- UNDERLYING FACTS/RECITALS
1.1 This Internet Services Agreement (“Agreement”) relates to the internet marketing services performed thereunder by Firm Media, Inc. (“Company”), and related services for Client. In connection with the provision of such services by Company under this Agreement, Client discloses to Company or Company creates or receives on behalf of Client certain Protected Health Information (“PHI”) and Electronic Protected Health Information (“EPHI”) that is subject to protection under the Health Insurance Portability and Accountability Act of 1996, 42 U.S.C.A. Sections 1320d-1320d-7, 45 C.F.R., Parts 142 and 160 through 164, as amended (“HIPAA”). For purposes of this Agreement, all references to PHI shall mean and include both PHI and EPHI.
1.2 Client may be a “Covered Entity,” as that term is defined in HIPAA. If Client is a Covered Entity, Company, as recipient of PHI from Client, is a “Business Associate” of Client, as that term is defined in HIPAA.
1.3 Pursuant to HIPAA, all business associates of Client, as a condition of doing business with Client, must agree in writing to certain mandatory provisions regarding, among other things, the use and disclosure of PHI.
1.4 The purpose of this addendum is to satisfy the requirements of the HIPAA Privacy Rule and Security Rule, 45 C.F.R. Parts 160 and 164, as amended by Title XIII of Division A of the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”), as incorporated in the American Recovery and Reinvestment Act of 2009, and its implementing regulations and guidance issued by the Secretary of the Department of Health and Human Services (the “Secretary”) at Federal Register, Vol. 78, No. 17, Page 5566, Friday, January 25, 2013 (the HITECH Omnibus Final Rule), as may be amended from time to time.
Unless otherwise defined in this addendum, capitalized terms shall have the meanings set forth in HIPAA and the HITECH Act, as amended.
As used in this addendum, PHI means and includes (i) Individually Identifiable Health Information created or received by Company for or on behalf of Client; (ii) Individually Identifiable Health Information disclosed to Company by Client; and (iii) Individually Identifiable Health Information disclosed to Company to enable Company to perform services for Client pursuant to the Services Agreement. PHI does not include, and this addendum is not applicable to, Individually Identifiable Health Information created or received by or disclosed to Company in connection with services rendered by Company outside the scope of the Services Agreement.
- USE AND DISCLOSURE OF PHI BY COMPANY
4.1 Permitted Uses. Company shall not use or disclose PHI for any purpose other than:
(a) as permitted or required by this addendum or the Services Agreement;
(b) for the proper management and administration of Company or to carry out the legal responsibilities of Company, if (i) the disclosure is required by law; or (ii) Company obtains reasonable assurances from the person to whom the information is disclosed that it will be held confidentially and used or further disclosed only as required by law or for the purpose for which it was disclosed to the person, and the person notifies Contractor of any instances of which it is aware in which the confidentiality of the PHI has been breached;
(c) as required or allowed under HIPAA and the HITECH Act; or
(d) as otherwise Required by Law.
In no event shall Company use or disclose PHI in a manner that violates or would violate HIPAA if such activity were engaged in by Client. Further, Company shall use and disclose PHI only if such use or disclosure is in compliance with each applicable requirement of 45 C.F.R. Section 164.504(e) (i.e., the HIPAA standard with respect to business associate contracts).
4.2 Minimum Necessary Limitation. Company shall request from Client and disclose to its affiliates, subsidiaries, agents and subcontractors or third parties only the minimum amount of PHI necessary to perform or fulfill a specific function required or permitted under the Services Agreement.
- SAFEGUARDS FOR THE PROTECTION OF PHI
Company shall implement and maintain such administrative, operational, technical and technological safeguards as are necessary to ensure that PHI disclosed to or created or received by Company is not used or disclosed by Company, or by any subcontractors, affiliates, or business associates of Company, except as provided in the Services Agreement and/or this addendum, and in so doing Company shall comply with all terms, conditions, and requirements of the HIPAA Privacy Rule and HIPAA Security Rule applicable to Company.
- REPORTING OF UNAUTHORIZED USES OR DISCLOSURES
Company shall promptly report to Client any use or disclosure of PHI of which Company becomes aware that is not provided for or permitted in the Services Agreement, this addendum or HIPAA. Company shall permit Client to investigate any such report in accordance with the provisions of paragraph 14 of this addendum. Company shall ensure that any agents to whom Company provides PHI received from, or created or received by Company on behalf of, Client agree to the same restrictions and conditions that apply to Company with respect to such PHI.
Company shall use commercially reasonable efforts to mitigate, to the extent practicable, any harmful effect of a use or disclosure of PHI of which Company becomes aware that is not provided for or permitted in the Services Agreement, this addendum, or HIPAA.
- USE OF SUBCONTRACTORS
Company shall ensure that each subcontractor to whom Company provides access to PHI that is received from Client or that is created or received on behalf of Client enters into a HIPAA-compliant Business Associate Agreement with Company that contains, at a minimum, all of the requirements set forth in this addendum that are applicable to Company. Such agreement shall require that the subcontractor and each downstream subcontractor of the subcontractor comply with the terms of this paragraph 8 with respect to their subcontractors.
- AUTHORIZED ACCESS TO PHI
At the request of Client and in the time and manner reasonably designated by Client, including in electronic form, Company shall provide to Client PHI in a Designated Record Set so that Client can provide access to the PHI contained in the Designated Record Set to the individual who is the subject of the PHI in accordance with 45 C.F.R. Section 164.524.
- AMENDMENT OF PHI
At the request of Client and in the time and manner reasonably designated by Client, Company shall provide to Client PHI in a Designated Record Set so that Client can amend the PHI in the Designated Record Set in accordance with 45 C.F.R. Section 164.526.
- ACCOUNTING OF DISCLOSURES OF PHI
Company shall document in writing and provide to Client all information necessary to enable Client to provide an accounting of disclosures in accordance with 45 C.F.R. Section 164.528 (“Disclosure Accounting”), as required by 45 C.F.R. Section 164.504(e)(2)(ii)(G), upon Company’s making of a disclosure for which an accounting is required under 45 C.F.R. Section 164.528 and upon request. Company shall provide such information as is necessary to provide an accounting within ten (10) days of Client’s request. Such accounting must be provided without cost to the individual or to Client if it is the first accounting requested by an individual within any twelve (12) month period; however, a reasonable, cost-based fee may be charged for subsequent accountings if Company informs Client and Client informs the individual in advance of the fee, and the individual is afforded an opportunity to withdraw or modify the request. Such accounting obligations shall survive termination of this agreement and shall continue as long as Company maintains PHI.
At a minimum, the Disclosure Accounting shall contain:
(a) the date of the disclosure;
(b) the name of the entity or person to whom or which the PHI was provided and, if known, the address of such entity or person;
(c) a brief description of the PHI disclosed; and
(d) a brief statement of the purpose of the disclosure that reasonably informs the Individual of the basis for the disclosure or, in lieu of such statement, a copy of the Individual’s written authorization or request for disclosure pursuant to HIPAA.
Company shall maintain a copy of the Disclosure Accounting for a period of at least 6 years from the date of the disclosure.
- AGREEMENT TO RESTRICT DISCLOSURES
If Client is required to comply with a restriction on the Disclosure of PHI pursuant to Section 13405 of the HITECH Act, then Client shall, to the extent necessary to comply with such restriction, provide written notice to Company of the name of the individual requesting the restriction and the PHI affected thereby. Company shall, upon receipt of such notification, not Disclose the identified PHI to any health plan for the purposes of carrying out Payment or Health Care Operations, except as otherwise required by law. Client shall also notify Company of any other restriction to the Use or Disclosure of PHI that Client has agreed to in accordance with 45 C.F.R Section 164.52
With respect to EPHI, Company shall:
(a) comply with the provisions of 45 C.F.R. Sections 164.308, 164.310, 164.312, 164.314 and 164.316 to the extent such provisions are applicable to Company pursuant to Section 13401(a) of Title XIII of Division A of the HITECH Act;
(b) comply with all requirements of the HITECH Act that relate to security and are applicable to Client and Company;
(c) implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the EPHI that Company creates, receives, maintains and/or transmits on behalf of Client, as required by the HIPAA Security Rule, 45 C.F.R. Part 164, Subpart C;
(d) ensure that any agent, including a subcontractor, to whom Company provides EPHI agrees to implement reasonable and appropriate safeguards to protect the EPHI; and
(e) subject to attached Schedule 13, report to Client any Security Incident of which Company becomes aware.
- NOTIFICATION OF BREACH OF UNSECURED PHI
To the extent Company accesses, maintains, retains, modifies, records, stores, destroys or otherwise holds, uses or discloses Unsecured PHI, Company shall, following the Discovery of a Breach of such PHI, notify Client of such Breach. Such notice shall include detailed information about the Breach and the name and contact information of each individual whose Unsecured PHI has been, or is reasonably believed by Company to have been, accessed, acquired or disclosed during such Breach. A notification required pursuant to this paragraph shall be made promptly, but in any case no later than fifteen (15) calendar days after the discovery of a Breach by Company. A Breach shall be treated as discovered by Company as of the first day on which such Breach is known to Company or the first day on which such Breach would have been known to Company had Company exercised reasonable diligence. Company shall be deemed to have knowledge of a Breach if the Breach is known or should have been known by the exercise of reasonable diligence to any person, other than the person committing the Breach, who is an employee, officer, or other agent of Company (determined in accordance with the Federal common law of agency).
- STATE PRIVACY LAWS
Company shall comply with state privacy laws to the extent such laws are not preempted by HIPAA or the HITECH Act.
- RIGHT TO AUDIT
Company shall make its practices, books and records related to PHI available to the Secretary and to Client for the purpose of determining Company’s compliance with this addendum and HIPAA, and Company shall cooperate with the Secretary if the Secretary undertakes an investigation or compliance review of the policies, procedures, or practices of Company to determine whether Company is complying with the applicable administrative simplification provisions of HIPAA. If any information required of Company under this paragraph is in the exclusive possession of any other agency, institution, or person and the other agency, institution, or person fails or refuses to furnish the information, Company shall certify and describe the efforts Company has made to obtain the information. If it is determined that Company’s conduct would result in violation of HIPAA by Client or is in violation of this addendum, Company shall promptly remedy any such violation and shall certify the same in writing to Client.
- STANDARD TRANSACTIONS
If Company conducts any Standard Transactions on behalf of Client, Company shall comply with the applicable requirements of 45 C.F.R. Part 162.
- OBLIGATIONS OF CLIENT
Client shall notify Company of:
(a) any limitations in its notice of privacy practices, to the extent such limitations may affect Company’s use or disclosure of PHI;
(b) any changes in, or revocation of, permission by the Individual who is the subject of the PHI, to the extent such changes may affect Company’s use or disclosure of PHI; and
(c) any restriction to the use or disclosure of PHI Client has agreed to in accordance with 45 C.F.R. Section 164.522, to the extent such restriction may affect Company’s use or disclosure of PHI.
- TERM AND TERMINATION
19.1 Term. The term of this addendum shall commence on the date Client accepts the terms and conditions of the Services Agreement by clicking “Yes” below and shall terminate when all of the PHI provided by Client to Company or created or received by Company on behalf of Client is destroyed or returned to Client pursuant to paragraph 19.3.
19.2 Termination Upon Breach. Upon knowledge by one party (the “Nonbreaching Party”) of the breach of a material provision of this addendum by the other party (the “Breaching Party”), the Nonbreaching Party shall:
(a) if cure of the breach is possible, provide the Breaching Party written notice of such breach and a reasonable opportunity to cure such breach. If the Breaching Party does not cure the breach within a reasonable period of time designated by the Nonbreaching Party, the Nonbreaching Party may terminate the Services Agreement immediately, with termination effective as of the date the Nonbreaching Party gives notice of termination to the Breaching Party;
(b) if cure of the breach is not possible in the reasonable determination of the Nonbreaching Party, the Nonbreaching Party may terminate the Services Agreement immediately, with termination effective as of the date the Nonbreaching Party gives written notice of termination to the Breaching Party; and
(c) if cure of the breach and termination of the Services Agreement are not possible in the reasonable determination of the Breaching Party, the Services Agreement shall not be terminated, but further uses and disclosures of PHI shall be limited to those purposes making termination of the Services Agreement not possible.
19.3 Protection of PHI After Expiration or Termination. Upon termination of the Services Agreement for any reason, Company shall, at Client’s expense, return to Client or, at Client’s direction, delete, purge and destroy, all PHI in any form, recorded on any medium, or stored in any storage system. Client or Company may, in their reasonable discretion, determine that return or destruction of the PHI is infeasible, in which event Company shall extend the protections of this addendum to the information and shall limit further uses and disclosures to those purposes that make the return or destruction of the PHI infeasible. Company shall remain bound by the provisions of this addendum after termination of the Services Agreement until such time as all PHI has been returned or otherwise destroyed as provided in this paragraph.
- GENERAL PROVISIONS
20.1 Amendment. The parties acknowledge that state and federal laws related to privacy of PHI are rapidly evolving and that amendment of this addendum may be required to comply with applicable laws. The parties shall negotiate in good faith to amend this addendum when and as necessary to comply with applicable laws. If either party does not agree to so amend this addendum within 30 days after receiving a request for amendment from the other, either party may terminate the Services Agreement upon written notice. To the extent an amendment to this addendum is required by law and this addendum has not been so amended to comply with the applicable law in a timely manner, the amendment required by law shall be deemed to be incorporated into this addendum automatically and without further action required by either of the parties.
20.2 Severability. Each provision of this addendum is independent, separate and divisible, and in the event any provision shall be held to be invalid or unenforceable, the remaining provisions shall continue to be in full force and effect.
20.3 Construction. This addendum shall be construed to implement and comply with HIPAA, as applicable to Client and Company. Any ambiguity in this addendum shall be resolved in favor of a meaning that complies with HIPAA.
20.4 Effect of Addendum. The sole purpose of this addendum is to ensure compliance with HIPAA and the HITECH Act. This addendum is not intended to, nor shall it be construed to, reduce or diminish any of Company’s or Client’s rights or obligations under the Services Agreement. If there is any conflict between the provisions of the Services Agreement and this addendum, the terms and conditions of this addendum shall control.
REPORTING OF ATTEMPTED SECURITY INCIDENTS
The parties understand and agree the reporting of all routine, minor and unsuccessful attempts to access, use, disclose, modify or destroy PHI in Company’s possession or control or to interfere with system operations in Company’s information system would create an undue and unnecessary burden on both Client and Company.
Company hereby notifies Client that Company is subject to the following ongoing types of unsuccessful attempts to access, use, disclose, modify or destroy information or to interfere with system operations in Company’s information systems:
- pings on Company’s firewall;
- port scans;
- attempts to log on to a system or enter a database with an invalid user name or password;
- denial-of-service attacks that do not result in a server being taken off-line;
- malware, such as worms or viruses, that does not penetrate Company’s perimeter and protection systems.
If Company experiences routine attacks that are generally thwarted by its security systems and are not identified above, the parties shall amend this Schedule 12 to identify such additional attacks.
Company shall not be required to notify Client of each unsuccessful attempt described above, but Company shall maintain an internal record (electronic or otherwise) of such attempts and shall make such internal record available to Client and the Secretary of the Department of Health and Human Services upon request. Records of unsuccessful attempts shall be maintained by Company for at least 6 years.
Notwithstanding the foregoing, if an attempt is of sufficient severity that Company’s system must be taken off-line or PHI is at substantial risk of disclosure, Company shall promptly notify Client of the attempt.