
Business Associate Agreement

This Business Associate Agreement (the “Agreement”) between Customer (“Covered Entity”) and Iconic Data Inc. (“Business Associate”) will be in effect during any such time period that Covered Entity has created a SwiftPayMD account, and is using the SwiftPayMD Service in a fashion compliant with the SwiftPayMD Terms and Conditions, and upon termination as set forth in Section 7 of this Agreement.

  1. Background

    Covered Entity and Business Associate ("the Parties") are party to certain Terms and Conditions (the "Underlying Agreement") pursuant to which Business Associate may receive Protected Health Information in its performance of the Service it provides to Covered Entity. Both Covered Entity and Business Associate are committed to complying with the Privacy Standards and the Security Standards under the Health Insurance Portability and Accountability Act of 1996 and its implementing Administrative Simplification regulations ("HIPAA"), as amended by the provisions of the Health Information Technology for Economic and Clinical Health Act and its implementing regulations ("HITECH").

    This Agreement sets forth the terms and conditions pursuant to which Protected Health Information that is provided by, or created or received by, Business Associate from or on behalf of Covered Entity, will be handled by Business Associate and with third parties during the Term of the Underlying Agreement and after its termination or expiration.

    NOW THEREFORE, the Parties hereto, intending to be legally bound, agree to the following provisions. Except as expressly set forth herein, all terms and conditions of the Underlying Agreement are hereby ratified and shall remain in full force and effect.

  2. Definitions

    For purposes of this Agreement, the following terms shall have the meanings set forth below:

    1. Breach shall mean the unauthorized acquisition, access, use or disclosure of PHI which compromises the security or privacy of the PHI.
    2. Business Associate shall be interpreted in a manner consistent with the definition of "business associate" under HIPAA.
    3. Covered Entity shall be interpreted in a manner consistent with the definition of "covered entity" under HIPAA.
    4. Effective Date shall mean the date Covered Entity initially created a SwiftPayMD account.
    5. Electronic Protected Health Information shall have the meaning set forth in 45 CFR 160.103.
    6. HIPAA Regulations shall mean the federal Standards for Privacy of Individually Identifiable Health Information and the Security Standards for the Protection of Electronic Protected Health Information described at 45 CFR part 160 and part 164, subparts A, C and E, as amended from time to time.
    7. Individual shall have the meaning set forth in 45 C.F.R. 160.103 and shall include a person who qualifies as a personal representative in accordance with 45 CFR 164.502(g).
    8. Protected Health Information or PHI shall have the meaning set forth in 45 CFR 160.103, limited to the information created or received by Business Associate from or on behalf of Covered Entity.
    9. Required by Law shall have the meaning set forth in 45 CFR 164.103.
    10. Secretary shall mean the Secretary of the Department of Health and Human Services or his or her designee.
    11. Security Incident shall mean the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.
    12. Service means the intellectual property owned by Iconic Data which is provided as a part of the SwiftPayMD offering including any related services, necessary software, data formats, file structures, database documentation, hosted services, and all updates to the Service.
    13. Term shall have the meaning set forth in Section 7 of this Agreement.
    14. Unsecured PHI shall mean PHI that is not secured through the use of technology or methods approved by the Secretary of Health and Human Services to render the PHI unusable, unreadable or indecipherable to unauthorized individuals.

    Any capitalized term without definition shall have the same meaning ascribed to it in HIPAA Regulations and HITECH statutory and regulatory provisions.

  3. HITECH compliance

    Business Associate shall comply with all applicable requirements of Title XII, Subtitle D of HITECH, 42 U.S.C. Sections 17921-17954 and all applicable HITECH implementing regulations issued by the Department of Health and Human Services as of the date by which Business Associate must comply with such statutory and regulatory requirements.

  4. Permitted uses and disclosures of PHI

    1. Services.  Business Associate shall retain, use and disclose PHI only to perform functions, activities, or services for, or on behalf of, Covered Entity as contemplated by this Agreement and the Underlying Agreement, provided that such retention, use or disclosure would not violate the HIPAA Regulations if done by the Covered Entity.
    2. Business Activities of the Business Associate.  In addition to those provisions dealing with information and Business Associate provisions as detailed in the Underlying Agreement entered into by the Covered Entity and Iconic Data Inc., and unless otherwise limited herein, Business Associate may:
      1. Use PHI for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate;
      2. Disclose PHI for the proper management and administration of the Business Associate, provided that disclosures are Required by Law, or that Business Associate obtains reasonable assurances from the person to whom the information is disclosed that such PHI will remain confidential and be used or further disclosed only as Required by Law or for the purpose for which it was disclosed to the person, and the person notifies the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached; and
      3. With express written permission by the Covered Entity, use PHI to provide data aggregation services to Covered Entity as permitted by 42 CFR 164.504(e)(2)(i)(B).
  5. Responsibilities with respect to PHI

    1. Responsibilities of the Business Associate. With regard to its use or disclosure of PHI, the Business Associate hereby agrees as follows:
      1. to use or disclose PHI only as permitted or required by the Underlying Agreement, this Agreement, or as Required by Law;
      2. to implement administrative, physical and technical safeguards that (a) reasonably and appropriately protect the confidentiality, integrity, and availability of Electronic Protected Health Information that it creates, receives, maintains, or transmits on behalf of the Covered Entity as required by the HIPAA Regulations, and (b) prevent the use or disclosure of PHI other than as contemplated by the Underlying Agreement and this Agreement;
      3. to report to the Covered Entity, within five (5) days after discovery by the Business Associate, (a) any Security Incident and (b) any other use or disclosure of PHI that is not permitted or required by the Underlying Agreement, including a Breach of Unsecured PHI. Upon notification by Business Associate (i) Covered Entity shall bear sole responsibility for determining the need for and directing the implementation of any notification concerning any Breach of Unsecured PHI, (ii) Business Associate shall, at Covered Entity's direction, cooperate with or perform any additional investigation and/or assessment necessary to determine and document whether a Breach of Unsecured PHI has occurred and shall provide any and all related documentation to Covered Entity, and (iii) Business Associate shall provide Covered Entity with sufficient and detailed information in order that individual notification may be made if required, including the identification of each individual whose Unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, used or disclosed.
      4. to mitigate, to the extent practicable, any harmful effect that is known to the Business Associate of a use or disclosure of PHI by the Business Associate in violation of the requirements of the Underlying Agreement and this Agreement;
      5. to require that all of its subcontractors and agents that receive, use or have access to PHI hereunder agree in writing to adhere to the same restrictions and conditions on the use or disclosure of PHI that apply to the Business Associate pursuant to this Agreement with respect to such information;
      6. to make available to the Covered Entity or the Secretary all records, books, agreements, internal practices, policies and procedures relating to the use or disclosure of PHI, in a time and manner designated by the Covered Entity or Secretary, for purposes of determining the Covered Entity's compliance with the HIPAA Regulations, subject to attorney-client and other applicable legal privileges;
      7. to document such disclosures of PHI and information related to such disclosures as would be required for the Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 CFR 164.528;
      8. to provide to the Covered Entity, in the time and manner designated by the Covered Entity, the information collected in accordance with the immediately preceding paragraph, to permit the Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 CFR 164.528; and
      9. to disclose to its affiliates, subsidiaries, agents, subcontractors and other third parties, and to request from the Covered Entity, only the minimum PHI necessary to perform or fulfill a specific function required or permitted hereunder.
    2. Responsibilities of the Covered Entity. With regard to the use or disclosure of PHI by the Business Associate, the Covered Entity agrees as follows:
      1. to inform the Business Associate of any changes in the form of notice of privacy practices that the Covered Entity provides to Individuals pursuant to 45 CFR 164.520;
      2. to inform the Business Associate of any changes in, or revocation of, the permission by an Individual to use or disclose PHI to the extent that such changes affect the Business Associate's use or disclosure of PHI; and
      3. to notify Business Associate, in writing and in a timely manner, of any arrangements made by the Covered Entity that may affect the Business Associate's use or disclosure of PHI, including, but not limited to, restrictions on use or disclosure of PHI agreed to by the Covered Entity in accordance with 45 CFR 164.522.
  6. Additional responsibilities with respect to Designated Record Sets

    In the event that the Covered Entity notifies the Business Associate that any PHI created, held or maintained by the Business Associate or to which the Business Associate has access, constitutes a Designated Record Set, the Business Associate hereby agrees to:

    1. at the request of, and in the time and manner designated by the Covered Entity, to provide access to PHI maintained by the Business Associate to the Covered Entity or, as directed by the Covered Entity, to an Individual in order to meet the requirements of 45 CFR 164.524; and
    2. at the request of, and in the time and manner designated by the Covered Entity, to make any amendments to PHI that the Covered Entity directs or agrees to pursuant to 45 CFR 164.526.
  7. Term and Termination

    1. Term.  The obligations set forth in this Agreement shall become effective on the Effective Date and, except as provided below, shall terminate upon the termination or expiration of the Underlying Agreement.
    2. Termination by the Covered Entity.  Without limiting the termination rights of the parties as described elsewhere in the Underlying Agreement, the Covered Entity shall be entitled to immediately terminate the Underlying Agreement (and any other agreements or arrangements relating thereto) if the Covered Entity determines that the Business Associate has breached a material provision of this Agreement. Alternatively, the Covered Entity may afford the Business Associate a thirty (30)-day cure period; provided, however, that failure by Business Associate to cure the alleged breach to the Covered Entity's satisfaction within the thirty (30) day period shall be grounds for immediate termination of the Underlying Agreement. If neither termination of the Underlying Agreement nor cure of the breach is feasible, the Covered Entity shall report the violation to the Secretary.
    3. Effect of Termination.
      1. Except as provided by law, by the Underlying Agreement entered into by the parties, which is incorporated by reference herein, or otherwise, upon termination of the Underlying Agreement, for any reason, the Business Associate shall return or destroy all PHI received from Covered Entity, or created or received by the Business Associate on behalf of the Covered Entity (including without limitation destroying all backup tapes and permanently deleting all Electronic PHI). This provision shall apply to PHI that is in the possession of subcontractors or agents of Business Associate. Except as provided herein, Business Associate shall retain no copies of the PHI.
      2. In the event that the Business Associate determines that returning or destroying any PHI (whether held by the Business Associate or its subcontractor) is not feasible, the Business Associate shall provide to the Covered Entity written notification of the conditions that make return or destruction of the PHI infeasible. Business Associate shall (or shall require its subcontractor to) extend the protections of this Agreement to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as the Business Associate (or subcontractor) maintains such PHI.
  8. Indemnification

    Covered Entity shall indemnify and hold harmless Business Associate and its affiliates, directors, officers, employees and agents against any and all losses, liabilities, judgments, penalties, awards and costs, including, without limitation, any costs associated with taking steps required under the HITECH Act in connection with a Breach of Unsecured PHI, and any other fees and expenses, arising out of or related to a breach of this Agreement by Covered Entity or Covered Entity’s agents and subcontractors.

    Likewise, Business Associate shall indemnify and hold harmless Covered Entity and its affiliates, directors, officers, employees and agents against any and all losses, liabilities, judgments, penalties, awards and costs, including, without limitation, any costs associated with taking steps required under the HITECH Act in connection with a Breach of Unsecured PHI, and any other fees and expenses, arising out of or related to a breach of this Agreement by Business Associate or Business Associate’s agents and subcontractors.

  9. Miscellaneous

    1. Survival.  The respective rights and obligations of the Business Associate and the Covered Entity under Section V above shall survive the termination of this Agreement.
    2. No Third Party Beneficiaries.  Nothing expressed or implied in this Agreement is intended to confer, nor shall anything herein confer, upon any person other than the Parties and the respective successors or assigns of the Parties, any rights or remedies whatsoever.
    3. Conflict with Agreement.  In the event of a conflict between the terms of this Agreement and the terms of the Underlying Agreement, the terms of this Agreement shall control.

Contact Us

Iconic Data Inc.
One Meca Way
Norcross, GA 30093

Office: 404-913-4266
Fax: 404-920-3484

legal@swiftpaymd.com


© Iconic Data Inc. 2012-2017. All Rights Reserved.