A TRUE COPY
CERTIFICATION ON LAST PAGE
J.R. SMITH. CLERK

EXHIBIT C

HIPAA BUSINESS ASSOCIATE ADDENDUM

Customer and ESO Solutions, Inc. ("Business Associate") agree that this HIPAA Business Associate Addendum is entered into for the benefit of Customer, which is a covered entity under the Privacy Standards ("Covered Entity").

Pursuant to the Master Subscription and License Agreement (the "Agreement") into which this HIPAA Business Associate Addendum (this "Addendum") has been incorporated, Business Associate may perform functions or activities involving the use and/or disclosure of PHI on behalf of the Covered Entity, and therefore, Business Associate may function as a business associate. Business Associate, therefore, agrees to the following terms and conditions.

1. Scope. This Addendum applies to and is hereby automatically incorporated into all present and future agreements and relationships, whether written, oral or implied, between Covered Entity and Business Associate, pursuant to which PHI is created, maintained, received or transmitted by Business Associate from or on behalf of Covered Entity in any form or medium whatsoever.

2. Definitions. For purposes of this Addendum, the terms used herein, unless otherwise defined, shall have the same meanings as used in the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), or the Health Information Technology for Economic and Clinical Health Act ("HITECH"), and any amendments or implementing regulations, (collectively "HIPAA Rules").

3. Compliance with Applicable Law. The parties acknowledge and agree that, beginning with the relevant effective date, Business Associate shall comply with its obligations under this Addendum and with all obligations of a business associate under HIPAA, HITECH, the HIPAA Rules, and other applicable laws and regulations, as they exist at the time this Addendum is executed and as they are amended, for so long as this Addendum is in place.

4. Permissible Use and Disclosure of PHI. Business Associate may use and disclose PHI as necessary to carry out its duties to a Covered Entity pursuant to the terms of the Agreement and as required by law. Business Associate may also use and disclose PHI (i) for its own proper management and administration, and (ii) to carry out its legal responsibilities. If Business Associate discloses Protected Health Information to a third party for either above reason, prior to making any such disclosure, Business Associate must obtain: (i) reasonable assurances from the receiving party that such PHI will be held confidential and be disclosed only as required by law or for the purposes for which it was disclosed to such receiving party; and (ii) an agreement from such receiving party to immediately notify Business Associate of any known breaches of the confidentiality of the PHI.

5. Limitations on Use and Disclosure of PHI. Business Associate shall not, and shall ensure that its directors, officers, employees, subcontractors, and agents do not, use or disclose PHI in any manner that is not permitted by the Agreement or that would violate Subpart E of 45 C.F.R. 164 ("Privacy Rule") if done by a Covered Entity. All uses and disclosures of, and requests by, Business Associate for PHI are subject to the minimum necessary rule of the Privacy Rule.

6. Required Safeguards to Protect PHI. Business Associate shall use appropriate safeguards, and comply with Subpart C of 45 C.F.R. Part 164 ("Security Rule") with respect to electronic PHI, to prevent the use or disclosure of PHI other than pursuant to the terms and conditions of this Addendum.

7. Reporting to Covered Entity. Business Associate shall report to the affected Covered Entity without unreasonable delay: (a) any use or disclosure of PHI not provided for by the Agreement of which it becomes aware; (b) any breach of unsecured PHI in accordance with 45 C.F.R. Subpart D of 45 C.F.R. 164 ("Breach Notification Rule"); and (c) any security incident of which it becomes aware. With regard to Security Incidents caused by or occurring to Business Associate, Business Associate shall cooperate with the Covered Entity's investigation, analysis, notification and mitigation activities, and except for Security Incidents caused by Covered Entity, shall be responsible for reasonable costs incurred by the Covered Entity for those activities. Notwithstanding the foregoing, Covered Entity acknowledges and shall be deemed to have received advanced notice from Business Associate that there are routine occurrences of: (i) unsuccessful attempts to penetrate computer networks or services maintained by Business Associate; and (ii) immaterial incidents such as "pinging" or "denial of services" attacks.

8. Mitigation of Harmful Effects. Business Associate agrees to mitigate, to the extent practicable, any harmful effect of a use or disclosure of PHI by Business Associate in violation of the requirements of the Agreement, including, but not limited to, compliance with any state law or contractual data breach requirements.

9. Agreements by Third Parties. Business Associate shall enter into an agreement with any subcontractor of Business Associate that creates, receives, maintains or transmits PHI on behalf of Business Associate. Pursuant to such agreement, the subcontractor shall agree to be bound by the same or greater restrictions, conditions, and requirements that apply to Business Associate under this Addendum with respect to such PHI.

10. Access to PHI. Within five business days of a request by a Covered Entity for access to PHI about an individual contained in a Designated Record Set, Business Associate shall make available to the Covered Entity such PHI for so long as such information is maintained by Business Associate in the Designated Record Set, as required by 45 C.F.R. 164.524. In the event any individual delivers directly to Business Associate a request for access to PHI, Business Associate shall within five (5) business days forward such request to the Covered Entity.

11. Amendment of PHI. Within five business days of receipt of a request from a Covered Entity for the amendment of an individual's PHI or a record regarding an individual contained in a Designated Record Set (for so long as the PHI is maintained in the Designated Record Set), Business Associate shall provide such information to the Covered Entity for amendment and incorporate any such amendments in the PHI as required by 45 C.F.R. 164.526. In the event any individual delivers directly to Business Associate a request for amendment to PHI, Business Associate shall within five business days forward such request to the Covered Entity.

12. Documentation of Disclosures. Business Associate agrees to document disclosures of PHI and information related to such disclosures as would be required for a Covered Entity to respond to a request by an individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. 164.528 and HITECH.