Business Associate Subcontractor Agreement

This Business Associate Subcontractor Agreement (“Subcontractor Agreement”) is entered into by and between Tabula Rasa HealthCare Group, Inc., with offices at 228 Strawbridge Drive, Moorestown, NJ 08057 (“Business Associate”), and you (“Subcontractor”).

RECITALS

WHEREAS, Business Associate has entered into one or more business agreements (“Covered Entity Agreements”) pursuant to which Business Associate provides products and services to covered entities and in furtherance of such agreements Subcontractor may from time to time perform on behalf of Business Associate a function or activity supporting the covered entities that involves the Use or Disclosure of Protected Health Information (“PHI”).

WHEREAS, Business Associate and Subcontractor have entered into that certain business agreement (the “Underlying Master Agreement”) pursuant to which Subcontractor will render services to, for, or on behalf of, Business Associate in connection with the Covered Entity Agreements.

WHEREAS, as part of the Underlying Master Agreement, Subcontractor will perform a function or activity on behalf of Business Associate that involves the Use or Disclosure of PHI.

WHEREAS, Business Associate and Subcontractor desire to enter into this Subcontractor Agreement regarding the Use and/or Disclosure of PHI as required by the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the Standards for Privacy of Individually Identifiable Health Information (the “Privacy Rule”) and the Standards for Security of Electronic Protected Health Information (the “Security Rule”) promulgated thereunder, and the Health Information Technology for Economic and Clinical Health Act (Division A, Title XIII and Division B, Title IV, of the American Recovery and Reinvestment Act of 2009, Pub. L. 111-5) (the “HITECH Act”), and the regulations implementing the HITECH Act.

NOW, THEREFORE, in consideration of the mutual promises below and other good and valuable consideration, the receipt and sufficiency of which is hereby acknowledged, the parties agree as follows:

AGREEMENT

A. General Compliance with HIPAA Privacy Rule and Security Rule.

The parties shall conduct their respective businesses in accordance with all applicable laws and regulations regarding the privacy and security of PHI, including, without limitation, HIPAA and the HITECH Act, as amended from time to time, and the regulations promulgated thereunder.

B. Definitions.

Terms used but not otherwise defined in this Subcontractor Agreement shall have the same meaning given to such terms in HIPAA, the HITECH Act, or any implementing regulations promulgated thereunder, including, but not limited to, the Privacy Rule and the Security Rule.  In the event of a conflict regarding any definition in this Subcontractor Agreement and the definitions in HIPAA, the HITECH Act, or any implementing regulations promulgated thereunder, including but not limited to the Privacy Rule and the Security Rule, the definitions in HIPAA, the HITECH Act and any implementing regulations shall govern.

    1. “Breach” means the acquisition, access, Use, or Disclosure of PHI in a manner not permitted under the Privacy Rule which compromises the security or privacy of PHI (within the meaning of 45 C.F.R. § 164.402).
    2. “Data Aggregation” means, with respect to PHI created or received by Subcontractor in its capacity as a subcontractor of Business Associate, the combining of such PHI by Subcontractor with the PHI received by Subcontractor in its capacity as a subcontractor of another business associate or business associate of another covered entity, to permit data analyses that relate to the health care operations of the respective covered entities.
    3. “Designated Record Set” means a group of records maintained by or for a covered entity that is:  (i) the medical records and billing records about Individuals maintained by or for a covered health care provider; (ii) the enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or (iii) used, in whole or in part, by or for the covered entity to make decisions about Individuals.  For the purposes of this paragraph, the term “record” means any item, collection, or grouping of information that includes Protected Health Information and is maintained, collected, used, or disseminated by or for a covered entity.
    4. “Disclose” or “Disclosure” means the release, transfer, provision of access to, or divulging in any other manner of PHI outside the entity holding the information.
    5. “Electronic Protected Health Information” or “ePHI” shall have the same meaning as the term “electronic protected health information” in 45 C.F.R. § 160.103, limited to the information created or received by Subcontractor from or on behalf of Business Associate.
    6. “Individual” means the person who is the subject of PHI and shall include a person who qualifies as a personal representative in accordance with 45 C.F.R. § 164.502(g).
    7. “Individually Identifiable Health Information” is information that is a subset of health information, including demographic information collected from an Individual, and (1) is created or received by a health care provider, health plan, employer, or health care clearinghouse; and (2) relates to the past, present, or future physical or mental health or condition of an Individual; the provision of health care to an Individual; or the past, present, or future payment for the provision of health care to an Individual; and (i) that identifies the Individual; or (ii) with respect to which there is a reasonable basis to believe the information can be used to identify the Individual.
    8. “Privacy Rule” means the Standards for Privacy of Individually Identifiable Health Information at 45 C.F.R. Part 160 and Part 164, Subparts A and E.
    9. “Protected Health Information” or “PHI” means Individually Identifiable Health Information that is: (i) transmitted by “electronic media,” as defined in 45 C.F.R. § 160.103; (ii) maintained in any medium described in the definition of electronic media; or (iii) transmitted or maintained in any other form or medium.
    10. “Required by Law” means a mandate contained in law that compels an entity to make a Use or Disclosure of PHI and that is enforceable in a court of law.
    11. “Secretary” means the Secretary of Health and Human Services or any other officer or employee of the U.S. Department of Health and Human Services to whom the authority involved has been delegated.
    12. “Security Incident” means the attempted or successful unauthorized access, Use, Disclosure, modification, or destruction of information or interference with system operations in an information system.
    13. “Security Rule” means the Security Standards for the Protection of Electronic Protected Health Information at 45 C.F.R. Part 164 Subpart C.
    14. “Unsecured Protected Health Information” means PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary in the guidance issued under section 13402(h)(2) of Public Law 111-5.
    15. “Use” means the sharing, employment, application, utilization, examination, or analysis of PHI within an entity that maintains such information.

C. Obligations and Activities of Subcontractor.

    1. Nondisclosure.  Subcontractor shall not Use or Disclose PHI other than as permitted or required by the Underlying Master Agreement, this Subcontractor Agreement or as Required by Law.
    2. Minimum Necessary.  Subcontractor shall limit any PHI Used, Disclosed or requested to the minimum necessary to accomplish the intended purpose of the Use, Disclosure or request.
    3. Safeguards.  Subcontractor shall use appropriate safeguards to prevent the Use or Disclosure of PHI other than as provided for by the Underlying Master Agreement or this Subcontractor Agreement.
    4. Security Rule.  Subcontractor shall comply with the Security Rule provisions set forth in 45 C.F.R. Part 164, Subpart C, including the provisions relating to Security Standards General Rules (45 C.F.R. § 164.306), Administrative Safeguards (45 C.F.R. § 164.308), Physical Safeguards (45 C.F.R. § 164.310), Technical Safeguards (45 C.F.R. § 164.312), Organizational Requirements (45 C.F.R. § 164.314) and Policies and Documentation (45 C.F.R. § 164.316), and to implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the Electronic Protected Health Information Subcontractor creates, receives, maintains, or transmits on behalf of Business Associate.
    5. Reporting of Disclosures.  Subcontractor shall report, in writing, to Business Associate any Use or Disclosure of PHI not provided for by the Underlying Master Agreement or this Subcontractor Agreement of which Subcontractor becomes aware.
    6. Mitigation.  Subcontractor shall mitigate, to the extent practicable, any harmful effect that is known to Subcontractor of a Use or Disclosure of PHI by Subcontractor in violation of the requirements of this Subcontractor Agreement.
    7. Subcontractor’s Agents.  Subcontractor shall ensure that any agents, including subcontractors, which create, receive, maintain or transmit PHI on behalf of Subcontractor agree in writing to restrictions and conditions that are no less restrictive than those that apply to Subcontractor through this Subcontractor Agreement with respect to PHI.
    8. Access to PHI.  At the written request of Business Associate (and in the reasonable time and manner designated by Business Associate), Subcontractor shall provide access to PHI in a Designated Record Set to Business Associate or, as directed by Business Associate in writing, to an Individual in order to meet the requirements under 45 C.F.R. § 164.524.  This provision shall only apply if Subcontractor has PHI in a Designated Record Set.  Subcontractor further shall notify Business Associate of any requests for access it receives from an Individual within five (5) business days of receipt.
    9. Documentation of Disclosures.  Subcontractor shall document such Disclosures of PHI and information related to such Disclosures as would be required for Business Associate to respond to a request by an Individual for an accounting of Disclosures of PHI in accordance with 45 C.F.R. § 164.528.
    10. Accounting of Disclosures.  At the written request of Business Associate (and in the reasonable time and manner designated by Business Associate), Subcontractor shall provide to Business Associate information collected in accordance with Section C.9 of this Subcontractor Agreement, to permit Business Associate to respond to a request by an Individual for an accounting of Disclosures of PHI in accordance with 45 C.F.R. § 164.528 (and HITECH Act § 13405(c)). Subcontractor further shall notify Business Associate of any requests for accounting of Disclosures it receives from an Individual within ten (10) business days of receipt.
    11. Amendment of PHI. At the written request of Business Associate (and in the reasonable time and manner designated by Business Associate) Subcontractor shall make any amendment(s) to PHI in a Designated Record Set that Business Associate directs pursuant to 45 C.F.R. § 164.526.  This provision shall only apply if Subcontractor has PHI in a Designated Record Set.  Subcontractor further shall notify Business Associate of any requests for amendment it receives from an Individual within fifteen (15) business days of receipt.
    12. Internal Practices.  Subcontractor shall make its internal practices, books and records, including policies and procedures, relating to the Use and Disclosure of PHI received from Business Associate, or created or received by Subcontractor on behalf of Business Associate, available to Business Associate, or to the Secretary, for purposes of determining Business Associate’s and/or Subcontractor’s compliance with the Privacy Rule and/or Security Rule.
    13. Reporting of Potential Breaches and Security Incidents.  Subcontractor shall report in writing to Business Associate any Security Incident or potential Breach of Unsecured Protected Health Information as follows:

a) Subcontractor shall report any actual, successful Security Incident within two (2) days of Subcontractor’s discovery of such actual, successful Security Incident.

b) Subcontractor shall report any attempted, unsuccessful Security Incident of which Subcontractor becomes aware at the written request of Business Associate but in no event more frequently than on a quarterly basis.

c) Subcontractor shall report any potential Breach of Unsecured Protected Health Information within two (2) days of discovery.

In each instance (a) through (c) above, the written report shall include the following: (i) the identification of each Individual whose Unsecured Protected Health Information has been, or is reasonably believed by Subcontractor to have been accessed, acquired, Used or Disclosed during any such Security Incident or potential Breach, to the extent known by Subcontractor; (ii) such other information regarding the Security Incident or potential Breach as is known to Subcontractor at the time the report is made (such as the type of PHI involved, the nature of the information accessed, acquired, Used or Disclosed, etc.); and (iii) an acknowledgement by Subcontractor that the information provided pursuant to (i) and (ii) shall be supplemented if and when further information becomes available to Subcontractor.

14. Additional Responsibility.  To the extent Subcontractor is to carry out an obligation of Business Associate under the Privacy Rule provisions set forth at 45 C.F.R. Part 164, Subpart E, Subcontractor shall comply with the requirements of the Privacy Rule that apply to Business Associate in the performance of such obligation. Subcontractor shall comply with the obligations set forth in Exhibit 1 “Physical Security, Privacy and Safety Requirements” which is attached hereto and incorporated herein by reference.

D. Permitted Uses and Disclosures by Subcontractor.

  1. Permitted Uses and Disclosures.  Except as otherwise limited in this Subcontractor Agreement, Subcontractor may Use or Disclose PHI to perform functions, activities, or services for, or on behalf of, Business Associate as specified in the Underlying Master Agreement, provided such Use or Disclosure would not violate the Privacy Rule if done by Business Associate.
  2. Use for Management and Administration.  Except as otherwise limited in this Subcontractor Agreement, Subcontractor may Use PHI for the proper management and administration of Subcontractor or to carry out the legal responsibilities of Subcontractor.
  3. Disclosure for Management and Administration.  Except as otherwise limited in the Underlying Master Agreement and this Subcontractor Agreement, Subcontractor may Disclose PHI for the proper management and administration of Subcontractor or to carry out the legal responsibilities of Subcontractor, provided that:  (a) the Disclosures are Required by Law, or (b) Subcontractor obtains reasonable assurances from the person to whom the information is Disclosed that it will remain confidential and Used or further Disclosed only as Required by Law or for the purpose for which it was Disclosed to the person, and (c) the person notifies Subcontractor of any instances of which it is aware in which the confidentiality of the information has been breached.
  4. Data Aggregation.  Except as otherwise limited in this Subcontractor Agreement, Subcontractor may Use PHI to provide Data Aggregation services to Business Associate as permitted by 45 C.F.R. § 164.504(e)(2)(i)(B).

E. Obligations of Business Associate.

    1. Notice of Privacy Practices. Business Associate shall provide Subcontractor with the notices of privacy practices that Business Associate receives from covered entities, as well as any limitations and/or changes to such notices, of which Business Associate is notified, to the extent that such limitations and/or changes may affect Subcontractor’s Use or Disclosure of PHI.
    2. Changes in Permission.  Business Associate shall notify Subcontractor of any changes in, or revocation of, permission by an Individual to Use or Disclose PHI, of which Business Associate is notified, to the extent that such changes may affect Subcontractor’s Use or Disclosure of PHI.
    3. Notification of Restrictions.  Business Associate shall notify Subcontractor of any restriction to the Use or Disclosure of PHI that a covered entity has agreed to in accordance with 45 C.F.R. § 164.522 and of which Business Associate is notified, to the extent that such restriction may affect Subcontractor’s Use or Disclosure of PHI.
    4. Permissible Requests by Business Associate.  Business Associate shall not request Subcontractor Use or Disclose PHI in any manner that would not be permissible under HIPAA, as amended by the HITECH Act, or any implementing regulations.

F. Term and Termination.

    1. Term.  The term of this Subcontractor Agreement shall be effective as of the date of the Underlying Master Agreement and shall terminate upon the earlier of:  (i) the date of termination of the Underlying Master Agreement, or (ii) the date upon which Subcontractor no longer provides functions or services subject to this Subcontractor Agreement for, or on behalf of, Business Associate.
    2. Termination for Cause.  Notwithstanding any other provision of this Subcontractor Agreement to the contrary, (i) either party may terminate the Underlying Master Agreement and/or this Subcontractor Agreement in the event of a material breach of any term of this Subcontractor Agreement by the other party which is not corrected within thirty (30) days of receipt of written notice describing the nature of the alleged breach, and (ii) Business Associate may immediately terminate the Underlying Master Agreement and/or this Subcontractor Agreement in the event of a material breach of this Subcontractor Agreement that involves a Breach of Unsecured PHI.
    3. Effect of Termination.  Except as provided in this Section F.3, upon termination of this Subcontractor Agreement for any reason, Subcontractor shall return or destroy all PHI received from Business Associate, or created or received by Subcontractor on behalf of Business Associate.  This provision shall apply to PHI that is in the possession of subcontractors or agents of Subcontractor.  Subcontractor shall retain no copies of the PHI.  In the event that Subcontractor believes that returning or destroying PHI is not feasible, Subcontractor shall notify Business Associate in writing of the conditions that make return or destruction infeasible.  Upon mutual agreement of Business Associate and Subcontractor that return or destruction of the PHI is infeasible, Subcontractor shall extend the protections of this Subcontractor Agreement to such PHI and limit further Uses and Disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Subcontractor maintains such PHI.
    4. Indemnification.  Subcontractor agrees to indemnify and hold harmless Business Associate and its affiliates and their respective current and former officers, directors, members, employees and agents (collectively, “Indemnitees”), from and against any liability, claim, action, loss, cost, damage or expense (including reasonable fees of attorneys and experts) incurred or suffered by Indemnitees, to the extent that such liability, claim, action, loss, cost, damage, expense or fees are attributable to or incurred as a result of an unauthorized Use or Disclosure of PHI by Subcontractor or its subcontractor or agent; an acquisition, access, Use, or Disclosure, by Subcontractor or its subcontractor or agent, that constitutes a Breach or Security Incident; any breach of this Subcontractor Agreement by Subcontractor; or any breach of the agreement described in Section C.7 of this Subcontractor Agreement by Subcontractor’s subcontractor or agent.

G. Miscellaneous.

    1. Regulatory References. A reference in this Subcontractor Agreement to a section in the Privacy Rule or Security Rule means the section as in effect or as amended, and for which compliance is required.
    2. Amendment.  The parties agree to take such action as is necessary to amend this Subcontractor Agreement from time to time for Business Associate and Subcontractor to comply with the requirements of the Privacy Rule and Security Rule, HIPAA, the HITECH Act and its implementing regulations that are binding on such party.
    3. Survival.  The respective rights and obligations of Subcontractor under Sections F.3 and F.4 of this Subcontractor Agreement shall survive the termination of this Subcontractor Agreement.
    4. Interpretation.  The parties agree that any ambiguity in this Subcontractor Agreement or conflict with the terms of the Underlying Master Agreement shall be resolved to permit the parties to comply with HIPAA and the HITECH Act and any implementing regulations promulgated thereunder, including but not limited to the Privacy Rule and Security Rule and applicable state laws.
    5. No Third-Party Beneficiary.  Notwithstanding any other provision of this Subcontractor Agreement to the contrary, if any, nothing in this Subcontractor Agreement, or in the parties’ course of dealings, shall be construed as conferring any third-party beneficiary status with respect to this Subcontractor Agreement on any person not a party to this Subcontractor Agreement.
    6. Assignment.  This Subcontractor Agreement may not be transferred or assigned by either party without the prior written consent of the other party.
    7. Governing Law.  All questions with respect to the construction of this Subcontractor Agreement and the rights and liabilities of the parties except as otherwise provided, shall be determined in accordance with the laws of New Jersey without regard to conflicts of laws principles.  All disputes hereunder shall be resolved in the applicable state or federal courts in the State of New Jersey.  The parties consent to the jurisdiction of such courts and waive any jurisdictional or venue defenses otherwise available.
    8. Counterparts.  This Subcontractor Agreement may be executed in one or more counterparts, each of which shall be deemed an original but all of which shall constitute one and the same instrument.
    9. Effect of Subcontractor Agreement.  This Subcontractor Agreement sets forth the entire agreement and understanding between the parties regarding the subject matter hereof and supersedes all other discussions, representations, agreements and understandings of every kind, whether oral or written, with respect to the subject matter hereof.  In the event of a conflict between the terms of this Subcontractor Agreement and the terms of the Underlying Master Agreement or any agreement for services between the parties, the terms of this Subcontractor Agreement shall control.
    10. Notices.

Any notices to be given hereunder to a Party shall be made via U.S. Mail or express courier to such Party’s address given below.

If to Subcontractor:

At the contact information provided to Business Associate.

If to Business Associate:

Tabula Rasa HealthCare Group, Inc.

Attn: Privacy Officer

228 Strawbridge Drive

Moorestown, NJ 08057

With a copy to: legal@trhc.com

Each Party named above may change its address and that of its representative for notice by the giving of notice thereof in the manner herein above provided.