HIPAA BUSINESS ASSOCIATE ADDENDUM
Health Care Provider
(Privacy of Protected Health Information)

This HIPAA Business Associate Addendum, ("Agreement"), executed as of _____________, 20__ ("Effective Date"), is entered into by and between ______________________ (“Covered Entity”), with offices at __________________________ and ZirMed, Inc., a Delaware corporation (“Business Associate”), with offices at 626 West Main Street, Sixth Floor, Louisville, Kentucky 40202. (Covered Entity and Business Associate may be referred to collectively herein as the “Parties” and individually as a “Party.”)

RECITALS

  1. The purpose of this Agreement is to comply with the regulations on Privacy of Individually Identifiable Health Information at 45 C.F.R. Part 160 and Part 164, (the “Privacy Regulation”), under the Health Insurance Portability and Accountability Act of 1996, as amended (“HIPAA”), as amended through the date of this Agreement.

  2. The Parties have entered into an agreement, dated as of ____________ (the “Service Contract”), under which Business Associate regularly uses and/or discloses Protected Health Information in performance of its services for the Covered Entity. This Agreement supplements the Service Contract, concentrating on its purpose in regard to HIPAA’s, and similar state laws and regulations’, requirements involving the privacy and security of protected health information used and disclosed during Business Associates rendition of contracted services. Business Associate’s services to Covered Entity place it within the HIPAA definition of a “Health Care Clearinghouse” and Covered Entity’s operations and services fall within the HIPAA definition of a “Health Care Provider,” while for some purposes both Parties may be defined as “Covered Entities” by HIPAA. and in all such capacities they are subject to HIPAA’s rules and regulations.

  3. This Agreement sets forth the terms and conditions pursuant to which Protected Health Information (defined below) that is provided by, or created or received by the Business Associate from or on behalf of the Covered Entity pursuant to the terms of the Service Contract will be handled by the two Parties, their employees and agents, and their third party associates, if any, during the term of the Service Contract so as to protect the privacy and security of said information.

NOW, THEREFORE, in consideration of the foregoing and of the mutual covenants and agreements hereinafter addressed, the Parties agree as follows:
  1. DEFINITIONS

    1. Individual. “Individual” shall have the same meaning as the term “individual” in 45 CFR 164.501, as follows: “the person who is the subject of protected health information.” The term Individual, as referred to herein, shall include a person or entity which qualifies as a personal representative of an Individual in accordance with 45 CFR 164.502(g).

    2. Protected Health Information. “Protected Health Information” or “PHI” as used herein takes its definition from 45 CFR 164.501, et seq., which can be summarized as: Individually identifiable health information” that is:(i)Transmitted or maintained by electronic media or in any other form or medium, (ii) Maintained in any medium described in the definition of electronic media at Section 162.103 of HIPAA, but excepting (iii) employment records kept by the Covered Entity in its capacity as employer. [The PHI referred to herein shall be limited to the information created, used, disclosed, or received by Business Associate from or on behalf of Covered Entity under the terms of the Service Contract.]

    Other Terms. Any other terms used, but not otherwise defined, in this Agreement shall have the same meaning assigned in 45 CFR §§ 160.103 and 164.501, if defined therein.

  2. AUTHORIZED USES AND DISCLOSURES OF PHI

    1. Except as otherwise specified herein, the Business Associate may make any and all uses of PHI necessary to perform its obligations as set forth in the Service Contract between the Parties, provided that such use or disclosure would not violate the Privacy Rule if done by Covered Entity.

    2. Except as otherwise limited in this Agreement, Business Associate may use Protected Health Information for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate.

    3. Except as otherwise limited in this Agreement, Business Associate may disclose Protected Health Information for the proper management and administration of the Business Associate, provided that disclosures are required by law, or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as required by law or for the purpose for which it was disclosed to the person, and the person notifies the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.

    4. Except as otherwise limited in this Agreement, Business Associate may use Protected Health Information to provide Data Aggregation services to Covered Entity as permitted by 42 CFR 164.504(e)(2)(i)(B).

  3. RESPONSIBILITIES OF BUSINESS ASSOCIATE With regard to its use and/or disclosure of PHI, the Business Associate hereby agrees to do the following:

    1. Not use or further disclose Protected Health Information other than as permitted or required by the Agreement or as Required by Law.

    2. Report to the designated privacy officer of Covered Entity, in writing within fifteen (15) days of discovery of any use and/or disclosure of the PHI that is not permitted or required by this Agreement of which Business Associate becomes aware.

    3. Use appropriate safeguards to prevent use or disclosure of the Protected Health Information other than as provided for by this Agreement.

    4. Mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of Protected Health Information by Business Associate in violation of the requirements of this Agreement.

    5. Require all of its employees, representatives, subcontractors and agents that receive, use or have access to the PHI in provision of services under this Agreement or the Service Contract to agree, in writing, to adhere to the same restrictions and conditions on the use and/or disclosure of the PHI that apply herein to Business Associate, including the obligation to return or destroy the PHI as provided in Section 5.d. of this Agreement.

    6. Make available all records, books, agreements, policies and procedures relating to the use and/or disclosure of the PHI subject to this Agreement and the Service Contract to the U.S. Secretary of HHS for purposes of determining the Covered Entity’s compliance with the Privacy Regulation, subject to attorney-client and other applicable legal privileges.

    7. Upon 15 days prior written notice, make available, during normal business hours at Business Associate’s offices, all records, books, agreements, policies and procedures related to Business Associate’s use and/or disclosure of the PHI pursuant to the terms of the Service Contract, to the Covered Entity, for the purpose of enabling the Covered Entity to determine the Business Associate's compliance with the terms of this Agreement.

    8. Provide access at the request of the Covered Entity, at Business Associate’s offices during normal business hours and upon at least 15 days prior written notice, to Protected Health Information in a Designated Record Set, to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements of 45 C.F.R. § 164.524.

    9. Make any amendment(s) to Protected Health Information in a Designated Record Set that the Covered Entity directs or agrees to pursuant to 45 C.F.R. § 164.526 at the request of Covered Entity or an Individual, within thirty (30) days after receipt of written direction from the Covered Entity.

    10. Document such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 C.F.R. § 164.528.

    11. Provide Covered Entity or an Individual, within forty-five (45) days of written request from the Covered Entity, information collected under section III.J., above, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 C.F.R. § 164.528.

  4. RESPONSIBILITIES OF COVERED ENTITY With regard to the use and/or disclosure of PHI by the Business Associate, the Covered Entity hereby agrees to do the following:

    1. Inform Business Associate of any changes in the notice of privacy practices that the Covered Entity provides to Individuals pursuant to 45 CFR 164.520 and provide the Business Associate a copy of the notice currently in use.

    2. Inform Business Associate of any changes in, or withdrawal or revocation of, the acknowledgment or authorization provided to Covered Entity by Individual(s) whose PHI may be used and/or disclosed by Business Associate under this Agreement and/or the Contract, pursuant to 45 C.F.R. §164.506 or §164.508.

    3. Notify Business Associate, in writing and in a timely manner, of any restriction to or special arrangements concerning the use and/or disclosure of PHI agreed to by the Covered Entity as provided in 45 C.F.R. §164.522 (additional privacy protection).

    4. Not request Business Associate to use and/or disclose PHI in any manner that would not be permissible under the Privacy Regulation if done by Covered Entity, except as may appear in this Agreement or the Service Contract in regard to agreed data aggregation services and Business Associate’s right of use regarding its management and administrative activities.

  5. TERM AND TERMINATION

    1. Term. This Agreement shall become effective on the later of the Effective Date or the date on which compliance with the Privacy Regulations is required for Covered Entity and shall continue in effect until all obligations of the Parties under this Agreement and the Service Agreement have been met, unless terminated as provided herein or by mutual agreement of the Parties.

    2. Termination by Covered Entity. Upon learning of a material breach by Business Associate of a material term of this Agreement, Covered Entity may give notice of such breach in accordance with the provisions of the Service Contract with respect to similar breaches of the terms of the Service Contract. If Business Associate fails to cure such breach within the time period allowed by the Service Contract for cure of material breaches of its terms, Covered Entity may terminate this Agreement and the Service Contract. If Covered Entity determines that termination is not feasible, Covered Entity shall report the breach to the Secretary of HHS.

    3. Automatic Termination. This Agreement will automatically terminate without any action by the Parties upon the termination or expiration of the Service Contract.

    4. Effect of Termination. Upon an event of termination of this Agreement pursuant to this Section, Business Associate agrees to return or destroy all PHI received from or on behalf of, or created for, Covered Entity if it is feasible to do so, pursuant to 45 C.F.R 164.504(e)(2)(ii)(1). Prior to doing so, Business Associate further agrees to recover any such PHI in possession of its subcontractors or agents. If it is not feasible for Business Associate to return or destroy said PHI, Business Associate will notify Covered Entity in writing of said fact, including the specific reasons for such determination. Upon mutual agreement of the Parties that return or destruction of PHI is infeasible, Business Associate shall extend the protections of this Agreement to the PHI that it so retains after termination of this Agreement, and shall limit any further uses or disclosures to the purposes that make the return or destruction of the PHI infeasible, for as long as Business Associate maintains such PHI.

  6. CHANGE OF LAW

    1. The parties acknowledge that further regulations under HIPAA are expected, particularly in the area of security of PHI, that the Department of Health and Human Services may further modify the Privacy Regulations from time to time. Therefore, it may be necessary to add, delete, or change requirements under this Agreement to meet such new or changed regulations. Further, the parties acknowledge that pricing under the Service Contract is based on legal requirements in effect and as to which compliance is required as of the date of the Service Contract only, and that compliance with additional or different legal requirements may result in changes of scope and pricing under the Service Contract.

    2. Covered Entity retains primary responsibility for its own compliance with HIPAA and other new or changed laws or regulations and for identifying to Business Associate those changes in the manner in which services are provided under the Service Agreement that are required for Covered Entity's compliance with HIPAA or other new or changed laws or regulations. However, Business Associate shall not be obligated to make a change in the manner in which services are delivered under the Service Contract until and unless an amendment to this Agreement and/or the Service Contract covering such changes is mutually agreed upon and executed by Business Associate and the Covered Entity.

    3. In the event of new or changed requirements, Covered Entity shall specify in writing to Business Associate the particular functional requirements needed for its compliance with HIPAA, or other new or changed law or regulation, which it desires the Business Associate to address. Business Associate shall use all commercially reasonable efforts to propose a solution in that achieves the functional requirements defined in Covered Entity’s notice and shall provide such proposal, including the additional costs, if any, to the Covered Entity within a reasonable time. The parties shall then negotiate in good faith any necessary amendment to this Agreement and/or the Service Contract to effect a solution. Should the parties fail to reach agreement on such an amendment within ninety days after commencement of negotiations, either party may terminate this Agreement and the Service Contract by written notice to the other, effective sixty days after such notice is given.

  7. MISCELLANEOUS

    1. Survival. The obligation to maintain confidentiality of PHI and any other obligations of the parties which by their nature should continue after termination of this Agreement survive termination of this Agreement indefinitely.

    2. Amendments; Waiver. Any modifications or waivers to this Agreement must be in writing and executed by both Parties.

    3. No Third Party Beneficiaries. Nothing express or implied in this Agreement or the Contract is intended to confer, nor shall anything herein so confer, upon any person other than the Parties hereto any rights, remedies, obligations, or liabilities whatsoever.

    4. Notices. Any notices to be given hereunder shall be made via U.S. mail or express courier, or hand delivery to the other Party’s address set forth above, unless subsequent instructions are received.

    5. Dispute Resolution. If any controversy, dispute or claim arises between the Parties with respect to this Agreement, the Parties shall make good faith efforts to resolve such matters informally.

    6. Law of the Contract. This Agreement shall be governed by the laws of the Commonwealth of Kentucky without reference to conflict of laws principles.

IN WITNESS WHEREOF, each of the undersigned Parties has caused this Agreement to be duly executed in its name and on its behalf as of the Effective Date.

COVERED ENTITY: BUSINESS ASSOCIATE:
___________________________________ ZirMed, Inc.
By: ________________________________ By: ________________________________
Print Name: _________________________ Print Name: _________________________
Title: _______________________________ Title: _______________________________