All businesses wishing to list themselves on MarijuanaDoctors.com must agree to this Business Associate Agreement.
This Business Associate Agreement (the "Agreement") is entered into on the date of e-signature on the accompanying quote, between you (the "Vendor"), and Medical Consulting Network, Inc., a Delaware Corporation, with an office address of 1121 Walt Whitman Rd, Suite 312, Melville NY 11747 (the "Company" and, together with the Practice, the “Parties”).
WHEREAS, the Company provides services related to the practice of medicine to doctors/practices with offices located throughout the United States of America (the “Office” or “Offices”), which services, at times, involve the handling or custody of Protected Health Information (“PHI”), as defined by HIPAA; and
WHEREAS, the Vendor is an entity providing various services relevant to the Company’s services; and
WHEREAS, the Company, in the interest of ensuring compliance with the Health Information Portability and Accountability Act of 1996 ("HIPAA"), desires to enter into this Agreement to obtain satisfactory assurances that the Vendor, as a Business Associate, will appropriately safeguard all PHI disclosed, created, maintained or received by the Vendor on behalf of the Company and the Offices; and
WHEREAS, the Company desires to engage the Vendor to perform certain functions for or on behalf of the Company potentially involving the disclosure of PHI by the Company to the Vendor, or the creation, maintenance or use of PHI by the Vendor on behalf of the Company and/or the Offices, and the Vendor desires to perform such functions; and
WHEREAS, this Agreement shall be deemed an amendment to any other agreement into which the parties have entered (each, an "Underlying Agreement").
NOW, THEREFORE, in consideration of the mutual promises below and the exchange of information pursuant to any Underlying Agreements and in order to comply with all legal requirements for the protection of this information, the parties therefore agree as follows:
Article I. Definitions of Terms
All capitalized terms contained herein shall have the meaning given to such term or be references to the associated regulations contained in 45 C.F.R. Parts 160 and 164.
Article II. Obligations and Activities of Company
2.01 PHI and Use of PHI
Company agrees and acknowledges that any individual’s PHI that comes within Company’s custody, exposure, possession or knowledge or is created, maintained, retained, transmitted, derived, developed, compiled, prepared or used by Company in the course of or in connection with the performance of services under this Agreement, is confidential and shall remain the exclusive property of the Practice and shall be used, disclosed, transmitted and/or maintained solely in accordance with this Agreement and as Required By Law. Company agrees to comply with its obligations as a Business Associate and acknowledges that it is subject to and agrees to comply with HIPAA and all applicable guidance and regulations issued by the Secretary to implement HIPAA and all other applicable law. Company shall not use or disclose PHI other than as permitted or required by this Agreement or as Required By Law.
2.02 Forwarding Requests for Disclosure from Government to the Practice
Company shall forward all requests for the disclosure of PHI from a law enforcement or government official, or pursuant to a subpoena, other legal request or court or administrative order, to the Practice as soon as possible before making the requested disclosure, but no later than five (5) business days following its receipt of such request or order.
2.03 Assisting the Practice Respond to Requests for Disclosure from Government
Company shall provide to the Practice all PHI necessary to respond to a request for the disclosure of PHI by a law enforcement or government official, or pursuant to a subpoena, other legal request, or court or administrative order as soon as possible, but no later than two (2) business days following its receipt of such written request from the Practice.
2.04 Restrictions on Use and/or Disclosure of PHI
Company shall comply with all granted restrictions on the use and/or disclosure of PHI, pursuant to 45 C.F.R. § 164.522(a), upon notice from the Practice. Company shall forward to the Practice any requests for restriction on the use and/or disclosure of PHI within five (5) business days of receipt.
2.05 Requests for Confidential Communication of PHI
Company shall comply with all granted requests for confidential communication of PHI, pursuant to 45 C.F.R. § 164.522(b), upon notice from the Practice. Company shall forward to the Practice any requests for confidential communication of PHI within ten (10) business days of receipt.
2.06 Appropriate Safeguards
Company shall implement administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of Electronic PHI that it creates, receives, maintains, or transmits on behalf of the Practice, as required by the Security Rule. Upon request, Company shall make available Company’s security program, including the most recent electronic PHI risk analysis, policies, procedures, security incidents and responses and evidence of training.
2.07 Duty to Mitigate
Company shall take immediate steps to mitigate, to the extent practicable or as reasonably directed by the Practice, any harmful effect that is known to Company of a use or disclosure of PHI by Company in violation of the requirements of this Agreement, the Privacy Rule or the Security Rule, such as obtaining the recipient’s satisfactory assurances that the information will not be further used or disclosed (through a confidentiality agreement or similar means) or will be destroyed.
2.08 Reporting of Unauthorized Uses or Disclosures
Company shall report to the Practice any use or disclosure of the PHI not provided for by this Agreement, the Privacy Rule or the Security Rule, including breaches of unsecured PHI, as required at 45 C.F.R. § 164.410, and any security incident of which it becomes aware, as soon as possible, but no later than five (5) business days after discovery, stating (to the extent known by Company) the nature of such use or disclosure, the names and addresses of the individuals who are the subject of such PHI and the names of the individuals who made or engaged in such use or disclosure and any other available information that the Practice is required to include in notifications to the affected individuals.
2.09 Subcompanies, Consultants, Agents and Other Third Parties
Company shall ensure that any subcompany, consultant, agent, or other third party that creates, receives, maintains, or transmits PHI on behalf of Company agrees to the same restrictions, conditions, and requirements that apply to Company with regard to its creation, use, and disclosure of PHI. Company shall, upon request from the Practice, provide the Practice with a list of all such third parties. Company shall ensure that any subcompany, consultant, agent, or other third party to whom it provides Electronic PHI agrees to implement reasonable and appropriate safeguards to protect such information. Company must terminate its agreement with any subcompany, consultant, agent or other third party, and obtain all PHI provided to such subcompany, consultant, agent or other third party, if Company becomes aware that the subcompany, consultant, agent or other third party has breached its contractual duties relating to HIPAA or this Agreement. If any subcompany, consultant, agent, or other third party of Company is not subject to the jurisdiction or laws of the United States, or if any use or disclosure of PHI in performing services under the Agreement will be outside of the jurisdiction of the United States, such entities must agree by written contract with the Company to be subject to the jurisdiction of the Secretary, the laws and the courts of the United States, and waive any available jurisdictional defenses as they pertain to the parties’ obligations under this Agreement, the Privacy Rule or the Security Rule.
2.10 Books and Records
Company shall make internal practices, books, and records relating to PHI received from, or created or received by Company, on behalf of the Practice, available to the Practice, or at the request of the Practice to the Secretary, for purposes of the Secretary determining the Practice’s compliance with the Privacy Rule.
2.11 Documenting Disclosures
Company shall document such disclosures of PHI and information related to such disclosures as would be required for the Practice to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528.
2.12 Accounting for Disclosures
Company shall provide to the Practice, upon request and in the time and manner required by 45 C.F.R. § 164.528(c)(1), an accounting of disclosures of an Individual’s PHI, collected in accordance with this Agreement, to permit the Practice to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528.
2.13 Minimum Necessary
Company acknowledges and agrees that it shall request from the Practice and so disclose to its affiliates, subsidiaries, agents, subcompanies or other third parties, only the minimum PHI necessary to perform or fulfill a specific function required or permitted hereunder, in accordance with the Secretary’s guidance.
2.15 Independent Company
The relationship of the Company with the Practice shall be one of independent Company, and not an employee or agent of the Practice.
2.16 Securing PHI
Company shall comply and ensure that any and all subcompanies, consultants, agents, vendors, or other third-parties comply with all applicable laws, rules, regulations, and guidance concerning the technologies and methodologies for rendering PHI unusable, unreadable, or indecipherable to unauthorized individuals such that breach notification is not required.
2.17 Breach Notification
Notwithstanding any provision above, if any PHI in the possession, custody or control of Company remains or becomes unsecured, Company shall, following discovery of a Breach of such unsecured PHI, provide notification to individuals, the media and the Secretary, as Required By Law. All notifications shall be made without unreasonable delay and, in no case, later than 60 calendar days from discovery of the Breach, unless specifically instructed by an authorized government official to refrain.
2.18 Application of Privacy Rule to Company
Where provided, the standards, requirements, and implementation specifications adopted under 45 C.F.R. Part 164, Subpart E, apply to Company with respect to the PHI of the Practice.
Company shall defend, indemnify and hold harmless the Practice from and against any or all cost, loss, interest, damage, liability, claim, legal action or demand by third parties (including costs, expenses and reasonable attorneys’ fees on account thereof) arising out of Company’s activities under the Agreement, including but not limited to, any breach of unsecured PHI by the Company or failure by the Company to provide the required breach notifications, except to the extent that such loss, interest, damage, liability, claim, legal action or demand was incurred as a result of the negligence or willful misconduct of the Practice. As a condition precedent to the Company’s obligation to indemnify the Practice under this Agreement, the Practice must notify Company within a reasonable amount of time upon learning of any claim or liability in order to give Company an opportunity to present any appropriate defense on behalf of the Practice and Company. The Practice shall have the right, but not the obligation, to participate in any defense at its own cost and with its own counsel. The provisions of this paragraph 2.20 will survive the termination of this Agreement.
2.20 Individual’s Access to PHI
Company shall cooperate with the Practice on a timely basis, consistent with 45 C.F.R. § 164.524(b)(2), to fulfill all requests by individuals for access to the individual’s PHI that are approved by the Practice. Company shall make available PHI in a designated record set to the Practice as necessary to satisfy the Practice’s obligations under 45 C.F.R. § 164.524(c). Company further agrees that to the extent Company maintains PHI of the Practice in an electronic health record (“EHR”), the Practice must comply with patients’ requests for access to their PHI by giving them, or any entity that they designate clearly, conspicuously and specifically, the information in an electronic format, and must not charge the requestor more than the labor costs in responding to the request for the copy (or summary or explanation).
2.21 Amendments to PHI
Company shall make any amendment(s) to PHI in a designated record set as directed or agreed to by the Practice pursuant to 45 C.F.R. § 164.526, or take other measures as necessary to satisfy the Practice’s obligations under 45 C.F.R. § 164.526. Company must act on an individual’s request for an amendment in a manner and within the time period set forth in 45 C.F.R. § 164.526(b)(2).
Article III. Permitted Uses and Disclosures by Company
3.01 General Use and Disclosure
Except as otherwise limited in this Agreement, Company may use or disclose PHI only to perform its obligations and services to the Practice or as Required By Law, provided that such use or disclosure would not violate the Privacy or Security Rule if done by the Practice.
Article IV. Obligations of The Practice
4.01 Provisions for the Practice to Inform Company of Privacy Practices and Restrictions.
4.01.01 Upon Company’s request, the Practice shall provide Company with the notice of privacy practices that the Practice produces, as well as any changes to that notice.
4.01.02 The Practice shall provide Company with any changes in, or revocation of, authorization by an Individual to use or disclose PHI, if such changes affect Company’s permitted or required uses and disclosures.
4.01.03 The Practice shall notify Company, in writing, of any restriction to the use or disclosure of PHI to which the Practice has agreed. Company agrees to conform to any such restriction.
4.01.04 The Practice acknowledges that it shall provide to the Company only the minimum PHI necessary for Company to perform a specific function required or permitted hereunder.
4.01.05 The Practice shall not request Company to use or disclose PHI in any manner that would not be permissible under the Privacy Rule if done by the Practice.
Article V. Term and Termination
Except as otherwise provided herein, the Agreement shall terminate when all of the PHI provided by the Practice to Company, or created or received by Company on behalf of the Practice, is destroyed or returned to the Practice.
5.02 Termination for Cause
Upon a Party’s knowledge of a material breach by the other party, the non-breaching Party shall provide thirty (30) days for the breaching Party to cure the breach. In the event the breach remains uncured, the non-breaching party may terminate this Agreement, unless a cure is not possible.
5.03 Effect of Termination
5.03.01 Disposal of PHI
Except as provided in paragraph 5.03.02 of this Section, upon termination of this Agreement, for any reason, Company shall return or destroy all PHI received from the Practice, or created or received by Company on behalf of the Practice, at the direction of the Practice. Company shall request, in writing, PHI that is in the possession of subcompanies or agents of Company.
5.03.02 Return or Destruction Impossible
In the event the Company determines that returning or destroying the PHI is infeasible, Company shall provide to the Practice notification of the conditions that make return or destruction infeasible. If return or destruction of PHI is infeasible, Company shall extend the protection of this Agreement to such PHI, for so long as Company maintains such PHI. Following the termination of this Agreement, Company shall not disclose PHI except to the Practice or as Required by Law. This provision and the obligations hereunder shall survive termination of this Agreement.
Article VI. Miscellaneous
This Agreement may be amended upon the mutual written agreement of the parties.
Any ambiguity in this Agreement shall be resolved in favor of a meaning that permits the Practice to comply with the HIPAA Rules. In the event of any inconsistency or conflict between this Agreement and any other agreement between the parties, the terms, provisions and conditions of this Agreement shall govern and control. Where provisions of this Agreement are different from those mandated by the HIPAA Rules, but are nonetheless permitted by the HIPAA Rules, the provisions of the Agreement shall control.
6.03 No third-party beneficiary
Nothing express or implied in this Agreement is intended to confer, and nothing herein shall confer, upon any person other than the parties and the respective successors or assigns of the parties, any rights, remedies, obligations, or liabilities whatsoever.
6.04 Governing Law
This Agreement shall be governed by and construed in accordance with the laws of the State of New York. Any disputes relating to this Agreement shall be resolved by the state or federal courts located in Suffolk County, New York, and the Practice consents to venue in those courts as proper.
By e-signing the MarijuanaDoctors.com quote, the Client automatically agrees to the Business Associate Agreement in its entirety, not requiring a signature. This Business Associate Agreement is made available to the Client when registering on the Service Providers section of MarijuanaDoctors.com as well as when they are sent a quote for any and all subscribed services.