EXHIBIT A
BUSINESS ASSOCIATE ADDENDUM
This Business Associate Addendum (the “Addendum”) is entered into by and between our Company (as used herein, the terms our “Company,” “we,” “us” or “our” refer to Healthy Mind Map, LLC, a Utah limited liability company), and the Covered Entity (defined below), if any, associated with your Account under the Terms of Service (the “Underlying Agreement”) to which this Addendum is attached and incorporated by reference. Unless otherwise defined herein, capitalized terms shall have the meanings given in the Underlying Agreement.
As used herein, “Covered Entity” means any health care provider (a person or organization who furnishes, bills, or is paid for health care in the normal course of business, such as physicians, licensed mental health care providers and other health care facilities) who transmits any health information in electronic form in connection with a transaction covered by the Privacy Standards (e.g., electronic transmission of health care claims or equivalent encounter information, inquiries regarding eligibility to receive health care under a health plan, pre-authorization requests).
In addition, if and to the extent that You are employed with, or contracted by, a Covered Entity (other than You individually), and You use the Services in providing health care items or services on behalf of such Covered Entity, “Covered Entity” as used herein includes both You and such Covered Entity, which shall be, and hereby is, expressly intended as a third-party beneficiary of our covenants and agreements in this Addendum relative to the confidentiality of PHI, with full rights to enforce our duties and obligations set forth in this Addendum as if such Covered Entity was a party to this Addendum.
Under HIPAA and HITECH, certain Covered Entities are subject to the Privacy Standards and Security Standards and are further required to enter into a “business associate agreement” with certain vendors which provide services for, under, or on behalf of Covered Entity if such services require access, creation, use or disclosure of PHI or Electronic PHI. In connection with the Underlying Agreement, and the covenants and commitments set forth therein, and for other good and valuable consideration, we agree with Covered Entity as follows:
- Certain Definitions. Unless otherwise defined herein, capitalized terms shall have the meanings given in Section 16 below and, if not defined herein or therein, the meanings given in HIPAA or HITECH.
- Compliance with Applicable Law. We shall comply with our obligations under this Addendum and with all obligations of a business associate under HIPAA, HITECH, the Confidentiality Requirements and other related laws and any implementing regulations, as they exist at the time this Addendum is executed and as they are amended.
- Our Duties.
- We shall not use or disclose (or permit the use or disclosure of) PHI in a manner that would violate the Confidentiality Requirements if the PHI were used or disclosed by Covered Entity in the same manner, except as otherwise permitted or required by this Addendum or as required by law.
- We shall use appropriate safeguards to prevent the use or disclosure of PHI other than as expressly permitted under this Addendum.
- We will implement Administrative Safeguards, Physical Safeguards and Technical Safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of the Electronic PHI that we create, receive, maintain or transmit on behalf of Covered Entity. We acknowledge that HITECH requires that we comply with 45 C.F.R. §§ 164.308, 164.310, 164.312 and 164.316 as if our Company were a covered entity, and we agree to comply with these provisions of the Security Standards and all other applicable security provisions of HITECH.
- To the extent feasible, We will use commercially reasonable efforts to ensure that the Technical Safeguards used by our Company to secure PHI will render such PHI unusable, unreadable and indecipherable to individuals unauthorized to acquire or otherwise have access to such PHI in accordance with the Confidentiality Requirements.
- We will implement policies and procedures to identify and respond to suspected and known Security Incidents and promptly report to Covered Entity any successful Security Incident of which We become aware. At the request of Covered Entity, We shall identify (and provide reasonable updates to Covered Entity regarding): the date of the successful Security Incident, the scope of the successful Security Incident and our response to the successful Security Incident. For this purpose, We hereby notify Covered Entity (and Covered Entity acknowledges) that We experience attempted but unsuccessful security incidents in the ordinary course of business for which no additional notice to Covered Entity is required. For purposes of this Addendum, unsuccessful security incidents include activity such as pings and other broadcast attacks on our firewall, port scans, unsuccessful log-on attempts, denials of service, and any combination of the above, so long as no such incident results in unauthorized access, use, or disclosure of PHI.
- Except as otherwise required by law, We shall use PHI (i) only for the purpose of performing services for, or on behalf of, Covered Entity pursuant to the Underlying Agreement, and (ii) as necessary for the proper management and administration of our Company or to carry out our legal responsibilities, provided that such uses are permitted under applicable federal and state law.
- We may de-identify PHI in accordance with 45 CFR 164.514(a)-(c), and resulting De-Identified Data may be used or disclosed by our Company in a manner consistent with its business and affairs, as determined in our sole discretion (but which may include, without limitation, the creation or development of derivative works, reports, publications, models, guidelines, algorithms or other treatment protocols relative to the diagnosis, prevention or treatment of human disease or other medical conditions, as well as copying, distributing or publishing any of the foregoing), provided that such uses or disclosures are permitted under applicable laws. Subject to the foregoing limitations, our Company is, and shall be, the sole and exclusive owner of any De-Identified Data created or developed by it.
- Disclosure of PHI.
- Subject to any limitations in this Addendum, We may disclose PHI to any third party persons or entities as necessary to perform our obligations under the Underlying Agreement and as permitted or required by applicable federal or state law. Further, We may disclose PHI for the proper management and administration of our Company, provided that (i) such disclosures are required by law or (ii) We: (A) obtain reasonable assurances from any third party to whom the information is disclosed that it will be held confidential and further used and disclosed only as required by law or for the purpose for which it was disclosed to the third party and (B) agree to promptly notify Covered Entity of any instances of which We are aware that PHI is being used or disclosed for a purpose that is not otherwise provided for in this Addendum or for a purpose not expressly permitted by the Confidentiality Requirements.
- We will make reasonable efforts to limit any disclosures of PHI by our Company to any third party to the “minimum necessary use and disclosure,” i.e., only the minimum PHI that is necessary to accomplish the intended purpose may be disclosed. We shall comply with Section 13405(b) of HITECH, and any applicable regulations or guidance issued by Secretary concerning such provision, regarding the minimum necessary standard and the use and disclosure (if applicable) of Limited Data Sets.
- We agree to ensure that any agent or subcontractor, to whom We provide PHI, agrees in writing: (i) to restrictions and conditions with respect to use and disclosure of such PHI that are at least as restrictive as those that apply through this Addendum to our Company; and (ii) to implement Administrative Safeguards, Physical Safeguards and Technical Safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of the Electronic PHI that it creates, receives, maintains or transmits, directly or indirectly, on behalf of Covered Entity.
- We shall report to Covered Entity any use or disclosure of PHI not permitted by this Addendum, of which our Company becomes aware, such report to be made as soon as is practicable, but in any event within ten (10) business days of our Company becoming aware of such use or disclosure.
- Breach Notification. We agree to implement reasonable systems for the discovery and prompt reporting of any HIPAA Breach. The parties acknowledge and agree that 45 C.F.R. § 164.404 governs the determination of the date of a HIPAA Breach. We will, following the discovery of a HIPAA Breach, notify Covered Entity promptly and in no event later than ten (10) business days after We discover such HIPAA Breach, unless We are prevented from doing so by 45 C.F.R. §164.412 concerning law enforcement investigations. We shall provide Covered Entity with sufficient information to permit Covered Entity, as appropriate, to comply with the HIPAA Breach notification requirements set forth at 45 C.F.R. §164.400 et seq.
- Designated Record Sets. If our Company maintains a Designated Record Set on behalf of Covered Entity that Covered Entity does not maintain, the following provisions shall apply:
- We shall (i) provide access to, and permit inspection and copying of, PHI by Covered Entity or, if so requested in writing by Covered Entity, an individual who is the subject of the PHI under conditions and limitations required under 45 C.F.R. § 164.524, as it may be amended from time to time, and (ii) amend PHI maintained by our Company as requested by Covered Entity.
- We shall respond to a request from Covered Entity for access by an individual within five (5) business days of such request and shall make PHI in a Designated Record Set available for amendment and incorporate any amendments to PHI in accordance with 45 C.F.R. §164.526 requested by Covered Entity within ten (10) days of such request. Any information requested under this Section 6 shall be provided in the form or format requested, if it is readily producible in such form or format. We may charge a reasonable fee based upon our labor costs in responding to a request for electronic information (or a cost-based fee for the production of non-electronic media copies). Covered Entity shall determine whether a denial is appropriate or an exception applies.
- We shall notify Covered Entity within five (5) business days of receipt of any request for access or amendment by an individual. Covered Entity shall determine whether to grant or deny any access or amendment requested by the individual. We shall have a process in place for receiving requests for amendments and for appending such requests to the Designated Record Set.
- Accounting for Disclosures. We shall make available to Covered Entity in response to a request from an individual, information required for an accounting of disclosures of PHI with respect to the individual, in accordance with 45 C.F.R. § 164.528. We shall provide to Covered Entity such information necessary to provide an accounting within thirty (30) days of Covered Entity’s request or such shorter time as may be required by applicable state or federal law. Such accounting must be provided without cost to the individual or to Covered Entity if it is the first accounting requested by an individual within any twelve (12) month period; however, a reasonable fee based on our labor costs in responding to a request for electronic information (or a cost-based fee for the production of non-electronic media copies) may be charged for subsequent accountings within the same twelve (12) month period so long as our Company informs Covered Entity and Covered Entity informs the individual in advance of the fee, and the individual is afforded an opportunity to withdraw or modify the request. Such accounting obligations shall survive termination of this Addendum and shall continue as long as our Company maintains PHI. We shall notify Covered Entity within five (5) business days of receipt of any request from an individual for an accounting of disclosures.
- Records. We shall make available to Secretary or its agents, our internal practices, books, and records relating to the use and disclosure of PHI accessed, created, or received by our Company on behalf of Covered Entity for the purpose of determining Covered Entity’s compliance with the Confidentiality Requirements, such internal practices, books and records to be provided in the time and manner designated by Secretary and its agents. Except to the extent prohibited by law, our Company agrees to notify Covered Entity promptly upon receipt by our Company of any and all requests by or on behalf of any and all federal, state, and local government authorities served upon our Company for PHI subject to this Addendum.
- Effect of Termination of Agreement. Upon the termination of the Underlying Agreement or this Addendum for any reason, We shall return to Covered Entity, or, at Covered Entity’s direction, destroy, all PHI received from Covered Entity that our Company maintains in any form, recorded on any medium, or stored in any storage system. If We elect to destroy the PHI, upon request We will certify in writing to Covered Entity that such PHI has been destroyed. This provision shall apply to PHI that is in the possession or control of our Company or any of our employees, agents or subcontractors. We shall retain no copies of the PHI. In the event that We determine that returning or destroying the PHI is infeasible, We shall extend the protections of this Addendum to such PHI and limit further use of the PHI to those purposes that make the return or destruction infeasible, for so long as We maintain such PHI. We shall remain bound by the provisions of this Addendum, even after termination of the Underlying Agreement or this Addendum until such time as all PHI has been returned, de-identified or otherwise destroyed as provided in this Section.
- Termination for Breach.
- In addition to any other rights Covered Entity or our Company may have under the Underlying Agreement, this Addendum or by operation of law or in equity, Covered Entity may terminate the Underlying Agreement if it terminates this Addendum pursuant to Section 10(a) above.
- Any dispute regarding any such alleged breach and/or cure shall be resolved in accordance with the dispute resolution provisions of the Underlying Agreement, if any.
- No Third Party Rights. The terms of this Addendum are not intended, nor should they be construed, to grant any rights to any parties other than our Company and Covered Entity.
- Ownership of PHI. Under no circumstances shall our Company be deemed in any respect to be the owner of any PHI used or disclosed by or to our Company pursuant to the terms of the Underlying Agreement. Covered Entity shall retain all rights in the PHI not granted herein.
- Changes in the Law. The parties agree to enter into good faith negotiations to amend either the Underlying Agreement or this Addendum, as necessary and appropriate, to conform to any new or revised legislation, rules and regulations to which Covered Entity is subject now or in the future including, without limitation, HIPAA, HITECH, the Privacy Standards, Security Standards or Technical Standards.
- Judicial and Administrative Proceedings. In the event our Company receives a subpoena, court or administrative order or other discovery request or mandate for release of PHI, unless prohibited by applicable law We shall notify Covered Entity of the request as soon as reasonably practicable, but in any event within five (5) days of receipt of such request.
- Conflicts. If there is any direct conflict between the Underlying Agreement and this Addendum, the terms and conditions of this Addendum shall control.
- Definitions. For purposes of this Addendum, the following terms shall have the designated meanings. All other capitalized terms shall have the same meanings as in HIPAA or HITECH.
- “Administrative Safeguards” shall mean administrative actions, policies and procedures to manage the selection, development, implementation and maintenance of security measures to protect Electronic PHI and to manage the conduct of our workforce in relation to the protection of that information, as contemplated by 45 C.F.R. § 164.308.
- “Confidentiality Requirements” means the Privacy Standards, Security Standards and HITECH, as applicable.
- “De-Identified Data” means Health Information that (i) meets the standard and implementation specifications for de-identification under the Privacy Standards such that it no longer identifies an individual and there is no reasonable basis to believe that the information can be used to identify an individual (as further contemplated by 45 C.F.R. § 164.514(a) – (c)) and (ii) is not Individually Identifiable Health Information.
- “Designated Record Set” shall mean Records maintained by or for Covered Entity, that are (i) the medical records and billing records about individuals maintained by or for Covered Entity; (ii) the enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or (iii) used, in whole or in part, by Covered Entity to make decisions about individuals. As used herein, the term “Record” means any item, collection, or grouping of information that includes PHI and is maintained, collected, used, or disseminated by or for Covered Entity.
- “Electronic PHI” shall mean PHI that is transmitted or maintained in electronic media.
- “HIPAA” shall mean the Health Insurance Portability and Accountability Act of 1996, and any amendments thereto.
- “HIPAA Breach” shall mean the acquisition, access, use, or disclosure of PHI in a manner not permitted by the Privacy Standards which compromises the security or privacy of such information, as contemplated by 45 C.F.R. § 164.402.
- “HITECH” shall mean the Health Information Technology for Economic and Clinical Health Act, which is Title XIII of the American Recovery and Reinvestment Act, and any amendments, regulations, rules and guidance issued thereto and the relevant dates for compliance.
- “Individually Identifiable Health Information” shall mean information that is a subset of health information, including demographic information collected from an individual and genetic information, and (i) is created or received by a healthcare provider, health plan, employer, or healthcare clearinghouse; and (ii) relates to the past, present, or future physical or mental health or condition of an individual; the provision of healthcare to an individual; or the past, present, or future payment for the provision of healthcare to an individual; and (A) identifies the individual, or (B) with respect to which there is a reasonable basis to believe the information can be used to identify the individual.
- “PHI” shall mean Individually Identifiable Health Information that is (i) transmitted by electronic media; (ii) maintained in any medium constituting electronic media; or (iii) transmitted or maintained in any other form or medium. “PHI” shall not include education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. § 1232g, or records described in 20 U.S.C. § 1232g(a)(4)(B)(iv). For purposes of this Addendum, all references to “PHI” shall refer to PHI received from, or created or received by our Company on behalf of, Covered Entity in connection with the Underlying Agreement.
- “Physical Safeguards” shall mean physical measures, policies and procedures to protect our electronic information systems and related buildings and equipment from natural and environmental hazards and unauthorized intrusion, as contemplated by 45 C.F.R. § 164.310.
- “Privacy Standards” shall mean the Standards for Privacy of Individually Identifiable Health Information, 45 C.F.R. Parts 160 and 164.
- “Secretary” shall mean the Secretary of the United States Department of Health and Human Services.
- “Security Incident” shall mean the attempted or successful unauthorized access, use, disclosure, modification or destruction of information or interference with system operations in an information system.
- “Security Standards” shall mean the regulations with regard to security standards for health information, 45 C.F.R. Parts 160 and 164.
- “Technical Safeguards” shall mean the technology, and the policy and procedures for its use, that protects Electronic PHI and controls access to it, as contemplated by 45 C.F.R. § 164.312.
- Entire Agreement. This Agreement contains the entire agreement of the parties with respect to the subject matter hereof, and there are no representations, warranties, covenants or other agreements except as stated or referred to herein.
- Obligations of Covered Entity.
- Compliance with Applicable Law. Covered Entity shall comply with its obligations under this Addendum and with all obligations of a covered entity under HIPAA, HITECH, the Confidentiality Requirements and other related laws and any implementing regulations, as they exist at the time this Addendum is executed and as they are amended.
- Consent. Covered Entity agrees to obtain any consent, authorization or permission that may be required by the Privacy Standards or any other applicable federal or state laws and/or regulations prior to furnishing PHI pertaining to an Individual to our Company.
- Minimum Necessary. Covered Entity shall only request, use or disclose the minimum necessary PHI to accomplish its obligations under the Underlying Agreement or this Addendum.
- Permissible Requests. Covered Entity shall not request that we use or disclose PHI in any manner that would not be permissible under the Privacy Standards if done by a Covered Entity.