Business Associate Agreement

This agreement (including any addendum attached hereto, this “Agreement”) is made and entered into by and between [Subscriber Business/Practice Name] (“Covered Entity”) and Engage Technologies Group, Inc. (“Vendor”). By entering into and performing their respective obligations under this Agreement, the parties intend to comply with the requirements of Subtitle F of Title II of the Health Insurance Portability and Accountability Act of 1996 and all regulations adopted thereunder, including the Standards for Privacy of Individually Identifiable Health Information, 45 CFR Parts 160 and 164 (“Privacy Rule”), the Security Standards for the Protection of Electronic Protected Health Information, 45 CFR Parts 160 and 164 (“Security Rule”) as now or hereafter adopted or amended (“HIPAA”), as amended by the Health Information Technology for Economic and Clinical Health Act, Public Law 111-0005, and regulations adopted thereunder by the U.S. Department of Health and Human Services and as may be amended from time to time (the “HITECH Act”), and other applicable laws. By entering into and performing their respective obligations under this Agreement, the parties intend to comply with the requirements of the Identity Theft Red Flags Rules, promulgated under the Fair and Accurate Credit Transactions Act of 2003 (“Red Flags Rules”), 16 C.F.R. Part 681, which obligate Covered Entity to oversee its arrangements with its service providers in connection with the Red Flags Rules.

APPLICABILITY AND DEFINITIONS

1. Applicability of HIPAA. Covered Entity and Vendor acknowledge and agree that: (i) Covered Entity is a “health care provider” under HIPAA; (ii) in connection with the provision of services under an applicable agreement (each, a “Service Agreement”), Covered Entity discloses to Vendor or Vendor creates or receives on behalf of Covered Entity certain Protected Health Information (“PHI”), and Electronic Protected Health Information (“EPHI”), as those terms are defined under HIPAA (“PHI”); and (iii) as a recipient of Covered Entity PHI and EPHI, Vendor is a Business Associate of Covered Entity, as that term is defined under HIPAA and the HITECH Act, including but not limited to, 42 U.S.C. Section 17938 and 45 C.F.R. Section 160.103.

2. Definitions. The following are key terms in this Agreement. The capitalized terms used, but not otherwise defined, in this Agreement shall have the meanings assigned those terms in HIPAA and the HITECH Act, as amended from time to time.

(a) “Breach” shall have the meaning given to such term under the HITECH Act, and regulations and guidance promulgated or issued thereto, as amended, and shall include any incident constituting a suspected, unconfirmed Breach, as well as any unlawful or unauthorized access to, or use or disclosure of patient medical information under California law.

(b) “Discovers” and “Discovered” shall have the meaning set forth in the HITECH Act, and regulations and guidance promulgated or issued thereto, as amended.

(c) “Minimum Necessary” shall have the meaning set forth in HIPAA, as amended by the HITECH Act, and regulations and guidance promulgated or issued thereto, as amended.

(d) “Red Flag” and “Red Flags” mean a pattern, practice, or specific activity that indicates the possible existence of identity theft.

(e) “Unsecured Protected Health Information” and “Unsecured PHI” have the meaning set forth in the HITECH Act, and regulations and guidance promulgated or issued thereto, as amended, and shall apply to PHI or EPHI.

PERMITTED USES AND DISCLOSURES

3. Use and Disclosure Related to Services for Covered Entity. Vendor shall not use or disclose PHI in any manner that would constitute a violation of HIPAA or the HITECH Act. Vendor shall only use and disclose PHI if the use and disclosure complies with each applicable requirement of 45 CFR § 164.504(e), and Vendor shall comply with all applicable provisions of 45 CFR § 164.504(e). Vendor agrees to only use, disclose and request the Minimum Necessary amount of PHI to perform the functions, activities, or services on behalf of Covered Entity as specified in the Agreement. However, except as otherwise limited in this Agreement or Service Agreement, Vendor may create, use and disclose PHI and EPHI to:

(a) perform functions, activities, or services on behalf of Covered Entity, as specified in the applicable Service Agreement, provided that such creation, use or disclosure would not violate the Privacy Rule if done by Covered Entity itself; or

(b) provide Data Aggregation services relating to the Health Care Operations of Covered Entity, but only if such services are required under the applicable Service Agreement.

4. Permissible Uses. Except as otherwise limited in this Agreement or the applicable Service Agreement, Vendor may use PHI and EPHI if necessary for its proper management and administration or to carry out its legal responsibilities, provided that such use is not otherwise prohibited by law.

5. Permissible Disclosures. Except as otherwise limited in this Agreement or the applicable Service Agreement, Vendor may disclose PHI and EPHI if necessary for its proper management and administration or to carry out its legal responsibilities, only if Vendor obtains reasonable assurances from the recipient that the recipient will hold all such PHI and EPHI confidentially and shall use or further disclose PHI and EPHI only as required by law or for the purpose for which it was disclosed to the recipient, and the recipient agrees to notify Vendor of any instances of a breach of confidentiality.

Vendor may also disclose PHI and EPHI (i) if Required by Law, in accordance with 45 CFR § 164.512, or (ii) to report violations of law to appropriate federal or state authorities, consistent with 45 CFR § 164.502(j)(1).

6. Assurances of Vendor. Vendor acknowledges that any violation by Vendor or its agents of the Privacy Rule, the Security Rule, or the provisions of this Agreement may result in enforcement action by the Secretary of the Department of Health and Human Services (“Secretary”) or any other enforcement agency as provided by HIPAA and the HITECH Act, and that such violations may result in the imposition of civil and/or criminal penalties on Vendor. Except as provided in this Agreement, Vendor shall not otherwise create, use or disclose PHI and EPHI. Vendor shall not, and shall ensure that its directors, officers, employees, subcontractors and agents do not, use or disclose PHI and EPHI in violation of HIPAA and the HITECH Act. Vendor hereby acknowledges that all such PHI and EPHI is and shall remain the property of Covered Entity.

OBLIGATIONS OF VENDOR WITH RESPECT TO PHI

7. Obligations of Vendor. With regard to its use and/or disclosure of PHI and EPHI, Vendor shall:

(a) Use appropriate safeguards to prevent any use or disclosure of PHI and EPHI that is not permitted under this Agreement, the applicable Service Agreement or the Privacy Rule. Vendor agrees to limit access to PHI to only those members of its workforce or classes of workforce who need such PHI to carry out Vendor’s activities under this Agreement and the applicable Service Agreement, to train its workforce regarding the appropriate use and disclosure of PHI as provided by this Agreement, and to sanction workforce members, as appropriate, in the event such workforce members use or disclose PHI in violation of the provisions of this Agreement.

(b) Vendor shall report to Covered Entity each use or disclosure that is made by Vendor, its employees, representatives, agents or subcontractors that is not specifically permitted by this Agreement. In addition, Vendor shall report to Covered Entity each Security Incident or Breach of Unsecured PHI of which it becomes aware or Discovers has occurred to Vendor or its agents or subcontractors.

(i) Reports of Non-Permitted Uses or Disclosures; Security Incidents. The initial report of any non-permitted use or disclosure or Security Incident shall be made by telephone call to Covered Entity no later than forty-eight (48) hours from the time that Vendor becomes aware of the non-permitted use or disclosure or Security Incident, followed by a written report to Covered Entity no later than five (5) days from the date that Vendor becomes aware of the non-permitted use or disclosure or Security Incident.

(ii) Reports of Breaches of Unsecured PHI. The initial report of a Breach of Unsecured PHI shall be made by telephone call to Covered Entity no later than twenty-four (24) hours from the time that Vendor Discovers a Breach, followed by a written report to Covered Entity no later than two (2) days from the date that Vendor Discovers such Breach. The written report of the Breach shall include:

(A) Date the Breach occurred and date the Breach was Discovered by Vendor;

(B) Description of the Breach;

(C) Number of individuals affected by the Breach, and, to the extent possible, the identification of each individual whose Unsecured PHI has been, or is reasonably believed by Vendor to have been, accessed, acquired, used or disclosed during the Breach, including the state or jurisdiction in which such individuals are located;

(D) Type of Unsecured PHI involved in the Breach; and

(E) Description of steps Vendor has taken to investigate the Breach, mitigate potential harm to the affected individuals, and prevent further Breaches, including without limitation, recommended steps that affected individuals should take to protect themselves against potential harm resulting from the Breach, or any other information that must be included in the notification to individuals under the HITECH Act.

Vendor shall promptly supplement the written report with additional information regarding the Breach as it obtains such information, including without limitation its assessment as to whether a Breach is reportable under the HITECH Act or State law.

(c) Reporting Red Flag Incident. Vendor shall report to Covered Entity any Red Flag incident of which it becomes aware. Such reports shall be made initially by telephone call to Covered Entity within forty-eight (48) hours from the time Vendor becomes aware of the Red Flag incident, followed by a written report to Covered Entity no later than five (5) days from the date that Vendor becomes aware of the Red Flag incident. Such written report by Vendor shall include: (i) a description of the Red Flag incident; (ii) a description of any threat of identity theft that may occur as a result of such incident; and (iii) the steps it has taken to mitigate any potential harm resulting from such incident.

(d) Mitigate, to the extent feasible, any harmful effect that is known to Vendor of a use or disclosure of PHI and EPHI by Vendor that is not permitted under this Agreement.

(e) Require all subcontractors and agents to whom Vendor has disclosed or will disclose PHI and EPHI under the applicable Service Agreement to agree, in writing, before disclosure to the same restrictions and conditions that apply to Vendor with respect to Covered Entity’s PHI and EPHI under the applicable Service Agreement and this Agreement. Vendor shall impose appropriate sanctions against any such agents or subcontractors in the event such agent or subcontractor violates any restrictions and conditions that apply to Vendor through this Agreement.

(f) At Covered Entity’s request, provide Covered Entity access to Covered Entity’s PHI and EPHI about an individual contained in a Designated Record Set (for so long as such information is maintained in the Designated Record Set) in the time and manner designated by Covered Entity, including in an electronic format if so requested by Covered Entity, in order to respond to a request by an individual under 45 CFR § 164.524, as amended by the HITECH Act. (Vendor shall forward any request by an individual for access to his or her PHI and EPHI to Covered Entity within three (3) business days.)

(g) At Covered Entity’s request, and in the time and manner designated by Covered Entity, make available PHI and EPHI about an individual contained in a Designated Record Set (for so long as such information is maintained in the Designated Record Set) for amendment and incorporate any such amendments in the PHI and EPHI, in accordance with 45 CFR § 164.526.

(h) Document any disclosures of PHI and EPHI and all information related to such disclosures as would be required for Covered Entity to respond to a request by an individual for an accounting of disclosures of PHI and EPHI, in accordance with 45 CFR § 164.528 as amended by the HITECH Act, and upon the effective date of such amendment,

(i) Within ten (10) business days of receiving written notice from Covered Entity, Vendor shall make available to Covered Entity all information in Vendor’s possession required for Covered Entity to make the accounting required by 45 CFR § 164.528, as amended by the HITECH Act. (Vendor shall forward any request for an accounting of PHI and EPHI received from an individual to Covered Entity within three (3) business days.)

(j) Make its internal practices, books and records relating to the use and disclosure of PHI and EPHI available to Covered Entity or the Secretary in the time and manner designated by Covered Entity or the Secretary, for purposes of determining Covered Entity’s and Vendor’s compliance with HIPAA. Vendor shall immediately notify Covered Entity of any such requests made by the Secretary and, upon Covered Entity’s request, provide Covered Entity any copies of such documents Vendor provided to the Secretary.

(k) Implement and maintain a comprehensive, written privacy and security program protecting the confidentiality, integrity and availability of PHI and EPHI that Vendor creates, receives, maintains or transmits on behalf of Covered Entity that includes administrative, technical and physical safeguards appropriate to the size and complexity of Vendor’s operations and the nature and scope of its activities, that protect against the unauthorized acquisition, access, use, disclosure, destruction, loss or alteration of PHI and EPHI in the possession or control of Vendor, in accordance with HIPAA, the HITECH Act and the HIPAA Regulations. Without limiting the foregoing, no later than the effective date set forth in the HITECH Act, Vendor shall: (a) have implemented and shall maintain administrative safeguards as required by 45 CFR § 164.308, physical safeguards as required by 45 CFR § 164.310 and technical safeguards as required by 45 CFR § 164.312; (b) have implemented and documented reasonable and appropriate policies and procedures as required by 45 CFR § 164.316; and (c) be in compliance with all requirements of the HITECH Act related to security and applicable to Covered Entity. The safeguards shall not be less rigorous than those maintained by Vendor for its own information of a similar nature and shall appropriately protect the confidentiality, integrity and availability of PHI. Vendor shall use best efforts to implement and maintain technologies and methodologies that render PHI and EPHI unusable, unreadable or indecipherable to unauthorized individuals as specified in the HITECH Act and its implementing regulations and guidance issued by the Secretary and as amended from time to time. Notwithstanding the foregoing, all Internet-based applications containing PHI, EPHI or personal information (i.e., last name, first name or initial, in combination with an SSN) must be encrypted, including file transfers and application functionality, to render such PHI, EPHI or personal information, as the case may be, unusable, unreadable, or indecipherable to unauthorized individuals, in compliance with the Department of Health and Human Services Guidance, 74 Fed. Reg. 19006, 19009-10 (April 27, 2009) and in accordance with applicable requirements, including without limitation, the requirements of Federal Information Processing Standards (FIPS) 140-2.

(l) Vendor shall provide Covered Entity or its third party designee, upon request and reasonable notice, with access to its premises and environment to perform an audit of Vendor’s practices, procedures and mechanisms for protecting the privacy and security of PHI and EPHI. Notwithstanding the foregoing, Covered Entity is not obligated to conduct any audits of Vendor. Neither the lack of audit by Covered Entity, nor the failure by Covered Entity to detect or notify Vendor of unsatisfactory practices, relieves Vendor of its obligations to comply with this Agreement, HIPAA and the HITECH Act, or constitutes Covered Entity’s acceptance of such practices or a waiver of Covered Entity’s rights under this Agreement. For Service Agreements involving EPHI, Vendor shall have an independent review, by qualified internal or external auditors with suitable education, training, experience and skill, of administrative, physical and technical policies and procedures and technological mechanisms comprising its security risk management program no less than annually, in accordance with industry standards. Corrective action plans, as necessary and appropriate, shall be promptly implemented.

(m) Vendor shall be and remain in compliance with all requirements of the HITECH Act related to privacy and applicable to Covered Entity no later than the applicable effective dates set forth in the HITECH Act. Vendor shall develop and implement policies, procedures, processes and documentation requirements to put into practice all applicable requirements of the HITECH Act no later than the applicable effective dates set forth in the HITECH Act.

(n) Vendor shall ensure that its activities for Covered Entity are conducted in accordance with reasonable policies and procedures, as specified in the Red Flags Rules, which are designed to detect, prevent and mitigate the risk of identity theft and to detect relevant Red Flags that may arise in the performance of services on behalf of Covered Entity.

(o) Service Agreements involving the use and disclosure of EPHI are required to implement the following security controls:

• Vendor shall guard (including, without limitation, through physical, administrative, technical and logical controls) against the unauthorized acquisition, access, use, disclosure, alteration or destruction of hardware, software, PHI and EPHI. Such measures shall include, without limitation, the implementation, installation (if applicable) and use of hardware, software and/or procedural mechanisms which: (a) require all users to enter a unique user identification and password prior to gaining access to the information systems, which user identification and password would allow Vendor to identify, authenticate and track each user’s identity; (b) control and track the addition and deletion of users; (c) control and track user access to areas and features of the information systems; and (d) terminate an electronic session after a predetermined time of inactivity.

• Vendor shall restrict and limit access permissions to its physical facilities and environments and electronic networks, applications and media to users as necessary for users to perform their jobs. Access permissions and authentication to electronic networks, applications and media shall be reviewed and modified/removed as appropriate no less than annually, and in any event, promptly upon any change of user job function, user termination from employment, or change of job assignment.

• Vendor shall implement and maintain adequate physical controls, policies and procedures requiring the use of identification badges, keys, card access systems or guards to prevent unauthorized physical access, tampering and theft, and manage access to sensitive floors, data centers, telecommunications closets, server rooms, media libraries and equipment. Physical security access controls shall be reviewed regularly and modified as necessary at least annually.

• Vendor shall install and configure current anti-virus software and scan for viral signatures at least daily and shall regularly install new virus signature updates.

• Vendor shall use an intrusion detection service provider, or install their own intrusion detection hardware and software, to, among other things, corroborate that PHI and EPHI have not been altered or destroyed in an unauthorized manner.

• To the extent that Vendor operates electronic networks or applications that are accessible through the Internet, Vendor shall implement technical security measures to guard against unauthorized access or improper modification to PHI and EPHI that is being transmitted over an electronic network, conduct periodic penetration tests, and, as necessary, implement in an expedient manner, corrective actions to mitigate potential vulnerabilities.

• Vendor shall promptly apply available security patches on operating systems, applications and other software.

• Vendor shall utilize Internet firewalls with adequate security controls to regulate the flow of traffic between computer networks of different trust levels.

• Vendor shall ensure that PHI and EPHI are not accessible by unauthorized persons on portable electronic and telecommunications devices such as laptop computers; removable media, such as cartridges, CD-ROMs, diskettes, and reels/tapes; and portable devices such as personal digital assistants (PDAs) and BlackBerries, through (a) installing and activating adequate encryption software on such portable electronic and telecommunications devices and portable devices, and encrypting any PHI and EPHI stored on such removable media prior to distribution, to render such PHI or EPHI, as the case may be, unusable, unreadable or indecipherable to unauthorized individuals, in compliance with the Department of Health and Human Services Guidance, 74 Fed. Reg. 19006, 19009-10 (April 27, 2009) and consistent with the National Institute of Standards and Technology Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices, and (b) implementing and enforcing policies that prohibit saving PHI to the local drive, except as may be authorized in advance and in writing by Covered Entity.

• Vendor shall develop and maintain an adequate and industry-standard Disaster Recovery Plan and Business Resumption Plan, which are tested annually and revised at a minimum quarterly. These Plans shall include, without limitation, a written file/database backup and recovery strategy, including, without limitation, procedures that create, restore and maintain retrievable exact copies of PHI and EPHI, as appropriate or necessary for resumption of Covered Entity’s business operations.

• Vendor shall establish procedures to regularly review records of information system activity, such as audit logs, access reports and security incident tracking reports, and maintain audit trails of its physical facilities and environments and electronic networks, applications and media sufficient to adequately maintain and protect the privacy, security and integrity of PHI.

• Vendor shall have an independent review, by qualified internal or external auditors with suitable education, training, experience and skill, of administrative, physical and technical policies and procedures and technological mechanisms comprising its security risk management program no less than annually, in accordance with industry standards. Corrective action plans, as necessary and appropriate, shall be promptly implemented.

• Vendor shall identify the security official who is responsible for the development and implementation of the security controls set forth herein, and shall use commercially reasonable efforts to implement a security awareness program for all members of the Vendor’s workforce regarding, among other things, (a) periodic security updates; (b) procedures for guarding against, detecting and reporting malicious software; (c) procedures for monitoring log-in attempts and reporting discrepancies; and (d) procedures for creating, changing and safeguarding passwords.

OBLIGATIONS OF COVERED ENTITY WITH RESPECT TO COVERED ENTITY PHI

8. Notice of Privacy Practices. Covered Entity shall notify Vendor of any limitation in its notice of privacy practices that Covered Entity provides to individuals, in accordance with 45 CFR § 164.520, if such limitation affects Vendor’s use or disclosure of Covered Entity’s PHI and EPHI.

9. Notification of Changes to Individual’s Permission. Covered Entity shall notify Vendor of any change in, or revocation of, any permission provided by an individual to Covered Entity to use or disclose PHI and EPHI, in accordance with 45 CFR §§ 164.506 or 164.508, if such change affects Vendor’s use or disclosure of PHI and EPHI.

10. Notification of Restrictions. Covered Entity shall notify Vendor of any restriction on the use or disclosure of PHI and EPHI to which Covered Entity has agreed in accordance with 45 CFR § 164.522, or with which Covered Entity must comply pursuant to Section 13405 of the HITECH Act (“Required Restriction”), if such restriction affects Vendor’s use or disclosure of PHI. In such event, Covered Entity shall, to the extent needed to comply with such restriction, provide written notice to Vendor of the name of the individual requesting the restriction and the PHI affected thereby. Vendor shall, upon receipt of such notification, comply with such restriction. In the event Vendor receives notice from Covered Entity of a Required Restriction, then Vendor shall not disclose the identified PHI to any health plan for the purposes of carrying out Payment or Health Care Operations, except as otherwise required by law.

TERM AND TERMINATION

11. Term. The term of this Agreement shall be effective as of the effective date of the applicable Service Agreement, or when Vendor first has access to PHI and EPHI in connection with its services under the applicable Service Agreement, whichever occurs first. This Agreement shall terminate when the applicable Service Agreement terminates and all Covered Entity PHI and EPHI is destroyed or returned to Covered Entity. If return or destruction is infeasible, the terms and provisions of this Agreement shall survive as provided in Section 13.

12. Termination.

(a) Upon learning of a material breach of this Agreement by Vendor (including its directors, officers, employees, agents, or subcontractors), Covered Entity, at its option, may:

(i) provide Vendor with written notice of the existence of a material breach and an opportunity to cure the breach upon terms acceptable to Covered Entity;

(ii) at the expense of Vendor and with Vendor’s full cooperation, attempt to cure or assist in curing the breach;

(iii) immediately terminate this Agreement and the applicable Service Agreement; and/or

(iv) notify the Secretary of such breach as permitted by HIPAA.

Covered Entity may elect to provide Vendor an opportunity to cure and/or attempt to cure the breach itself before electing to terminate this Agreement and the applicable Service Agreement. For purposes of this section, continuing or repeated violations of this Agreement, regardless of the materiality of each violation, may be considered a “material breach.”

(b) If either party knows of a pattern of activity or practice of the other party that constitutes a material breach or violation of such party’s obligations under this Agreement, then the party shall promptly notify the other party. If the breaching party fails to cure the breach or end the violation, or if such steps are not possible, and termination of this Agreement is not feasible, then prior to reporting such breach or violation to the Secretary, the non-breaching party shall notify the breaching party that a report will be made to the Secretary.

13. Return or Destruction of Covered Entity PHI and EPHI. Upon expiration or termination of the applicable Service Agreement or this Agreement, Vendor shall first recover any PHI and EPHI in the possession of its agents or subcontractors and then either return or destroy all PHI and EPHI received. Vendor shall not retain any copies of PHI and EPHI. If Vendor determines that retrieving, returning or destroying PHI and EPHI is infeasible, Vendor shall provide to Covered Entity in writing the reasons return or destruction is infeasible. If Covered Entity agrees that return or destruction of PHI and EPHI is infeasible, the terms and provisions of this Agreement shall survive termination of this Agreement and the applicable Service Agreement and be extended to the PHI and EPHI that could not be returned or destroyed, provided that such PHI and EPHI shall be used or disclosed solely for the purpose or purposes which prevented the return or destruction of such PHI and EPHI.

14. Injunction. Vendor hereby agrees that Covered Entity will suffer irreparable damage upon Vendor’s breach of this Agreement and that such damage will be difficult to quantify. Vendor hereby agrees that Covered Entity may file an action for an injunction to enforce the terms of this Agreement against Vendor, in addition to any other remedy Covered Entity may have.

15. Transition Assistance. In the event the applicable Service Agreement and this Agreement are terminated as provided in Section 12, Vendor shall provide transition services at the contracted rate for the benefit of Covered Entity, including continuing to provide services required under the Agreement until the date an alternative provider of services takes over the provision of such services and receives the transfer of PHI and EPHI and other data held by Vendor (including its agents or subcontractors).

INSURANCE AND INDEMNIFICATION

16. Insurance. Vendor shall obtain and maintain during the term of this Agreement liability insurance covering claims based on a violation of this Agreement or any applicable state law or regulation concerning the privacy of patient information and claims in an amount not less than $1,000,000 per claim. Such insurance shall be on a claims-made basis with tail coverage and shall name Covered Entity as an additional named insured. A copy of such policy or a certificate evidencing the policy shall be provided to Covered Entity upon written request.

17. Indemnification. Vendor shall indemnify and hold Covered Entity and its directors, officers, employees, agents, subcontractors, or members of its workforce, harmless from and against any and all liability and costs, including attorney’s fees, arising from or in connection with a breach of this Agreement by Vendor, its directors, officers, employees, agents, subcontractors, or workforce without regard to any limitation or exclusion of damages provision otherwise set forth in the applicable Service Agreement. Vendor’s obligation to indemnify Covered Entity shall survive the expiration or termination of this Agreement.

18. Costs and Expenses of Breach Notification. In the event of any Breach of Unsecured PHI by Vendor or its agents or subcontractors that requires notification to affected individuals and others under the HITECH Act and its implementing regulations and guidance issued by the Secretary, or under State law, Covered Entity shall have sole control over the timing and method of providing such notification and Vendor shall reimburse Covered Entity for its costs and expenses in providing the notification, including, but not limited to, any administrative costs associated with providing notice, print and mailing costs, and costs of obtaining credit monitoring services and identity theft insurance for affected individuals whose PHI or EPHI has or may have been compromised as a result of the Breach. These obligations shall be in addition to, and shall in no way limit, Vendor’s indemnification obligations set forth above.

MISCELLANEOUS PROVISIONS

19. No Third Party Beneficiaries. Nothing in this Agreement or the applicable Service Agreement is intended to, or does, confer upon any person or entity other than the parties hereto, any rights, responsibilities, obligations or liabilities.

20. Notice of Subpoena or Request for PHI and EPHI. Vendor agrees to notify Covered Entity within five (5) business days of Vendor’s receipt of any request or subpoena for Covered Entity PHI and EPHI, unless such notice is prohibited by law. If Covered Entity decides to assume responsibility for responding to or challenging the validity of such request, Vendor agrees to cooperate fully with Covered Entity.

21. Governing Law. The terms of this Agreement shall be governed by the laws of the state of California excluding any principle relating to choice of laws.

22. Conflicting Terms. The terms and provisions of this Agreement shall supersede any conflicting or inconsistent terms of the applicable Service Agreement (which includes all exhibits or documents incorporated therein by reference).

23. Interpretation. Any ambiguity in this Agreement shall be resolved to permit Covered Entity to comply with HIPAA and the HITECH Act, as well as the Red Flags Rule.

24. Amendments. No amendment to this Agreement shall be effective unless in writing and signed and dated by the Parties hereto.

25. No Waiver. Failure of a Party to insist on the strict performance of any provision of this Agreement or to exercise any right or remedy in a particular circumstance shall not be a waiver of the right to insist on strict performance or to exercise such right or remedy in the future. No such waiver granted by a party shall be deemed to be an amendment of this Agreement.

26. No Offshore Work. In providing the services under the Agreement, Vendor shall not transmit or make available any PHI or EPHI to any entity or individual outside the United States.

27. Compliance with State and Other Law. Vendor acknowledges and agrees that PHI and EPHI may be protected by other federal or state laws, including without limitation, privacy, consumer protection and data security laws and regulations, whether in effect now or in the future (“Other Applicable Laws”). Vendor represents and warrants that it will use, disclose, maintain and safeguard such PHI in compliance with Other Applicable Laws. In the event that Other Applicable Laws are more stringent than HIPAA and afford a greater degree of protection to such PHI, then Vendor shall comply with Other Applicable Laws.

28. Notices. Any notice permitted or required by this Agreement shall be delivered by overnight courier or by registered or certified mail, postage prepaid, and addressed as set forth below, or to such other address as either party may request in writing. Any such notices shall be deemed to have been delivered (i) if by overnight courier, one day after such notice is sent; or (ii) if by registered or certified mail, the date indicated on such receipt or by the records of the United States Postal Service.