BY REGISTERING FOR AN ACCOUNT OR USING/ACCESSING THE POWERSHARE SERVICES YOU ("CLIENT") HEREBY ACCEPT THE TERMS AND CONDITIONS OF THIS AGREEMENT. IF YOU ARE ENTERING INTO THIS AGREEMENT ON BEHALF OF A COMPANY OR OTHER LEGAL ENTITY, YOU REPRESENT THAT YOU HAVE THE AUTHORITY TO BIND SUCH ENTITY TO THE TERMS AND CONDITIONS OF THIS AGREEMENT AND, IN SUCH EVENT, "COVERED ENTITY" AS USED IN THIS AGREEMENT SHALL REFER TO SUCH ENTITY. IF YOU DO NOT HAVE SUCH AUTHORITY, OR IF YOU OR SUCH ENTITY DO NOT AGREE TO THE TERMS AND CONDITIONS OF THIS AGREEMENT, YOU MAY NOT USE THE SERVICES.
HIPAA BUSINESS ASSOCIATE AGREEMENT
WHEREAS, Nuance Communications, Inc. ("Business Associate") or ("Nuance") may perform certain services on behalf of or for Client ("Covered Entity") pursuant to this Agreement that require Nuance to access, create and use health information that is subject to the federal privacy regulations (the "Privacy Rule") and the federal security regulations (the "Security Rule") issued pursuant to the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and codified at 45 C.F.R. parts 160 and 164, and Subtitle D of the Health Information Technology for Economic and Clinical Health Act provisions of the American Recovery and Reinvestment Act of 2009 (the "HITECH Act"); and
WHEREAS, this Agreement, which shall be attached to and made part of any and all Underlying Agreement(s) between the Parties, serves to establish the responsibilities of both parties regarding Protected Health Information, and to bring this Agreement into compliance with HIPAA and the HITECH Act.
NOW, THEREFORE, the parties agree to the following additional terms and conditions to those otherwise in the Agreement:
1. Definitions. Capitalized terms used in this Agreement, but not otherwise defined, shall have the same meanings ascribed to them in the Privacy Rule, the Security Rule and the HITECH Act.
2. Permitted Uses and Disclosures. Except as otherwise specified herein, Business Associate may use and/or disclose Protected Health Information (“PHI”) to perform the functions, activities, or services for or on behalf of Covered Entity as specified in this Agreement, provided that such use and/or disclosure would not violate HIPAA if done by Covered Entity. Except as otherwise limited in this Agreement, Business Associate may:
- a. use PHI for the proper management and administration of Business Associate and to carry out the legal responsibilities of Business Associate, and except as otherwise limited by this Agreement or the Agreement, as permitted by HIPAA.
- b. disclose PHI for the proper management and administration of Business Associate and to carry out the legal responsibilities of Business Associate, provided that the disclosures are required by law, or Business Associate obtains reasonable assurances from the person to whom PHI is disclosed that the PHI will remain confidential and used or further disclosed only as required by law or for the purpose for which it was disclosed to the person, and the person notifies Business Associate of any instances of which it is aware in which the confidentiality of PHI has been breached.
- c. use PHI to provide Data Aggregation services to Covered Entity as permitted by 42 C.F.R. §164.504(e)(2)(i)(B).
Business Associate may use PHI to report violations of law to appropriate Federal and State authorities, consistent with 45 C.F.R. §164.502(j)(1).
3. Responsibilities of Business Associate. Except as otherwise required by law, Business Associate shall use PHI in compliance with 45 C.F.R. §164.504(e). To comply with the security and privacy obligations imposed by HIPAA, Business Associate agrees to:
- a. use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to electronic protected health information, to prevent use or disclosure of protected health information other than as provided for by this Agreement.
- b. not use or further disclose PHI other than as permitted or required by this Agreement, HIPAA, or as required by law.
- c. use appropriate safeguards to prevent the use or disclosure of PHI other than as provided for by this Agreement.
- d. report to Covered Entity any use or disclosure of PHI not provided for by this Agreement of which Business Associate becomes aware, including breaches of unsecured protected health information as required by § 164.410, and any successful security incident of which it becomes aware. The Parties acknowledge and agree that this section 3.d. constitutes notice by Business Associate to Covered Entity of the ongoing existence and occurrence or attempts of Unsuccessful Security Incidents for which no additional notice to Covered Entity shall be required. “Unsuccessful Security Incidents” means, without limitation, pings and other broadcast attacks on Business Associate’s firewall, port scans, unsuccessful log-on attempts, denial of service attacks, and any combination of the above, so long as no such incident results in unauthorized access, use, or disclosure of PHI.
- e. in accordance with § 164.502(e)(1)(ii), ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of Business Associate agree to substantially the same restrictions and conditions that apply to Business Associate with respect to such information.
- f. make PHI available to Covered Entity for Covered Entity to comply with an Individual’s right of access to their PHI in compliance with 45 C.F.R. §164.524 and Section 13405(e) of the HITECH Act. This provision shall be applicable only if Business Associate maintains a Designated Record Set on behalf of Covered Entity.
- g. make PHI available to Covered Entity for amendment and incorporate any amendment(s) to PHI that Covered Entity directs, in accordance with 45 C.F.R. §164.526. This provision shall be applicable only if Business Associate has PHI in a Designated Record Set.
- h. document disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. §164.528 and Section 13405(c) of the HITECH Act.
- i. make available to Covered Entity in response to a request from an Individual, the information required to provide an accounting of disclosures of PHI with respect to the Individual in accordance with 45 C.F.R. §164.528 and Section 13405(c) of the HITECH Act.
- j. to the extent this Agreement requires Business Associate to carry out one or more of Covered Entity's obligation(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to Covered Entity in the performance of such obligation(s).
- k. make its internal practices, books, and records relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of, Covered Entity available to the Secretary of the Department of Health and Human Services or his/her designee (the “Secretary”), in a time and manner designated by the Secretary, for purposes of determining Covered Entity’s compliance with HIPAA.
- l. notify Covered Entity following Business Associate’s discovery of a security breach of Unsecured PHI, in accordance with Section 13402 of the HITECH Act.
- m. refrain from exchanging any PHI with any entity (including Covered Entity) of which Business Associate knows of a pattern of activity or practice that constitutes a material breach or violation of HIPAA, and upon becoming aware of such behavior by an entity with which Business Associate has already exchanged PHI, take reasonable steps to cure the breach or end the violation, as applicable, and if such steps are unsuccessful, terminate the contract or arrangement with such entity, if feasible; or if termination is not feasible, report the problem to the Secretary, in accordance with Section 13404 of the HITECH Act and 45 C.F.R. §164.504(e).
- n. limit the use, disclosure or request for PHI in accordance with Section 13405(b) of the HITECH Act.
- o. refrain from receiving any remuneration in exchange for any Individual’s PHI unless such exchange (i) is pursuant to a valid authorization that includes a specification of whether the PHI can be further exchanged for remuneration by the entity receiving PHI of that Individual, or (ii) satisfies one of the exceptions enumerated in the HIPAA regulations and specifically Section 13405(d)(2) of the HITECH Act.
- p. refrain from marketing activities that would violate HIPAA and specifically Section 13406 of the HITECH Act.
4. Responsibilities of Covered Entity. Covered Entity shall:
- a. provide Business Associate with the notice of privacy practices that Covered Entity produces in accordance with 45 C.F.R. §164.520, as well as any changes to such notice.
- b. provide Business Associate, in writing, with any changes in, or revocation of, permission by Individual to the use or disclosure of PHI, if such changes affect Business Associate’s permitted or required uses or disclosures. Upon receipt by Business Associate of such notice of changes, Business Associate shall cease the use and disclosure of any such Individual’s PHI except to the extent it has relied on such use or disclosure, or where an exception under HIPAA expressly applies.
- c. notify Business Associate of any restriction to the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 C.F.R. §164.522.
- a. Termination for Cause. Either party may immediately terminate this Agreement if such party (the “Non-Breaching Party”) determines that the other party (the “Breaching Party”) has breached a material term of this Agreement. Alternatively, the Non-Breaching Party may choose to provide the Breaching Party with written notice of the existence of an alleged material breach and afford the Breaching Party an opportunity to cure the alleged breach. Failure to cure the material breach within thirty (30) days of the written notice constitutes grounds for immediate termination of this Agreement.
- b. Effect of Termination.
- (1) Except as provided in paragraph (2) of this Section 5(b), upon termination of this Agreement for any reason, Business Associate shall return or destroy all PHI received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity. This Section 5(b)(1) shall apply to PHI that is in the possession of Business Associate and its subcontractors or agents. Business Associate shall retain no copies of the PHI.
- (2) In the event that Business Associate determines that returning or destroying the PHI is infeasible, Business Associate shall provide to Covered Entity, in writing, notification of the conditions that make return or destruction infeasible, and Business Associate shall extend the protections of this Agreement to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such PHI.
- a. Amendment. The parties agree to negotiate in good faith an amendment to this Agreement from time to time as is necessary for the parties to comply with the requirements of HIPAA, as amended from time to time. No amendment shall be effective unless in writing and signed by duly authorized representatives of both parties.
- b. Survival. The respective rights and obligations of Business Associate under Section 5(b) of this Agreement shall survive termination of this Agreement.
- c. Interpretation. Any ambiguity in this Agreement shall be resolved in favor of a meaning that permits the parties to comply with HIPAA.
- d. No Third Party Beneficiary. Nothing in this Agreement is intended, nor shall be deemed, to confer any benefits on any third party.
- e. Severability. If a court of competent jurisdiction finds any term of this Agreement invalid, illegal or unenforceable, that term shall be curtailed, limited or deleted, but only to the extent necessary to remove the invalidity, illegality or unenforceability, and without in any way affecting or impairing the remaining terms.
- f. Counterparts; Facsimiles. This Agreement may be executed in any number of counterparts, each of which shall be deemed an original. Facsimile copies hereof shall be deemed to be originals.
- g. Entirety. The terms and conditions of this Agreement supersede and replace any prior business associate agreements and any existing terms and conditions between the parties (including any such terms and conditions in any Agreement) pertaining to the privacy and security of PHI. This Agreement is made a part of and subject to the terms of the Agreement. In the event of any conflict between this Agreement and an Underlying Agreement, this Agreement shall control with respect to such conflict.