ESO Solutions, Inc. is a Texas corporation having its principal place of business at 2803 Manor Road, Austin, TX 78722 (including its controlled subsidiaries, “Business Associate”). Business Associate has partnered with certain hospitals to provide ESO Health Data Exchange (“HDE”) to enable the electronic data exchange of electronic patient care records and the hospital electronic medical record using the ESO HDE interface. ESO HDE is a bidirectional data exchange between Emergency Medical Services (EMS) agencies such as the undersigned (the “Covered Entity”) and the treatment facility receiving the patient (“Hospital”).
This Business Associate Agreement (this “Agreement”) automatically applies whenever both (i) Covered Entity and Hospital agree to use ESO HDE, and (ii) Business Associate and Covered Entity have no other Business Associate Agreement in effect that covers ESO HDE services. This Agreement will remain in effect as long as ESO HDE is utilized by the Covered Entity unless it is superseded by another Business Associate Agreement between ESO and Covered Entity.
1. Definitions. For purposes of this Agreement, the terms used herein, unless otherwise defined, shall have the same meanings as used in the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), or the Health Information Technology for Economic and Clinical Health Act (“HITECH”), and any amendments or implementing regulations, (collectively “HIPAA Rules”).
2. Compliance with Applicable Law. The parties acknowledge and agree that Business Associate shall comply with its obligations under this Agreement and with all obligations of a business associate under HIPAA, HITECH, the HIPAA Rules, and other applicable laws and regulations, as they exist at the time this Agreement is executed and as they are amended, for so long as this Agreement is in place.
3. Permissible Use and Disclosure of PHI. Business Associate may use and disclose PHI as necessary to carry out its duties to a Covered Entity pursuant to the terms of this Agreement and as required by law. Business Associate may also use and disclose PHI (i) for its own proper management and administration, and (ii) to carry out its legal responsibilities. If Business Associate discloses Protected Health Information to a third party for either above reason, prior to making any such disclosure, Business Associate must obtain: (i) reasonable assurances from the receiving party that such PHI will be held confidential and be disclosed only as required by law or for the purposes for which it was disclosed to such receiving party; and (ii) an agreement from such receiving party to immediately notify Business Associate of any known breaches of the confidentiality of the PHI.
4. De-Identification. Covered Entity acknowledges and agrees that, notwithstanding any other provision herein, Business Associate may use De-identified Data for internal and external purposes (including benchmarking and research), provided that Business Associate will not sell De-identified Data to third parties for commercial use. Without limiting the foregoing, Business Associate will own all right, title and interest in all Intellectual Property of any aggregated and de-identified reports, summaries, compilations, analysis, statistics or other information derived therefrom. For the avoidance of doubt, De-identified Data means data which (i) if PHI, has been de-identified in accordance with HIPAA, or (ii) if not PHI, which has had all personally identifiable information removed, as well as the names and addresses of Covered Entity and any of its Users and/or Covered Entity’s patients, and in each case as a consequence is neither PHI nor identifiable to or by Covered Entity.
5. Limitations on Use and Disclosure of PHI. Business Associate shall not, and shall ensure that its directors, officers, employees, subcontractors, and agents do not, use or disclose PHI in any manner that is not permitted by this Agreement or that would violate Subpart E of 45 C.F.R. Part 164 (“Privacy Rule”) if done by a Covered Entity. All uses and disclosures of, and requests by, Business Associate for PHI are subject to the minimum necessary rule of the Privacy Rule.
6. Required Safeguards to Protect PHI. Business Associate shall use appropriate safeguards, and comply with Subpart C of 45 C.F.R. Part 164 (“Security Rule”) with respect to electronic PHI, to prevent the use or disclosure of PHI other than pursuant to the terms and conditions of this Agreement.
7. Reporting to Covered Entity. Business Associate shall report to the affected Covered Entity without unreasonable delay: (a) any use or disclosure of PHI not provided for by this Agreement of which it becomes aware; (b) any breach of unsecured PHI in accordance with Subpart D of 45 C.F.R. Part 164 (“Breach Notification Rule”); and (c) any security incident of which it becomes aware. With regard to Security Incidents caused by or occurring to Business Associate, Business Associate shall cooperate with the Covered Entity’s investigation, analysis, notification and mitigation activities, and except for Security Incidents caused by Covered Entity, shall be responsible for reasonable costs incurred by the Covered Entity for those activities. Notwithstanding the foregoing, Covered Entity acknowledges and shall be deemed to have received advance notice from Business Associate that there are routine occurrences of: (i) unsuccessful attempts to penetrate computer networks or services maintained by Business Associate; and (ii) immaterial incidents such as “pinging” or “denial of service” attacks.
8. Mitigation of Harmful Effects. Business Associate agrees to mitigate, to the extent practicable, any harmful effect of a use or disclosure of PHI by Business Associate in violation of the requirements of this Agreement, including, but not limited to, compliance with any state law or contractual data breach requirements.
9. Agreements by Third Parties. Business Associate shall enter into an agreement with any subcontractor of Business Associate that creates, receives, maintains or transmits PHI on behalf of Business Associate. Pursuant to such agreement, the subcontractor shall agree to be bound by the same or greater restrictions, conditions, and requirements that apply to Business Associate under this Agreement with respect to such PHI.
10. Access to PHI. Within five business days of a request by a Covered Entity for access to PHI about an individual contained in a Designated Record Set, Business Associate shall make available to the Covered Entity such PHI for so long as such information is maintained by Business Associate in the Designated Record Set, as required by 45 C.F.R. 164.524. In the event any individual delivers directly to Business Associate a request for access to PHI, Business Associate shall within five (5) business days forward such request to the Covered Entity.
11. Amendment of PHI. Within five business days of receipt of a request from a Covered Entity for the amendment of an individual’s PHI or a record regarding an individual contained in a Designated Record Set (for so long as the PHI is maintained in the Designated Record Set), Business Associate shall provide such information to the Covered Entity for amendment and incorporate any such amendments in the PHI as required by 45 C.F.R. 164.526. In the event any individual delivers directly to Business Associate a request for amendment to PHI, Business Associate shall within five business days forward such request to the Covered Entity.
12. Documentation of Disclosures. Business Associate agrees to document disclosures of PHI and information related to such disclosures as would be required for a Covered Entity to respond to a request by an individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. 164.528 and HITECH.
13. Accounting of Disclosures. Within five business days of notice by a Covered Entity to Business Associate that it has received a request for an accounting of disclosures of PHI, Business Associate shall make available to a Covered Entity information to permit the Covered Entity to respond to the request for an accounting of disclosures of PHI, as required by 45 C.F.R. 164.528 and HITECH.
14. Other Obligations. To the extent that Business Associate is to carry out one or more of a Covered Entity’s obligations under the Privacy Rule, Business Associate shall comply with such requirements that apply to the Covered Entity in the performance of such obligations.
15. Judicial and Administrative Proceedings. In the event Business Associate receives a subpoena, court or administrative order or other discovery request or mandate for release of PHI, the affected Covered Entity shall have the right to control Business Associate’s response to such request, provided that, such control does not have an adverse impact on Business Associate’s compliance with existing laws. Business Associate shall notify the Covered Entity of the request as soon as reasonably practicable, but in any event within seven business days of receipt of such request.
16. Availability of Books and Records. Business Associate hereby agrees to make its internal practices, books, and records available to the Secretary of the Department of Health and Human Services for purposes of determining compliance with the HIPAA Rules.
17. Breach of Contract by Either Party. In addition to any other rights a party may have in this Agreement or by operation of law or in equity, either party may: (i) immediately terminate this Agreement if the other party has violated a material term of this Agreement; or (ii) at the non-breaching party’s option, permit the breaching party to cure or end any such violation within the time specified by the non-breaching party. The non-breaching party’s option to have cured a breach of this Agreement shall not be construed as a waiver of any other rights the non-breaching party has in this Agreement or by operation of law or in equity. Neither party shall be liable to the other party for any indirect, incidental, consequential, special, or punitive damages, including but not limited to loss of profits, revenue, data, or use, even if advised of the possibility of such damages. The total aggregate liability of either party under this Agreement shall be limited to $1,000,000.
18. Effect of Termination of Agreement. Upon the termination of this Agreement for any reason, Business Associate shall return to a Covered Entity or, at the Covered Entity’s direction, destroy all PHI received from the Covered Entity that Business Associate maintains in any form, recorded on any medium, or stored in any storage system. This provision shall apply to PHI that is in the possession of Business Associate, subcontractors, and agents of Business Associate. Business Associate shall retain no copies of the PHI. Business Associate shall remain bound by the provisions of this Agreement, even after termination of this Agreement, until such time as all PHI has been returned or otherwise destroyed as provided in this Section. For the avoidance of doubt, de-identified Covered Entity Data shall not be subject to this provision.
19. Injunctive Relief. Business Associate stipulates that its unauthorized use or disclosure of PHI while performing services pursuant to this Agreement would cause irreparable harm to a Covered Entity, and in such event, the Covered Entity shall be entitled to institute proceedings in any court of competent jurisdiction to obtain damages and injunctive relief.
20. Owner of PHI. Under no circumstances shall Business Associate be deemed in any respect to be the owner of any PHI created or received by Business Associate on behalf of a Covered Entity.
21. Safeguards and Appropriate Use of Protected Health Information. Covered Entity is responsible for implementing appropriate privacy and security safeguards to protect its PHI in compliance with HIPAA. Without limitation, it is Covered Entity’s obligation to:
21.1. Not include PHI in information Covered Entity submits to technical support personnel through a technical support request or to community support forums. In addition, Business Associate does not act as, or have the obligations of a Business Associate under the HIPAA Rules with respect to Covered Entity Data once it is sent to or from Covered Entity outside ESO’s Software over the public Internet; and
21.2. Implement privacy and security safeguards in the systems, applications, and software Covered Entity controls, configures and connects to ESO’s Software.
22. Third Party Rights. The terms of this Agreement do not grant any rights to any parties other than Business Associate and the Covered Entity.
23. Severability. In the event that any provision of this Agreement is found to be invalid or unenforceable, the remainder of this Agreement shall not be affected thereby, but rather the remainder of this Agreement shall continue to be enforced to the greatest extent permitted by law.