BUSINESS ASSOCIATE ADDENDUM

     This Business Associate Addendum (the “Addendum”) is an Addendum to the Terms and Conditions of Use (the “Terms”) between the User and Treatment24seven, LLC, a Texas limited liability Company and such Addendum is hereby incorporated into the Terms.  Treatment24seven, LLC shall be referred to herein as the “Business Associate” and the User, as the “Covered Entity” (each entity individually, a “Party” and collectively, the “Parties).  Any terms not defined herein shall have the meanings ascribed to them in the Terms.

COVERED ENTITY REPRESENTS AND WARRANTS THAT: (I) IT HAS FULL LEGAL AUTHORITY TO ENTER INTO THIS ADDENDUM, (II) IT HAS READ AND UNDERSTAND THIS ADDENDUM AND THE TERMS, AND (III) IT AGREES TO THE TERMS OF THIS ADDENDUM. IF YOU DO NOT HAVE LEGAL AUTHORITY TO ENTER INTO OR DO NOT AGREE TO THESE TERMS, DO NOT ACCEPT THE TERMS OF THIS ADDENDUM.

 

WITNESSETH:

      WHEREAS, Sections 261 through 264 of the United States Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, known as “the Administrative Simplification Provisions,” direct the Department of Health and Human Services to develop standards to protect the security, confidentiality and integrity of health information; and

     WHEREAS, pursuant to the Administrative Simplification Provisions, the Secretary of Health and Human Services issued regulations modifying 45 CFR Parts 160 and 164 (the “HIPAA Security and Privacy Rule”); and

     WHEREAS, the American Recovery and Reinvestment Act of 2009 (Pub. L. 111-5), pursuant to Title XIII of Division A and Title IV of Division B, called the “Health Information Technology for Economic and Clinical Health” (“HITECH”) Act, provides modifications to the HIPAA Security and Privacy Rule (hereinafter, all references to the “HIPAA Security and Privacy Rule” are deemed to include all amendments to such rule contained in the HITECH Act and any accompanying regulations, and any other subsequently adopted amendments or regulations); and

     WHEREAS, Covered Entity has entered into an agreement with Business Associate or a third party in which Covered Entity will be granted a limited license to use the Application (as such term is defined in the Terms), and by the granting of such a license, Business Associate may be considered a “business associate” of Covered Entity as defined in the HIPAA Security and Privacy Rule; and

     WHEREAS, Business Associate may have access to Protected Health Information (as defined below) through Covered Entity’s use of the Application.

     THEREFORE, in consideration of the Parties’ continuing obligations under the existing agreements, compliance with the HIPAA Security and Privacy Rule, and for other good and valuable consideration, the receipt and sufficiency of which is hereby acknowledged, and intending to be legally bound, the Parties agree to the provisions of this Addendum in order to address the requirements of the HIPAA Security and Privacy Rule and to protect the interests of both Parties.

  1. DEFINITIONS. Except as otherwise defined herein, any and all capitalized terms in this Section shall have the definitions set forth in the HIPAA Security and Privacy Rule. In the event of an inconsistency between the provisions of this Addendum and mandatory provisions of the HIPAA Security and Privacy Rule, as amended, the HIPAA Security and Privacy Rule shall control. Where provisions of this Addendum are different than those mandated in the HIPAA Security and Privacy Rule, but are nonetheless permitted by the HIPAA Security and Privacy Rule, the provisions of this Addendum shall control.

    1. “Protected Health Information” means individually identifiable health information including, without limitation, all information, data, documentation, and materials, including without limitation, demographic, medical and financial information, that relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and that identifies the individual or with respect to which there is a reasonable basis to believe the information can be used to identify the individual. “Protected Health Information” includes without limitation “Electronic Protected Health Information” as defined below.

    2. “Electronic Protected Health Information” means Protected Health Information which is transmitted by Electronic Media (as defined in the HIPAA Security and Privacy Rule) or maintained in Electronic Media. Business Associate acknowledges and agrees that all Protected Health Information that is created or received by Covered Entity and disclosed or made available in any form, including paper record, oral communication, audio recording, and electronic display by Covered Entity or its operating units to Business Associate or is created or received by Business Associate on Covered Entity’s behalf shall be subject to this Addendum; however, Business Associate has no need to take possession of any Electronic Protected Health Information and such possession shall only be tangential to any services provided by Business Associate to Covered Entity.  

  2. CONFIDENTIALITY AND SECURITY REQUIREMENTS.

    1. Business Associate agrees: (i) to use or disclose any Protected Health Information solely: (1) for meeting its obligations as set forth in this Addendum or the Terms, or (2) as required by applicable law, rule or regulation, or by an accrediting or credentialing organization to whom Covered Entity is required to disclose such information or as otherwise permitted under this Addendum and as would be permitted by the HIPAA Security and Privacy Rule if such use or disclosure were made by Covered Entity. All such uses and disclosures shall be subject to the limits set forth in 45 CFR § 164.514 regarding limited data sets and 45 CFR § 164.502(b) regarding the minimum necessary requirements; (ii) at termination of this Addendum, or any similar documentation of the business relationship of the Parties, or upon request of Covered Entity, whichever occurs first, if feasible, Business Associate will return or destroy all Protected Health Information received from or created or received by Business Associate on behalf of Covered Entity that Business Associate still maintains in any form and retain no copies of such information, or if such return or destruction is not feasible, Business Associate will extend the protections of this Addendum to the information and limit further uses and disclosures to those purposes that make the return or destruction of the information not feasible; (iii) to ensure its agents, including a subcontractor, to whom it provides Protected Health Information received from or created by Business Associate on behalf of Covered Entity, agrees to the same restrictions and conditions that apply to Business Associate with respect to such information, and agrees to implement reasonable and appropriate safeguards to protect any of such information which is Electronic Protected Health Information. In addition, Business Associate agrees to take reasonable steps to ensure its employees’ actions or omissions do not cause Business Associate to breach the terms of this Addendum; (iv) Business Associate shall, following the discovery of an actual breach of unsecured Protected Health Information, as defined in the HITECH Act or accompanying regulations, notify the Covered Entity of such breach pursuant to the terms of 45 CFR § 164.410 and cooperate in Covered Entity’s breach analysis procedures, including risk assessment, if requested. A breach shall be treated as discovered by Business Associate as of the first day on which such breach is known to Business Associate or, by exercising reasonable diligence, would have been known to Business Associate. Business Associate will provide such notification to Covered Entity without unreasonable delay and in no event later than five (5) calendar days after discovery of the breach. Such notification will contain the elements required in 45 CFR § 164.410; (v) Notice of a breach shall include, at a minimum: (a) the identification of each individual whose Protected Health Information has been, or is reasonably believed to have been, accessed, acquired, or disclosed during the breach, (b) the date of the breach, if known, (c) the scope of the breach, and (d) a description of the Business Associate’s response to the breach. In the event of a breach, Business Associate shall, in consultation with Covered Entity, mitigate, to the extent practicable, any harmful effect of such breach that is known to Business Associate; and (vi) Business Associate will, pursuant to the HITECH Act and its implementing regulations, comply with all additional applicable requirements of the HIPAA Security and Privacy Rule, including those contained in 45 CFR §§ 164.502(e) and 164.504(e)(1)(ii), at such time as the requirements are applicable to Business Associate. Business Associate will not directly or indirectly receive remuneration in exchange for any Protected Health Information, subject to the exceptions contained in the HITECH Act, without a valid authorization from the applicable individual. Business Associate will not engage in any communication which might be deemed to be “marketing” under the HITECH Act. In addition, Business Associate will, pursuant to the HITECH Act and its implementing regulations, comply with all applicable requirements of the HIPAA Security and Privacy Rule, contained in 45 CFR §§ 164.308, 164.310, 164.312 and 164.316, at such time as the requirements are applicable to Business Associate.

    2. Notwithstanding the prohibitions set forth in this Addendum, Business Associate may use and disclose Protected Health Information as follows: (i) if necessary, for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate, provided that as to any such disclosure, the following requirements are met: (A) the disclosure is required by law; or (B) Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will be held confidentially and used or further disclosed only as required by law or for the purpose for which it was disclosed to the person, and the person notifies Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached; (ii) for data aggregation services, if to be provided by Business Associate for the health care operations of Covered Entity pursuant to any Addendums between the Parties evidencing their business relationship. For purposes of this Addendum, “data aggregation services” means the combining of Protected Health Information by Business Associate with the Protected Health Information received by Business Associate in its capacity as a business associate of another covered entity, to permit data analyses that relate to the health care operations of the respective covered entities, or (iii) Business Associate may de-identify Protected Health Information in accordance with 45 C.F.R. §164.514 and use and disclose such de-identified data for its business purposes, including to provide reporting and other services to Covered Entity.

    3. Business Associate will implement appropriate safeguards to prevent use or disclosure of Protected Health Information other than as permitted in this Addendum. Business Associate will implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of any Electronic Protected Health Information that it creates, receives, maintains, or transmits on behalf of Covered Entity as required by the HIPAA Security and Privacy Rule subject to restrictions placed by Covered Entity.

    4. The Secretary of Health and Human Services shall have the right to audit Business Associate’s records and practices related to use and disclosure of Protected Health Information to ensure Covered Entity’s compliance with the terms of the HIPAA Security and Privacy Rule. Covered Entity waives any right to impede or interfere with such audit.

    5. Business Associate shall report to Covered Entity any use or disclosure of Protected Health Information which is not in compliance with the terms of this Addendum of which it becomes aware.  Business Associate shall report to Covered Entity any Security Incident (as defined below) of which it becomes aware; provided, however, continuing notice is hereby deemed provided, and no further notice will be provided, for Unsuccessful Security Incidents (as defined below). For purposes of this Addendum, “Security Incident” means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system. In addition, Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of Protected Health Information by Business Associate in violation of the requirements of this Addendum. For purposes of this Addendum, “Unsuccessful Security Incidents” shall include, but not be limited to, pings and other broadcast attacks on a firewall, unsuccessful login attempts, denial of service attacks, port scans, and any combination of the above, provided that no such incident results in an unauthorized access, use, or disclosure of Electronic Protected Health Information. Business Associate’s obligation to report under this Section 2(e) is not and will not be construed as an acknowledgement by Business Associate of any fault or liability with respect to any use, disclosure, or breach. 

    6. Covered Entity acknowledges that use of Business Associate’s Application extracts data to provide Covered Entity analytics to run its business.  Business Associate does not control Covered Entity’s computer system and cannot control nor monitor disclosures of Electronic Protected Health Information from such systems.  Further, Business Associate does not control third party systems and cannot protect nor actively monitor such systems for unauthorized disclosures. Should Business Associate discover a verifiable Security Incident, Business Associate shall properly report to the Covered Entity the discovery of the Security Incident. Covered Entity shall indemnify and hold Business Associate harmless from any claim, fine, cause of action or administrative action caused by Business Associate reporting a Security Incident in good faith. 

  3. AVAILABILITY OF PROTECTED HEALTH INFORMATION. Business Associate agrees to comply with any requests for restrictions on certain disclosures of Protected Health Information pursuant to Section 164.522 of the HIPAA Security and Privacy Rule to which Covered Entity has agreed and of which Business Associate is notified by Covered Entity. Business Associate agrees to make available Protected Health Information to the extent and in the manner required by Section 164.524 of the HIPAA Security and Privacy Rule. If Business Associate maintains Protected Health Information electronically, it agrees to make such Protected Health Information electronically available to the applicable individual. Business Associate agrees to make Protected Health Information available for amendment and incorporate any amendments to Protected Health Information in accordance with the requirements of Section 164.526 of the HIPAA Security and Privacy Rule. In addition, Business Associate agrees to make Protected Health Information available for purposes of accounting of disclosures, as required by Section 164.528 of the HIPAA Security and Privacy Rule and Section 13405(c)(3) of the HITECH Act. Business Associate and Covered Entity shall cooperate in providing any accounting required on a timely basis.

  4. TERMINATION. Notwithstanding anything in this Addendum to the contrary, Covered Entity shall have the right to suspend Covered Entity’s use of the Application immediately if Covered Entity determines that Business Associate has violated any material term of this Addendum. If Covered Entity reasonably believes Business Associate will violate a material term of this Addendum and, where practicable, Covered Entity gives written notice to Business Associate of such belief within a reasonable time after forming such belief, and Business Associate fails to provide adequate written assurances to Covered Entity that it will not breach the cited term of this Addendum within a reasonable period of time given the specific circumstances, but in any event, before the threatened breach is to occur, then Covered Entity shall have the right to suspend Covered Entity’s use of the Software immediately. Sections II(f), V, and VI shall survive termination.

  5. INDEMNIFICATION AND INSURANCE. Business Associate shall indemnify, defend and hold harmless Covered Entity and its directors, officers, subcontractors, employees, affiliates, agents, and representatives from and against any and all third party liabilities, costs, claims, suits, actions, proceedings, demands, losses and liabilities of any kind (including court costs and reasonable attorneys’ fees) brought by a third party, arising from or relating to the intentional acts or sole negligence of Business Associate or any of its directors, officers, subcontractors, employees, affiliates, agents, and representatives in connection with the Business Associate’s performance under this Addendum or the Terms, without regard to any limitation or exclusion of damages provision otherwise set forth in the Addendum. Covered Entity shall indemnify Business Associate and its employees, officers, directors, subcontractors and agents from any and all  third party liabilities, costs, claims, suits, actions, proceedings, demands, losses and liabilities of any kind (including court costs and reasonable attorneys’ fees) brought by a third party, arising from or caused by the intentional act or negligence of Covered Entity, its employees, subcontractors, vendors or agents. In addition, Covered Entity shall indemnify and hold harmless Business Associate for any act caused by the joint, but not sole negligence of Business Associate.

  6. MISCELLANEOUS. Except as expressly stated herein or the HIPAA Security and Privacy Rule, the Parties to this Addendum do not intend to create any rights in any third parties. The obligations of the Parties under this Section shall survive the expiration, termination, or cancellation of this Addendum, or the business relationship of the Parties, and shall continue to bind Covered Entity, Business Associate, their agents, employees, contractors, successors, and assigns as set forth herein. This Addendum may be amended or modified only in a writing signed by the Parties. No Party may assign its respective rights and obligations under this Addendum without the prior written consent of the other Party. None of the provisions of this Addendum are intended to create, nor will they be deemed to create any relationship between the Parties other than that of independent parties contracting with each other solely for the purposes of effecting the provisions of this Addendum and any other agreements between the Parties evidencing their business relationship. This Addendum will be governed by the laws of the State of Texas.  No change, waiver or discharge of any liability or obligation hereunder on any one or more occasions shall be deemed a waiver of performance of any continuing or other obligation, or shall prohibit enforcement of any obligation, on any other occasion. The Parties agree that, in the event that any documentation of the arrangement pursuant to which Business Associate provides services to Covered Entity contains provisions relating to the use or disclosure of Protected Health Information which are more restrictive than the provisions of this Addendum, the provisions of the more restrictive documentation will control. The provisions of this Addendum are intended to establish the minimum requirements regarding Business Associate’s use and disclosure of Protected Health Information. In the event any provision of this Addendum is held by a court of competent jurisdiction to be invalid or unenforceable, the remainder of the provisions of this Addendum will remain in full force and effect. In addition, in the event a Party believes in good faith that any provision of this Addendum fails to comply with the then-current requirements of the HIPAA Security and Privacy Rule, including any then-current requirements of the HITECH Act or its regulations, such Party shall notify the other Party in writing. For a period of up to thirty days, the Parties shall address in good faith such concern and amend the terms of this Addendum, if necessary to bring it into compliance. If, after such thirty-day period, the Addendum fails to comply with the HIPAA Security and Privacy Rule, including the HITECH Act, then either Party has the right to terminate upon written notice to the other Party. Any claim brought pursuant to this Addendum shall be brought exclusively in Bexar County, Texas. Both Parties hereby waive their right to a jury. The prevailing party in any litigation shall have the right to the award of attorney’s fees and costs.