This Business Associate Agreement (“Agreement”) between Customer (“Covered Entity”) and 4th Dimension EMR, Inc (“Business Associate”) will be in effect during any such time period that the Covered Entity has subscribed to and is using services provided by 4th Dimension EMR (“Services”) and upon termination as set forth in Section 4 (Termination) of this Agreement.
1. Definitions
Except as otherwise defined in this Agreement, capitalized terms shall have the definitions set forth in HIPAA, and if not defined by HIPAA, such terms shall have the definitions set forth in the Agreement.
“Breach Notification Rule” means the Breach Notification for Unsecured Protected Health Information Final Rule.
“Business Associate” shall have the same meaning as the term “business associate” in 45 CFR § 160.103 of HIPAA.
“Covered Entity” shall have the same meaning as the term “covered entity” in 45 CFR § 160.103 of HIPAA.
“Customer”, for this Agreement only, means Customer and its Affiliates.
“Data” means all data, including all text, sound, video, or image files, and software, that are provided to 4th Dimension EMR, Inc by or on behalf of Customer for performance of the Services.
“HIPAA” collectively means the administrative simplification provisions of the Health Insurance Portability and Accountability Act enacted by the United States Congress, and its implementing regulations, including the Privacy Rule, the Breach Notification Rule, and the Security Rule, as amended from time to time, including by the Health Information Technology for Economic and Clinical Health (“HITECH”) Act and by the Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules; Final Rule.
“Stage 4 Services”, for this Agreement only, means software provided by 4th Dimension EMR, Inc. including 4th Dimension EMR, Patient Portal, and any other 4th Dimension EMR software product designed for use with protected health information.
“Privacy Rule” means the Standards for Privacy of Individually Identifiable Health Information.
“Protected Health Information” shall have the same meaning as the term “protected health information” in 45 CFR § 160.103 of HIPAA, provided that it is limited to such protected health information that is received by 4th Dimension EMR from, or created, received, maintained, or transmitted by 4th Dimension EMR on behalf of, Customer through the use of the Services.
“Security Rule” means the Security Standards for the Protection of Electronic Protected Health Information.
“Terms of Service Agreement” or “TOS” is the agreement between 4th Dimension EMR and its customers and end users. The TOS dictates the subscription terms and conditions, service level agreements and payment terms.
“Data Retention Period” is a designated time defined within the 4th Dimension EMR Terms of Service Agreement (TOS). 4th Dimension EMR will maintain the customer’s data containing ePHI for the defined period of time to allow the customer sufficient time to validate their downloaded data from the 4th Dimension EMR system.
2. Permitted Uses and Disclosures of Protected Health Information
2.1. Performance of the Agreement for Services. Except as otherwise limited in this Agreement, 4th Dimension EMR may Use and Disclose Protected Health Information for, or on behalf of, Customer as specified in the Agreement; provided that any such Use or Disclosure would not violate HIPAA if done by Customer, unless expressly permitted under Section 2.2 of this Agreement.
2.2. Management, Administration, and Legal Responsibilities. Except as otherwise limited in this Agreement, 4th Dimension EMR may Use and Disclose Protected Health Information for the proper management and administration of 4th Dimension EMR and/or to carry out the legal responsibilities of 4th Dimension EMR, provided that any Disclosure may occur only if: (1) Required by Law; or (2) 4th Dimension EMR obtains written reasonable assurances from the person to whom the Protected Health Information is Disclosed that it will be held confidentially and Used or further Disclosed only as Required by Law or for the purpose for which it was Disclosed to the person, and the person notifies 4th Dimension EMR of any instances of which it becomes aware in which the confidentiality of the Protected Health Information has been breached.
3. Responsibilities of the Parties with Respect to Protected Health Information.
3.1. 4th Dimension EMR’s Responsibilities. To the extent 4th Dimension EMR is acting as a Business Associate, 4th Dimension EMR agrees to the following:
3.1.1. Limitations on Use and Disclosure. 4th Dimension EMR shall not Use and/or Disclose the Protected Health Information other than as permitted or required by this Agreement or otherwise Required by Law. 4th Dimension EMR shall not use Protected Health Information for any advertising, marketing or other commercial purpose of 4th Dimension EMR or any third party. 4th Dimension EMR shall not violate the HIPAA prohibition on the sale of Protected Health Information. 4th Dimension EMR shall make reasonable efforts to Use, Disclose, and/or request the minimum necessary Protected Health Information to accomplish the intended purpose of such Use, Disclosure, or request.
3.1.2. Safeguards. 4th Dimension EMR shall: (1) use reasonable and appropriate safeguards to prevent inappropriate Use and Disclosure of Protected Health Information other than as provided for in this Agreement; and (2) comply with the applicable requirements of 45 CFR Part 164 Subpart C of the Security Rule.
3.1.3. Reporting. 4th Dimension EMR shall report to Covered Entity: (1) any Use and/or Disclosure of Protected Health Information that is not permitted or required by this Agreement of which 4th Dimension EMR becomes aware; (2) any Security Incident of which it becomes aware, provided that notice is hereby deemed given for Unsuccessful Security Incidents and no further notice of such Unsuccessful Security Incidents shall be given; and/or (3) any Breach of Customer’s Unsecured Protected Health Information that 4th Dimension EMR may discover (in accordance with 45 CFR § 164.410 of the Breach Notification Rule). Notification of a Breach will be made without unreasonable delay, but in no event more than five (5) business days after 4th Dimension EMR’s determination of a Breach. Taking into account the level of risk reasonably likely to be presented by the Use, Disclosure, Security Incident, or Breach, the timing of other reporting will be made consistent with 4th Dimension EMR’s and Covered Entity’s legal obligations.
For purposes of this Section, “Unsuccessful Security Incidents” mean, without limitation, pings and other broadcast attacks on 4th Dimension EMR’s firewall, port scans, unsuccessful log-on attempts, denial of service attacks, and any combination of the above, as long as no such incident results in unauthorized access, acquisition, Use, or Disclosure of Protected Health Information. Notification(s) under this Section, if any, will be delivered to contacts identified by Covered Entity pursuant to Section 3b(ii) (Contact Information for Notices) of this Agreement by any means 4th Dimension EMR selects, including through e-mail. 4th Dimension EMR’s obligation to report under this Section is not and will not be construed as an acknowledgement by 4th Dimension EMR of any fault or liability with respect to any Use, Disclosure, Security Incident, or Breach.
3.1.4. Subcontractors. In accordance with 45 CFR §§ 164.502(e)(1)(ii) and 164.308(b)(2) of HIPAA, 4th Dimension EMR shall require its Subcontractors who create, receive, maintain, or transmit Protected Health Information on behalf of 4th Dimension EMR to agree in writing to: (1) the same or more stringent restrictions and conditions that apply to 4th Dimension EMR with respect to such Protected Health Information; (2) appropriately safeguard the Protected Health Information; and (3) comply with the applicable requirements of 45 CFR Part 164 Subpart C of the Security Rule. 4th Dimension EMR remains responsible for its Subcontractors’ compliance with obligations in this Agreement.
3.1.5. Disclosure to the Secretary. 4th Dimension EMR shall make available its internal practices, records, and books relating to the Use and/or Disclosure of Protected Health Information received from Covered Entity to the Secretary of the Department of Health and Human Services for purposes of determining Covered Entity’s compliance with HIPAA, subject to attorney-client and other applicable legal privileges.
3.1.6. Access. If 4th Dimension EMR maintains Protected Health Information in a Designated Record Set for Customer, then 4th Dimension EMR, at the request of Covered Entity, shall within fifteen (15) days make access to such Protected Health Information available to Covered Entity in accordance with 45 CFR § 164.524 of the Privacy Rule.
3.1.7. Amendment. If 4th Dimension EMR maintains Protected Health Information in a Designated Record Set for Covered Entity, then 4th Dimension EMR, at the request of Covered Entity, shall within fifteen (15) days make available such Protected Health Information to Covered Entity for amendment and incorporate any reasonably requested amendment in the Protected Health Information in accordance with 45 CFR § 164.526 of the Privacy Rule.
3.1.8. Accounting of Disclosure. 4th Dimension EMR, at the request of Covered Entity, shall within fifteen (15) days make available to Covered Entity such information relating to Disclosures made by 4th Dimension EMR as required for Covered Entity to make any requested accounting of Disclosures in accordance with 45 CFR § 164.528 of the Privacy Rule.
3.1.9. Performance of a Covered Entity’s Obligations. To the extent 4th Dimension EMR is to carry out a Covered Entity obligation under the Privacy Rule, 4th Dimension EMR shall comply with the requirements of the Privacy Rule that apply to Covered Entity in the performance of such obligation.
3.1.10. Safeguards. 4th Dimension EMR agrees to implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic Protected Health Information that it creates, receives, maintains, or transmits on behalf of the Covered Entity in accordance with 45 CFR § 164.306 (the HIPAA Security standards).
3.1.11. Indemnification. 4th Dimension EMR shall, to the fullest extent permitted by law, protect, defend, indemnify and hold harmless Customer and its respective employees, directors, and agents (“Indemnitees”) from and against any and all losses, costs, claims, penalties, fines, demands, liabilities, legal actions, judgments, and expenses of every kind (including reasonable attorneys’ fees, at trial and on appeal) asserted or imposed against any Indemnitees arising out of the acts or omissions of 4th Dimension EMR or any subcontractor of 4th Dimension EMR or any of 4th Dimension EMR’s employees, directors, or agents related to the performance or nonperformance of this Agreement.
3.2. Customer Responsibilities.
3.2.1. Patient Permission to Communicate. To the extent that Covered Entity utilizes services provided by the Business Associate to communicate with patients, Covered Entity is responsible for obtaining and documenting authorizations or requests from patients to communicate through this service and for informing patients of the risks associated with such communications as applicable. It shall be Covered Entity’s responsibility to determine what permissions, authorizations or consents shall be documented and maintained for HIPAA compliance purposes. Business Associate does not obtain consent, authorization or permission from patients, and the parties agree that it is not Business Associate’s obligation to do so or to document or maintain any consent, authorization or permission obtained from patients.
3.2.2. Privacy Practice Limitations. Covered Entity shall notify Business Associate of any limitation(s) in its notice of privacy practices of Covered Entity in accordance with 45 CFR § 164.520, to the extent that such limitation may affect Business Associate’s use or disclosure of Protected Health Information.
3.2.3. Covered Entity shall notify Business Associate of any restriction to the use or disclosure of Protected Health Information that Covered Entity has agreed to in accordance with 45 CFR § 164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of Protected Health Information.
3.2.4. No Impermissible Requests. Covered Entity shall not request Business Associate to use or disclose Protected Health Information in any manner that would not be permissible under the Privacy Rule if done by Covered Entity.
3.2.5. Covered Entity agrees to comply with the HIPAA Security Rule, including, without limitation, safeguarding all computers, laptops, cell phones, tablets, or other mobile devices in accordance with the HIPAA Security Regulations.
4. Termination
4.1. Notwithstanding anything to the contrary stated in this Agreement, upon termination of this Agreement, for any reason, and after any Data Retention Period as is set forth in the 4th Dimension EMR Terms of Service Agreement between Business Associate and Covered Entity during which Covered Entity may obtain copies of Protected Health Information, Business Associate shall destroy all Protected Health Information received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity. This provision shall apply to Protected Health Information that is in the possession of subcontractors or agents of Business Associate. Business Associate shall retain no copies of the Protected Health Information.
4.2. The respective rights and obligations of Business Associate under this Section 4 of this Agreement shall survive the termination of this Agreement for any reason.
5. Miscellaneous.
5.1. Interpretation. The Parties intend that this Agreement be interpreted consistently with their intent to comply with HIPAA and other applicable federal and state law. Any ambiguity in this Agreement shall be resolved to permit Covered Entity to comply with the HIPAA rules. Any captions or headings in this Agreement are for the convenience of the Parties and shall not affect the interpretation of this Agreement.
5.2. Amendments. The parties agree that Business Associate may unilaterally amend this Agreement from time to time as is necessary for Covered Entity to comply with the requirements of the HIPAA Rules and the Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, and for other business reasons, and that any such amended agreement which Business Associate signs on a later date will supersede this Agreement.
5.3. No Third-Party Beneficiaries. Nothing express or implied in this Agreement is intended to confer, nor shall anything in this Agreement confer, upon any person other than the Parties, and the respective successors or assigns of the Parties, any rights, remedies, obligations, or liabilities whatsoever.
5.4. Severability. In the event that any provision of this Agreement is found to be invalid or unenforceable, the remainder of this Agreement shall not be affected thereby, but rather the remainder of this Agreement shall be enforced to the greatest extent permitted by law.
5.5. No Agency Relationship. It is not intended that an agency relationship (as defined under the Federal common law of agency) be established hereby expressly or by implication between Customer and 4th Dimension EMR under HIPAA or the Privacy Rule, Security Rule, or Breach Notification Rule. No terms or conditions contained in this Agreement shall be construed to make or render 4th Dimension EMR an agent of Customer.