THIS BUSINESS ASSOCIATE AGREEMENT (the "Agreement"),
effective as of the sign up date on the login information page of the MDeReferral.Com website,
by and between Porteck with an office at 260 Madison Avenue, 8th Floor, New York, New York 10016
(hereinafter referred to in this Agreement as “MDeReferral.Com”) and the provider (hereinafter referred to in this Agreement
as "Covered Entity") as entered in the MDeReferral.Com’s login information page with the location(s) as indicated on said location
page (which locations are incorporated into this Agreement and made a part hereof by reference).
WHEREAS, Covered Entity (hereafter defined) shall make available and/or transfer to
Porteck Corporation d/b/a MDeReferral.Com certain information, in conjunction with services that are being provided
by Business Associate to Covered Entity, that is confidential and must be afforded confidential treatment and protection
in accordance with the Standards for Privacy of Individually Identifiable Health Information (the "Privacy Rule") under the
Health Insurance Portability and Accountability Act of 1996 and its implementing regulations, as amended ("HIPAA") and the
Health Insurance Technology for Economic and Clinical Health ("HITECH") Act, as amended;
WHEREAS, MDeReferral.Com shall have access to and/or receive from Covered Entity (hereafter defined) certain
information that can be used or disclosed only for the purposes under which such Business Associate has been retained by
the Covered Entity, and in accordance with this Agreement and the Privacy Rule.
WHEREAS, Business Associate hereby acknowledges and agrees that Covered Entity is a covered entity and that Business
Associate is a Business associate of Covered Entity under HIPAA and the HIPAA Regulations.
NOW, THEREFORE, as required by the Health Insurance Portability and Accountability Act of 1996,
("HIPAA") and the Health Insurance Technology for Economic and Clinical Health ("HITECH") Act and the
regulations promulgated thereunder (collectively the "HIPAA and HITECH Regulations"), now or as hereafter
amended, and in consideration of Covered Entity (hereafter defined) engaging MDeReferral.Com
to provide Services and for other good and valuable consideration, the receipt and sufficiency of which
is hereby acknowledged, all parties hereto hereby intending to be legally bound hereby mutually agree as follows:
1. Definitions.
a. Any terms used, but not otherwise defined, in this Agreement shall have the same meaning as those terms have under HIPAA and the
HIPAA Regulations.
b. "Business Associate" shall mean MDeReferral.Com and its agents, servants, staff and/or employees as well as and any and all
subsidiaries, subdivisions and/or related affiliates.
c. "Breach" shall have the same meaning as the term “breach” in 45 C.F.R. § 164.402.
d. "Covered Entity" shall mean the provider as entered in the login information page of the website and its respective agents, servants,
staff and/or employees as well as and any and all subsidiaries, subdivisions and/or related affiliates.
e. "HIPAA" means Title II, Subtitle F, "Administrative Simplification," of the Health Insurance Portability and Accountability Act of 1996,
Public Law 104-191.
f. "HIPAA Regulations" means the regulations promulgated under HIPAA by the United States Department of Health and Human Services, including,
but not limited to, 45 CFR Part 160 and 45 CFR part 164.
g. "Individual" shall have the same meaning as the applicable term "individual" in 45 CFR § 160.103 and/or 45 CFR § 164.501 and shall include
a person who qualifies as a personal representative in accordance with 45 CFR § 164.502(g).
h. "Law Enforcement Official" shall have the same meaning as the term "law enforcement official" in 45 C.F.R. § 164.103.
i. "Privacy Rule" shall mean the applicable Standards for Privacy of Individually Identifiable Health Information at 45 CFR Part
160 and Part 164, Subparts A and E, Health Insurance Portability and Accountability Act of 1996, ("HIPAA"), now or as hereafter amended
and the Health Insurance Technology for Economic and Clinical Health ("HITECH") Act.
j. "Protected Health Information" shall have the same meaning as the term "protected health information" in 45 CFR §164.501 and/or 45 CFR §160.103,
now or as hereafter amended, including information received from, created and/or received by Business Associate on behalf of Covered Entity including
demographic information collected from an Individual which relates to the past, present and/or future physical and/or mental health and/or condition of
an Individual, the provision of health care to an Individual, or the past, present and/or future payment for the provision of health care to an Individual,
which information identifies the Individual and/or with respect to which there is a reasonable basis upon which to believe that the information can be
used to identify the Individual, but is all limited to the extent the Protected Health Information created and/or received by the Business Associate
from or on behalf of the Covered Entity.
k. "Required by Law" shall have the same meaning as the term "required by law" in 45 CFR § 164.501 and/or 45 CFR §164.103, now or as hereafter amended.
l. "Secretary" shall mean the Secretary of the Department of Health and Human Services or his designee.
m. "Services" means those specific activities and/or functions for which Covered Entity engages Business Associate to perform for Covered
Entity and/or on Covered Entity’s behalf. Such engagement(s) may be by written and/or oral agreement entered into before or after the
date of this Agreement.
n. "Unsecured Protected Health Information" and/or "UPHI" shall have the same meaning as the term "unsecured protected health information" in
45 C.F.R. § 164.402.
o. Terms used, but not otherwise defined, in this Agreement shall have the same meaning as those terms in 45 CFR Part 160 and Part 164,
now or as hereafter amended.
2. Permitted Uses and Disclosures By Business Associate.
a. Except as otherwise limited in this Agreement, Business Associate shall:
(i) Except as otherwise expressly limited in this Agreement, if applicable, use and disclose Protected Health Information to perform
Services provided that such use or disclosure would not violate the Privacy Rule if done by Covered Entity;
(ii) Except as otherwise expressly limited in this Agreement, if applicable, use Protected Health Information for purposes of the proper
management and administration of Business Associate or to carry out Business Associate’s legal responsibilities;
(iii) Except as otherwise expressly limited in this Agreement, if applicable, disclose Protected Health Information for purposes of
the proper management and administration of the Business Associate and to carry out Business Associate’s legal responsibilities, provided
such disclosure(s) is/are required by law or if Business Associate obtains reasonable assurances from the person to whom the information
is disclosed that it will be held confidential and used or further disclosed only as required by law or for the purpose for which it was
disclosed to the person and the person notifies the Business Associate of any instances of which it is aware in which the confidentiality
of the information has been breached; and/or
(iv) Use Protected Health Information to provide Data Aggregation services to Covered Entity as permitted by 42 CFR §164.504(e)(2)(i)(B).
3. Business Associate’s Obligations.
a. As required by the HIPAA and/or HITECH Regulations, Business Associate shall:
(i) Not use or disclose Protected Health Information other than as expressly permitted or required by this Agreement or as required by law;
(ii) Not use or disclose Protected Health Information more than the minimum amount of information necessary for the purpose of the use or disclosure;
(iii) Use appropriate safeguards to prevent the use and/or disclosure of Protected Health Information other than as expressly provided for by this
Agreement, and implement Administrative, Physical, and Technical Safeguards that reasonably and appropriately protect the confidentiality,
integrity and availability of any Electronic Protected Health Information that Business Associate creates, receives, maintains, and/or transmits
on behalf of Covered Entity;
(iv) Mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use and/or disclosure of Protected Health
Information by Business Associate in violation of the requirements of this Agreement;
(v) Promptly report to Covered Entity any Security Incident of which Business Associate becomes aware, as well as any use or disclosure of
Protected Health Information that is in violation of the requirements of this Agreement; Business Associate agrees to report to Covered
Entity any use or disclosure of the Protected Health Information not provided for by this Agreement of which it becomes aware;
(vi) Ensure that any agents, including a subcontractor, to whom Business Associate provides Protected Health Information, agrees to the same
restrictions and conditions that apply through this Agreement to Business Associate with respect to such Protected Health Information;
(vii) If applicable, provide access, at the request of Covered Entity, to Protected Health Information in a Designated Record Set
(as that term is defined in 45 CFR § 164.501), to Covered Entity or, as directed by Covered Entity, to an Individual in order to permit
Covered Entity to meet the requirements under 45 CFR § 164.524;
(viii) If applicable, make any amendment(s) to Protected Health Information in a Designated Record Set that the Covered Entity directs or agrees to
pursuant to 45 CFR §164.526 at the request of Covered Entity or an Individual, and in the time and manner designated by Covered Entity;
(ix) Document such disclosures of Protected Health Information and information related to such disclosures as would be required for Covered Entity
to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 CFR § 164.528 now or
as hereafter amended;
(x) Provide to Covered Entity or, as directed by Covered Entity to an Individual, information collected in accordance with this Agreement, to permit
Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 CFR §164.528
now or as hereafter amended;
(xi) Make Business Associate’s internal practices, books and records relating to the use and disclosure of Protected Health Information available to
the Secretary of Health and Human Services for purposes of determining the Covered Entity’s compliance with HIPAA and/or HITECH and the related
Regulations;
(xii) Business Associate agrees to report in writing the discovery of a Breach of UPHI to Covered Entity as soon as is practicable, but in no event
later than three (3) calendar days from the date of the discovery. Pursuant to HITECH and/or HIPAA, a Breach of UPHI shall be considered "discovered"
as of the first day on which the Breach is known, or by exercising reasonable diligence would have been known to Business Associate or any employee,
officer or other agent of Business Associate (other than the individual(s) committing the Breach). A report of a Breach of UPHI by Business Associate
to Covered Entity must include the identification of each individual whose PHI has been, or is reasonably believed by Business Associate to have been,
accessed, acquired or disclosed during the Breach; a description of what happened, including the date of the Breach and the date of discovery of the
Breach, if known; a description of the types of UPHI that were involved in the Breach along with the potential negative consequences the dissemination
may cause; a description of what Business Associate is doing to investigate the Breach, to mitigate harm to affected individuals and to protect
against any further Breaches; and contact information for an individual at Business Associate whom Covered Entity can contact for more information.
If any of this information is not available at the time Business Associate notifies Covered Entity of the Breach of UPHI, Business Associate shall
report the information to Covered Entity as soon as it becomes available, regardless of the amount of time that has passed since Business Associate
provided Covered Entity with notice of the Breach or whether Covered Entity has already provided notice of the Breach to affected individuals.
After receiving the above-referenced report from Business Associate, Covered Entity will make any further report of a Breach of UPHI by Business
Associate to affected individuals, the media and/or the Secretary that is required by HIPAA and/or HITECH. In accordance with the HITECH and/or
HIPAA, notwithstanding anything in this Section 3 to the contrary, Business Associate may temporarily delay notification of a Breach of UPHI to
Covered Entity in the event Business Associate is instructed to do so by a Law Enforcement Official. Business Associate shall implement systems,
policies and procedures that are reasonably calculated to detect Breaches of UPHI;
(xiii) Business Associate hereby agrees to ensure that any agent, including a subcontractor, to whom it provides PHI received from, or created,
or received by Business Associate on behalf of the Covered Entity, agrees to the same terms, conditions and restrictions that apply through this
Agreement to Business Associate with respect to such information;
(xiv) Business Associate hereby agrees to provide access, at the request of the Covered Entity, and in the time and manner designated by the Covered
Entity, to PHI in a Designated Record Set (as that term is defined in 45 C.F.R. § 164.501), to Covered Entity or, as directed by the Covered Entity,
to an Individual, in order to meet the requirements under the Privacy Rule;
(xv) Business Associate agrees to make any amendment(s) to PHI in a Designated Record Set that the Covered Entity directs or agrees to pursuant to
the Privacy Rule at the request of the Covered Entity or an Individual, and in the time and manner designated by the Covered Entity;
(xvi) Business Associate hereby agrees to make its internal practices, books, and records relating to the use or disclosure of PHI received from,
or created or received by Business Associate on behalf of the Covered Entity, available to the Covered Entity, or at the request of the Covered
Entity, to the Secretary, in a time and manner designated by the Covered Entity, or the Secretary, for purposes of the Secretary determining the
Covered Entity’s compliance with the Privacy Rule;
(xvii) Business Associate agrees to document such disclosures of PHI and information related to such disclosures as would be required for
Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with the Privacy Rule.
Business Associate agrees to provide to Covered Entity or an Individual, in a reasonable timeframe, information collected in accordance
with this Section, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance
with the Privacy Rule;
(xviii) Business Associate agrees and understands that it must develop and implement a system of sanctions for any employee, subcontractor or
agent who violates this Agreement, HITECH and/or HIPAA; and
(xix) The provisions of this Section 3 shall survive the termination of this Agreement.
4. Obligation of the Covered Entity.
a. Covered Entity agrees to provide Business Associate with its Notice of Privacy Practices that the Covered Entity must post in accordance
with the Privacy Rule. Covered Entity also agrees to provide Business Associate with any changes to that Notice.
b. Covered Entity agrees to provide Business Associate with any changes in, or revocation of, permission by an Individual to use or
disclose PHI, if such changes affect Business Associate’s permitted uses and disclosures.
c. Covered Entity agrees not to request Business Associate to use or disclose PHI in any manner that would not be permissible under the
Privacy Rule.
d. Covered Entity agrees to notify Business Associate of any restriction to the use or disclosure of PHI that Covered Entity has agreed
to in accordance with the Privacy Rule to the extent that such restrictions may affect Business Associate’s use or disclosure of PHI.
5. Term.
a. The term of this Agreement shall be effective as of the date first set forth above and shall terminate when all of the Protected Health
Information is destroyed or returned to Covered Entity, or, if it is unfeasible to return or destroy Protected Health Information,
protections are extended to such information, in accordance with the termination provisions in this Agreement; and
b. Upon Covered Entity’s knowledge of a material breach of this Agreement by Business Associate, Covered Entity shall provide a reasonable
opportunity for Business Associate to cure the breach, and Covered Entity may terminate this Agreement (and, if applicable, any agreement
pursuant to which Services are provided) if Business Associate does not cure the breach within a reasonable amount of time after notice
is provided to the Business Associate, or may immediately terminate this Agreement (and, if applicable, any agreement pursuant to which
Services are provided) if Business Associate has breached a material term of this Agreement and cure is not possible. Business Associate
shall be required to mitigate the damages caused by its breach whether or not Covered Entity terminates this Agreement.
6. Effect of Termination.
a. Except as otherwise expressly set forth in this Agreement, upon termination of this Agreement for any reason, Business Associate shall
return or destroy all Protected Health Information received from Covered Entity, or created or received by Business Associate on behalf
of Covered Entity. This provision shall also apply to Protected Health Information that is in the possession of subcontractors or agents
of Business Associate. Business Associate shall retain no copies of the Protected Health Information. This provision shall survive termination
or expiration of this Agreement for any reason; and
b. In the event that Business Associate determines that returning or destroying Protected Health Information is unfeasible, Business Associate
shall provide to Business Associate notification of the conditions that make return or destruction infeasible. Upon delivering such notification
that return or destruction of Protected Health Information is infeasible, Business Associate shall extend the protections of this Agreement to
such Protected Health Information and limit further uses and disclosures of such Protected Health Information to those purposes that make the
return or destruction unfeasible, for so long as Business Associate maintains such Protected Health Information. This provision shall survive
termination or expiration of this Agreement for any reason.
7. Re-Negotiation.
a. The parties agree to negotiate in good faith any modification to this Agreement that may be necessary or required to ensure consistency
with amendments to and changes in applicable Federal and State laws and regulations, including but not limited to, the HIPAA and/or
HITECH Regulations. The Parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for
Covered Entity to comply with the requirements of the Privacy Rule and the Health Insurance Portability and Accountability Act of 1996,
Pub. L. No. 104-191 and the Health Insurance Technology for Economic and Clinical Health Act.
8. Miscellaneous Provisions.
a. A reference in this Agreement to a section in the HIPAA and/or HITECH Regulations means the section as now in effect or as hereafter amended.
This Agreement constitutes the entire Agreement between Covered Entity and Business Associate regarding the subject matter hereof and supersedes
and controls over any and all oral or written proposals, purchase orders, representations, understandings and/or agreements, if any, previously
made and/or existing with respect to any matter contained in this Agreement and none of the same have been relied upon by any party hereto.
Without limiting the generality of the foregoing, in the event of a conflict between the terms of this Agreement and any prior agreement
(written or oral) pursuant to which Business Associate is providing Services, the terms of the Agreement shall be controlling and such prior
agreement shall be deemed to be amended hereby to the extent necessary to resolve such conflict. Any ambiguity in this Agreement shall be resolved
in favor of a meaning that requires or permits Covered Entity to comply with the HIPAA and/or HITECH Regulations. Subject to HIPAA and/or HITECH,
this Agreement shall be governed by and construed in accordance with the laws of the State of New York applicable to agreements made and to be
performed entirely within such State, without regard to principles of conflicts of law. Nothing express or implied in this Agreement is intended
to confer, nor shall anything herein confer, upon any person other than Covered Entity, Business Associate and their respective successors or assigns,
any rights, remedies, obligations or liabilities whatsoever. All title to the physical medical records, medical charts and other PHI shall remain
the sole property of Covered Entity. Covered Entity and Business Associate agree that amendment of this Agreement may be required to ensure that
Covered Entity and Business Associate comply with changes to State and/or Federal laws and regulations relating to the privacy, security, and
confidentiality of PHI. Covered Entity may terminate this Agreement upon 14 days written notice in the event that Business Associate does not
promptly enter into an amendment that Covered Entity, in its sole discretion, deems sufficient to ensure that Covered Entity will be able to comply
with such laws and regulations. Nothing in this Agreement shall be construed to require Business Associate to use or disclose Protected Health
Information without a written authorization from an individual who is a subject of the Protected Health Information, or written authorization from
any other person, where such authorization would be required under state law for such use or disclosure. Covered Entity and Business Associate agree
that any violation of the provisions of this Agreement may cause irreparable harm to Covered Entity. Accordingly, in addition to any other remedies
available to Covered Entity at law, in equity, or under this Agreement, Covered Entity shall be entitled to an injunction or other degree of specific
performance with respect to any violation of this Agreement or explicit threat thereof; without any bond or other security being required and without
the necessity of demonstrating actual damages. To the extent that any provisions of this Agreement conflict with the provisions of any other agreement
or understanding between the parties, this Agreement shall control.
IN WITNESS WHEREOF, the parties have agreed to this Agreement with the intention to be legally bound hereby on the date indicated on the login
information page of the MDeReferral.Com’s website by clicking on the check box on MDeReferral.Com’s Login Information page of said website.