BUSINESS ASSOCIATE AGREEMENT
Effective Date: March 14, 2024
Last Update: January 30, 2025
This Business Associate Agreement (the “Agreement”) is made and entered into by and between Healthcare Provider (“PROVIDER”) and Copay Inc, its agents and affiliates (“COPAY”).
WHEREAS, the PROVIDER and COPAY have or intend to enter into an Agreement (the “Underlying Agreement”), under which COPAY, on behalf of the PROVIDER, creates, receives, maintains, or transmits Protected Health Information;
WHEREAS, PROVIDER submits medical claim information to COPAY and/or its wholly owned affiliates, and whereas PROVIDER will have to disclose certain information to COPAY for processing patient medical and billing information; and such information may constitute Protected Health Information (“PHI”) and,
WHEREAS, PROVIDER may be considered a “Covered Entity” under certain provisions of the Health Insurance Portability and Accountability Act and the current Privacy Standards, and PROVIDER has an obligation on behalf of its clients to comply with the Privacy Standards pursuant to the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191 (HIPAA) and its subsequent amendments.
NOW THEREFORE, in consideration of the foregoing and the mutual promises and covenants herein contained, COPAY and PROVIDER agree as follows:
DEFINITIONS:
Terms used, but not otherwise defined, in this Agreement shall have the same meaning as those terms are used in 45 CFR §160.103 and §164.501.
Business Associate
A person or entity that, with respect to a plan, (1) performs or assists in the performance of a function or activity involving the use or disclosure of Individually Identifiable Health Information; or (2) provides legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to health plans, where the provision of such service involves the disclosure of Individually Identifiable Health Information from the health plan, or from another Business Associate of the health plan.
CFR
Code of Federal Regulations.
Data Aggregation
The combining of protected health information by COPAY and PROVIDER with the protected health information received by PROVIDER or other of its Business Associates on behalf of another health plan, to perform data analyses that relate to the health care operations of the respective health plans.
Designated Record Set
A group of records maintained by or for the health plan, including: (i) the medical records and billing records about individuals maintained by or for a covered health care provider; or (ii) the enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan: used, in whole or part, by or for the health plan to make decisions about individuals pertaining to treatment, payment and health care operations of the health plan.
Disclosure
The release, transfer, provision of access to, or divulging in any other manner of information outside the entity holding the information.
Individual
The person who is the subject of protected health information. This definition shall include a person who qualifies as a personal representative in accordance with the Privacy Rule.
Individually Identifiable Health Information
Information that: (1) is created or received by a health care provider, health plan, employer, or health care clearinghouse; and (2) relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and (3) identifies the individual, or with respect to which there is a reasonable basis to believe the information can be used to identify the individual.
Privacy Rule
The Standards for Privacy of Individually Identifiable Health Information at 45 CFR part 160 and part 164, subparts A and E.
Protected Health Information (PHI)
Individually Identifiable Health Information that is: (i) transmitted by electronic media; (ii) maintained in electronic media; or (iii) transmitted or maintained in any other form or medium. This definition does not include education records covered by the Family Educational Rights and Privacy Act.
Required by Law
A mandate contained in law that compels COPAY, PROVIDER, or an involved health plan to make a use or disclosure of PHI and that is enforceable in a court of law. Required by law includes, but is not limited to, court orders and court-ordered warrants; subpoenas or summons issued by a court or grand jury, a governmental or tribal inspector general, or an administrative body authorized to require the production of information; a civil or an authorized investigative demand; Medicare conditions of participation with respect to health care PROVIDER participating in the program; and statutes or regulations that require the production of information, including statutes or regulations that require such information if payment is sought under a government program providing public benefits.
Secretary
The Secretary of the Department of Health and Human Services or his/her designee.
U.S.C
United States Code.
Use
With respect to individually identifiable health information, the sharing, employment, application, utilization, examination or analysis of such information within an entity that maintains such information.
USE AND DISCLOSURE OF PROTECTED HEALTH INFORMATION
COPAY shall not use or disclose PHI in any manner that would violate the Privacy Rule if such use or disclosure were done by the health plan.
COPAY shall limit its use of protected health information (PHI) to the following purposes:
To perform its duties as specified; or
For the proper management and administration of COPAY’s business; or
As permitted by law; or
To provide data aggregation services to PROVIDER.
COPAY shall limit disclosure of PHI to the following circumstances:
To PROVIDER and its authorized representatives; or
In compliance with a valid authorization; or
As Required by Law; or
As permitted by law.
When using or disclosing PHI, or when requesting PHI, COPAY shall make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure or request.
Business Associate shall not use, or further disclose PHI other than as permitted or required by this Agreement or as permitted or Required By Law.
DUTIES OF PROVIDER
PROVIDER shall provide COPAY with written notice of PROVIDER’s privacy policy(ies), as well as any changes to such policy(ies).
PROVIDER shall notify COPAY of any restrictions with respect to the use or disclosure of PHI that an individual has requested and to which an involved health plan has agreed, in accordance with 45 CFR § 164.522.
PROVIDER shall notify COPAY of an Individual’s request for an accounting of disclosures of PHI in a timely manner, so as to enable COPAY to supply the requested information within a time sufficient for PROVIDER to comply with the individual’s request.
INDEMNIFICATION
Each party shall hold harmless and will not indemnify the other parties to this Agreement for any claims, losses, liabilities, costs and other expenses incurred as a result of, or arising directly or indirectly out of or in connection with any misrepresentation, breach of warranty or non-fulfillment of any undertaking on the part of such indemnifying party.
MISCELLANEOUS
COPAY shall use appropriate safeguards to prevent use or disclosure by COPAY of PHI other than as provided for by this Agreement or as permitted or required by Law.
COPAY shall report to PROVIDER any use or disclosure by COPAY of PHI not provided for by this Agreement of which it becomes aware.
COPAY shall ensure that any agent or subcontractor of COPAY, to whom it provides PHI created or received by COPAY on behalf of PROVIDER or an involved health plan, agrees to the same restrictions and conditions that apply through this Agreement.
COPAY, at the request of PROVIDER, shall provide access as directed by such PROVIDER to an Individual in order to meet the requirements under 45 CFR §164.524 granting the Individual access to his/her PHI that Business Associate maintains in a designated record set. If the Individual requests access to PHI directly from COPAY, COPAY shall provide the requested information directly to the PROVIDER, which in turn will provide the requested information to the requesting Individual. This Section shall not be construed to allow the Individual access to psychotherapy notes or other categories of information to which access is not authorized under the Privacy Rule. Any authorization or denial of access to PHI shall be decided solely by the PROVIDER.
COPAY will review any requests by PROVIDER to make any amendment(s) to PHI in a Designated Record Set maintained by COPAY that PROVIDER directs or agrees to pursuant to 45 CFR §164.526, at the request of the Individual, and in the time and manner designated by the Individual. COPAY shall provide the requested information to the applicable PROVIDER to furnish directly to the Individual.
COPAY shall make internal practices, books and records relating to its use and disclosure of PHI received from, or created or received by COPAY from PROVIDER available to PROVIDER. A reasonable time notice must be given to COPAY for such inspection. Any and all costs related to such inspection are to be borne by PROVIDER, or another Covered Entity making the request. If the Covered Entity deems that COPAY is in violation of any term of this agreement, COPAY shall promptly review the alleged violation and advise the Certified Entity if any changes are to be made.
In the event it is felt that COPAY has breached a material term of this Agreement, PROVIDER shall immediately notify COPAY of such alleged breach in writing. COPAY will provide PROVIDER a report of fact-finding on the alleged breach and, if it is mutually determined that there is a breach, COPAY will cure such breach within fifteen (15) days of the mutual determination.
COPAY and PROVIDER acknowledge that state and federal laws relating to Protected Health Information (PHI) are constantly changing and evolving and that amendment to this agreement may be required in the future to ensure compliance with such new laws.
If the Purchase Agreement is terminated by either COPAY or PROVIDER, COPAY shall return, or provide proof of proper destruction of, all PHI material and data received from or created by PROVIDER.
The respective rights and obligations of this Agreement shall survive the termination of the Purchase Agreement between COPAY and PROVIDER.