Vendor Downstream Subcontractor Business Associate Addendum
Homelegal
Vendor Downstream Subcontractor Business Associate Addendum

Vendor Downstream Subcontractor Business Associate Addendum

Vendor Downstream Subcontractor Business Associate Addendum

This Vendor Downstream Subcontractor Business Associate Addendum (the “Addendum”) forms a part of, and is subject to, the agreement(s) between Vendor and Flock Group Inc (“Flock”) for Vendor’s services (the “Agreement”). All capitalized terms used but not defined herein will have the meaning ascribed to them in the Agreement. To the extent of any conflict between this Addendum and any other agreement between Vendor and Flock, this Addendum shall control.

1. GENERAL PROVISIONS

1.1 Status of Parties. The parties acknowledge and agree that Flock is a Business Associate of one or more Covered Entities that contract with Flock (each, a “Covered Entity”) and Vendor is a Subcontractor of Flock and is a Business Associate when Vendor creates, receives, maintains, transmits, uses or discloses Protected Health Information on behalf of Flock or a Covered Entity.  

1.2 Effect. The provisions of this Addendum shall control with respect to Protected Health Information that Vendor receives from or on behalf of Flock or the Covered Entities, and the terms and provisions of this Addendum shall supersede any conflicting or inconsistent terms and provisions of this Agreement, including all exhibits or other attachments thereto and all documents incorporated therein by reference, to the extent of such conflict or inconsistency. This Addendum shall not modify or supersede any other provision of this Agreement.

1.3 Defined Terms. Capitalized terms used in this Agreement (including this Addendum) without definition shall have the respective meanings assigned to such terms by the Administrative Simplification section of the Health Insurance Portability and Accountability Act of 1996, the Health Information Technology for Economic and Clinical Health Act and their implementing regulations as amended from time to time (collectively, “HIPAA”).

1.4 No Third Party Beneficiaries. The Parties have not created and do not intend to create by this Addendum any third party rights, including, but not limited to, third party rights for the Covered Entity’s patients.

1.5 HIPAA Amendments. Any future amendments to HIPAA affecting business associate agreements are hereby incorporated by reference into this Addendum as if set forth in this Addendum in their entirety, effective on the later of the effective date of this Addendum or such subsequent date as may be specified by HIPAA.

1.6 Regulatory References. A reference in this Addendum to a section in HIPAA means the section as it may be amended from time to time. 

1.7 Independent Contractor Status. The parties acknowledge and agree that Vendor is at all times acting as an independent contractor of Flock and not as an agent or employee of Flock under this Agreement. 

2. OBLIGATIONS OF CONTRACTOR

2.1 Use and Disclosure of Protected Health Information. Vendor may use and disclose Protected Health Information as permitted or required under this Agreement (including this Addendum) or as Required by Law, but shall not otherwise use or disclose any Protected Health Information. Vendor shall not and shall ensure that its employees, other agents and contractors do not use or disclose Protected Health Information received from Flock or the Covered Entities in any manner that would constitute a violation of HIPAA if so used or disclosed by Flock or the Covered Entities (except as set forth in Sections 2.1(a), (b) and (c) of this Addendum). To the extent Vendor carries out any of Flock’s or the Covered Entities’ obligations under HIPAA, Vendor shall comply with the requirements of HIPAA that apply to Flock or the Covered Entities (as applicable) in the performance of such obligations. Without limiting the generality of the foregoing, Vendor is permitted to use or disclose Protected Health Information as set forth below:

a. Vendor may use Protected Health Information internally for Vendor’s proper management and administrative services or to carry out its legal responsibilities; and

b. Vendor may disclose Protected Health Information to a third party for Vendor’s proper management and administration or to carry out its legal responsibilities, provided that (1) the disclosure is Required by Law, (2) Vendor makes the disclosure pursuant to an agreement consistent with Section 2.5 of this Addendum or (3) Vendor makes the disclosure pursuant to a written confidentiality agreement under which the third party is required to (A) protect the confidentiality of the Protected Health Information, (B) only use or further disclose the Protected Health Information as Required by Law or for the purpose for which it was disclosed to the third party and (C) notify Flock of any acquisition, access, use, or disclosure of Protected Health Information in a manner not permitted by the confidentiality agreement.

2.2. Safeguards. Vendor shall use appropriate safeguards to prevent the use or disclosure of Protected Health Information other than as permitted or required by this Addendum. In addition, Vendor shall implement Administrative Safeguards, Physical Safeguards and Technical Safeguards that reasonably and appropriately protect the Confidentiality, Integrity and Availability of Electronic Protected Health Information that Vendor creates, receives, maintains or transmits on behalf of Flock or the Covered Entities. Vendor shall comply with the HIPAA Security Rule with respect to Electronic Protected Health Information.

2.3. Minimum Necessary Standard. To the extent required by the “minimum necessary” requirements of HIPAA, Vendor shall only request, use and disclose the minimum amount of Protected Health Information necessary to accomplish the purpose of the request, use or disclosure. Vendor shall comply with the minimum necessary guidance to be issued by the Secretary pursuant to HIPAA and, to the extent practicable, shall not request, use or disclose any Direct Identifiers (as defined in the limited data set standard of HIPAA).

2.4. Mitigation. Vendor shall take reasonable steps to mitigate, to the extent practicable, any harmful effect (that is known to Vendor) of a use or disclosure of Protected Health Information by Vendor in violation of this Addendum or HIPAA.

2.5. Subcontractors. Vendor may not subcontract any services that require it to disclose Protected Health Information that it has received from or created on behalf of Flock or the Covered Entities unless authorized in this Agreement (including this Addendum). In the event Vendor is authorized to disclose such Protected Health Information, prior to any such permitted disclosure, Vendor shall enter into a written agreement meeting the requirements of 45 C.F.R. §§ 164.504(e) and 164.314(a)(2) with each Subcontractor (including, without limitation, a Subcontractor that is an agent under applicable law) that will create, receive, maintain or transmit Protected Health Information. Vendor shall ensure that the written agreement with each Subcontractor obligates the Subcontractor to comply with restrictions and conditions that are at least as restrictive as the restrictions and conditions that apply to Vendor under this Addendum.

2.6. Reporting Requirements.

a. Vendor shall, without unreasonable delay, but in no event later than five business days after becoming aware of any acquisition, access, use, or disclosure of Protected Health Information in violation of this Addendum by Vendor, its employees, other agents or contractors or by a third party to which Vendor disclosed Protected Health Information (each, an “Unauthorized Use or Disclosure”), report such Unauthorized Use or Disclosure to Flock. 

b. Vendor shall, without unreasonable delay, but in no event later than five business days after becoming aware of any Security Incident, report it to Flock.

c. Vendor shall, without unreasonable delay, but in no event later than five business days after discovery of a Breach of Protected Health Information (whether secured or unsecured), report such Breach to Flock in accordance with 45 C.F.R. § 164.410.

2.7. Access to Protected Health Information. Within five business days of a request by Flock for access to Protected Health Information about an Individual contained in any Designated Record Set maintained by Vendor, Vendor shall make available to Flock such Protected Health Information for so long as Vendor maintains such information in the Designated Record Set. If Vendor receives a request for access to Protected Health Information directly from an Individual, Vendor shall forward such request to Flock within five business days.

2.8. Availability of Protected Health Information for Amendment. Within five business days of receipt of a request from Flock for the amendment of an Individual’s Protected Health Information contained in any Designated Record Set maintained by Vendor, Vendor shall provide such Protected Health Information to Flock for amendment and incorporate any such amendments in the Protected Health Information (for so long as Vendor maintains such information in the Designated Record Set) as required by 45 C.F.R. § 164.526. If Vendor receives a request for amendment to Protected Health Information directly from an Individual, Vendor shall forward such request to Flock within five business days.

2.9. Accounting of Disclosures. Within five business days of notice by Flock to Vendor that Flock has received a request for an accounting of disclosures of Protected Health Information (other than disclosures to which an exception to the accounting requirement applies), Vendor shall make available to Flock such information as is in Vendor’s possession and is required for Flock and/or any applicable Covered Entity to make the accounting required by 45 C.F.R. § 164.528. If Vendor receives a request for an accounting directly from an Individual, Vendor shall forward such request to Flock within five business days.

2.10. Availability of Books and Records. Vendor shall make its internal practices, books and records relating to the use and disclosure of Protected Health Information received from, or created or received by Vendor on behalf of, Flock or the Covered Entities available to Flock and/or the Secretary for purposes of determining Flock’s or Vendor’s compliance with HIPAA.

2.11. Restrictions; Limitations in Notice of Privacy Practices. Vendor shall comply with any reasonable limitation in a Covered Entity’s notice of privacy practices to the extent that such limitation may affect Vendor’s use or disclosure of Protected Health Information and Vendor is made aware of such limitation. Vendor shall comply with any reasonable restriction on the use or disclosure of Protected Health Information that Flock or any Covered Entity has agreed to or is required to abide by under 45 C.F.R. § 164.522, to the extent that such restriction may affect Vendor’s use or disclosure of Protected Health Information.

2.12. Indemnification. Vendor shall reimburse, indemnify and hold harmless Flock for all costs, expenses (including reasonable attorneys fees), damages and other losses resulting from any breach of this Addendum, any violation of HIPAA or other federal or state laws, Unauthorized Use or Disclosure, Security Incident or Breach of Protected Health Information maintained by Vendor or Vendor’s agent or subcontractor, including, without limitation: fines or settlement amounts owed to a state or federal government agency, the cost of any notifications to Individuals or government agencies, credit monitoring for affected Individuals, or other mitigation steps taken by Flock. This Section 2.12 shall survive the expiration or earlier termination of this Addendum.

3. TERMINATION OF AGREEMENT

3.1. Termination Upon Breach of this Addendum. Any other provision of this Agreement notwithstanding, Flock may terminate this Agreement upon 30 days advance written notice to Vendor in the event that Vendor breaches this Addendum and such breach is not cured to the reasonable satisfaction of Flock within such 30-day period; provided, however, that in the event that termination of this Agreement is not feasible, in Flock’s sole discretion, Flock may report the breach to the Secretary.

3.2. Return or Destruction of Protected Health Information upon Termination. Upon expiration or earlier termination of this Agreement, Vendor shall either return or destroy all Protected Health Information received from or on behalf of Flock or the Covered Entities or created by Vendor on behalf of Flock or the Covered Entities that Vendor still maintains in any form. Notwithstanding the foregoing, to the extent that Flock reasonably determines that it is not feasible to return or destroy such Protected Health Information, the terms and provisions of this Addendum shall survive termination of this Agreement and such Protected Health Information shall be used or disclosed solely for such purpose or purposes which prevented the return or destruction of such Protected Health Information.