AMERICAN MEDICAL ASSOCIATION AND AMAGINE, INC.
BUSINESS ASSOCIATE AGREEMENT ("AGREEMENT") WITH USERS OF
THE AMAGINE™ PORTAL.
WHEREAS, Amagine, Inc. is a corporate subsidiary affiliated with the American Medical Association ("AMA"), and Amagine, Inc. operates the Amagine™ portal, as further defined in the Terms of Use) thereby assisting portal users ("Users") with support for products and services offered through the Amagine portal.
WHEREAS, this support requires Amagine, Inc., AMA and/or their third party licensors to have access to patient individually identifiable Protected Health Information (PHI or ePHI) in the possession of Users, thus necessitating a written agreement that meets the applicable requirements of the privacy requirements set forth in the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191 (the ""HIPAA").
WHEREAS, this Agreement is incorporated into the Terms of Use of the Amagine portal and all Users agree to accept and are bound by the terms of this Agreement, effective upon the request for access by Amagine, Inc., AMA and/or their third party licensors to PHI or ePHI in the possession of Users to be accessed through the Amagine portal.
| 1. |
Definitions.The following terms shall have the meaning set forth below: |
|
(a) |
C.F.R. means the Code of Federal Regulations. |
|
(b) |
Designated Record Set has the meaning assigned to such term in 45 C.F.R. 164.501. |
|
(c) |
Electronic Protected Health Information or Electronic PHI or ePHI. "Electronic Protected Health Information" or "Electronic PHI" or "ePHI" shall have the meaning given to such term under the Privacy Rule and the Security Rule, including, but not limited to, 45 C.F.R. 160.103, as applied to the information that Amagine, Inc., AMA and/or their third party licensors create receive maintain or transmit from or on behalf of Users. |
|
(d) |
HIPAA means the Health Insurance Portability and Accountability Act of 1996. |
|
(e) |
HITECH Act means the Health Information Technology for Economic and Clinical Health Act of 2009. |
|
(f) |
Individual shall have the meaning given to such term in 45 C.F.R. 164.501 and shall include a person who qualifies as the Individual's personal representative in accordance with 45 C.F.R. 164.502 (g). |
|
(g) |
Protected Health Information or PHI "Protected Health Information" or "PHI" shall have the same meaning as the term "Protected Health Information", as defined by 45 C.F.R. 164.501, limited to the information created or received by Amagine, Inc., AMA and/or their third party licensors from or on behalf of Users. |
|
(h) |
Required By Law "Required By Law" shall have the same meaning as the term "required by law" in 45 C.F.R. 164.501. |
|
(i) |
Secretary "Secretary" shall mean the Secretary of the Department of Health and Human Services ("DHHS") or his designee. |
|
(j) |
Security Incident "Security Incident" shall have the meaning given to such term under the Security Rule, including, but not limited to, 45 C.F.R. 164.304. |
|
(k) |
Security Rule "Security Rule" shall mean the Security Standards at 45 C.F.R. Parts 160 and 162 and Parts 164, Subparts A and C. |
|
(l) |
U.S.C. "U.S.C." means the United States Code. |
| 2. |
Obligations and Activities of Amagine, Inc. and AMA (hereinafter referred to collectively as AMAGINE) |
|
(a) |
AMAGINE shall not use or further disclose nor create, receive, maintain or transmit from or on behalf of Users Protected Health Information, other than as permitted or required by this Agreement or as Required By Law. |
|
(b) |
AMAGINE shall forward all requests for the disclosure of Protected Health Information from a law enforcement or government official, or pursuant to a subpoena, other legal request or court or administrative order, to Users as soon as possible before making the requested disclosure. |
|
(c) |
AMAGINE shall use appropriate safeguards to prevent use or disclosure of Protected Health Information. AMAGINE shall implement administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of Electronic Protected Health Information, as required by the Security Rule. |
|
(d) |
AMAGINE shall mitigate, to the extent practicable or as reasonably directed by Users, any harmful effect that is known to AMAGINE of a use or disclosure of Protected Health Information by AMAGINE in violation of the requirements of this Agreement, the Privacy Rule or the Security Rule. |
|
(e) |
AMAGINE shall report to Users any use or disclosure by AMAGINE of the Protected Health Information not provided for by this Agreement, the Privacy Rule or the Security Rule as soon as possible, or as otherwise Required By Law. |
|
(f) |
AMAGINE shall take reasonable steps to ensure that any subcontractor, consultant, agent, or other third party performing services for AMAGINE agrees to the same restrictions and conditions that apply to AMAGINE with regard to its creation, use, and disclosure of Protected Health Information. AMAGINE shall, upon written request from Users, provide Users with a list of all such third parties. AMAGINE shall ensure that any agent, including a subcontractor, to whom it provides Electronic Protected Health Information agrees [i] to implement reasonable and appropriate safeguards to protect such information; and, [ii] to mitigate to the extent practicable, or as reasonably directed by Users, any harmful effect that is known to such agent of a use or disclosure of Protected Health Information by such agent in violation of this Agreement, the Privacy Rule or the Security Rule. If any agents or subcontractors of AMAGINE are not subject to the jurisdiction or laws of the United States, or if any use or disclosure of Protected Health Information in performing services under this Agreement will be outside of the jurisdiction of the United States, such entities must agree by written contract with AMAGINE to be subject to the jurisdiction of the Secretary, the laws and the courts of the United States, and waive any available jurisdictional defenses as they pertain to the parties' obligations under this Agreement, the Privacy Rule or the Security Rule. |
|
(g) |
AMAGINE shall document such disclosures of Protected Health Information and information related to such disclosures as would be required for Users to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 C.F.R. 164.528. |
|
(h) |
AMAGINE shall provide to Users, upon request and in the time and manner Required by Law, an accounting of disclosures of an Individual's Protected Health Information, collected in accordance with Section 2(i) of this Agreement, to permit Users to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 C.F.R. 164.528. |
|
(i) |
AMAGINE acknowledges that it shall request from the Users and so disclose to its affiliates, subsidiaries, agents and subcontractors or other third parties, only the minimum Protected Health Information necessary to perform or fulfill a specific function required or permitted hereunder. |
|
(j) |
AMAGINE shall provide training as to the Privacy Rule to all of its employees who will handle or be responsible for handling Protected Health Information on the Users' behalf. |
|
(k) |
AMAGINE shall take immediate steps to mitigate an impermissible use or disclosure of Protected Health Information, such as obtaining the recipient's satisfactory assurances that the information will not be further used or disclosed (through a confidentiality agreement or similar means) or will be destroyed. |
|
(l) |
AMAGINE shall comply with the provisions of 45 C.F.R. 164.308, 164.310, 164.312, and 164.316 relating to implementation of administrative, physical and technical safeguards with respect to Electronic Protected Health Information in the same manner that such provisions apply to Users. AMAGINE shall also comply with any additional security requirements contained in the HITECH Act that are applicable to Users. |
|
(m) |
The additional requirements of the Privacy subtitle of HITECH that relate to privacy and that are made applicable with respect to covered entities shall also be applicable to AMAGINE and shall be incorporated by reference into this Agreement. |
|
(n) |
AMAGINE shall comply with the prohibition on the sale of electronic health records and Protected Health Information set forth in 42 U.S.C. 17935(d). |
|
(o) |
AMAGINE and Users will comply with the provisions of the HITECH Act and will enter into such amendments to this Agreement to the extent required to reflect changes under the HITECH Act and any other applicable law. |
|
(p) |
AMAGINE will be held to the same standards as Users to rectify a pattern of activity or practice that constitutes a material breach or violation of AMAGINE's obligation under this Agreement, AMAGINE will be subject to the same penalties as a User for any violation of the HIPAA Privacy or Security requirements, and AMAGINE will also be subject to periodic audits by the DHHS Secretary. |
|
(q) |
AMAGINE will comply with any rule adopted by the DHHS Secretary regarding the sale of Protected Health Information. |
|
(r) |
AMAGINE shall cooperate with Users to fulfill all requests by Individuals for access to an Individual's Protected Health Information that are approved by the Users. AMAGINE shall cooperate with Users in all respects necessary for Users to comply with 45 C.F.R. 164.524. AMAGINE further acknowledges that to the extent AMAGINE maintains Protected Health Information of Users in an electronic health record, the Users must comply with Individuals' requests for access to their Protected Health Information by giving them, or any entity that they designate clearly, conspicuously and specifically, the information in an electronic format, and must not charge the requestor more than the labor costs in responding to the request for the copy (or summary or explanation). |
|
(s) |
AMAGINE shall implement a documented information security program that includes administrative, technical and physical safeguards designed to prevent the accidental or otherwise unauthorized use or disclosure of Protected Health Information, and the integrity and availability of Electronic Protected Health Information it creates, receives, maintains or transmits on behalf of Users. The security program shall include reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, and other requirements of the Security Rule. In addition, AMAGINE shall (1) maintain written documentation of its policies and procedures, and any action, activity or assessment which the Security Rule requires to be documented, (2) retain this documentation for 6 years from the date of its creation or the date when it last was in effect, whichever is later, (3) make this documentation available to those persons responsible for implementing the procedures to which the documentation pertains, and (4) review this documentation periodically, and update it as needed in response to environmental or operational changes affecting the security of the Electronic Protected Health Information. AMAGINE shall encrypt all Electronic Protected Health Information and destroy all paper Protected Health Information such that it is unusable, unreadable, or indecipherable to unauthorized users. Upon request, AMAGINE shall make available AMAGINE's security program, including the most recent Electronic Protected Health Information risk analysis, policies, procedures, security incidents and responses and evidence of training. |
| 3. |
Permitted Uses and Disclosures by AMAGINE |
| 3.1 |
General Use and Disclosure |
|
AMAGINE may use or disclose Protected Health Information only to perform its services to Users or as Required By Law, provided that such use or disclosure would not violate the Privacy Rule if done by Users. |
| 3.2 |
Specific Use and Disclosure Provisions |
|
(a) |
AMAGINE may use Protected Health Information for the proper management and administration of AMAGINE (including the Amagine™ portal) or to carry out the legal responsibilities of AMAGINE. |
|
(b) |
AMAGINE may use Protected Health Information to provide data aggregation services to Users as permitted by 42 C.F.R. 164.504(e)(2)(i)(B). |
|
(c) |
AMAGINE may use Protected Health Information to report violations of law to appropriate Federal and State authorities, consistent with 45 C.F.R. 164.502(i)(1). |
|
(d) |
AMAGINE shall use and disclose Protected Health Information for marketing purposes only as expressly directed by the Users, and in accordance with 42 U.S.C. 17936(a). |
|
(e) |
AMAGINE will not disclose Protected Health Information to a health plan if the Individual to whom the Protected Health Information pertains has so requested and (1) the disclosure would be for the purposes of payment or health care operations, and not for the purposes of treatment, (2) the Protected Health Information at issue pertains to a health care item or service for which the Individual pays out-of-pocket and in full, and (3) the disclosure is not Required By Law. |
|
(f) |
AMAGINE will, in the performance of its obligations and services to Users make reasonable efforts to use, disclose and request only the minimum amount of Users' Protected Health Information reasonably necessary to accomplish the intended purpose of the use, disclosure or request, except that AMAGINE will not be obligated to comply with this minimum necessary limitation if neither AMAGINE nor Users is required to limit the use, disclosure or request to the minimum necessary. AMAGINE and Users acknowledge that the phrase "minimum necessary" shall be interpreted in accordance with the HITECH Act and DHHS guidance on the definition. |
|
(g) |
AMAGINE shall not directly or indirectly receive remuneration in exchange for any Protected Health Information of an Individual unless the Users obtained from the Individual, in accordance with 45 C.F.R. 164.508, a valid authorization that includes a specification of whether the Protected Health Information can be further exchanged for remuneration by the entity receiving Protected Health Information of that Individual. |
| 4. |
Obligations of Users |
| 4.1 |
Provisions for Users to Inform AMAGINE of Privacy Practices and Restrictions |
|
(a) |
Users shall provide AMAGINE with any changes in, or revocation of, authorization by an Individual to use or disclose Protected Health Information, if such changes affect AMAGINE's permitted or required uses and disclosures. |
|
(b) |
Users shall notify AMAGINE, in writing, of any restriction to the use or disclosure of Protected Health Information that Users have agreed to in accordance with 45 C.F.R. 164.522, and AMAGINE shall conform to any such restriction. |
|
(c) |
Users acknowledge that they shall provide to, or request from, AMAGINE only the minimum Protected Health Information necessary for AMAGINE to perform or fulfill a specific function required or permitted hereunder. |
|
(d) |
Users shall take immediate steps to mitigate an impermissible use or disclosure of Protected Health Information from AMAGINE to the Users, including staff, employees and agents who send and receive Protected Health Information to and from AMAGINE in the course and scope of their employment, such as obtaining the recipient's satisfactory assurances that the information will not be further used or disclosed (through a confidentiality agreement or similar means between Users and its staff, employees and agents) or will be destroyed. |
| 4.2 |
Permissible Requests by Users |
|
Users represent and warrant that they have the right and authority to disclose Protected Health Information to AMAGINE in order for AMAGINE to provide services to Users. Users shall not request AMAGINE to use or disclose Protected Health Information in any manner that would not be permissible under the Privacy Rule if done by Users. |
| 5. |
Terms and Termination |
|
(a) |
Term. The provisions of this Agreement shall take effect upon the earlier of: (1) acceptance of AMAGINE's support services by Users; or (2) the Users' acceptance of the Terms of Use or accessing the Amagine portal. Except as otherwise provided herein, this Agreement shall automatically terminate upon the earlier of: (A) the time when all of the Protected Health Information provided by Users to AMAGINE, or created or received by AMAGINE on behalf of Users, is destroyed or returned to Users; and (B) the time when the Users' rights to use or access the Amagine portal expire or are terminated (i.e., when the Users' rights under the Terms of Use have expired or been terminated). |
|
(b) |
Termination for Cause. Upon User's knowledge of a material breach by AMAGINE, User shall provide an opportunity for AMAGINE to cure the breach or end the violation and terminate this Agreement if AMAGINE does not cure the breach or end the violation within the time specified by User or immediately terminate this Agreement if cure of such breach is not possible or if AMAGINE has materially breached this Agreement more than one time in any 12 month period. |
|
(c) |
Effect of Termination. This Agreement may be terminated by AMA upon 30 days prior written notice to Users in the event that AMA believes that the requirements of any law, legislation, consent decree, judicial action, governmental regulation or agency opinion, enacted, issued, or otherwise effective after the date of this Agreement and applicable to Protected Health Information or to this Agreement, cannot be met by AMA in a commercially reasonable manner and without significant additional expense. |
|
(d) |
Effect of Termination.
(1) Except as provided in paragraph (2) below of this Section, upon termination of this Agreement, for any reason, AMAGINE shall return or destroy all Protected Health Information received from Users, or created or received by AMAGINE on behalf of Users, at the direction of Users. AMAGINE shall request, in writing, the return or destruction of all Protected Health Information that is in the possession of subcontractors or agents of AMAGINE.
(2) In the event AMAGINE determines that returning or destroying the Protected Health Information is infeasible, AMAGINE shall provide to Users notification of the conditions that make return or destruction infeasible. If return or destruction of Protected Health Information is infeasible, AMAGINE shall extend the protection of this Agreement to such Protected Health Information, for so long as AMAGINE maintains such Protected Health Information. Following the termination of this Agreement, AMAGINE shall not disclose Protected Health Information except to the Users or as Required by Law.
(3) Upon any termination or expiration of this Agreement, User's rights to access the Amagine portal or to receive support from the AMAGINE related to the Amagine portal shall immediately terminate. User shall not provide the AMAGINE with any Protected Health Information following the termination of this Agreement.
|
| 6. |
Miscellaneous |
|
(a) |
Regulatory References. A reference in this Agreement to a section in the Privacy Rule means the section as in effect or as amended, and for which compliance is required. |
|
(b) |
Amendment. This Agreement may be amended upon the mutual written agreement of the parties. Upon the enactment of any law or regulation affecting the use or disclosure of Protected Health Information, or the publication of any decision of a court of the United States or any state relating to any such law or the publication of any interpretive policy or opinion of any governmental agency charged with the enforcement of any such law or regulation, either party may, by written notice to the other party, and by mutual agreement, amend this Agreement in such manner as such party determines necessary to comply with such law or regulation. If the other party disagrees with such amendment, it shall so notify the first party in writing within thirty (30) days of the notice. If the parties are unable to agree on an amendment within thirty (30) days thereafter, 5 then either of the parties may terminate this Agreement on thirty (30) days written notice to the other party. |
|
(c) |
Survival. The obligations of AMAGINE under Sections 5(c)(2) and the provisions of this Section 6 shall survive the termination of this Agreement. |
|
(d) |
Interpretation. Any ambiguity in this Agreement shall be resolved in favor of a meaning that permits Users to comply with the Privacy Rule. In the event of any inconsistency or conflict between this Agreement and any other agreement between the parties, the terms, provisions and conditions of this Agreement shall govern and control. In the event of an inconsistency between the provisions of this Agreement and the mandatory terms of the Privacy Rule, as may be amended from time to time by DHHS or as a result of interpretations by DHHS, a court, or another regulatory agency with authority over the parties, the interpretation of DHHS, such court or regulatory agency shall prevail. In the event of a conflict among the interpretations of these entities, the conflict shall be resolved in accordance with rules of precedence. Where provisions of this Agreement are different from those mandated by the Privacy Rule, but are nonetheless permitted by the Privacy Rule, the provisions of this Agreement shall control. |
|
(e) |
Independent Contractor. The relationship of AMAGINE with Users shall be one of independent contractor, and not an employee or agent of Users. |
|
(f) |
No Third Party Beneficiary. Nothing express or implied in this Agreement is intended to confer, and nothing herein shall confer, upon any person other than the parties and the respective successors or assigns of the parties, any rights, remedies, obligations, or liabilities whatsoever. |
|
(g) |
Governing Law/ Arbitration. This Agreement shall be governed by and construed in accordance with the laws of the State of Illinois (without regard to conflict of law provisions). Any dispute, controversy or claim arising out of or relating to this Agreement shall be settled by a single impartial arbitrator pursuant to proceedings administered by the American Arbitration Association ("AAA") under its rules for resolution of commercial disputes. If the parties are unable to agree upon an impartial arbitrator within 30 days of either party requesting arbitration, either party may apply to the AAA to make the appointment. The impartial arbitrator shall be an attorney or a retired judge and admitted to practice in Illinois. The arbitration shall be held in Chicago, Illinois. All submissions to the arbitrator, the proceedings and the award shall be confidential. The parties express their desire that the arbitration be conducted on an expedited basis with minimal discovery. The award shall be in writing and set forth the factual and legal bases for the award. The parties renounce recourse to litigation, to the extent provided by law, and intend the award to be final and binding except that judgment with respect to the award may be entered in any court having jurisdiction over the parties or their assets.
Neither party consents or agrees to any arbitration on a class or representative basis, and the arbitrator will have no authority to proceed with an arbitration on a class or representative basis. No arbitration will be consolidated with any other arbitration proceeding without the consent of all parties. Any claim or controversy as to the enforceability of this arbitration provision's restriction on a User's right to participate in or pursue a class action or classwide arbitration shall be brought only in the United States District for the Northern District of Illinois or any State of Illinois court located in Cook County, Illinois. |
|
BY CLICKING "ACCEPT" TO THE TERMS OF USE OF THE AMAGINE PORTAL, USING OR ACCESSING THE AMAGINE PORTAL, OR ACCEPTING ANY SUPPORT SERVICES FROM AMAGINE (as such term is defined above and used herein)YOU ACCEPT AND ASSENT TO ALL THE TERMS AND CONDITIONS OF THIS AGREEMENT. |
|
You may print or save a copy of these Business Associate Agreement for Your records. |
