HEALTHMONIX
PRIVACY POLICY
Healthmonix (“we,” “our,” or “us”) respects and is committed to protecting your privacy. That is why we have adopted this Privacy Policy. This Privacy Policy lets you know how and for what purposes we are collecting, processing and using your Personal Information (as defined herein). We pledge that we will take reasonable steps to ensure that your Personal Information will only be used in ways that are in compliance with this Privacy Policy.
This Privacy Policy is in effect for any web page, third party social media site, generic information, and Personal Information collected and/or owned by us, no matter the method of collection (e.g., mail, facsimile, sign-up/sign-in page, survey, contest, promotion), including collection through this website and any online features, services and/or programs we offer (collectively, the “Web Properties”). Notwithstanding the foregoing, this Privacy Policy is not applicable to any other web page, mobile application, social media site, generic information or Personal Information collected and/or owned by any entity other than Healthmonix. Users of the foregoing resources of entities other than Healthmonix should refer to the Privacy Policy in effect for the applicable owner.
This Privacy Policy also applies to information collected by or for us through a means other than the Web Properties. If the same information is collected through the Web Properties and through a means other than the Web Properties, the terms of this Privacy Policy shall apply.
Your use of the Web Properties is also governed by the Terms and Conditions located at https://healthmonix.com/end-user-license-agreement-eula/.
Types of Information Collected
We may collect two types of information when you visit the Web Properties: Personal Information and Browsing Information.
Personal Information: In order to participate in certain features, services and/or programs of the Web Properties, we may require that you provide us with certain specific information, which we may collect including, among other similar types of information (collectively, “Personal Information”): (1) contact information (e.g., name, address, phone number, email address); (2) demographic information (e.g., date of birth, gender, marital status); (3) information specifying medical or health conditions and certain medical history and information; and (4) your physical location.
Browsing Information: We may obtain non-individualized, generic information about you when you visit the Web Properties. This may include your Internet Protocol (or IP) address, protocol and sequence information; browser language; browser type; domain name system requests; browsing history (including time spent at a domain, time and date of your visit); number of clicks; hypertext transfer protocol headers; application client and server banners; operating system fingerprinting data; and MAC address, device ID/UDID, or similar device-specific code used for tracking purposes (collectively, “Browsing Information”).
How Information Is Collected
We may collect Personal Information and/or Browsing Information about you from the following sources:
- information we receive from you as a result of your use of our services;
- information we receive from you, or on your behalf, through applications, surveys or other forms;
- information we receive from you through the Web Properties, such as when creating a user account for use in connection with the Web Properties (your “User Account”) or filling out the “Contact Us” form on this website;
- information we receive from your computer;
- information we receive from our partners or service providers; and
- information we receive from other sources, as permitted by applicable laws, rules and regulations (collectively, the “Law”).
Additional Ways that Information is Collected Through the Web Properties
Website Collected Information: We may collect or receive three types of information when you visit or use the Web Properties: contact information, provided information and usage information.
Contact Information. Contact information refers to the information that you intentionally provide to us when you submit a request to be contacted. This information may include Personal Information such as your name, address, phone number, and email address, as well as any other information that you may voluntarily provide through the Web Properties. We collect this information only for purposes of responding to requests for more information about Healthmonix and our offerings. When you submit contact information, you accept that this information will be shared with our content providers and other professionals, contractors and staff that may be able to assist you.
Provided Information. You may be asked or encouraged to submit, or may completely voluntarily submit, information through the Web Properties, including Personal Information. Whether you submit any Personal Information to us is entirely up to you. You are under no obligation to provide Personal Information. However, this information is essential for the provision and quality of some of the services we offer to you, so we cannot provide you with certain services if you choose to withhold requested information. Your submission of any Personal Information, and our and our agents’ use of your Personal Information that they receive from us, shall at all times be in compliance with this Privacy Policy.
Browsing Information. We may obtain non-individualized, generic information about you when you visit the Web Properties (as further defined above).
Browser Log Files: Our servers automatically log each visitor to the Web Properties and collect and record certain Browsing Information about each visitor. The Browsing Information reveals nothing personal about the user and includes only the generic information described in the definition of “Browsing Information.”
Cookies: From time to time, we and/or our advertisers or other third parties may send a “cookie” to your computer. A cookie is a small piece of data that is sent to your Internet browser from a web server and stored on your computer’s hard drive and that can be re-sent to the serving website on subsequent visits. A cookie, by itself, cannot read other data from your hard disk or read other cookie files already on your computer. A cookie, by itself, does not damage your system. We, our advertisers and other third parties may use cookies to identify and keep track of, among other things, those areas of the Web Properties and third party websites that you have visited in the past in order to enhance your next visit to the Web Properties. Our advertisers may also use cookies to ascertain how many times that you have seen an advertisement and obtain similar analytical information. You can choose whether or not to accept cookies by changing the settings of your Internet browser, but some functionality of the Web Properties may be impaired or not function as intended if you choose not to accept cookies. See the Third Party Opt Out section below.
Web Beacons: Some of our web pages and electronic communications may contain images, which may or may not be visible to you, known as Web Beacons (sometimes referred to as “clear gifs”). Web Beacons collect only limited information that includes a cookie number; time and date of a page view; and a description of the page on which the Web Beacon resides. We may also carry Web Beacons placed by third party advertisers. These Web Beacons do not carry any Personal Information and are only used to track usage of the Web Properties and activities associated with the Web Properties. See the Third Party Opt Out section below.
Unique Identifier: Although we do not presently do so, in the future we may assign you a unique internal identifier to help keep track of your future visits. We use this information to gather aggregate demographic information about our visitors, and we use it to personalize the information you see on the Web Properties and some of the electronic communications you receive from us. We keep this information for our internal use, and this information is not shared with others.
Third Party Opt Out: Although we do not presently do so, in the future we may allow third-party companies to serve advertisements and/or collect certain anonymous information when you visit the Web Properties. These companies may use non-personally identifiable information (including, but not limited to, click stream information, browser type, time and date, subject of advertisements clicked or scrolled over) during your visits to the Web Properties in order to provide advertisements about goods and services likely to be of greater interest to you. These companies typically use a cookie or third party Web Beacon to collect this information, as further described above. Through these technologies, the third party may have access to and use non-personalized information about your online usage activity.
You can opt out of certain online behavioral services through any one of the ways described below (you do not need to go to each opt-out site, one is sufficient). After you opt out, you may continue to receive advertisements, but those advertisements will no longer be as relevant to you.
- You can opt out via the Network Advertising Initiative industry opt-out at networkadvertising.org.
- You can opt out via the Consumer Choice Page at aboutads.info.
- You can opt out via the IAB UK’s industry opt-out at youronlinechoices.com.
- You can configure your web browser (Chrome, Firefox, Internet Explorer, Safari, etc.) to delete and/or control the use of cookies. More information can be found in the Help system of your browser. It is at your discretion whether you use the opt-out described above or manage cookies via the browser.
Note: If you opt out as described above, you should not delete your cookies. If you delete your cookies, you will need to opt out again.
Use of Personal Information
The Personal Information that we collect may be used for four main purposes:
- to enable the features of the Web Properties, including, but not limited to: (a) providing services to you, such as providing you information about the applicable health plans, PQRS Registry Reporting requirements and updates, Merit-Based Incentive Payment System (MIPS) requirements and updates, and information regarding Medicare reimbursement; and (b) setting up and managing your online account, including but not limited to our processing your requests for information, and/or providing support services to you.
- to improve the Web Properties by determining which of our products, features and services are most popular. We may analyze your information and usage information to enable us and our affiliates to provide services to you and develop new features, functionality, and services;
- to personalize your experience on the Web Properties; and
- to communicate with you and to inform you about Healthmonix’s and third parties’ products and services. When requested by you, we (and/or any of our third party service providers) may send you and keep you updated with information about existing and new services, products, and special offers, by email, telephone, mail or by means of any other contact details you provide to us or our affiliates, or to such third party service providers.
When Information Is Disclosed
In addition to the other times or occasions on which we might disclose Personal Information about you, we might also disclose Personal Information when required by Law or in the good-faith belief that such disclosure is necessary to: (1) comply with legal processes and applicable Law; (2) enforce this Privacy Policy; (3) respond to any claim that any material, document, image, graphic, logo, design, audio, video, and any other information provided to, from or on the Web Properties by you violates the rights of third parties; or (4) protect our rights, property, or safety or the rights, property, or personal safety of our visitors and the public.
We may share and use your Personal Information and non-personally identifiable information with one or more of our participating retailers to deliver coupons, offers, and otherwise promote our products to you.
We use reasonable precautions to keep the information that is disclosed to us secure. We may provide Personal Information and non-personally identifiable information to our subsidiaries, affiliated companies, and other businesses or persons for the purposes of processing such information on our behalf and promoting the goods and services of our trusted business partners, some or all of which may store some or all of your information on servers outside of the United States. We require that these parties agree to process such information in compliance with our Privacy Policy or in a similar, industry-standard manner, and we use reasonable efforts to limit their use of such information and to use other appropriate confidentiality and security measures. The use of your information by one of our trusted business partners may be subject to that party’s own Privacy Policy.
We may share non-personally identifiable information (such as anonymous user usage data, referring/exit pages and URLs, platform types, number of clicks, etc.) with third parties to demonstrate the usage patterns for advertisements, content, functionality, promotions, competitions, games, and/or services on the Web Properties and/or on third party websites.
We also reserve the right to disclose Personal Information and/or non-personally identifiable information in connection with the enforcement of our Terms, to take precautions against liability, to investigate and defend against any third-party claims or allegations, to assist government enforcement agencies, to protect the security or integrity of the Web Properties, and to protect our rights, property, or personal safety and that of our users or others.
We reserve the right to transfer your Personal Information, as well as any other information, in connection with the sale or other disposition of all or part of our business and/or assets. We also cannot make any representations regarding the use or transfer of your Personal Information or other information that we may have in the event of our bankruptcy, reorganization, insolvency, receivership, or an assignment for the benefit of creditors, and you expressly agree and consent to the use and/or transfer of your Personal Information or other information in connection with a sale or transfer of some or all of our assets in any of the above described proceedings. Furthermore, we cannot and will not be responsible for any breach of security by any third parties or for any actions of any third parties that receive any of the information that is disclosed to us.
We may also disclose your Personal Information with your permission.
User Account, Password, and Security
For certain features available through the Web Properties, we may require the use of encryption technologies provided for your protection and/or a User Account. We use reasonable precautions to protect the privacy of your username, password and User Account information. You, however, are ultimately responsible for protecting your username, password and User Account information from disclosure to third parties, and you are not permitted to circumvent the use of required encryption technologies. You agree to: (a) immediately notify us of any unauthorized use of your username, password and/or User Account, and/or any other breach of security; and (b) ensure that you log out from your User Account at the end of each session. While we may provide certain encryption technologies and use other reasonable precautions to protect your confidential information and provide suitable security, we do not and cannot guarantee or warrant that any information transmitted through the internet is secure, or that such transmissions are free from delay, interruption, interception or error.
Information From Children
We do not collect Personal Information from any person that we know to be under the age of 13. Specifically, the Web Properties are not intended or designed to attract children under the age of 13. You affirm that you are more than 18 years of age, or an emancipated minor, or possess legal parental or guardian consent, and are fully able and competent to enter into the terms, conditions, obligations, affirmations, representations, and warranties set forth in this Privacy Policy, and to abide by and comply with this Privacy Policy. In any case, you affirm that you are over the age of 13, as THE WEB PROPERTIES ARE NOT INTENDED FOR CHILDREN UNDER 13 THAT ARE UNACCOMPANIED BY THEIR PARENT OR LEGAL GUARDIAN.
Parents and legal guardians should be aware that this Privacy Policy will govern our use of Personal Information, but also that information that is voluntarily given by children – or others – in email exchanges, bulletin boards, or the like may be used by other parties to generate unsolicited communications. We encourage all parents to instruct their children in the safe and responsible use of their Personal Information while using the Internet.
For the avoidance of confusion, we may collect Personal Information about children in connection with administering and operating our services, and nothing herein shall limit or otherwise restrict our ability or practices with respect to such collection from children.
Privacy Outside the Web Properties
Although we do not presently do so, in the future the Web Properties may contain various links to other websites, including, but not limited to, links to websites of various third party service providers. We are not and cannot be responsible for the privacy practices or the content of any of those other websites. Other than under agreements with certain reputable organizations and companies, and except for third party service providers (as described in this Privacy Policy), we do not share any of the Personal Information that you provide to us with any of the websites to which the Web Properties links, although we may share aggregate, non-personally identifiable information with those other third parties. Please check with those websites in order to determine their privacy policies and your rights under them.
European Union Users
If you are visiting us from the European Union, please note that we may collect, transfer, and continue to use your Personal Information outside the European Union for any of the purposes described in this Privacy Policy. By using the Web Properties and providing us with your Personal Information, you consent to our collection, transfer, and continued use of your Personal Information in accordance with this Privacy Policy.
Choices With Your Personal Information
Whether you submit any Personal Information to us is entirely up to you. You may choose to prevent us from disclosing or using your Personal Information under certain circumstances (“opt out”). You may opt out of any disclosure or use of your Personal Information for purposes that are incompatible with the purpose(s) for which it was originally collected or for which you subsequently gave authorization by notifying us by one of the methods at the end of this Privacy Policy, or by following the procedures set forth in an electronic communication from us, if applicable. Furthermore, even where your Personal Information is to be disclosed and used in accordance with the stated purposes in this Privacy Policy, you may elect to opt out of such disclosure to and use by a third party that is not acting as our agent. There are some uses from which you cannot opt out, such as our use of your Personal Information in connection with non-personally identifiable information or to provide products that you have requested from us.
To the extent applicable, you may opt out of online behavioral advertising by following the instructions set forth above under the section “Additional Ways that Information is Collected Through the Web Properties,” subsection “Third Party Opt Out.”
Access and Correction
Please contact us in the manner specified at the end of this Privacy Policy to access your Personal Information in our possession and correct inaccuracies of that information in our records. We ask individuals to identify themselves and the information requested to be accessed and amended before processing such requests, and we may decline to process requests in limited circumstances as permitted by applicable privacy legislation.
Your California Privacy Rights
Under California’s “Shine the Light” law, California residents who provide certain personally identifiable information in connection with obtaining products or services for personal, family, or household use are entitled to request and obtain from us (once a calendar year) information about the customer information we shared (if any) with other businesses for their own direct marketing uses. If applicable, this information would include the categories of customer information and the names and addresses of those businesses with which we shared customer information for the immediately prior calendar year (e.g., requests made in 2017 will receive information regarding 2016 sharing activities, if any).
To obtain this information, please send an email message to info@hmximport.local with “Request for California Privacy Information” in the subject line and in the body of your message. We will provide the requested information to you at your email address in response.
Please be aware that not all information sharing is covered by the “Shine the Light” requirements, and only information on covered sharing will be included in our response.
Do Not Track Requests
Additionally, because we may collect your Personal Information from time to time, California’s Online Privacy Protection Act requires us to disclose how we respond to “do not track” requests and other similar mechanisms. Currently, our policy is that we do not recognize “do not track” requests from Internet browsers and similar devices.
HIPAA; Business Associate Agreement
Your disclosure to us of any “protected health information” (as defined pursuant to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”)) shall be subject to the Business Associate Agreement appended to the end of this Privacy Policy. We make no representation or warranty that the Business Associate Agreement is necessary for the compliance by you with HIPAA or other applicable law or regulation regarding any such protected health information. You are fully responsible for your actions with respect to any such protected health information, and agree to indemnify, defend and hold harmless Healthmonix for and against any violations by you of HIPAA or any other applicable law or regulation regarding any such protected health information.
Governing Law
This Privacy Policy will be governed by the laws of the Commonwealth of Pennsylvania, without giving effect to any principles of conflicts of laws. By using or accessing the Web Properties, you agree that any action at law or in equity arising out of or relating to your use of the Web Properties or this Privacy Policy will be filed only in the state or federal courts in the Commonwealth of Pennsylvania, and you hereby consent and submit to the personal jurisdiction of such courts for the purpose of litigating any such action.
Your Consent To This Privacy Policy
By using the Web Properties, you consent to the collection and use of your information (including Personal Information) by us as specified above or as we otherwise see fit, in compliance with this Privacy Policy, unless you inform us otherwise by means of the procedure identified below. If we decide to change this Privacy Policy or some part of it, we will make an effort to post those changes on this web page so that you will always be able to understand what information we collect, how we use that information and under what circumstances we may disclose that information to others. Your use of the Web Properties following such publication of any amendment of this Privacy Policy will signify your assent to and acceptance of its revised terms for all previously collected information and information collected from you in the future. We may use comments, information or feedback that you may submit in any manner that we may choose without notice or compensation to you.
If you have additional questions or comments of any kind, or if you see anything on the Web Properties that you think is inappropriate or incorrect, please let us know by email or by sending your comments or requests to:
Healthmonix
72 Swedesford Road Suite #110
Malvern, Pennsylvania, 19355
Attn: Customer Care – Web Properties
Copyright © 2017. Healthmonix. All Rights Reserved.
Effective as of: January 25, 2017
Last updated: January 25, 2017
Business Associate Agreement
1. The following capitalized terms, as used in this Business Associate Agreement (this “Agreement”), shall have the meanings set forth below. Terms used, but not otherwise defined in this Agreement shall have the same meaning as those terms in 45 C.F.R. §160.103, §164.304, and §164.501.
- “Administrative Safeguards” shall have the same meaning as the term “administrative safeguards” set forth in the Security Regulations.
- “Breach” shall have the meaning set forth in the Breach Notification Regulations.
- “Breach Notification Regulations” shall mean Subpart D of Part 164, entitled “Notification in the Case of Breach of Unsecured Protected Health Information.”
- “Business Associate” shall mean NetHealth Limited Liability Company d/b/a Healthmonix.
- “Covered Entity” shall have the meaning given to such term under the Privacy Rule and Security Rule, including, but not limited to, 45 C.F.R. § 160.103, and may include users of the website to which this Agreement.
- “Data Aggregation” shall have the same meaning as the term “data aggregation” set forth in the Privacy Rule.
- “Electronic Health Record” shall mean an electronic record of health-related information on an individual that is created, gathered, managed, and consulted by authorized health care clinicians and staff.
- “Electronically Maintained” shall mean information stored by a computer or on any electronic medium from which information may be retrieved by a computer, such as electronic memory chips, magnetic tape, disk, or compact disc media.
- “Electronically Transmitted” shall mean information exchanged with a computer using electronic media, such as the movement of information from one location to another using magnetic tape, disk or compact disc media; transmissions over the Internet, Extranet, leased lines, dial-up lines, or private networks; but excluding information exchanged using paper-to-paper facsimiles, person-to-person telephone calls, video teleconferencing, voicemail messages, telephone voice response or “faxback” systems.
- “Individual” shall have the same meaning as the term “individual” in the Privacy Rule.
- “Physical Safeguards” shall have the meaning set forth in the Security Regulations.
- “Privacy Official” shall have the meaning set forth in the Privacy Regulations.
- “Privacy Regulations” shall mean the Standards for Privacy of Individually Identifiable Health Information at 45 C.F.R. part 160 and part 164, subparts A and E, as such provisions are currently drafted and as they are subsequently amended or revised.
- “Protected Health Information” shall have the meaning set forth in the Privacy Regulations.
- “Required by Law” shall have the meaning set forth in the Privacy Regulations.
- “Secretary” shall mean the Secretary of the Department of Health and Human Services or his or her designee.
- “Security Incident” shall have the meaning set forth in the Security Regulations.
- “Security Regulations” shall mean the Security Standards at 45 C.F.R. part 160, part 162, and part 164, subparts A and C, as such provisions are currently drafted and as they are subsequently amended or revised.
- “Technical Safeguards” shall have the meaning set forth in the Security Regulations.
- “Unsecured Protected Health Information”, as used in Section 3.1(n), below, shall have the meaning set forth under §13404(h) of the HITECH Act, as such provision is currently drafted and as it is subsequently amended or revised.
2. PERMITTED USES AND DISCLOSURES OF PROTECTED HEALTH INFORMATION.
2.1 Services. Subject to the limitations of this Agreement and the Privacy Rule, Business Associate may use and disclose Protected Health Information as necessary to perform its obligations to Covered Entity. Business Associate may not use or disclose Protected Health Information in a manner that would violate the Privacy Regulations if done by Covered Entity, except for those uses and disclosures set forth in Section 2.2 hereof. All other uses and disclosures not authorized by this Agreement are prohibited. Without limiting the generality of the foregoing, Business Associate may disclose Protected Health Information for the purposes authorized by this Agreement only: (a) to its employees, subcontractors and agents, in accordance with Section 3.1(d), below, (b) as directed by Covered Entity, or (c) as otherwise permitted by the terms of this Agreement including, but not limited to, Section 2.2 below.
2.2 Business and Other Activities of Business Associate. The Business Associate may:
(a) Use the Protected Health Information for the proper management and administration of Business Associate and to fulfill any present or future legal responsibilities of Business Associate provided that such uses are permitted under state and federal confidentiality law.
(b) Disclose the Protected Health Information to third parties for the proper management and administration of Business Associate or to fulfill any present or future legal responsibilities of Business Associate, provided that: (i) the disclosures are Required by Law, or (ii) Business Associate has received from the third party written assurances regarding the confidential treatment of such Protected Health Information as required under 45 C.F.R. §164.504(e)(4)(ii)(B)(1), and that the third party will notify Business Associate of any instances of which it is aware in which the confidentiality of the Protected Health Information has been breached.
(c) Use Protected Health Information to create de-identified information, as defined in the Privacy Regulations, for use by Covered Entity or Business Associate.
3. OBLIGATIONS OF THE PARTIES WITH RESPECT TO PROTECTED HEALTH INFORMATION.
3.1 Obligations of Business Associate. With regard to the use and/or disclosure of Protected Health Information, Business Associate hereby agrees to do the following:
(a) Use and/or disclose the Protected Health Information only as permitted or required by this Agreement or as otherwise required by law.
(b) Report to the designated Privacy Official of Covered Entity any use and/or disclosure of the Protected Health Information that is not permitted or required by this Agreement of which Business Associate becomes aware. Oral reports shall be made within two (2) business days following discovery, and shall be followed promptly by a written report based on subsequently developed information.
(c) Use reasonable and appropriate safeguards to maintain the security of the Protected Health Information and to prevent unauthorized use and/or disclosure of such Protected Health Information.
(d) Require all of its subcontractors and agents that receive or use, or have access to, Protected Health Information under this Agreement to agree, in writing, to adhere to materially the same restrictions and conditions on the use and/or disclosure of Protected Health Information that apply to Business Associate pursuant to this Section 3.
(e) Make available all records, books, agreements, policies and procedures relating to the use and/or disclosure of Protected Health Information to Covered Entity or the Secretary, in a time and manner designated by Covered Entity or the Secretary, for purposes of the Secretary determining Covered Entity’s compliance with the Privacy Regulations and the Security Regulations, subject to attorney-client and other applicable legal privileges.
(f) Within ten (10) calendar days of receiving a written request from Covered Entity, provide to Covered Entity such information as is requested by Covered Entity to permit Covered Entity to respond to a request by an Individual under 45 C.F.R. §164.524, which entitles Individuals access to their own Protected Health Information.
(g) Within ten (10) calendar days of receiving a written request from Covered Entity, provide to Covered Entity such information as is requested by Covered Entity to permit Covered Entity to respond to a request by an Individual for an amendment of the Individual’s Protected Health Information under 45 C.F.R. §164.526. Accordingly, Business Associate will promptly incorporate any amendment(s) to the Protected Health Information that Covered Entity directs or agrees to be made.
(h) Within ten (10) calendar days of receiving a written request from Covered Entity, provide to Covered Entity such information as is requested by Covered Entity to permit Covered Entity to respond to a request by an Individual for an accounting of the disclosures of the Individual’s Protected Health Information in accordance with 45 C.F.R. §164.528.
(i) Except as otherwise provided in this Agreement, in the event Business Associate receives an access, amendment, accounting of disclosure, or other similar request directly from an Individual, with respect to Protected Health Information subject to this Agreement, Business Associate will promptly redirect the Individual to Covered Entity.
(j) Subject to Section 4.3, below, return to Covered Entity or destroy, within sixty (60) calendar days of the termination of this Agreement, the Protected Health Information in its possession and retain no copies (which for purposes of this Agreement shall include all backup tapes or files).
(k) Disclose to its subcontractors, agents or other third parties, and request from Covered Entity, only the minimum Protected Health Information necessary to perform or fulfill a specific function permitted hereunder. Without limiting the foregoing, to the extent required by the HITECH Act, Business Associate shall limit its use, disclosure or request of Protected Health Information to the limited data set (as defined under HIPAA) or, if needed, to the minimum necessary to accomplish the intended use, disclosure or request, respectively. Effective as of the date the Secretary issues guidance on what constitutes “minimum necessary” for purposes of HIPAA, Business Associate shall limit its use, disclosure, or request of Protected Health Information to only the minimum necessary as set forth in such guidance.
(l) Establish procedures in order to mitigate, to the greatest extent possible, any deleterious effects from any improper use and/or disclosure of Protected Health Information by Business Associate.
(m) Report to the designated Privacy Official of Covered Entity any Security Incident of which Business Associate becomes aware. Oral reports shall be made within five (5) business days following discovery, and shall be followed promptly by a written report based on subsequently developed information. Business Associate shall cooperate with Covered Entity with respect to disclosure of such incident in accordance with applicable law, including without limitation the applicable requirements of the HITECH Act.
(n) Report to Covered Entity any Breach of Unsecured Protected Health Information, including identification of each individual whose Unsecured Protected Health Information has been, or is reasonably believed by Business Associate to have been, accessed, acquired, or disclosed during such Breach and any other information required under 45 C.F.R. § 164.410. Oral reports shall be made within five (5) business days if practicable, and shall be followed promptly by a written report based on subsequently developed information. Business Associate shall cooperate with Covered Entity with respect to disclosure of such Breach in accordance with applicable law, including without limitation the applicable requirements of the HITECH Act; provided, however, that Covered Entity shall have sole control over the timing and method of providing notification of such Breach to the affected individual(s) or others as required by the HITECH Act.
- Compliance with the Security Regulations. Business Associate will comply with all requirements of the Security Regulations. Without limiting the generality of the foregoing, with respect to all Protected Health Information that is Electronically Transmitted or Electronically Maintained, Business Associate shall implement Administrative Safeguards, Physical Safeguards, and Technical Safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of Electronically Transmitted or Electronically Maintained Protected Health Information that the Business Associate creates, receives, maintains, or transmits on behalf of the Covered Entity, all as required by, and set forth more specifically in, the Security Regulations.
- Compliance with Certain Provisions of the HITECH Act.
(a) Business Associate shall not, directly or indirectly, receive remuneration in exchange for any Protected Health Information of an individual, except pursuant to a valid written authorization signed by or on behalf of such individual, or as otherwise permitted under the HITECH Act or such implementing regulations.
(b) Business Associate shall not use or disclose Protected Health Information for the purpose of making such a communication about a product or service that encourages recipients of the communication to purchase or use the product or service, unless such communication: (1) complies with the requirements of subparagraph (i), (ii) or (iii) of paragraph (1) of the definition of marketing contained in 45 C.F.R. § 164.501; and (2) complies with the requirements of subparagraphs (A), (B) or (C) of Section 13406(a)(2) of the HITECH Act. Covered Entity shall cooperate with Business Associate to determine if the foregoing requirements are met with respect to any such marketing communication.
- Obligations of the Covered Entity. With regard to the use and/or disclosure of Protected Health Information by Business Associate, Covered Entity hereby agrees to do the following:
(a) Provide Business Associate with the notice of privacy practices that Covered Entity produces in accordance with 45 C.F.R. §164.520, as well as any changes to such notice.
(b) Inform Business Associate of any changes in, or revocation of, authorization provided to Covered Entity by an Individual to use or disclose Protected Health Information, if such changes affect Business Associate’s permitted uses and disclosures. If applicable to services provided to or on behalf of Covered Entity, inform Business Associate of any opt-outs exercised by any individual from fundraising activities of Covered Entity pursuant to 45 C.F.R. §164.514(f).
(c) Notify Business Associate of any arrangements permitted or required of Covered Entity under the Privacy Regulations that may impact in any manner the use and/or disclosure of Protected Health Information by Business Associate under this Agreement, including any restriction on the use or disclosure of Protected Health Information that Covered Entity has agreed to in accordance with 45 C.F.R. §164.522. Without limiting the foregoing, in the event that Covered Entity is required to comply with a restriction on the disclosure of Protected Health Information pursuant to §13405 of the HITECH Act, then Covered Entity shall, to the extent needed to comply with such restriction, provide written notice to Business Associate of the name of the individual requesting the restriction and the Protected Health Information affected thereby. Upon receipt of such notification, Business Associate shall not disclose the identified Protected Health Information to any health plan for the purposes of carrying out payment or health care operations, except as otherwise required by law.
- TERM AND TERMINATION.
- Term. This Agreement shall become effective on the Effective Date and shall continue in effect until all of the Protected Health Information provided by Covered Entity to Business Associate, or created or received by Business Associate on behalf of Covered Entity is destroyed or returned to Covered Entity, or, if it is infeasible to return or destroy Protected Health Information, protections are extended to such information in accordance with the termination provisions in this Section 4. In addition, certain provisions and requirements of this Agreement shall survive its expiration or other termination in accordance with Section 4.3 herein.
- Termination for Cause. As provided in 45 C.F.R. §164.314(a)(2)(i)(D) and §164.504(e)(2)(iii), Covered Entity may immediately terminate this Agreement and any related agreements, if Covered Entity makes the determination that Business Associate has breached a material term of this Agreement. Covered Entity may choose to provide Business Associate with written notice of the alleged breach and afford Business Associate an opportunity to cure said breach to the satisfaction of Covered Entity within thirty (30) calendar days after Business Associate’s receipt of such notice. Failure to cure in the manner set forth in this Section is grounds for immediate termination of this Agreement and any related agreements.
- Effect of Termination.
(a) Except as provided in Section 4.3(b) below, upon termination of this Agreement for any reason, Business Associate shall return or destroy all Protected Health Information received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity. This provision shall apply to Protected Health Information that is in the possession of subcontractors or agents of Business Associate. Business Associate shall retain no copies of the Protected Health Information.
(b) In the event that Business Associate determines that returning or destroying the Protected Health Information is infeasible or inconsistent with the obligations of Business Associate to Covered Entity, Business Associate shall provide to Covered Entity notification of the conditions that make return or destruction infeasible. Upon mutual agreement between the Parties that return or destruction of Protected Health Information is infeasible, Business Associate shall extend the protections of this Agreement to such Protected Health Information and limit further uses and disclosures of such Protected Health Information to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such Protected Health Information.
- MISCELLANEOUS
- Relationship of Parties. Business Associate, in furnishing services pursuant to the Service Contract and other related documents thereunder, is acting as an independent contractor, and Business Associate has the sole right and obligation to supervise, manage, contract, direct, procure, perform or cause to be performed, all work to be performed by Business Associate under this Agreement. Business Associate is not an agent of Covered Entity, and has no authority to represent Covered Entity as to any matters, except as expressly authorized in this Agreement or in the Service Contract.
- Amendments; Waiver. The Parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for the Parties to comply with the requirements of the Privacy Regulations, the Security Regulations, the HITECH Act, or applicable federal or state confidentiality laws or regulations. Notwithstanding anything herein to the contrary, this Agreement may not be modified, nor shall any provision hereof be waived or amended, except in a writing duly signed by authorized representatives of both Parties. A waiver with respect to one event shall not be construed as continuing, or as a bar to or waiver of any right or remedy as to subsequent events.
- Interpretation; Regulatory References. Any ambiguity in this Agreement shall be resolved in favor of a meaning that permits the Parties to comply with the Privacy Regulations, the Security Regulations, the HITECH Act, or applicable federal or state confidentiality laws or regulations. Any reference in this Agreement to a section in the Privacy Regulations, the Security Regulations, or the HITECH Act means the section as in effect or as amended. Section titles in this Agreement are for convenience only, and shall not be used in interpreting this Agreement.
- Severability. If any provisions of this Agreement are unenforceable, invalid or violate applicable law, such provisions shall be deemed stricken and shall not affect the enforceability of any other provisions of this Agreement.
- Notices. Any notices to be given hereunder to a Party shall be made via certified mail, overnight mail, or via electronic mail with confirmed receipt to the other Party’s principal place of business or email address provided to the other Party.
- Counterparts; Facsimiles. For the convenience of the Parties, this Agreement may be executed in two or more identical counterparts, all of which together shall constitute one agreement. One or more counterparts of this Agreement may be delivered via facsimile, with the intention that they shall have the same effect as an original counterpart.