ICS Software, Ltd.
BUSINESS ASSOCIATE AGREEMENT
This Business Associate Agreement (“Agreement”), effective _____________ (“Effective Date”), is entered into by and between ICS Software, Ltd., with principal place of business at 3720 Oceanside Road West, Oceanside, NY 11572 (“Business Associate”) and _______________________, with principal place of business at ______________________________ (“Covered Entity”) (each a “Party” and collectively the “Parties”).
Business Associate (which, for the purposes of this Business Associate agreement, includes its directors, officers, employees, and third party workforce) is a Software provider, and Covered Entity is a Medical Office. If the covered entity is represented by or utilizing a Billing Service, the Billing Service must sign this form along with the Covered Entity. The Parties have a software agreement (the “Software Agreement”) under which Business Associate regularly uses, has access to, or discloses Protected Health Information (“PHI”) in its performance of the Services described below. Both Parties are committed to complying with the Standards for Privacy of Individually Identifiable Health Information under the Health Insurance Portability and Accountability Act of 1996 (hereinafter, the “HIPAA Regulations”). Citations to the Code of Federal Regulations refer to the HIPAA Privacy Regulations published on December 28, 2000 and amended on August 14, 2002 and the HIPAA Security Regulations published on February 20, 2003, and shall include all subsequent, updated, amended or revised provisions relating thereto. Terms not otherwise defined herein shall have the meanings ascribed to them in the HIPAA Regulations, including but not limited to 45 C.F.R. §§ 160.103, 164.103, 164.304, & 164.501. Unless otherwise noted, all references to PHI in this Agreement are to PHI that Business Associate, or its subcontractors or agents, receives from, creates for, or maintains or transmits on behalf of Covered Entity.
The Parties agree as follows:
1. PERMITTED USES AND DISCLOSURES OF PHI
1.1 Services. Pursuant to the Software Agreement, Business Associate provides services (“Services”) for Covered Entity that involve the use and disclosure of PHI.
1.2 Permitted Uses and Disclosures by Business Associate. Except as otherwise specified herein, Business Associate may make any and all uses and disclosures of PHI necessary to perform its obligations under the Software Agreement, provided that such uses or disclosures would not violate the HIPAA Regulations if made by Covered Entity, which may include disclosure of PHI (i) to its employees, subcontractors and agents, as set forth below, (ii) as directed by Covered Entity, or (iii) as otherwise permitted by the terms of this Agreement. All other uses and disclosures of PHI are prohibited. Unless otherwise limited herein, Business Associate may use PHI of Covered Entity for the following purposes:
a. Disclosure for Management, Administration. Business Associate may use or disclose PHI for proper management and administration of Business Associate as set forth in 45 C.F.R. § 164.504(e)(4). Business Associate shall take appropriate corrective action in the event any employee or workforce member uses or discloses PHI in contravention of this Agreement.
b. Disclosure to Third Parties for Performance of Agreement. Business Associate may use or disclose the PHI in its possession to third parties for the purpose of performing its duties under the Software Agreement and this Agreement. The third party shall provide written assurances of its confidential handling of such PHI, which shall include the same restrictions and conditions on use and disclosure as apply to Business Associate herein.
c. As Required by Law/Legal Process. Business Associate may use or disclose PHI to fulfill any present or future legal responsibilities of Business Associate, provided that the disclosures are (i) required by law, as defined in 45 C.F.R. § 164.103, or (ii) required to carry out the legal responsibilities of Business Associate, as provided in 45 C.F.R. § 164.504(e)(4)(i)(B).
d. Aggregation of Data. Business Associate may aggregate the PHI in its possession with the PHI of other covered entities and provide Covered Entity with data analyses relating to the Health Care Operations of Covered Entity in accordance with 45 C.F.R. § 164.504(e)(2)(i)(B). Under no circumstances may Business Associate disclose PHI of Covered Entity to any other party or covered entity without the explicit authorization of Covered Entity.
e. Use of De-identified Data. Business Associate may de-identify PHI and utilize deidentified PHI for purposes other than research, provided that Business Associate (i) de-identifies the PHI pursuant to the HIPAA requirements set out in 45 C.F.R. § 164.514(b) and (ii) provides Covered Entity with appropriate documentation if required by 45 C.F.R. § 164.514 (b)(1)(ii). De-identified information does not constitute PHI and, with the exception of section 1.2(f) below, is not subject to the terms of this Agreement.
f. Use of Data for Research Purposes. Business Associate agrees that it will obtain prior approval by Covered Entity for the use or disclosure of PHI or de-identified PHI for research purposes. Use or disclosure for research purposes that has not been approved by Covered Entity is strictly prohibited.
2. RESPONSIBILITIES OF THE PARTIESWITH RESPECT TO PHI
2.1 Responsibilities of the Business Associate. With regard to the uses or disclosures of PHI permitted by this Agreement, Business Associate hereby agrees to the following:
PROTECTION OF PHI
a. Report Unauthorized Use. Business Associate agrees to report to Covered Entity any unauthorized use or disclosure of PHI by Business Associate or its third party agents of which Business Associate becomes aware, and any remedial action to be taken by Business Associate with respect to such unauthorized use or disclosure. Business Associate shall make said report to the designated Privacy Officer of Covered Entity, in writing, within 5 days of having been made aware of the unauthorized use or disclosure.
b. Safeguard PHI. Business Associate agrees to use commercially reasonable efforts to maintain the confidentiality and security of PHI regardless of media (including written, oral, and electronic) and to prevent unauthorized use or disclosure of such PHI by implementing and maintaining appropriate protection policies and procedures.
c. Mitigate. Business Associate agrees to mitigate, to the extent possible, any deleterious effects from any unauthorized use or disclosure of PHI by Business Associate or its third party agents.
d. Bind Subcontractors and Agents. Business Associate agrees to require all of its subcontractors and agents that receive, use, or have access to PHI under this Agreement to agree, in writing, to adhere to the same restrictions and conditions on the use or disclosure of PHI that apply to Business Associate pursuant to this Agreement.
e. Minimum Necessary Disclosure. Business Associate agrees to disclose to its subcontractors, agents, or other third parties, and request from Covered Entity, only the minimum PHI necessary to perform or fulfill a specific function required or permitted hereunder.
f. Return or Destroy. Subject to Section 3.4 below, within 30 days of the termination of this Agreement, Business Associate agrees to return to Covered Entity or destroy the PHI in its possession and retain no copies (which for purposes of this Agreement shall mean destruction of all backup tapes or other media).
g. Implement Safeguards. Business Associate agrees to implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic PHI that it creates, receives, maintains, or transmits on behalf of Covered Entity.
h. Bind Subcontractors and Agents. Business Associate agrees to require all of its subcontractors and agents to which it provides electronic PHI to agree, in writing, to implement reasonable and appropriate safeguards to protect such PHI.
i. Report Security Incident. Business Associate agrees to report to Covered Entity any security incident involving PHI experienced by Business Associate or its subcontractors and agents of which Business Associate becomes aware, and any remedial or other action to be taken by Business Associate with respect to such incident. Business Associate shall make said report to the designated Privacy Officer of Covered Entity, in writing, within 5 days of having been made aware of the security incident.
ACCESS AND AVAILABILITY OF PHI
j. Access for Viewing, Inspection, and Copying by Individual Subject of PHI. Business Associate agrees to make PHI maintained by Business Associate in a Designated Record Set available to Covered Entity for subsequent inspection and copying by the Individual subject thereof in accordance with applicable law (including, but not limited to, the HIPAA Regulations, 45 C.F.R. § 164.524).
k. Amendment by Subject of PHI. Upon 10 days’ written notice by Covered Entity, Business Associate agrees to make PHI maintained by Business Associate in a Designated Record Set available to Covered Entity for subsequent amendment by the Individual subject thereof and incorporate any amendments to PHI in accordance with applicable law (including, but not limited to, the HIPAA Regulations, 45 C.F.R. § 164.526). Business Associate shall create a process to permit and document such amendments.
l. Access by the U.S. Department of Health and Human Services (HHS). Subject to attorney-client and any other applicable legal privileges, and pursuant to 45 C.F.R. § 164.504(e)(2) (ii)(H), Business Associate agrees to make available to the Secretary of HHS all records, books, agreements, policies, and procedures relating to the use or disclosure of PHI so that HHS may determine Covered Entity’s compliance with the HIPAA Regulations. Business Associate shall immediately notify Covered Entity upon receipt of any request for access by HHS and shall provide Covered Entity with a copy of the HHS request for access and all materials to be disclosed pursuant thereto.
m. Access for Accounting Purposes. Business Associate agrees to document such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI. Business Associate agrees to provide to Covered Entity, within 10 days of receiving a request in writing therefrom, such information as is requested by Covered Entity to permit Covered Entity to respond to a request by an Individual for an accounting of the disclosures of the Individual’s PHI in accordance with 45 C.F.R. § 164.528.
2.2 Responsibilities of the Covered Entity. With regard to the use or disclosure of PHI by Business Associate, Covered Entity hereby agrees as follows:
a. Inform Business Associate of Changes in Privacy Notice. Upon request, Covered Entity agrees to furnish Business Associate with a copy of the Notice of Privacy Practices that Covered Entity provides to Individuals pursuant to 45 C.F.R. § 164.520 and to inform Business Associate of any subsequent changes thereto, if such changes affect Business Associate’s permitted or required uses and disclosures of PHI.
b. Inform Business Associate of Changes in Authorizations. Covered Entity agrees to inform Business Associate of any changes in, or withdrawal of, any authorizations provided to Covered Entity by Individuals in accordance with 45 C.F.R. §164.508 and pursuant to which Covered Entity has disclosed PHI to Business Associate, if such changes affect Business Associate’s permitted or required uses and disclosures of PHI.
c. Inform Business Associate of Opt-out Election. Covered Entity agrees to inform Business Associate of any opt-outs exercised by any Individual from marketing or fundraising activities of Covered Entity pursuant to 45 C.F.R. § 164.514(f), if such opt-outs affect Business Associate’s permitted or required uses or disclosures of PHI.
d. Notify Business Associate of Additional Limitations. Covered Entity agrees to notify Business Associate, in writing and in a timely manner, of any arrangements permitted or required of Covered Entity under 45 C.F.R. parts 160 and 164 that may affect in any manner the use or disclosure of PHI by Business Associate under this Agreement, including, but not limited to, restrictions on use or disclosure of PHI agreed to by Covered Entity as provided for in 45 C.F.R. § 164.522.
3. TERM AND TERMINATION
3.1 Term. This Agreement shall become effective on the Effective Date and shall continue in effect until all obligations of the Parties have been met, unless terminated as provided in this Section 3. In addition, certain provisions and requirements of this Agreement shall survive its expiration or other termination in accordance with Section 5.1 herein.
3.2 Termination by the Covered Entity. Business Associate hereby acknowledges and agrees that in the event Covered Entity receives a complaint that includes, or Covered Entity otherwise has or obtains, substantial and credible evidence that Business Associate has violated a material term of this Agreement, Covered Entity shall have the right to investigate such violation, and Business Associate shall cooperate fully with Covered Entity with respect to such investigation. As provided for under 45 C.F.R. §§ 164.314 (a)(2)(i)(D) & 164.504(e)(2)(iii), Covered Entity may immediately terminate this Agreement and any related agreements without penalty or recourse to Covered Entity if Covered Entity determines that Business Associate has breached a material term of this Agreement. Alternatively, Covered Entity may choose to: (i) provide Business Associate with written notice of the existence of a material breach; and (ii) afford Business Associate an opportunity to cure said material breach, to the satisfaction of Covered Entity, within 30 days of receipt of Covered Entity’s written notice. Failure to cure is grounds for the immediate termination of this Agreement. Business Associate further acknowledges that where Covered Entity determines in its sole discretion that Business Associate has violated any material term of this Agreement and that it is not feasible to terminate this Agreement, Covered Entity will report such violation to HHS and to any other governmental agency as may be required by applicable law. Termination of this Agreement by Covered Entity under either alternative shall be in writing.
3.3 Automatic Termination. This Agreement will automatically terminate without any further action of the Parties upon the termination or expiration of the Software Agreement.
3.4 Effect of Termination. Upon the event of termination pursuant to this Section 3, Business Associate agrees to return or destroy all PHI pursuant to 45 C.F.R. § 164.504(e)(2)(ii), if it is feasible to do so. Prior to doing so, Business Associate further agrees to recover any PHI in the possession of its subcontractors or agents. If it is not feasible for Business Associate to return or destroy said PHI, Business Associate will notify Covered Entity in writing within 10 days of the termination of this Agreement. Said notification shall include: (i) a statement that Business Associate has determined that it is infeasible to return or destroy the PHI in its possession, and (ii) the specific reasons for such determination. Business Associate further agrees to extend any and all protections, limitations, and restrictions contained in this Agreement to Business Associate’s use or disclosure of any PHI retained after the termination of this Agreement, and to limit any further uses or disclosures to the purposes that make the return or destruction of the PHI infeasible. If it is not feasible for Business Associate to obtain from subcontractors or agents any PHI in the possession of subcontractors or agents, Business Associate shall provide a written explanation to Covered Entity and require subcontractors and agents to agree to extend any and all protections, limitations, and restrictions contained in this Agreement to subcontractors’ or agents’ use or disclosure of any PHI retained after termination of this Agreement, and to limit any further uses or disclosures to the purposes that make return or destruction of the PHI infeasible.
4.1 Indemnification. Business Associate agrees to indemnify, defend, and hold harmless Covered Entity and Covered Entity’s employees, directors, trustees, officers, subcontractors, agents or other members of its workforce (each of the foregoing hereinafter referred to as “indemnified party”) against all losses suffered by the indemnified party and all liability to third parties arising from or in connection with any material breach of this Agreement by Business Associate or its employees, directors, officers, subcontractors, agents, or other members of its workforce. Accordingly, on demand, Business Associate shall reimburse the indemnified party for any and all losses, liabilities, fines, penalties, costs, or expenses (including reasonable attorneys’ fees) that may for any reason be imposed upon indemnified party by reason of any suit, claim, action, proceeding, or demand by any third party which results from such breach hereunder. Business Associate and its subcontractors or agents shall not be liable to Covered Entity under this Agreement for any special, incidental, indirect, punitive, or consequential damages, whether based on breach of contract, warranty, tort, or product liability, and whether or not Business Associate has been advised of the possibility of such damage. Business Associate’s obligation to indemnify Covered Entity/indemnified party shall survive the expiration or termination of this Agreement for any reason.
5.1 Survival. The respective rights and obligations of Business Associate and Covered Entity under the provisions of Sections 3.4 (Effect of Termination), 4.1 (Indemnification), 5.3 (No Third Party Beneficiaries), and Section 2.1 (Responsibilities of the Business Associate, solely with respect to PHI Business Associate retains in accordance with Section 3.4 where it is not feasible to return or destroy such PHI), shall survive termination of this Agreement indefinitely.
5.2 Amendments; Waiver. This Agreement may not be modified, nor shall any provision hereof be waived or amended, except in a writing duly signed by authorized representatives of the Parties. A waiver with respect to one event shall not be construed as continuing, or as a bar to or waiver of any right or remedy as to subsequent events. Notwithstanding the foregoing, in order to ensure that this Agreement at all times remains consistent with applicable law regarding use and disclosure of PHI (including, but not limited to, the HIPAA Regulations), Business Associate agrees that this Agreement may be amended from time to time upon written notice from Covered Entity to Business Associate, and with the agreement of Business Associate, as to the revisions required to make this Agreement consistent with applicable law.
5.3 No Third Party Beneficiaries. Nothing express or implied in this Agreement is intended to confer, nor shall anything herein confer, upon any person other than the parties and the respective successors or assigns of the Parties, any rights, remedies, obligations, or liabilities whatsoever.
5.4 Interpretation. Any ambiguity in this Agreement shall be resolved in favor of a meaning that permits Covered Entity to comply with the HIPAA Regulations.
5.5 Notices. Any notices to be given hereunder to a Party shall be made via U.S. Mail or overnight courier to such Party’s address given below, or via facsimile to the facsimile telephone numbers listed below. Notice shall be deemed given 3 business days after depositing into U.S. Mail postage prepaid, the next business day if sent by overnight courier, and the same day if sent by facsimile.
Terms of Service Agreement
Privacy - Period!
This is probably one of the few places in the world that will discuss how this information exchanged between you and us is to be used and how it is exchanged via high speed internet connections. The data that leaves your computer is encrypted. In the unlikely event that someone “hijacks” the data in the less than 1 second it takes to get from you to us, they would not be able to read or decipher the data. After we verify who is sending us data, we decrypt it and place it in the proper format to go to the Medicare database. That journey and back takes place along a “secure” connection as required by CMS. Once the information is returned to us, we place it into a format that you can read, encrypt it and send it on to you. Your computer screen shows it in human readable form. You should not discuss the information with anyone other than the patient and others in your office who are allowed to by you. You must take the necessary precautions to safeguard this information. We will consider your use of the Service, including the content of your communications, to be private. However, to the extent permitted by law, we may be requested by CMS or their agents to give them information about you, including contents of transactions to: (1) conform to legal requirements or respond to legal process; (2) ensure your compliance with this contract; or (3) protect the rights, property, or interests of ICS Software, Ltd., its employees, its customers, persons whose identity is contained within the submission, or the public.
You Are Responsible For Your Account.
You are responsible for all activity under your account. You may authorize other persons working directly for you or your office to use your account, and you are responsible for keeping confidential any password for your account. We may allow you to have additional member accounts associated to your account. We refer to these as "associated accounts." We may limit who may use any associated accounts. You must tell us right away about anyone using any of your accounts or associated accounts without your consent, or any security breach that relates to the Service.
We may provide you with software. If you receive software from us, your use of that software is under the terms of the license that is presented to you for acceptance for that software. If there is no license presented to you, then we grant you the right to use the software only for the authorized use. Copyright and other intellectual property laws and treaties protect such software and content. We reserve all other rights to the software. ICS Software, Ltd. owns the title, copyright, and other intellectual property rights in such software.
We may automatically check your version of the software. We may automatically download upgrades to such software to your computer to update, enhance and further develop the Service. Your license will end on the date your Service ends. Your license will also end if we modify the Service in a way that no longer supports such software. Promptly after the date your Service ends, you shall uninstall such software. We may disable such software after the date the Service ends.
You will not disassemble, decompile, or reverse engineer any software or any machine included in the Service, except and only to the extent that the law expressly permits such activity.
The software is subject to United States HIPAA privacy laws and regulations. You must comply with all domestic and international export laws and regulations that apply to the software. These laws include restrictions on destinations, end users and end use.
Performance and Usage Information.
We may automatically upload performance and usage data for evaluating the Service and the software associated with the Service. Such data will not personally identify you. You may opt out of the automatic uploading of your usage data (but not performance data) as indicated in software associated with the Service.
How We May Change the Contract.
If we change this contract, then we will tell you at least 30 days before the change is in force. We will tell you of the change by e-mail or online posting. We may also use other ways that we believe will reach you. If you do not agree to such changes, then you must cancel and stop using the Service before the changes are in force. If you do not stop using the Service, then your use of the Service will continue under the changed contract.
WE MAKE NO WARRANTY.
We provide the software "as-is," "with all faults" and "as available." The software is designed for commercial use. The ICS Parties give no express warranties, guarantees or conditions. You may have additional consumer rights under your local laws that this contract cannot change. To the extent permitted by law, we exclude the implied warranties of merchantability, fitness for a particular purpose, workmanlike effort and non-infringement.
LIABILITY LIMITATION; YOUR EXCLUSIVE REMEDY.
You can recover from the ICS Parties only direct damages up to an amount equal to your Service fee for one month. You cannot recover any other damages, including consequential, lost profits, special, indirect or incidental damages.
This limitation applies to
· any matter related to the Service,
· any matter related to content (including code) on third party Internet sites, third party programs or third party conduct,
· any matter related to viruses or other disabling features that affect your access to or use of the Service,
· any matter related to incompatibility between the Service and other services, software and hardware,
· any matter related to delays or failures you may have in initiating, conducting or completing any transmissions or transactions in connection with the Service in an accurate or timely manner, and
· claims for breach of contract, breach of warranty, guarantee or condition, strict liability, negligence, or other tort to the extent permitted by applicable law.
It also applies even if
· this remedy does not fully compensate you for any losses, or fails of its essential purpose; or
· ICS Software, Ltd. knew or should have known about the possibility of the damages.
Some states do not allow the exclusion or limitation of incidental or consequential damages, so the above limitation or exclusion may not apply to you. They also may not apply to you because your province or country may not allow the exclusion or limitation of incidental, consequential or other damages.
Changes to the Software; Our Cancellation of Service.
We may change the software or delete features at any time and for any reason. We may cancel or suspend your Service at any time. Our cancellation or suspension may be without cause and/or without notice. Upon Service cancellation, your right to use the Service stops right away. Once the Service is cancelled or suspended, any data you have stored on the Service may not be retrieved later. Our cancellation of the Service will not alter your obligation to pay all charges made to your Billing Account. If we cancel the Service in its entirety without cause, then we will refund to you, on a pro-rata basis the amount of your payment corresponding to the portion of your Service remaining right before such cancellation.
Choice of Law and Location for Resolving Disputes.
If this contract is with ICS Software, Ltd., then claims for breach of this contract will be subject to the laws of the State of New York, without reference to conflict of laws principles. All other claims, including claims regarding consumer protection laws, unfair competition laws, and in tort, will be subject to the laws of your state of residence in the United States.
If this contract is with ICS Software, Ltd., you consent to the exclusive jurisdiction and venue of state or federal courts in Nassau County, New York, USA for all disputes relating to this contract or the Service. You cannot revoke this consent.
Interpreting the Contract.
All parts of this contract apply to the maximum extent permitted by law. A court may hold that we cannot enforce a part of this contract as written. If this happens, then we will replace that part with terms that most closely match the intent of the part that we cannot enforce. The rest of this contract will not change. This is the entire contract between us regarding your use of the Service. It supersedes any prior contract or statements regarding your use of the Service. If you have confidentiality obligations related to the Service, those obligations remain in force (for example, you may have been a beta tester). The section titles in the contract do not limit the other terms of this contract.
We may assign this contract, in whole or in part, at any time with or without notice to you. You may not assign this contract, or any part of it, to any other party. Any attempt by you to do so is void. Instead, you may cancel your Service. The other party may then establish a Service account and enter into a contract with us.
Claim Must Be Filed Within One Month.
Any claim related to this contract or the Service must be brought within one month. The one-month period begins on the date when the claim first could be filed. If it is not filed, then that claim is permanently barred. This applies to you and your successors. It also applies to us and our successors and assigns.
If to Business Associate, to:
ICS Software, Ltd.
3720 Oceanside Road West
Oceanside, NY 11572
Phone: 877-624-3250 Fax: 516-763-1017
If to Covered Entity, to:
Each Party named above may change its address and that of its representative for notice by the giving of notice thereof in the manner hereinabove provided.
5.6 Counterparts; Facsimiles. This Agreement may be executed in any number of counterparts, each of which shall be deemed an original. Facsimile copies hereof shall be deemed to be originals.
Understanding that my submitter number and password constitute my verification that the transactions moving to and from companies with whom I transact EDI transactions, I hereby employ ICS Software, Ltd. (its staff and divisions, i.e., MedXpress, CheckMedicare.com) to act in my behalf for moving claims and reports between my EDI partners, and setting and resetting passwords with such EDI partners in order to accomplish their tasks. In addition, I am aware that if needed because of limitations in my existing billing software, I authorize the MedXpress program to alter my submitter number so my claims are accepted into the new NGS gateway.
IN WITNESS WHEREOF, each of the undersigned has caused this Agreement to be duly executed in its name and on its behalf:
Print name: _____________________ ICS SOFTWARE, LTD
Sign name: ______________________ By: ___________________
Billing Service Representative Signature