BUSINESS ASSOCIATE ADDENDUM

In order to comply with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the American Recovery and Reinvestment Act of 2009 (ARRA), and the Health Information Technology for Economic and Clinical Health Act provisions of ARRA (HITECH) and its implementing regulations, the Privacy, Security, Breach Notification, and Enforcement Rules at 45 C.F.R. Part 160 and Part 164 (HIPAA Rules), this Business Associate Addendum (Addendum) is made and entered into by and between your organization, through you as its duly authorized representative (Covered Entity) and Attendance On Demand, Inc., located at 22300 Haggerty Road, Northville, MI 48167-7028 (Business Associate), and Covered Entity and Business Associate agree as follows:

Definitions

  1. Terms used, but not otherwise defined in this Addendum, shall have the same meaning as those terms are used and defined in the HIPAA Rules and the American Recovery and Reinvestment Act of 2009 (Pub. L. 111-5) ("ARRA"), the Health Information Technology for Economic and Clinical Health Act provisions of ARRA ("HITECH") and applicable regulations as set forth at 45 C.F.R. Part 160 and Part 164, and in particular 45 C.F.R. §§160.103, 164.304, 164.308, 164.310, 164.312, 164.402, 164.501.
  2. “Secretary” shall mean the Secretary of the U.S. Department of Health and Human Services or his or her designee.

OBLIGATIONS AND ACTIVITIES OF BUSINESS ASSOCIATE

Business Associate agrees to:

  1. Not use or disclose Protected Health Information (PHI) other than as permitted in this Addendum, or as Required by Law.
  2. Use reasonable and appropriate safeguards to prevent the use or disclosure of the PHI other than as provided for in this Addendum and to comply with the Security Rule with respect to Electronic Protected Health Information (ePHI).
  3. To the extent practicable, act in good faith to mitigate any harmful effect that is known to the Business Associate of a use or disclosure of PHI by Business Associate in violation of the requirements of this Addendum.
  4. Report within fifteen (15) business days to the Covered Entity any use or disclosure of the PHI not provided for by this Addendum of which it becomes aware, including Breaches of Unsecured PHI as required at 45 CFR 164.410, and any Security Incident of which it becomes aware.
  5. Ensure that any agent, including a subcontractor, to whom it provides PHI received from, or created or received by Business Associate on behalf of Covered Entity, agrees to the same restrictions and conditions that apply throughout this Addendum to the Business Associate with respect to such information.
  6. Make its internal practices, books, and records including policies and procedures relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of Covered Entity, available to the Covered Entity, or at the request of the Covered Entity to the Secretary, in a timely manner as designated by the Secretary, for purposes of determining Business Associate's compliance with the HIPAA Rules.
  7. Document such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an Accounting of Disclosures of PHI in accordance with 45 C.F.R. 164.528.
  8. Provide to Covered Entity or an Individual, in the time and manner reasonably designated by Covered Entity, information collected in accordance with Section (g.) of this section, to permit Covered Entity to respond to a request by an Individual for an Accounting of Disclosures of PHI.
  9. Make available PHI in a Designated Record Set to the Covered Entity as necessary to satisfy Covered Entity's obligations under 45 CFR 164.524.
  10. Make any Amendment(s) to PHI in a Designated Record Set as directed and agreed to by Covered Entity.
  11. As requested by the Covered Entity, provide data aggregation services relating to the Health Care Operations of the Covered Entity.
  12. Comply with the requirements of the HIPAA Rules that apply to the Covered Entity in the performance of such obligation(s) to the extent the Business Associate is to carry out one or more of Covered Entity's obligation(s) under the HIPAA Rules.

HIPAA SECURITY RULE REQUIREMENTS

Business Associate agrees to:

  1. Implement and document Administrative Safeguards, Physical Safeguards, and Technical Safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of ePHI that it creates, receives, maintains, or transmits on behalf of the Covered Entity, and specifically, but not exclusively, including the following:
    1. Ensure the confidentiality, integrity, and availability of all ePHI the Business Associate creates, receives, maintains, or transmits on behalf of Covered Entity;
    2. Protect against any reasonably anticipated threats or hazards to the security or integrity of such information;
    3. Protect against any reasonably anticipated uses or disclosures of such information that are not permitted under this Addendum or required under the HIPAA Rules; and
    4. Ensure compliance with these sections by its Workforce.
  2. Ensure that any agent, including a subcontractor, to whom it provides this information agrees to implement and document reasonable and appropriate Administrative Safeguards, Physical Safeguards, and Technical Safeguards, including at least the requirements set forth in this section for the Business Associate;
  3. Report to the Covered Entity within fifteen (15) business days of becoming aware of or discovering any Security Incident, any Breach, any use or disclosure of PHI not permitted by this Addendum by the Business Associate, its contractors and agents, including but not limited to:
    1. A brief description of what happened, including date of the Breach or Security Incident(s) or other inappropriate or impermissible or unlawful use or disclosure of PHI, if known; and
    2. A description of the types of PHI that were involved (e.g. social security number, name, date of birth, home address, account number or disability code).
  4. Assist the Covered Entity and act in good faith to mitigate potential or actual harms or losses including but not limited to any actual monetary costs due to the Business Associate or its agent(s) or contractor(s) fault or liability, and to assist and protect PHI, if appropriate, and to further protect any known suspected or actual Breaches, Security Incidents, or known inappropriate or unlawful use or disclosure of PHI;
  5. Make its policies and procedures, and documentation required by this section relating to such safeguards available to the Secretary and the Covered Entity for purposes of determining Business Associate's compliance with this section; and
  6. Authorize termination of the relationship with Covered Entity if it notifies Business Associate of a pattern of an activity or practice of Business Associate that constitutes a material breach or violation of the Business Associate's obligation under this Addendum, and the Business Associate has failed to cure the breach or end the violation in accordance with Section 8.b.

HITECH PROVISIONS

  1. Without limiting any uses or disclosures expressly permitted in the Service Agreement, Business Associate will not sell PHI created or received for or from Covered Entity or use or disclose PHI for purposes of marketing or fundraising, as defined and proscribed in the HIPAA Rules.
  2. Effective upon the compliance date applicable to the Covered Entity, Business Associate shall record all disclosures by Business Associate of PHI required to be recorded by regulations promulgated by the Secretary pursuant to ARRA with respect to the accounting obligation.
  3. Business Associate shall limit its uses and disclosures of, and requests for, PHI (i) when practical, to the information making up a Limited Data Set, and (ii) to the minimum amount of PHI necessary to accomplish the intended purpose of the use, disclosure or request.
  4. In the event Business Associate breaches the Service Agreement and termination of the Service Agreement(s) between the parties is not feasible, the Business Associate shall report the breach to the Covered Entity and to the Secretary, if applicable, consistent with the HIPAA Rules.
  5. To the extent Business Associate is acting as a Business Associate of Covered Entity, Business Associate shall be subject to the penalty provisions specified in 13404 of ARRA and HIPAA Rules.

PERMITTED USES AND DISCLOSURES BY BUSINESS ASSOCIATE

Except as otherwise limited in this Addendum and as necessary to perform the services on behalf of the Covered Entity, Business Associate may use or disclose PHI to perform functions, activities, or services for, or on behalf of, the Covered Entity as specified in this Addendum and as necessary to perform services, provided that such use or disclosure would not violate the HIPAA Rules if done by Covered Entity.

SPECIFIC USE AND DISCLOSURE PROVISIONS

Except as otherwise limited in this Addendum, Business Associate may use PHI for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate; and the Business Associate may disclose the PHI for its proper management and administration or to carry out the legal responsibilities of the Business Associate if the Business Associate obtains reasonable written assurances from the person to whom the information is disclosed that it will be held confidentially and used or further disclosed only as Required by Law or for the purpose for which it was disclosed to the Business Associate and the person will promptly notify the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached, or impermissibly used or disclosed in violation of this Addendum.

OBLIGATIONS OF COVERED ENTITY

Covered Entity shall:

  1. Make available to Business Associate a copy of its Notice of Privacy Practices that Covered Entity produces, as well as any changes to such Notice.
  2. Provide Business Associate with any changes in, or revocation of, permission by Individual to use or disclose PHI, if such changes affect Business Associate's permitted or required uses and disclosures.
  3. Notify Business Associate of any restriction to the use or disclosure of PHI that Covered Entity has agreed to if such restriction affects Business Associate's permitted or required uses and disclosures.
  4. Obtain any consent, authorization, or permission that may be required by the HIPAA Rules or applicable state laws and/or regulations prior to furnishing Business Associate with Individuals' PHI.

TERM AND TERMINATION

  1. Term: This Addendum shall be effective as of the date of Covered Entity’s first provision to Business Associate of PHI or ePHI and shall terminate when all PHI provided by Covered Entity to Business Associate, or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity, or, if it is infeasible to return or destroy PHI, protections are extended to PHI in accordance with the termination provisions of this section.
  2. Termination for Cause: Upon Covered Entity's knowledge of a material breach of this Addendum by Business Associate, Covered Entity shall provide an opportunity for Business Associate to cure the breach or end the violation and terminate this Addendum if Business Associate does not cure the breach or end the violation within thirty (30) calendar days.
  3. Effect Of Termination: Except as provided in paragraph (b) of this section, upon termination of this Addendum, for any reason, Business Associate shall return or destroy all PHI in any form that is received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity. This provision shall apply to PHI that is in the possession of subcontractors or agents of Business Associate. Business Associate shall retain no copies of the PHI. In the event that Business Associate determines that returning or destroying the PHI is infeasible, Business Associate shall provide to Covered Entity notification of the conditions that make return or destruction infeasible. Upon mutual agreement of the Parties that return or destruction of PHI is infeasible, Business Associate shall extend the protections of this Addendum to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such PHI.
  4. Controlling Terms: Solely with respect to the subject matter of this Addendum, in the event of a conflict between Section 8 of this Addendum and the terms of underlying agreement between your organization and Attendance on Demand, Inc., the terms of this Section 8 shall prevail.

MISCELLANEOUS

  1. Amendment: The Parties agree to take such action as is necessary to amend this Addendum from time to time as is necessary for the Parties to comply with the requirements of HIPAA and ARRA, applicable regulations, and other laws.
  2. Survival: All provisions of this Addendum which by their terms or by reasonable implication may be performed after expiration or earlier termination of this Addendum, shall survive expiration or termination.