This Business Associate Addendum (this "HIPAA Addendum") is by and between "you," the "Covered Entity," and ISEEM, LLC ("us," "we," the "Business Associate"). This HIPAA Addendum is an addendum to the Terms of Service (the "Agreement") and, together with the Terms of Service as amended by this HIPAA Addendum, (1) is intended by the parties as a final, complete and exclusive expression of the terms of their agreement; and (2) supersedes all prior agreements and understandings (whether oral or written) between the parties with respect to the subject matter hereof.
The Covered Entity and Business Associate enter into this HIPAA Addendum to comply with the requirements of the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), as amended, including the privacy, security, breach notification and enforcement rules at 45 CFR Part 160 and Part 164, as well as the Health Information Technology for Economic and Clinical Health Act, enacted as part of the American Recovery and Reinvestment Act of 2009 ("HITECH"), as amended (collectively referred to herein as the "HIPAA Rules").
I. Definitions
Capitalized terms used but not otherwise defined in this HIPAA Addendum shall have the same meaning as those terms in the HIPAA Rules, except that "Protected Health Information" (or "PHI") shall have the same meaning as set forth in the HIPAA Regulations at 45 CFR 160.103, but limited to the information received by Business Associate from or on behalf of Covered Entity in connection with the Service provided under the Terms of Service.
II. Applicability
This HIPAA Addendum applies to the extent you are acting as a Covered Entity to create, receive, maintain or transmit PHI via the Service, and where we, as a result, are deemed under the HIPAA Rules to be acting as your Business Associate, as set forth at 45 CFR 160.103.
III. Obligations of Business Associate
A. We agree not to use or disclose protected health information other than as permitted or required by this HIPAA Addendum or as required by law.
B. We agree to use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to electronic protected health information, to prevent use or disclosure of protected health information other than as provided for by the HIPAA Addendum or the Terms of Service.
C. We agree to report to you, within 30 days of our discovery: (1) any use or disclosure of protected health information not provided for by this HIPAA Addendum of which we become aware, including breaches of unsecured PHI as required at 45 CFR 164.410; and (2) any security incident of which we become aware; provided, however, that (i) both parties acknowledge that there are likely to be a significant number of unsuccessful attempts to access the Service and that real-time reporting of incidents such as, without limitation, port scans, unsuccessful log-on attempts, network pings, and denial of service attacks, is impractical for both parties; and (ii) Business Associate undertakes no obligation to report network security related incidents that occur on our network but do not directly involve PHI created, received, transmitted, or maintained for or on behalf of you.
D. In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, we agree to ensure that any subcontractors that create, receive, maintain, or transmit protected health information on our behalf agree to the same restrictions, conditions, and requirements that apply to us with respect to such information.
E. We agree that all PHI maintained by Business Associate for you will be available to you in a time and manner that reasonably allows you to comply with the requirements under 45 CFR 164.524. Business Associate shall not be obligated to provide any such information to any person other than you.
F. We agree that all PHI and other information maintained by Business Associate for you will be available to you in a time and manner that reasonably allows you to comply with the requirements under 45 CFR 164.526.
G. We agree to maintain and make available the information required to provide an accounting of disclosures to you as necessary to satisfy your obligations under 45 CFR 164.528.
H. We agree to comply with the requirements of Subpart E that apply to you in the performance of your obligations under Subpart E of 45 CFR Part 164, to the extent we are to carry out one or more of such obligations.
I. We agree to make our internal practices, books, and records relating to the use and disclosure of PHI promptly available to the Secretary of Health and Human Services (the "Secretary") or the Secretary's designee for the purposes of determining Covered Entity's compliance with the HIPAA Rules, except as to those records protected by the attorney-client privilege.
IV. Permitted Uses and Disclosures by Business Associate
A. We shall only use or disclose protected health information as necessary to perform the services set forth in the Terms of Service agreement between the parties.
B. We shall use or disclose protected health information as required by law.
C. We agree to make uses and disclosures and requests for protected health information consistent with your minimum necessary policies and procedures.
D. We shall not use or disclose protected health information in a manner that would violate Subpart E of 45 CFR Part 164 if done by you, except for the specific uses and disclosures set forth below.
E. We may use protected health information for our own proper managerial and administrative duties, or to carry out our legal responsibilities.
F. We may disclose protected health information for our own proper managerial and administrative functions, or to carry out our legal responsibilities, provided the disclosures are required by law, or that we obtain reasonable assurances from the person to whom the information is disclosed that the information will remain confidential and be used or further disclosed only as required by law or for the purposes for which it was disclosed to the person, and furthermore that the person shall notify us of any instance of which it becomes aware in which the confidentiality of the information has been breached.
G. We may provide data aggregation services relating to your health care operations.
V. Obligations of Covered Entity
A. You shall not request that we use or disclose protected health information in any manner that would not be permissible under Subpart E of 45 CFR Part 164 if done by you, except as specified in Section 3 of this HIPAA Addendum.
B. You acknowledge and understand that the Service may include the transmission of messages via email. While all messages transmitted through the Service are encrypted with TLS, you acknowledge that unencrypted email messages may be stored and disclosed by third parties, such as your email service provider, who have no obligations to Business Associate. You agree as part of your security obligations to implement and maintain appropriate safeguards as required for you to comply with the HIPAA Rules as applicable to you and your use of the Service, including, without limitation: (1) ensuring that messages transmitted through the Service are received and maintained by you in compliance with the HIPAA Rules; (2) taking steps to reasonably limit the amount or type of PHI disclosed through the Service; and (3) permitting individuals to utilize alternative secure electronic methods to send confidential communications to you.
VI. General Provisions
A. The term of this HIPAA Addendum shall continue for the term of your use of the Service and following termination of your use of the Service until all PHI is destroyed or returned to you.
B. Either party has the right to terminate this HIPAA Addendum for any reason upon 30 days prior written notice to the other party. A material breach of this HIPAA Addendum will be treated as a material breach of the Terms of Service.
C. Upon termination of this HIPAA Addendum, for any reason, Business Associate shall destroy all PHI which is in Business Associate's possession. This provision shall apply to PHI that is in the possession of subcontractors or agents of Business Associate as well as Business Associate itself. In the event that Business Associate determines that destroying the PHI is infeasible, Business Associate shall promptly provide you notification of the conditions that make destruction infeasible. Business Associate shall extend the protections of this HIPAA Addendum to such PHI and limit further uses and disclosures of such PHI to those purposes that make the destruction infeasible, for so long as Business Associate maintains such PHI.
D. Survival. The provisions of Section VI.C. of this agreement shall survive the termination of the HIPAA Addendum.
E. Amendment. The Parties agree to take such action as is necessary to amend this HIPAA Addendum from time to time as is necessary for compliance with the requirements of the HIPAA Rules and any other applicable law.
F. Interpretation. Any ambiguity in this HIPAA Addendum shall be resolved to permit you to comply with the HIPAA Rules.