CR BillMax Services BAA

CR BILLMAX BUSINESS ASSOCIATE AGREEMENT

Please read this Business Associate Agreement (“BAA”) carefully, as it forms a contract between Bronco Billing, LLC dba CR BillMax Services, a Florida limited liability company (“BillMax”), and the customer agreeing to these terms (“Customer,” “you” or “your”), and covers all services provided by BillMax to Customer in accordance with Customer’s Order (“Services”) as part of the Service Agreement as described by the Terms of Service.

BACKGROUND

Customer is a Covered Entity that possesses Protected Health Information as defined by the Health Insurance Portability and Accountability Act (“HIPAA”). Customer is permitted to Use or Disclose such Protected Health Information only in accordance with HIPAA and HITECH (and the applicable business associate agreement if Customer is a Business Associate). The services provided to Customer require BillMax to access and utilize Customer Data that may contain Protected Health Information. To the extent BillMax creates, receives, maintains, or transmits Protected Health Information on behalf of Customer, BillMax is a Business Associate of Customer. Accordingly, HIPAA requires BillMax and Customer to comply with certain obligations under the Privacy Rule, Breach Notification Rule, and Security Rule that relate to the use, access, and disclosure of Protected Health Information.

The terms and conditions in this BAA are intended to supersede any conflicting terms and conditions in the Service Agreements.

TERMS

In consideration of the foregoing and of the mutual representations, warranties, covenants and agreements contained herein, the mutuality, receipt and sufficiency of which are hereby acknowledged, the Parties hereby agree as follows:

  1. Definitions. Except as otherwise defined in this BAA, all capitalized terms used in this BAA shall have the meanings set forth in HIPAA and in the Service Agreement.
    a. “Breach Notification Rule” means the Breach Notification for Unsecured Protected Health Information Final Rule (45 C.F.R. part 164, subpart D).
    b. “Business Associate” shall generally have the same meaning as the term “business associate” at 45 CFR 160.103.
    c. “Covered Entity” shall generally have the same meaning as the term “covered entity” at 45 CFR 160.103.
    d. “Customer Data” means data submitted by Users into the Services (each as defined in the Terms of Service that comprises part of the Agreement).
    e. “Enforcement Rule” means the HIPAA enforcement standards (45 CFR part 160, subparts C, D, and E).
    f. “HHS” means the United States Department of Health and Human Services.
    g. “HIPAA” collectively means the administrative simplification provisions of the Health Insurance Portability and Accountability Act (Public Law 104-191) enacted by the United States Congress, and the regulations and guidance promulgated thereunder by HHS, including the HIPAA Rules, as amended from time to time, including, without limitation, by HITECH and by the Modifications to the HIPAA Rules under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules; Final Rule.
    h. “HITECH” means the Health Information Technology for Economic and Clinical Health Act and the regulations and guidance promulgated thereunder by HHS. HITECH was adopted as part of the American Recovery and Reinvestment Act of 2009.
    i. “HIPAA Rules” means the Privacy Rules, Security Rules, Breach Notification Rules, and Enforcement Rules, 45 CFR Part 160 and Part 164.
    j. “Privacy Rule” means the Standards for Privacy of Individually Identifiable Health Information (45 C.F.R. parts 160 and 164, subparts A and E).
    k. “Security Rule” means the Security Standards for the Protection of Electronic Protected Health Information (45 C.F.R. parts 160, 162 and 164, subparts A and C).
  2. Obligations and Activities of BillMax. The Parties agree that, to the extent BillMax creates, receives, maintains, or transmits Protected Health Information on behalf of Customer, BillMax is a Business Associate of Customer as contemplated by HIPAA and HITECH. To the extent that BillMax is acting as a Business Associate, BillMax agrees to the following:
    a. HIPAA Compliance. BillMax agrees to comply with the requirements of HIPAA and HITECH that are applicable to BillMax.
    b. Limitations on Use and Disclosure. BillMax agrees to not Use or Disclose Protected Health Information other than as permitted or required by this BAA and the Agreements, or as otherwise Required by Law, provided that any such Use or Disclosure would not violate HIPAA if done by Customer, unless expressly permitted for Business Associates under HIPAA. BillMax shall make reasonable efforts to Use, Disclose, and/or request the minimum necessary Protected Health Information to accomplish the intended purpose of such Use, Disclosure, or request.
    c. Safeguards. To maintain electronic data security and prevent the inappropriate Use or Disclosure of the Protected Health Information other than as provided for by this BAA and the Agreements, or as Required by Law, BillMax agrees to (i) implement appropriate safeguards, and (ii) comply with the applicable requirements of 45 CFR Part 164 Subpart C of the Security Rule. BillMax agrees to implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of electronic Protected Health Information that it creates, receives, maintains, or transmits to or on behalf of Customer to the extent required by HIPAA and HITECH.
    d. Reporting. BillMax agrees to report to Customer (i) any Use or Disclosure of the Protected Health Information of which it becomes aware that is not permitted or required by this BAA and the Agreements, or otherwise Required by Law, (ii) any Security Incident of which it becomes aware, provided that notice is hereby deemed given for Unsuccessful Security Incidents and no further notice of such Unsuccessful Security Incidents shall be given; and (iii) any Breach of Customer’s Unsecured Protected Health Information that BillMax may discover (in accordance with 45 CFR §164.410 of the Breach Notification Rule). BillMax agrees to deliver each such notification of a Breach to Customer without unreasonable delay, but in no event more than 15 calendar days after discovery of a Breach. Taking into account the level of risk reasonably likely to be presented by the Use, Disclosure, Security Incident, or Breach, the timing of other reporting will be made consistent with BillMax’s and Customer’s legal obligations.
    e. Subcontractors. In accordance with 45 CFR §164.502(e)(1)(ii) and 45 CFR §164.308(b)(2) of HIPAA, BillMax agrees to require that any Subcontractors who create, receive, maintain, or transmit the Protected Health Information on behalf of BillMax agree in writing to the same or similar restrictions, conditions and requirements that apply through this BAA to BillMax with respect to the Protected Health Information.
    f. Designated Record Sets. If BillMax maintains Protected Health Information in a Designated Record Set for Customer, BillMax, at the request of Customer, agrees as follows:
      i. BillMax will make such Protected Health Information in the Designated Record Set available to Customer in accordance with 45 CFR §164.524 of the Privacy Rule.
      ii. BillMax will make such Protected Health Information in the Designated Record Set available to Customer for amendment and will incorporate any reasonably requested amendment in such Protected Health Information in accordance with 45 CFR §164.524 of the Privacy Rule. If BillMax receives from a patient a request for access to or amendment of Protected Health Information in the Designated Record Set, BillMax will submit such request to Customer for Customer’s response as soon as reasonably practical. Customer acknowledges that the information it submits to BillMax does not constitute the Customer’s Designated Record Set (as defined in 45 CFR §164.501), and that all information contained within BillMax’s Customer account shall not constitute nor be construed to include a Designated Record Set. Customer further acknowledges that Customer’s Designated Record Set shall be comprised only of information maintained by Customer outside of its services with BillMax. Because BillMax does not maintain a Designated Record Set, patients shall have no rights to: (i) access BillMax files (as required of a Designated Record Set in 45 CFR §164.524), or (ii) request amendment of BillMax files (as required of a Designated Record Set in 45 CFR §164.526).
    g. Disclosure to Secretary. BillMax agrees, at the Customer’s reasonable expense, to make its internal practices, books, and records relating to the use and disclosure of Protected Health Information that is subject to this BAA, available to the Secretary of HHS, at a time and in a manner reasonably designated by the Secretary, for purposes of the Secretary determining Customer’s compliance with the HIPAA Rules, subject to attorney-client and other applicable legal privileges.
    h. Accounting of Disclosure. BillMax shall maintain and, at the request of Customer, shall make available to Customer such information relating to Disclosures made by BillMax as are required for Customer to make any requested accounting of Disclosures in accordance with 45 CFR §164.528 of the Privacy Rule. If BillMax receives from a patient a request for an accounting of disclosures of information, BillMax will submit such request to Customer for Customer’s response as soon as reasonably practical. Unless otherwise Required by Law, no patient shall have a right to an accounting of disclosures of BillMax accounts (as defined in the Service Agreement) maintained within the CentralReach platform because all such disclosures shall be for billing purposes only.
    i. Performance of a Covered Entity’s Obligations. To the extent BillMax is to carry out a Covered Entity obligation under Subpart E of 45 CFR Part 164, BillMax agrees to comply with the requirements of Subpart E that apply to Customer in the performance of that obligation.
  3. Obligations and Activities of Customer.
    a. No Impermissible Requests. Except as provided in Section 4(b), Customer shall not request BillMax to Use or Disclose Protected Health Information in any manner that would not be permissible under HIPAA if done by a Covered Entity (unless permitted by HIPAA for a Business Associate).
    b. Contact Information for Notices. Customer hereby agrees that any reports, notification, or other notice by BillMax pursuant to this BAA may be made electronically or as otherwise contemplated by the Service Agreement. Customer shall provide contact information to contracting@centralreach.com or as otherwise contemplated by the Service Agreement and shall ensure that Customer’s contact information remains up to date during the term of this BAA. Contact information must include the name of the individual(s) to be contacted, the title of the individual(s) to be contacted, the e-mail address of the individual(s) to be contacted, the name of the Customer organization, and, if available, either the contract number or the subscriber identification number.
    c. Safeguards and Appropriate Use of Protected Health Information. Customer is responsible for implementing appropriate privacy and security safeguards to protect its Protected Health Information in compliance with HIPAA. Without limitation, it is Customer’s obligation to:
      i. Not include Protected Health Information in (1) information Customer submits to technical support personnel or to community support forums; and (2) Customer’s address book or directory information. In addition, BillMax does not act as, or have the obligations of, a Business Associate under HIPAA with respect to Customer Data once it is sent to or from Customer outside the Services over the public Internet.
      ii. Implement privacy and security safeguards in the systems, applications, and software Customer controls, configures, and uses to upload Customer Data into the Services.
  4. Permitted Uses and Disclosures by BillMax.
    a. Performance of Agreements. Except as otherwise expressly limited in this BAA, BillMax may Use or Disclose Protected Health Information to perform functions, activities or services for, or on behalf of, Customer as specified in the Agreements, provided that such Use or Disclosure would not violate HIPAA or HITECH if done by Customer, unless expressly permitted for Business Associates under HIPAA and HITECH.
    b. Management, Administration, and Legal Responsibilities. Except as otherwise expressly limited in this BAA, BillMax may Use and Disclose Protected Health Information for the proper management and administration of BillMax and to carry out the legal responsibilities of BillMax, provided that any Disclosure may occur only if (i) Required By Law, or (ii) (a) BillMax obtains reasonable written assurances from the person to whom the Protected Health Information is disclosed that it will remain confidential and Used or further Disclosed only as Required By Law or for the purpose for which it was Disclosed to the person, and (b) the person notifies BillMax of any instances of which the person is aware in which the confidentiality of the Protected Health Information has been breached.
    c. Data Aggregation Services. Except as otherwise expressly limited in this BAA, BillMax may use Protected Health Information to provide Data Aggregation services to Customer as permitted by §164.504(e)(2)(i)(B) of the Regulations.
    d. Legal Violations. BillMax may use Protected Health Information to report violations of law to appropriate Federal and State authorities, consistent with §164.502(j)(1) of the Regulations.
  5. Term and Termination.
    a. Term. This BAA shall continue in effect until the earlier to occur of (1) the expiration or termination of all of the Agreements (or the applicable provisions thereof) that cause BillMax to be a Business Associate of Customer, or (2) the date on which either Party terminates this BAA for cause in accordance with Section 5(b).
    b. Termination for Cause. If either Party is in material breach or default of any obligation under this BAA, the other Party may, subject to BillMax’s duty to return or destroy the Protected Health Information as set forth in Section 5(d) below:
      i. Provide a reasonable opportunity for the breaching Party to cure the material breach or default and, if the breaching Party does not cure the material breach or default within a reasonable time, terminate this BAA and all of the Agreements (or the applicable provisions thereof) that cause BillMax to be a Business Associate of Customer; or
      ii. If cure is not possible, immediately terminate this BAA and all of the Agreements (or the applicable provisions thereof) that cause BillMax to be a Business Associate of Customer.
    c. Effect of Termination of Agreements. In the event of the termination or expiration of all of the Agreements (or the applicable provisions thereof) that cause BillMax to be a Business Associate of Customer, this BAA shall automatically terminate, subject to BillMax’s duty to return or destroy the Protected Health Information as set forth in Section 5(d) below.
    d. Return, Destruction, or Retention of Protected Health Information Upon Termination. Upon expiration or termination of all of the Agreements (or the applicable provisions thereof) that cause BillMax to be a Business Associate of Customer, if it is feasible to do so, BillMax shall return or destroy all Protected Health Information in its possession in accordance with the applicable termination provisions of each of the Agreements and this BAA. If BillMax determines that it is not feasible to return or destroy any Protected Health Information upon such expiration or termination of all of the Agreements (or the applicable provisions thereof) that cause BillMax to be a Business Associate of Customer, then, for the duration of the retention of such Protected Health Information, this BAA shall remain in full force and effect solely with respect to such retained Protected Health Information and BillMax shall limit any further Use or Disclosure of the retained Protected Health Information to those purposes that make the return or destruction infeasible.
  6. Limitation of Liability. AS BILLMAX RELIES SOLELY ON THE CENTRALREACH PLATFORM TO STORE DATA AND HAS NO CONTROL OVER THE SECURITY MEASURES TAKEN BY THE PLATFORM, IT IS UNABLE TO PREVENT DATA BREACHES. EXCEPT AS NOTED ABOVE IN THE THIRD SENTENCE OF THIS SECTION 6, IN NO EVENT SHALL BILLMAX, OR ANY OF ITS AFFILIATES, SUBCONTRACTORS, LICENSORS, OR ANY OTHER PERSON OR ENTITY WITH WHOM BILLMAX MAY BE CLAIMED TO BE JOINTLY LIABLE (FOR SUCH PURPOSES, COLLECTIVELY, THE “BILLMAX PARTIES”) BE LIABLE FOR ANY LOSS OF PROFITS, DATA OR GOODWILL OR FOR ANY INDIRECT, CONSEQUENTIAL, INCIDENTAL, PUNITIVE, EXEMPLARY OR SPECIAL LOSSES OR DAMAGES, OR EXPENSES (INCLUDING WITHOUT LIMITATION ATTORNEYS’ FEES) THAT CUSTOMER MAY INCUR OR SUFFER, WHETHER OR NOT THE POSSIBILITY OF SUCH DAMAGE WAS KNOWN, FORESEEABLE OR CONTEMPLATED BY BILLMAX OR CUSTOMER. IN NO EVENT SHALL BILLMAX OR ANY OF THE OTHER BILLMAX PARTIES BE LIABLE TO CUSTOMER FOR ANY CLAIM OR CAUSE OF ACTION, WHETHER BASED ON CONTRACT, TORT, STRICT LIABILITY OR ANY OTHER LEGAL THEORY, FOR AN AMOUNT IN EXCESS OF THE FEES (AS DEFINED IN THE AGREEMENTS) PAID TO BILLMAX BY CUSTOMER PURSUANT TO THE SERVICE AGREEMENT FOR THE THREE (3) MONTH PERIOD IMMEDIATELY PRECEDING THE DATE OF THE ACCRUAL OF THE CLAIM (THE “LIABILITY LIMIT”). The Parties agree that only reasonable breach mitigation costs and expenses incurred by Customer and caused primarily by BillMax’s material breach of this BAA shall be considered direct damages (not indirect or consequential) and BillMax’s liability for such costs and expenses shall be subject to the Liability Limit. The terms of this Section 6 allocate the risks under this BAA. BillMax’s pricing under the Agreements reflects, in part, this allocation of risk and the agreed upon limitation of liability.
  7. Applicability of Amendment. As of the effective date of this BAA, this BAA is applicable to the Agreements, whether current or future, between the Parties without additional action by the Parties.
  8. Miscellaneous.
    a. Changes to HIPAA. If either of the Parties determines in good faith that any regulations and interpretative guidance adopted or amended with respect to HIPAA or HITECH after the execution of this BAA are required by law to be implemented and made a part hereof, this BAA shall be renegotiated in good faith so as to amend all applicable provisions in a manner that would eliminate any substantial risk of noncompliance.
    b. Survival. The respective rights and obligations of the Parties shall survive the termination of this BAA.
    c. Interpretation. Any ambiguity in this BAA shall be resolved to permit compliance with HIPAA. This BAA is an addendum to the Agreements; provided, however, that under no circumstances shall the terms of the Agreements modify the terms of this BAA. In the event of any conflict or other inconsistency between the terms of this BAA and the terms of the Agreements, the terms of this BAA shall govern. The section headings contained in this BAA are for reference purposes only and should not affect in any way the meaning or interpretation of this BAA.
    d. Amendments; Waiver. Except as expressly set forth in this BAA, a provision of this BAA may be altered only by a writing signed by both Parties. The waiver of a breach hereunder may be effected only by a writing signed by the waiving Party and shall not constitute a waiver of any other breach.
    e. No Third-Party Beneficiaries. Nothing express or implied in this BAA is intended to confer, nor shall anything in this BAA confer, upon any person other than the Parties, and the respective successors or assigns of the Parties, any rights, remedies, obligations, or liabilities whatsoever.
    f. Counterparts. This BAA may be executed in counterparts, each of which shall be deemed an original, and all of which together shall constitute one and the same instrument.
    g. Severability. If for any reason a court of competent jurisdiction finds any provision of this BAA invalid or unenforceable, that provision of this BAA shall be enforced to the maximum extent permissible and the other provisions of this BAA shall remain in full force and effect.
    h. Venue and Law. This BAA shall be governed by Florida law or Federal law as applicable. Exclusive jurisdiction in relation to any breach of this BAA shall lie in the state or Federal Courts of Broward County, Florida.
    i. Service Agreement. This BAA is part of the Service Agreement between Customer and BillMax as described in the BillMax Terms of Service located at CR BillMax Terms of Service.