DocuSign Envelope ID: 5217DEC1-2EF1-4A49-AD1F-F6CBCC3F8A9E
<br /> EXHIBIT C
<br /> HIPAA BUSINESS ASSOCIATE ADDENDUM
<br /> Customer and ESO Solutions, Inc. ("Business Associate") agree that (1) this HIPAA Business Associate Addendum is entered into for
<br /> the benefit of Customer, which is a covered entity under the Privacy Standards ("Covered Entity").
<br /> Pursuant to the Agreement, Business Associate may perform functions or activities involving the use and/or disclosure of PHI on
<br /> behalf of the Covered Entity, and therefore, Business Associate may function as a business associate. Business Associate, therefore, agrees to the
<br /> following terms and conditions set forth in this HIPAA Business Associate Addendum ("Addendum").
<br /> 1. Scope. This Addendum applies to and is hereby automatically incorporated into all present and future agreements and relationships,
<br /> whether written, oral or implied, between Covered Entity and Business Associate, pursuant to which PHI is created, maintained, received or
<br /> transmitted by Business Associate from or on behalf of Covered Entity in any form or medium whatsoever.
<br /> 2. Definitions. For purposes of this Addendum, the terms used herein, unless otherwise defined, shall have the same meanings as used in the
<br /> Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), or the Health Information Technology for Economic and Clinical
<br /> Health Act ("HITECH"), and any amendments or implementing regulations, (collectively "HIPAA Rules").
<br /> 3. Compliance with Applicable Law. The parties acknowledge and agree that, beginning with the relevant effective date, Business Associate
<br /> shall comply with its obligations under this Addendum and with all obligations of a business associate under HIPAA, HITECH, the HIPAA
<br /> Rules, and other applicable laws and regulations, as they exist at the time this Addendum is executed and as they are amended, for so long
<br /> as this Addendum is in place.
<br /> 4. Permissible Use and Disclosure of PHI. Business Associate may use and disclose PHI as necessary to carry out its duties to a Covered
<br /> Entity pursuant to the terms of the Agreement and as required by law. Business Associate may also use and disclose PHI (i) for its own
<br /> proper management and administration, and (ii) to carry out its legal responsibilities. If Business Associate discloses Protected Health
<br /> Information to a third party for either above reason, prior to making any such disclosure, Business Associate must obtain: (i) reasonable
<br /> assurances from the receiving party that such PHI will be held confidential and be disclosed only as required by law or for the purposes for
<br /> which it was disclosed to such receiving party; and (ii) an agreement from such receiving party to immediately notify Business Associate of
<br /> any known breaches of the confidentiality of the PHI.
<br /> 5. Limitations on Use and Disclosure of PHI. Business Associate shall not, and shall ensure that its directors, officers, employees,
<br /> subcontractors, and agents do not, use or disclose PHI in any manner that is not permitted by the Agreement or that would violate Subpart E
<br /> of 45 C.F.R. 164 ("Privacy Rule") if done by a Covered Entity. All uses and disclosures of, and requests by, Business Associate for PHI are
<br /> subject to the minimum necessary rule of the Privacy Rule.
<br /> 6. Required Safeguards to Protect PHI. Business Associate shall use appropriate safeguards, and comply with Subpart C of 45 C.F.R. Part 164
<br /> ("Security Rule") with respect to electronic PHI, to prevent the use or disclosure of PHI other than pursuant to the terms and conditions of
<br /> this Addendum.
<br /> 7. Reporting to Covered Entity. Business Associate shall report to the affected Covered Entity without unreasonable delay: (a) any use or
<br /> disclosure of PHI not provided for by the Agreement of which it becomes aware; (b) any breach of unsecured PHI in accordance with 45
<br /> C.F.R. Subpart D of 45 C.F.R. 164 ("Breach Notification Rule"); and (c) any security incident of which it becomes aware. With regard to
<br /> Security Incidents caused by or occurring to Business Associate, Business Associate shall cooperate with the Covered Entity's investigation,
<br /> analysis, notification and mitigation activities, and except for Security Incidents caused by Covered Entity, shall be responsible for
<br /> reasonable costs incurred by the Covered Entity for those activities. Notwithstanding the foregoing, Covered Entity acknowledges and shall
<br /> be deemed to have received advanced notice from Business Associate that there are routine occurrences of: (i) unsuccessful attempts to
<br /> penetrate computer networks or services maintained by Business Associate; and (ii) immaterial incidents such as "pinging" or "denial of
<br /> services" attacks.
<br /> 8. Mitigation of Harmful Effects. Business Associate agrees to mitigate, to the extent practicable, any harmful effect of a use or disclosure of
<br /> PHI by Business Associate in violation of the requirements of the Agreement, including, but not limited to, compliance with any state law
<br /> or contractual data breach requirements.
<br /> 9. Agreements by Third Parties. Business Associate shall enter into an agreement with any subcontractor of Business Associate that creates,
<br /> receives, maintains or transmits PHI on behalf of Business Associate. Pursuant to such agreement, the subcontractor shall agree to be bound
<br /> by the same or greater restrictions, conditions, and requirements that apply to Business Associate under this Addendum with respect to such
<br /> PHI.
<br /> 10. Access to PHI. Within five (5) business days of a request by a Covered Entity for access to PHI about an individual contained in a
<br /> Designated Record Set, Business Associate shall make available to the Covered Entity such PHI for so long as such information is
<br /> maintained by Business Associate in the Designated Record Set, as required by 45 C.F.R. 164.524. In the event any individual delivers
<br /> directly to Business Associate a request for access to PHI, Business Associate shall within five (5) business days forward such request to the
<br /> Covered Entity.
<br /> 11. Amendment of PHI. Within five (5) business days of receipt of a request from a Covered Entity for the amendment of an individual's PHI or
<br /> a record regarding an individual contained in a Designated Record Set (for so long as the PHI is maintained in the Designated Record Set),