This Agreement (“Agreement”) is made and entered into at the date and time your Thrizer account is created and is between you (“Covered Entity”) and Thrizer, Inc. (“Business Associate”), a Delaware Corporation.
The Covered Entity and Business Associate, collectively, the “Parties”, wish to enter into this agreement.
‍
The Parties may contemplate entering into one or more agreements (the “Services Agreement) pursuant to which Business Associate is providing certain services to the Covered Entity that require the disclosure and use of Protected Health Information (“PHI”). Unless the Service Agreement specifies otherwise, Business Associate is an Independent Contractor with respect to the performance of all Services, and neither Business Associate nor anyone employed by Business Associate will be deemed for any purpose to be the employee, agent, servant or representant of the Covered Entity. Both Parties are committed to complying with the Privacy Rule and the Security Rule promulgated pursuant to the Health Insurance Portability and Accountability Act (“HIPAA”), as well as the Health Information Technology for Economic and Clinical Health (HITECH) Act and associated regulations.
‍
  This Agreement sets forth the terms and conditions pursuant to which Protected Health Information that is provided by, or created or received by, the Business Associate from or on behalf of the Covered Entity, will be handled between the Business Associate and the Covered Entity and with third parties during the term of each Service Agreement and after its termination.
‍
In consideration of the terms of this Agreement, and other valuable considerations, the parties agree as follows:
‍
- Definitions
‍
Terms used, but not otherwise defined in this Agreement, shall have the same meaning as those terms in the Privacy Rule, Security Rule, and HITECH Act.
- Agent. “Agent” shall have the meaning as determined in accordance with the federal common law of agency.
- Breach. “Breach” shall have the same meaning as the term “breach” in 45 CFR § 164.402.
- Business Associate. “Business Associate” shall mean Thrizer, Inc.
- Covered Entity. “Covered Entity” shall mean active user of Thrizer.
- Data Aggregation. “Data Aggregation” shall have the same meaning as the term “data aggregation” in 45 CFR § 164.501.
- Designated Record Set. “Designated Record Set” shall have the same meaning as the term “designated record set” in 45 CFR § 164.501.
- Disclosure. “Disclosure” and “Disclose” shall have the same meaning as the term “Disclosure” in 45 CFR § 160.103.
- Electronic Health Record. “Electronic Health Record” shall have the same meaning as the term in Section 13400 of the HITECH Act.
- Health Care Operations. “Health Care Operations” shall have the same meaning as the term “health care operations” in 45 CFR § 164.501.
- HIPAA Rules. “HIPAA Rules” shall mean the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Part 160 and Part 164.
- HITECH Act. “HITECH Act” shall mean The Health Information Technology for Economic and Clinical Health Act, part of the American Recovery and Reinvestment Act of 2009 (“ARRA” or “Stimulus Package”), specifically DIVISION A: TITLE XIII Subtitle D—Privacy, and its corresponding regulations as enacted under the authority of the Act.
- Individual. “Individual” shall have the same meaning as the term “individual” in 45 CFR § 160.103 and shall include a person who qualifies as a personal representative in accordance with 45 CFR § 164.502(g).
- Minimum Necessary. “Minimum Necessary” shall mean the Privacy Rule Standards found at §164.502(b) and § 164.514(d)(1).
- Privacy Rule. “Privacy Rule” shall mean the Standards for Privacy of Individually Identifiable Health Information at 45 CFR Part 160 and Part 164, Subparts A and E.
- Protected Health Information. “Protected Health Information” shall have the same meaning as the term “protected health information” in 45 CFR § 160.103, limited to the information created, received, maintained or transmitted by Business Associate on behalf of Covered Entity.
- Required By Law. “Required By Law” shall have the same meaning as the term “required by law” in 45 CFR § 164.103.
- Secretary. “Secretary” shall mean the Secretary of the Department of Health and Human Services or his or her designee.
- Security Incident. “Security Incident” shall have the same meaning as the term “Security Incident” in 45 CFR § 164.304.
- Security Rule. “Security Rule” shall mean the Standards for Security of Electronic Protected Health Information at 45 C.F.R. parts § 160 and § 164, Subparts A and C.
- Subcontractor. “Subcontractor” shall mean a person or entity “that creates, receives, maintains, or transmits protected health information on behalf of a business associate” and who is now considered a business associate, as the latter term is defined in 45 CFR § 160.103.
- Subject Matter. “Subject Matter” shall mean compliance with the HIPAA Rules and with the HITECH Act.
- Unsecured Protected Health Information. “Unsecured Protected Health Information” shall have the same meaning as the term “unsecured protected health information” in 45 CFR § 164.402.
- Use. “Use” shall have the same meaning as the term “Use” in 45 CFR § 164.103.
‍
- Term & Termination
‍
- The Term of this Agreement shall be effective as of the date and time Covered Entity agrees to the Terms of Service for using Thrizer’s Website, Software, and Services by creating an account, and shall terminate when all of the Protected Health Information provided by Covered Entity to Business Associate, or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity, or, if it is infeasible to return or destroy Protected Health Information, protections are extended to such information, in accordance with the termination provisions in this Agreement.
- Notwithstanding any other provision of this Agreement, Covered Entity may immediately terminate this Agreement if it determines that Business Associate breaches any term in this Agreement. Alternatively, Covered Entity may give written notice to Business Associate in the event of a breach and give Business Associate five (5) business days to cure such breach. Covered Entity shall also have the option to immediately stop all further disclosures of PHI to Business Associate if Covered Entity reasonably determines that Business Associate has breached its obligations under this Agreement.
- In the event that termination of this Agreement and the Agreement is not feasible, Business Associate hereby acknowledges that the Covered Entity shall be required to report the breach to the Secretary of the U.S. Department of Health and Human Services, notwithstanding any other provision of this Agreement or Agreement to the contrary.
- Upon Business Associate’s knowledge of a material breach of this Agreement by Covered Entity, Business Associate shall give Covered Entity notice via email of such breach and provide reasonable opportunity for Covered Entity to cure the breach or end the violation. Business Associate may terminate this Agreement, and Covered Entity agrees to such termination, if Covered Entity has breached a material term of this Agreement and does not cure the breach or cure is not possible. If neither termination nor cure is feasible, Business Associate shall report the violation to the Secretary.
- Effect of Termination
- Except as provided in paragraph (2) of this section, upon termination of this Agreement for any reason, Business Associate shall return or destroy all Protected Health Information received from, or created or received by Business Associate on behalf of Covered Entity. This provision shall also apply to Protected Health Information that is in the possession of Subcontractors of Business Associate. Business Associate shall retain no copies of the Protected Health Information.
- In the event that Business Associate determines that returning or destroying the Protected Health Information is infeasible, Business Associate shall provide to Covered Entity, within ten (10) business days, notification of the conditions that make return or destruction infeasible. Upon such determination, Business Associate shall extend the protections of this Agreement to such Protected Health Information and limit further uses and disclosures of such Protected Health Information to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such Protected Health Information.
- Permitted Uses and Disclosures by Business Associate
- Except as otherwise limited by this Agreement, Business Associate may make any Uses and Disclosures of Protected Health Information necessary to perform its services to Covered Entity and otherwise meet its obligations under this Agreement, if such Use or Disclosure would not violate the Privacy Rule, or the privacy provisions of the HITECH Act, if done by Covered Entity. All other Uses or Disclosures by Business Associate not authorized by this Agreement, or by specific instruction of Covered Entity, are prohibited.
- Except as otherwise limited in this Agreement, Business Associate may Use Protected Health Information for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate.
- Except as otherwise limited in this Agreement, Business Associate may Disclose Protected Health Information for the proper management and administration of the Business Associate, provided that Disclosures are Required By Law, or Business Associate obtains reasonable assurances from the person to whom the information is Disclosed that it will remain confidential and used, or further Disclosed, only as Required By Law, or for the purpose for which it was Disclosed to the person, and the person notifies the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.
- Except as otherwise limited in this Agreement, Business Associate may Use Protected Health Information to provide Data Aggregation services to Covered Entity as permitted by 45 CFR §164.504(e)(2)(i)(B). Business Associate agrees that such Data Aggregation services shall be provided to Covered Entity only wherein said services pertain to Health Care Operations. Business Associate further agrees that said services shall not be provided in a manner that would result in Disclosure of Protected Health Information to another covered entity who was not the originator and/or lawful possessor of said Protected Health Information. Further, Business Associate agrees that any such wrongful Disclosure of Protected Health Information is a direct violation of this Agreement and shall be reported to Covered Entity immediately after the Business Associate becomes aware of said Disclosure and, under no circumstances, later than three (3) business days thereafter.
- Business Associate may Use Protected Health Information to report violations of law to appropriate Federal and State authorities, consistent with § 164.502(j)(1).
- Business Associate shall make Uses, Disclosures, and requests for Protected Health Information consistent with the Minimum Necessary principle as defined herein.
Â
- Obligations and Activities of Business Associate
‍
- Business Associate agrees to not Use or Disclose Protected Health Information other than as permitted or required by this Agreement or as Required By Law.
‍
- Business Associate agrees to use appropriate safeguards to prevent Use or Disclosure of Protected Health Information other than as provided for by this Agreement. Business Associate further agrees to implement administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of any electronic Protected Health Information, as provided for in the Security Rule and as mandated by Section 13401 of the HITECH Act.
‍
- Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a Use or Disclosure of Protected Health Information by Business Associate in violation of the requirements of this Agreement. Business Associate further agrees to report to Covered Entity any Use or Disclosure of Protected Health Information not provided for by this Agreement of which it becomes aware, and in a manner as prescribed herein.
- If the Breach, as discussed in paragraph 2(c), pertains to Unsecured Protected Health Information, then Business Associate agrees to report any such data Breach to Covered Entity within ten (10) business days of discovery of said Breach; all other compromises of Protected Health Information shall be reported to Covered Entity within twenty (20) business days of discovery. Business Associate further agrees, consistent with Section 13402 of the HITECH Act, to provide Covered Entity, via email or phone call, with information necessary for Covered Entity to meet the requirements of said section.
‍
- If Business Associate is an Agent of Covered Entity, then Business Associate agrees that any Breach of Unsecured Protected Health Information shall be reported to Covered Entity immediately after the Business Associate becomes aware of said Breach, and under no circumstances later than one (1) business day thereafter. Business Associate further agrees that any compromise of Protected Health Information, other than a Breach of Unsecured Protected Health Information as specified in 2(c) of this Agreement, shall be reported to Covered Entity within ten (10) business days of discovering said compromise, or attempted compromise.
‍
- Business Associate agrees to ensure that any Subcontractor, to whom Business Associate provides Protected Health Information, agrees to the same restrictions and conditions that apply through this Agreement to Business Associate with respect to such information. Business Associate further agrees that restrictions and conditions analogous to those contained herein shall be imposed on said Subcontractors via a written agreement that complies with all the requirements specified in § 164.504(e)(2), and that Business Associate shall only provide said Subcontractors Protected Health Information consistent with Section 13405(b) of the HITECH Act. Further, Business Associate agrees to provide copies of said written agreements to Covered Entity within ten (10) business days of a Covered Entity’s request for same.
‍
- Business Associate agrees to provide access via in-app export, to Protected Health Information in a Designated Record Set to Covered Entity or, as directed by Covered Entity, to an Individual, in order to meet Covered Entity’s requirements under 45 CFR § 164.524. Business Associate further agrees, in the case where Business Associate controls access to Protected Health Information in an Electronic Health Record, or controls access to Protected Health Information stored electronically in any format, to provide similar access in order for Covered Entity to meet its requirements of the HIPAA Rules and under Section 13405(c) of the HITECH Act. These provisions do not apply if Business Associate and its employees or Subcontractors have no Protected Health Information in a Designated Record Set of Covered Entity.
‍
- Business Associate agrees to make Protected Health Information in a Designated Record Set available to the Covered Entity for the purpose of making amendments and incorporate such amendments in the Designated Record Set pursuant to 45 CFR §164.526. This provision does not apply if Business Associate and its employees or Subcontractors have no Protected Health Information from a Designated Record Set of Covered Entity.
‍
- Unless otherwise protected or prohibited from discovery or disclosure by law, Business Associate agrees to make internal practices, books, and records, including policies and procedures (collectively “Compliance Information”), relating to the Use or Disclosure of Protected Health Information and the protection of same, available to the Covered Entity or to the Secretary for purposes of the Secretary determining Covered Entity’s compliance with the HIPAA Rules and the HITECH Act. Business Associate further agrees, at the request of Covered Entity, to provide Covered Entity with demonstrable evidence that its Compliance Information ensures Business Associate’s compliance with this Agreement over time. Business Associate shall have a reasonable time within which to comply with requests for such access and/or demonstrable evidence, consistent with this Agreement. In no case shall access, or demonstrable evidence, be required in less than ten (10) business days after Business Associate’s receipt of such request, unless otherwise designated by the Secretary.
‍
- Business Associate agrees to maintain necessary and sufficient documentation of Disclosures of Protected Health Information as would be required for Covered Entity to respond to a request by an Individual for an accounting of such Disclosures, in accordance with 45 CFR §164.528.
‍
- On request of Covered Entity, Business Associate agrees to provide to Covered Entity documentation made in accordance with this Agreement to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 C.F.R. § 164.528. Business Associate shall provide said documentation in a manner and format to be specified by Covered Entity. Business Associate shall have a reasonable time within which to comply with such a request from Covered Entity and in no case shall Business Associate be required to provide such documentation in less than five (5) business days after Business Associate’s receipt of such request.
‍
- Except as provided for in this Agreement, in the event Business Associate receives an access, amendment, accounting of disclosure, or other similar request directly from an Individual, Business Associate shall redirect the Individual to the Covered Entity.
‍
- To the extent that Business Associate carries out one or more of Covered Entity’s obligations under the HIPAA Rules, the Business Associate must comply with all requirements of the HIPAA Rules that would be applicable to the Covered Entity.
‍
- A Business Associate must honor all restrictions consistent with 45 C.F.R. § 164.522 that the Covered Entity or the Individual makes the Business Associate aware of, including the Individual’s right to restrict certain disclosures of protected health information to a health plan where the individual pays out of pocket in full for the healthcare item or service, in accordance with HITECH Act Section 13405(a).
‍
Â
‍
- Obligations and Activities of Covered Entity
‍
- Covered Entity shall notify Business Associate of the provisions and any limitation(s) in its notice of privacy practices of Covered Entity in accordance with 45 CFR § 164.520, to the extent that such provisions and limitation(s) may affect Business Associate’s Use or Disclosure of Protected Health Information.
- Covered Entity shall notify Business Associate of any changes in, or revocation of, permission by an Individual to use or disclose Protected Health Information, to the extent that the changes or revocation may affect Business Associate’s use or disclosure of Protected Health Information.
- Covered Entity shall notify Business Associate of any restriction to the use or disclosure of Protected Health Information that Covered Entity has agreed to in accordance with 45 CFR §164.522, and also notify Business Associate regarding restrictions that must be honored under section 13405(a) of the HITECH Act, to the extent that such restrictions may affect Business Associate’s Use or Disclosure of Protected Health Information.
- Covered Entity shall notify Business Associate of any modifications to accounting disclosures of Protected Health Information under 45 CFR § 164.528, made applicable under Section 13405(c) of the HITECH Act, to the extent that such restrictions may affect Business Associate’s use or disclosure of Protected Health Information.
- Business Associate shall provide information to Covered Entity via email or phone call, wherein such information is required to be provided to Covered Entity as agreed to by Business Associate in paragraph 2(d) of this Agreement. Covered Entity reserves the right to modify the manner and format in which said information is provided to Covered Entity, as long as the requested modification is reasonably required by Covered Entity to comply with the HIPAA Rules or the HITECH Act, and Business Associate is provided sixty (60) business days notice before the requested modification takes effect.
- Covered Entity shall not require Business Associate to Use or Disclose Protected Health Information in any manner that would not be permissible under the HIPAA Rules if done by the Covered Entity.
‍
- No Third Party BeneficiariesÂ
‍
The parties agree that the terms of this Agreement shall apply only to themselves and are not for the benefit of any third party beneficiaries.Â
‍
- De-Identified DataÂ
‍
Notwithstanding the provisions of this Agreement, Business Associate and its subcontractors may disclose non-personally identifiable information provided that the disclosed information does not include a key or other mechanism that would enable the information to be identified.Â
‍
- AmendmentÂ
‍
Business Associate and Covered Entity agree to amend this Agreement to the extent necessary to allow either party to comply with the Privacy Standards, the Standards for Electronic Transactions, the Security Standards, or other relevant state or federal laws or regulations created or amended to protect the privacy of patient information.Â
‍
- Governing Law & Dispute Resolution
‍
- This Agreement and the rights of the parties shall be governed by and construed in accordance with the Federal Arbitration Act, Federal law as it pertains to the Subject Matter, and shall be governed by and construed in accordance with the laws of the State of California as it pertains to contract formation and interpretation, without giving effect to its conflict of laws.
- In the event of a Dispute between you and Thrizer (including any dispute over the validity, enforceability, or scope of this dispute resolution provision), other than with respect to claims for injunctive relief, the Dispute will be resolved by binding arbitration pursuant to the rules of the American Arbitration Association Commercial Arbitration Rules. The place of the arbitration shall be in San Francisco, California. In the event that there is any Dispute between you and Thrizer that is determined not to be subject to arbitration pursuant to the preceding sentence, you agree to submit in that event to the exclusive jurisdiction and venue of the state and federal courts located in the City and County of Los Angeles, California.
‍
- Miscellaneous
‍
- Regulatory References. A reference in this Agreement to a section in the Privacy Rule, Security Rule, or HITECH Act means the section as in effect or as amended.
- Amendment. The Parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for Covered Entity and Business Associate to comply with the requirements of the Privacy Rule, Security Rule, the Health Insurance Portability and Accountability Act of 1996 (Pub. L. No. 104-191), and the HITECH Act and its corresponding regulations.
- Survival. The respective rights and obligations of Business Associate under Section 5(d) of this Agreement shall survive the termination of this Agreement.
- Interpretation. Any ambiguity in this Agreement shall be resolved to permit Covered Entity and Business Associate to comply with the Privacy Rule, Security Rule, the Health Insurance Portability and Accountability Act of 1996 (Pub. L. No. 104-191), and the HITECH Act and its corresponding regulations.
- Severability. If any provision or provisions of this Agreement is/are determined by a court of competent jurisdiction to be unlawful, void, or unenforceable, this Agreement shall not be unlawful, void or unenforceable thereby, but shall continue in effect and be enforced as though such provision or provisions were omitted.
‍