Business Associate Addendum
Last updated: March 2022
This Business Associate Addendum (this “Addendum”), is made and entered into as of the last signature hereto, by and between Pax8, Inc., a Delaware corporation (“Pax8”), and the party identified as the Partner on the signature page hereto (“Partner”). In this Addendum, Pax8 and Partner are each a “Party” and collectively, the “Parties.”
1. Background and Purpose.
1.1. Pax8 has entered into distribution and other agreements with various vendors (each, a “Vendor”) allowing Pax8 to distribute each Vendor’s products and services (collectively, the “Vendor Agreements”) and in connection therewith, Pax8 may be deemed a “business associate” of a covered entity as such is defined in the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, as amended by the HITECH Act (as defined below) and the regulated regulations promulgated by HHS (as defined below) (collectively, “HIPAA”) and, as such, Pax8 may be required to comply with HIPAA’s provisions regarding the confidentiality and privacy of PHI (as defined below).
1.2. Pax8 and Partner have entered into an MSP Partner Agreement dated as of the date set forth on the signature page hereto, pursuant to which Partner may be a reseller of a Vendor’s products and services (the “MSP Agreement”) under which Partner has the indirect right through Pax8 to market, demonstrate, distribute and sell designated products and services (as set forth in the MSP Agreement, collectively, the “Services”).
1.3. By providing the Services pursuant to the MSP Agreement, Partner may become a “business associate” of a Covered Entity (as defined below).
1.4. Each of Pax8 and Partner are committed to complying with all federal and state laws governing the confidentiality and privacy of health information, including without limitation, the Privacy Rule (as defined below); and
1.5. Each of Pax8 and Partner intend to protect the privacy and provide for the security of PHI disclosed to Pax8, Partner and/or a Vendor pursuant to the terms of this Addendum, HIPAA and other applicable laws.
For purposes of this Addendum, the Parties give the following meaning to each of the terms in this Section 2 below. Any capitalized term used in this Addendum, but not otherwise defined, has the meaning given to that term in the Privacy Rule or other pertinent law.
2.1. “Breach” means the acquisition, access, use, or disclosure of PHI in a manner not permitted under the Privacy Rule which compromises the security or privacy of the PHI.
2.2. “Business Associate” means a person or entity, which: (a) on behalf of a Covered Entity, creates, receives, maintains, or transmits PHI for a function or activity regulated by HIPAA, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, patient safety activities, billing, benefit management, practice management, and repricing; or
(b) provides legal, actuarial, accounting, consulting, Data Aggregation, management, administrative, accreditation or financial services to or for a Covered Entity, where the provision of the service involves the disclosure of PHI.
2.3. “Covered Entity” means: (a) a health plan; (b) a health care clearinghouse; (c) a health care provider who transmits any health information in electronic form in connection with a transaction covered by the Privacy Rule. A Business Associate of another Covered Entity is itself a Covered Entity for purposes of this Addendum.
2.4. “Data Aggregation” means, with respect to PHI created or received by a Business Associate, the combining of such PHI by the Business Associate with the PHI received by such Business Associate in its capacity as a business associate of one or more other “covered entities” under HIPAA, to permit data analyses that relate to the Health Care Operations (defined below) of the respective covered entities. The meaning of “data aggregation” in this Addendum shall be consistent with the meaning given to that term in the Privacy Rule.
2.5. “Designated Record Set” means a group of records maintained by or for a covered entity that is: (a) the medical records and billing records about individuals maintained by or for a covered health care provider; (b) the enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or (c) used, in whole or in part, by or for the covered entity to make decisions about individuals.
2.6. “Electronic PHI” means any PHI maintained or transmitted by electronic media.
2.7. “Health Care Operations” has the meaning given to that term in the Privacy Rule.
2.8. “HHS” means the U.S. Department of Health and Human Services.
2.9. “HITECH Act” means the Health Information Technology for Economic and Clinical Health Act, enacted as part of the American Recovery and Reinvestment Act of 2009, Public Law 111-005.
2.10. “Individual” has the same meaning given to that term in the Privacy Rule, and includes a person who qualifies as a personal representative in accordance with the Privacy Rule.
2.11. “Privacy Rule” means that portion of HIPAA set forth in 45 CFR Part 160 and Part 164, Subparts A and E.
2.12. “PHI” has the meaning given to the term “protected health information” in the Privacy Rule, limited to the information created or received by a Business Associate from or on behalf of a Covered Entity.
2.13. “Security Incident” means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.
2.14. “Unsecured PHI” means any PHI that is not rendered unusable, unreadable or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the HHS Secretary in the guidance issued pursuant to the HITECH Act.
3. Use and Disclosure of PHI
3.1. Except as otherwise provided in this Addendum, Pax8, as a Business Associate to Partner, may use or disclose PHI as reasonably necessary to provide the Services, and to undertake other activities permitted or required of Pax8 as a Business Associate by this Addendum or as required by law.
3.2. Except as otherwise limited by this Addendum or federal or state law, Partner authorizes Pax8 to use the PHI in its possession for the proper management and administration of Pax8’s business and to carry out its legal responsibilities. Pax8 may disclose PHI for its property management and administration, provided that (a) the disclosures are required by law; or (b) Pax8 obtains, in writing, prior to making any disclosure to a third party (i) reasonable assurances from this third party that the PHI will be held confidential as provided under this Addendum and used or further disclosed only as required by law or for the purpose for which it was disclosed to this third party, and (ii) an agreement from this third party to notify Pax8 immediately of any Breach, to the extent it has knowledge of the Breach.
3.3. Pax8 will not use or disclose PHI in a manner other than as provided in this Addendum, as permitted under the Privacy Rule, or as required by law. Pax8 will use or disclose PHI, to the extent practicable, as a limited data set or limited to the minimum necessary amount of PHI to carry out the intended purpose of the use or disclosure, in accordance with the HITECH Act, and any of the implementing regulations adopted by HHS, for each use or disclosure of PHI.
3.4. Upon request, Pax8 will make available to Partner any of Partner’s PHI that Pax8 or any of its agents or subcontractors have in their possession.
3.5. Pax8 may use PHI to report violations of law to appropriate Federal and State authorities, consistent with the Privacy Rule.
4. Safeguards Against Misuse of PHI.
Pax8 will use appropriate safeguards to prevent the use or disclosure of PHI other than as provided by the MSP Agreement or this Addendum and Pax8 agrees to implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of the Electronic PHI that it creates, receives, maintains or transmits on behalf of Partner. Pax8 agrees to take reasonable steps, including providing adequate training to its employees to ensure compliance with this Addendum and to ensure that the actions or omissions of its employees or agents do not cause Pax8 to breach the terms of this Addendum.
5. Reporting Disclosures of PHI and Security Incidents.
Pax8 will report to Partner in writing any use or disclosure of PHI not provided for by this Addendum of which it becomes aware and Pax8 agrees to report to Partner any Security Incident affecting the Electronic PHI of Partner of which it becomes aware. Pax8 agrees to report any such event within five business days of becoming aware of the event.
6. Reporting Breaches of Unsecured PHI.
Pax8 will notify Partner in writing promptly upon the discovery of any Breach of Unsecured PHI in accordance with the requirements set forth in HIPAA, but in no case later than 30 calendar days after discovery of a Breach. Pax8 will reimburse Partner for any costs incurred by it in complying with the requirements of HIPAA that are imposed on Partner as a result of a Breach committed by Pax8.
7. Mitigation of Disclosures of PHI
Pax8 will take reasonable measures to mitigate, to the extent practicable, any harmful effect that is known to Pax8 of any use or disclosure of PHI by Pax8 or its agents or subcontractors in violation of the requirements of this Addendum.
8. Agreements with Agents or Subcontractors.
Pax8 will ensure that any of its agents or subcontractors that have access to, or to which Pax8 provides, PHI agree in writing to the restrictions and conditions concerning uses and disclosures of PHI contained in this Addendum and agree to implement reasonable and appropriate safeguards to protect any Electronic PHI that it creates, receives, maintains or transmits on behalf of Pax8 or, through Pax8, Partner. Pax8 shall ensure that all subcontracts and agreements provide the same level of privacy and security as this Addendum.
9. Access to PHI by Individuals
9.1. Upon request, Pax8 agrees to furnish Partner with copies of the PHI maintained by Pax8 in a Designated Record Set in the time and manner designated by Partner to enable Partner to respond to an individual’s request for access to PHI under HIPAA.
9.2. In the event that any Individual requests access to the Individual’s PHI directly from Pax8, Pax8 within ten business days, will forward that request to Partner. Any disclosure of, or decision not to disclose, the PHI requested by an Individual and compliance with the requirements applicable to an Individual’s right to obtain access to PHI shall be the sole responsibility of Partner.
10. Amendment of PHI.
10.1. Upon request and instruction from Partner, Pax8 will amend PHI or a record about an Individual in a Designated Record Set that is maintained by, or otherwise within the possession of, Pax8 as directed by Partner in accordance with procedures established by HIPAA. Any request by Partner to amend such information will be completed by Pax8 within 15 business days of Partner’s request.
10.2. In the event that any Individual requests that Pax8 amend such Individual’s PHI or record in a Designated Record Set, Pax8 within ten business days will forward this request to Partner. Any amendment of, or decision not to amend, the PHI or record as requested by an Individual and compliance with the requirements applicable to an Individual’s right to request an amendment of PHI will be the sole responsibility of Partner.
11. Accounting of Disclosures
11.1. Pax8 will document any disclosures of PHI made by it to account for such disclosures as required by the Privacy Rule. Pax8 will also make available information related to such disclosures as would be required for Partner to respond to a request for an accounting of disclosures in accordance with the Privacy Rule. At a minimum, Pax8 will furnish Partner the following with respect to any covered disclosures by Pax8: (a) the date of disclosure of PHI; (b) the name of the entity or person who received PHI, and, if known, the address of such entity or person; (c) a brief description of the PHI disclosed; and (d) a brief statement of the purpose of the disclosure which includes the basis for such disclosure.
11.2. Pax8 will furnish to Partner information collected in accordance with this Section 11, within ten business days after written request by Partner, to permit Partner to make an accounting of disclosures as required by the Privacy Rule, or in the event that Partner elects to provide an Individual with a list of its business associates, Pax8 will provide an accounting of its disclosures of PHI upon request of the Individual, if and to the extent that such accounting is required under the HITECH Act or under HHS regulations adopted in connection with the HITECH Act.
11.3. In the event an Individual delivers the initial request for an accounting directly to Pax8, Pax8 will within ten business days forward such request to Partner.
12. Availability of Books and Records.
Pax8 will make available its internal practices, books, agreements, records, and policies and procedures relating to the use and disclosure of PHI, upon request, to the Secretary of HHS for purposes of determining Partner’s and Pax8’s compliance with HIPAA and this Addendum.
13. Responsibilities of Partner
With regard to the use and/or disclosure of PHI by Pax8, Partner agrees to:
13.1. Notify Pax8 of any limitation(s) in its notice of privacy practices in accordance with the Privacy Rule, to the extent that such limitation may affect Pax8’s use or disclosure of PHI.
13.2. Notify Pax8 of any changes in, or revocation of, permission by an Individual to use or disclose PHI, to the extent that such changes may affect Pax8’s use or disclosure of PHI.
13.3. Notify Pax8 of any restriction to the use or disclosure of PHI that Partner has agreed to in accordance with the Privacy Rule, to the extent that such restriction may affect Pax8’s use or disclosure of PHI.
13.4. Except for Data Aggregation or management and administrative activities of Pax8, Partner shall not request Pax8 to use or disclose PHI in any manner that would not be permissible under HIPAA if done by Partner.
14. Term and Termination.
14.1. This Addendum will become effective on the date first written above, and will continue in effect until all obligations of the Parties have been met under the MSP Agreement and under this Addendum.
14.2. Partner may terminate immediately this Addendum, the MSP Agreement, and any other related agreements if Partner makes a determination that Pax8 has breached a material term of this Addendum and Pax8 has failed to cure that material breach, to Partner’s reasonable satisfaction, within 30 days after written notice from Partner. Partner may report the problem to the Secretary of HHS if termination is not feasible.
14.3. If Pax8 determines that Partner has breached a material term of this Addendum, then Pax8 will provide Partner with written notice of the existence of the breach and shall provide Partner with 30 days to cure the breach. Partner’s failure to cure the breach within the 30-day period will be grounds for immediate termination of the MSP Agreement and this Addendum by Pax8. Pax8 may report the breach to HHS.
14.4. Upon termination of the MSP Agreement or this Addendum for any reason, all PHI maintained by Pax8 will be returned to Partner or destroyed by Pax8. Pax8 will not retain any copies of such information. This provision will apply to PHI in the possession of Pax8’s agents and subcontractors. If return or destruction of the PHI is not feasible, in Pax8’s reasonable judgment, Pax8 will furnish Partner with notification, in writing, of the conditions that make return or destruction infeasible. Upon mutual agreement of the Parties that return or destruction of the PHI is infeasible, Pax8 will extend the protection of this Addendum to such information for as long as Pax8 retains such information and will limit further uses and disclosures to those purposes that make the return or destruction of the information not feasible. The Parties understand that this Section 14.4 will survive any termination of this Addendum.
15. Effect of Addendum.
15.1. This Addendum is a part of and subject to the terms of the MSP Agreement, except that to the extent any terms of this Addendum conflict with any term of the MSP Agreement, the terms of this Addendum will govern.
15.2. Except as expressly stated in this Addendum or as provided by law, this Addendum will not create any rights in favor of any third party.
16. Regulatory References.
A reference in this Addendum to a section in HIPAA means the section as in effect or as amended at the time.
All notices, requests and demands or other communications to be given under this Addendum to a Party hereto will be made via either first class mail, registered or certified or express carrier, or electronic mail to the Party’s address given below the signatures hereto.
18. Amendment and Waiver.
This Addendum may not be modified, nor will any provision be waived or amended, except in writing duly signed by authorized representatives of the Parties. A waiver with respect to one event shall not be construed as continuing, or as a bar to or waiver of any right or remedy as to subsequent events.
19. HITECH Act Compliance.
The Parties acknowledge that the HITECH Act includes significant changes to the Privacy Rule and the Security Rule. The privacy subtitle of the HITECH Act sets forth provisions that significantly change the requirements for business associates and the agreements between business associates and covered entities under HIPAA and these changes may be further clarified in forthcoming regulations and guidance. Each Party agrees to comply with the applicable provisions of the HITECH Act and any HHS regulations issued with respect to the HITECH Act. The Parties also agree to negotiate in good faith to modify this Addendum as reasonably necessary to comply with the HITECH Act and its regulations as they become effective, but, in the event that the Parties hereto are unable to reach agreement on such a modification, either Party will have the right to terminate this Addendum upon 30 days’ prior written notice to the other Party.
IN WITNESS WHEREOF, each of the undersigned has caused this Addendum to be executed in its name and on its behalf by its duly authorized representative.
Date of MSP Agreement between Pax8 and Partner: