHI, including EPHI, HIPAA, the HITECH Act and the HIPAA Regulations require covered entities and business associates to enter into a “business associate agreement” with certain individuals and entities providing services for or on behalf of the covered entity or business associate if such services require the use or disclosure of PHI or EPHI; and

WHEREAS, Business Associate and Covered Entity desire to enter into this Addendum and agree to be bound by the following terms and conditions.

NOW THEREFORE, in consideration of the mutual promises set forth in this Addendum and the MSA, and other good and valuable consideration, the sufficiency and receipt of which are hereby severally acknowledged, the parties agree as follows:

1.  Defined Terms

1.1  All capitalized terms used but not otherwise defined in this Addendum shall have the meanings set forth in HIPAA, the HITECH Act and the HIPAA Regulations, as applicable, and as amended from time to time. Notwithstanding the foregoing, any reference to PHI is limited when used herein to the PHI accessed, created, received, maintained, or transmitted by Business Associate from or on behalf of Covered Entity. A reference in this Addendum to a section in HIPAA, the HITECH Act, or the HIPAA Regulations means the section in effect or as amended. All capitalized terms not otherwise defined in this Addendum or HIPAA, the HITECH Act or the HIPAA Regulations shall have the meanings set forth in the MSA.

2.  Business Associate Obligations.

2.1  Use and Disclosure. Business Associate shall not use or further disclose PHI other than as permitted or required by this Addendum, the MSA, or as Required by Law. Business Associate shall comply with the provisions of this Addendum relating to privacy and security of PHI and all present and future provisions of HIPAA that relate to the privacy and security of PHI and that are applicable to Covered Entity and/or Business Associate.

2.2  Appropriate Safeguards. Business Associate shall use appropriate safeguards, and comply, where applicable, with the Security Standards with respect to EPHI, to prevent the use or disclosure of PHI other than as expressly permitted under this Addendum or as Required by Law. Business Associate will:

2.2.1  Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the EPHI that it creates, receives, maintains, or transmits on behalf of Covered Entity, as required by the HIPAA Security Rule;

2.2.2  Not use or disclose PHI in a manner that would violate the requirements of HIPAA, the HITECH Act or the HIPAA Regulations if the PHI were used or disclosed by Covered Entity in the same manner, except as otherwise set forth herein; to the extent Business Associate is to carry out Covered Entity’s obligations under the Privacy Standards, comply with the requirements of the Privacy Rule that apply to Covered Entity in the performance of such obligations; and

2.2.3  Ensure that any of Business Associate’s subcontractors that create, receive, maintain, or transmit PHI on behalf of Business Associate agree in writing to the same (or more restrictive) restrictions and conditions that apply to the Business Associate with respect to such PHI under this Addendum, in accordance with 45 CFR §§164.502(e)(1)(ii) and 164.308(b)(2).

2.3  Reporting. Business Associate agrees to the following reporting procedures for Security Incidents that result in unauthorized access, use, disclosure, modification, or destruction of PHI or interference with system operations (“Successful Security Incidents”); and for Security Incidents that do not result in unauthorized access, use, disclosure, modification, or destruction of PHI or interference with system operations, including pings and other broadcast attacks on Business Associate’s firewall, port scans, unsuccessful log-on attempts, denials of service and any combination of the above (“Unsuccessful Security Incidents”).

2.3.1  Business Associate will promptly, without unreasonable delay, and at most within ten (10) business days, report to Covered Entity any Successful Security Incident of which it becomes aware. With respect to Unsuccessful Security Incidents, the Parties acknowledge and agree that this section constitutes notice by Business Associate to Covered Entity of the ongoing existence and occurrence of Unsuccessful Security Incidents, and, therefore, no further reporting on such incidents is required.

2.3.2  Business Associate shall report to Covered Entity any Breach of Unsecured PHI of which it becomes aware, as required by 45 C.F.R. § 164.410, without unreasonable delay, and in no event later than ten (10) business days after Business Associate, or any of its employees or agents, discovered the Breach. This report shall include, to the extent possible, the identification of each Individual who has been or is reasonably believed to have been affected by the Breach, along with any other information available to Business Associate about the Breach that is required to be included in the notification of Breach provided to the Individual, in accordance with 45 CFR 164.404(c).

A Breach of Unsecured PHI shall be treated as “discovered” as of the first day on which such Breach is known to Business Associate, or should have been known to Business Associate, other than the individual committing the Breach, by exercising reasonable diligence.

2.4  Mitigation. Business Associate agrees to mitigate, to the extent practical and unless otherwise requested by Covered Entity in writing, any harmful effect that is known to Business Associate and is the result of a use or disclosure of PHI by Business Associate or its employees, officers, Subcontractors, or agents in violation of this Addendum (including, without limitation, any Security Incident or Breach of Unsecured PHI), or HIPAA, the HITECH Act or the HIPAA Regulations. This includes coverage of reasonable fees associated with mitigating the breach.

2.5  Reports and Notices. Business Associate shall also reasonably cooperate and coordinate with Covered Entity in the preparation of any reports or notices to the Individual, a regulatory body or any third party required to be made under HIPAA, the HITECH Act, the HIPAA Regulations, or any other Federal or State laws, rules or regulations, provided that any such reports or notices shall be subject to the prior written approval of Covered Entity.

3.  Permitted Uses and Disclosures by Business Associate.

3.1  Master Subscription Agreement. Except as otherwise permitted herein or Required by Law, Business Associate shall use PHI only for the purpose of performing services for Covered Entity as such services are described in the MSA, provided that such use would not violate HIPAA, the HITECH Act or the HIPAA Regulations if done by Covered Entity, or violate the minimum necessary policies and procedures of the Covered Entity.

3.2  Use for Administration of Business Associate. Except as otherwise limited by this Addendum, Business Associate may use PHI as necessary for the proper management and administration of the Business Associate or to carry out its legal responsibilities, provided that such uses are permitted under federal and state law.

3.3  Disclosure for Administration of Business Associate. Subject to any limitations in this Addendum, Business Associate may disclose PHI to any third-party person or entity as necessary to perform its obligations under the MSA and as permitted or required by applicable federal or state law. Further, Business Associate may disclose PHI for the proper management and administration of the Business Associate, provided that (i) such disclosures are Required by Law, or (ii) Business Associate (a) obtains reasonable assurances from any third party to whom the information is disclosed that it will be held confidentially and used or further disclosed only as required by law or for the purpose for which it was disclosed to the third party; and (b) requires the third party to agree to notify Business Associate of any instances of which it is aware in which the confidentiality of the PHI has been breached.

3.4  Data Aggregation and De-Identified Data. Except as otherwise limited in this Addendum, Business Associate may use PHI to provide Data Aggregation services to Covered Entity as permitted by 42 C.F.R. § 164.504(e)(2)(i)(B) and in compliance with state law where Covered Entity performs its services. Where permissible by federal and state law, Business Associate may De-Identify any and all PHI, provided that the De-Identification conforms to the requirements of the Privacy Standards. Any such De-Identified information does not constitute PHI and is not subject to the terms of this Addendum once de-identified.

4.  Access and Amendments to Designated Record Sets. Business Associate will not possess or maintain PHI in a Designated Record Set on behalf of the Covered Entity.

5.  Accounting of Disclosures. Business Associate agrees to document such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an Accounting of Disclosures of PHI in accordance with HIPAA. Business Associate agrees to provide to Covered Entity or an Individual, within twenty (20) days of a request by Covered Entity, information collected disclosed in accordance with Section 2.1 of this Addendum, to permit Covered Entity to respond to a request by an Individual for an Accounting of Disclosures of PHI in accordance with HIPAA, the HITECH Act and the HIPAA Regulations. If an Individual makes a request for an Accounting directly to Business Associate, Business Associate shall notify Covered Entity of the request within three (3) business days of such request and will cooperate with Covered Entity regarding the response to the request.

6.  Records and Audit. Business Associate shall make available to Covered Entity and to the Department of Health and Human Services (“HHS”) or its agents, its internal practices, books, and records relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of, Covered Entity for the purpose of determining Covered Entity’s compliance with HIPAA, the HITECH Act, and the HIPAA Regulations, in a time and manner designated by the Secretary of HHS.

7.  Minimum Necessary. Business Associate agrees to limit its requests for and uses and disclosures of Covered Entity’s PHI to the minimum necessary and comply with any minimum necessary policies and procedures that Covered Entity provides to Business Associate.

8.  Obligations of Covered Entity.

8.1  Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would violate this Addendum or HIPAA, the HITECH Act or the HIPAA Regulations.

8.2  Covered Entity shall notify Business Associate of any limitation(s) in its Notice of Privacy Practices in accordance with 45 C.F.R. § 164.520, to the extent that such limitation may affect Business Associate’s use or disclosure of PHI.

8.3  Covered Entity hereby agrees to promptly notify Business Associate, in writing and in a timely manner, of any arrangements permitted by or required of Covered Entity under the Privacy Standards that may impact in any manner the use or disclosure of PHI by Business Associate under this Addendum or the MSA, including without limitation restrictions on the use or disclosure of PHI agreed to by Covered Entity, as provided for in 45 C.F.R. § 164.522 as amended by the HITECH Act.

9.  Term and Termination.

9.1  Term. This Addendum shall commence on the Effective Date and shall remain in effect until terminated in accordance with the terms of this Section 10; provided, however, that any termination shall not affect the respective obligations or rights of the Parties arising under this Addendum prior to the effective date of termination, all of which shall continue in accordance with their terms.

9.2  Termination for Cause. If Covered Entity determines that Business Associate has violated a material term of this Addendum, Covered Entity shall either: (i) provide written notice to Business Associate and provide an opportunity for Business Associate to cure the breach or end the violation within the time specified by Covered Entity, and terminate this Addendum and/or the MSA if Business Associate does not cure the breach or end the violation within such time, or (ii) immediately terminate this Addendum and/or the MSA if cure is not possible.

9.3  Termination of the MSA. Upon the termination of the MSA, either Party may terminate this Addendum by providing written notice to the other Party.

9.4  Effect of Termination. Upon termination of this Addendum for any reason, Business Associate agrees either to return to Covered Entity, or to destroy, all PHI received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity, that is in the possession or control of Business Associate, its subcontractors or agents. In the case of PHI that Business Associate determines is not feasible to “return or destroy,” Business Associate shall extend the protections of this Addendum to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such PHI. The obligations under this Section 9.4 shall survive termination of this Addendum and shall continue as long as Business Associate maintains such PHI.

10.  Miscellaneous

10.1  Notice. Except as otherwise expressly permitted herein, all notices required or permitted to be given hereunder shall be in writing and shall be deemed effective when personally delivered; when received by telegraphic or other electronic means (including facsimile); when delivered by overnight courier; or three (3) days after being deposited in the United States mail, with postage prepaid thereon, certified or registered mail, return receipt requested, at the address listed in the Services Order Form for the relevant Party, or to such other address, and to the attention of such other person or officer, as any Party may designate, at any time, in writing in conformity with these notice provisions.

10.2  Waiver. No provision of this Addendum or any breach thereof shall be deemed waived unless such waiver is in writing and signed by the Party claimed to have waived such provision or breach. No waiver of a breach shall constitute a waiver of or excuse any different or subsequent breach.

10.3  Assignment. Neither Party may assign (whether by operation of law or otherwise) any of its rights, or delegate or subcontract any of its obligations under this Addendum without the prior written consent of the other Party. Notwithstanding the foregoing, any assignment permitted under the MSA shall be permissible hereunder.

10.4  Severability. Any provision of this Addendum that is determined to be invalid or unenforceable will be ineffective to the extent of such determination without invalidating the remaining provisions of this Addendum or affecting the validity or enforceability of such remaining provisions.

10.5  Entire Agreement. This Addendum constitutes the complete agreement between Business Associate and Covered Entity relating to the matters specified in this Addendum, and supersedes all prior representations or agreements, whether oral or written, with respect to such matters. In the event of any conflict between the terms of this Addendum and the terms of the MSA or any such later agreement(s), the terms of this Addendum shall control, unless the terms of the MSA are stricter with respect to PHI and comply with HIPAA, the HITECH Act and the HIPAA Regulations, or the Parties specifically otherwise agree in writing. No oral modification or waiver of any of the provisions of this Addendum shall be binding on either Party. This Addendum is for the benefit of, and shall be binding upon, the Parties, their affiliates and respective successors and permitted assigns. No third party shall be considered a third-party beneficiary under this Addendum, nor shall any third party have any rights as a result of this Addendum.

10.6  Governing Law. This Addendum shall be governed by and interpreted in accordance with the laws of the State of Texas. Each Party hereby irrevocably and unconditionally agrees that the exclusive venue for any litigation arising out of or relating to this Addendum shall be the state or federal court located in the City of Houston, Texas (the “Houston Courts”), and each Party hereby waives any objection to the laying of venue of any such litigation in the Houston Courts and agrees not to plead or claim in any Houston Court that such litigation brought therein has been brought in an inconvenient forum.

10.7  Nature of Addendum. None of the provisions of this Addendum are intended to create, nor shall be deemed or construed to create, any relationship between the Parties hereto other than that of Independent Contractors. Neither Business Associate nor any of its employees, Subcontractors, or other agents shall be deemed to be an “agent,” “employee,” “servant,” or “joint employee” of Covered Entity.

10.8  Modifications to Comply with Standards. In the event that additional regulations are promulgated under HIPAA, or any existing HIPAA Regulations are amended, and a Party determines in good faith that any such regulation adopted or amended after the Effective Date shall cause any paragraph or provision of this Addendum to be invalid, void, or in any manner unlawful, or subject either Party to penalty, then the Parties agree to negotiate in good faith to modify and amend this Addendum in a manner that would eliminate any such risk.