HIPAA BUSINESS ASSOCIATE ADDENDUM
This HIPAA Business Associate Addendum (this "Addendum") is made and entered into in conjunction with the Recon Services Exhibit which is contained in the Inmar Customer Agreement (the "Underlying Contract"), by and between Client ("Covered Entity") and Inmar Rx Solutions, Inc. ("Business Associate") (each, a "Party" and collectively, the "Parties").
BACKGROUND AND PURPOSE.
The Parties have entered into the Underlying Contract pursuant to which Business Associate performs functions or activities for, or provides services to, Covered Entity that involve the use and disclosure of Protected Health Information (as defined below). In connection with the Underlying Contract, the Parties wish to execute this Addendum (1) to ensure Covered Entity's and Business Associate's compliance with health information privacy and security rules promulgated under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and codified at 45 C.F.R. Part 160 and Part 164, subparts A and C (the "Security Rule"), subparts A and D (the "Breach Notification Rule"), and subparts A and E (the "Privacy Rule"), all as applicable and as amended and clarified by guidance issued pursuant thereto, and (2) to ensure that Business Associate protects the privacy and security of Protected Health Information as further provided herein. This Addendum is intended to apply to any existing relationships between Covered Entity and Business Associate involving the exchange of Protected Health Information and supersedes any previous Business Associate Addendums entered into by the Parties.
DEFINITIONS.
Unless otherwise defined in this Addendum, all capitalized terms used in this Addendum have the meanings ascribed to them in HIPAA, the Privacy Rule, the Security Rule, and the Breach Notification Rule; provided, however, that "Protected Health Information" or "PHI" shall mean Protected Health Information limited to the information Business Associate received from, or created, maintained, transmitted, or received on behalf of, Covered Entity.
OBLIGATIONS OF THE PARTIES WITH RESPECT TO PHI.
Obligations of Business Associate.
With regard to its use and disclosure of PHI, Business Associate agrees to:
- not use or further disclose PHI other than as permitted or required by this Addendum or as Required by Law.
- use appropriate safeguards to prevent use or disclosure of PHI other than as provided for by this Addendum. Without limiting the generality of the foregoing, Business Associate will:
  - implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of electronic PHI (or "EPHI") that it receives from, or creates, receives, maintains, or transmits on behalf of, Covered Entity;
  - ensure that any agent of Business Associate, including a subcontractor, to whom Business Associate provides such EPHI agrees in writing to implement substantially the same safeguards and other measures to protect such EPHI as set forth in this Addendum; and
  - report to Covered Entity any Security Incident, as defined in 45 CFR § 164.304, of which Business Associate becomes aware. Notwithstanding the foregoing sentence, the Parties recognize and agree that there are likely to be unsuccessful attempts to access, use, disclose, modify or destroy EPHI without authorization ("Unsuccessful Security Incident") that do not necessitate reporting or mitigation because such an Unsuccessful Security Incident does not compromise EPHI. Therefore, the Parties agree that Unsuccessful Security Incidents do not need to be reported at all and will not be reported. Among other examples, the Parties consider the following to be illustrative of Unsuccessful Security Incidents when they do not result in actual unauthorized access, use, disclosure, modification or destruction of EPHI, or interference with an information system:
    - Pings on Business Associate's firewall,
    - Port scans,
    - Attempts to log on to a system or enter a database with an invalid password or username,
    - Denial-of-service attacks that do not result in a server being taken off-line, and
    - Malware (worms, viruses, etc.).
- report to Covered Entity any use or disclosure of PHI in violation of this Addendum, as well as any incident which, in Business Associate's view, compromises the security of PHI, of which Business Associate becomes aware.
- ensure that any agent, including any subcontractor, to whom Business Associate provides PHI agrees in writing to substantially the same restrictions and conditions on the use and disclosure of PHI that apply to Business Associate pursuant to this Addendum.
- make available, within thirty (30) days of a request by Covered Entity, any and all PHI required for Covered Entity to respond to an Individual's request for access to PHI about them in accordance with 45 C.F.R. 164.524. If Covered Entity requests that PHI be provided in an electronic format, Business Associate will provide PHI in such electronic format if the PHI is readily producible by Business Associate in such electronic format. Business Associate may charge Covered Entity a mutually agreed upon fee for processing a request which requires data or reporting outside Business Associate's standard.
- make available, within sixty (60) days of a request by Covered Entity, PHI for amendment and incorporate any such amendment as directed by Covered Entity to allow Covered Entity to comply with 45 C.F.R. 164.526. Business Associate may charge Covered Entity a mutually agreed upon fee for processing a request which requires data or reporting outside Business Associate's standard.
- document any and all disclosures of PHI by Business Associate or its agents, including subcontractors, as well as any other information related to such disclosures of PHI that would be required for Covered Entity to respond to an Individual's request for an accounting of disclosures in accordance with 45 C.F.R. 164.528. Business Associate may charge Covered Entity a mutually agreed upon fee for processing a request which requires data or reporting outside Business Associate's standard.
- make available, in the form, time, and manner reasonably requested by Covered Entity, any and all information documented in accordance with subsection 3.1.7.
- make available to the Secretary of the U.S. Department of Health and Human Services ("HHS") any and all internal practices and records of Business Associate or its agents, including subcontractors, relating to the use and disclosure of PHI, for purposes of determining Covered Entity's compliance with the Privacy Rule.
- comply with the Security Rule.
- unless a use, disclosure, or request is exempt from the Minimum Necessary standard as specified in 45 C.F.R. 164.502(b)(2), use, disclose, and request only the Minimum Necessary PHI in order to accomplish the intended purpose of the use, disclosure, or request, consistent with the terms of the Underlying Contract.
- not, directly or indirectly, receive remuneration in exchange for Covered Entity's PHI unless Business Associate or Covered Entity has obtained an authorization from the subject individual(s) which complies with all applicable requirements of HIPAA, or unless an exception specified in 45 C.F.R. 164.502(a)(5)(ii) applies.
- to the extent Business Associate has agreed to carry out any of the Covered Entity's obligations under the Privacy Rule, comply with the requirements of the Privacy Rule that apply to Covered Entity in the performance of such obligations.
Permitted Uses and Disclosures of PHI by Business Associate.
Except as otherwise specified in this Addendum, Business Associate may make any and all uses and disclosures of PHI necessary to perform its obligations under the Underlying Contract. Unless otherwise limited by this Addendum, Business Associate may also:
- use the PHI in its possession for its proper management and administration or to carry out the legal responsibilities of Business Associate;
- disclose the PHI in its possession to a third party for the purpose of Business Associate's proper management and administration or to carry out the legal responsibilities of Business Associate, provided that the disclosures are Required by Law or that Business Associate has obtained reasonable assurances from the third party to whom PHI is to be disclosed that the PHI will be held confidentially and the third party has agreed to notify Business Associate of any instances of which it becomes aware in which the confidentiality of the information has been breached;
- provide Data Aggregation services relating to the Health Care Operations of the Covered Entity as permitted by the Privacy Rule;
- process and use and disclose PHI consistent with the terms of properly executed HIPAA authorizations made by patients in accordance with 45 C.F.R. 164.508 and process and use and disclose PHI consistent with the terms of properly executed access requests made by patients in accordance with 45 C.F.R. 164.524; and
- de-identify PHI in accordance with 45 C.F.R. 164.514 and use such de-identified information on Business Associate's own behalf.
Obligations of Covered Entity.
Covered Entity agrees to notify Business Associate in writing of any restrictions on uses and disclosures of PHI to which Covered Entity agrees that will impact in any manner the use and/or disclosure of that PHI by Business Associate under this Addendum. Covered Entity agrees to notify Business Associate in writing of any changes in, or revocation of, permission by an Individual to use or disclose PHI that will impact in any manner the use and/or disclosure of that PHI by Business Associate under this Addendum. Covered Entity agrees to notify Business Associate in writing of any changes in its Notice of Privacy Practices that will impact in any manner the use and/or disclosure of PHI by Business Associate under this Addendum.
Breach of Unsecured Protected Health Information.
As required by the Breach Notification Rule, as it may be amended from time to time, Business Associate shall maintain systems to monitor and detect a Breach of Unsecured PHI, whether the Unsecured PHI is in paper or electronic form. Business Associate shall provide to Covered Entity notice of a Breach of Unsecured PHI within thirty (30) days of the first day the Breach is known, or reasonably should have been known, to Business Associate, including for this purpose any employee, officer, or other agent of Business Associate (other than the individual committing the Breach). The notice shall include, to the extent possible, the identification of each individual whose Unsecured PHI was, or is reasonably believed to have been, subject to the Breach and the circumstances of the Breach, as both are known to Business Associate at that time. To the extent possible, the description of the circumstances of the Breach shall include: (1) a brief description of what happened, including the date of the Breach and the date of the discovery of the Breach; (2) a description of the types of Unsecured PHI that were involved in the Breach; and (3) a brief description of what Business Associate is doing to investigate the Breach, to mitigate harm to individuals, and to protect against any further Breaches. The notice shall be given in writing to Covered Entity's Privacy Officer or other contact provided by Covered Entity. Following the notice, Business Associate shall conduct such further investigation and analysis as is reasonably required, and shall promptly advise Covered Entity of additional information pertinent to the Breach which Business Associate obtains. Business Associate shall cooperate with Covered Entity to determine whether the Breach requires notification under the Breach Notification Rule. 
Covered Entity is responsible for providing notifications required by the Breach Notification Rule in a timely manner, provided that Covered Entity shall consult with Business Associate as needed regarding the details of such notifications.
Marketing.
In the event Business Associate engages in any marketing or fundraising communications for or on behalf of Covered Entity, Business Associate shall comply with the requirements of the Privacy Rule applicable to marketing and fundraising communications.
Effect of Changes to HIPAA, the Privacy Rule, Security Rule, or Breach Notification Rule.
To the extent that any relevant provision of HIPAA, the Privacy Rule, the Security Rule, or the Breach Notification Rule is amended in a manner that materially changes the obligations of Business Associate or Covered Entity that are embodied in the terms of this Addendum, the Parties agree to negotiate in good faith appropriate amendment(s) to this Addendum in order to give effect to such revised obligations. If the Parties cannot agree on an amendment to this Addendum, either Party may terminate this Addendum and the Underlying Contract upon sixty (60) days written notice to the other Party or upon such lesser notice as may be required by applicable law.
Limitation.
The terms of limitation of liability shall be as set forth in the Underlying Contract signed by the Parties.
TERMINATION.
Upon either Party's knowledge of a material breach of the terms of this Addendum by the other Party, the non-breaching Party shall provide the breaching Party written notice of that breach in sufficient detail to enable the breaching Party to understand the specific nature of that breach and afford the breaching Party an opportunity to cure the breach. If the breaching Party fails to cure the breach within a reasonable time as specified by the non-breaching Party, the non-breaching Party may terminate this Addendum and the Underlying Contract upon sixty (60) days written notice to the breaching party or upon such lesser notice as may be required by applicable law.
Upon the termination of this Addendum, Business Associate shall return to Covered Entity or destroy any and all PHI and EPHI in the possession or control of Business Associate and its agents, including subcontractors, and retain no copies, if it is feasible to do so. If Business Associate determines that return or destruction of PHI and EPHI is infeasible, Business Associate agrees to: (a) provide written notification to Covered Entity of the conditions that make such return or destruction infeasible; and (b) for so long as Business Associate or its agents, including subcontractors, maintain such PHI or EPHI, (i) extend all protections contained in this Addendum to the use and/or disclosure of any retained PHI or EPHI by Business Associate or its agents, including subcontractors, and (ii) limit any further uses and/or disclosures of such PHI or EPHI by Business Associate or its agents, including subcontractors, to the purposes that make the PHI's or EPHI's return or destruction infeasible.
Each Party hereto acknowledges its agreement to the foregoing by due execution of the Underlying Contract by its respective authorized representative.