REMOTE MONITORING SERVICES AGREEMENT
This Remote Monitoring Services Agreement (“Agreement”) is made by and between NuGenHealth, LLC an Arizona Limited Liability Company, with an address of 11209 N. Tatum Blvd., Suite 180, Phoenix, AZ 85028 (hereinafter “NGH”) and Paradise Valley Family Medicine, P.C. an Arizona professional corporation, with an address of 11209 N. Tatum Blvd., Suite 180, Phoenix, AZ, 85028. (hereinafter “Client”) and is effective as of undersigned date (“Effective Date”).
RECITALS
WHEREAS, Client is an Arizona professional corporation who engages medical providers who are duly licenses in Arizona.
WHEREAS, NGH is an Arizona Limited Liability Company, a subsidiary of Generex Biotechnology Corporation, a publicly traded company, and is engaged to provide a software and services solution for physicians and medical practices for the purpose of providing the Connected Care Solutions (“CCS”) for patient engagement and more specifically, Remote Patient Monitoring “RPM” and Chronic Care Management “CCM” (where all such capitalized terms are defined and described in detail herein below).
WHEREAS, Client desires to retain the suite of services described in the preceding Recital and herein below in more detail, and Client desires to engage NGH to perform such services on the terms and conditions hereinafter set forth.
WHEREAS, the parties hereto understand, acknowledge and agree that the scope of this Agreement and the subject matter herein relates solely to NGH’s rendering the RPM and CCS services, and NGH shall not be engaged herein to provide any other services.
NOW, THEREFORE, in consideration of the foregoing premises, and the mutual covenants hereinafter stated, NGH and Client agree as follows:
The Recitals provided herein above are incorporated herein by this reference as if restated herein again in full.
I. SERVICES
A. Services. During the Term of this Agreement, NGH will provide to Client, upon the terms and conditions of this Agreement and in consideration for the Fees (as defined in Exhibit A), the services as set forth on Exhibit A attached hereto and made a part hereof (the “Services”).
B. Representations by Client. Client hereby warrants and represents as follows:
1. Duly Licensed: Client’s providers are is duly licensed, as applicable, to practice medicine or as a physician assistant or nurse practitioner, as the case may be, in the State of Arizona or in any state they intend to practice medicine.
2. Compliance with Rules and Regulations, Policies and Procedures: Client shall comply with NGH’s rules, regulations, policies, and procedures (the “Compliance Policies and Procedures”) during the Term for all periods of time such are in force.
3. NGH Exclusive Provider of Services: During the Term of this Agreement, Client agrees to use NGH as the exclusive provider of the Services.
II. TERM. Client’s engagement hereunder shall commence as of the Effective Date, and shall continue for a term of three (3) year, unless terminated earlier as set forth below (“Term”). This Agreement shall be extended to additional term(s) upon mutual written agreement of the parties.
III. TERMINATION.
A. For Cause Termination. Either party may terminate the Agreement at any time prior to the expiration of the Term of this Agreement in the event of a breach of or failure to comply with any provision or covenant herein by the other party in this Agreement, which breach or failure to comply is not cured to the reasonable satisfaction of the non-breaching party within ten (10) business days after written notice thereof by the non-breaching party to the breaching party. Upon termination, NGH’s Fee shall be paid out up until the Termination date, subject to offsets in the case where NGH is the breaching party.
B. Without Cause Termination. Either party may terminate the Agreement at any time prior to the expiration of the Term of this Agreement by providing the other party sixty (60) days’ written notice in advance. During such 60-day period, the for cause provisions of the preceding section III.A shall not be waived. Upon termination, NGH’s Fee shall be paid out up until the Termination date.
IV. FEES. NGH shall be paid the Fees as set forth in Exhibit A.
V. SERVICES, DUTIES AND OBLIGATIONS OF CLIENT
A. Good Community Standing. At all times during the Term of the Agreement, both parties shall be of high repute and good standing in the community served by NGH and Client.
B. Credentialing. At all times during the Term of this Agreement, Client shall comply with all credentialing, quality, and efficiency criteria as may be adopted from time to time by the State of Arizona and or the US Federal Government Agencies with oversight to these types of health care programs.
C. Insurability Requirements. Client shall satisfy all conditions for insurability under professional liability policies, as described herein, and, upon request, shall promptly provide (or Consent to disclosure to the person requesting the information) information requested by NGH.
D. Billing Procedures. Client shall follow applicable state and/or federal policies and procedures for charting, coding, and billing, along with those specific items outlined in Exhibit B (the “Billing Policies and Procedures”).
E. Client Obligations. Client shall provide the duties as set forth in Exhibit A.
VI. AUTHORITY OF NGH TO DISCLOSE INFORMATION
A. Disclosure of information. As relates to any patient who has used the RPM or CCM services of NGH, Client agrees to inform NGH of any claim of malpractice committed by Client and any investigation and/or disciplinary action involving Client.
B. Health Insurance Portability and Accountability Act of 1996 and the Health Information Technology for Economic and Clinical Health Act (“HIPAA”). NGH recognizes that the Client is a “covered entity” and NGH is a “business associate” are such phrases are defined by HIPAA and that, in the performance of Services hereunder, NGH will have access to the Client’s patients’ “protected health information,” as such phrase is defined by HIPAA. The parties, therefore, agree to execute a Business Associate Agreement in the form set forth on Exhibit “C,” which is attached hereto and incorporated by reference. NGH agrees to perform its Services involving any “protected health information” in accordance with such Business Associate Agreement.
C. Authorized Disclosure. Client, on the one hand, and NGH, on the other hand, hereby authorizes the other to obtain information related to the Client or NGH from a regulatory, hospital peer review or quality assurance group, committee or agency of all reports, records and other information pertaining to the applicable.
VII. OWNERSHIP OF SOFTWARE AND RECORDS; AND OTHERS COVENANTS
A. Records. Client shall own the medical and financial records as relates to its patients. NGH may obtain copies of such records in order to comply with a court order or court issued subpoena directed to NGH or for any other legal compliance purpose.
B. Confidentiality.
1. ACCESS TO CLIENT MATERIALS. CLIENT AGREES AND UNDERSTANDS THAT TO PERFORM THE SERVICES, CLIENT WILL NEED TO MAKE AVAILABLE TO NGH ACCESS TO CERTAIN CLIENT MATERIALS upon request.
2. PATIENTS. Client agrees and understands that, except as otherwise required by law, a patient’s account (defined below) with NGH will only be available to such patient so long as (a) the individual remains a patient of Client; (b) Client approves the patient’s enrollment in and ongoing use of the Services; (c) the patient signs (electronically or otherwise) that certain authorization form made available to the patient through the application (defined below) for access to the Services; and (d) the patient complies with the application terms as made available to such patient. Client agrees that Client will, to the extent able to, promptly disable a patient’s account upon such patient’s request. For the purposes of this subsection 2 and this Agreement, “patient’s account” means…… and “application” means….
3. “Confidential Information“ means all information, subject to the exceptions mentioned herein, disclosed before or after the date of this Agreement in written or oral format by the Disclosing Party, and, if disclosed orally, summarized in written format within 7 days of disclosure. “Disclosing Party” is the party disclosing Confidential Information. “Receiving Party” is the party receiving Confidential Information from the Disclosing Party. The Receiving Party shall only disclose the Confidential Information to persons in the direct employ of the Receiving Party who have a need to have access to and knowledge of the Confidential Information solely for the purposes of fulfilling the Receiving Party’s obligations in this Agreement, and only so long as persons agree to abide by these confidentiality terms. Each party shall take appropriate measures by instruction and agreement prior to disclosure to such employees to assure against unauthorized use or disclosure. The Receiving Party shall have no obligation with respect to information which (i) was rightfully in possession of or known to the Receiving Party without any obligation of confidentiality prior to receiving it from the Disclosing Party; (ii) is, or subsequently becomes, legally and publicly available without breach of this Agreement; (iii) is rightfully obtained by the Receiving Party from a source other than the Disclosing Party without any obligation of confidentiality; (iv) is disclosed by the Receiving Party under a valid order created by a court or government agency, provided that the Receiving Party provides prior written notice to the Disclosing Party of such obligation and the opportunity to oppose such disclosure. Upon written demand of the Disclosing Party, the Receiving Party shall cease using the Confidential Information and return the Confidential Information and all copies, notes, summaries or extracts thereof to the Disclosing Party within three (3) days of receipt of notice.
C. Non-Disparagement. During the term of this Agreement, and at all times subsequent thereto, Client and NGH shall maintain a professional relationship and shall conduct themselves with office staff, personnel and other third parties with whom they come into contact, whether directly or indirectly, in a professional manner and specifically agree not to disparage one another or otherwise discuss internal matters of any kind with any third party other than their attorneys or accountants. This is a material provision of this Agreement.
D. NGH DOCUMENTATION, TRADEMARKS, AND COPYRIGHTS. CLIENT ACKNOWLEDGES AND AGREES THAT ALL CONTENT ON THE APPLICATION (INCLUDING, WITHOUT LIMITATION, TEXT, IMAGES, USER INTERFACES, VISUAL INTERFACES, GRAPHICS, TRADEMARKS, LOGOS, SOUNDS, SOURCE CODE AND COMPUTER CODE, INCLUDING BUT NOT LIMITED TO THE DESIGN, STRUCTURE, SELECTION, COORDINATION, EXPRESSION, ‘LOOK AND FEEL’ AND ARRANGEMENT THEREOF) AND THE DOCUMENTATION IS THE EXCLUSIVE PROPERTY OF AND OWNED BY NGH OR ITS LICENSORS AND IS PROTECTED BY INTELLECTUAL PROPERTY RIGHTS AND UNFAIR COMPETITION LAWS. THESE MARKS AND COPYRIGHTS MAY NOT BE COPIED, IMITATED, CHANGED OR USED, IN WHOLE OR IN PART, WITHOUT THE EXPRESS PRIOR WRITTEN PERMISSION FROM THEIR RESPECTIVE OWNERS, AND THEN WITH THE PROPER ACKNOWLEDGMENTS. NOTHING ON OR IN THE LICENSED MATERIALS WILL BE CONSTRUED AS GRANTING, BY IMPLICATION, ESTOPPEL, OR OTHERWISE, ANY LICENSE OR RIGHT TO USE ANY TRADEMARK, LOGO, OR SERVICE MARK DISPLAYED ON THE LICENSED MATERIALS WITHOUT THE OWNER’S PRIOR WRITTEN PERMISSION, EXCEPT AS OTHERWISE DESCRIBED IN THESE MASTER TERMS.
E. NGH Third Party Software. Use of the Application may require a license to and use of third party products (“Third Party Products”), including, for example, an electronic medical system or health information exchange. All such Third Party Products are licensed to Client subject to the terms and conditions of an end user license agreement (“Third Party EULA”). NGH does not control, endorse, or accept responsibility for Third Party Products. Any and all agreements, services, or transactions between Client and such third party in connection with the Third Party Products, including but not limited to such third party’s privacy policies, delivery of services, and any other terms, conditions, warranties, or representations associated with such agreements, services, or transactions, are solely between Client and such third party. To the extent available to NGH and within NGH’s control, Client will have the right to review the Third Party EULA for any Third Party Products upon request and prior to executing the applicable Sales Order. Unless otherwise expressly provided in the Sales Order, Client will be solely responsible for all costs and license fees associated with such Third Party Products.
F. NGH USAGE DATA. THE APPLICATION MAY, FROM TIME TO TIME, AUTOMATICALLY REPORT BACK INFORMATION TO NGH’S SERVERS RELATED TO USAGE OF THE APPLICATION AND OTHER LICENSED MATERIALS, WITHOUT NOTICE TO CLIENT (“USAGE DATA”). USAGE DATA MAY BE USED BY NGH SOLELY TO ACCOMPLISH ITS SERVICES HEREUNDER AND FOR NO OTHER REASON.
H. LIMITATION OF LIABILITY. THE PARTIES AGREE AS FOLLOWS: UNDER NO CIRCUMSTANCES SHALL EITHER PARTY BE LIABLE TO THE OTHER PARTY FOR INDIRECT, INCIDENTAL, CONSEQUENTIAL, SPECIAL OR EXEMPLARY DAMAGES (EVEN IF SUCH DAMAGES ARE FORESEEABLE AND WHETHER OR NOT PARTICIPANT HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES) ARISING FROM ANY ASPECT OF THIS AGREEMENT AND CONTRACTUAL RELATIONSHIP ESTABLISHED HEREIN.
VIII. SEVERABLE PROVISIONS. The provisions of this Agreement are severable, and if any one or more provisions may be determined to be illegal or otherwise unenforceable, in whole or in part, the remaining provisions and any partially unenforceable provisions to the extent enforceable shall nevertheless be binding and enforceable.
IX. INDEMNIFICATION. Each Party hereby indemnifies, defends, and holds the other Party, its affiliates and any shareholders, officers, Clients, agents and legal representatives harmless from and against any and all loss, cost, damage, expense or liability (including legal fees) incurred by any of them arising from or connected to any and all claims, demands, actions, or causes of action arising from or connected to (i) its own violation of any federal, state or local healthcare fraud and abuse laws, regulations or rules; (ii) its own violation of any federal, state or local laws and regulations; and, (iii) any of its own breaches of any agreement, including this Agreement.
X. PROFESSIONAL LIABILITY INSURANCE. During the Term of this Agreement, Malpractice coverage must be maintained the Client in accordance with all applicable state laws.
XI. WAIVER: No modification of or amendment to this Agreement shall be effective unless in writing and signed by the parties. No waiver shall be effective unless in writing and executed by the party against whom enforcement of the waiver is sought.
XII. ATTORNEY'S FEES: In any action at law or in equity to enforce any of the provisions or rights under this Agreement, the unsuccessful party to such litigation, as determined by the Court in a final judgment or decree, shall pay the successful party all costs, expenses and reasonable attorney's fees, as set by the Court and not by a jury, incurred by the Successful party (including, without limitation, costs, expenses and fees on any appeal).
XIII. REGULATORY COMPLIANCE: it is the intent of the parties that this Agreement comply in all respects with all applicable federal, state and local laws, regulations, rules and interpretive case decisions, and the parties have structured their relationship with that specific intent. However, each party understands that such laws, regulations and case decisions are Complicated and a state of flux. Therefore, in the event that any provision of this Agreement is rendered invalid or unenforceable by a court of competent jurisdiction, or the applicable laws and regulations are altered by any legislative or regulatory body, or either party notifies the other party in Writing of its reasonable belief that this Agreement or any of its provisions may be declared null, void, unenforceable, or in violation of applicable laws or regulations, the remaining provisions, if any, of this Agreement shall nevertheless continue in full force and effect.
XIV. OTHER UNDERSTANDINGS. This Agreement contains the entire agreement between the parties with respect to the subject matter of this Agreement. The Agreement supersedes all prior understanding, agreements, or representations. Further, this Agreement may be modified only by a writing executed by both Client and NGH.
XV. JURISDICTION AND VENUE. This Agreement is to be construed pursuant to the laws of the State of Arizona. Client agrees to submit to the jurisdiction and venue of any court of competent jurisdiction in Maricopa County, Arizona without regard to conflict of laws provisions, for any claim arising out of this Agreement.
XVI. ASSUMPTION OF OBLIGATIONS. Generex Biotechnology Corporation, a publicly traded company, by its signature hereto, agrees to be bound to the provisions of this Agreement that require indemnification and legal compliance of NGH.
IN WITNESS WHEREOF, the undersigned have executed this Agreement as of the date set forth below.
NuGenHealth, LLC | Paradise Valley Family Medicine, P.C. |
NGH | Client |
Signed: /s/ Joseph Moscato | Signed: /s/ Warren Johnson |
Print: Joseph Moscato | Print Warren Johnson MD, Ph.D. |
Title: President/CEO | Title: Vice President |
Date: September 24, 2020 | Date: September 24, 2020 |
Generex Biotechnology Corporation, a Delaware corporation
Signed: /s/ Joseph Moscato
Print: Joseph Moscato
Title: President/CEO
Date: September 24, 2020
1 |
EXHIBIT A
FEES AND SERVICES; AND CLIENT DUTIES
A. | Fees. |
1. | For the 1st year Term, NGH will provide an Invoice to Client every month with Patients processed and eligible for reimbursement. The invoiced amounts are to be as laid out in Exhibit B. per month for each complete Remote Patient Monitoring patient; and CCM patient. Thereafter, the pricing might be adjusted annually to reflect changes in policy. |
B. | Services. |
1. | Provide Client with a software suite, Bluetooth medical devices and associated services for CCS. |
2. | In collaboration with and assistance from NGH, Client will implement the NuGen SaaS suite on site at the Client’s clinic(s). |
3. | Provide necessary staff to perform the CCS services for Client’s patients. |
4. | Provide necessary training to Clients’ staff to ensure proper use of NGH’s products and services. |
5. | NGH will be responsible for providing FDA-cleared, CMS approved medical devices for Remote Patient Monitoring, technical assistance, device connection, and data reporting. |
6. | NGH will identify any patient threshold breeches so action can be taken in real time to avoid hospitalizations and gives the ability to direct care as appropriate. |
7. | NGH will seek improvement in patient medication compliance with the direct reminders (voice/text) for the patients to take their medications. |
8. | NGH will perform outbound calls and reviews of the patient’s health plan/care plan to direct, train and encourage compliance on medication, pain levels, and ensuring frequency of uploads of prescribed data such as glucose, blood pressure, weight, temperature, oxygen level, etc. |
9. | NGH will provide a dashboard provides the MA and the Physician with an easy to view, patient by patient, status as well as end of the month billing documentation. |
10. | NGH will provide a 24 hour call in number for emergencies. |
11. | NGH will provide manage oversight and continued software, hardware updates and improvements training and retraining of staff. |
12. | NGH will provide at the end of each billing period the documentation for Client to bill for the patients conforming to the set of standards required by CMS for reimbursement. |
13. | The parties agree to act in good faith to ensure success and will evaluate the reimbursements on a quarterly basis to assess any changes in reimbursement. |
14. | If PVFM requests customized or enhanced system designs or additional equipment, then NGH will bill at the scheduled rates in the IT support section below. |
C. | Client Duties. |
1. | Provide NGH’s Medical Assistants (MA’s) with desk space and computers to engage and register patients, coordinate connected patient care, and conduct the RPM and CCM patient service. |
2. | Client will be responsible for managing NGH medical device inventory located on site and will not allow devices to be given to non enrolled patients as well as replace any shortage at their expense. |
3. | Client agrees to sign a Business Associates Agreement (BAA) with NGH to comply with all HIPAA regulations. |
4. | Upon proof of concept and both parties agreement, Client shall integrate the eClinicalworks Electronic Health Record (EHR) with the NuGenHealth system for billing, data exchange, analytic analysis, and population health management to be conducted by NGH and shared with Client. |
5. | At the end of the collection period which shall be 30 days from the invoice received from NGH the Client will pay NGH in full for the invoice for the processed patients. |
6. | Client agrees to cooperate and comply with any and all audit requests by NGH’s auditors or other audits by any governmental agency as may be requested and/or required. |
2 |
EXHIBIT B
BILLING POLICIES AND PROCEDURES
Confidential and Protected Information | |||||
NGH will provide the specific data on each Patient that meets the eligibility requirements for the reimbursement of services. NGH will provide an invoice to the Client on at least a thirty day (30) basis and Client agrees to pay NGH the Charges above within thirty (30 days) of receipt of invoice.
3 |
EXHIBIT C
BUSINESS ASSOCIATE AGREEMENT
This Business Associate Agreement (the “Agreement”) is entered into this __ day of _______, 2020, by and between, Paradise Valley Family Medicine, P.C. an Arizona professional corporation, with an address of 11209 N. Tatum Blvd., Suite 180, Phoenix, AZ, 85028 (“Covered Entity”) and NuGenHealth, LLC an Arizona Limited Liability Company, with an address of 11209 N. Tatum Blvd., Suite 180, Phoenix, AZ 85028 (“Business Associate”) (each a “Party” or collectively the “Parties”).
Recitals
Whereas, Covered Entity is a “covered entity” under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), as may be amended or supplemented; the regulations promulgated thereunder including the Standards for Privacy of Individually Identifiable Health Information (the “Privacy Rule”), 45 C.F.R. Parts 160 and 164, Subparts A and E, the Standards for the Security of Electronic Protected Health Information (the “Security Rule”), 45 C.F.R. Parts 160 and 164, Subpart C, the Breach Notification for Unsecured Protected Health Information (the “Breach Notification Rule”), 45 C.F.R. Parts 160 and 164, as may be amended or supplemented (collectively the “HIPAA Rules”); and the Health Information Technology for Economic and Officeal Health Act, Title VIII of the American Recovery and Reinvestment Act of 2009, as may be amended or supplemented, and the regulations promulgated thereunder, as may be amended or supplemented (the “HITECH Act”);
Whereas, Business Associate may receive, create, maintain, and transmit protected health information (“PHI”) on Covered Entity’s behalf in connection with the Services (defined below) below that Business Associate furnishes to Covered Entity, Business Associate is a “business associate” under HIPAA, the HIPAA Rules, and the HITECH Act;
Whereas, HIPAA, the HIPAA Rules, and the HITECH Act require that Covered Entity contract with Business Associate to mandate certain protections for the privacy and security of PHI that Business Associate may receive, create, maintain, or transmit on Covered Entity’s behalf; and
Whereas, Covered Entity and Business Associate intend for this Agreement to satisfy their obligations under HIPAA, the HITECH Act, and any implementing regulations.
Now, therefore, in consideration of the foregoing, and for other good and valuable consideration, the receipt and adequacy of which is hereby acknowledged, the Parties agree as follows:
1. Definitions
a. Defined Terms Generally. Terms used in this Agreement but not otherwise defined in this Agreement shall have the same meaning as those terms in the Privacy Rule, the Security Rule, and the HITECH Act.
b. Specific Defined Terms.
i. Individual. “Individual” shall have the meaning set forth in 45 CFR § 160.103 and shall include a person who qualifies as a “personal representative” pursuant to 45 CFR § 164.502(g).
ii. Protected Health Information. “Protected Health Information” shall have the meaning set forth in 45 CFR § 160.103, limited to the information that Business Associate creates, receives, maintains, or transmits on behalf of Covered Entity. All references to PHI shall also include electronic protected health information.
iii. Secretary. “Secretary” shall mean the Secretary of the Department of Health and Human Services or his or her designee.
2. Business Associate’s Obligations and Scope of Activities
a. Use and Disclosure of PHI. Business Associate agrees not to use or disclose PHI other than as permitted or required by this Agreement or as Required by Law. Business Associate further agrees to comply with this Agreement’s provisions and all present and future provisions of HIPAA, the HIPAA Rules, the HITECH Act, and Arizona law that relate to the privacy and security of PHI and apply to Business Associate. Business Associate agrees not to use or disclose PHI in any manner that would constitute a violation of HIPAA, the HIPAA Rules, the HITECH Act of Arizona law if so used or disclosed by Covered Entity. Business Associate agrees to use PHI solely for the purpose of and as necessary for performing Services for Covered Entity. Business Associate further agrees that Covered Entity shall retain all rights in PHI not granted herein.
b. Reasonable and Appropriate Safeguards. Business Associate has implemented and will continue to maintain administrative, physical, and technical safeguards (including written policies and procedures) to protect the confidentiality, integrity, and availability of PHI that it creates, receives, maintains, or transmits on Covered Entity’s behalf against reasonably anticipated threats or hazards to the security and integrity of the PHI as required by the Security Rule. Business Associate shall ensure that any agent or subcontractor to whom Business Associate provides PHI has implemented and will continue to maintain administrative, physical, and technical safeguards (including written policies and procedures) to protect the confidentiality, integrity, and availability of PHI as required by the Security Rule.
c. Reporting of Violations. Business Associate agrees to report in writing to Covered Entity, without unreasonable delay, and in no case later than ten (10) calendar days after discovery, the following: (1) any known access, use, or disclosure of PHI that is not authorized by this Agreement; (2) any Security Incident of which the Business Associate becomes aware, and (3) is any Breach of Unsecured PHI of which it becomes aware, without unreasonable delay, and in no case later than ten (10) calendar days after discovery. Business Associate further agrees to notify Covered Entity of any suspected access, use, or disclosure of data in violation of any applicable federal or state laws or regulations without unreasonable delay, and in no case later than thirty (30) calendar days after discovery. In the event of a Breach, Business Associate may delay notifying Covered Entity upon a request from law enforcement. At Covered Entity’s request, Business Associate agrees, to the extent possible, to identify each Individual whose PHI has been or is reasonably believed by Business Associate to have been accessed, acquired or disclosed during the Security Incident and/or Breach; the date and scope of the Security Incident and/or Breach; Business Associate’s response to the Security Incident and/or Breach,; and the identity of the party responsible for causing the Security Incident and/or Breach, if known. Business Associate also agrees to provide Covered Entity with sufficient information to permit Covered Entity to comply with Breach Notification Rule’s requirements or applicable state law requirements. Business Associate shall cooperate reasonably and coordinate with Covered Entity in the investigation of any violation of this Agreement’s requirements and/or any Security Incident or Breach. Business Associate shall cooperate reasonably and coordinate with Covered Entity in the preparation of any reports or notices to the Individual, a regulatory body, or any third party required to be made under HIPAA, the HIPAA Rules, the HITECH Act, or any other federal or state laws, rules, or regulations.
d. Breach Pattern or Practice by Business Associate. Business Associate agrees that if Business Associate knows of a pattern of activity or practice of Business Associate that constitutes a material breach of Business Associate’s obligations under this Agreement, Business Associate shall take reasonable steps to cure the breach or end the violation. Business Associate agrees that if the steps are unsuccessful, Business Associate shall terminate this Agreement, or if termination is not feasible, report the problem to the Secretary.
e. Mitigation of Harmful Effects. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of this Agreement.
f. Third-Party Agreements. Pursuant to 45 CFR §§ 164.308(b) and 164.502(e), Business Associate agrees to ensure that any agent and/or subcontractor, to whom it provides PHI that is created, received, transmitted, or maintained by Business Associate on behalf of Covered Entity agrees in a written business associate agreement to the same restrictions and conditions that apply through this Agreement to Business Associate with respect to such information. If Business Associate is aware of a pattern or practice of an agent and/or subcontractor that constitutes a material breach or violation by the agent and/or subcontractor of any such restrictions or conditions, Business Associate shall take reasonable steps to cure the breach or end the violation, as applicable, and if such steps are unsuccessful, to terminate the contract or arrangement with such agent and/or subagent.
g. Availability of Books and Records. Business Associate agrees to make available to Covered Entity or Secretary, within twenty (20) calendar days or such time as reasonably designated by the Secretary, any PHI and internal practices, books, records, accounts, and other sources of information, including policies and procedures, relating to the use and disclosure of PHI created, received, maintained, or transmitted by Business Associate on Covered Entity’s behalf for purposes of the Secretary determining Covered Entity’s compliance with the Privacy Rule.
h. Access. To the extent that Business Associates possesses or maintains a Designated Record Set, Business Associate agrees to provide access, at the request of Covered Entity, to PHI in a Designated Record Set to the Covered Entity or, as directed by Covered Entity, to the Individual or an Individual’s designee, within twenty (20) calendar days of such request order to meet the requirements under 45 CFR § 164.524. If an Individual makes a request for access to PHI directly to Business Associate, Business Associate shall notify Covered Entity of the request within three (3) business days of such request and will cooperate with and allow Covered Entity to respond to the Individual or Individual’s designee.
i. Amendment. To the extent that Business Associates possesses or maintains a Designated Record Set, Business Associate agrees to make any amendment(s) to PHI in a Designated Record Set that Covered Entity directs or agrees to pursuant to 45 CFR § 164.526 in a manner reasonably requested by Covered Entity within forty (40) calendar days of the request. If an Individual requests that Business Associate make an amendment to PHI, Business Associate shall notify Covered Entity of the request within three (3) business days of such request and will cooperate with and allow Covered Entity to respond to the Individual or Individual’s designee.
j. Documentation of Disclosures. Business Associate agrees to document such disclosures of PHI that it has made and information related to such disclosures as would be required for Covered Entity to respond to an Individual’s request for an accounting of disclosures of PHI in accordance with 45 CFR § 164.528. Business Associate further agrees to implement a process that allows for an accounting to be collected and maintained by Business Associate and its agents and/or subcontractors for at least six (6) years prior to the request. At a minimum, the information collected and maintained shall include:
i. The date of the disclosure;
ii. The name of the entity or person who received PHI and, if known, the address of the entity or person;
iii. A brief description of PHI disclosed; and
iv. A brief statement of purpose of the disclosure that reasonably informs the Individual of the basis for the disclosure, or a copy of the written request for disclosure by the Secretary or under 45 C.F.R. § 164.512, if any.
k. Accounting of Disclosures. Business Associate agrees to provide to Covered Entity or an Individual, within forty (40) days, information collected in accordance with Section j of this Agreement in order that Covered Entity may respond to an Individual’s request for an accounting of disclosures of PHI in accordance with 45 CFR § 164.528 and the HITECH Act. Business Associate agrees that such accounting obligations shall survive termination of this Agreement and shall continue as long as Business Associate maintains PHI created, received, maintained, or transmitted pursuant to this Agreement. If multiple disclosures of PHI have been made to the Secretary or the same person or entity under 45 C.F.R. § 164.512, Business Associate shall also include in its disclosures the frequency, periodicity, or number of disclosures made during the accounting periods as well as the date of the last disclosure during the accounting period. If an Individual makes a request for an accounting of disclosure to Business Associate, Business Associate shall notify Covered Entity of the request within three (3) business days of such request and will cooperate with and allow Covered Entity to respond to the Individual or Individual’s designee.
l. Minimum Necessary. Business Associate agrees to request, use, and disclose only the minimum amount of PHI necessary to accomplish the purpose of the request, use, or disclosure.
m. Compliance with Administrative Obligations. Business Associate agrees to comply with any administrative requirements imposed on it in its capacity as a business associate by HIPAA, the HIPAA Rules, and the HITECH Act.
n. Compliance with Electronic Transmission Standards. Business Associate agrees to comply with all applicable standards and requirements of HIPAA, HIPAA Rules, and the HITECH Act regarding the transmission of PHI in an electronic format in connection with any transaction for which the Secretary has adopted a standard (“Covered Transaction”) no less than thirty (30) days before prior to the applicable compliance dates established by the Secretary. Business Associate shall require all of its agents and/or subcontractors, if any, to comply with this Section 2.14.
3. Permitted Uses and Disclosures by Business Associate
a. General Use and Disclosure. Except as otherwise limited by this Agreement, Business Associate may use or disclose PHI on behalf of, or to provide the following services to, Covered Entity: the lien-related services as described in that certain Remote Monitoring Services Agreement dated the __ day of ____, 2020 (“Services”), if such use or disclosure of PHI would not violate:
i. The Privacy Rule, the Security Rule, and the HITECH Act if done by Covered Entity; or
ii. Business Associate’s minimum necessary policies and procedures.
b. Specific Uses and Disclosures.
i. Except as otherwise limited in this Agreement, Business Associate may use PHI for Business Associate’s proper management and administration or to carry out Business Associate’s legal responsibilities.
ii. Except as otherwise limited in this Agreement, Business Associate may disclose PHI for the proper management and administration of Business Associate and to carry out its legal responsibilities, provided that disclosures are:
(i) Required by Law; or
(ii) Business Associate obtains reasonable assurances from the person to whom the information is disclosed that:
(a) PHI will remain confidential and used or further disclosed only as Required by Law or for the purpose for which it was disclosed to the person; and
(b) The person notifies Business Associate of any instances of which it is aware in which confidentiality of PHI has been breached.
iii. Except as otherwise limited in this Agreement, Business Associate may use PHI to provide data aggregation services to Covered Entity as permitted by 45 CFR § 164.504(e)(2)(i)(B).
iv. Business Associate may use PHI to report violations of law to appropriate federal and state authorities, consistent with 45 CFR § 164.502(j)(1).
4. Obligations of Covered Entity
a. Notice of Privacy Practices. Covered Entity shall provide Business Associate with a copy of Covered Entity’s Notice of Privacy Practices (“NPP”) and notify Business Associate of any limitation(s) therein to the extent that such limitation(s) may affect Business Associate’s use or disclosure of PHI in accordance with 45 CFR § 164.520.
b. Notification of Individual Authorization Revocations. Covered Entity shall notify Business Associate of any changes in, or revocations of, an Individual’s authorization to use and/or disclose PHI, to the extent that such changes may affect Business Associate’s use or disclosure of PHI.
c. Notification of Restrictions. Covered Entity shall notify Business Associate of any restriction to the use or disclosure of PHI to which Covered Entity has agreed, in accordance with 45 CFR § 164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of PHI.
d. Notification of Amendments. Covered Entity shall notify Business Associate of any amendment to PHI to which Covered Entity has agreed that affects a Designated Record Set maintained by Business Associate.
e. Permissible PHI Disclosures. Covered Entity will not request Business Associate to use or disclose PHI in any manner that would not be permissible under the Privacy Rule if done by Covered Entity.
5. Term and Termination
a. Term. This Agreement shall be effective as of date this Agreement is executed by both Parties and shall continue until Business Associate returns or destroys all PHI created or received by Business Associate on Covered Entity’s behalf, including any copies of PHI, or until Business Associate determines that such return or destruction is infeasible.
b. Termination for Cause. Upon Covered Entity’s knowledge of a material breach by Business Associate, Covered Entity shall either:
i. Provide an opportunity for Business Associate to cure the breach or end the violation within a specified period of time and terminate the Agreement if Business Associate does not cure the breach or end the violation within the time specified by Covered Entity; or
ii. Immediately terminate the Agreement if Business Associate has breached a material term of this Agreement and cure is not possible.
If neither termination nor cure is feasible, Covered Entity shall report the violation to the Secretary. In no event will a disclosure by Business Associate that was authorized by Covered Entity be treated as a material breach.
c. Effect of Termination.
i. Except as provided in paragraphs (b) and (c) of this Section c, upon termination of this Agreement, for any reason, Business Associate shall return or destroy all PHI created, received, maintained, or transmitted by Business Associate on behalf of Covered Entity. This provision shall apply to PHI that is in the possession of Business Associate’s agents and/or subcontractors. Business Associate and its agents and/or subcontractors shall retain no copies of PHI.
ii. If Business Associate determines that it is infeasible to return or destroy the PHI, Business Associate shall notify Covered Entity of the conditions that make the PHI’s return or destruction infeasible. Thereafter, Business Associate shall extend this Agreement’s protection to such PHI and limit such PHI’s further use and disclosure to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such PHI.
iii. The preceding provisions of this Section c shall not apply to the extent that PHI is maintained in Business Associate’s possession pursuant to its record retention procedures. Nevertheless, this Agreement’s protections shall remain in effect as to that PHI as long as Business Associate retains such PHI.
6. General Provisions
a. Intent. The Parties expressly acknowledge that it is, and shall continue to be, their intent to comply fully with all relevant federal, state, and local laws, regulations, and rules. If a Party believes in good faith that any provision of this Agreement fails to comply with the then-current requirements under HIPAA, the HIPAA Rules, and/or the HITECH Act, such Party shall notify the other Party in writing. The Parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for Covered Entity to comply with the requirements of HIPAA, the HIPAA Rules, the HITECH Act, or Arizona law. The Parties will have thirty (30) calendar days to negotiate in good faith to amend this Agreement’s provisions such that is complies with the then-current legal requirements. If after thirty (30) days, this Agreement is still not in compliance with the then-current law, either Party may terminate this Agreement upon written notice to the other Party.
b. Construction. Any ambiguity in this Agreement shall be resolved to permit Business Associate to comply with HIPAA, the HIPAA Rules, the HITECH Act, or Arizona law.
c. Governing Law. This Agreement shall be governed by and interpreted in accordance with the laws of the State of Arizona without regard to its conflicts-of-law provisions. Jurisdiction and venue for any dispute relating to this Agreement shall exclusively rest with the state and federal courts in the county in which Covered Entity is located.
d. Cross-References. A reference in this Agreement to a section in HIPAA, the HIPAA Rules, or the HITECH Act means the section as in effect or as amended.
e. No Agency Relationship. The Parties do not intend to establish expressly or by implication an agency relationship (as defined under federal common law of agency) between Covered Entity and Business Associate for the purposes of liability under HIPAA, the HIPAA Rules, or the HITECH Act. No terms or provisions contained in this Agreement shall be construed to make or render Business Associate an agent of Covered Entity.
f. Survival of Certain Rights and Obligations. Business Associate’s rights and obligations under Sections 2.11 and 5.c shall survive this Agreement’s termination.
g. Waiver. No provision of this Agreement or any breach thereof shall be deemed a waiver unless such waiver is in writing and signed by the Party against whom such waiver it sought to be enforced. No waiver of a breach shall constitute a waiver of or excuse for any different or subsequent breach.
h. Assignment. Neither Party may assign any of its rights or delegate or subcontract any of its obligations under this Agreement without the other Party’s prior written consent. Notwithstanding the foregoing, Covered Entity shall have the right to assign its rights and obligations hereunder to any entity that is an affiliate or successor of Covered Entity without Business Associate’s prior approval.
i. Notice. All notices, requests, demands, and other communications required or permitted to be given or made under this Agreement (“Notices”) shall be in writing and sent by personal delivery; certified or registered United States mail with return receipt requested, overnight delivery service with proof of delivery; or facsimile with return facsimile acknowledging receipt. Notices shall be effective upon receipt. Notices shall be sent to the addresses below in the opening paragraph of this Agreement.
j. Invalidity or Unenforceability. If any provision of this Agreement shall be held invalid or unenforceable, such invalidity or unenforceability shall attach only to such provision and shall not in any way affect or render invalid or unenforceable any other provision of this Agreement.
k. Rights. Nothing in this Agreement shall be deemed to:
i. Create any rights in third parties; or
ii. Waive the attorney-client, work product, or other privilege between Covered Entity and Business Associate arising under applicable law, except to the limited extent necessary to comply with the requirements of Section 2.g or applicable law.
l. Entire Agreement. This Agreement constitutes the complete agreement between Business Associate and Covered Entity relating to the matters specified in this Agreement, and supersedes all prior representations or agreements, whether oral or written, with respect to such matters. No oral modification or waiver of any of the provisions of this Agreement shall be binding on either Business Associate or Covered Entity.
m. Indemnification. Business Associate will indemnify Covered Entity and its owners from any and all damages, fees, fines, costs and expenses associated with a breach by Business Associate of this Business Associate Agreement.
4 |
In Witness Whereof, the parties hereto have executed this Agreement as of its effective date.
COVERED ENTITY: Paradise Valley Family Medicine, P.C. an Arizona professional corporation
By: /s/ Warren Johnson Its: Vice President | BUSINESS ASSOCIATE:
NuGenHealth, LLC an Arizona Limited Liability Company
By:/s/ Joseph Moscato Its: President/CEO |
5 |