Paymode-X® Policies > Policies > Next Policy


Health Care Information Privacy Addendum to Paymode-X® Operating Rules

This Health Care Information Privacy Addendum to the Paymode-X Operating Rules (this "Addendum") shall apply to each Network Member:

(i) if the Network Member is a "Covered Entity," as defined in the Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191 ("HIPAA"), and it provides Paymode-X, or Paymode-X creates or receives on its behalf, at any time on or after April 14, 2003, "Protected Health Information," as defined in the Standards for Privacy of Individually Identifiable Health Information promulgated by the U.S. Department of Health and Human Services pursuant to HIPAA and codified at 45 CFR part 160 and part 164, subparts A and E (the "Privacy Rule"); or

(ii) if the Network Member is a "Business Associate," as defined in HIPAA, of one or more Covered Entities,and it provides Paymode-X, or Paymode-X creates or receives on its behalf or on behalf of its Covered Entity customer(s), at any time on or after April 14, 2003, Protected Health Information belonging to its Covered Entity customer(s).

If the Network Member is a Covered Entity under HIPAA, this Addendum is for the purpose of complying with the requirement that Covered Entities enter into a "Business Associate Agreement" with any of their service providers that receive Protected Health Information from, or create or receive Protected Health Information on behalf of, the Covered Entity in the course of providing services to the Covered Entity.

If the Network Member is a Business Associate to whom this Addendum applies by virtue of subparagraph (ii) above, this Addendum is for the purpose of permitting the Network Member to comply with its obligation under its business associate agreement(s) with its Covered Entity customer(s) to pass on its obligations under such agreement(s) to any third-party service providers to whom it provides its customers' Protected Health Information.

As Paymode-X, in the course of providing the Paymode-X Processing Services, may be or become (i) a Network Member's Business Associate, as defined in the Privacy Rule, or (ii) a third-party service provider with respect to the Network Member as the Business Associate of one or more Covered Entities, Paymode-X and the Network Member (together, the "parties") agree that this Addendum shall serve as such Business Associate Agreement, or third-party service provider agreement, as the case may be, for purposes of HIPAA.

Although not a Covered Entity under HIPAA, a Business Associate to whom this Addendum applies pursuant to the above paragraph shall be governed by the same obligations as are set forth herein for a Covered Entity under HIPAA.

The parties recognize that Paymode-X is not required to maintain and does not maintain Protected Health Information in a Designated Record Set as those terms are defined in 45 CFR 164.502.

The parties hereby agree to the following terms and conditions with respect to Protected Health Information received from, or created or received by Paymode-X on behalf of, the Covered Entity in connection with the Service:

I. Definitions

Capitalized terms used herein, but not otherwise defined in this Addendum, shall have the meanings given to such terms in the Privacy Rule.

A. Individual. "Individual" shall have the same meaning as the term "individual" in 45 CFR 164.501 and shall include a person who qualifies as a personal representative in accordance with 45 CFR 164.502 (g).

B. Law. "Law" shall mean HIPAA and all regulations promulgated thereunder.

C. Protected Health Information. "Protected Health Information" shall have the same meaning as the term "Protected Health Information" in 45 CFR 164.501, limited to the information created or received by Paymode-X from or on behalf of Covered Entity.

D. Required by Law. "Required by Law" shall have the same meaning as the term "required by law" in 45 CFR 164.501 ("a mandate in law that compels a covered entity to make a use or disclosure of protected health information and that is enforceable in a court of law").

E. Secretary. "Secretary" shall mean the Secretary of the Department of Health and Human Services, or his or her designee.

II. Obligations and Activities of Paymode-X

A. No Unauthorized Disclosure. Paymode-X shall not use or disclose Protected Health Information other than in accordance with this Addendum, as permitted by Law, or as Required by Law.

B. Safeguards. Paymode-X shall use reasonable safeguards to prevent use or disclosure of the Protected Health Information other than as provided for by this Addendum.

C. Access to Internal Practices, Books, and Records. Upon reasonable notice, and at Covered Entity's expense, Paymode-X shall make Protected Health Information and books and records relating to the use and disclosure of Protected Health Information available to Covered Entity or the Secretary in a reasonable time and manner, for purposes of the Secretary determining Covered Entity's compliance with the Privacy Rule.

D. Referral for Accounting of Disclosures. Paymode-X shall refer to Covered Entity all requests by Individuals for information about, or an accounting for disclosures of, their own individual Protected Health Information in accordance with 45 CFR 164.528. Covered Entity acknowledges and agrees that it, and not Paymode-X, has sole responsibility for responding to such requests.

E. Documentation of Disclosures. Paymode-X shall use reasonable efforts to document disclosures of Protected Health Information, other than (i) disclosures for Treatment, Payment or Healthcare Operations, (ii) authorized disclosures that are incidental to another permissible disclosure, (iii) disclosures not subject to the Law's accounting requirements, or (iv) disclosures for other purposes permitted by Law, including for the proper management and administration of Paymode-X's business, to the extent reasonably required for Covered Entity to respond to a request by an Individual for an accounting for disclosures of Protected Health Information in accordance with 45 CFR 164.528. Based upon the nature of the relationship between the parties and the capacity in which Protected Health Information is expected to be received from, or created or received by Paymode-X on behalf of, Covered Entity, the parties acknowledge that there would appear to be no disclosed Protected Health Information that would be subject to such an accounting.

F. Access to Documented Disclosures to be Provided. (i) At Covered Entity's expense, Paymode-X shall use reasonable efforts to provide to Covered Entity information collected in accordance with Section II.E., if any, to the extent reasonably required to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 CFR 164.528.

G. Agreement with Subcontractors. Paymode-X shall include in any written agreement with any agents, including subcontractors, to whom it provides Protected Health Information in connection with providing the Service or otherwise on behalf of Covered Entity, assurances that such Protected Health Information will be treated and handled under conditions that are no less stringent than those that apply to Paymode-X under this Addendum.

H. Duty to Report Unauthorized Disclosures. Paymode-X shall report to Covered Entity any use or disclosure of Protected Health Information not provided for by this Addendum and prohibited by Law of which it becomes aware.

III. Permitted Uses and Disclosures by Paymode-X

A. Performance of Services for Covered Entity. Except as otherwise provided in this Addendum, Paymode-X may use or disclose Protected Health Information (i) as is reasonably necessary to perform the Service and any other functions, activities, or services for, or on behalf of, Covered Entity; (ii) for the proper management and administration of Paymode-X as determined by Paymode-X in its sole discretion; or (iii) as may otherwise be Required by Law or permitted by Law.

B. Disclosure by Whistleblowers and Workforce Member Crime Victims. Notwithstanding anything to the contrary in this Addendum, Paymode-X may use Protected Health Information to report violations of law to appropriate Federal and State authorities, consistent with 42 CFR 164.502(j)(1).

C. De-identified Information. Protected Health Information that has been de-identified by Paymode-X in accordance with 42 CFR 164.514 may be used and disclosed by Paymode-X in the normal course of its business.

IV. Covered Entity to Obtain Authorizations

Covered Entity shall bear sole responsibility for determining whether authorization is required to disclose any specific Protected Health Information to Paymode-X, and shall obtain proper authorization prior to disclosing such Protected Health Information to Paymode-X.

V. Permissible Requests by Covered Entity

Covered Entity agrees, represents and warrants that it shall not provide or request Paymode-X to use or disclose Protected Health Information in any manner that would not be permissible under Law if done by Covered Entity.

VI. Term and Termination

A. Term. The term of this Addendum shall begin on April 14, 2003, if the Service was inaugurated prior to such date, or upon the inauguration of the Service, if the Service was or is inaugurated after such date (the inaugural date of the Service to be referred to herein as the "Effective Date") and shall continue for as long as Protected Health Information is being exchanged by Covered Entity and Paymode-X, except as this Addendum may otherwise be terminated pursuant to Section VI.B. Protected Health Information received from, or created or received by Paymode-X on behalf of, Covered Entity prior to the Effective Date shall be excluded from the coverage of this Addendum.

B. Termination.

    (i) Automatically: This Addendum shall terminate automatically upon termination, for any reason, of the Paymode-X Processing Services, or upon such prior date as Covered Entity shall cease to disclose Protected Health Information to Paymode-X.

    (ii) For Cause: Either party may terminate this Addendum for a material breach by the other party if such breach is not cured within thirty (30) days of receipt of written notice thereof.

C. Effect of Termination. Upon termination of this Addendum, Paymode-X shall, if feasible, return or destroy all Protected Health Information received from, or created or received by Paymode-X on behalf of, Covered Entity that Paymode-X still maintains in any form and retain no copies of such information. If Paymode-X determines that such return or destruction is infeasible due to legal requirements, record retention obligations, or other valid business reasons, Paymode-X shall extend the protections of this Addendum to the Protected Health Information and limit further uses and disclosures to those purposes that make the return or destruction of the information infeasible.

VII. General Provisions

A. Amendment. Paymode-X shall amend this Addendum as necessary pursuant to the requirements of any future HIPAA-related regulations, including but not limited to final HIPAA security regulations, in order to permit Covered Entity to comply with such requirements. Paymode-X will prepare any necessary amendment(s) to this Addendum and provide it/them to Covered Entity by means of an e-mail notice to Covered Entity highlighting the changes and by posting the changes at https://secure.paymode.com/policies. The parties agree that such amendment shall be deemed effective immediately upon receipt of such e-mail notice by Covered Entity, or upon such later date as shall be specified in the notice or in the amendment itself.

B. Entire Agreement. This Addendum constitutes the entire Agreement between the parties concerning the subject matter hereof, and supersedes all prior oral and/or written agreements between the parties relating thereto. If there is a conflict between this Addendum and any provision(s) of the Agreement and/or Operating Rules that govern the Processing Services, the terms of this Addendum shall prevail.

C. Governing Law. This Addendum is governed by and interpreted according to (i) U.S. federal law and the law of the State of New York without reference to the principles of conflicts of law of the U.S. and of such state.

D. Regulatory References. A reference in this Addendum to a section in the Privacy Rule means the section as in effect from time to time.

E. Survival. The obligations of the parties under Sections II and IV of this Addendum shall survive the termination of this Addendum until such time as the parties have destroyed or returned all of the Protected Health Information received from the other.

F. Third-Party Beneficiaries. There are no third-party beneficiaries of this Addendum and no other person or entity shall have rights arising from the same.

Version 2.0 (9/2009)

9/30/09