
HIPAA Notice of Privacy Rights

This Business Associate Agreement (the “Agreement”) by and between you (“Covered Entity”), and Unscripted Pharmacy, a California limited liability company (“Business Associate” and “Unscripted”) is made simultaneously when agreeing to the Terms of Service (the “Effective Date”).

 

WHEREAS, Covered Entity is a health care professional including, but not limited to, a nurse practitioner, pharmacist, medical doctor, or doctor of osteopathic medicine;

 

WHEREAS, Business Associate has a proprietary software which provides patients that have a certain level of treatment based upon prior medical history and pre-existing conditions the ability to be assigned to a personal health coach for remote monitoring as well as to have access to group educational classes focused on behavioral and lifestyle modification through its website www.unscriptedpharmacist.com and its mobile based application (the “Services”) to or on behalf of Covered Entity. In the course of obtaining the Services from Business Associate, it is necessary for Covered Entity, from time to time, to provide Protected Health Information (“PHI”), as such term is subsequently defined herein, to Business Associate;

 

WHEREAS, the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), as amended by the Health Information Technology for Economic and Clinical Health Act of 2009 (the “HITECH Act”), and their associated regulations, specifically, 45 C.F.R. §§ 160, 162 and 164, Standards for Privacy of Individually Identifiable Health Information, Final Rule (the “Privacy Rule”) and Health Insurance Reform: Security Standards, Final Rule (the “Security Rule”) (collectively referred to as “HIPAA/HITECH”), require Covered Entity to ensure that Business Associate will appropriately safeguard PHI and use, and, if necessary, disclose PHI only as necessary to provide the Services for Covered Entity, consistent with its engagement by Covered Entity and applicable law; and

 

WHEREAS, Business Associate is directly subject to the Final Security Rule to the same extent as Covered Entity, and may use and disclose PHI only in compliance with the terms of this Agreement, and is subject to the privacy subtitle of the HITECH Act to the same extent as Covered Entity by operation of this Agreement.

 

NOW, THEREFORE, in consideration of the mutual covenants and agreements contained herein, the worth and sufficiency of which as legal consideration are hereby acknowledged, the parties hereto, intending to be legally bound hereby, agree as follows:

 

1. Definitions. For the purposes of this Agreement, all capitalized terms not defined herein shall have the meanings defined in the HIPAA Rules, as may be amended from time to time.

(i)“Business Associate” shall generally have the same meaning as the term “business associate” at 45 C.F.R. § 160.103, and in reference to this Agreement, shall mean Unscripted.

(ii)“Breach” shall mean the unauthorized acquisition, access, use, or disclosure of Unsecured PHI that compromises the security or privacy of such information. A Breach shall not include: (1) any unintentional acquisition, access, or use of PHI by a member of the Workforce (as defined below) or person acting under the authority of Covered Entity or Business Associate if such acquisition, access, or use was made in good faith and within the scope of authority, and the PHI was not further acquired, accessed, used, or disclosed; (2) any inadvertent disclosure by a person who is authorized to access PHI at Covered Entity or Business Associate to another person authorized to access PHI at the same entity, or at an organized health care arrangement in which Covered Entity participates, and the information received as a result of such disclosure is not further acquired, accessed, used, or disclosed; or (3) a disclosure of PHI where Covered Entity or Business Associate has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.

(iii)“Electronic Protected Health Information” (“EPHI”) is PHI that is maintained in electronic media or transmitted by electronic media. EPHI is a subset of PHI.

(iv)“HIPAA Rules” shall mean the Privacy, Security, Breach Notification, and Enforcement Rules at 45 C.F.R. §§ 160, 162 and 164.

(v)“Information System” shall mean an interconnected set of information resources under the same direct management control that shares common functionality. A system normally includes hardware, software, information, data, applications, communications, and people.

(vi)“Protected Health Information” (“PHI”) shall have the meaning given to such term in 45 C.F.R. § 164.501, limited to the information created or received by Business Associate from or on behalf of Covered Entity.

(vii)“Security Incident” shall mean the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.

(viii)“Unsecured PHI” shall mean PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the HITECH Act.

(ix) “Workforce” shall mean employees, volunteers, trainees, and other persons whose conduct, in the performance of work for Covered Entity or Business Associate, is under the direct control of such entity, whether or not they are paid by Covered Entity or Business Associate.

 

  2. Term and Termination.

The Term of this Agreement shall be effective as of the Effective Date and shall terminate when all of the PHI provided by Covered Entity to Business Associate, or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity, or, if it is infeasible to return or destroy PHI, protections are extended to such information, in accordance with the termination provisions herein.  Business Associate authorizes termination of this Agreement by Covered Entity upon Covered Entity’s knowledge of a material breach by Business Associate. Upon violation of a material term of this Agreement by Business Associate, Covered Entity may either:

Provide a fifteen (15) day opportunity for Business Associate to cure the material breach or end the violation and, if Business Associate does not cure the material breach or end the violation within the fifteen (15) day period, Covered Entity may terminate this Agreement and any other agreement between Covered Entity and Business Associate pursuant to which Business Associate provides the Services to Covered Entity;

If Business Associate has breached a material term of this Agreement and cure is not, in Covered Entity’s reasonable determination, possible, Covered Entity may immediately terminate this Agreement and the agreement between Covered Entity and Business Associate pursuant to which Business Associate provides the Services to Covered Entity; or

If neither termination nor cure is, in Covered Entity’s sole determination, feasible, Covered Entity shall report the violation to the Secretary of the U.S. Department of Health and Human Services (“Secretary”).

Except as provided below, upon termination of this Agreement for any reason, Business Associate shall return or destroy all PHI received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity. This provision shall also apply to PHI that is in the possession of subcontractors or agents of Business Associate. Neither Business Associate nor any subcontractor or agent of Business Associate shall retain copies of the PHI. If Business Associate reasonably determines that returning or destroying the PHI is infeasible, Business Associate shall provide to Covered Entity notification of the conditions that make return or destruction infeasible. Upon Covered Entity’s written confirmation that return or destruction of PHI is infeasible, Business Associate may retain the PHI that is not feasible to return for so long as it remains infeasible to return such PHI. In such event, Business Associate shall extend the protections of this Agreement to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such PHI. The provisions herein shall survive termination of this Agreement.

 

  3. Obligations of Business Associate.

    1. Business Associate shall comply with the use and disclosure provisions of the Privacy Rule in performing its obligations under any agreement for Services with Covered Entity and to not use or disclose PHI other than as permitted or required under this Agreement or as Required by Law.

    2. Business Associate shall implement and use appropriate safeguards to prevent use or disclosure of PHI other than as provided for by this Agreement.

    3. Business Associate shall implement administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of EPHI that it creates, receives, maintains, or transmits on behalf of Covered Entity, and to otherwise comply with the Security Rule in performing Business Associate’s obligations under this Agreement.

    4. Business Associate shall use best efforts to secure PHI to make it unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Secretary in its annual guidance issued under section 13402(h) of the HITECH Act, codified at 42 U.S.C. § 17932(h).

    5. Business Associate shall mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of the requirements of this Agreement.

    6. Business Associate shall, as soon as reasonably practicable and in no event later than two (2) days of discovery of the same, report to Covered Entity any use or disclosure of PHI not provided for by this Agreement of which it becomes aware, including, but not limited to, any Security Incident and any unauthorized acquisition, access, use, or disclosure of PHI.

    7. Business Associate shall develop policies and procedures to both detect and report Breaches of PHI to the Covered Entity. Copies of such policies and procedures shall be made available to the Covered Entity upon the Covered Entity’s request.

    8. Business Associate shall, following the discovery of a Breach or potential Breach of PHI, notify Covered Entity of such Breach.

Business Associate shall provide initial notice of the Breach as soon as reasonably practicable and in no event later than two (2) days after the discovery of the Breach. A Breach shall be treated as discovered as of the first day on which the Breach is known to the Business Associate.

The initial notice shall include, to the extent possible, the identification of each individual whose PHI has been, or is reasonably believed by the Business Associate to have been, accessed, acquired, or disclosed during such Breach. Business Associate shall make best efforts to collect and provide to Covered Entity as soon as possible any such information that Business Associate is unable to provide in the initial notice.

  1. Business Associate shall, following notification to Covered Entity of a Breach of PHI, cooperate with Covered Entity in providing any and all information required for Covered Entity to comply with the breach notification provisions of section 13402 of the HITECH Act and the implementing regulations set forth in Subpart D of the Privacy Rule (45 C.F.R. § 164.400 et seq.) and any other applicable breach notification laws and regulations of which Business Associate is informed by Covered Entity.

  2. Business Associate agrees to make any amendment(s) to PHI in a Designated Record Set that the Covered Entity directs or agrees to pursuant to 45 C.F.R. § 164.526 at the request of Covered Entity or an Individual, and in the time and manner designated by the Covered Entity.

  3. At the request of Covered Entity, Business Associate shall provide prompt access to PHI to Covered Entity or, as directed by Covered Entity, to an Individual, in order to meet the Individual’s right of access requirements under HIPAA.

  4. Business Associate shall enter into legally binding agreements with each of its subcontractors and agents to ensure that any subcontractor or agent to whom Business Associate provides PHI received from, or created or received by, Business Associate on behalf of Covered Entity agrees to the same restrictions and conditions that apply through this Agreement to Business Associate with respect to such information.

  5. Business Associate agrees to provide access to Covered Entity, in the time and manner designated by the Covered Entity, to PHI in a Designated Record Set, or, as directed by Covered Entity, to an Individual in order to meet the requirements of 45 C.F.R. § 164.524.

  6. Business Associate shall make any amendment to PHI that Covered Entity directs, or to which Covered Entity agrees pursuant to an Individual’s right to request amendment to his or her PHI under HIPAA.

  7. For purposes of the Secretary determining Covered Entity's compliance with the Privacy Rule and Security Rule, Business Associate shall make available to the Secretary, in a time and manner designated by the Secretary, its internal practices, books, and records (including policies and procedures), relating to the use and disclosure of PHI received from, or created or received by, Business Associate on behalf of Covered Entity.

  8. Business Associate shall document such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with the Individual’s right to receive such accounting under HIPAA.

  9. Business Associate shall provide to Covered Entity or an Individual, information collected in accordance with Section 3.P of this Agreement, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with the Individual’s right to receive such accounting under HIPAA.

  10. Business Associate is required to comply with an Individual’s restriction request, except as otherwise required by law, if it is to a health plan for payment or health care operations and pertains to a health care item or service for which the health care provider was paid in full “out of pocket” by the Individual.

  11. Business Associate and its agent(s) and subcontractor(s) are prohibited from directly or indirectly receiving any remuneration in exchange for an individual’s PHI unless the Individual provides a valid authorization.

 

 

 

  4. Obligations of Covered Entity.

    1. In addition to any other obligation set forth in this Agreement, Covered Entity agrees that it will: (i) not make any disclosure of PHI to Business Associate if such disclosure would violate HIPAA, the HITECH Act or any applicable federal or state law or regulation; and (ii) not request Business Associate to use or make any disclosure of PHI in any manner that would not be permissible under HIPAA, the HITECH Act or any applicable federal or state law or regulation if such use or disclosure were done by Covered Entity.

    2. Covered Entity shall notify Business Associate of any limitation(s) in Covered Entity’s notice of privacy practices, to the extent that such limitation may affect Business Associate’s use or disclosure of PHI.

    3. Covered Entity shall notify Business Associate of any changes in, or revocation of, permission by an individual to use or disclose PHI, to the extent that such changes may affect Business Associate’s use or disclosure of such PHI.

    4. Covered Entity shall notify Business Associate of any restriction to the use or disclosure of PHI to which Covered Entity has agreed and thus Business Associate is bound, to the extent that such restriction may affect Business Associate’s use or disclosure of PHI.

  5. Permitted Uses and Disclosures by Business Associate.

    1. Except as otherwise limited by this Agreement, Business Associate may use PHI for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate.

    2. Except as otherwise limited by this Agreement, Business Associate may disclose PHI for the proper management and administration of the Business Associate, provided that disclosures are Required By Law, or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and be used or further disclosed only as Required By Law or for the purpose for which it was disclosed to the person, and the person notifies the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.

    3. Except as otherwise limited by this Agreement, Business Associate may use PHI to provide Data Aggregation services to Covered Entity as permitted by 45 C.F.R. § 164.504(e)(2)(i)(B).

    4. Business Associate may use PHI to report violations of law to appropriate Federal and State authorities, consistent with 45 C.F.R. § 164.502(j)(1).

  6. Notice.

Whenever, under the terms of this Agreement, written notice is required or permitted to be given by one Party to the other Party, such notice shall be given via electronic mail to Business Associate. Such Notice shall also be followed by overnight delivery of written Notice.

  7. Indemnification.

Each party will indemnify and hold harmless the other party to this Agreement from and against any and all claims, losses, liabilities, costs and other expenses resulting from, or relating to: any misrepresentation, breach of warranty or non-fulfillment of any undertaking on the part of the party under this Agreement; and any claims, demands, awards, judgments, actions and proceedings made by any person, governmental entity or organization arising out of or in any way connected with the party’s performance under this Agreement. The parties’ respective rights and obligations herein shall survive termination of the Agreement.

  8. Miscellaneous.

    1. This Agreement sets forth the entire understanding and agreement between the parties relating to the use and disclosure of PHI and shall be binding upon the parties and their respective successors, heirs and assigns. All prior negotiations, agreements, and understandings regarding the use and disclosure of PHI are superseded hereby.

    2. This Agreement may not be amended or revised except with the written consent of the parties. The parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for the parties to comply with the requirements of HIPAA/HITECH, as may be amended from time to time.

(iii)This Agreement shall be automatically assigned to and assumed by any legal successor or affiliate of the assignor who or which assumes responsibility for assignor’s obligations under any agreement between the parties concerning the services provided by Business Associate for or on behalf of Covered Entity.

(iv)This Agreement shall be construed and enforced pursuant to the laws of Georgia.

(v)The invalidity or unenforceability of any particular provision or part thereof of this Agreement shall not affect the remainder of this Agreement, and this Agreement shall be construed in all respects as if such invalid or unenforceable provision or part thereof had been omitted.

(vi)This Agreement shall not create nor be deemed to create any relationship between Covered Entity and Business Associate other than that of independent contractors contracting with each other solely for the purpose of performing the agreement pursuant to which Business Associate provides the Services to Covered Entity. Business Associate is not an agent of Covered Entity. Neither Covered Entity nor Business Associate shall assume or be responsible for the acts, omissions, liabilities, debts, or other obligations of the other party, other than as specifically set forth in this Agreement and the agreement pursuant to which Business Associate provides the Services to Covered Entity.

(vii)Any failure or delay by either party in exercising any right under this Agreement shall not operate as a waiver of such party’s rights, nor shall any single or partial exercise of any right serve to preclude a subsequent exercise of such right.

(viii)Any ambiguity in this Agreement shall be resolved to permit Covered Entity and Business Associate to comply with HIPAA/HITECH.

(ix)Notwithstanding anything to the contrary in this Agreement, nothing herein shall be construed to require Business Associate to take any action, the consequence of which could reasonably be foreseen to result in the waiver or loss of any legal right or ethical obligation of either Covered Entity or Business Associate to keep any information confidential.
