This Business Associate Agreement (“Agreement”) is entered into by and between CollaborateMD, Inc. (“CollaborateMD”) and the Covered Entity (“Customer”). It will be in effect during any such time period that Customer has subscribed to and is using CollaborateMD’s services and upon termination as set forth in Section 5 of this Agreement. CollaborateMD and Customer may be individually referred to as a “Party” and, collectively, the “Parties” in this Agreement.
A. CollaborateMD is providing services to Customer under an existing agreement (the “Underlying Agreement”), and Customer wishes to disclose certain information to CollaborateMD pursuant to the terms of such Underlying Agreement, some of which may constitute Protected Health Information (“PHI”) (defined below).
B. Customer and CollaborateMD intend to protect the privacy and provide for the security of PHI disclosed to CollaborateMD pursuant to the Underlying Agreement in compliance with (i) the Health Insurance Portability and Accountability Act of 1996, Public Law No. 104-191 (“HIPAA”); (ii) Subtitle D of the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”), also known as Title XIII of Division A and Title IV of Division B of the American Recovery and Reinvestment Act of 2009, Public Law No. 111-005; and (iii) regulations promulgated thereunder by the U.S. Department of Health and Human Services, including the HIPAA Omnibus Final Rule, which amended the HIPAA Privacy and Security Rules (as those terms are defined below) and implemented a number of provisions of the HITECH Act (the “HIPAA Final Rule”), extending certain HIPAA obligations to CollaborateMD and their subcontractors.
C. The purpose of this Agreement is to satisfy certain standards and requirements of HIPAA, the Privacy Rule and the Security Rule (as those terms are defined below), and the HITECH Act, including, but not limited to, Title 45, §§ 164.314(a)(2)(i), 164.502(e) and 164.504(e) of the Code of Federal Regulations (“C.F.R.”).
SECTION 1: DEFINITIONS
“Breach” will have the same meaning given to such term in 45 C.F.R. § 164.402.
“Designated Record Set” will have the same meaning as the term “designated record set” in 45 C.F.R. § 164.501.
“Electronic Protected Health Information” or “Electronic PHI” will have the meaning given to such term under the Privacy Rule and the Security Rule, including, but not limited to, 45 C.F.R. § 160.103, as applied to the information that CollaborateMD creates, receives, maintains or transmits from or on behalf of Customer.
“Individual” will have the same meaning as the term “individual” in 45 C.F.R. § 160.103 and will include a person who qualifies as a personal representative in accordance with 45 C.F.R. § 164.502(g).
“Privacy Rule” will mean the Standards for Privacy of Individually Identifiable Health Information at 45 C.F.R. Part 160 and Part 164, Subparts A and E.
“Protected Health Information” or “PHI” will have the same meaning as the term “protected health information” in 45 C.F.R. § 160.103, as applied to the information created, received, maintained or transmitted by CollaborateMD from or on behalf of Customer.
“Required by Law” will have the same meaning as the term “required by law” in 45 C.F.R. § 164.103.
“Secretary” will mean the Secretary of the Department of Health and Human Services or his or her designee.
“Security Incident” will have the meaning given to such term in 45 C.F.R. § 164.304.
“Security Rule” will mean the Security Standards at 45 C.F.R. Part 160 and Part 164, Subparts A and C.
“Unsecured PHI” will have the same meaning given to such term under 45 C.F.R. § 164.402, and guidance promulgated thereunder.
Capitalized Terms. Capitalized terms used in this Agreement and not otherwise defined herein will have the meanings set forth in the Privacy Rule, the Security Rule, and the HIPAA Final Rule, which definitions are incorporated in this Agreement by reference.
SECTION 2: PERMITTED USES AND DISCLOSURES OF PHI
2.1 Uses and Disclosures of PHI Pursuant to the Underlying Agreement. Except as otherwise limited in this Agreement, CollaborateMD may use or disclose PHI to perform functions, activities or services for, or on behalf of, Customer as specified in the Underlying Agreement, provided that such use or disclosure would not violate the Privacy Rule if done by Customer.
2.2 Permitted Uses of PHI by CollaborateMD. Except as otherwise limited in this Agreement, CollaborateMD may use PHI for the proper management and administration of CollaborateMD or to carry out the legal responsibilities of CollaborateMD.
2.3 Permitted Disclosures of PHI by CollaborateMD. Except as otherwise limited in this Agreement, CollaborateMD may disclose PHI for the proper management and administration of CollaborateMD, provided that the disclosures are Required by Law, or CollaborateMD obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and will be used or further disclosed only as Required by Law or for the purpose for which it was disclosed to the person (which purpose must be consistent with the limitations imposed upon CollaborateMD pursuant to this Agreement), and that the person agrees to notify CollaborateMD of any instances of which it is aware in which the confidentiality of the information has been breached. CollaborateMD may disclose PHI to report violations of law to appropriate federal and state authorities, consistent with 45 C.F.R. § 164.502(j)(1).
2.4 Data Aggregation. Except as otherwise limited in this Agreement, CollaborateMD may use PHI to provide Data Aggregation services for the Health Care Operations of the Customer as permitted by 45 C.F.R. § 164.504(e)(2)(i)(B).
2.5 De-identified Data. CollaborateMD may de-identify PHI in accordance with the standards set forth in 45 C.F.R. § 164.514(b) and may use or disclose such de-identified data unless prohibited by applicable law.
SECTION 3: OBLIGATIONS OF COLLABORATEMD
3.1 Appropriate Safeguards. CollaborateMD will use appropriate safeguards and will, after the compliance date of the HIPAA Final Rule, comply with the Security Rule with respect to Electronic PHI, to prevent use or disclosure of such information other than as provided for by the Underlying Agreement and this Agreement. Except as expressly provided in the Underlying Agreement or this Agreement, CollaborateMD will not assume any obligations of Customer under the Privacy Rule. To the extent that CollaborateMD is to carry out any of Customer’s obligations under the Privacy Rule as expressly provided in the Underlying Agreement or this Agreement, CollaborateMD will comply with the requirements of the Privacy Rule that apply to Customer in the performance of such obligations.
3.2 Reporting of Improper Use or Disclosure, Security Incident or Breach. CollaborateMD will report to Customer any use or disclosure of PHI not permitted under this Agreement, Breach of Unsecured PHI or any Security Incident, without unreasonable delay, and in any event no more than thirty (30) days following discovery; provided, however, that the Parties acknowledge and agree that this Section constitutes notice by CollaborateMD to Customer of the ongoing existence and occurrence of attempted but Unsuccessful Security Incidents (as defined below). “Unsuccessful Security Incidents” will include, but not be limited to, pings and other broadcast attacks on CollaborateMD’s firewall, port scans, unsuccessful log-on attempts, denials of service and any combination of the above, so long as no such incident results in unauthorized access, use or disclosure of PHI. CollaborateMD’s notification to Customer of a Breach will include: (i) the identification of each individual whose Unsecured PHI has been, or is reasonably believed by CollaborateMD to have been, accessed, acquired or disclosed during the Breach; and (ii) any particulars regarding the Breach that Customer would need to include in its notification, as such particulars are identified in 45 C.F.R. § 164.404.
3.3 CollaborateMD’s Agents. In accordance with 45 C.F.R. § 164.502(e)(1)(ii) and 45 C.F.R. §164.308(b)(2), as applicable, CollaborateMD will enter into a written agreement with any agent or subcontractor that creates, receives, maintains or transmits PHI on behalf of CollaborateMD for services provided to Customer, providing that the agent agrees to restrictions and conditions that are substantially similar to those that apply through this Agreement to CollaborateMD with respect to such PHI.
3.4 Access to PHI. The Parties do not intend for CollaborateMD to maintain any PHI in a Designated Record Set for Customer. To the extent CollaborateMD possesses PHI in a Designated Record Set, CollaborateMD agrees to make such information available to Customer pursuant to 45 C.F.R. § 164.524, within ten (10) business days of CollaborateMD’s receipt of a written request from Customer; provided, however, that CollaborateMD is not required to provide such access where the PHI contained in a Designated Record Set is duplicative of the PHI contained in a Designated Record Set possessed by Customer. If an Individual makes a request for access pursuant to 45 C.F.R. §164.524 directly to CollaborateMD, or inquires about his or her right to access, CollaborateMD will either forward such request to Customer or direct the Individual to Customer.
3.5 Amendment of PHI. The Parties do not intend for CollaborateMD to maintain any PHI in a Designated Record Set for Customer. To the extent CollaborateMD possesses PHI in a Designated Record Set, CollaborateMD agrees to make such information available to Customer for amendment pursuant to 45 C.F.R. § 164.526 within twenty (20) business days of CollaborateMD’s receipt of a written request from Customer. If an Individual submits a written request for amendment pursuant to 45 C.F.R. § 164.526 directly to CollaborateMD, or inquires about his or her right to amendment, CollaborateMD will either forward such request to Customer or direct the Individual to Customer.
3.6 Documentation of Disclosures. CollaborateMD agrees to document such disclosures of PHI and information related to such disclosures as would be required for Customer to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528. CollaborateMD will document, at a minimum, the following information (“Disclosure Information”): (a) the date of the disclosure; (b) the name and, if known, the address of the recipient of the PHI; (c) a brief description of the PHI disclosed; (d) the purpose of the disclosure that includes an explanation of the basis for such disclosure; and (e) any additional information required under the HITECH Act and any implementing regulations.
3.7 Accounting of Disclosures. CollaborateMD agrees to provide to Customer, within twenty (20) business days of CollaborateMD’s receipt of a written request from Customer, information collected in accordance with Section 3.6 of this Agreement, to permit Customer to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528. If an Individual submits a written request for an accounting of disclosures of PHI pursuant to 45 C.F.R. § 164.528 directly to CollaborateMD, or inquires about his or her right to an accounting, CollaborateMD will direct the Individual to Customer.
3.8 Governmental Access to Records. CollaborateMD will make its internal practices, books and records relating to the use and disclosure of PHI received from, or created or received by CollaborateMD on behalf of, Customer available to the Secretary for purposes of the Secretary determining Customer’s compliance with the Privacy Rule and the Security Rule.
3.9 Mitigation. To the extent practicable, CollaborateMD will cooperate with Customer’s efforts to mitigate a harmful effect that is known to CollaborateMD of a use or disclosure of PHI by CollaborateMD that is not permitted by this Agreement.
3.10 Minimum Necessary. CollaborateMD will request, use and disclose the minimum amount of PHI necessary to accomplish the purpose of the request, use or disclosure, in accordance with 45 C.F.R. § 164.514(d), and any amendments thereto.
3.11 HIPAA Final Rule Applicability. CollaborateMD acknowledges that enactment of the HITECH Act, as implemented by the HIPAA Final Rule, amended certain provisions of HIPAA in ways that now directly regulate, or will on future dates directly regulate, CollaborateMD under the Privacy Rule and Security Rule. CollaborateMD agrees, as of the compliance date of the HIPAA Final Rule, to comply with applicable requirements imposed under the HIPAAFinal Rule, including any amendments thereto.
SECTION 4: OBLIGATIONS OF CUSTOMER
4.1 Notice of Privacy Practices. Customer will notify CollaborateMD of any limitation(s) in its notice of privacy practices in accordance with 45 C.F.R. § 164.520, to the extent that such limitation may affect CollaborateMD’s use or disclosure of PHI. Customer will provide such notice no later than fifteen (15) days prior to the effective date of the limitation.
4.2 Notification of Changes Regarding Individual Permission. Customer will obtain any consent or authorization that may be required by the Privacy Rule, or applicable state law, prior to furnishing CollaborateMD with PHI. Customer will notify CollaborateMD of any changes in, or revocation of, permission by an Individual to use or disclose PHI, to the extent that such changes may affect CollaborateMD’s use or disclosure of PHI. Customer will provide such notice no later than fifteen (15) days prior to the effective date of the change.
4.3 Notification of Restrictions to Use or Disclosure of PHI. Customer will notify CollaborateMD of any restriction to the use or disclosure of PHI that Customer has agreed to in accordance with 45 C.F.R. § 164.522, to the extent that such restriction may affect CollaborateMD’s use or disclosure of PHI. Customer will provide such notice no later than fifteen (15) days prior to the effective date of the restriction. If CollaborateMD reasonably believes that any restriction agreed to by Customer pursuant to this Section may materially impair CollaborateMD’s ability to perform its obligations under the Underlying Agreement or this Agreement, the Parties will mutually agree upon any necessary modification of CollaborateMD’s obligations under such agreements.
4.4 Permissible Requests by Customer. Customer will not request CollaborateMD to use or disclose PHI in any manner that would not be permissible under the Privacy Rule, the Security Rule or the HITECH Act if done by Customer, except as permitted pursuant to the provisions of Sections 2.2, 2.3, 2.4 and 2.5 of this Agreement.
SECTION 5: TERM AND TERMINATION
5.1 Term. The term of this Agreement will commence as of the Effective Date, and will terminate when all of the PHI provided by Customer to CollaborateMD, or created or received by CollaborateMD on behalf of Customer, is de-identified or returned to Customer. If it is infeasible to return, CollaborateMD will extend the protections to such information, in accordance with Section 5.3.
5.2 Termination for Cause. Upon either Party’s knowledge of a material breach by the other Party of this Agreement, such Party may terminate this Agreement immediately if cure is not possible. Otherwise, the non-breaching party will provide written notice to the breaching Party detailing the nature of the breach and providing an opportunity to cure the breach within thirty (30) business days. Upon the expiration of such thirty (30) day cure period, the non-breaching Party may terminate this Agreement if the breaching party does not cure the breach or if cure is not possible. If termination is not feasible, the non-breaching party may report the breach or violation to the Secretary.
5.3 Effect of Termination.
5.3.1 If it is infeasible for CollaborateMD to return the PHI upon termination of the Underlying Agreement or this Agreement, CollaborateMD will: (a) extend the protections of this Agreement to such PHI and (b) limit further uses and disclosures of such PHI to those purposes that make the return infeasible, for so long as CollaborateMD maintains such PHI.
SECTION 6: COOPERATION IN INVESTIGATIONS
The Parties acknowledge that certain breaches or violations of this Agreement may result in litigation or investigations pursued by federal or state governmental authorities of the United States resulting in civil liability or criminal penalties. Each Party will cooperate in good faith in all respects with the other Party in connection with any request by a federal or state governmental authority for additional information and documents or any governmental investigation, complaint, action or other inquiry.
SECTION 7: SURVIVAL
The respective rights and obligations of CollaborateMD under Section 5.3 of this Agreement will survive the termination of this Agreement and the Underlying Agreement.
SECTION 8: AGREEMENT
This Agreement may be modified, or any rights under it waived, only by a written document executed by the authorized representatives of both Parties. In addition, if any relevant provision of the Privacy Rule, the Security Rule or the HIPAA Final Rule is amended in a manner that changes the obligations of CollaborateMD or Customer that are embodied in terms of this Agreement, then the Parties agree to negotiate in good faith appropriate non-financial terms or amendments to this Agreement to give effect to such revised obligations.
SECTION 9: EFFECT OF AGREEMENT
In the event of any inconsistency between the provisions of this Agreement and the Underlying Agreement, the provisions of this Agreement will control. In the event that a court or regulatory agency with authority over CollaborateMD or Customer interprets the mandatory provisions of the Privacy Rule, the Security Rule or the HIPAA Final Rule, in a way that is inconsistent with the provisions of this Agreement, such interpretation will control. Where provisions of this Agreement are different from those mandated in the Privacy Rule, the Security Rule, or the HIPAA Final Rule, but are nonetheless permitted by such rules as interpreted by courts or agencies, the provisions of this Agreement will control.
SECTION 10: GENERAL
This Agreement is governed by, and will be construed in accordance with, the laws of the Florida. Any action relating to this Agreement must be commenced within one year after the date upon which the cause of action accrued. Customer will not assign this Agreement without the prior written consent of CollaborateMD, which will not be unreasonably withheld. If any part of a provision of this Agreement is found illegal or unenforceable, it will be enforced to the maximum extent permissible, and the legality and enforceability of the remainder of that provision and all other provisions of this Agreement will not be affected. All notices relating to the Parties’ legal rights and remedies under this Agreement will be provided in writing to a Party, will be sent to its address set forth in the Underlying Agreement, or to such other address as may be designated by that Party by notice to the sending Party, and will reference this Agreement. Nothing in this Agreement will confer any right, remedy, or obligation upon anyone other than Customer and CollaborateMD.
This Agreement is the complete and exclusive agreement between the Parties with respect to the subject matter hereof, superseding and replacing all prior agreements, communications, and understandings (written and oral) regarding its subject matter.
The Parties have caused this Agreement to be executed in their names by their duly authorized representatives per their acknowledgement of this Agreement.
Last Modified January 15, 2015.