BACKGROUND
Covered Entity and Bindbee Inc. have entered into an agreement whereby Bindbee Inc. may have access to, use, or disclose Protected Health Information ("PHI") as defined under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and its implementing regulations, including the Privacy Rule (45 C.F.R. Parts 160 and 164) and the Security Rule (45 C.F.R. Parts 160, 162, and 164) (collectively, "HIPAA Rules"), in connection with the services provided by Bindbee Inc. to Covered Entity ("Services").
In accordance with the HIPAA Rules, Covered Entity is a "covered entity" and Bindbee Inc. is a "business associate" as defined under HIPAA.
The Parties desire to comply with the requirements of HIPAA and to protect the privacy and security of PHI in accordance with the HIPAA Rules.
Definitions
1.1. "PHI" shall have the meaning given to it under the HIPAA Rules and shall include, without limitation, any information that is created, received, maintained, or transmitted by Bindbee Inc. on behalf of Covered Entity in connection with the Services.
1.2. "Electronic Protected Health Information" or "ePHI" shall have the meaning given to it under the HIPAA Rules and shall include PHI that is transmitted or maintained in electronic form.
1.3. "Designated Record Set" shall have the meaning given to it under the HIPAA Rules and shall include, without limitation, any group of records maintained by or for Covered Entity that is used, in whole or in part, to make decisions about individuals.
1.4. "Breach" shall have the meaning given to it under the HIPAA Rules and shall mean the acquisition, access, use, or disclosure of PHI in a manner not permitted by the HIPAA Rules, which compromises the security or privacy of the PHI.
1.5. "Security Incident" shall have the meaning given to it under the HIPAA Rules and shall mean the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.
Obligations of Bindbee Inc.
2.1. Use and Disclosure of PHI. Bindbee Inc. shall not use or disclose PHI, except as necessary to perform the Services or as otherwise required by law. Bindbee Inc. shall comply with the requirements of the HIPAA Rules with respect to the use and disclosure of PHI, including, without limitation, the minimum necessary standard.
2.2. Safeguards. Bindbee Inc. shall implement appropriate safeguards to prevent the use or disclosure of PHI other than as provided for in this Agreement. Such safeguards shall comply with the requirements of the HIPAA Rules, including, without limitation, the Security Rule.
2.3. Reporting of Breaches and Security Incidents. Bindbee Inc. shall report to Covered Entity any Breach or Security Incident of which it becomes aware without unreasonable delay, but in no event later than 72 hours after discovery of the Breach or Security Incident. Such report shall include, without limitation, the following information: (a) a description of the Breach or Security Incident, including the nature of the PHI involved; (b) the date of the Breach or Security Incident; (c) the type of Breach or Security Incident; (d) any actions taken to mitigate; and (e) any additional information reasonably requested by Covered Entity.
2.4. Access to PHI. Bindbee Inc. shall provide access to PHI to Covered Entity or an individual as required by the HIPAA Rules within the timeframes and in the manner specified by the HIPAA Rules.
2.5. Amendments to PHI. Bindbee Inc. shall make amendments to PHI as requested by Covered Entity or an individual as required by the HIPAA Rules within the timeframes and in the manner specified by the HIPAA Rules.
2.6. Accounting of Disclosures. Bindbee Inc. shall document and provide an accounting of disclosures of PHI as required by the HIPAA Rules within the timeframes and in the manner specified by the HIPAA Rules.
Obligations of Covered Entity
3.1. Notice of Privacy Practices. Covered Entity shall provide Bindbee Inc. with a copy of its current notice of privacy practices, or any changes thereto, as required by the Privacy Rule.
3.2. Changes to Authorization or Permission. Covered Entity shall notify Bindbee Inc. of any changes in, or revocation of, permission by an individual to use or disclose PHI, to the extent that such changes may affect Bindbee Inc.'s use or disclosure of PHI.
3.3. Restrictions on Use or Disclosure. Covered Entity shall notify Bindbee Inc. of any restrictions on the use or disclosure of PHI that Covered Entity has agreed to or is required to abide by, to the extent that such restrictions may affect Bindbee Inc.'s use or disclosure of PHI.
3.4. Compliance with HIPAA Rules. Covered Entity shall comply with the requirements of the HIPAA Rules, including, without limitation, the Privacy Rule, the Security Rule, and the Breach Notification Rule, as applicable to its use and disclosure of PHI and its safeguarding of ePHI.
Term and Termination
4.1. Term. This Agreement shall be effective as of the date of its execution by both Parties and shall continue in effect until terminated by either Party in accordance with this Section 4.
4.2. Termination for Convenience. Either Party may terminate this Agreement for any reason or no reason upon written notice to the other Party.
4.3. Termination for Breach. Either Party may terminate this Agreement upon written notice to the other Party in the event of a material breach of this Agreement by the other Party, unless the breach is cured within a reasonable time period specified by the non-breaching Party.
4.4. Obligations Upon Termination. Upon termination of this Agreement for any reason, Bindbee Inc. shall return or destroy all PHI in its possession or control, including any copies or derivatives thereof, in accordance with the requirements of the HIPAA Rules and any instructions provided by Covered Entity. Bindbee Inc. shall also provide written certification to Covered Entity that it has complied with this requirement within 30 days of termination.
Miscellaneous
5.1. Entire Agreement. This Agreement constitutes the entire understanding between the Parties with respect to the subject matter hereof and supersedes all prior or contemporaneous agreements, understandings, representations, and warranties, whether oral or written, relating to the subject matter hereof.
5.2. Amendments. This Agreement may not be amended or modified except in writing signed by both Parties.
5.3. No Third-Party Beneficiaries. This Agreement is not intended to and does not confer any rights or benefits upon any person or entity other than the Parties hereto and their respective successors and permitted assigns.
5.4. Governing Law and Jurisdiction. This Agreement shall be governed by and construed in accordance with the laws of the state or jurisdiction where Covered Entity is located. Any disputes arising under or in connection with this Agreement shall be resolved in the courts of competent jurisdiction in the same state or jurisdiction.
5.5. Survival. The obligations and responsibilities of the Parties under this Agreement shall survive termination of this Agreement for any reason, to the extent necessary to fulfill the purposes for which the PHI was disclosed or received under this Agreement.
5.6. Waiver. The waiver of any breach of this Agreement shall not be deemed a waiver of any other or subsequent breach, and shall not be construed as a modification of the terms of this Agreement.
5.7. Severability. If any provision of this Agreement is held to be invalid, illegal, or unenforceable, the remaining provisions shall remain in full force and effect.
5.8. Counterparts. This Agreement may be executed in counterparts, each of which shall be deemed an original, but all of which together shall constitute one and the same instrument.
IN WITNESS WHEREOF, the Parties have executed this Agreement as of the Effective Date first above written.