UPDATED: MAY 15, 2019
- In accordance with the provisions of the Health Insurance Portability and Accountability Act of 1996, and the regulations promulgated thereunder, including the Privacy Rule and Security, as amended (“HIPAA”), you agree to follow and abide to the following standards (all undefined terms in Sections 18 and 19 have their meaning defined by the HIPAA regulations):
- You will ensure that your use of the Services complies with applicable law, including but not limited to laws relating to maintenance of privacy, security, and confidentiality of patient and other health information.
- You agree to implement and maintain appropriate administrative, physical and technical safeguards to protect information within the Services. Such safeguards must comply with federal, state, and local requirements, including the Privacy Rule and the Security Rule.
- You will maintain appropriate security with regard to all personnel, systems, and administrative processes used by you or members of your workforce to transmit, store and process electronic health information through the use of the Services.
- By using the Service, you consent to the terms of the Business Associate Agreement set forth below and you agree to protect any information received through such communication services in accordance with the terms of such business associate agreement.
- the Company applies the standards of the Privacy Rule in permitting access to the Service.
- You acknowledge that other federal and state laws impose additional restrictions on the use and disclosure of certain types of health information, or health information pertaining to certain classes of individuals.
- You agree that you are solely responsible for ensuring that personal health information is subject to the restrictions of the Privacy Rule and applicable law. In particular, you will:
- not make available to other users through the Service any information in violation of any restriction on use or disclosure (whether arising from your agreement with such users or under law);
- obtain all necessary consents, authorizations or releases from individuals required for making their personal health information available to the Company; and
- include such statements (if any) in your notice of privacy practices as may be required.
- the Company is committed to maintaining the confidentiality of information entrusted to us, especially individually identifiable personal and health information. the Company follows its HIPAA policies and procedures. You are responsible for determining if the Service meets your compliance standards.
USE OF PROTECTED HEALTH INFORMATION
The Service may include use of your patients’ Protected Health Information that you or your personnel input or upload onto the Service or that the Company receives on your behalf from your authorized service providers or our third-party partners (“Your Health Information”). You retain all rights with regard to Your Health Information, and the Company will only use such information as expressly permitted in this Agreement or our Business Associate Agreement. You authorize the Company, as your business associate, to use and disclose Your Health Information as follows:
- the Company will permit access to Your Health Information by business associates to whom you have consented to provide access to the Services and who have otherwise agreed to integrate with our systems pursuant to appropriate assurances. You acknowledge that once the Company has granted access rights to another provider or covered entity (or their respective business associates), the Company has no control over the uses and disclosures that the business associate makes of Your Health Information, and the recipient may be subject to its own legal or regulatory obligations (including HIPAA) to retain such information and make such information available to patients, governmental authorities and others as required by applicable law or regulation.
- the Company may “De-Identify” (means health information that has been de-identified in accordance with the provisions of the Privacy Rule) Your Health Information and use and disclose de-identified information.
- the Company may create limited data sets from Your Health Information, and disclose them for any purpose for which you may disclose a limited data set; and you hereby authorize the Company to enter into data use agreements on your behalf for the use of limited data sets, in accordance with applicable law and regulation.
- the Company may use Your Health Information in order to prepare analyses and reports, such as activity or quality-metrics reports, or any other reports the Service makes available, in order to render these reports to you. Preparation of such analyses and reports may include the use of data aggregation services relating to your treatment and health care operations, which the Company may perform using Your Health Information. Such reporting will be done in a manner that does not make any disclosure of Your Health Information that you would not be permitted to make.
- the Company may use Your Health Information for the proper management and administration of the Service and our business, and also as required to carry out its legal responsibilities. the Company may also disclose Your Health Information for such purposes if the disclosure is required by law, or the Company obtains reasonable assurances from the recipient that it will be held confidentially and used or further disclosed only (i) as required by law (as such term is defined in 45 CFR §164.103), or (ii) for the purpose for which it was disclosed to the recipient, and the recipient notifies the Company of any instances of which it is aware in which the confidentiality of the information has been breached. Without limiting the foregoing, the Company may permit access to the system by our contracted system developers under appropriate confidentiality agreements.
- From time to time the Company may incorporate information it receives from your authorized service providers; (including any third-party product or services)or our third-party partners into the Service provided to you. Such information may include, without limitation, clinical information such as lab results, imaging results, eligibility information, and prescription history; and shall, upon incorporation into the Service, be treated as “Your Health Information” for all purposes hereunder. You hereby authorize the Company to request and receive such information on your behalf from such authorized service providers or the Company’s third party partners.
- You are solely responsible for affording individuals their rights with respect to relevant portions of Your Health Information, such as the rights of access and amendment. You will not undertake to afford an individual any rights with respect to any information in the Service other than Your Health Information.
In consideration of the Company’s provision of the Service, you hereby transfer and assign to the Company all right, title and interest in and to all De-Identified Information that the Company makes from Your Health Information as outlined herein. You agree that the Company may use, disclose, market, license and sell such De-Identified Information for any purpose without restriction, and that you have no interest in such information, or in the proceeds of any sale, use, license, or other commercialization thereof. You acknowledge that the rights conferred by this Section are a major consideration for the provision of the Service, and absent these provisions, the Company would not enter into this Agreement and agree to provide the Services.
BUSINESS ASSOCIATE AGREEMENT
This Business Associate Agreement (this “BAA”) is entered into by and between the Company and you (“Healthcare Provider”) who entered into the Agreement for the Service. This BAA applies with respect to any and all Protected Health Information (PHI) that may be collected, accessed, used, processed or disclosed pursuant to the Company’s performance and Healthcare Provider’s receipt of services under the Agreement. Pursuant to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), as updated and amended by Subtitle D of the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”), the Company may from time to time act as a business associate in the performance of services for Healthcare Provider under the Agreement. In such event, the Healthcare Provider is a covered entity. Pursuant to this BAA, the Company and Healthcare Provider agree to access, use, process and disclose any such PHI in compliance with the requirements of HIPAA and the HITECH Act, and their implementing rules and regulations. By accepting the terms of the Agreement or by using any service made available under the terms of the Agreement, Healthcare Provider accepts the term and conditions of this BAA. Please note that the Company reserves the right, at our sole discretion, to change this BAA from time to time. Healthcare Provider’s continued use of the services provided under the Agreement after any such change takes effect will be deemed to constitute Healthcare Provider’s acceptance of and agreement to the revisions to this Agreement.
- Definitions. Capitalized terms not defined in this BAA will be defined as provided in HIPAA, the HITECH ACT and their implementing rules.
- Uses and Disclosures of PHI.
- Healthcare Provider may from time to time disclose PHI in conjunction with Healthcare Provider’s receipt of services under the Agreement. For purposes of this BAA, “Protected Health Information” (PHI) is limited to PHI, as defined in HIPAA, HITECH and their implementing rules, that is accessed, used, processed or disclosed pursuant to the Agreement.
- Neither party will access, use, process or disclose such PHI for any purpose other than as permitted under this BAA and applicable law. Each party may access, use, process and disclose the PHI it receives for the proper management and administration of such party, to perform its obligations under and receive the benefits of the service delivered under the Agreement and to otherwise carry out its legal responsibilities; provided, however, that in all cases such use is permitted under applicable law. Either party may disclose PHI if the disclosure is required by law. Either party may also disclose PHI for the proper management and administration of the business of such party, provided it obtains reasonable assurances from the person to whom the information is disclosed that it will be held confidentially and used or further disclosed only as required by law and for the purpose for which it was disclosed.
- Each party will maintain appropriate safeguards including, but not limited to, administrative, organizational, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of the PHI.
- If either party becomes aware of any unauthorized access to or use, processing or disclosure of unsecured PHI, it will so notify the other party. Such notice will contain: (i) the date of discovery of the unauthorized access, use, processing or disclosure; (ii) a listing of the identification of individuals and/or classes of individuals who are subject to the unauthorized access, use, processing or disclosure; and (iii) a general description of the nature of the unauthorized access, use, processing or disclosure. The party responsible for such unauthorized access, use, processing or disclosure will perform an appropriate risk assessment to determine whether the PHI has been compromised. In performing the risk assessment, such party will consider a combination of factors such as: (i) the nature and extent of the PHI affected, (ii) the unauthorized person who impermissibly used the PHI or to whom the PHI was impermissibly disclosed; (iii) whether PHI was acquired or viewed and (iv) the extent to which the risk to the PHI has been mitigated. The results of such risk assessment will be provided to the other party. the Company is not responsible for monitoring Healthcare Provider’s own access to or use, processing or disclosure of PHI.
- In the event of an unauthorized access to or use, processing or disclosure of unsecured PHI, the party responsible for such unauthorized access to or use, processing or disclosure of unsecured PHI will use reasonable efforts to mitigate, to the extent practicable, any harmful effect arising from such unauthorized access to or use, processing or disclosure of unsecured PHI.
- The parties will cooperate with respect to any required notifications that must be made to the individuals or the media with respect to any unauthorized access to or use, processing or disclosure of unsecured PHI.
- With respect to any subcontractor or agent to whom either party provides PHI, the disclosing party will first contractually obligate such subcontractor or agent to agree to protect such PHI pursuant to terms and conditions at least as protective as the terms of this Business Associate Agreement.
- the Company may de-identify any and all PHI that is in its possession or control provided that the Company implements de-identification criteria in accord with applicable law. De-identified information does not constitute PHI and is not subject to the terms of this BAA.
- Compliance with Law
- Each party is responsible for its own compliance with any and all existing or subsequent laws, whether by statute, regulation, common law, or otherwise, related to its access to or use, processing or disclosure of PHI. Healthcare Provider agrees that it will have and maintain appropriate consents from data subjects, as may be necessary, for the Company to access, use, process and disclose PHI in accordance with its delivery of services under the Agreement and as otherwise permitted under this BAA.
- The parties will provide each other only the minimum amount of PHI necessary for us to perform the Service described in the Agreement.
- Upon request by the Department of Health and Human Services (“HHS”), each party will make available to HHS the internal practices, books, and records of such party relating to the use and disclosure of PHI for purposes of ensuring compliance with the provisions of HIPAA and the HITECH Act.
- In the event that the Company receives an inquiry from an individual for access to or the right to amend PHI, it will advise Healthcare Provider of that communication and the request. The parties will cooperate in making PHI available to the individual and in making the requested amendment of PHI. The Healthcare Provider will retain and make available on request information required to provide an accounting of disclosures in accordance with the provisions of HIPAA and the HITECH Act.
- Termination and Destruction of PHI
- In the event that either party reasonably determines that the other has accessed, used, processed or disclosed unsecured PHI in a manner inconsistent with a material term of this Agreement, it will provide written notice of such breach to the other party and specify in reasonable detail any such breach. Upon receipt of such written notice, the receiving party will have 30 days to achieve compliance with this BAA or to establish a reasonable schedule for compliance with this BAA. In the event that a party fails or refuses to comply with this obligation, the other party may terminate this BAA upon written notice. If either party reasonably determines that the other party has accessed, used, processed or disclosed PHI in a manner inconsistent with this BAA following written notice of a prior breach, the non-breaching party may immediately terminate the Agreement.
- Within thirty (30) days of termination of this BAA, the Company will return to Healthcare Provider, or destroy, the PHI made available to the Company by the Healthcare Provide that is in its control and take reasonable steps to ensure that the Company has no means of identifying or reidentifying individuals who are the subject of such PHI. the Company will also obligate any subcontractor to return to the Company, or destroy, any such PHI in the subcontractor’s control.
- In the event that the Company is unable to return or destroy the PHI in its control, the Company will continue to protect such PHI from further disclosure.
- Limitation of Liability.UNDER NO CIRCUMSTANCES WILL MESASIX OR ITS AFFILIATES, OR ANY OF ITS OR THEIR RESPECTIVE DIRECTORS, OFFICERS, SHAREHOLDERS, PROPRIETORS, PARTNERS, EMPLOYEES, AGENTS, REPRESENTATIVES, SERVANTS, ATTORNEYS, PREDECESSORS, SUCCESSORS OR ASSIGNS, BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, PUNITIVE, EXEMPLARY OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, LOST PROFITS AND DAMAGES THAT RESULT FROM INCONVENIENCE, DELAY, OR LOSS OF USE) ARISING OUT OF ITS ACCESS TO OR USE, PROCESSING OR DISCLOSURE OF PHI, EVEN IF IT OR THEY HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages; thus, this limitation may not be applicable.
- Indemnification. Healthcare Provider will defend, indemnify, and hold harmless the Company and its affiliates, and its and their respective directors, officers, shareholders, proprietors, partners, employees, agents, representatives, servants, attorneys, predecessors, successors and assigns, from and against any and all claims, proceedings, damages, injuries, liabilities, losses, costs and expenses (including reasonable attorneys’ fees and litigation expenses), relating to or arising from Healthcare Provider’s (i) unauthorized access to or use, processing or disclosure of PHI, (ii) breach of this Agreement or (iii) violation of applicable law.
- Notices. All notices and other communications required or permitted to be given by the Company to you under this Agreement will be deemed to be properly given on the date when sent by email to the email address for you last recorded by the Company or sent by postal mail or private courier to the postal address for you last recorded by the Company. All notices and other communications required or permitted to be given by you to us under this BAA will be deemed to be properly given on the date when sent by postal mail or private courier to 2430 Victory Park Lane, Suite 2601, Dallas, Texas 75219 USA, Attention: Legal.
This BAA contains the final and entire agreement regarding the subject matter hereof and supersedes all previous and contemporaneous oral or written agreements. The failure by either party to enforce any right or provision of this BAA will not constitute a waiver of that provision or of any other provision of this BAA. If any provision of this BAA is determined to be invalid or unenforceable by a court, such provision will be deemed severable and the remainder of this Agreement will remain in full force and effect. This BAA may not be assigned by you. Both parties agree that this BAA, as well as any and all claims arising from this BAA will be governed by and construed in accordance with federal law and the laws of the State of Texas, without reference to its conflicts of law rules, and the parties irrevocably submit to the exclusive jurisdiction and venue of the courts of Dallas, County, Texas. The parties are independent contractors and this BAA does not create an agency, partnership or joint venture.