This Business Associate Agreement (the "Agreement") between Customer ("Covered Entity") and VisionWeb ("BUSINESS ASSOCIATE") will be in effect during any such time period that Covered Entity has subscribed to and is using VisionWeb's services and upon termination as set forth below.
WHEREAS, COVERED ENTITY will make available and/or transfer to BUSINESS ASSOCIATE certain information in conjunction with goods or services that are confidential and must be afforded special treatment and protection.
WHEREAS, BUSINESS ASSOCIATE will have access to and/or receive from COVERED ENTITY certain information that can be used or disclosed only in accordance with this Agreement and the Department of Health and Human Services ("HHS") Privacy and Security Standards.
WHEREAS, Covered Entity has engaged BUSINESS ASSOCIATE to perform services or provide software, or both;
WHEREAS, Covered Entity possesses Individually Identifiable Health Information that is protected under HIPAA (as hereinafter defined), the HIPAA Privacy Regulations (as hereinafter defined), the HIPAA Security Regulations (as hereinafter defined), and the HITECH Standards (as hereinafter defined) and is permitted to use or disclose such information only in accordance with such laws and regulations;
WHEREAS, BUSINESS ASSOCIATE may receive such information from Covered Entity, or create and receive such information on behalf of Covered Entity, in order to perform certain of the services or provide certain of the goods, or both; and
WHEREAS, Covered Entity wishes to ensure that BUSINESS ASSOCIATE will appropriately safeguard Individually Identifiable Health Information;
NOW THEREFORE, the Parties agree as follows:
The parties agree that the following terms, when used in this Agreement, shall have the following meanings, provided that the terms set forth below shall be deemed to be modified to reflect any changes made to such terms from time to time as defined in the HIPAA Privacy Regulations, the HIPAA Security Regulations, and the HITECH Standards (collectively the HIPAA Rules). Terms used in this agreement and not otherwise defined shall have the meaning of those terms in the HIPAA Rules.
"BUSINESS ASSOCIATE" shall have the same meaning as the definition for BUSINESS ASSOCIATE set forth in 45 CFR 160.103.
"Covered Entity" means a health plan, a health care clearinghouse, or a health care provider who transmits any health information in electronic form in connection with a transaction covered by the HIPAA Privacy and HIPAA Security Regulations.
"Data Aggregation" means, with respect to PHI ("Protected Health Information") created or received by a BUSINESS ASSOCIATE in its capacity as the BUSINESS ASSOCIATE of a Covered Entity, the combining of such PHI by the BUSINESS ASSOCIATE with the PHI received by the BUSINESS ASSOCIATE in its capacity as a BUSINESS ASSOCIATE of another Covered Entity, to permit data analyses that relate to the health care operations of the respective Covered Entities.
"Electronic Protected Health Information" or "ePHI" means the Protected Health Information that is transmitted by or maintained in electronic media as defined in the HIPAA Security Regulations.
"End User License Agreement" or "EULA" is the agreement between VisionWeb and its customers and end users. The EULA dictates the subscription terms and conditions, service level agreements and payment terms.
"HIPAA" means the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191.
"HIPAA Privacy Regulations" means the regulations promulgated under the HIPAA by the United States Department of Health and Human Services to protect the privacy of Protected Health Information, including but not limited to, 45 CFR § 160 and 45 CFR § 164, Subpart A and E.
"HIPAA Security Regulations" means the regulations promulgated under HIPAA by the United States Department of Health and Human Services to protect the security of Electronic Protected Health Information, including, but not limited to 45 CFR § 160 and 45 CFR § 164, Subpart A and C.
"HITECH Standards" means the privacy, security and security Breach notification provisions applicable to a BUSINESS ASSOCIATE under Subtitle D of the Health Information Technology for Economic and Clinical Health Act ("HITECH"), which is Title XIII of the American Recovery and Reinvestment Act of 2009 (Public Law 111-5), and any regulations promulgated thereunder.
"Individual" means the same meaning as the term "individual" in 45 CFR § 164.501 and shall include a person who qualifies as a personal representative in accordance with 45 CFR § 164.502(g).
"Individually Identifiable Health Information" means information that is a subset of health information, including demographic information collected from an individual, and;
"Ownership of Data" is designated within the VisionWeb End User License Agreement ("EULA"). VisionWeb will maintain the customer's data containing ePHI for a reasonable period of time to allow the customer sufficient time to validate their data from the VisionWeb system.
"Protected Health Information" or "PHI" has the same meaning as the term "protected health information” in 45 CFR § 164.501, limited to the information created or received by BUSINESS ASSOCIATE from or on behalf of Covered Entity.
"Provider(s)" means any healthcare professional that provides billable services to patients whom is an employee, customer, or has an employment, contractor, or agent relationship with a customer, for which the Service organizes information and provides medical billing management.
"Required By Law" shall have the same meaning as the term "required by law" in 45 CFR § 164.501.
"Secretary" means the Secretary of the United States of America Department of Health and Human Services or his designee.
"Breach" shall mean the acquisition, access, use, or disclosure of Protected Health Information in a manner not permitted under 45 CFR § 164, Subpart E (the "HIPAA Privacy Rule") "Breach" shall not include:
Except as otherwise limited in this Agreement:
BUSINESS ASSOCIATE hereby agrees to immediately report to COVERED ENTITY any and all breaches or improper uses or disclosures aside from those permitted in this Agreement or by the Health Insurance Portability and Accountability Act (HIPAA).
BUSINESS ASSOCIATE agrees to use appropriate safeguards to prevent use or disclosure of the Protected Health Information in any manner other than as provided for by this Agreement and as required by the Health Insurance Portability and Accountability Act.
BUSINESS ASSOCIATE agrees to mitigate, to the maximum extent practicable, any harmful effect that is known to BUSINESS ASSOCIATE from use or disclosure of information in a manner contrary to terms of this Agreement or according to the Health Insurance Portability and Accountability Act.
BUSINESS ASSOCIATE hereby agrees that any and all information provided or made available to its subcontractors or agents is subject to the same terms, conditions, and restrictions on use and disclosure of information as agreed upon in this contract between COVERED ENTITY and BUSINESS ASSOCIATE.
Business Associate agrees to provide access, at the request of Covered Entity to Protected Health Information in a Designated Record Set, to Covered Entity or, as directed by Covered Entity, to an Individual in a time and manner that allows Covered Entity to meet the requirements under 45 CFR § 164.524.
Business Associate agrees to make any amendment(s) to Protected Health Information in a Designated Record Set that the Covered Entity directs or agrees to pursuant to 45 CFR § 164.526 at the request of Covered Entity, in a time and manner that allows a Covered Entity to meet the requirements of 45 CFR 164.526.
BUSINESS ASSOCIATE hereby agrees to make its internal practices (including policies and procedures), books, and records relating to use or disclosure of information gained or received under terms of this Agreement available to the Secretary of the Department of Health and Human Services or the Secretary's designee for purpose of determining compliance with Privacy and Security standards under the Health Insurance Portability and Accountability Act.
BUSINESS ASSOCIATE hereby agrees to make available and provide individuals the right to inspect and receive a copy of their protected health information in accordance with 45 CFR § 164.524.
BUSINESS ASSOCIATE agrees to cooperate in making protected health information available to individuals for amendment and agrees to document explicit modifications by the individual in accordance with 45 CFR § 164.526.
BUSINESS ASSOCIATE agrees to provide an account of protected health information disclosures to an individual in accordance with 45 CFR § 164.528.
If BUSINESS ASSOCIATE conducts any HIPAA Standard Transaction for or on behalf of COVERED ENTITY, BUSINESS ASSOCIATE shall comply in accordance with 45 CFR § 162.
Shared information, including de-identified protected health information, shall be and remains property of COVERED ENTITY. BUSINESS ASSOCIATE agrees that it acquires no title or rights to an individual's protected health information as a result of this contract.
BUSINESS ASSOCIATE agrees that COVERED ENTITY has the right to immediately terminate this Agreement and seek relief under Disputes Article if COVERED ENTITY determines that BUSINESS ASSOCIATE has violated a material term of this Agreement.
Upon contract termination, BUSINESS ASSOCIATE hereby agrees to return or destroy all information received or created on behalf of COVERED ENTITY. BUSINESS ASSOCIATE agrees not to retain any copies of information after termination of contract. If return or destruction of the information is not feasible, BUSINESS ASSOCIATE agrees to extend protections outlined in this contract and agrees to limit all further use or disclosure, and agrees to provide COVERED ENTITY with written authorization for destroyed information.
BUSINESS ASSOCIATE acknowledges that by accepting the information from COVERED ENTITY, it becomes a holder of medical records information under the state Privacy laws and is subject to the provisions of that law. If the HIPAA Privacy or Security Rules and the state Privacy law conflict regarding the degree of protection provided for protected health information, BUSINESS ASSOCIATE shall comply with the more restrictive protection requirement.
Non-compliance by BUSINESS ASSOCIATE with any terms of this Agreement or the Health Insurance Portability and Accountability Act will automatically be considered grounds for breach.
The permitted uses and disclosures of the Business Associate, as required by the Health Insurance Portability and Accountability Act (HIPAA) and in regulations promulgated thereunder, are as follows:
Notwithstanding any rights or remedies provided for in this contract, COVERED ENTITY retains all rights to seek injunctive relief to prevent or stop unauthorized use or disclosure of information by BUSINESS ASSOCIATE or any agent, contractor, or third party that received information from BUSINESS ASSOCIATE.
Parties agree to exercise good faith in performance of this contract.
Both parties shall indemnify the other party and hold it harmless from and against any penalties, losses, claims, damages or liabilities (or actions in respect thereof) to which it may become subject insofar as such penalties, losses, claims, damages or liabilities (or actions in respect thereof) arise out of or are based upon any unauthorized use or disclosure of Protected Health Information.
Any controversy or claim arising from or relating to the terms defined under this contract is subject to settlement by compulsory arbitration in accordance with the Commercial Arbitration Rules of the American Arbitration Association, except for injunctive relief.
Each party agrees to bear its own legal expenses and any other cost incurred for actions or proceedings brought about by enforcement of this contract, or from an alleged dispute, breach, default, misrepresentation, or injunctive action associated with the provisions of this contract.
Neither party has the authority to reassign this agreement without the other's written consent.
The terms of this Agreement consist of this document and constitute the entire agreement between the stated parties.
Both Parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for them to comply with the requirements of the Health Insurance Portability and Accountability Act.
Any ambiguity in this Agreement shall be resolved to permit COVERED ENTITY to comply with the Health Insurance Portability and Accountability Act.
6500 River Place Blvd, Bldg 3, Suite 100
Austin, TX 78730
Tom A. Loveless
CFO & VP Business Development
January 1, 2016