Last modified: 9/7/17
ConfirmX, located at 16238 RR 620 N, Ste F #261, Austin, TX 78717 ("ConfirmX" or "Business Associate") acknowledges that both ConfirmX and its United States Customers ("Covered Entity" or "Covered Entities") are subject to and must comply with the provisions of the Health Insurance Portability and Accountability Act of 1996, Public Law No. 104-191, as amended by Subtitle D of the Health Information Technology for Economic and Clinical Health (HITECH) Act, which is Title XIII of the American Recovery and Reinvestment Act of 2009 (Public Law 111-5), and regulations promulgated pursuant to authority granted therein as set forth at 45 CFR Part 160 and Part 164, Subparts A, C, D, and E. Further, ConfirmX acknowledges that for its Customers to achieve such compliance its Customers must document, by written contract or other written agreement or arrangement, certain satisfactory assurances that ConfirmX will appropriately safeguard certain Protected Health Information (as defined at 45 CFR Section 160.103) which it receives from its Customers. THEREFORE, it is agreed that:
1. Definitions Unless otherwise specified in this Business Associate Agreement ("Agreement"), all terms not otherwise defined shall have the meaning established for purposes of parts 160 through 164 of Title 45 of the CFR, as amended from time to time. Without limiting the foregoing, ConfirmX’s rights and obligations under this Business Associate Agreement shall only apply to PHI created, received, maintained or transmitted by ConfirmX ("Services") for the Covered Entity.
- "Breach" shall have the same meaning as the term “breach” at 45 CFR Section 164.402.
- "HITECH Policies and Standards" means the standards set forth for a Business Associate (as defined at 45 CFR Section 160.103) in regards to the privacy, security and Breach notification provisions as outlined in the HITECH Act, and any regulations promulgated thereunder.
- "Privacy Rule" means the standards for Privacy of Individually Identifiable Health Information at 45 CFR Part 160 and Part 164, Subparts A and E.
- "Security Rule" means the security standards for the protection of Electronic Protected Health Information as set forth in 45 CFR Part 160 and Part 164, Subparts A and C.
2. Obligations and Activities of ConfirmX
- ConfirmX shall not use or further disclose Protected Health Information other than as Required by Law, or as permitted under this Business Associate Agreement.
- ConfirmX shall use appropriate safeguards, and comply with Subpart C of the Security Rule with respect to Electronic Protected Health Information, to prevent use or disclosure of Protected Health Information other than as provided for herein.
- ConfirmX shall immediately report to Customer any use or disclosure of Protected Health Information not provided for by this Business Associate Agreement of which it becomes aware. Oral reports shall be made within ten (10) business days following discovery, and shall be followed promptly by a written report based on subsequently developed information.
- ConfirmX will report to Customer any Security Incident of which it becomes aware. Oral reports shall be made within ten (10) business days following discovery, and shall be followed promptly by a written report based on subsequently developed information. ConfirmX shall cooperate with Customer with respect to disclosure of such incident in accordance with applicable law, including without limitation the applicable requirements of the HITECH Act.
- In accordance with 45 CFR Sections 164.308(b)(2) and 164.502(e)(1)(ii), ConfirmX shall ensure that any Subcontractor that creates, receives, maintains or transmits Protected Health Information on behalf of ConfirmX agrees in writing to the same restrictions and conditions that apply through this Business Associate Agreement to ConfirmX with respect to such Protected Health Information. Further, ConfirmX will ensure that any agent, including a Subcontractor, to whom it provides Electronic Protected Health Information agrees to implement reasonable and appropriate safeguards to protect such information.
- ConfirmX shall make its internal practices, books, and records relating to the use and disclosure of Protected Health Information received from, or created or received by ConfirmX on behalf of, Customer available to the Secretary for the purposes of the Secretary determining Customer’s and ConfirmX’s compliance with the Privacy Rule.
- ConfirmX agrees to document such disclosures of Protected Health Information made by ConfirmX and information related to such disclosures as would be required for Customer to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with the Privacy Rule and the HITECH Policies and Standards and specifically 45 CFR 164.528.
- In accordance with the HITECH Policies and Standards, following the discovery of a Breach of Unsecured Protected Health Information, ConfirmX shall notify Customer without unreasonable delay and no later than sixty (60) calendar days following discovery of such Breach in accordance with the requirements of 45 CFR Section 164.410.
3. Other Permitted Uses and Disclosures by ConfirmX
- ConfirmX may use Protected Health Information (i) for the proper management and administration of ConfirmX, and (ii) to provide Data Aggregation Services relating to the Health Care Operations of Customer. ConfirmX may disclose Protected Health Information received from Customer for the proper management and administration of ConfirmX or to carry out legal responsibilities of ConfirmX, provided: (i) the disclosure is Required by Law; or (ii) ConfirmX obtains reasonable assurances from the person to whom the Protected Health Information is disclosed that it will be held confidentially and used or further disclosed only as Required by Law or for the purposes for which it was disclosed to the person, the person will use appropriate safeguards to prevent use or disclosure of the Protected Health Information, and the person notifies ConfirmX of any instance of which it is aware in which the confidentiality of the Protected Health Information has been Breached.
- ConfirmX (and its Subcontractors) shall request, use and disclose only the minimum amount of Protected Health Information necessary to accomplish the purpose of the request, use or disclosure. ConfirmX understands and agrees that the definition of minimum necessary is in flux and shall keep itself informed of guidance issued by the Secretary with respect to what constitutes minimum necessary.
- ConfirmX may not use or disclose Protected Health Information in a manner that would violate Subpart E of 45 CFR Part 164 if done by Customer, except for the specific uses and disclosures set forth herein.
- ConfirmX shall not aggregate or de-identify Protected Health Information except as required for ConfirmX to provide Services and perform its obligations under this Agreement.
4. Term and Termination
- This Business Associate Agreement shall be effective as of the date of this Agreement.
- If Customer determines that ConfirmX has violated a material term of this Business Associate Agreement, then Customer shall provide ConfirmX written notice of the existence of the alleged violation and shall allow ConfirmX thirty (30) calendar days to cure the violation. If at the end of this 30-day period ConfirmX has not cured the violation, then Customer shall have the option to terminate this Business Associate Agreement. Upon termination, if feasible, ConfirmX shall return or destroy all Protected Health Information received from, or created or received by ConfirmX on behalf of, Customer. This provision also shall apply to Protected Health Information that is in the possession of subcontractors or agents of ConfirmX and ConfirmX shall retain no copies of the Protected Health Information. In the event that ConfirmX determines that returning or destroying the Protected Health Information is infeasible, ConfirmX shall provide to Customer notification of the conditions that make return or destruction infeasible and ConfirmX shall extend the protections of this Business Associate Agreement to such Protected Health Information and limit further uses and disclosures thereof to those purposes that make the return or destruction infeasible.
- The obligations of ConfirmX under this Section 4 shall survive termination of this Business Associate Agreement.
- At no time will ConfirmX have possession and control of Customer’s original Designated Record Set or any copies thereof. Any Protected Health Information held by ConfirmX merely duplicates the information maintained by Customer. Consequently, 45 CFR Sections 164.524 and 164.526 (and therefore 45 CFR Section 164.504(e)(2)(ii)(E) and (F)) are not applicable to ConfirmX.
- To the extent ConfirmX is to carry out any of Customer’s obligations under the Privacy Rule, ConfirmX shall comply with the requirements of the Privacy Rule that apply to Customer in the performance of such delegated obligation(s). The Parties acknowledge that no such delegation has occurred under this Business Associate Agreement.