LAST UPDATED: May 21, 2020
INTRODUCTION
The purpose of these HIPAA Privacy Policies (hereinafter referenced as the “Privacy Policies”) is to protect the confidentiality, privacy, and security of Protected Health Information (“PHI”) that Clear Health Strategies, LLC (“Company”) uses, maintains, or discloses pursuant to the Health Insurance Portability and Accountability Act of 1996, any amendments thereto, and all rules and regulations promulgated thereunder, including the “Privacy Rule” at 45 CFR Parts 160, 162, and 164, as amended (collectively, “HIPAA”).
Company is considered a Business Associate under HIPAA because it creates, receives, maintains, or transmits PHI on behalf of health plans (each a “Covered Entity” and collectively, the “Covered Entities”), as part of services it provides.
Company has adopted these Privacy Policies in order to comply with the Privacy Rule and other HIPAA requirements, and to protect the confidentiality of PHI.
These Privacy Policies are subject in all respects to additional or more restrictive requirements under applicable state law and any Business Associate Agreement between Company and a Covered Entity. Various state laws may also apply.
Responsibilities
Unless otherwise specified, the Privacy Officer and his or her designee(s) (collectively, the “Privacy Officer”) are responsible for implementing the Privacy Policies contained herein.
Please contact the Privacy Officer if you have any questions about these Privacy Policies.
DEFINED TERMS
All terms used but not otherwise defined in these Privacy Policies shall have the same meaning as those terms are defined under HIPAA. The below definitions apply only to use of the defined terms in these Privacy Policies and not to any other policies of Company.
“Breach” means an unauthorized acquisition, access, use, or disclosure of Unsecured PHI that compromises the security or privacy of such information. An unauthorized acquisition, access, use, or disclosure of Unsecured PHI is presumed to be a reportable Breach unless, after conducting a risk assessment, Company has demonstrated that there is a low probability that PHI has been compromised. The term “Breach” does not include:
A. Any unintentional acquisition, access, or use of PHI by a Workforce Member, an individual acting under the authority of Company, or a Business Associate, if such acquisition, access, or use was made (1) in good faith, (2) within the course and scope of their authority with Company or a Business Associate, and (3) such information is not further used or disclosed in a manner not permitted by the HIPAA Privacy Rule; or
B. Any inadvertent disclosure by a person who is authorized to access PHI at Company or a Business Associate to another person authorized to access PHI at Company or a Business Associate, where any information received as a result of such disclosure is not further used or disclosed in a manner not permitted by the HIPAA Privacy Rule; or
C. A disclosure of PHI where Company or Business Associate has a good-faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.
“Business Associate” or “BA” means an entity that provides, other than in the capacity of a member of the workforce of Company, services for or on behalf of Company, in which the provision of the service involves the access, use, or disclosure of PHI from Company or from another Business Associate of Company.
“Business Associate Agreement” or “BAA” means a written agreement between Company and a Covered Entity which sets forth requirements to ensure that Company will appropriately use and safeguard PHI.
“Covered Entity” means a Covered Entity or a Business Associate under HIPAA to which Company provides services involving the access, use, or disclosure of PHI from the Covered Entity or Business Associate.
“De-Identified Information” means health information that does not identify an Individual and is not subject to HIPAA or these Privacy Policies insofar as it comports with 6.1 – Creation, Use, and Disclosure of De-Identified Information.
“Designated Record Set” means a group of records maintained by or for Company that (a) consists of the medical records and billing records about Individuals maintained by or for Company; or (b) is used, in whole or in part, by or for Company to make decisions about Individuals.
For purposes of this definition, the term “record” means any item, collection, or grouping of information that includes PHI and is maintained, collected, used, or disseminated by or for Company.
“Financial Remuneration” or “Remuneration” means direct or indirect payment from or on behalf of a third party whose product or service is being described. Direct or indirect payment does not include any payment for treatment of an Individual. Financial Remuneration does not include nonfinancial benefits, such as in-kind benefits, provided to Company in exchange for making a communication about a product or service.
“Individual” means a person who is receiving services from Company and whose PHI is protected by these Privacy Policies. A Personal Representative of an Individual must be treated the same as an Individual with respect to the Individual’s PHI.
“Individually Identifiable Health Information” means health information created or received by a health care provider, health plan, or health care clearinghouse, which relates to: (a) the past, present, or future physical or mental health or condition of an Individual; (b) the provision of health care to an Individual; or (c) the past, present, or future payment for the provision of health care to an Individual, where such information either identifies the Individual, or with respect to which there is a reasonable basis to believe the information can be used to identify the Individual.
“Limited Data Set” means PHI that excludes identifiers of the Individual or of relatives, employers, or household members of the Individual, specifically names, postal address information (other than city or town, state, and zip code), telephone numbers, fax numbers, email addresses, Social Security numbers, medical record numbers, health plan beneficiary numbers, account numbers, certificate/license numbers, vehicle identifiers and serial numbers (including license plate numbers), device identifiers and serial numbers, web universal resource locators (URLs), Internet Protocol (IP) address numbers, biometric identifiers (including finger and voice prints), and full face photographic images and any comparable images.
“Marketing” means to make a communication about a product or service that encourages recipients of the communication to purchase or use the product or service.
“Personal Representative” means a person who has legal authority to make health care decisions on behalf of the Individual, for example, a parent or legal guardian.
“Privacy Officer” means the individual designated by Company as Privacy Officer, or his or her designee.
“Protected Health Information” or “PHI” means Individually Identifiable Health Information that the Company transmits or maintains in Electronic Media or any other form or medium. PHI does not include Individually Identifiable Health Information contained in education records or employment records held by the Company in its role as employer, and Individually Identifiable Health Information regarding a person who has been deceased for more than 50 years. This includes electronic PHI (“e-PHI”) and hardcopy formats of PHI.
“Research” means a systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge.
HIPAA Privacy Policies Defined Terms
“Safe Harbor Methodology” is a method Company may use to determine that health information is De-Identified. This method specifies that identifying characteristics, such as but not limited to names and unique numbers, geographic identifiers, unique dates, and records unique to an Individual, are removed.
“Secretary” means the Secretary of the United States Department of Health and Human Services.
“Software” means the HIPAA-compliant software used by the Company and through which the Company electronically transmits PHI.
“Subcontractor” means a person to whom Company delegates a function, activity, or service, other than in the capacity of a Workforce Member of Company.
“Subcontractor Business Associate Agreement” or “Sub-BAA” means a BAA which sets forth requirements to ensure that the Subcontractor will appropriately use and safeguard PHI.
“Unsecured PHI” means PHI that is not encrypted or otherwise rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Secretary.
“Workforce” or “Workforce Member” means employees, volunteers, trainees, and other persons whose conduct, in the performance of work for Company, is under the direct control of Company, whether or not they are paid directly by Company.
SECTION 1: PRIVACY OFFICER AND ACCESS CONTROLS
1.1 Privacy Officer Designation and Duties
Company must designate an individual as Privacy Officer who is responsible for the development and implementation of Company Privacy Policies.
PROCEDURE:
A. Designation
1. The governing body of Company will identify the individual it believes is qualified to act as Privacy Officer for Company.
2. Company Privacy Officer may be contacted as set forth here and in Exhibit B:
Name: Maris Mejia
Address: 9990 Coconut Road, #301, Bonita Springs, FL 34135
Telephone Number: (847) 840-3118
Email Address: [email protected]
B. Duties include, but are not limited to:
1. Implementing Company Privacy Policies related to the use and disclosure of PHI, as required under HIPAA;
2. Developing, as appropriate, additional Privacy Policies of Company related to the Privacy Rule;
3. Developing and implementing Company privacy training and awareness programs;
4. Overseeing requests related to PHI;
5. Monitoring ongoing compliance with Company Privacy Policies;
6. Receiving, investigating, and responding to complaints and inquiries regarding Company compliance with the applicable provisions of HIPAA;
7. Providing further information about matters covered by a Covered Entity’s Notice of Privacy Practices and any changes made to Privacy Policies;
8. Overseeing compliance with Business Associate Agreements between Company and a Covered Entity;
9. Monitoring new developments in health information privacy law; and
10. Delegating any of the above to a Workforce Member.
1.2 Authorized Access Control
Privacy Officer must implement a means of controlling and validating a Workforce Member’s access to facilities, including remote access, where PHI may be accessed, based on the Workforce Member’s role or function.
SECTION 2: GENERAL USES AND DISCLOSURES
2.1 General Uses and Disclosures of PHI
Generally, Company will only use or disclose PHI if the use or disclosure is permitted by HIPAA and the applicable BAA, which may include:
1. On behalf of, or to provide services to, a Covered Entity pursuant to the parties’ respective service agreements, if such use or disclosure of PHI would not violate HIPAA if done by the Covered Entity or Company, applicable state law, or the terms of the applicable BAA (see 3.1 – Disclosures by Covered Entities Not Requiring Authorization);
2. When required by law (see 3.3 – Uses and Disclosures Required by Law);
3. For the proper management and administration of Company’s business;
4. To provide data aggregation services relating to the health care operations of a Covered Entity; and
5. When PHI is De-Identified in accordance with HIPAA and these Privacy Policies (see 6.1 – Creation, Use, and Disclosure of De-Identified Information).
Workforce Members may use and disclose PHI as set forth in this Privacy Policy, including for those purposes set forth in Sections 3 and 4, and in accordance with their professional job duties.
Workforce Members may not access, use, or disclose PHI, including the medical records of his or her family members, for personal purposes, or for any other reason outside the scope of his or her job function.
PROCEDURE:
A. Workforce Members should only use or disclose PHI as permitted by these Privacy Policies and the applicable BAA. Workforce Members may contact Privacy Officer with questions.
B. When disclosing PHI, the minimum necessary PHI should be disclosed (see 2.3 – Minimum Necessary Standard).
2.2 Incidental Disclosures of PHI
Incidental disclosures are disclosures of PHI that occur as a byproduct of a permissible use or disclosure, are limited in nature, and cannot be prevented through reasonable measures. Incidental disclosures do not violate the Privacy Policies as long as:
A. Reasonable and appropriate measures were taken to prevent the incidental disclosure; and
B. The disclosure resulted from a use or disclosure that is otherwise permissible under the Privacy Policies.
2.3 Minimum Necessary Standard
When using or disclosing PHI for a purpose authorized under these Privacy Policies, Company will make reasonable efforts to ensure that it accesses, uses, or discloses only the minimum amount of PHI required. A more stringent standard for what constitutes the minimum necessary amount of PHI may be set forth in, or disclosure of the minimum necessary may be prohibited by, a BAA between Company and the applicable Covered Entity.
PROCEDURE:
A. Workforce Members should use the minimum amount of PHI in all uses and disclosures of PHI unless the use or disclosure is for treatment or meets another exception. Workforce Members should consider the following when determining the minimum amount of PHI to be used or disclosed:
1. The purpose of the request;
2. Any potential harm that may result to the Individual, Company, or a third party as a result of the use or disclosure;
3. The relevancy of the information requested; and
4. Whether appropriate measures have been taken to prevent incidental disclosures.
B. The minimum necessary standard does not apply in the following circumstances, unless a BAA between Company and a Covered Entity provides otherwise:
1. Disclosures to, or requests by, a health care provider for an Individual’s treatment;
2. Uses by, or disclosures to, the Individual or his or her legal representative;
3. When the Individual has signed an authorization form permitting the use or disclosure of such PHI;
4. Disclosures to the Secretary for HIPAA compliance purposes by Privacy Officer;
5. When the use or disclosure is required by law; or
6. When the use or disclosure is required for compliance with the Privacy Rule.
2.4 Sensitive Information
Sensitive information is information that is more likely to result in harm, embarrassment, or unfairness to an Individual. Examples of sensitive information include HIV/AIDS information, substance abuse treatment information, and mental health information. Additional precautions should be taken with sensitive information.
PROCEDURE:
To the extent Company receives a request to disclose or otherwise use sensitive information, including psychotherapy notes, such request should be relayed to Privacy Officer, as appropriate, to ensure that such use or disclosure is proper and secure.
SECTION 3: USES AND DISCLOSURES FOR WHICH AUTHORIZATION IS NOT REQUIRED
3.1 Uses and Disclosures by Covered Entities Not Requiring Authorization
A Covered Entity is authorized to make certain uses and disclosures of PHI without the authorization of the Individual. If authorized by the applicable BAA and conducted on behalf of a Covered Entity, Company may use or disclose PHI for the following purposes in compliance with the applicable requirements under HIPAA.
A. For a patient directory
B. Disclosures to persons involved in an Individual’s health care or payment
C. For disaster relief efforts
D. To a public health authority for public health activities
E. Uses and disclosures of PHI regarding victims of abuse, neglect, or domestic violence
F. To a health oversight agency for oversight activities authorized by law
G. For judicial and administrative proceedings
H. To a law enforcement official for certain law enforcement purposes
I. Uses and disclosures of PHI regarding Workforce Members of a Covered Entity who are victims of a crime at work
J. Uses and disclosures of PHI about decedents to a coroner, medical examiner, or funeral director
K. For cadaveric organ, eye, or tissue donation purposes
L. For Research purposes
M. To avoid a serious threat to health or safety
N. To certain persons for specialized government functions
O. To comply with laws relating to workers’ compensation or other similar programs
PROCEDURE:
P. Privacy Officer confirms that the use or disclosure of PHI meets the requirements of one of the above purposes under HIPAA and is authorized by the applicable BAA.
Q. If Company has access to the HIPAA policies and procedures of the applicable Covered Entity, the Privacy Officer will confirm that the use or disclosure is carried out in accordance with the Covered Entity’s policies.
R. Company will use or disclose the PHI only in accordance with the applicable requirements of HIPAA and only the amount of PHI authorized to be used or disclosed.
3.2 Disclosures to Personal Representatives
In general, Company must treat a Personal Representative of an Individual in the same manner as Company would treat the Individual, to the extent that the PHI is relevant to matters on which the Personal Representative is authorized to represent the Individual.
In the case of any Individual, Company does not have to treat the Personal Representative of the Individual as the Individual if Company reasonably believes:
A. The Individual has been or may be subject to domestic violence, abuse, or neglect by the Personal Representative;
B. Treating the Personal Representative as such could endanger the Individual; or
C. That it is not in the best interest of the Individual to treat such person as the Personal Representative.
PROCEDURE:
D. Workforce Member verifies that the person to whom PHI is to be disclosed is the Personal Representative of the Individual.
E. Workforce Member determines whether disclosure should not be made due to any of the exceptions set forth above. Workforce Member may consult with health care provider or Privacy Officer.
F. If Workforce Member determines that Company should make the disclosure or provide access to the Personal Representative, then Company should deliver the requested PHI to the Personal Representative.
3.3 Uses and Disclosures Required by Law
A use or disclosure is required by law if it is mandated by law. Company will, as appropriate, use and disclose PHI to the extent that Company is required by law to make such use or disclosure. Company must limit such use or disclosure to the requirements of such law.
PROCEDURE:
A. Workforce Member receives a request for PHI.
B. Workforce Member reviews the request to determine if Company is legally obligated to make the requested disclosure. Workforce Member may direct any questions or concerns to Company’s Privacy Officer.
C. If Company is required by law to make the disclosure, Workforce Member should only disclose required PHI.
D. If Company is not required by law to make such disclosure, Company should contact the applicable Covered Entity for a determination of whether to deny the request for PHI, subject to the Privacy Policies.
3.4 Uses and Disclosures by Whistleblowers
If a Workforce Member or Subcontractor believes in good faith that Company is engaged in unlawful conduct, conduct that violates professional or clinical standards, or provides care that potentially endangers Individual(s), Workforce Members, or the public, such Workforce Member or Subcontractor may disclose PHI to:
A. An appropriate health oversight agency;
B. Public health authority;
C. A health accreditation agency; or
D. An attorney retained by the Workforce Member or Subcontractor for the purpose of determining such Workforce Member’s or Subcontractor’s legal options.
PROCEDURE:
E. Workforce Member becomes aware of a disclosure of PHI that may constitute a violation of these Privacy Policies.
F. Workforce Member determines if a disclosure of PHI was made and to whom such disclosure was made. Workforce Member may consult with Company’s Counsel or the Privacy Officer.
G. Workforce Member assesses the disclosure to determine whether the disclosure was made following the above Privacy Policy.
H. If the disclosure by the Workforce Member or Subcontractor does not meet the requirements set forth above, Company may:
1. If the disclosure was made by a Subcontractor, take the appropriate action as set forth in the Business Associate Agreement.
2. If the disclosure was made by a Workforce Member, sanction the Workforce Member in accordance with Privacy Policy 8.2 – Sanctions. Company may consider consulting legal counsel prior to the imposition of sanctions.
I. If the disclosure by the Workforce Member or Subcontractor meets the requirements set forth above, Company may not take action against the Workforce Member or Subcontractor.
SECTION 4: USES AND DISCLOSURES REQUIRING AUTHORIZATION
4.1 Uses and Disclosures for Marketing
Company will only use PHI for Marketing on behalf of a Covered Entity pursuant to a BAA.
PROCEDURE:
A. Company will use and disclose PHI for Marketing purposes only if the Marketing is performed on behalf of a Covered Entity and authorized pursuant to a BAA.
B. Workforce Members may consult with Privacy Officer to determine permissible use or disclosure without authorization.
4.2 Sale of PHI
Company will only sell PHI on behalf of a Covered Entity pursuant to a BAA.
PROCEDURE:
A. Company will sell PHI only as authorized pursuant to a BAA.
B. Workforce Members shall consult with Privacy Officer to determine permissible sale of PHI.
SECTION 5: INDIVIDUAL RIGHTS
5.1 Right to Access PHI
Generally, Individuals have the right to inspect and obtain a copy of their own PHI held in a Designated Record Set, with limited exceptions.
If Company maintains PHI in a Designated Record Set on behalf of a Covered Entity and receives a request from the Covered Entity for access to PHI maintained by Company in a Designated Record Set, Company will arrange to provide access to the PHI to the Covered Entity within the time frame and in the manner provided in the applicable BAA. If an Individual directly requests access to PHI from Company, Company will immediately forward the Individual’s request to the Covered Entity. All determinations regarding whether to grant or deny an Individual’s request for access to the PHI will be made by the Covered Entity.
PROCEDURE:
A. Company receives a request from a Covered Entity to provide access to PHI maintained by Company in a Designated Record Set.
B. Company provides access to the Covered Entity, or to an Individual if directed by the Covered Entity, in the time and manner provided in the applicable BAA.
C. If a Workforce Member receives a written request to access PHI from an Individual, the Workforce Member will provide the request to the Privacy Officer, who will deliver the request to the applicable Covered Entity.
D. Company will abide by a Covered Entity’s determination as to whether to grant or deny a request received directly by Company.
E. If a request for access is granted and the Individual requests an electronic copy of his or her PHI, and if Company maintains such PHI in an electronic health record, then Company will provide an electronic copy of the PHI.
F. Company may charge a reasonable cost-based fee for providing copies that does not exceed any limit set by applicable state law.
5.2 Right to Amend PHI
Individuals have the right to request that Company amend PHI or a record about the Individual in a Designated Record Set.
If Company maintains PHI in a Designated Record Set on behalf of a Covered Entity and receives a request from the Covered Entity for amendments to PHI maintained by Company in a Designated Record Set, Company will make such amendments to the PHI within the time frame and in the manner provided in the applicable BAA. If an Individual directly requests amendments to PHI from Company, Company will immediately forward the Individual’s request to the Covered Entity. All determinations regarding whether to grant or deny an Individual’s request for amendments to the PHI will be made by the Covered Entity.
PROCEDURE:
A. Company receives a request from a Covered Entity to amend PHI maintained by Company in a Designated Record Set.
B. Company amends the PHI in the time and manner provided in the applicable BAA.
C. If a Workforce Member receives a written request to amend PHI from an Individual, the Workforce Member will provide the request to the Privacy Officer, who will deliver the request to the applicable Covered Entity.
D. Company will abide by a Covered Entity’s determination as to whether to grant or deny a request received directly by Company.
E. If the amendment affects PHI disclosed to or maintained by a Subcontractor, Company will notify the applicable Subcontractor.
5.3 Right to an Accounting of Disclosures
Within 60 days of receiving a request from an Individual, a Covered Entity is required to provide an accounting of the documented disclosures of PHI that have been made during the period requested.
If Company receives a request from a Covered Entity for an accounting of disclosures of PHI, Company will provide an accounting to Covered Entity within the time frame and in the manner provided in the applicable BAA. If an Individual directly requests an accounting of disclosures from Company, Company will immediately forward the Individual’s request to the Covered Entity.
An accounting will not be provided to the Individual for the following disclosures:
A. Disclosures (other than those of ePHI made through an EHR) made for the purpose of carrying out treatment, payment, or health care operations;
B. Disclosures made to the Individual or the Individual’s Personal Representative;
C. Disclosures made to persons involved in the Individual’s care, or for the purpose of notifying the Individual’s family or friends about the Individual’s whereabouts;
D. Disclosures for national security or intelligence purposes;
E. Disclosures to correctional institutions or law enforcement officials who had the Individual in custody at the time of disclosure;
F. Disclosures made pursuant to an authorization signed by the Individual;
G. Disclosures that are part of a Limited Data Set;
H. Incidental disclosures that comply with 2.2 – Incidental Disclosures of PHI; and
I. Disclosures that occurred prior to the compliance date.
PROCEDURE:
J. Company receives a request from a Covered Entity for an accounting of disclosures of PHI maintained by Company.
K. Company provides the accounting to Covered Entity in the time and manner provided in the applicable BAA.
L. If a Workforce Member receives a written request for an accounting of disclosures of PHI from an Individual, the Workforce Member will provide the request to the Privacy Officer, who will deliver the request to the applicable Covered Entity.
M. If the accounting includes PHI disclosed to or maintained by a Subcontractor, Company will notify the applicable Subcontractor to provide an accounting of disclosures.
N. The accounting will include the following information with respect to disclosures made during the accounting period, a period of six (6) years prior to the date on which the request was received:
1. The date of the disclosure;
2. The name of the entity or person who received the disclosure, and, if known, that entity or person’s address;
3. A brief description of the information disclosed; and
4. A brief statement of the purpose of the disclosure that would reasonably inform a reader of the basis for the disclosure.
5.4 Documentation of Disclosures of PHI
Company should document disclosures of PHI in the Disclosure Log, except as provided otherwise.
PROCEDURE:
A. When certain PHI is disclosed, the Workforce Member making the disclosure should record the disclosure in the Disclosure Log. A sample Disclosure Log may be found in Exhibit C.
B. A record of a disclosure should include:
1. The date the disclosure was made;
2. The name and, if known, address of the entity or person who received the PHI;
3. A brief description of the PHI disclosed;
4. A brief statement of the purpose of the disclosure which reasonably describes the basis on which the disclosure was made; and
5. If applicable, a copy of the written request for the disclosure.
C. A disclosure need not be documented if it is exempted under 5.3 – Right to an Accounting of Disclosures.
5.5 Right to Request Restrictions
Company will comply with restrictions granted by a Covered Entity on uses and disclosures of PHI to carry out treatment, payment, or health care operations; and disclosures made to relatives, friends, or designees for care or payment. If an Individual directly requests restrictions on use or disclosures of PHI from Company, Company will immediately forward the Individual’s request to the Covered Entity. All determinations regarding whether to grant or deny an Individual’s request for restrictions on PHI will be made by the Covered Entity.
PROCEDURE:
A. Company receives a written request from a Covered Entity to restrict the use or disclosure of PHI related to an Individual.
B. Company restricts its use and disclosure of the PHI in the manner agreed to by the Covered Entity.
C. If a Workforce Member receives a written request to restrict the use or disclosure of PHI from an Individual, the Workforce Member will provide the request to the Privacy Officer, who will deliver the request to the applicable Covered Entity.
D. Company will abide by a Covered Entity’s determination as to whether to grant or deny a request received directly by Company.
E. If the restrictions affect PHI disclosed to or maintained by a Subcontractor, Company will notify the applicable Subcontractor.
5.6 Right to Request Alternative Confidential Communications
An Individual may request that the Individual’s PHI be communicated to the Individual by reasonable alternative means or at alternative locations.
If a Covered Entity agrees to an Individual’s request for confidential communications, then Company will make communications with the Individual pursuant to the request. If an Individual directly requests confidential communications from Company, Company will immediately forward the Individual’s request to the Covered Entity. All determinations regarding whether to grant or deny an Individual’s request for confidential communications will be made by the Covered Entity.
PROCEDURE:
A. Company receives a written request from a Covered Entity to use alternative means or locations to communicate PHI to an Individual.
B. Company will comply with the request for confidential communications agreed to by the Covered Entity.
C. If a Workforce Member receives a written request for confidential communications of PHI from an Individual, the Workforce Member will provide the request to the Privacy Officer, who will deliver the request to the applicable Covered Entity.
D. Company will abide by a Covered Entity’s determination as to whether to grant or deny a request received directly by Company.
E. If the request affects PHI disclosed to or maintained by a Subcontractor, Company will notify the applicable Subcontractor.
5.7 Revocation of Authorization
Company must, upon receipt of a written notice from a Covered Entity that an Individual has revoked a prior authorization, discontinue using or disclosing Individual’s PHI for purposes that required the authorization.
The revocation will have no effect on uses and disclosures previously made by Company in reliance on such authorization.
If an Individual directly notifies Company of revocation of a prior authorization, Company will immediately forward the Individual’s notification to the Covered Entity.
PROCEDURE:
A. Workforce Member accepts written notice from Covered Entity revoking authorization.
B. Workforce Member should notify other Workforce Members and any Subcontractors who may be affected by the revocation.
C. Company will discontinue use or disclosure of PHI which was dependent upon the validity and effectiveness of the revoked authorization.
D. If a Workforce Member receives a notification of revocation from an Individual, the Workforce Member will provide the notification to the Privacy Officer, who will deliver the notification to the applicable Covered Entity.
E. If the revocation affects PHI disclosed to or maintained by a Subcontractor, Company will notify the applicable Subcontractor.
5.8 Waiver of Rights
Company may not require an Individual to waive their rights related to PHI as a condition of the provision of treatment, payment, enrollment in a health plan, or eligibility for benefits.
SECTION 6: DE-IDENTIFICATION AND LIMITED DATA SETS
6.1 Creation, Use, and Disclosures of De-Identified Information
De-Identified Information is information that does not require protection under these Privacy Policies or HIPAA. Company may use or disclose De-Identified Information, provided that de-identification is permitted by the applicable BAA and no code or other means of re-identifying the Individually Identifiable Health Information is disclosed.
PROCEDURE:
A. Workforce Member identifies the information which Company intends to use or disclose.
B. Workforce Member ensures that the De-Identified Information does not include Individually Identifiable Health Information of the Individual, Individual’s family members, and personal connections using either the:
- Expert Determination Methodology, according to which a person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable applying such principles and methods, (a) determines that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an individual who is a subject of the information; and (b) documents the methods and results of the analysis that justify such determination; or
- Safe Harbor Methodology with the following 18 identifiers removed:
a. Names;
b. Any geographic subdivision smaller than a state;
c. All dates, except a year, for dates directly related to Individual, such as birthday, admission or discharge date, or date of death; if over 89, any age and all elements of dates from which age may be deduced, except that the information may include that the Individual is 90 or older;
d. Telephone numbers;
e. Fax numbers;
f. Email addresses;
g. Website addresses;
h. Internet protocol numbers;
i. Social Security numbers;
j. Medical record numbers;
k. Health plan beneficiary numbers;
l. Account numbers;
m. Certificate/license numbers;
n. Vehicle identifiers or serial numbers, including license plate numbers;
o. Device identifiers or serial numbers;
p. Biometric identifiers, including finger prints and voice prints;
q. Full face images, or any comparable images; or
r. Any other unique identifying number, characteristic, or code.
C. Workforce Member ensures that the De-Identified Information may not be used, alone or in concert with other information, to identify the person to whom it relates.
D. If necessary, Workforce Member assigns a code or other record identification that is not derived from or related to the information in order to allow the De-Identified Information to be re-identified.
E. Workforce Member consults Privacy Officer for additional concerns.
6.2 Disclosures of a Limited Data Set
Company may disclose PHI in the form of a Limited Data Set for purposes of Research, public health, or health care operations.
Company may use or disclose a Limited Data Set if Company obtains a Data Use Agreement, which stipulates that the recipient will only use or disclose the PHI for limited purposes. Each Data Use Agreement must contain the elements required by HIPAA.
PROCEDURE:
A. A Limited Data Set excludes the following identifiers of the Individual or of relatives, employers, or household members of the Individual:
- Names;
- Postal address information (other than city or town, state, and zip code);
- Telephone numbers;
- Fax numbers;
- Email addresses;
- Social Security numbers;
- Medical record numbers;
- Health plan beneficiary numbers;
- Account numbers;
- Certificate/license numbers, vehicle identifiers and serial numbers (including license plate numbers);
- Device identifiers and serial numbers;
- Web universal resource locators (URLs), Internet Protocol (IP) address numbers;
- Biometric identifiers (including finger and voice prints); and
- Full face photographic images and any comparable images.
B. Workforce Member provides a Data Use Agreement.
C. Workforce Member ensures that no more than a Limited Data Set is disclosed to the recipient of PHI.
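The following Python sketch is an added illustration of the identifier lists in 6.1 (Safe Harbor) and 6.2 (Limited Data Set) applied to a record before disclosure; it is not the Company's own tooling, and the record field names, the sample individual and the as-of date are constructed assumptions for the demonstration. It also shows the pre-disclosure check from procedure steps 6.1 C and 6.2 C and the non-derived re-identification code from 6.1 D.

```python
"""De-identification helpers for the Safe Harbor and Limited Data Set
identifier lists (policy sections 6.1 and 6.2).  Added example with a
hypothetical record schema; not the Company's own code."""
from datetime import date
import secrets

# Identifiers that BOTH methods strip (Safe Harbor items a and d-r;
# Limited Data Set items 1 and 3-14).  Field names are assumptions.
DIRECT_IDENTIFIERS = frozenset({
    "name", "phone", "fax", "email", "ssn", "medical_record_number",
    "health_plan_beneficiary_number", "account_number", "license_number",
    "vehicle_id", "device_id", "url", "ip_address", "biometric_id", "photo",
})
# Geography: Safe Harbor (item b) removes every subdivision smaller than a
# state; a Limited Data Set (item 2) keeps city/town, state and zip.
SUB_STATE_GEOGRAPHY = frozenset({"street_address", "city", "zip"})
STREET_ONLY = frozenset({"street_address"})
# Date elements that Safe Harbor (item c) reduces to a year.
DATE_FIELDS = ("birth_date", "admission_date", "discharge_date", "death_date")
AGE_CAP = 89  # ages above this collapse to "90 or older"
AS_OF = date(2020, 5, 21)  # constructed reference date for computing age


def _age_on(birth: date, as_of: date) -> int:
    """Whole years between birth and as_of."""
    return as_of.year - birth.year - ((as_of.month, as_of.day) < (birth.month, birth.day))


def safe_harbor(record: dict, as_of: date = AS_OF) -> dict:
    """Copy of record with the 18 Safe Harbor identifiers removed.
    Dates are expected as datetime.date objects."""
    out = {k: v for k, v in record.items()
           if k not in DIRECT_IDENTIFIERS and k not in SUB_STATE_GEOGRAPHY}
    birth = record.get("birth_date")
    age = _age_on(birth, as_of) if isinstance(birth, date) else None
    for field in DATE_FIELDS:
        if isinstance(out.get(field), date):
            out[field] = out[field].year  # year only
    if age is not None:
        if age > AGE_CAP:
            # Over 89: drop every date element from which age could be deduced
            # and state only that the individual is 90 or older.
            out.pop("birth_date", None)
            out.pop("death_date", None)
            out["age"] = "90 or older"
        else:
            out["age"] = age
    return out


def limited_data_set(record: dict) -> dict:
    """Copy of record reduced to a Limited Data Set (dates are retained)."""
    return {k: v for k, v in record.items()
            if k not in DIRECT_IDENTIFIERS and k not in STREET_ONLY}


def residual_identifiers(record: dict, method: str) -> list:
    """Pre-disclosure check (6.1 C / 6.2 C): fields the chosen method forbids
    that are still present.  An empty list means the record may be released."""
    geo = SUB_STATE_GEOGRAPHY if method == "safe_harbor" else STREET_ONLY
    leftovers = [k for k in record if k in DIRECT_IDENTIFIERS or k in geo]
    if method == "safe_harbor":
        leftovers += [f for f in DATE_FIELDS if isinstance(record.get(f), date)]
        if isinstance(record.get("age"), int) and record["age"] > AGE_CAP:
            leftovers.append("age")
    return sorted(leftovers)


def assign_reidentification_code(deidentified: dict, original: dict, key_map: dict) -> dict:
    """6.1 D: attach a code that is NOT derived from the data.  The code-to-record
    mapping lives in key_map, which is kept by the Company and never disclosed."""
    code = secrets.token_hex(16)
    key_map[code] = original
    return {**deidentified, "reid_code": code}


# Constructed sample record for a fictional individual.
SAMPLE = {
    "name": "Pat Example", "ssn": "000-00-0000", "street_address": "1 Main St",
    "city": "Bonita Springs", "state": "FL", "zip": "34135",
    "ip_address": "192.0.2.1", "birth_date": date(1950, 6, 1),
    "admission_date": date(2020, 3, 14), "diagnosis_code": "E11.9",
}
ELDERLY = {**SAMPLE, "birth_date": date(1925, 1, 1)}

if __name__ == "__main__":
    print("safe harbor:", safe_harbor(SAMPLE))
    print("limited data set:", limited_data_set(SAMPLE))
    print("still present before release:", residual_identifiers(SAMPLE, "limited_data_set"))
```

The check function is the piece worth keeping around: running `residual_identifiers` on whatever is about to leave the Company gives the Workforce Member a concrete answer to step C instead of a visual inspection.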
SECTION 7: VERIFICATION, SAFEGUARDS, AND TRANSMISSION
7.1 Verification Requirements
Prior to disclosing PHI, Company will verify the identity of the person requesting PHI and the authority of that person to have access to PHI, if the identity is not known to Workforce Member.
PROCEDURE:
A. Workforce Member receives a request for PHI.
B. An authorized Workforce Member will take reasonable steps to verify the identity of the Individual requesting PHI:
- Through appropriate photo identification if the person makes the request in person and is an Individual, Personal Representative or involved with the Individual’s care;
- If the person makes the request via telephone or other electronic means, and is an Individual or Personal Representative, the person’s identity may be verified by one or more unique identifiers, such as date of birth or social security number; and
- If the person making the request is a public official, the identity of that person may be verified by:
a. Agency identification badge or proof of government employment;
b. Providing the request on government letterhead; or
c. If disclosure is to a person acting on behalf of a public official, providing a statement on government letterhead that states that the person is acting on behalf of a public official, or other documentation of the relationship between the person making the request and the public official.
C. Workforce Member may disclose upon verification.
7.2 Safeguards to Protect the Privacy of PHI
Company should have appropriate safeguards in place to protect the privacy of PHI.
PROCEDURE:
A. Privacy Officer should identify current practices by Company that may result in use or disclosure of PHI that may be in violation of the Privacy Rule or the Security Rule. Privacy Officer may consult with the Security Officer to identify potential risks and vulnerabilities.
B. Specific safeguards may include, but are not limited to:
- Clean desk policy including dedicated file space for authorized Workforce Members.
- On-site security including, but not limited to: closing or flipping over charts and files containing Individual information, not leaving Individual information unattended, and securely disposing of PHI that is no longer needed in appropriate locked bins.
- Secure off-site storage facilities and access protocols.
- If access to PHI work area is not significantly restricted, Company may consider, as appropriate, securing the computer workstations serving PHI work area by, among other things:
a. Re-positioning computers so that they are in a safe and/or secure area; and
b. Limiting viewing of computer screens to authorized Workforce Members.
- Sign-In Sheets: Individual’s name may be marked off of sign-in sheets as reasonable.
- Verbal Communications: When discussing PHI in any non-private area, conversations should be kept quiet, as is reasonable and appropriate.
7.3 Transmission of PHI
All transmission of PHI by email or fax will be made securely through the Software and limited to the minimum necessary PHI in accordance with 2.3 – Minimum Necessary Standard, and only upon the direction and on behalf of a Covered Entity. Workforce Members will not transmit PHI by telephone, mail, text message, or otherwise outside of the Software.
PROCEDURE:
Email
Workforce Members may send and receive PHI via email if Company has in place appropriate administrative, technical and physical safeguards to protect such PHI. Workforce Members should, as reasonable and appropriate:
A. Confirm email addresses for accuracy before sending an email containing PHI if sending to an email address at which the Company has not previously sent PHI via the Software;
B. Verify each email address to which the Company sends PHI at least once every ninety (90) days;
C. Except as specifically required by a client with respect to such client’s PHI, only send PHI via email through the Software; and
D. In the event a Workforce Member is required to send a client’s PHI to such client via email, only send PHI in an email that is encrypted and/or password protected.
Fax
E. Workforce Members should confirm fax number prior to transmission if sending to a fax number at which the Company has not previously sent PHI via the Software.
F. Workforce Members should verify the fax numbers to which the Company sends PHI at least once every ninety (90) days.
G. Workforce Members should only send PHI via fax through the Software.
7.4 Use Of Mobile Devices
Laptops, tablets, mobile telephones, and all other portable devices used to access, maintain, or transmit PHI (“Mobile Device”) must be approved by an appropriate Workforce Member or the Security Officer.
Users of Mobile Devices assume responsibility for ensuring compliance with this Privacy Policy. This particularly means that precautions should be taken to prevent theft.
PROCEDURE:
A. An appropriate Workforce Member or the Security Officer should approve the use of a Mobile Device and check that it is secure with the following:
- Mobile Device is locked and accessible with a password;
- Mobile Device requires re-authentication after a short period of inactivity; and
- PHI may not be stored on Mobile Device.
B. Workforce Members may take Mobile Devices out of Company as is needed within their job duties. When traveling, Workforce Members should be aware of the location and circumstances of the Mobile Device and may additionally take the following measures:
- On flights, carry the Mobile Device in your hand luggage;
- In hotels, lock it in a safe or otherwise secure it; and
- Avoid leaving Mobile Devices unattended in public areas.
C. Company should ensure that it has the ability to remotely access and control or remove access to PHI on any authorized Mobile Device.
D. If a Workforce Member authorized to use a Mobile Device resigns or is terminated, Company should immediately terminate Workforce Member’s ability to access PHI through the Mobile Device.
7.5 Subcontractors
Disclosures to Subcontractors
Company may disclose PHI to a Subcontractor that provides services to or on behalf of Company that involves PHI and upon the execution of a Subcontractor Business Associate Agreement (“Sub BAA”).
A sample Sub-BAA may be found in Exhibit D.
PROCEDURE:
A. Prior to disclosing PHI to a Subcontractor, Workforce Member confirms that a Sub-BAA is on file.
B. If no Sub-BAA is on file, Workforce Member will provide the Sub-BAA attached in Exhibit D. Any changes to the form must be approved by the Privacy Officer. Company may not disclose PHI to the Subcontractor until such an agreement is on file.
Company as a Business Associate
Company will, as appropriate, comply with these Privacy Policies and HIPAA subject to the terms of its BAA with the applicable Covered Entity with regard to that PHI.
A sample BAA may be found in Exhibit E.
PROCEDURE:
C. Prior to entering into any new service agreement that would require Company to access or receive PHI, Workforce Member should confirm whether Company has entered into a BAA with the Covered Entity.
D. Workforce Member will try to use the BAA attached in Exhibit E. Any other forms provided by a Covered Entity or any changes to the Company’s form must be approved by the Privacy Officer. Workforce Member, in conjunction with management as appropriate, should determine when issues related to a BAA should be referred for legal review.
SECTION 8: TRAINING AND SANCTIONS
8.1 Training Workforce Members
Company will provide new orientation training, annual training, and supplemental training about Privacy Policies to Workforce Members.
PROCEDURE:
A. Privacy Officer will train each new Workforce Member on Company’s Privacy Policies prior to receiving access to PHI. Training attendance and materials should be documented.
B. Privacy Officer will provide annual training to Workforce Members about Privacy Policies and any relevant changes.
C. Privacy Officer will ensure that each Workforce Member is trained on how to appropriately and securely use the Software prior to transmitting PHI by email or fax.
D. When Company’s Privacy Policies change with respect to the use or disclosure of PHI, Privacy Officer will train those Workforce Members whose jobs are affected by the change within a reasonable time upon the change taking effect, or as appropriate.
E. Refresher courses will be conducted as reasonably appropriate to ensure compliance and update workforce on any modifications to the Privacy Policies.
F. Privacy Officer should document required training provided by recording attendance or reasonable logging and retaining applicable training materials.
8.2 Sanctions
Company will sanction a Workforce Member who fails to comply with Company Privacy Policies as appropriate. Such sanctions will not apply to actions which meet the conditions for disclosures by whistleblowers as set forth in 3.4 – Uses and Disclosures by Whistleblowers.
PROCEDURE:
A. Sanctions will be appropriate to the level of infraction, but may include termination.
B. Privacy Officer should review the facts surrounding the reported violation to determine whether there has been a violation of the Privacy Policies.
C. If Privacy Officer determines that there has been a violation of the Privacy Policies, Privacy Officer or appropriate Workforce Member should assess whether the alleged violation is excused under the following situations:
- Whistleblowing;
- A Workforce Member who was the victim of a crime;
- The filing of a complaint with the Secretary;
- Participation in an investigation conducted under the authority of HIPAA; or
- Opposition to an act that Workforce Member believed, in good faith, to be a violation of an Individual’s privacy rights. However, Workforce Member may face sanctions if he or she voices opposition in a manner that violates Individual’s privacy rights.
D. Sanctions may include verbal reprimands, re-training, and potential termination, consistent with applicable Human Resources policies. Privacy Officer will coordinate with Human Resources as appropriate.
E. Any sanctions imposed on any Workforce Member should be documented and such documentation will be included in Workforce Member’s file and retained in accordance with 10.1 – Maintenance of Documentation.
SECTION 9: COMPLAINTS AND INVESTIGATION
9.1 Mitigation of Impermissible Uses or Disclosures
Company will mitigate, to the extent possible, known harmful effects of a use or disclosure of PHI in violation of the Privacy Policies.
PROCEDURE:
A. In the event a Workforce Member learns of a use or disclosure of PHI in violation of Company Privacy Policies, they should inform Privacy Officer or appropriate Workforce Member.
B. Privacy Officer or appropriate Workforce Member should review available information relating to the improper use or disclosure and determine what actions should be taken to minimize the harmful effects of the improper use or disclosure.
C. Company should take the appropriate actions to mitigate the harmful effects of the improper use or disclosure of PHI and document all mitigating actions taken.
D. Company should notify counsel, as appropriate, of any security or privacy Breach in order to determine whether outside reporting or other action is required or appropriate.
9.2 Investigation of Complaints
Privacy Officer or appropriate Workforce Member will conduct an investigation regarding complaints, noncompliance with these Privacy Policies, or any violations of a BAA.
PROCEDURE:
A. A Workforce Member who knows or reasonably suspects that there has been a violation of the Privacy Policies should report the suspected violation to Privacy Officer or appropriate Workforce Member.
B. Privacy Officer or appropriate Workforce Member should document the complaint and conduct an investigation to determine whether there has been a violation of the Privacy Policies in accordance with the process set forth in 8.2 – Sanctions.
C. If Privacy Officer or appropriate Workforce Member determines that a violation has occurred, Company should take reasonable measures to mitigate harmful effects, as in 9.1 – Mitigation of Impermissible Uses or Disclosures.
D. Privacy Officer or appropriate Workforce Member should maintain documentation regarding the complaint, the investigation of the complaint, and related remedial measures, in accordance with 10.1 – Maintenance of Documentation.
9.3 Refraining from Intimidating or Retaliatory Acts Against Individuals
Company will not intimidate, threaten, coerce, harass, discriminate against, or take other retaliatory action against an Individual for the following:
A. Filing a complaint with the Secretary;
B. Testifying, assisting, or participating in an investigation, compliance review, or proceeding; or
C. Opposing any act or practice that is unlawful under the Privacy Rule, provided the Individual has a good faith belief that such action is unlawful; that the manner in which he or she voices his or her opposition is reasonable; and does not itself involve a disclosure of PHI that would violate the Privacy Rule.
PROCEDURE:
D. If a Workforce Member becomes aware of a retaliatory act taken by any Workforce Member of Company, such Workforce Member should notify Privacy Officer or appropriate Workforce Member.
E. Privacy Officer or appropriate Workforce Member should coordinate with Human Resources with regard to sanctioning the employee(s) responsible for the retaliatory act.
SECTION 10: MAINTENANCE OF DOCUMENTATION
10.1 Maintenance of Documentation
Company will maintain documentation to support compliance, for example, Privacy Policies, an Individual’s PHI, and what is required by these Privacy Policies and HIPAA, for the longer of six (6) years from the date of its creation or six (6) years from the date such documentation was last in effect.
For example, authorization provided by an Individual for the disclosure of certain health information will be retained for a period of six (6) years after the authorization terminates.
PROCEDURE:
A. Privacy Officer will develop a system of maintaining documentation that is required by the Privacy Rule.
B. Privacy Officer should ensure that Workforce Members are trained on the documentation requirements of the Privacy Rule and should train Workforce Members on the system which Company uses to maintain such documentation.
C. This Privacy Policy should be followed in accordance with other document retention policies.
D. Privacy Officer should, from time to time, audit Company files to ensure that all documentation is being properly retained by Company.
EXHIBIT A
PRIVACY OFFICER CONTACT INFORMATION
NAME: Maris Mejia
ADDRESS: 9990 Coconut Road #301, Bonita Springs, FL 34135
TELEPHONE: (786) 304-0384
EMAIL: [email protected]
EXHIBIT B
SECURITY OFFICER CONTACT INFORMATION
NAME: Maris Mejia
ADDRESS: 9990 Coconut Road #301, Bonita Springs, FL 34135
TELEPHONE: (847) 840-3118
EMAIL: [email protected]
EXHIBIT C
SAMPLE – PROTECTED HEALTH INFORMATION DISCLOSURE LOG
Disclosure Tracking (column headings of the log form):
Date | Recipient | Address of Recipient | Description of PHI Involved | Purpose of Disclosure | Recorded in Breach Notification Log (Y/N)
EXHIBIT D
SUBCONTRACTOR AGREEMENT
THIS SUBCONTRACTOR AGREEMENT (the “Agreement”) is made and entered into this 15th day of April 1, 2020 (the “Effective Date”) by and between ClearHealth Strategies, LLC, (“Business Associate”) and SUBCONTRACTOR NAME, (“Subcontractor”).
WITNESSETH:
WHEREAS, Subcontractor provides certain services on behalf of Business Associate that may require Business Associate to create, receive, maintain, or transmit certain identifiable health information to Subcontractor, pursuant to the terms of a services agreement or other contract between the parties (the “Services Agreement”);
WHEREAS, the parties desire to enter into this Agreement to permit Subcontractor to use or disclose such identifiable health information and to comply with the Subcontractor requirements of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the privacy and security regulations promulgated thereunder, as currently in effect or as hereafter amended (the “HIPAA Privacy and Security Rules”);
WHEREAS, the Health Information Technology for Economic and Clinical Health (“HITECH”) Act of the American Recovery and Reinvestment Act of 2009, Pub. L. 111-5, modified the HIPAA Privacy and Security Rules (hereinafter, all references to the “HIPAA Privacy and Security Rules” shall include all amendments thereto set forth in the HITECH Act and the regulations promulgated thereunder, as currently in effect or as hereafter amended); and
WHEREAS, on January 25, 2013, the United States Department of Health and Human Services published its final omnibus rule modifying the HIPAA Privacy and Security Rules, as set forth in 78 Fed. Reg. 5566 (the “HIPAA/HITECH Omnibus Rule”).
NOW, THEREFORE, in consideration of the mutual promises and covenants made herein and other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the parties hereby agree as follows:
1. DEFINITIONS
1.1 Breach. “Breach” shall have the same meaning as the term “Breach” set forth in 74 Fed. Reg. 42767-68 (Aug. 24, 2009), until codified at 45 C.F.R. § 164.402, upon which “Breach” shall have the meaning as codified at 45 C.F.R. § 164.402 upon the Compliance Date (as defined below).
1.2 Compliance Date. “Compliance Date” shall mean September 23, 2013 with respect to such provision of the HIPAA/HITECH Omnibus Rule, or such other compliance date as determined by the Secretary.
1.3 Electronic Protected Health Information. “Electronic Protected Health Information” shall mean Protected Health Information transmitted by or maintained in “electronic media” (as such term is defined in 45 C.F.R. § 160.103).
1.4 Protected Health Information. “Protected Health Information” (“PHI”) shall have the same meaning as the term “Protected Health Information” set forth at 45 C.F.R. § 160.103, limited to the information received from, or created or received by Subcontractor on behalf of, Business Associate.
1.5 Secretary. “Secretary” shall mean the Secretary of the United States Department of Health and Human Services or his/her designee.
1.6 Unsecured Protected Health Information. “Unsecured Protected Health Information” shall mean Protected Health Information that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Secretary in guidance published at 74 Fed. Reg. 19006 (April 27, 2009), and in annual guidance published thereafter.
All other capitalized terms used, but not otherwise defined, in this Agreement shall have the same meaning for those terms as set forth in the HIPAA Privacy and Security Rules.
2. OBLIGATIONS OF SUBCONTRACTOR
2.1 Not to Use or Disclose PHI Unless Permitted or Required. Subcontractor agrees not to use or disclose Protected Health Information other than as permitted or required by this Agreement, or as required by law, or as otherwise authorized by Business Associate.
2.2 Use Safeguards. Subcontractor agrees to use appropriate safeguards to prevent the use or disclosure of Protected Health Information other than as provided for by this Agreement.
2.3 Mitigate Harmful Effects. Subcontractor agrees to mitigate, to the extent practicable, any harmful effect that is known to Subcontractor of a use or disclosure of Protected Health Information by Subcontractor in violation of this Agreement, subject to the limitations set forth in Section 8.11 of this Agreement.
2.4 Report Unpermitted Disclosures of PHI. Subcontractor agrees to report to Business Associate any use or disclosure of Protected Health Information not permitted or required by this Agreement of which Subcontractor becomes aware.
2.5 Compliance of Subcontractors. In accordance with 45 C.F.R. § 164.502(e)(1)(ii), Subcontractor agrees to ensure that any subcontractors that create, receive, maintain or transmit Protected Health Information on behalf of Subcontractor, agree to substantially the same restrictions, conditions and requirements that apply to Subcontractor with respect to such information.
2.6 Requests for Restrictions. Subcontractor agrees to comply with any requests for restrictions on certain disclosures of Protected Health Information to which Business Associate has agreed in accordance with 45 C.F.R. § 164.522 and of which Subcontractor has been notified by Business Associate. In addition, and notwithstanding 45 C.F.R. § 164.522(a)(1)(ii), Subcontractor agrees to comply with an individual’s request to restrict disclosures of Protected Health Information, of which Subcontractor has been notified by Business Associate, to a health plan for purposes of carrying out “payment” or “health care operations” (as such terms are defined in 45 C.F.R. § 164.501) if the Protected Health Information pertains solely to a health care item or service for which Business Associate has been paid in full by the individual or the individual’s representative.
2.7 Provide Access. Subcontractor will make available to Business Associate Protected Health Information to the extent requested by Business Associate as required under 45 C.F.R. § 164.524 and Section 13405(e) of the HITECH Act, which describe the requirements applicable to an individual’s request for access to Protected Health Information relating to the individual. The obligations of Subcontractor in this Section apply only to Protected Health Information in a “Designated Record Set” in Subcontractor’s possession or control as such term is defined at 45 C.F.R. § 164.501.
2.8 Incorporate Amendments. Subcontractor will make available to Business Associate Protected Health Information requested by Business Associate as required for amendment of such Protected Health Information, and shall make and incorporate any such amendments, all in accordance with 45 C.F.R. § 164.526, which describes the requirements applicable to an individual’s request for an amendment to any Protected Health Information relating to the individual. The obligations of Subcontractor in this Section apply only to Protected Health Information in a “Designated Record Set” in Subcontractor’s possession or control as such term is defined at 45 C.F.R. § 164.501.
2.9 Document Disclosures. Subcontractor will make available Protected Health Information requested by Business Associate or an Individual as required to provide an accounting of disclosures in accordance with 45 C.F.R. § 164.528 and Section 13405(c) of the HITECH Act. Subcontractor agrees to document such disclosures of Protected Health Information and information related to such disclosures as would be required for Business Associate to respond to a request by an individual for an accounting of disclosures of Protected Health Information in accordance with 45 C.F.R. § 164.528 and Section 13405(c) of the HITECH Act.
2.10 Business Associate Obligations. To the extent Subcontractor is to carry out one or more of Business Associate’s obligation(s) under Subpart E of 45 C.F.R. Part 164, Subcontractor will comply with the requirements of Subpart E that apply to the Business Associate in the performance of such obligation(s) as of the Compliance Date.
2.11 Disclose Practices, Books, and Records. If Subcontractor receives a request, made on behalf of the Secretary, that Subcontractor make its internal practices, books, and records relating to the use and disclosure of Protected Health Information available to the Secretary for purposes of determining Business Associate’s compliance with the HIPAA Privacy and Security Rules, then Subcontractor will promptly comply with the request within the time period required for such response as specified in such request.
3. PERMITTED USES AND DISCLOSURES BY SUBCONTRACTOR
3.1 Functions and Activities on Behalf of Business Associate. Subcontractor may use or disclose Protected Health Information for the purpose of meeting its obligations as set forth in this Agreement or as required by the Services Agreement.
3.2 Other Uses and Disclosures. Except as otherwise limited by this Agreement, Subcontractor may use and disclose Protected Health Information as follows:
a. if necessary, for the proper management and administration of Subcontractor or to carry out the legal responsibilities of Subcontractor, provided that as to any such disclosure, the following requirements are met:
i. the disclosure is required by law; or
ii. Subcontractor obtains reasonable assurances from the person to whom the information is disclosed that it will be held confidentially and used or further disclosed only as required by law or for the purpose for which it was disclosed to the person, and the person notifies Subcontractor of any instances of which it is aware in which the confidentiality of the information has been breached;
b. for data aggregation services, if to be provided by Subcontractor for the health care operations (as such terms are defined in 45 C.F.R. § 164.501) of Business Associate pursuant to any agreements between the parties evidencing their business relationship. For purposes of this Agreement, data aggregation services means the combining of Protected Health Information by Subcontractor with the protected health information received by Subcontractor in its capacity as a Subcontractor of another Business Associate, to permit data analyses that relate to the health care operations of the respective covered entities.
3.3 Minimum Necessary. Until such time as the Secretary issues regulations pursuant to the HITECH Act on what constitutes “minimum necessary” for purposes of the HIPAA Privacy and Security Rules, Subcontractor shall: (a) to the extent practicable, use, disclose, or request only Protected Health Information that is contained in a “limited data set” (as defined in 45 C.F.R. § 164.514(e)(2)); or (b) if needed by Subcontractor, use, disclose, or request only the minimum necessary amount of Protected Health Information to accomplish the intended purpose of such use, disclosure, or request.
- SECURITY RULE SAFEGUARDS
4.1 Implement Safeguards. Subcontractor shall implement the administrative, physical, and technical safeguards set forth in 45 C.F.R. §§ 164.308, 164.310, and 164.312 that reasonably and appropriately protect the confidentiality, integrity, and availability of any Electronic Protected Health Information that it creates, receives, maintains, or transmits on behalf of Business Associate; in accordance with 45 C.F.R. § 164.316, implement and maintain reasonable and appropriate policies and procedures to enable it to comply with the requirements set forth in Sections 164.308, 164.310, and 164.312; and, as of the Compliance Date, comply with Subpart C of 45 C.F.R. Part 164, where applicable, with respect to Electronic Protected Health Information.
4.2 Compliance of Subcontractors. In accordance with 45 C.F.R. § 164.308(b)(2), Subcontractor agrees to ensure that any subcontractors that create, receive, maintain or transmit Electronic Protected Health Information on behalf of Subcontractor agree to the same restrictions, conditions and requirements that apply to Subcontractor with respect to such information.
4.3 Report Security Incidents. Subcontractor shall report to Business Associate any Security Incident of which it becomes aware. For purposes of this Agreement, “Security Incident” means the successful unauthorized access, use, disclosure, modification, or destruction of Electronic Protected Health Information or interference with system operations in an information system, excluding: (a) “pings” on an information system firewall; (b) port scans; (c) attempts to log on to an information system or enter a database with an invalid password or user name; (d) denial-of-service attacks that do not result in a server being taken offline; or (e) malware (e.g., a worm or virus) that does not result in unauthorized access, use, disclosure, modification, or destruction of Electronic Protected Health Information. Subcontractor agrees to mitigate, to the extent practicable, any harmful effect resulting from such Security Incident.
- BREACH NOTIFICATION
5.1 Timing of Notification. Following the discovery of a Breach of Unsecured Protected Health Information, Subcontractor shall notify Business Associate of such Breach without unreasonable delay, but in no event later than five (5) days following the discovery of the Breach. A Breach shall be treated as discovered by Subcontractor as of the first day on which such Breach is known to Subcontractor or, through the exercise of reasonable diligence, would have been known to Subcontractor.
5.2 Law Enforcement Delay. Notwithstanding the provisions of Section 5.1, above, if a law enforcement official states to Subcontractor that notification of a Breach would impede a criminal investigation or cause damage to national security, then:
a. if the statement is in writing and specifies the time for which a delay is required, Subcontractor shall delay such notification for the time period specified by the official; or
b. if the statement is made orally, Subcontractor shall document the statement, including the identity of the official making the statement, and delay such notification for no longer than thirty (30) days from the date of the oral statement unless the official submits a written statement during that time.
5.3 Contents of Notification. The Breach notification provided to Business Associate shall include, to the extent possible:
a. the identification of each individual whose Unsecured Protected Health Information has been, or is reasonably believed by Subcontractor to have been, accessed, acquired, used, or disclosed during the Breach;
b. a brief description of what happened, including the date of the Breach and the date of discovery of the Breach, if known;
c. a description of the types of Unsecured Protected Health Information that were involved in the Breach (such as whether full name, Social Security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);
d. any steps individuals should take to protect themselves from potential harm resulting from the Breach;
e. a brief description of what Subcontractor is doing to investigate the Breach, to mitigate harm to individuals, and to protect against any further Breach; and
f. contact procedures for individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Web site, or postal address.
Subcontractor shall provide the information specified in this Section to Business Associate at the time of the Breach notification, if possible, or promptly thereafter as information becomes available.
Subcontractor shall not delay notification to Business Associate that a Breach has occurred in order to collect the information described in this Section, and shall provide such information to Business Associate even if the information becomes available after the five (5) day period provided in Section 5.1, above.
- OBLIGATIONS OF BUSINESS ASSOCIATE
6.1 Limitations in Notice of Privacy Practices. Business Associate shall notify Subcontractor of any limitation(s) in the notice of privacy practices of Business Associate under 45 C.F.R. § 164.520, to the extent that such limitation may affect Subcontractor’s use or disclosure of Protected Health Information.
6.2 Changes in Permission. Business Associate shall notify Subcontractor of any changes in, or revocation of, the permission by an individual to use or disclose his or her Protected Health Information, to the extent that such changes may affect Subcontractor’s use or disclosure of Protected Health Information.
6.3 Restriction on Use of Protected Health Information. Business Associate shall notify Subcontractor of any restriction on the use or disclosure of Protected Health Information that Business Associate has agreed to or is required to abide by under 45 C.F.R. § 164.522, to the extent that such restriction may affect Subcontractor’s use or disclosure of Protected Health Information.
6.4 Minimum Necessary. Business Associate shall disclose, and direct its other Subcontractors to disclose, to Subcontractor only the minimum amount of Protected Health Information necessary to accomplish the intended purpose of the permissible use, disclosure, or request in compliance with 45 C.F.R. § 164.502(b) and applicable guidance issued by the Secretary.
- TERM AND TERMINATION
7.1 Term. The Term of this Agreement shall commence as of the Effective Date of this Agreement. This Agreement shall terminate upon the earlier of termination of the Services Agreement or termination in accordance with Section 7.2 below.
7.2 Termination for Cause. Upon Business Associate’s knowledge of a material breach or violation hereof by Subcontractor, Business Associate shall provide written notice to Subcontractor of the breach or violation, and Business Associate shall provide an opportunity for Subcontractor to cure the breach or end the violation. If Subcontractor does not cure the breach or end the violation within thirty (30) days of receiving notice of the breach or violation and Business Associate has taken reasonable steps to cure such breach or end such violation during such thirty (30) day period, and such steps are unsuccessful, Business Associate may terminate this Agreement. If Subcontractor has breached a material term of this Agreement and cure is not possible, Business Associate may immediately terminate this Agreement.
7.3 Effect of Termination. Upon termination of this Agreement for any reason, Subcontractor will return or destroy all Protected Health Information received from Business Associate or created or received by Subcontractor on behalf of Business Associate that Subcontractor still maintains in any form, and shall retain no copies of such information. If such return or destruction is not feasible, as reasonably supported by competent records and other written evidence of Subcontractor, Subcontractor will extend the protections of this Agreement to the information retained and limit further uses and disclosures to those purposes that make the return or destruction of the information infeasible.
- MISCELLANEOUS PROVISIONS
8.1 Amendment. This Agreement cannot be amended except by the mutual written agreement of Subcontractor and Business Associate. In the event either party believes in good faith that any provision of this Agreement fails to comply with the then-current requirements of the HIPAA Privacy and Security Rules, such party shall so notify the other party in writing. For a period of up to thirty (30) days, the parties shall address in good faith such concern and shall amend the terms of this Agreement, if necessary, to bring it into compliance. If after such thirty (30) day period this Agreement fails to comply with the HIPAA Privacy and Security Rules with respect to the concern(s) raised pursuant to this Section, then either party may terminate this Agreement upon written notice to the other party.
8.2 No Third Party Beneficiary Rights. This Agreement is intended for the sole benefit of Subcontractor and Business Associate and does not create any third-party beneficiary rights.
8.3 Independent Contractor Relationship. The parties agree that the legal relationship between Business Associate and Subcontractor is strictly an independent contractor relationship. Nothing in this Agreement shall be deemed to create a joint venture, agency, partnership, or employer-employee relationship between the parties.
8.4 Headings. The section headings contained in this Agreement are for reference purposes only and will not affect the meaning of this Agreement.
8.5 Survival. The rights and obligations of Subcontractor under Section 7.3 of this Agreement shall survive the termination of this Agreement.
8.6 Interpretation. All Protected Health Information is solely subject to and shall be treated in accordance with this Agreement and shall not otherwise be considered “confidential information” under the Services Agreement. Any ambiguity in this Agreement shall be resolved in favor of a meaning that permits the parties to comply with the HIPAA Privacy and Security Rules. In the event of inconsistency between the provisions of this Agreement and mandatory provisions of the HIPAA Privacy and Security Rules, the HIPAA Privacy and Security Rules in effect at the time shall control. In the event of inconsistency between this Agreement and the Services Agreement, the terms and conditions of this Agreement shall control.
8.7 Waiver. Any failure of a party to exercise or enforce any of its rights under this Agreement will not act as a waiver of such rights.
8.8 Binding Effect. The Agreement shall be binding upon, and shall inure to the benefit of, the parties and their respective successors and permitted assigns.
8.9 Severability. If any provision of this Agreement is held by a court of competent jurisdiction to be illegal, invalid, or unenforceable under present or future laws effective during the term of this Agreement, the legality, validity, and enforceability of the remaining provisions of this Agreement shall not be affected thereby.
8.10 Counterparts. This Agreement may be executed in counterparts, each of which shall be deemed an original but all of which shall constitute one and the same instrument.
8.11 Limitation of Liability. Notwithstanding anything in this Agreement or the Services Agreement to the contrary, the aggregate liability of either party arising from or relating to this Agreement, the subject matter thereof, or the breaching/offending party’s respective actions or omissions or the actions or omissions of its respective officers, directors, managers, employees (regardless of the form of action or claim, and whether based in contract, warranty, indemnity, tort, statute, equitable or other theory of recovery) shall be limited to the actual amount paid, if any, by the breaching/offending party’s respective insurance carrier(s) as a result of the breaching/offending party’s liability or potential liability. Further, notwithstanding anything in this Agreement or the Services Agreement to the contrary, neither party shall be liable for any indirect, punitive, exemplary, incidental or consequential loss or damage of any kind or nature.
8.12 Force Majeure. No party shall be liable for any delay or failure to perform under this Agreement if such delay or failure (a) is directly caused by acts of God, war, acts of terrorists, explosion, fire, flood, earthquake, power outage, epidemic, acts of civil or military authorities or civil disturbance, or (b) could not have been prevented or circumvented by the non-performing party’s reasonable precautions or commercially accepted processes (including through the use of substitute services, alternate sources, work-around plans, the implementation of appropriate security measures or the disaster recovery measures) (collectively a “Force Majeure Event”).
The party experiencing any delay or failure as a result of any such Force Majeure Event shall: (x) provide prompt written notice of the actual or anticipated delay or failure to each other party; and (y) use reasonable commercial efforts to either remedy the delay or failure, or implement a plan (including business continuity and disaster recovery plans) to remedy the delay or failure in a manner which minimizes the disruption to each other party.
[Signature Page to Follow]
[Signature Page to Subcontractor Agreement]
IN WITNESS WHEREOF, the parties hereto have executed this Agreement, which is effective as of the date first above written.
BUSINESS ASSOCIATE: ClearHealth Strategies, LLC
By: ______________________________________
Title: _____________________________________
SUBCONTRACTOR: SUBCONTRACTOR NAME
By: ______________________________________
Title: _____________________________________
EXHIBIT E
BUSINESS ASSOCIATE AGREEMENT
THIS BUSINESS ASSOCIATE AGREEMENT (the “Agreement”) is made and entered into this ___ day of __________, 2016 (the “Effective Date”) by and between ________________ (“Covered Entity”) and Clear Health Strategies, LLC, a Florida limited liability company (“Business Associate”).
WITNESSETH:
WHEREAS, Business Associate provides certain services on behalf of Covered Entity that may require Covered Entity to create, receive, maintain, or transmit certain identifiable health information to Business Associate, pursuant to the terms of a services agreement or other contract between the parties (the “Services Agreement”);
WHEREAS, the parties desire to enter into this Agreement to permit Business Associate to use or disclose such identifiable health information and to comply with the business associate requirements of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the privacy and security regulations promulgated thereunder, as currently in effect or as hereafter amended (the “HIPAA Privacy and Security Rules”);
WHEREAS, the Health Information Technology for Economic and Clinical Health (“HITECH”) Act of the American Recovery and Reinvestment Act of 2009, Pub. L. 111-5, modified the HIPAA Privacy and Security Rules (hereinafter, all references to the “HIPAA Privacy and Security Rules” shall include all amendments thereto set forth in the HITECH Act and the regulations promulgated thereunder, as currently in effect or as hereafter amended); and
WHEREAS, on January 25, 2013, the United States Department of Health and Human Services published its final omnibus rule modifying the HIPAA Privacy and Security Rules, as set forth in 78 Fed. Reg. 5566 (the “HIPAA/HITECH Omnibus Rule”).
NOW, THEREFORE, in consideration of the mutual promises and covenants made herein and other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the parties hereby agree as follows:
- DEFINITIONS
1.1 Breach. “Breach” shall have the same meaning as the term “Breach” set forth in 74 Fed. Reg. 42767-68 (Aug. 24, 2009), until codified at 45 C.F.R. § 164.402, upon which “Breach” shall have the meaning as codified at 45 C.F.R. § 164.402 upon the Compliance Date (as defined below).
1.2 Compliance Date. “Compliance Date” shall mean September 23, 2013 with respect to such provision of the HIPAA/HITECH Omnibus Rule, or such other compliance date as determined by the Secretary.
BUSINESS ASSOCIATE AGREEMENT 55
1.3 Electronic Protected Health Information. “Electronic Protected Health Information” shall mean Protected Health Information transmitted by or maintained in “electronic media” (as such term is defined in 45 C.F.R. § 160.103).
1.4 Protected Health Information. “Protected Health Information” (“PHI”) shall have the same meaning as the term “Protected Health Information” set forth at 45 C.F.R. § 160.103, limited to the information received from, or created or received by Business Associate on behalf of, Covered Entity.
1.5 Secretary. “Secretary” shall mean the Secretary of the United States Department of Health and Human Services or his/her designee.
1.6 Unsecured Protected Health Information. “Unsecured Protected Health Information” shall mean Protected Health Information that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Secretary in guidance published at 74 Fed. Reg. 19006 (April 27, 2009), and in annual guidance published thereafter.
All other capitalized terms used, but not otherwise defined, in this Agreement shall have the same meaning for those terms as set forth in the HIPAA Privacy and Security Rules.
- OBLIGATIONS OF BUSINESS ASSOCIATE
2.1 Not to Use or Disclose PHI Unless Permitted or Required. Business Associate agrees not to use or disclose Protected Health Information other than as permitted or required by this Agreement, or as required by law, or as otherwise authorized by Covered Entity.
2.2 Use Safeguards. Business Associate agrees to use appropriate safeguards to prevent the use or disclosure of Protected Health Information other than as provided for by this Agreement.
2.3 Mitigate Harmful Effects. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of Protected Health Information by Business Associate in violation of this Agreement, subject to the limitations set forth in Section 8.11 of this Agreement.
2.4 Report Unpermitted Disclosures of PHI. Business Associate agrees to report to Covered Entity any use or disclosure of Protected Health Information not permitted or required by this Agreement of which Business Associate becomes aware.
2.5 Compliance of Subcontractors. In accordance with 45 C.F.R. § 164.502(e)(1)(ii), Business Associate agrees to ensure that any subcontractors that create, receive, maintain or transmit Protected Health Information on behalf of Business Associate, agree to substantially the same restrictions, conditions and requirements that apply to Business Associate with respect to such information.
2.6 Requests for Restrictions. Business Associate agrees to comply with any requests for restrictions on certain disclosures of Protected Health Information to which Covered Entity has agreed in accordance with 45 C.F.R. § 164.522 and of which Business Associate has been notified by Covered Entity. In addition, and notwithstanding 45 C.F.R. § 164.522(a)(1)(ii), Business Associate agrees to comply with an individual’s request to restrict disclosures of Protected Health Information, of which Business Associate has been notified by Covered Entity, to a health plan for purposes of carrying out “payment” or “health care operations” (as such terms are defined in 45 C.F.R. § 164.501) if the Protected Health Information pertains solely to a health care item or service for which Covered Entity has been paid in full by the individual or the individual’s representative.
2.7 Provide Access. Business Associate will make available to Covered Entity Protected Health Information to the extent requested by Covered Entity as required under 45 C.F.R. § 164.524 and Section 13405(e) of the HITECH Act, which describe the requirements applicable to an individual’s request for access to Protected Health Information relating to the individual. The obligations of Business Associate in this Section apply only to Protected Health Information in a “Designated Record Set” in Business Associate’s possession or control as such term is defined at 45 C.F.R. § 164.501.
2.8 Incorporate Amendments. Business Associate will make available to Covered Entity Protected Health Information requested by Covered Entity as required for amendment of such Protected Health Information, and shall make and incorporate any such amendments, all in accordance with 45 C.F.R. § 164.526, which describes the requirements applicable to an individual’s request for an amendment to any Protected Health Information relating to the individual. The obligations of Business Associate in this Section apply only to Protected Health Information in a “Designated Record Set” in Business Associate’s possession or control as such term is defined at 45 C.F.R. § 164.501.
2.9 Document Disclosures. Business Associate will make available Protected Health Information requested by Covered Entity or an Individual as required to provide an accounting of disclosures in accordance with 45 C.F.R. § 164.528 and Section 13405(c) of the HITECH Act. Business Associate agrees to document such disclosures of Protected Health Information and information related to such disclosures as would be required for Covered Entity to respond to a request by an individual for an accounting of disclosures of Protected Health Information in accordance with 45 C.F.R. § 164.528 and Section 13405(c) of the HITECH Act.
2.10 Covered Entity Obligations. To the extent Business Associate is to carry out one or more of Covered Entity’s obligation(s) under Subpart E of 45 C.F.R. Part 164, Business Associate will comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation(s) as of the Compliance Date.
2.11 Disclose Practices, Books, and Records. If Business Associate receives a request, made on behalf of the Secretary, that Business Associate make its internal practices, books, and records relating to the use and disclosure of Protected Health Information available to the Secretary for purposes of determining Covered Entity’s compliance with the HIPAA Privacy and Security Rules, then Business Associate will promptly comply with the request within the time period required for such response as specified in such request.
- PERMITTED USES AND DISCLOSURES BY BUSINESS ASSOCIATE
3.1 Functions and Activities on Behalf of Covered Entity. Business Associate may use or disclose Protected Health Information for the purpose of meeting its obligations as set forth in this Agreement or as required by the Services Agreement.
3.2 Other Uses and Disclosures. Except as otherwise limited by this Agreement, Business Associate may use and disclose Protected Health Information as follows:
a. if necessary, for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate, provided that as to any such disclosure, the following requirements are met:
i. the disclosure is required by law; or
ii. Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will be held confidentially and used or further disclosed only as required by law or for the purpose for which it was disclosed to the person, and the person notifies Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached;
b. for data aggregation services, if to be provided by Business Associate for the health care operations (as such terms are defined in 45 C.F.R. § 164.501) of Covered Entity pursuant to any agreements between the parties evidencing their business relationship. For purposes of this Agreement, data aggregation services means the combining of Protected Health Information by Business Associate with the protected health information received by Business Associate in its capacity as a business associate of another covered entity, to permit data analyses that relate to the health care operations of the respective covered entities.
3.3 Minimum Necessary. Until such time as the Secretary issues regulations pursuant to the HITECH Act on what constitutes “minimum necessary” for purposes of the HIPAA Privacy and Security Rules, Business Associate shall: (a) to the extent practicable, use, disclose, or request only Protected Health Information that is contained in a “limited data set” (as defined in 45 C.F.R. § 164.514(e)(2)); or (b) if needed by Business Associate, use, disclose, or request only the minimum necessary amount of Protected Health Information to accomplish the intended purpose of such use, disclosure, or request.
- SECURITY RULE SAFEGUARDS
4.1 Implement Safeguards. Business Associate shall implement the administrative, physical, and technical safeguards set forth in 45 C.F.R. §§ 164.308, 164.310, and 164.312 that reasonably and appropriately protect the confidentiality, integrity, and availability of any Electronic Protected Health Information that it creates, receives, maintains, or transmits on behalf of Covered Entity; in accordance with 45 C.F.R. § 164.316, implement and maintain reasonable and appropriate policies and procedures to enable it to comply with the requirements set forth in Sections 164.308, 164.310, and 164.312; and, as of the Compliance Date, comply with Subpart C of 45 C.F.R. Part 164, where applicable, with respect to Electronic Protected Health Information.
4.2 Compliance of Subcontractors. In accordance with 45 C.F.R. § 164.308(b)(2), Business Associate agrees to ensure that any subcontractors that create, receive, maintain or transmit Electronic Protected Health Information on behalf of Business Associate agree to the same restrictions, conditions and requirements that apply to Business Associate with respect to such information.
4.3 Report Security Incidents. Business Associate shall report to Covered Entity any Security Incident of which it becomes aware. For purposes of this Agreement, “Security Incident” means the successful unauthorized access, use, disclosure, modification, or destruction of Electronic Protected Health Information or interference with system operations in an information system, excluding: (a) “pings” on an information system firewall; (b) port scans; (c) attempts to log on to an information system or enter a database with an invalid password or user name; (d) denial-of-service attacks that do not result in a server being taken offline; or (e) malware (e.g., a worm or virus) that does not result in unauthorized access, use, disclosure, modification, or destruction of Electronic Protected Health Information. Business Associate agrees to mitigate, to the extent practicable, any harmful effect resulting from such Security Incident.
- BREACH NOTIFICATION
5.1 Timing of Notification. Following the discovery of a Breach of Unsecured Protected Health Information, Business Associate shall notify Covered Entity of such Breach without unreasonable delay, but in no event later than ten (10) days following the discovery of the Breach. A Breach shall be treated as discovered by Business Associate as of the first day on which such Breach is known to Business Associate or, through the exercise of reasonable diligence, would have been known to Business Associate.
5.2 Law Enforcement Delay. Notwithstanding the provisions of Section 5.1, above, if a law enforcement official states to Business Associate that notification of a Breach would impede a criminal investigation or cause damage to national security, then:
a. if the statement is in writing and specifies the time for which a delay is required, Business Associate shall delay such notification for the time period specified by the official; or
b. if the statement is made orally, Business Associate shall document the statement, including the identity of the official making the statement, and delay such notification for no longer than thirty (30) days from the date of the oral statement unless the official submits a written statement during that time.
5.3 Contents of Notification. The Breach notification provided to Covered Entity shall include, to the extent possible:
a. the identification of each individual whose Unsecured Protected Health Information has been, or is reasonably believed by Business Associate to have been, accessed, acquired, used, or disclosed during the Breach;
b. a brief description of what happened, including the date of the Breach and the date of discovery of the Breach, if known;
c. a description of the types of Unsecured Protected Health Information that were involved in the Breach (such as whether full name, Social Security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);
d. any steps individuals should take to protect themselves from potential harm resulting from the Breach;
e. a brief description of what Business Associate is doing to investigate the Breach, to mitigate harm to individuals, and to protect against any further Breach; and
f. contact procedures for individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Web site, or postal address.
Business Associate shall provide the information specified in this Section to Covered Entity at the time of the Breach notification, if possible, or promptly thereafter as information becomes available.
Business Associate shall not delay notification to Covered Entity that a Breach has occurred in order to collect the information described in this Section, and shall provide such information to Covered Entity even if the information becomes available after the forty-five (45) day period provided in Section 5.1, above.
- OBLIGATIONS OF COVERED ENTITY
6.1 Limitations in Notice of Privacy Practices. Covered Entity shall notify Business Associate of any limitation(s) in the notice of privacy practices of Covered Entity under 45 C.F.R. § 164.520, to the extent that such limitation may affect Business Associate’s use or disclosure of Protected Health Information.
6.2 Changes in Permission. Covered Entity shall notify Business Associate of any changes in, or revocation of, the permission by an individual to use or disclose his or her Protected Health Information, to the extent that such changes may affect Business Associate’s use or disclosure of Protected Health Information.
6.3 Restriction on Use of Protected Health Information. Covered Entity shall notify Business Associate of any restriction on the use or disclosure of Protected Health Information that Covered Entity has agreed to or is required to abide by under 45 C.F.R. § 164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of Protected Health Information.
6.4 Minimum Necessary. Covered Entity shall disclose, and direct its other business associates to disclose, to Business Associate only the minimum amount of Protected Health Information necessary to accomplish the intended purpose of the permissible use, disclosure, or request in compliance with 45 C.F.R. § 164.502(b) and applicable guidance issued by the Secretary.
- TERM AND TERMINATION
7.1 Term. The Term of this Agreement shall commence as of the Effective Date of this Agreement. This Agreement shall terminate upon the earlier of termination of the Services Agreement or termination in accordance with Section 7.2 below.
7.2 Termination for Cause. Upon Covered Entity’s knowledge of a material breach or violation hereof by Business Associate, Covered Entity shall provide written notice to Business Associate of the breach or violation, and Covered Entity shall provide an opportunity for Business Associate to cure the breach or end the violation. If Business Associate does not cure the breach or end the violation within thirty (30) days of receiving notice of the breach or violation and Covered Entity has taken reasonable steps to cure such breach or end such violation during such thirty (30) day period, and such steps are unsuccessful, Covered Entity may terminate this Agreement. If Business Associate has breached a material term of this Agreement and cure is not possible, Covered Entity may immediately terminate this Agreement.
7.3 Effect of Termination. Upon termination of this Agreement for any reason, Business Associate will return or destroy all Protected Health Information received from Covered Entity or created or received by Business Associate on behalf of Covered Entity that Business Associate still maintains in any form, and shall retain no copies of such information. If such return or destruction is not feasible, as reasonably supported by competent records and other written evidence of Business Associate, Business Associate will extend the protections of this Agreement to the information retained and limit further uses and disclosures to those purposes that make the return or destruction of the information infeasible.
- MISCELLANEOUS PROVISIONS
8.1 Amendment. This Agreement cannot be amended except by the mutual written agreement of Business Associate and Covered Entity. In the event either party believes in good faith that any provision of this Agreement fails to comply with the then-current requirements of the HIPAA Privacy and Security Rules, such party shall so notify the other party in writing. For a period of up to thirty (30) days, the parties shall address in good faith such concern and shall amend the terms of this Agreement, if necessary, to bring it into compliance. If after such thirty (30) day period this Agreement fails to comply with the HIPAA Privacy and Security Rules with respect to the concern(s) raised pursuant to this Section, then either party may terminate this Agreement upon written notice to the other party.
8.2 No Third Party Beneficiary Rights. This Agreement is intended for the sole benefit of Business Associate and Covered Entity and does not create any third-party beneficiary rights.
8.3 Independent Contractor Relationship. The parties agree that the legal relationship between Covered Entity and Business Associate is strictly an independent contractor relationship. Nothing in this Agreement shall be deemed to create a joint venture, agency, partnership, or employer-employee relationship between the parties.
8.4 Headings. The section headings contained in this Agreement are for reference purposes only and will not affect the meaning of this Agreement.
8.5 Survival. The rights and obligations of Business Associate under Section 7.3 of this Agreement shall survive the termination of this Agreement.
8.6 Interpretation. All Protected Health Information is solely subject to and shall be treated in accordance with this Agreement and shall not otherwise be considered “confidential information” under the Services Agreement. Any ambiguity in this Agreement shall be resolved in favor of a meaning that permits the parties to comply with the HIPAA Privacy and Security Rules. In the event of inconsistency between the provisions of this Agreement and mandatory provisions of the HIPAA Privacy and Security Rules, the HIPAA Privacy and Security Rules in effect at the time shall control. In the event of inconsistency between this Agreement and the Services Agreement, the terms and conditions of this Agreement shall control.
8.7 Waiver. Any failure of a party to exercise or enforce any of its rights under this Agreement will not act as a waiver of such rights.
8.8 Binding Effect. The Agreement shall be binding upon, and shall inure to the benefit of, the parties and their respective successors and permitted assigns.
8.9 Severability. If any provision of this Agreement is held by a court of competent jurisdiction to be illegal, invalid, or unenforceable under present or future laws effective during the term of this Agreement, the legality, validity, and enforceability of the remaining provisions of this Agreement shall not be affected thereby.
8.10 Counterparts. This Agreement may be executed in counterparts, each of which shall be deemed an original but all of which shall constitute one and the same instrument.
8.11 Limitation of Liability. Notwithstanding anything in this Agreement or the Services Agreement to the contrary, the aggregate liability of either party arising from or relating to this Agreement, the subject matter thereof, or the breaching/offending party’s respective actions or omissions or the actions or omissions of its respective officers, directors, managers, employees (regardless of the form of action or claim, and whether based in contract, warranty, indemnity, tort, statute, equitable or other theory of recovery) shall be limited to the actual amount paid, if any, by the breaching/offending party’s respective insurance carrier(s) as a result of the breaching/offending party’s liability or potential liability. Further, notwithstanding anything in this Agreement or the Services Agreement to the contrary, neither party shall be liable for any indirect, punitive, exemplary, incidental or consequential loss or damage of any kind or nature.
8.12 Force Majeure. No party shall be liable for any delay or failure to perform under this Agreement if such delay or failure (a) is directly caused by acts of God, war, acts of terrorists, explosion, fire, flood, earthquake, power outage, epidemic, acts of civil or military authorities or civil disturbance, or (b) could not have been prevented or circumvented by the non-performing party’s reasonable precautions or commercially accepted processes (including through the use of substitute services, alternate sources, work-around plans, the implementation of appropriate security measures or the disaster recovery measures) (collectively a “Force Majeure Event”). The party experiencing any delay or failure as a result of any such Force Majeure Event shall: (x) provide prompt written notice of the actual or anticipated delay or failure to each other party; and (y) use reasonable commercial efforts to either remedy the delay or failure, or implement a plan (including business continuity and disaster recovery plans) to remedy the delay or failure in a manner which minimizes the disruption to each other party.
[Signature Page to Follow]
[Signature Page to Business Associate Agreement]
IN WITNESS WHEREOF, the parties hereto have executed this Agreement which is effective as of the date first above written.
COVERED ENTITY: [INSERT NAME OF COVERED ENTITY]
By: ______________________________________
Title: _____________________________________
BUSINESS ASSOCIATE: CLEAR HEALTH STRATEGIES, LLC
By: ______________________________________
Title: _____________________________________