These Standard HIPAA Business Associate Agreement Terms and Conditions ("HIPAA Addendum") shall be incorporated into the Service Agreement for Customers that are Covered Entities (as defined below) and that provide Protected Health Information ("PHI")(as defined below) to PatientPop in connection with the services they have purchased. These terms supplement and are made part of the purchase agreement between PatientPop and Customers ("Underlying Agreement") in order to comply with the federal Standards for Privacy of Individually Identifiable Health Information, located at 45 C.F.R. Part 160 and Part 164, Subparts A through E ("Privacy Rule") and the Health Information Technology for Economic and Clinical Health Act, Public Law 111-005 (the "HITECH Act").
WHEREAS, in order to ensure that Covered Entity and Business Associate remain in compliance with the HIPAA Rules and other applicable federal and state laws and regulations regarding the disclosure of PHI to Business Associate, the parties have agreed to enter into this Agreement.
NOW THEREFORE, Covered Entity and Business Associate agree as follows:
Capitalized terms used in this Agreement and not otherwise defined herein shall have that meaning given to them in the HIPAA Rules.
"Breach" when capitalized, shall have the meaning set forth in 45 CFR § 164.402 (including all of its subsections); with respect to all other uses of the word "breach" in this Agreement, the word shall have its ordinary contract meaning.
"Electronic Protected Health Information" or "EPHI" shall have the same meaning as the term "electronic protected health information" in 45 CFR § 160.103, limited to information that Business Associate creates, accesses or receives from or on behalf of Covered Entity.
"Individually Identifiable Health Information" means information that is a subset of health information, including demographic information collected from an individual, and;
is created or received by a health care provider, health plan, employer, or health care clearinghouse; and
relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present or future payment for provision of health care to an individual; and
"Protected Health Information" or "PHI" shall have the meaning set forth in the Privacy Rule, limited to information that Business Associate creates, accesses or receives from or on behalf of Covered Entity. PHI includes EPHI.
"Privacy Rule" means the Standards for Privacy of Individually Identifiable Health Information, codified at 45 CFR parts 160 and 164, Subparts A, D and E, as currently in effect.
"Security Incident" shall have the same meaning as the term "security incident" at 45 CFR 164.304.
"Security Rule" means the Standards for Security for the Protection of Electronic Protected Health Information, codified at 45 CFR parts 160 and 164, Subpart C, as currently in effect.
"Unsecured Protected Health Information" or "Unsecured PHI" shall have the same meaning as the term "unsecured protected health information" in 45 CFR § 164.402, limited to the information created or received by Business Associate from or on behalf of Covered Entity.
Business Associate shall be permitted to use and disclose PHI as follows:
Except as otherwise limited in this Agreement, Business Associate may use or disclose PHI to perform functions, activities, or services for, or on behalf of, Covered Entity as specified in this Agreement, provided that such use or disclosure would not violate the Privacy Rule if done by Covered Entity or the minimum necessary policies and procedures of the Covered Entity.
Except as otherwise limited in this Agreement, Business Associate may use PHI for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate.
Except as otherwise limited in this Agreement, Business Associate may disclose PHI for the proper management and administration of the Business Associate, provided that disclosures are Required By Law, or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as Required By Law or for the purpose for which it was disclosed to the person, and the person notifies the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.
Except as otherwise limited in this Agreement, Business Associate may use PHI to provide Data Aggregation services to Covered Entity as permitted under 45 CFR § 164.504(e)(2)(i)(B).
Business Associate may use PHI to report violations of law to appropriate Federal and State authorities, consistent with § 164.502(j)(1).
Covered Entity shall notify Business Associate of any limitation(s) in its notice of privacy practices in accordance with 45 CFR § 164.520, to the extent that such limitation may affect Business Associate’s use or disclosure of PHI.
Covered Entity shall notify Business Associate of any changes in, or revocation of, permission by Individual to use or disclose PHI, to the extent that such changes may affect Business Associate’s use or disclosure of PHI.
Covered Entity shall notify Business Associate of any restriction to the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 CFR § 164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of PHI.
Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under the Privacy Rule if done by Covered Entity.