HIPAA SERVICE PROVIDER AGREEMENT

This Agreement, dated as of February 21, 2019 (“Agreement”), is by and between you (“Business Associate”) and Hey Healthcare, Inc. (“Service Provider”).

WHEREAS, Business Associate provides services for Covered Entities subject to the federal Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), as amended by the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”) and the associated regulations (collectively the “HIPAA Regulations”) pursuant to a business associate agreement with Covered Entities.

WHEREAS, Service Provider and Business Associate are parties to the Service Agreement in which Business Associate has delegated to Service Provider certain tasks under a business associate agreement that involve the creation, receipt, maintenance or transmission of Protected Health Information, from or on behalf of a Covered Entity (as defined under HIPAA).

WHEREAS, in light of the foregoing and the requirements of HIPAA, the HITECH Act, and HIPAA Regulations, Business Associate and Service Provider agree to be bound by the following terms and conditions.

NOW, THEREFORE, for good and valuable consideration, the receipt and sufficiency of which is hereby acknowledged, the parties agree as follows:

  1. Definitions.

    (a) General. Terms used, but not otherwise defined, in this Agreement shall have the same meaning given to those terms by HIPAA, the HITECH Act and HIPAA Regulations as in effect or as amended from time to time.

    (b) Specific.

      (i) Breach. “Breach” shall have the same meaning as the term “breach” in the HITECH Act, Section 13400(1).

      (ii) Covered Entity. “Covered Entity” shall have the same meaning as the term “covered entity” in 45 CFR § 160.103, limited to the Covered Entities which are clients of Business Associate.

      (iii) Electronic Health Record. “Electronic Health Record” shall have the same meaning as the term “electronic health record” in the HITECH Act, Section 13400(5).

      (iv) Electronic Protected Health Information. “Electronic Protected Health Information” shall have the same meaning as the term “electronic protected health information” in 45 CFR § 160.103, limited to the information that Service Provider creates, receives, maintains, or transmits from or on behalf of Business Associate or a Covered Entity.

      (v) Individual. “Individual” shall have the same meaning as the term “individual” in 45 CFR § 160.103 and shall include a person who qualifies as a personal representative in accordance with 45 CFR § 164.502(g).

      (vi) Privacy Rule. “Privacy Rule” shall mean the Standards for Privacy of Individually Identifiable Health Information at 45 CFR Part 160 and Part 164.

      (vii) Protected Health Information. “Protected Health Information” shall have the same meaning as the term “protected health information” in 45 CFR § 160.103, limited to the information created, received, transmitted or maintained by Service Provider from or on behalf of Business Associate or a Covered Entity.

      (viii) Required By Law. “Required by Law” shall have the same meaning as the term “required by law” in 45 CFR § 164.103.

      (ix) Secretary. “Secretary” shall mean the Secretary of the Department of Health and Human Services or his designee.

      (x) Security Rule. “Security Rule” shall mean the Security Standards at 45 CFR Part 160 and Part 164.

      (xi) Service Agreement. For purposes of this Agreement, “Service Agreement” shall refer to any present or future agreements, either written or oral, between Service Provider and Business Associate under which Service Provider provides services to Business Associate or its clients which involve the creation, receipt, maintenance or transmission of Protected Health Information. The Service Agreement is amended by and incorporates the terms of this Agreement.

      (xii) Unsecured Protected Health Information. “Unsecured Protected Health Information” shall have the same meaning as the term “unsecured protected health information” in the HITECH Act, Section 13402(h)(1).

  2. Obligations and Activities of Service Provider.

    (a) Use and Disclosure. Service Provider agrees not to use or disclose Protected Health Information other than as permitted or required by the Service Agreement, this Agreement or as Required By Law. Service Provider understands and agrees that under HIPAA, Service Provider’s creation, receipt, maintenance or transmission of protected health information on behalf of Business Associate likewise makes Service Provider a business associate. Service Provider represents and warrants that it is familiar with and agrees to safeguard protected health information as required by the HIPAA Regulations.

    (b) Appropriate Safeguards. Service Provider agrees to use appropriate safeguards to prevent the use or disclosure of the Protected Health Information other than as permitted by this Agreement. Without limiting the generality of the foregoing sentence, Service Provider agrees to:

      (i) Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of Electronic Protected Health Information as required by the Security Rule;

      (ii) Ensure that any agent, including a subcontractor, to whom Service Provider provides Electronic Protected Health Information agrees to implement reasonable and appropriate safeguards to protect Electronic Protected Health Information; and

      (iii) Promptly report to Business Associate any successful Security Incident of which Service Provider becomes aware and to report unsuccessful Security Incidents as reasonably requested by Business Associate. In addition, Service Provider agrees to promptly notify Business Associate following the discovery of a Breach of Unsecured Protected Health Information. A Breach is considered “discovered” as of the first day on which the Breach is known, or reasonably should have been known, to Service Provider or any employee, officer or agent of Service Provider, other than the individual committing the Breach. Any notice of a Security Incident or Breach of Unsecured Protected Health Information shall include the identification of each Individual whose Protected Health Information has been, or is reasonably believed by Service Provider to have been, accessed, acquired, or disclosed during such Security Incident or Breach as well as any other relevant information regarding the Security Incident or Breach.

    (c) Reporting. Service Provider agrees to promptly report to Business Associate any use or disclosure of Protected Health Information not provided for by this Agreement of which it becomes aware.

    (d) Mitigation. Service Provider agrees to mitigate, to the extent practicable, any harmful effect that is known to Service Provider of a use or disclosure of Protected Health Information by Service Provider or its employees, officers or agents in violation of the requirements of this Agreement (including, without limitation, any Security Incident or Breach of Unsecured Protected Health Information). Service Provider agrees to reasonably cooperate and coordinate with Business Associate and the relevant Covered Entity in the investigation of any violation of the requirements of this Agreement and/or any Security Incident or Breach. Service Provider shall also reasonably cooperate and coordinate with Business Associate and/or Covered Entity in the preparation of any reports or notices to the Individual, a regulatory body or any third party required to be made under HIPAA, HIPAA Regulations, the HITECH Act, or any other Federal or State laws, rules or regulations, provided that any such reports or notices shall be subject to the prior written approval of Business Associate and Covered Entity.

    (e) Agents. Service Provider agrees to ensure that any agent, including a subcontractor, to whom it provides Protected Health Information received from, or created or received by, Service Provider on behalf of Business Associate or a Covered Entity agrees to the same terms and conditions that apply to Protected Health Information pursuant to this Agreement, including entering into a written agreement that incorporates the applicable restrictions, conditions and requirements that apply to Service Provider pursuant to this Agreement.

    (f) Access to Designated Record Sets. To the extent that Service Provider possesses or maintains Protected Health Information in a Designated Record Set, Service Provider agrees to provide access, at the request of Business Associate and/or Covered Entity, and in the time and manner designated by the Business Associate and/or Covered Entity, to Protected Health Information in a Designated Record Set, to Business Associate and/or Covered Entity or, as directed by Business Associate and/or Covered Entity, to an Individual in order to meet the requirements under HIPAA Regulations. If an Individual makes a request for access to Protected Health Information directly to Service Provider, Service Provider shall notify Business Associate and Covered Entity of the request within three (3) business days of such request and will cooperate with Business Associate and Covered Entity and allow Covered Entity to send the response to the Individual.

    (g) Amendments to Designated Record Sets. To the extent that Service Provider possesses or maintains Protected Health Information in a Designated Record Set, Service Provider agrees to make any amendment(s) to Protected Health Information in a Designated Record Set that the Business Associate or a Covered Entity directs or agrees to pursuant to 45 CFR § 164.526, and in the time and manner designated by the Business Associate or a Covered Entity. If an Individual makes a request for an amendment to Protected Health Information directly to Service Provider, Service Provider shall notify Business Associate and Covered Entity of the request within three (3) business days of such request and will cooperate with Covered Entity and allow Covered Entity to send the response to the Individual.

    (h) Access to Books and Records. Service Provider agrees to make its internal practices, books, and records, including policies and procedures and Protected Health Information, relating to the use and disclosure of Protected Health Information received from, or created or received by Service Provider on behalf of Business Associate available to Business Associate or the Secretary, in a time and manner designated by the Business Associate or designated by the Secretary, for purposes of the Secretary determining Covered Entity’s compliance with the Privacy Rule. The foregoing is not intended, and shall not be deemed, to be a waiver in whole or in part of the attorney-client privilege, the attorney work product privilege, or any other privilege, protection and/or immunity applicable under state or federal law.

    (i) Accountings. Service Provider agrees to document such disclosures of Protected Health Information and information related to such disclosures as would be required for Covered Entities to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 CFR § 164.528.

    (j) Requests for Accountings. Service Provider agrees to provide to Business Associate, or at the direction of Business Associate, to a Covered Entity or an Individual, in the time and manner designated by the Business Associate, information collected in accordance with Section 2(h) of this Agreement, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with HIPAA, HIPAA Regulations and the HITECH Act. If an Individual makes a request for an accounting directly to Service Provider, Service Provider shall notify Business Associate of the request within three (3) business days of such request and will cooperate with Business Associate and Covered Entity and allow Covered Entity to respond to the Individual.

  3. Permitted Uses and Disclosures by Service Provider.

    (a) Service Agreement. Except as otherwise limited in this Agreement, Service Provider may use or disclose Protected Health Information to perform functions, activities, or services for, or on behalf of, a Covered Entity or the Business Associate as specified in the Service Agreement, provided that such use or disclosure would not violate HIPAA, HIPAA Regulations or the HITECH Act if done by Covered Entity or the minimum necessary policies and procedures of the Business Associate and Covered Entity.

    (b) Use for Administration of Service Provider. Except as otherwise limited in this Agreement, Service Provider may use Protected Health Information for the proper management and administration of the Service Provider or to carry out the legal responsibilities of the Service Provider.

    (c) Disclosure for Administration of Service Provider. Except as otherwise limited in this Agreement, Service Provider may disclose Protected Health Information for the proper management and administration of the Service Provider, provided that (i) disclosures are Required by Law, or (ii) Service Provider obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as Required by Law or for the purpose for which it was disclosed to the person, and the person notifies the Service Provider of any instances of which it is aware in which the confidentiality of the information has been breached.

  4. Permissible Requests by Business Associate. Except as set forth in Section 3 of this Agreement, Business Associate shall not request Service Provider to use or disclose Protected Health Information in any manner that would not be permissible under HIPAA, HIPAA Regulations, and HITECH Act if done by a Covered Entity.

  5. Term and Termination.

    (a) Term. This Agreement shall be effective as of the date of this Agreement and shall terminate when all of the Protected Health Information provided by Business Associate or a Covered Entity to Service Provider, or created or received by Service Provider on behalf of Business Associate or a Covered Entity, is destroyed or returned to Business Associate, or, if it is infeasible to return or destroy Protected Health Information, protections are extended to such information, in accordance with the termination provisions in this Section.

    (b) Termination for Cause. Upon Business Associate’s knowledge of a material breach by Service Provider of the terms of this Agreement, Business Associate shall either:

      (i) Provide an opportunity for Service Provider to cure the breach or end the violation. If Service Provider does not cure the breach or end the violation within the time specified by Business Associate and/or Covered Entity, Business Associate shall terminate: (A) this Agreement; (B) all of the provisions of the Service Agreement that involve the use or disclosure of Protected Health Information; and (C) such other provisions, if any, of the Service Agreement as Business Associate designates in its sole discretion; or

      (ii) If Service Provider has breached a material term of this Agreement and cure is not possible, immediately terminate: (A) this Agreement; (B) all of the provisions of the Service Agreement that involve the use or disclosure of Protected Health Information; and (C) such other provisions, if any, of the Service Agreement as Business Associate designates in its sole discretion.

    (c) Effect of Termination.

      (i) Except as provided in Section 5(c)(ii), upon termination of this Agreement or the Service Agreement, for any reason, Service Provider shall return to Business Associate or destroy all Protected Health Information received from Business Associate or a Covered Entity, or created or received by Service Provider on behalf of Business Associate or a Covered Entity. This provision shall apply to Protected Health Information that is in the possession of subcontractors or agents of Service Provider. Service Provider shall retain no copies of the Protected Health Information.

      (ii) In the event that Service Provider determines that returning or destroying the Protected Health Information is infeasible, Service Provider shall provide to Business Associate notification of the conditions that make return or destruction infeasible. Upon mutual agreement of the Parties that return or destruction of Protected Health Information is infeasible, Service Provider shall extend the protections of this Agreement to such Protected Health Information and limit further uses and disclosures of such Protected Health Information to those purposes that make the return or destruction infeasible, for so long as Service Provider maintains such Protected Health Information.

  6. Indemnity. Service Provider agrees to indemnify, defend and hold harmless Business Associate and its employees, directors/trustees, members, professional staff, representatives and agents (collectively, the “Indemnitees”) from and against any and all claims (whether in law or in equity), obligations, actions, causes of action, suits, debts, judgments, losses, fines, penalties, damages, expenses (including attorney’s fees), liabilities, lawsuits or costs incurred by the Indemnitees which arise or result from a breach of the terms and conditions of this Agreement or a violation of HIPAA, the HITECH Act or HIPAA Regulations by Service Provider or its employees or agents. Service Provider’s indemnification obligations hereunder shall not be subject to any limitations of liability or remedies in the Service Agreement and shall survive the expiration or termination of this Agreement.

  7. Compliance with HIPAA Transaction Standards. When providing its services and/or products, Service Provider shall comply with all applicable HIPAA standards and requirements (including, without limitation, those specified in 45 CFR Part 162) with respect to the transmission of health information in electronic form in connection with any transaction for which the Secretary has adopted a standard under HIPAA (“Covered Transactions”). Service Provider will make its services and/or products compliant with HIPAA’s standards and requirements no less than thirty (30) days prior to the applicable compliance dates under HIPAA. Service Provider represents and warrants that it is aware of all current HIPAA standards and requirements regarding Covered Transactions, and Service Provider shall comply with any modifications to HIPAA standards and requirements which become effective from time to time. Service Provider agrees that such compliance shall be at its sole cost and expense, which expense shall not be passed on to Business Associate in any form, including, but not limited to, increased fees. Service Provider shall require all of its agents and subcontractors (if any) who assist Service Provider in providing its services and/or products to comply with the terms of this Section 7.

  8. Miscellaneous.

    (a) Regulatory References. A reference in this Agreement to a section in HIPAA, HIPAA Regulations, or the HITECH Act means the section as in effect or as amended or modified from time to time, including any corresponding provisions of subsequent superseding laws or regulations.

    (b) Amendment. The Parties agree to take such action as is necessary to amend the Service Agreement from time to time as is necessary for Business Associate or a Covered Entity to comply with the requirements of HIPAA, the HIPAA Regulations and the HITECH Act.

    (c) Survival. The respective rights and obligations of Service Provider under Section 5(c) of this Agreement shall survive the termination of the Service Agreement or this Agreement.

    (d) Interpretation. Any ambiguity in this Agreement shall be resolved to permit Business Associate’s clients to comply with HIPAA, HIPAA Regulations and the HITECH Act.

    (e) Miscellaneous. The terms of this Agreement are hereby incorporated into the Service Agreement. Except as otherwise set forth in Section 8(d) of this Agreement, in the event of a conflict between the terms of this Agreement and the terms of the Service Agreement, the terms of this Agreement shall prevail. The terms of the Service Agreement which are not modified by this Agreement shall remain in full force and effect in accordance with the terms thereof. This Agreement shall be governed by, and construed in accordance with, the laws of California, exclusive of conflict of law rules. Each party to this Agreement hereby agrees and consents that any legal action or proceeding with respect to this Agreement shall only be brought in the courts of California in San Francisco County. The Service Agreement together with this Agreement constitutes the entire agreement between the parties with respect to the subject matter contained herein, and this Agreement supersedes and replaces any former business associate agreement or addendum entered into by the parties. No amendments or modifications to the Agreement shall be effected unless executed by both parties in writing.