This Health Care Information Privacy Addendum to the Paymode
Operating Rules (this "Addendum") shall apply to each Network Member:
(i) if the Network Member is a "Covered Entity," as defined
in the Health Insurance Portability and Accountability
Act of 1996, Pub. L. No. 104-191 ("HIPAA"), and it provides Paymode, or Paymode creates or receives on its behalf, at any time on or after April 14, 2003, "Protected Health Information," as defined in the Standards for Privacy of Individually Identifiable Health Information promulgated by the U.S. Department of Health and Human Services pursuant to HIPAA and codified at 45 CFR part 160 and part 164, subparts A and E (the "Privacy Rule"); or
(ii) if the Network Member is a "Business Associate," as
defined in HIPAA, of one or more Covered Entities, and it provides Paymode, or Paymode creates or receives on its behalf or on behalf of its Covered Entity customer(s), at any time on or after April 14, 2003, Protected Health Information belonging to its Covered Entity customer(s).
If the Network Member is a Covered Entity under HIPAA, this
Addendum is for the purpose of complying with the
requirement that Covered Entities enter into a "Business
Associate Agreement" with any of their service providers
that receive Protected Health Information from, or
create or receive Protected Health Information on
behalf of, the Covered Entity in the course of providing
services to the Covered Entity.
If the Network Member is a Business Associate to whom this
Addendum applies by virtue of subparagraph (ii)
above, this Addendum is for the purpose of
permitting the Network Member to comply with its obligation under
its business associate agreement(s) with its
Covered Entity customer(s) to pass on its obligations
under such agreement(s) to any third-party service
providers to whom it provides its customers' Protected
Health Information.
As Paymode, in the course of providing the Paymode Processing
Services, may be or become (i) a Network Member's
Business Associate, as defined in the Privacy Rule,
or (ii) a third-party service provider with respect
to the Network Member as the Business Associate of one or more Covered
Entities, Paymode and the Network Member (together, the "parties") agree
that this Addendum shall serve as such Business
Associate Agreement, or third-party service provider
agreement, as the case may be, for purposes of HIPAA.
Although not a Covered Entity under HIPAA, a Business
Associate to whom this Addendum applies pursuant
to the above paragraph shall be governed by the same
obligations as are set forth herein for a Covered
Entity under HIPAA.
The parties recognize that Paymode is not required
to maintain and does not maintain Protected Health
Information in a Designated Record Set as those terms
are defined in 45 CFR §164.502.
The parties hereby agree to the following terms
and conditions with respect to Protected Health Information
received from, or created or received by Paymode
on behalf of, the Covered Entity in connection with
the Service:
I. Definitions
Capitalized terms used herein, but not otherwise
defined in this Addendum, shall have the meanings
given to such terms in the Privacy Rule.
A. Individual. "Individual" shall have the
same meaning as the term "individual" in 45 CFR § 164.501
and shall include a person who qualifies as a personal
representative in accordance with 45 CFR § 164.502
(g).
B. Law. "Law" shall
mean HIPAA and all regulations promulgated thereunder.
C. Protected Health Information. "Protected
Health Information" shall have the same meaning as
the term "Protected Health Information" in 45 CFR § 164.501,
limited to the information created or received by
Paymode from or on behalf of Covered Entity.
D. Required by Law. "Required by Law" shall
have the same meaning as the term "required by law" in
45 CFR § 164.501 ("a mandate in law that compels
a covered entity to make a use or disclosure of protected
health information and that is enforceable in a court
of law").
E. Secretary. "Secretary" shall mean the Secretary of the
Department of Health and Human Services, or his or her designee.
II. Obligations and Activities of Paymode
A. No Unauthorized Disclosure. Paymode shall
not use or disclose Protected Health Information
other than in accordance with this Addendum, as
permitted by Law, or as Required by Law.
B. Safeguards. Paymode shall use reasonable
safeguards to prevent use or disclosure of the Protected
Health Information other than as provided for by
this Addendum.
C. Access to Internal Practices, Books, and Records. Upon
reasonable notice, and at Covered Entity's expense,
Paymode shall make Protected Health Information and
books and records relating to the use and disclosure
of Protected Health Information available to Covered
Entity or the Secretary in a reasonable time and
manner, for purposes of the Secretary determining
Covered Entity's compliance with the Privacy Rule.
D. Referral for Accounting of Disclosures. Paymode
shall refer to Covered Entity all requests by Individuals
for information about, or an accounting for disclosures
of, their own individual Protected Health Information
in accordance with 45 CFR § 164.528. Covered Entity
acknowledges and agrees that it, and not Paymode,
has sole responsibility for responding to such requests.
E. Documentation of Disclosures. Paymode shall use reasonable efforts to document disclosures
of Protected Health Information, other than (i) disclosures
for Treatment, Payment or Healthcare Operations,
(ii) authorized disclosures that are incidental to
another permissible disclosure, (iii) disclosures
not subject to the Law's accounting requirements,
or (iv) disclosures for other purposes permitted
by Law, including for the proper management and administration
of Paymode's business, to the extent reasonably required
for Covered Entity to respond to a request by an
Individual for an accounting for disclosures of Protected
Health Information in accordance with 45 CFR § 164.528.
Based upon the nature of the relationship between
the parties and the capacity in which Protected Health
Information is expected to be received from, or created
or received by Paymode on behalf of, Covered Entity,
the parties acknowledge that there would appear to
be no disclosed Protected Health Information that
would be subject to such an accounting.
F. Access to Documented Disclosures to be Provided. (i)
At Covered Entity's expense, Paymode shall use reasonable
efforts to provide to Covered Entity information
collected in accordance with Section II.E., if any,
to the extent reasonably required to permit Covered
Entity to respond to a request by an Individual for
an accounting of disclosures of Protected Health
Information in accordance with 45 CFR § 164.528.
G. Agreement with Subcontractors. Paymode
shall include in any written agreement with any agents,
including subcontractors, to whom it provides Protected
Health Information in connection with providing the
Service or otherwise on behalf of Covered Entity,
assurances that such Protected Health Information
will be treated and handled under conditions that
are no less stringent than those that apply to Paymode
under this Addendum.
H. Duty to Report Unauthorized Disclosures. Paymode
shall report to Covered Entity any use or disclosure
of Protected Health Information not provided for
by this Addendum and prohibited by Law of which
it becomes aware.
III. Permitted Uses and Disclosures by Paymode
A. Performance of Services for Covered Entity. Except
as otherwise provided in this Addendum, Paymode
may use or disclose Protected Health Information
(i) as is reasonably necessary to perform the Service
and any other functions, activities, or services
for, or on behalf of, Covered Entity; (ii) for the
proper management and administration of Paymode as
determined by Paymode in its sole discretion; or
(iii) as may otherwise be Required by Law or permitted
by Law.
B. Disclosure by Whistleblowers and Workforce
Member Crime Victims. Notwithstanding anything
to the contrary in this Addendum, Paymode may
use Protected Health Information to report violations
of law to appropriate Federal and State authorities,
consistent with 42 CFR § 164.502(j)(1).
C. De-identified Information. Protected
Health Information that has been de-identified
by Paymode
in accordance with 42 CFR § 164.514 may be used and
disclosed by Paymode in the normal course of its
business.
IV. Covered Entity to Obtain Authorizations
Covered Entity shall bear sole responsibility for
determining whether authorization is required to
disclose any specific Protected Health Information
to Paymode, and shall obtain proper authorization
prior to disclosing such Protected Health Information
to Paymode.
V. Permissible Requests by Covered Entity
Covered Entity agrees, represents and warrants that
it shall not provide or request Paymode to use or
disclose Protected Health Information in any manner
that would not be permissible under Law if done by
Covered Entity.
VI. Term and Termination
A. Term. The term of this Addendum shall begin on April 14,
2003, if the Service was inaugurated
prior to such date, or upon the inauguration of the
Service, if the Service was or is inaugurated after
such date (the inaugural date of the Service to be
referred to herein as the "Effective Date") and shall
continue for as long as Protected Health Information
is being exchanged by Covered Entity and Paymode,
except as this Addendum may otherwise be terminated
pursuant to Section VI.B. Protected Health Information
received from, or created or received by Paymode
on behalf of, Covered Entity prior to the Effective
Date shall be excluded from the coverage of this
Addendum.
B. Termination.
(i) Automatically: This Addendum shall terminate
automatically upon termination, for any reason,
of the Paymode Processing Services, or upon such prior date
as Covered Entity shall cease to disclose Protected
Health Information to Paymode.
(ii) For Cause: Either party may terminate this
Addendum for a material breach by the other party
if such breach is not cured within thirty (30)
days of receipt of written notice thereof.
C. Effect of Termination. Upon termination
of this Addendum, Paymode shall, if feasible, return
or destroy all Protected Health Information received
from, or created or received by Paymode on behalf
of, Covered Entity that Paymode still maintains in
any form and retain no copies of such information.
If Paymode determines that such return or destruction
is infeasible due to legal requirements, record retention
obligations, or other valid business reasons, Paymode
shall extend the protections of this Addendum to
the Protected Health Information and limit further
uses and disclosures to those purposes that make
the return or destruction of the information infeasible.
VII. General Provisions
A. Amendment. Paymode shall amend this Addendum
as necessary pursuant to the requirements of any
future HIPAA-related regulations, including but not
limited to final HIPAA security regulations, in order
to permit Covered Entity to comply with such requirements.
Paymode will prepare any necessary amendment(s) to
this Addendum and provide it/them to Covered Entity
by means of an e-mail notice to Covered Entity highlighting
the changes and by posting the changes at https://secure.paymode.com/policies.
The parties agree that such amendment shall be deemed
effective immediately upon receipt of such e-mail
notice by Covered Entity, or upon such later date
as shall be specified in the notice or in the amendment
itself.
B. Entire Agreement. This Addendum constitutes
the entire Agreement between the parties concerning
the subject matter hereof, and supersedes all prior
oral and/or written agreements between the parties
relating thereto. If there is a conflict between
this Addendum and any provision(s) of the Agreement and/or Operating Rules
that govern the Processing Services, the terms of this
Addendum shall prevail.
C. Governing Law. This Addendum is governed by and interpreted according to (i) U.S. federal law and the law of the State of New York without reference to the principles of conflicts of law of the U.S. and of such state.
D. Regulatory References. A reference in
this Addendum to a section in the Privacy Rule means
the section as in effect from time to time.
E. Survival. The obligations of the parties
under Sections II and IV of this Addendum shall
survive the termination of this Addendum until such
time as the parties have destroyed or returned all
of the Protected Health Information received from
the other.
F. Third-Party Beneficiaries. There are no
third-party beneficiaries of this Addendum and no
other person or entity shall have rights arising
from the same.
Version 2.0 (9/2009)