MEZMO, INC. BUSINESS ASSOCIATE ADDENDUM
This Business Associate Addendum (“Addendum”) is entered into as of the last date executed below by and between Mezmo, Inc., a Delaware corporation with a business address at 2059 Camden Ave #297, San Jose, CA 95124 (“Business Associate”) and the “Customer” (aka, “Covered Entity”) as defined below.
THIS BAA APPLIES BETWEEN THE PARTIES WHERE COVERED ENTITY CLICKS A BOX INDICATING ACCEPTANCE, TRANSFERS PHI TO BUSINESS ASSOCIATE FOR PROCESSING BY MEANS OF THE SERVICES, OR OTHERWISE AFFIRMATIVELY INDICATES ACCEPTANCE OF THIS BAA. BY DOING SO, YOU: (A) AGREE TO THIS BAA EITHER ON BEHALF OF YOURSELF, OR THE ORGANIZATION, COMPANY, OR OTHER LEGAL ENTITY FOR WHICH YOU ACT (EACH, A “CUSTOMER” AND A “COVERED ENTITY”); AND (B) REPRESENT THAT YOU HAVE THE AUTHORITY TO BIND COVERED ENTITY AND ITS AFFILIATES TO THIS BAA. IF YOU DO NOT HAVE SUCH AUTHORITY, OR IF YOU DO NOT AGREE WITH THIS BAA, YOU MAY NOT DIRECTLY OR INDIRECTLY TRANSFER PHI TO MEZMO. MEZMO RESERVES THE RIGHT TO MODIFY OR UPDATE THE TERMS OF THIS BAA IN ITS DISCRETION, THE EFFECTIVE DATE OF WHICH WILL BE THE EARLIER OF (I) 30 DAYS FROM THE DATE OF SUCH UPDATE OR MODIFICATION AND (II) COVERED ENTITY’S CONTINUED TRANSFER OF PHI TO MEZMO.
This Addendum applies to the extent Customer is licensed to use the Mezmo Services (as defined in the Agreement) and transmits any PHI (defined below) to Mezmo.
This Addendum defines the rights and responsibilities of each party with respect to Protected Health Information as defined in the Health Insurance Portability and Accountability Act of 1996 and the regulations promulgated thereunder, including the HITECH Act and Omnibus Rule, as each may be amended from time to time (collectively, “HIPAA”).
NOW THEREFORE, in consideration of mutual promises below and the exchange of information pursuant to this Agreement, the parties agree as follows:
For the purposes of this Addendum, capitalized terms shall have the following meanings:
“Business Associate” shall generally have the same meaning as the term “business associate” at 45 CFR 160.103, and in reference to the party to this agreement, shall mean Mezmo, Inc.
“Covered Entity” shall generally have the same meaning as the term “covered entity” at 45 CFR 160.103, and in reference to the party to this agreement, shall mean Customer.
All other terms and phrases in this Addendum shall have the same meanings as defined by HIPAA and if not otherwise defined therein, shall have their ordinary and customary meaning.
B. Privacy of PHI
1. Permitted Uses and Disclosures. BUSINESS ASSOCIATE is permitted or required to use or disclose PHI it creates or receives for or from Customer only as follows:
a) Functions and Activities on COMPANY’s Behalf. BUSINESS ASSOCIATE is permitted to use and disclose PHI it creates or receives for or from Customer for the purpose of providing the Mezmo Services under the Agreement.
b) BUSINESS ASSOCIATE’s Operations. BUSINESS ASSOCIATE may use PHI it creates or receives for or from Customer as necessary for BUSINESS ASSOCIATE’s proper management and administration or to carry out BUSINESS ASSOCIATE’s legal responsibilities. BUSINESS ASSOCIATE may disclose such PHI as necessary for BUSINESS ASSOCIATE’s proper management and administration or to carry out BUSINESS ASSOCIATE’s legal responsibilities only if:
(i) The disclosure is Required by Law; or
(ii) BUSINESS ASSOCIATE obtains reasonable assurance, evidenced by written contract, from any person or organization to which BUSINESS ASSOCIATE will disclose such PHI that the person or organization will:
a. Hold such PHI in confidence and use or further disclose it only for the purpose for which BUSINESS ASSOCIATE disclosed it to the person or organization or as Required by Law;
b. Use or further disclose PHI only for authorized purposes or as otherwise Required by Law; and
c. Notify BUSINESS ASSOCIATE (who will in turn promptly notify Customer) of any instance of which the person or organization becomes aware in which the confidentiality of such PHI was breached.
Business Associate may provide Data Aggregation services relating to the Health Care Operations of the Covered Entity, to the extent that Business Associate’s services may be deemed Health Care Operations. Business Associate may de-identify the PHI in accordance with section 164.502(d) of the HIPAA Rules and use, modify and disclose such de-identified data for any legal purpose.
2. Prohibition on Unauthorized Use or Disclosure. BUSINESS ASSOCIATE will neither use nor disclose PHI it creates or receives for or from Customer, except as permitted or required by this Addendum or as permitted and/or Required by Law or as otherwise permitted in writing by Customer. This Addendum does not authorize BUSINESS ASSOCIATE to use or disclose PHI in a manner that would violate the Privacy Standards or Security Standards if done by Customer.
3. Contractors, Sub-Contractors and Agents. BUSINESS ASSOCIATE shall obtain from any agent, contractor, or subcontractor to whom it provides PHI reasonable assurance that it will adhere to restrictions and conditions that are at least as protective of the PHI provided by Covered Entity as the restrictions and conditions that apply to BUSINESS ASSOCIATE under this Addendum with respect to such information.
C. Compliance with Security of Protected Health Information
BUSINESS ASSOCIATE will establish and maintain appropriate administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of electronic protected health information. BUSINESS ASSOCIATE will follow generally accepted system security principles and the requirements of the final HIPAA rule, as amended.
1. Security Incidents. BUSINESS ASSOCIATE will report to Customer any: (i) security incident, (ii) Breach of unsecured PHI (as defined in 45 CFR §164.402), or (iii) access, acquisition, use or disclosure of PHI in violation of this Addendum of which it becomes aware, including those reported to BUSINESS ASSOCIATE by its contractors, subcontractors, vendors and agents. For purposes of this Addendum, a “security incident” means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of PHI or interference with system operations. This does not include trivial incidents that occur on a daily basis, such as scans, “pings”, or unsuccessful attempts to penetrate computer networks or servers maintained by BUSINESS ASSOCIATE. The timing of other reporting will be made consistent with BUSINESS ASSOCIATE’s and Customer’s legal obligations.
D. Compliance with Standard Transactions
If BUSINESS ASSOCIATE conducts in whole or part Standard Transactions for or on behalf of Customer, BUSINESS ASSOCIATE will comply, and will require any contractor, subcontractor or agent involved with the conduct of such Standard Transactions to comply, with each applicable requirement of HIPAA. BUSINESS ASSOCIATE will not enter into, or permit its contractors, subcontractors, vendors or agents to enter into, any trading partner agreement in connection with the conduct of Standard Transactions for or on behalf of Customer that:
1. Changes the definition, data condition, or use of a data element or segment in a Standard Transaction;
2. Adds any data elements or segments to the maximum defined data set;
3. Uses any code or data element that is marked “not used” in the Standard Transaction’s implementation specification or is not in the Standard Transaction’s implementation specification; or
4. Changes the meaning or intent of the Standard Transaction’s implementation specification.
E. PHI Access, Amendment and Disclosure Accounting
1. Access. BUSINESS ASSOCIATE will, upon Customer’s request, make available to Customer or, at Customer’s direction, to the Individual (or the Individual’s personal representative) for inspection and obtaining copies any PHI about the Individual which BUSINESS ASSOCIATE created or received for or from Customer and that is in BUSINESS ASSOCIATE’s custody or control, so that Customer may meet its access obligations under 45 Code of Federal Regulations § 164.524.
2. Amendment. BUSINESS ASSOCIATE will, upon receipt of notice from Customer, promptly amend or permit Customer access to amend any portion of the PHI which BUSINESS ASSOCIATE created or received for or from Customer, so that Customer may meet its amendment obligations under 45 Code of Federal Regulations § 164.526.
3. Disclosure Accounting. Customer acknowledges that Business Associate is not required by this Addendum to make disclosures of PHI to Individuals or any person other than Customer, and that Business Associate does not, therefore, expect to maintain documentation of such disclosures as described in 45 CFR § 164.528. In the event that Business Associate does make such a disclosure, it shall document the disclosure as would be required for Customer to respond to a request by an Individual for an accounting of disclosures in accordance with 45 CFR §164.504(e)(2)(ii)(G) and §164.528, and shall provide such documentation to Customer promptly on its request. In the event that a request for an accounting is made directly to Business Associate, Business Associate shall, within five (5) Business Days, forward such request to Customer.
4. Inspection of Books and Records. BUSINESS ASSOCIATE will make its internal practices, policies and procedures, books, and records, relating to its use and disclosure of the PHI available to the U.S. Department of Health and Human Services to determine Customer’s compliance with 45 Code of Federal Regulations Parts 160-164; provided, however, that time incurred by Business Associate in complying with any such request that exceeds its normal customer service parameters shall be charged to Customer at Business Associate’s then current standard hourly rate for services.
F. Customer’s Obligations
1. Customer shall notify Business Associate of any limitation(s) in Customer’s notice of privacy practices under 45 CFR 164.520, to the extent that such limitation may affect Business Associate’s Use or Disclosure of PHI. Customer agrees that any reports, notifications or other notice by Business Associate pursuant to this Addendum may be made electronically. Customer will provide Business Associate with contact information and will ensure that Customer’s contact information remains up to date during the term of this Addendum. Contact information must include the name(s) of individual(s) to be contacted, title of individual(s) to be contacted, e-mail address of individual(s) to be contacted, and name of the Customer.
2. Customer shall notify Business Associate of:
(b) any limitation(s) in Customer’s notice of privacy practices in accordance with 45 CFR § 164.520 to the extent that such changes may affect Business Associate’s use or disclosure of PHI;
(c) any changes in, or revocation of, permission by an Individual to use or disclose PHI, to the extent that such changes may affect Business Associate’s use or disclosure of PHI; and
(d) any restriction to the use or disclosure of PHI that Customer has agreed to in accordance with 45 CFR § 164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of PHI.
Customer:
(a) shall be responsible for implementing appropriate privacy and security safeguards to protect its PHI in compliance with its obligations under HIPAA. Without limitation, it is Customer’s responsibility to implement privacy and security safeguards in the systems, applications and software the Customer controls, configures, or otherwise makes accessible in connection with the Agreement and uploads to the Mezmo Services.
(b) warrants that it has obtained any necessary authorizations, consents, and other permissions that may be required under applicable law prior to placing the PHI on the Answerbook Services.
(c) agrees that it will not request Business Associate to use or disclose PHI in any manner that would not be permissible under the Privacy Rule if done by Covered Entity; provided, however, that this provision shall not be interpreted to restrict Business Associate from using PHI for Data Aggregation or for the management and administration and legal responsibilities of Business Associate, as permitted by this Addendum.
G. Termination of Agreement
(a) Term; Right to Terminate for Breach. The term of this Addendum shall continue for the term of the Agreement into which this Addendum is incorporated by reference, and following termination of such Agreement until all PHI is destroyed or returned to Customer or its designee. If Business Associate materially breaches the terms of this Addendum and has not cured the breach or ended the violation within the time specified by Covered Entity, then Covered Entity may terminate any related Agreement(s); or, if termination is not feasible, Covered Entity shall report the violation to the Secretary.
(b) Obligations upon Termination.
(i) Return or Destruction. Upon termination, cancellation, expiration or other conclusion of the Agreement, BUSINESS ASSOCIATE will, if feasible, return to Customer or destroy all PHI, in whatever form or medium (including in any electronic medium under BUSINESS ASSOCIATE’s custody or control), that BUSINESS ASSOCIATE created or received for or from Customer, including all copies of any such data. BUSINESS ASSOCIATE will complete such return or destruction as promptly as possible, but not later than 30 days after the effective date of the termination, cancellation, expiration or other conclusion of the Agreement. In the event that BUSINESS ASSOCIATE determines that destroying the PHI is infeasible, BUSINESS ASSOCIATE will provide Customer notification of the conditions that make destruction infeasible, and will limit its further use or disclosure of that PHI to those purposes that make return or destruction of that PHI infeasible. Upon Customer’s request, BUSINESS ASSOCIATE will certify in writing to Customer that such return or destruction has been completed, or will deliver to Customer the identification of any PHI for which return or destruction is infeasible and, for that PHI, will certify that it will only use or disclose such PHI for those purposes that make return or destruction infeasible.
(ii) Continuing Privacy Obligation. BUSINESS ASSOCIATE’s obligation to protect the privacy of the PHI it created or received for or from Customer will be continuous and survive termination, cancellation, expiration or other conclusion of the Agreement.
For the avoidance of doubt, Business Associate’s obligations to return and/or destroy the PHI as set forth in this Section shall not apply to any PHI which has been de-identified in accordance with the requirements of the HIPAA Rules, and Customer acknowledges and agrees that Business Associate shall be free to continue to use de-identified data without restriction after the termination or expiration of this Addendum.
H. General Provisions
1. Amendment to Agreement. Upon the effective date of any final federal or state regulation or amendment to final regulations promulgated by the U.S. Department of Health and Human Services with respect to PHI or Standard Transactions, this Addendum will automatically amend such that the obligations it imposes on BUSINESS ASSOCIATE remain in compliance with these regulations; provided, however, that if such an amendment would materially increase the cost to Business Associate of providing service under the Agreement, Business Associate shall have the option to terminate the Agreement on thirty (30) days’ advance notice.
2. Integration; Conflicts. The Agreement and this Addendum constitute the entire and complete understanding of the Customer and Business Associate regarding their subject matter, and supersede all written agreements and understandings between the parties regarding that subject matter. The terms and conditions of this Addendum will override and control any conflicting term or condition of the Agreement between BUSINESS ASSOCIATE and Customer. Any ambiguity in the Agreement shall be resolved to permit Customer to comply with HIPAA and the Privacy Rule. Each Party’s respective rights and obligations under this Addendum shall survive the termination of the Agreement.