Maqpie Business Associate Addendum
This Business Associate Addendum (the “Addendum”) supplements the underlying agreement, including the Terms of Service (collectively “Underlying Agreement”), between Auxilin, LLC. (“Auxilin”) and its client (“Client”), and is intended to and shall be interpreted to ensure the parties’ compliance with the Health Insurance Portability and Accountability Act and its implementing regulations, 45 C.F.R. Part 164 (collectively “HIPAA Rules”). The terms in the Underlying Agreement shall also apply to the parties’ performance under this Addendum to the extent not inconsistent with the terms of this Addendum.
1. Definitions. Terms used, but not otherwise defined in this Addendum, shall have the same meaning as those terms are used in the HIPAA Rules.
2. Obligations and Activities of Auxilin.
- Auxilin agrees to not use or disclose Protected Health Information other than as permitted or required by this Addendum, the Underlying Addendum or as Required By Law.
- Auxilin agrees to use appropriate safeguards, and comply with Subpart C of 45 C.F.R. Part 164 with respect to Electronic Protected Health Information, to prevent use or disclosure of the Protected Health Information other than as provided for by this Addendum.
- Auxilin agrees to report to Client any use or disclosure of the Protected Health Information not provided for by this Addendum of which it becomes aware, including breaches of Unsecured Protected Health Information as required by 45 C.F.R. §164.410. Auxilin also agrees to report to Client any security incident, including all data breaches, related to Protected Health Information of which Auxilin becomes aware; provided that the reporting requirement shall not apply to routine, unsuccessful security incidents such as port scans, pings, etc., that do not pose a material threat to the Protected Health Information.
- Auxilin agrees to ensure that any subcontractor, to whom it provides Protected Health Information received from, or created or received by Auxilin on behalf of, Client agrees to the same restrictions and conditions that apply through this Addendum to Auxilin with respect to such information.
- Auxilin agrees to provide access, at the request of Client and during normal business hours, to Protected Health Information in a Designated Record Set to Client or, as directed by Client, to an Individual in order to meet the requirements under 45 C.F.R. §164.524, provided that Client delivers to Auxilin a written notice at least five (5) business days in advance of requesting such access.
- Auxilin agrees to make any amendment(s) to Protected Health Information in a Designated Record Set that the Client directs or agrees to pursuant to 45 C.F.R. §164.526, at the request of Client or an Individual.
- Unless otherwise protected or prohibited from discovery or disclosure by law, Auxilin agrees to make internal practices, books and records, relating to the use or disclosure of Protected Health Information received from, or created or received by Auxilin on behalf of, Client available to the Secretary for purposes of the Secretary determining Client’s compliance with the HIPAA Rules.
- Auxilin agrees to maintain and, on request of Client, provide to Client documentation necessary to permit Client to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 C.F.R. §164.528.
- To the extent Auxilin carries out one or more of Client’s obligations under Subpart E of 45 C.F.R. Part 164, Auxilin agrees to comply with the requirements of Subpart E that apply to Client in the performance of such obligations.
3. Permitted Uses and Disclosures by Auxilin.
- Except as otherwise limited by this Addendum, Auxilin may make any uses and disclosures of Protected Health Information necessary to perform the Services for and on behalf of Client in accordance with the terms of the Underlying Agreement and to otherwise meet its obligations under this Addendum, if such uses or disclosures would not violate the Privacy Rule if done by Client.
- Except as otherwise limited in this Addendum, Auxilin may use Protected Health Information for the proper management and administration of the Auxilin, including internal analytics for Auxilin’s own product development, or to carry out the legal responsibilities of the Auxilin.
- Except as otherwise limited in this Addendum, Auxilin may disclose Protected Health Information for the proper management and administration of the Auxilin or to carry out the legal responsibilities of Auxilin, provided the disclosures are Required By Law or Auxilin obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as Required By Law or for the purpose for which it was disclosed to the person, and the person notifies the Auxilin of any instances of which it is aware in which the confidentiality of the information has been breached.
- Except as otherwise limited in this Addendum, Auxilin may use Protected Health Information: (i) to provide Data Aggregation services relating to the health care operations of Client as permitted by 45 C.F.R. §164.504(e)(2)(i)(B), and (ii) to de identify such Protected Health Information in accordance with 45 C.F.R. 164.514(a) – (c).
4. Obligations of Client.
- If and to the extent that Client has imposed or agreed to any limitation on the use or disclosure of Protected Health Information that is more restrictive than HIPAA, Client shall notify Auxilin of any such limitation(s) that Client has imposed.
- Client shall immediately notify Auxilin of any changes in, or revocation of, permission by Individual to use or disclose Protected Health Information, to the extent that such changes may affect Auxilin’s use or disclosure of Protected Health Information.
- Client shall not request Auxilin to use or disclose Protected Health Information in any manner that would not be permissible under the HIPAA Rules if done by the Client, except as permitted by Section 3.
5. Term and Termination.
- The Term of this Addendum shall be effective upon execution of the Underlying Agreement and shall remain in effect until (i) this Addendum is terminated, and (ii) all Protected Health Information is either returned or destroyed in accordance with this Section 5.
- This Addendum shall terminate: (i) upon termination of the Underlying Agreement; (ii) upon 30 days’ prior written notice to the breaching party if either party breaches a material term of this Addendum and the breaching party fails to cure the breach by the end of the 30-day notice period; or (iii) the HIPAA Rules are amended or Client agrees to restrictions on the use or disclosure of Protected Health Information such that Auxilin determines that performance of this Agreement may cause Auxilin to incur unanticipated costs to comply or face adverse regulatory action.
- Effect of Termination. Upon termination of this Addendum for any reason, Auxilin, with respect to Protected
Health Information received from Client or created, maintained, or received by Auxilin on behalf of Client, shall:
- Retain only that Protected Health Information which is necessary for Auxilin to continue its proper management and administration or to carry out its legal responsibilities;
- Return to Client or destroy the remaining Protected Health Information that Auxilin still maintains in any form; and
- If and to the extent that such return or destruction is impractical, continue to use appropriate safeguards and comply with the HIPAA Rules as to any Protected Health Information that Auxilin retains.