11 Med Funding

BUSINESS ASSOCIATE ADDENDUM

RECITALS


WHEREAS, Customer is a “Covered Entity” as that term is defined under the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191), as amended, and the regulations promulgated thereunder by the U.S. Department of Health and Human Services (“HIPAA”);

WHEREAS, pursuant to the Underlying Agreement, 11 Funding purchases account receivables from Customer relating to health services that Customer has provided to personal injury patients on a lien basis (“Services”);

WHEREAS, Customer may transmit or otherwise provide protected health information (“PHI”), as defined below, to 11 Funding to enable 11 Funding to provide the Services;

WHEREAS, in providing Services and receiving such PHI from Customer, 11 Funding may function as a “Business Associate” of Customer, as defined below;

WHEREAS, Customer and 11 Funding intend to protect the privacy and provide for the security of PHI disclosed to 11 Funding pursuant to the Underlying Agreement and this BAA in compliance with HIPAA, the Health Information Technology for Economic and Clinical Health Act, Public Law 111-005 (“HITECH Act”), and other applicable laws;

WHEREAS, as a Covered Entity, Customer is required under HIPAA to enter into this BAA with 11 Funding, governing 11 Funding’s use and disclosure of PHI, and this BAA is an integral part of 11 Funding’s provision of Services to Customer.

NOW, THEREFORE, in consideration of the recitals, conditions and mutual promises below and in the Underlying Agreement, 11 Funding and Customer agree as follows:

AGREEMENT

1.              Definitions.

a.              Breach shall have the meaning given under 42 U.S.C. § 17921(1) and 45 C.F.R. § 164.402.

b.              Business Associate shall have the meaning given to such term under 42 U.S.C. § 17938 and 45 C.F.R. § 160.103.

c.              Customer shall include, as applicable, Customer and any Covered Entities under common ownership or control of Customer, whether for-profit or non-profit, including, without limitation, any providers or suppliers.

d.              Covered Entity shall have the meaning given to such term under 45 C.F.R. § 160.103.

e.              Data Aggregation shall have the meaning given to such term under 45 C.F.R. § 164.501.

f.               Data Breach Notification Rule shall mean the HIPAA Regulations that are codified at 45 C.F.R. Parts 160 and 164, Subparts A and D.

g.              Designated Record Set shall have the meaning given to such term under 45 C.F.R. § 164.501.

h.              Electronic Protected Health Information or ePHI means Electronic Protected Health Information that is maintained in or transmitted by electronic media.

i.               Electronic Health Record shall have the meaning given to such term under 42 U.S.C. § 17921(5).

j.               Health Care Operations shall have the meaning given to such term under 45 C.F.R. § 164.501.

k.              Privacy Rule shall mean the HIPAA Regulations that are codified at 45 C.F.R. Parts 160 and 164, Subparts A and E.

l.               Protected Health Information or PHI means that information defined in 45 C.F.R. § 160.103 which is created or received by 11 Funding from or on behalf of Customer.

m.            Security Rule shall mean the HIPAA Regulations that are codified at 45 C.F.R. Parts 160 and 164, Subparts A and C.

n.              Subcontractor shall mean a person to whom a business associate delegates a function, activity, or service, other than in the capacity of a member of the workforce of such business associate, pursuant to 45 C.F.R. § 160.103.

o.              Unsecured PHI shall have the meaning given to such term under 42 U.S.C. § 17932(h), 45 C.F.R. § 164.402 and guidance issued pursuant to the HITECH Act and corresponding regulations.

Terms used but not otherwise defined in this BAA shall have the same meaning as those terms in 45 C.F.R. Part 160 and Part 164, including sections 160.103, 164.103, 164.304 and 164.501.

2.              Obligations of 11 Funding.

a.              Permitted Uses and Disclosures.  11 Funding shall not use or disclose PHI other than for purposes of providing the Services or as permitted or required by the Underlying Agreement, this BAA or as permitted or required by law.  Further, 11 Funding shall not use PHI in any manner that would constitute a violation of the Privacy Rule or the HITECH Act if so used by Customer.  However, 11 Funding may use PHI from Customer for Data Aggregation purposes for the Health Care Operations of Customer in accordance with the Privacy Rule.  To the extent that 11 Funding carries out Customer’s obligation under the Privacy Rule, it must comply with the requirements of the Privacy Rule that apply to Customer in the performance of such obligations.

b.              11 Funding Management and Administration.  11 Funding may use Customer’s PHI for the management and administration of 11 Funding and to carry out 11 Funding’s own legal and ethical responsibilities.  11 Funding may disclose PHI for these purposes if 11 Funding is required to do so by law, or if 11 Funding obtains reasonable assurances from the recipient of the information: (1) that it will be held confidentially, and used or further disclosed only as required by law or for the purpose for which it was disclosed to the recipient; and (2) that the recipient will notify 11 Funding of any instances of which the recipient is aware in which the confidentiality of the information is breached.

c.              Appropriate Safeguards.  11 Funding shall implement appropriate safeguards and comply where applicable, with the HIPAA Security Rule with respect to Electronic Protected Health Information to prevent the use or disclosure of PHI other than as permitted or required by the Underlying Agreement, this BAA or other applicable laws.  To the extent 11 Funding creates, maintains, receives or transmits ePHI on Customer’s behalf, 11 Funding shall use administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of such ePHI. 

d.              Mitigation.  11 Funding shall mitigate, to the extent practicable, any harmful effect that is known to 11 Funding of a use or disclosure of PHI in violation of this BAA.

e.              Reporting of Improper Access, Use or Disclosure.  11 Funding shall promptly report to Customer in writing:  (i)  any access, use or disclosure of PHI not permitted by the Underlying Agreement, this BAA or applicable law;  (ii)  any security incident, as defined in the Security Rule; and  (iii)  any Breaches of Unsecured Protected Health Information of which it becomes aware as required by the Data Breach Notification Rule (45 C.F.R. § 164.410).  11 Funding hereby gives notice to Customer of the ongoing existence and occurrence of attempted but Unsuccessful Security Incidents (as defined below) for which no further notice to Customer by 11 Funding shall be required.  “Unsuccessful Security Incidents” shall include, but not be limited to, any attempted access of system operations in an information system by a ping program and other broadcast attacks on 11 Funding’s firewall, port scans, unsuccessful log-on attempts, denials of service and any combination of the above, so long as no such incident results in unauthorized access, use or disclosure of PHI.

f.               11 Funding’s Subcontractors.  11 Funding shall ensure that any Subcontractors to whom it provides PHI, or who create, receive, maintain or transmit Protected Health Information on 11 Funding’s behalf agree in writing to the same restrictions and conditions that apply to 11 Funding with respect to such PHI, including without limitation, the duty to notify 11 Funding of the discovery of any Breach of Unsecured PHI without unreasonable delay and in no event later than sixty (60) days after discovery.

g.              Access to PHI.  To the extent 11 Funding maintains a Designated Record Set on Customer’s behalf, 11 Funding shall make the PHI that 11 Funding or its Subcontractors maintain in Designated Record Sets available to Customer for inspection and copying within fifteen (15) days of a Customer’s request to enable Customer to fulfill its obligations under the Privacy Rule, including, but not limited to, 45 C.F.R. § 164.524.  11 Funding may charge a reasonable fee including its labor costs in responding to a request to access PHI and a cost-based fee for the production of non-electronic media copies.  11 Funding shall notify Customer within fifteen (15) days of receipt of any request for access to PHI.

h.              Amendment of PHI.  To the extent 11 Funding maintains a Designated Record Set on Customer’s behalf, within thirty (30) days of receipt of a request from the Customer or an individual for an amendment of PHI or a record about an individual contained in a Designated Record Set, 11 Funding or its Subcontractors shall make any amendments that Customer directs or agrees to in accordance with the Privacy Rule.  11 Funding may charge a reasonable fee including its labor costs in responding to a request to amend PHI and a cost-based fee for the production of non-electronic media copies.  11 Funding shall notify Customer within fifteen (15) days of receipt of any request for amendment to PHI.

i.               Accounting Rights.  Within thirty (30) days of notice by Customer of a request for an accounting of PHI disclosures, 11 Funding and its Subcontractors shall make available to Customer the information required to provide an accounting of the PHI disclosures to enable Customer to fulfill its obligations under the Privacy Rule, including, but not limited to, 45 C.F.R. § 164.528, and its obligations under the HITECH Act, as determined by Customer.  The provisions of this Section 2(i) shall survive the termination of this BAA.  The accounting must be provided without cost to the individual or the requesting party if it is the first accounting requested by such individual within any twelve (12) month period.  For subsequent accountings within a twelve (12) month period, 11 Funding may charge the individual or party requesting the accounting a reasonable fee including its labor costs in responding to the request and a cost-based fee for the production of non-electronic media copies, so long as 11 Funding informs the individual or requesting party in advance of the fee and the individual or requesting party is afforded an opportunity to withdraw or modify the request.  11 Funding shall notify Customer within fifteen (15) days of receipt of any request by an individual or other requesting party for an accounting of disclosures. 

j.               Governmental Access to Records.  11 Funding shall make its internal practices, books and records relating to the use and disclosure of PHI available to the Secretary of the U.S. Department of Health and Human Services (“Secretary”) for purposes of determining Customer’s compliance with HIPAA.  Nothing in this Section shall be construed to require 11 Funding to disclose or produce to the Secretary communications that are subject to the attorney-client privilege or that otherwise may require 11 Funding to violate its ethical obligations to Customer or its professional responsibilities. 

k.              Minimum Necessary.  11 Funding (and its Subcontractors) shall request, use and disclose only the minimum amount of PHI necessary to accomplish the purpose of the request, use or disclosure.

3.              Obligations of Customer.

a.              Customer shall notify 11 Funding of any limitation in its privacy practices, to the extent such limitation may affect 11 Funding’s access to or use or disclosure of PHI.

b.              Customer shall notify 11 Funding of any changes in, or revocation of an individual’s authorization for Customer to use or disclose PHI to the extent that such changes may affect 11 Funding’s access to or use or disclosure of PHI.

c.              Customer shall notify 11 Funding of any restriction to the use or disclosure of PHI that Customer has agreed to (including, without limitation any agreement by Customer not to disclose PHI to a health plan for payment or health care operations purposes) to the extent that such restriction may affect 11 Funding’s access to or use or disclosure of PHI.

d.              Customer shall notify 11 Funding of any amendments required to be made to PHI that 11 Funding possesses in a Designated Record Set.

4.              Termination.

a.              Term.  The term of this BAA shall be effective as of the Effective Date and shall terminate when all of the PHI that Customer provided 11 Funding, or that 11 Funding created or received on Customer’s behalf, is destroyed or returned to Customer. 

b.              Material Breach by 11 Funding.  Upon 11 Funding’s material breach of this BAA, Customer shall provide 11 Funding with written notice of the breach and 11 Funding shall cure the breach within thirty (30) business days of receiving the written notice.  If 11 Funding does not cure the breach within the designated time period, Customer shall have the right to terminate this BAA and the Underlying Agreement.  Customer will remain responsible for any and all fees incurred up to and including the effective date of the termination of the Underlying Agreement. 

c.              Material Breach by Customer.  Pursuant to 42 U.S.C. § 17934(b), if 11 Funding knows of a pattern of activity or practice of the Customer that constitutes a material breach or violation of the Customer’s obligations under the BAA, 11 Funding must take reasonable steps to cure the breach or end the violation.  If the steps are unsuccessful, 11 Funding may be required to terminate the Underlying Agreement, this BAA or the provision of Services, if feasible. 

d.              Effect of Termination.  Upon termination of the Underlying Agreement for any reason, 11 Funding shall, at Customer’s option, return or destroy all PHI that 11 Funding or its Subcontractors still maintain in any form, and shall retain no copies of the PHI unless such return or destruction is infeasible.  Customer acknowledges that 11 Funding’s legal obligations may require it to retain a record of the Services, and that return or destruction may not be feasible.  If return or destruction of the PHI is not feasible, as determined by 11 Funding, 11 Funding shall continue to extend the protections of this BAA to such information, and limit further use of the PHI to those purposes that make the return or destruction of such PHI infeasible.

5.              Amendment To Comply With Law.  Customer and 11 Funding acknowledge that they may be required to amend this BAA or Underlying Agreement to ensure compliance with state and federal laws relating to data security and privacy.  Customer and 11 Funding shall each take such action as is necessary to implement the standards and requirements of HIPAA, the HITECH Act, the Privacy Rule, the Security Rule and other applicable laws relating to the security, privacy or confidentiality of PHI.  Upon either party’s request, the other party shall promptly enter into negotiations concerning the terms of an amendment to this BAA embodying written assurances consistent with the standards and requirements of HIPAA, the HITECH Act, the Privacy Rule, the Security Rule or other applicable laws.

6.              No Third-Party Beneficiaries.  Nothing express or implied in the Underlying Agreement or BAA is intended to confer, nor shall anything herein confer upon any person other than Customer, 11 Funding and their respective successors or assigns, any rights, remedies, obligations or liabilities whatsoever.

7.              Interpretation. The provisions of this BAA shall prevail over any provisions in the Underlying Agreement that may conflict or appear inconsistent with any provision in this BAA.  This BAA and the Underlying Agreement shall be interpreted as broadly as necessary to implement and comply with HIPAA, the HITECH Act and the regulations promulgated thereunder, the Privacy Rule and the Security Rule.  Any ambiguity in this BAA will be resolved in favor of a meaning that complies and is consistent with HIPAA, the HITECH Act, the Privacy Rule and the Security Rule.  Except as specifically required to implement the purposes of this BAA, or to the extent inconsistent with this BAA, all other terms of the Underlying Agreement shall remain in force and effect.

8.              Entire Agreement of the Parties.  This BAA supersedes any and all prior and contemporaneous business associate agreements or addenda between Customer and 11 Funding and constitutes the final and entire agreement between Customer and 11 Funding with respect to the subject matter hereof.  Each party to this BAA acknowledges that no representations, inducements, promises, or agreements, oral or otherwise, with respect to the subject matter hereof, have been made by either party, or by anyone acting on either party’s behalf, which are not embodied herein.  No other agreement, statement or promise, with respect to the subject matter hereof, not contained in this BAA shall be valid or binding.

9.              Regulatory References.  A reference in this BAA to a section of regulations means the section as in effect or as amended, and for which compliance is required.