Business Associate Addendum
Last Updated: January 15, 2025
THIS BUSINESS ASSOCIATE ADDENDUM (this "Addendum") supplements, and is incorporated into, the parties' Software-as-a-Service Agreement (the "SaaS Agreement"), which is accessible at the live URL listed in the executed Cover Sheet to DocuCare Inc. SaaS Agreement (the "Cover Sheet").
The Cover Sheet itself—executed by electronic signature and posted at its unique URL—sets the Effective Date of the SaaS Agreement and, by this reference, the effective date of this Addendum (the "Addendum Effective Date").
This Addendum is incorporated into the SaaS Agreement exactly as if its text were set out in full therein. Capitalized terms used but not defined in this Addendum have the meanings given to them in the SaaS Agreement or Cover Sheet, as applicable.
RECITALS
A. Business Associate will receive certain information from Customer, or from others on behalf of Customer, or will create, maintain, or transmit certain information on behalf of Customer, some of which may constitute Protected Health Information ("PHI") as defined in 45 C.F.R. § 160.103.
B. Customer and Business Associate intend to protect the privacy and provide for the security of PHI. This Addendum addresses the Business Associate requirements of the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations (45 C.F.R. Parts 160 and 164), as may be modified or amended from time to time ("HIPAA") and other applicable laws.
C. HIPAA requires Customer to enter into a written contract containing specific requirements with Business Associate prior to the disclosure of PHI as set forth in, but not limited to, 45 C.F.R. §§ 164.502(e) and 164.504(e) and contained in this Addendum.
NOW THEREFORE, the parties agree as follows:
1. Definitions.
Capitalized terms used, but not otherwise defined, in this Addendum shall have the same meaning as those terms in 45 C.F.R. Part 160 and Part 164, and 42 U.S.C. § 17921, as may be modified or amended from time to time.
2. Obligations and Activities of Business Associate.
(a) Business Associate agrees to restrict its use and disclosure of PHI solely for the purpose of performing Business Associate's obligations under the Underlying Agreement and as otherwise permitted or required by this Addendum or as Required by Law.
(b) Business Associate agrees to use appropriate safeguards to prevent use or disclosure of PHI other than as permitted by the Underlying Agreement and this Addendum.
(c) Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of the requirements of this Addendum.
(d) Business Associate agrees to report to Customer any use or disclosure of PHI not provided for by this Addendum of which it becomes aware, including breaches of unsecured PHI as required by 45 C.F.R. § 164.410, within five (5) business days of the discovery of the use or disclosure.
(e) Business Associate agrees, prior to disclosure of PHI to any Subcontractor, to require the Subcontractor to agree in writing to the same terms and restrictions that apply to Business Associate with respect to such PHI.
(f) Business Associate agrees to provide access, at the request of Customer, and in the time and manner determined by Customer, to PHI in a Designated Record Set, to Customer, or as directed by Customer, to an Individual in order to meet the requirements under 45 C.F.R. § 164.524. In the event an Individual requests a copy of PHI maintained electronically in one or more Designated Record Sets, Business Associate agrees to provide access, at the request of Customer, and in the time and manner determined by Customer, to such PHI, to Customer, or as directed by Customer, to the Individual in the electronic form and format requested by the Individual if readily producible or, if not readily producible, in a readable electronic form and format as agreed to by the Individual.
(g) Business Associate agrees to make any amendment(s) to PHI in a Designated Record Set pursuant to 45 C.F.R. § 164.526 at the request of Customer, within ten (10) business days after request by Customer.
(h) Business Associate agrees to make its internal practices, books, and records, including policies and procedures, relating to the use and disclosure of PHI created, received, maintained, or transmitted by Business Associate on behalf of Customer, available to the Secretary, as designated by the Secretary, for purposes of the Secretary determining compliance with HIPAA. If requested by Customer, Business Associate agrees to make such information available to Customer within ten (10) business days after request by Customer.
(i) Business Associate agrees to document disclosures of PHI and information related to such disclosures as would be required for Customer to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528.
(j) Business Associate shall promptly notify Customer upon receipt of a request by an Individual for an accounting of disclosures of PHI. Business Associate shall, within ten (10) business days and as directed by Customer, either provide an accounting of disclosures to an Individual requesting an accounting, or provide Customer with information documented in accordance with Section 2(i) of this Addendum to permit Customer to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528. Business Associate shall provide an accounting of disclosures in accordance with this section and as required by 42 U.S.C. § 17935 if PHI is contained in an Electronic Health Record.
(k) Business Associate agrees to make its internal practices, books, and records, including policies and procedures, relating to the use and disclosure of PHI received from, or created, received, maintained, or transmitted by Business Associate on behalf of Customer, available to Customer, for auditing purposes within ten (10) business days of receipt of written notice from Customer.
(l) Business Associate will, to the extent Business Associate is to carry out a Customer obligation under the privacy regulations, comply with any and all privacy regulations that apply to Customer in the performance of such obligation.
(m) Business Associate will, following the discovery of a Breach of Unsecured Protected Health Information, notify Customer of the existence of the Breach within five (5) business days. Business Associate shall without unreasonable delay, but in no event more than thirty (30) calendar days after discovery of the Breach, provide Customer with the following documentation:
(i) A brief description of the Breach, including the date of the Breach and date of discovery of the Breach;
(ii) A description of the types of Unsecured Protected Health Information that were involved;
(iii) A description of what Business Associate is doing to investigate the Breach, to mitigate losses and to protect against further Breaches; and
(iv) To the extent possible, the identification of each individual whose unsecured PHI has been, or is reasonably believed by Business Associate to have been, accessed, acquired, used, or disclosed during the Breach.
(n) Business Associate shall limit its requests for, and its uses and disclosures of, PHI to the "minimum necessary" amount of PHI consistent with Customer's minimum necessary policies and procedures.
3. Prohibited Remuneration.
(a) Business Associate shall not directly or indirectly receive remuneration in exchange for any PHI except as provided in 42 U.S.C. § 17935(d).
(b) Business Associate shall not directly or indirectly receive remuneration in exchange for a marketing communication, as defined in 45 C.F.R. § 164.501 except as permitted under 42 U.S.C. § 17936(a).
4. Permitted Uses and Disclosures by Business Associate - General Use and Disclosure Provision.
Except as otherwise limited in this Addendum, Business Associate may use or disclose PHI to perform functions, activities, or services for, or on behalf of, Customer as specified in the Underlying Agreement, provided that such use or disclosure would not violate HIPAA if done by Customer and is in compliance with each applicable requirement of 45 C.F.R. § 164.504(e) and the privacy requirements referenced in HIPAA.
5. Specific Use and Disclosure Provisions.
(a) Except as otherwise limited in this Addendum, Business Associate may use PHI for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate.
(b) Except as otherwise limited in this Addendum, Business Associate may disclose PHI for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate, provided that such disclosures are Required by Law, or Business Associate obtains reasonable assurances from the person to whom the PHI is disclosed that such PHI will remain confidential and be used or further disclosed only as Required by Law or for the purpose for which it was disclosed to the person, and the person notifies Business Associate of any instances of which it is aware in which the confidentiality of the PHI has been breached.
(c) Except as otherwise limited in this Addendum, Business Associate may de-identify PHI in accordance with 45 C.F.R. § 164.514.
(d) Except as otherwise limited in this Addendum, Business Associate may use PHI to provide Data Aggregation services to Customer as permitted by 45 C.F.R. § 164.504(e)(2)(i)(B).
(e) Business Associate may use PHI to report violations of law to appropriate federal and state authorities, consistent with 45 C.F.R. § 164.502(j)(1).
6. Security Regulations.
6.1 Applicability. This Section 6 applies only if, and to the extent that, PHI is created, received, maintained, or transmitted by Business Associate in electronic format ("e-PHI"). This Section 6 will govern the terms and conditions under which e-PHI is created, received, maintained, and transmitted.
6.2 Security Requirements - Security Implementation by Business Associate. Business Associate agrees to comply with the security regulations and to:
(a) Implement administrative, physical, and technical safeguards as set forth in 45 C.F.R. §§ 164.308, 164.310 and 164.312 that reasonably and appropriately protect the confidentiality, integrity and availability of the e-PHI that Business Associate creates, receives, maintains, or transmits on behalf of Customer;
(b) Implement reasonable and appropriate policies and procedures as required by 45 C.F.R. § 164.316;
(c) Prior to disclosing e-PHI to any Subcontractor, ensure that any Subcontractor to whom Business Associate provides e-PHI agrees in writing to implement reasonable and appropriate safeguards to protect it;
(d) Report to Customer, within five (5) business days after discovery, any Security Incident of which Business Associate becomes aware; and
(e) Authorize termination of this Addendum and the Underlying Agreement if Customer determines that Business Associate has violated a material term of this Addendum.
7. Obligations of Customer - Provisions for Customer to Inform Business Associate of Privacy Practices and Restrictions.
(a) Customer shall make available on its web site the notice of privacy practices that Customer produces in accordance with 45 C.F.R. § 164.520, as well as any material changes to the notice.
(b) Customer shall provide Business Associate with any changes in, or revocation of, permission by an Individual to use or disclose PHI, to the extent that such changes may affect Business Associate's permitted or required uses and disclosures.
(c) Customer shall notify Business Associate of any restriction to the use or disclosure of PHI that Customer has agreed to in accordance with 45 C.F.R. § 164.522, to the extent that such restriction may affect Business Associate's use or disclosure of PHI.
8. Permissible Requests by Customer.
Customer shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under HIPAA if done by Customer. An exception shall be if Business Associate will use or disclose PHI for Data Aggregation or management and administrative activities of Business Associate.
9. Term and Termination.
(a) The term of this Addendum shall be effective as of the Addendum Effective Date and shall terminate upon the earlier of termination of the Underlying Agreement or as provided in this Section 9, subject to Section 11(c).
(b) Upon Customer's knowledge of a material breach by Business Associate, Customer may immediately terminate this Addendum and immediately terminate the Underlying Agreement. Customer, in its sole discretion, may provide Business Associate an opportunity to cure the breach within the time specified by Customer. This provision shall be in addition to and shall not limit any rights of termination set forth in the Underlying Agreement.
(c) Effect of Termination.
(1) Except as provided in Section 9(c)(2) of this Addendum, upon termination of this Addendum, for any reason, Business Associate shall return or destroy, at Customer's direction, all PHI received from Customer, or created, received, maintained, or transmitted by Business Associate on behalf of Customer. This section shall apply to PHI that is in the possession of Subcontractors of Business Associate. Neither Business Associate, nor its Subcontractors, shall retain any copies of the PHI.
(2) In the event that Business Associate determines that returning or destroying PHI is infeasible, Business Associate shall provide to Customer notification of the conditions that make return or destruction infeasible. Upon the reasonable judgment of the parties that return or destruction of PHI is infeasible, Business Associate shall extend the protections of this Addendum to such PHI and, notwithstanding other permitted uses and disclosures set forth in this Addendum, Business Associate will limit further uses and disclosures of such PHI solely for those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such PHI.
10. Indemnification.
(a) Business Associate shall be responsible for any reasonable costs associated with responding to and mitigating any Security Incident, Breach of Unsecured PHI or unauthorized use or disclosure of PHI as a result of the action or omission of Business Associate or its Subcontractors including, but not limited to, mailing costs, personnel costs, attorneys' fees, credit monitoring costs and other related expenses and costs. At Customer's sole discretion, mitigation may include credit monitoring or protection services for affected individuals for a reasonable length of time.
(b) Business Associate shall indemnify, defend, and hold Customer harmless against any and all claims, damages, losses, judgments, costs and expenses (including attorneys' fees) arising out of Business Associate's material breach of this Addendum.
11. Miscellaneous.
(a) A reference in this Addendum to a section in HIPAA means the section as in effect or as amended.
(b) The parties agree to take such action as is necessary to amend this Addendum from time to time as is necessary for Customer to comply with the requirements of HIPAA and other applicable laws relating to the security or confidentiality of PHI. Customer may terminate this Addendum and the Underlying Agreement upon thirty (30) calendar days' written notice in the event that Business Associate does not promptly enter into negotiations to amend this Addendum when requested by Customer pursuant to this Section 11(b) or Business Associate does not enter into an amendment to this Addendum providing assurances regarding the safeguarding of PHI that Customer, in its sole discretion, deems sufficient to satisfy the standards and requirements of HIPAA and other applicable laws. This provision shall be in addition to and shall not limit any rights of termination set forth in the Underlying Agreement.
(c) The respective rights and obligations of Customer and Business Associate under Section 9(c) and Section 10 of this Addendum shall survive the termination of this Addendum.
(d) Any ambiguity in this Addendum shall be resolved to permit Customer to comply with HIPAA and other applicable laws.
(e) Nothing express or implied in this Addendum is intended to confer upon any person, other than the parties hereto, any rights, remedies, obligations, or liabilities whatsoever.
(f) In the event of any conflict or inconsistency between the provisions of this Addendum and the provisions of any other agreement between the parties or any part of the Underlying Agreement, the provisions of this Addendum shall control.