EPITOMYZE BUSINESS ASSOCIATE ADDENDUM (BAA)
This Business Associate Addendum (“Addendum”) is an addendum to the Terms of Service (“Terms”) between you (hereinafter referred to as “Covered Entity”) and Epitomyze, Inc. (hereinafter referred to as “Epitomyze” or “Business Associate”) for the medical imaging service provided by Epitomyze (“Service”). This Addendum applies to all users of the Service that are Covered Entities, as defined in the Health Insurance Portability and Accountability Act of 1996, as amended (“HIPAA”). Unless otherwise agreed by the parties in writing, if you are a Covered Entity or otherwise are covered by the HIPAA Rules, you are deemed to agree to the terms of this Addendum if you access the Service. This Addendum is incorporated into the Terms by reference and is effective as of the effective date of the Terms.
- BACKGROUND AND PURPOSE. The Parties have entered into, and may in the future enter into, one or more written agreements, that require Epitomyze to create, receive, maintain and/or transmit “protected health information” (together with the Terms, the “Underlying Contract(s)”), as the term is defined under 45 CFR §160.103 but is limited to the protected health information Epitomyze creates, receives, maintains, or transmits from or on behalf of the Covered Entity as the Covered Entity’s “Business Associate” as defined at 45 CFR §160.103 (“PHI”). Such PHI is subject to protection under the Health Insurance Portability and Accountability Act of 1996, as amended (“HIPAA”), Title XIII, Subtitle D, of the American Recovery and Reinvestment Act of 2009 (P.L. 111-5), known as the Health Information Technology for Economic and Clinical Health Act, as amended (the “HITECH Act”), and the implementing regulations for HIPAA and the HITECH Act, including, without limitation, the Standards for Privacy of Individually Identifiable Health Information, set forth at 45 CFR Part 160 and Part 164 (Subparts A and E)(the “Privacy Rule”), Security Standards for the Protection of Electronic Protected Health Information, set forth at 45 CFR Part 160 and Part 164 (Subparts A and C) (the “Security Rule”), the Standards for Electronic Transactions, set forth at 45 CFR Parts 160 and 162 (the “Electronic Transactions Rule”), and the Breach Notification for Unsecured Protected Health Information, set forth at 45 CFR Parts 160 and 164 (Subpart D) (the “Breach Notification Rule”), as such implementing regulations may have been or may in the future be amended from time to time (the Privacy Rule, the Security Rule, the Electronic Transactions Rule and the Breach Notification Rule, as amended from time to time, are referred to collectively as the “Rules”) (HIPAA, the HITECH Act, and the Rules, collectively, the “HIPAA Laws”). This BAA shall supplement and/or amend each of the Underlying Contract(s) only with respect to Epitomyze’s Use, Disclosure, and creation of PHI under the Underlying Contract(s) to allow Covered Entity to comply with the HIPAA Laws. Except as so supplemented and/or amended, the terms of the Underlying Contract(s) shall continue unchanged and shall apply with full force and effect to govern the matters addressed in this BAA and in each of the Underlying Contract(s).
- DEFINITIONS. Unless otherwise defined in this BAA, all capitalized terms used in this BAA have the meanings ascribed in the HIPAA Laws; provided that “Administrative Safeguards” shall have the same meaning as the term “administrative safeguards” in 45 CFR §164.304, with the exception that it shall apply to the management of the conduct of Epitomyze’s workforce, not Covered Entity’s workforce, in relation to the protection of that information.
- OBLIGATIONS OF THE PARTIES WITH RESPECT TO PHI.(a) Permitted Uses and Disclosures of PHI. Except as otherwise specified in this BAA or in any relevant consent, Epitomyze may make any and all Uses and Disclosures of PHI necessary to perform its obligations under the Underlying Contract(s), or as Required by Law. Epitomyze may, as a Business Associate of Covered Entity:1) Provide Data Aggregation services relating to the Health Care operations of the Covered Entity. [§194.504(e)(2)(i)(B)]2) Use or Disclose PHI as Required by Law.3) De-identify any and all PHI obtained by Epitomyze under this BAA and the Underlying Contracts, and use such de-
identified data, all in accordance with the de-identification requirements of the Privacy Rule guidance issued by the
Secretary from time to time. [§164.502(d)(l)]
4) Use or Disclose PHI for the proper management and administration of Epitomyze or to carry out the legal responsibilities
of Epitomyze, pursuant to 45 CFR §164.504(e)(4), provided that (i) such Use or Disclosure is Required by Law, (ii) Epitomyze obtains reasonable assurances from the person or entity which does not qualify as a subcontractor that is a business associate under the Rules and to which Epitomyze discloses PHI for such purposes permitted under this Section 3.1 that such PHI will be held confidentially, Used or further Disclosed only as required by law or the purpose for which it was disclosed to such person or entity, and that such third party shall notify Epitomyze of any instances of which the third party is aware in which the confidentiality of the PHI received pursuant to this provision has been or third party reasonably believes has been breached. [§164.502(e)(2)(i)(A); §164.504(e)(4)(i) and (ii)]
5) Under no circumstances may Epitomyze Use or further Disclose PHI in a manner that would violate the HIPAA Laws.
(b) Obligations of Epitomyze. With regard to its Use and/or Disclosure of PHI, Epitomyze agrees to:
1) Use or Disclose PHI in accordance with the HIPAA Laws. [§164.502(b)]
2) Not Use or Disclose PHI other than as permitted or required by this BAA, by any relevant consent or as Required By Law.
[§164.504(e)(2)(ii )(A )]
3) Use appropriate safeguards and with respect to PHI transmitted by or maintained in Electronic Media comply with subpart
C of 45 CFR Part 164 regarding provisions of the Security Rule applicable to such information, to prevent the Use or Disclosure of PHI other than as provided for by this BAA, including, without limitation, adequate training and education of Epitomyze’s employees, Staff or agents regarding such safeguards as implemented by Epitomyze. [§164.504(e)(2)(ii)(B)]
4) Report to Covered Entity any Use or Disclosure of PHI not provided for by this BAA of which Epitomyze becomes aware, including, without limitation, Breaches of Unsecured PHI as required by 45 CFR §164.410. [§164.504(e)(2)(ii)(C)]
5) Ensure that any subcontractor that is a business associate, as included in the definition of Business Associate at 45 CFR 160.103, (each, a “Subcontractor”) enters into an agreement or similar arrangement which complies with the HIPAA Laws requirements for agreements between “Business Associates” and “Covered Entities”, as each term is used under the HIPAA Laws, and subject to the same restrictions and limitations imposed upon Epitomyze in this BAA regarding the Use and Disclosure of PHI transmitted, received, created, or maintained by Subcontractor on behalf of Epitomyze in its capacity as Business Associate of Covered Entity. [§164.504(e)(2)(ii)(D)] [§164.314(a)(2)(i)(B)]
6) Within twenty (20) days of receiving a written request from Covered Entity, make available to the Covered Entity such PHI necessary for Covered Entity to comply with its obligations under 45 CFR §164.524 in responding to an Individual’s request for access to his or her PHI where Epitomyze maintains PHI in a Designated Record Set. [§164.504(e)(2)(ii)(E)] In the event any individual requests access to PHI directly from Epitomyze, Epitomyze shall within five (5) business days forward such request to Covered Entity. Any denials of access to the PHI requested shall be the exclusive responsibility of the Covered Entity. Any provision of information shall be subject to reasonable compensation to Epitomyze or as otherwise agreed with Epitomyze.
7) Within thirty (30) days of receiving a written request from Covered Entity, make available to the Covered Entity such PHI necessary for Covered Entity to comply with its obligations under 45 CFR §164.526 in responding to an Individual’s request for amendment and Epitomyze shall incorporate any amendments to the PHI as directed or instructed by Covered Entity in accordance with 45 CFR §164.526 where Epitomyze maintains PHI in the Designated Record Set. [§164.504(e)(2)(ii)(F)] In the event any Individual requests an amendment to PHI directly from Epitomyze, Epitomyze shall within (5) business day forward such request to Covered Entity. Any provision of information shall be subject to reasonable compensation to Epitomyze or as otherwise agreed with Epitomyze.
8) Within thirty (30) days of receiving a written request from Covered Entity, make available to the Covered Entity the information required for the Covered Entity to provide an accounting of disclosures of PHI as required by the Privacy Rule. Epitomyze shall provide the Covered Entity with the following information: (i) the date of the disclosure, (ii) the name of the entity or person who received the PHI, and if known, the address of such entity or person, (iii) a brief description of the PHI disclosed, and (iv) one of the following, as applicable: (a) a brief statement of the purpose of such disclosure which includes an explanation that reasonably informs the individual of the basis for such disclosure or in lieu of such statement, (b) a copy of a written request from the Secretary of Health and Human Services (the “Secretary”) to investigate or determine compliance with HIPAA; (c) a copy of a written request for a disclosure for which an authorization or opportunity to agree or object is not required in accordance with 45 CFR §164.512, if any; or (d) a copy of the individual’s request for an accounting. In the event the request for an accounting is delivered directly to Epitomyze, Epitomyze shall within seven (7) business days forward such request to the Covered Entity. [§164.504(e)(2)(ii)(G)]. Epitomyze shall retain its records regarding Uses and Disclosures of PHI for no less than six (6) years following the termination of this BAA. Any provision of information shall be subject to reasonable compensation to Epitomyze or as otherwise agreed with Epitomyze.
9) To the extent that Epitomyze carries out Covered Entity’s obligation(s) under Subpart E of 45 CFR Part 164, Epitomyze shall comply with the HIPAA Laws that apply to the Covered Entity in performance of such obligation(s), as required under 45 CFR §164.504(e)(2)(H).
10) Notify the Covered Entity within five (5) business days of Epitomyze’s receipt of any request for production or subpoena of PHI, in connection with any governmental investigation or governmental or civil proceeding. If the Covered Entity decides to challenge the validity of or assume responsibility for responding to such request or subpoena, Epitomyze shall cooperate fully with the Covered Entity in connection therewith. Any provision of information shall be subject to reasonable compensation to Epitomyze or as otherwise agreed with Epitomyze.
11) Make its internal practices, books and records relating to the Use and Disclosure of PHI available to the Secretary for purposes of determining Covered Entity’s compliance with the HIPAA Laws. [§164.504(e)(2)(ii)(I)]
12) Use reasonable commercial efforts to mitigate any harmful effect that is known to Epitomyze of a Use or Disclosure of PHI by Epitomyze in violation of the requirements of this BAA.
13) Epitomyze agrees to use appropriate safeguards to prevent any unauthorized or unlawful Use, access or Disclosure of the PHI, including but not limited to any Use, access or Disclosure not provided for by this BAA. Epitomyze shall implement administrative, physical and technical safeguards and comply with the policies, procedures and documentation requirements of the Security Rule. [§164.314(a)(2)(i)(A)]
14) Report promptly and without unreasonable delay to Covered Entity any Use or Disclosure of PHI not provided for or permitted by this BAA and any Security Incident, including, without limitation, Breaches of Unsecured PHI, of which Epitomyze becomes aware. [§164.314(a)(2)(i)(C)]
15) Make policies, procedures and documentation required by the Security Rule relating to the Safeguards available to the Secretary for purposes of determining Covered Entity’s compliance with the Security Rule. [68 Fed. Reg. 8334, 8359]
16) Following the Discovery of a Breach, Epitomyze shall notify Covered Entity without unreasonable delay but in no event more than ten (10) business days after discovery of such Breach. Such notification shall include the following information which shall be supplemented as such information becomes available (i) the identification of each Individual whose Unsecured PHI has been, or is reasonably believed by Epitomyze to have been accessed, acquired, used or disclosed during the Breach; [§164.410(c)(i)] and (ii) each of the elements of a required notification to the Individual as set forth under Section 45 CFR §164.404(c). [§164.410(c)(ii)]
17) Where Epitomyze performs a Risk Assessment in accordance with § 45 CFR §164.502 and determines a Breach has not occurred because of the low probability the PHI has been compromised, Epitomyze will maintain sufficient documentation supporting this determination and make such documentation available to Covered Entity upon reasonable request. Epitomyze shall retain such documentation for a period of six (6) years following the termination of this BAA.
- OBLIGATIONS OF COVERED ENTITY. Covered Entity agrees to timely notify Epitomyze, in writing, of any arrangements between Covered Entity and the Individual that is the subject of PHI that may impact in any manner the Use and/or Disclosure of that PHI by Epitomyze under this BAA. Covered Entity further agrees not to request Epitomyze to Use or Disclose PHI in any manner that would not be permissible under Subpart E of 45 CFR Part 164 if done by the Covered Entity. [§164.504(e)(2)(i)]
- TERM. This BAA shall commence as of the Effective Date and expire, unless earlier terminated pursuant to Section 6 hereof, at such time as the Underlying Agreement(s) is terminated or expires and Epitomyze returns or destroys PHI in accordance with the terms of this BAA.
- TERMINATION BY COVERED ENTITY. Should Covered Entity become aware of a material breach of this BAA, including, without limitation, a pattern of activity or practice that constitutes a material breach of a material term of this BAA by Epitomyze the Covered Entity shall provide Epitomyze with written notice of such breach in sufficient detail to enable Epitomyze to understand the specific nature of the breach. Covered Entity shall be entitled to immediately terminate this BAA and the Underlying Contract associated with such breach if, after Covered Entity provides such notice of breach to Epitomyze, Epitomyze fails to cure the breach within a reasonable time period not to exceed thirty (30) days from Epitomyze’s receipt of such notice; provided that Covered Entity shall have the discretion to agree to such longer cure period based on the nature of the breach involved and subject to the HIPAA Laws. [§164.504(e)(l)(ii)]
- RETURN OR DESTRUCTION OF PHI. Upon the expiration or termination of this BAA and/or the Underlying Contract(s), Epitomyze, with respect to PHI received from Covered Entity, or created, maintained or received by Epitomyze on behalf of Covered Entity, including any and all PHI in the possession of Epitomyze’s Subcontractors and such third parties permitted to receive such PHI under and in accordance with the terms of this BAA and the HIPAA Laws, shall:(a) retain only that PHI which is necessary for Epitomyze to continue its proper management and administration or to carry out its legal responsibilities;(b) return to Covered Entity or destroy, as agreed to by Covered Entity, the remaining PHI that Epitomyze still maintains in any form;(c) continue to use appropriate safeguards and comply with the Security Rule with respect to PHI transmitted by or maintained in Electronic Media to prevent Use or Disclosure of the PHI, other than as provided for in this Section, for as long as Epitomyze retains the PHI;(d) not Use or Disclose the PHI retained by Epitomyze other than for the purposes for which such PHI was retained and subject to the same conditions set forth in Section 3 hereof which applied prior to termination;
(e) return to Covered Entity or destroy, as agreed to by Covered Entity, the PHI retained by Epitomyze when it is no longer needed by Epitomyze for its proper management and administration or to carry out its legal responsibilities [§164.504(e)(2)(ii)(J)]; and
(f) where the return or destruction of PHI is infeasible Epitomyze shall notify Covered Entity in a writing of sufficient specificity of the circumstances which make such return or destruction infeasible, and Epitomyze shall continue to extend the protections of this Agreement to such PHI and limit further use or disclosure of PHI to those purposes which make the return or destruction infeasible, for as long as Epitomyze retains the PHI. [§164.504(e)(2)(ii)(J)]
Any provision of information shall be subject to reasonable compensation to Epitomyze or as otherwise agreed with Epitomyze.
(a) Survival. The respective rights and obligations of Epitomyze and Covered Entity under this BAA which by their nature shall survive this BAA shall survive the expiration or termination of this BAA indefinitely, including, without limitation, Section 3(b)(8) and (14), Section 7 and this Section.(b) Interpretation. The terms of this BAA shall prevail in the case of any conflict with the terms of any Underlying Contract to the extent necessary to allow Covered Entity to comply with the HIPAA Laws. Any ambiguity in this BAA shall be resolved in favor of a meaning that permits Covered Entity to comply with the HIPAA Laws. The bracketed citations to the HIPAA Laws in several paragraphs of this BAA are for reference only and shall not be relevant in interpreting any provision of this BAA.(c) No Third Party Beneficiaries. Nothing in this BAA shall confer upon any person other than the Parties and their respective successors or assigns, any rights, remedies, obligations, or liabilities whatsoever.(d) Amendment. This BAA constitutes the entire agreement between the Parties with respect to PHI, and may not be modified, nor will any provision be waived or amended, except in a writing duly signed by authorized representatives of the Parties.(e) Waiver. A waiver with respect to one event will not be construed as continuing, or as a bar or waiver of any right or remedy as to subsequent events.
(f) Changes in the HIPAA Laws. To the extent that any relevant provision of the HIPAA Laws is materially amended in a manner that changes the obligations of Business Associates or Covered Entities, the Parties agree to negotiate in good faith appropriate amendment(s) to this BAA to give effect to those revised obligations.
(g) Governing Law. The Parties hereby agree that this BAA shall be governed by, and in construed in accordance with, the laws of the governing State, New York, without giving effect to its conflicts of laws principles and hereby submit themselves to the jurisdiction and venue of the federal and state courts of New York, located in the Borough of Manhattan.
(h) Waiver of Jury Trial. TO THE FULLEST EXTENT PERMITTED BY APPLICABLE LAW, EACH OF THE PARTIES HERETO HEREBY IRREVOCABLY WAIVES ALL RIGHT OF TRIAL BY JURY IN ANY ACTION, PROCEEDING OR COUNTERCLAIM ARISING OUT OF OR IN CONNECTION WITH THIS AGREEMENT OR ANY MATTER ARISING HEREUNDER.
(i) Consequential Damages. Anything in this Agreement to the contrary notwithstanding, in no event shall any of the parties hereto be liable under or in connection with this Agreement for indirect, special, incidental, punitive or consequential losses or damages of any kind whatsoever, including but not limited to lost profits, whether or not foreseeable, even if such party has been advised of the possibility thereof and regardless of the form of action in which such damages are sought.
(j) Successors & Assigns. All covenants, agreements, representations and warranties in this Agreement by each party hereto shall bind, and to the extent permitted hereby, shall inure to the benefit of and be enforceable by their respective successors and assigns, whether so expressed or not.
HIPAA GLOSSARY ADDITIONS
“Electronic format” is a format from which a government agency is able to generate an accurate and complete paper copy that is both legible (“human readable”) and suitable for inspection, review and copying. The Food and Drug Administration (FDA) advises that documents submitted in electronic format should: ·
- Enable the user to easily view a clear and legible copy of the information
- Enable the user to print each document page by page, as it would have been provided in paper, maintaining foots, special orientations, table formats and page numbers
- Include a well-structured table of contents and allow the user to navigate easily through the submission Allow the user to copy text and images electronically into common word processing documents
The FDA suggests that electronic documents required to be submitted in electronic format in be submitted in Portable Document Format (PDF). PDF is an open, published format created by Adobe Systems Incorporated (http://www.adobe.com). PDF has been accepted as a standard for providing documents in electronic format by the International Conference on Harmonisation (ICH).
“Limited Data Set (LDS)” is a set of data that lacks 16 of the 18 identifiers itemized by the Privacy Rule. Specifically, a LDS does NOT include the following identifiers: Name; Postal address information, other than town or city, State, and zip codes; Telephone numbers; Fax numbers; Electronic mail addresses; Social security numbers; Medical record numbers; Health plan beneficiary numbers; Account numbers; Certificate/license numbers; Vehicle identifiers and serial numbers, including license plate numbers; Device identifiers and serial numbers; Web Universal Resource Locators (URLs); Internet Protocol (IP) address numbers; Biometric identifiers, including finger and voice prints; and Full face photographic images and any comparable images. An LDS may contain, for example: Dates of birth, Dates of death, Dates of service, Town or city, State, Zip code. A Covered Entity may use or disclose a LDS only for the purposes of research, public health, or health care operations (45 CFR §164.514(e)(3)(i)). Disclosure of a LDS is an exception to the Privacy Rule requirement to obtain an authorization from the patient (subject) for research use of protected health information.
“Personal Health Record” or “PHR” is an electronic record of identifiable health information about an individual that can be drawn from multiple sources and that is managed, shared and controlled by or primarily for the individual by a PHR vendor.
“PHR identifiable health information” is PHI held by a PHR vendor or third party service provider.
“PHI” is protected health information.
“Sale of PHI” is the “direct or indirect” receipt of remuneration in exchange for any PHI of an individual.
“Third party service provider” is an entity that provides services to the PHR vendor in connection with the offering or maintenance of a PHR or a related product or service and that “accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses or discloses unsecured PHR identifiable health information in such a record as a result of such services.”
“Unsecured PHI (HITECH)” is protected health information that is not secured by a technology standard that renders protected health information unusable, unreadable, or indecipherable to unauthorized individuals. HHS guidance released April 17, 2009 identifies two methods by which PHI can be “secured”: encryption or destruction.
- Encryption: Whether or not PHI is properly encrypted depends on the strength of the encryption algorithm and the security of the decryption key or process. HHS released a list of the only acceptable encryption methodologies. Methods not specified in the guidance will not be considered sufficient to render PHI “secured”.
- Destruction: Hard copies of PHI will only be considered destroyed if they are unreadable and cannot be reconstructed. Electronic media must be cleared, purged or destroyed consistent with standards described in publications issued by the National Institute of Standards and Technology .