HIPAA COMPLIANT DATA PRIVACY AND SECURITY AGREEMENT
This Agreement (“Agreement”) is effective upon the acceptance of the Software as a Service (SaaS) – Subscription Terms (“Software Subscription Agreement”) between your organization (“Entity”) and Rapid Improvement Systems (“Contractor”). The parties hereby agree that the terms of this Agreement are specifically incorporated by reference into the Software Subscription Agreement.
The parties acknowledge and agree that (i) the Entity is either a “Covered Entity” or a “Business Associate” of a Covered Entity as those terms are defined by the Health Insurance Portability and Accountability Act and its implementing regulations (45 CFR Parts 160-164) (“HIPAA” or “Privacy Rule” or “Security Rule” or “Electronic Transactions Rule”), and (ii) the Contractor is either a “Business Associate” of a Covered Entity or a subcontractor of a Covered Entity as those terms are defined by HIPAA and the requirements of the Health Information Technology for Economic and Clinical Health Act, as incorporated in the American Recovery and Reinvestment Act of 2009 and the implementing regulations, as issued and amended by the Secretary, that are applicable to business associates (“HITECH”). Entity and Contractor agree that Contractor is obligated to meet applicable provisions of HITECH and that any regulations issued with respect to HITECH related to obligations of Business Associates are hereby incorporated into this Agreement.
Capitalized terms used in this Agreement and not otherwise defined herein shall have the meanings set forth in HIPAA, HITECH, and/or Software Subscription Agreement, as the case may be, which definitions are hereby incorporated by reference.
- Obligations and Activities of Contractor.
- Contractor shall use or disclose Protected Health Information (“PHI”) only as permitted or required by this Agreement or as Required by Law.
- Contractor shall use appropriate safeguards and security measures to prevent Use or Disclosure of PHI other than as provided for by this Agreement. Contractor shall implement administrative, technical, and physical measures to protect the confidentiality, integrity, and availability of Electronic PHI as required by HIPAA and HITECH.
- Contractor shall mitigate, to the extent practicable, any harmful effect that is known to Contractor of a Use or Disclosure of PHI by Contractor in violation of the requirements of this Agreement or any Breach of Unsecured PHI.
- Contractor shall report to Entity any Use or Disclosure of PHI not provided for by this Agreement within five (5) days following Contractor's discovery of that event. Contractor’s report of a Use or Disclosure of PHI not provided for by this Agreement shall provide sufficient information to inform the Entity of the nature of the Use or Disclosure, the PHI used or disclosed, and the corrective action Contractor has taken or will take to prevent future similar unauthorized Use or Disclosure.
- Contractor shall report to Entity any Breach of Unsecured Protected Health Information, as these terms are defined by HITECH and any implementing regulations, within five (5) days following Contractor's discovery of that event; provided, that if a delay is requested by a law-enforcement official in accordance with 45 CFR § 164.412, Contractor may delay notifying Entity for the applicable time period. Contractor shall cooperate with Entity in investigating the Breach and in meeting the Entity’s obligations under HITECH and any other security breach notification laws. Any such report shall include the following:
- the identification of each individual whose Unsecured Protected Health Information has been, or is reasonably believed by the Contractor to have been, accessed, acquired, or disclosed during the breach,
- the date of the Breach,
- the date of discovery of the Breach,
- a description of the types of Unsecured Protected Health Information that were involved, and
- any other details necessary to complete an assessment of the risk of harm to the individual(s) whose PHI was disclosed.
- Contractor shall report to Entity any successful Security Incident of which Contractor becomes aware. Contractor shall make such report to Entity within five (5) days after Contractor discovers any successful Security Incident. Any such report shall describe the successful Security Incident in sufficient detail to permit Entity to ascertain the nature and extent of the event and the corrective action Contractor has taken or will take to prevent future similar unauthorized Uses or Disclosures. To avoid unnecessary burden on either Party, Contractor shall only be required to report as described below, upon the Entity’s request, attempted, but unsuccessful Security Incidents of which Contractor becomes aware; provided that the Entity’s request shall be made no more often than is reasonable based upon the relevant facts and circumstances. Contractor’s report of unsuccessful Security Incidents shall consist only of a summary of such unsuccessful Security Incidents targeting Electronic Protected Health Information. For the purposes hereof, an “unsuccessful” Security Incident is an unsuccessful attempt to breach the security of Contractor’s systems that Contractor determines was targeted at Entity’s Electronic Protected Health Information, and shall not include general “pinging” or “denial of service” attacks that are not determined by Contractor to have been directed at Entity’s Electronic Protected Health Information.
- For the purposes of this Agreement, Contractor shall be deemed to have discovered an event, or become aware of that event, in accordance with 45 CFR § 164.410.
- Contractor shall cooperate with Entity as to the provision of any legally required notices to any individuals affected by an unauthorized Use or Disclosure of PHI or a Breach of Unsecured Protected Health Information, and, if applicable, government agencies, as such notices are determined necessary by Entity.
- Contractor shall ensure that any agent, including a subcontractor, to whom it provides PHI received from, or created or received by Contractor on behalf of, Entity, agrees in writing to the same restrictions and conditions and security measures that apply through this Agreement to Contractor with respect to such information.
- Contractor agrees to make internal practices, books, and records, including policies and procedures and PHI, relating to the Use and Disclosure of PHI received from, or created or received by Contractor on behalf of Entity, available to the Secretary of the Department of Health and Human Services (the “Secretary”), in a time and manner as reasonably requested by or designated by the Secretary, for purposes of the Secretary determining Entity’s compliance with the Privacy Rule.
- Contractor shall document such Disclosures of PHI and information related to such Disclosures as would be required for Entity to respond to a request by an Individual for an accounting of Disclosures of PHI in accordance with 45 CFR § 164.528.
- Contractor shall provide to Entity, in a time and manner as reasonably requested by Entity, information collected in accordance with Paragraph (k) of Section 1 hereof, to permit Entity to respond to a request by an Individual for an accounting of Disclosures of PHI in accordance with 45 CFR § 164.528 and HITECH.
- If an individual requests an accounting of Disclosures directly from Contractor, Contractor shall forward the request to Entity within two (2) business days of receipt of the request.
- Contractor shall provide access to PHI at the request of Entity or an Individual, and in the time and manner as reasonably requested by Entity, to Entity or, as directed by Entity, to an Individual, in order to meet the requirements under 45 CFR § 164.524 and HITECH.
- Contractor shall make any amendment(s) to PHI that the Entity directs or agrees to pursuant to 45 CFR § 164.526 at the request of Entity or an Individual, and in the time and manner mutually agreed by the parties. Entity shall be responsible for making all determinations regarding amendments to PHI and Contractor shall make no such determinations.
- Permitted Uses and Disclosures by Contractor. Contractor may use or disclose PHI to perform functions, activities, or services for, or on behalf of, Entity as specified in Paragraph (a) of Section 2 hereof, provided that such Use or Disclosure would not violate the minimum necessary and/or Limited Data Set requirements of the Privacy Rule and HITECH and any minimum necessary policies and procedures of the Entity.
- Contractor may use or disclose PHI to perform functions, activities or services specified in the Software Subscription Agreement for, or on behalf of, the Entity in Contractor’s capacity as a Business Associate or subcontractor:
- Except as otherwise limited in this Agreement, Contractor may Use or Disclose PHI for Contractor’s proper management, administration and legal responsibilities, provided that any Disclosures must either be Required By Law or Contractor must obtain reasonable assurances from the person to whom the information is Disclosed that the information will remain confidential and used or further disclosed only as Required By Law or for the purpose for which it was disclosed to the person, and the person will notify the Contractor of any instances of which it is aware in which the confidentiality of the information has been breached.
- Except as otherwise limited in this Agreement, Contractor may use PHI to provide Data Aggregation services to Entity as permitted by 45 CFR § 164.504(e)(2)(i)(B).
- Contractor may use PHI to report violations of law to appropriate Federal and State authorities, consistent with 45 CFR § 164.502(j)(1).
- Obligations of Entity.
- Entity shall notify Contractor of any limitation(s) in its Notice of Privacy Practices of Entity in accordance with 45 CFR § 164.520, to the extent that such limitation may affect Contractor’s Use or Disclosure of PHI.
- Entity shall notify Contractor of any changes in, or revocation of, permission by an Individual to use or disclose PHI, to the extent that such changes may affect Contractor’s Use or Disclosure of PHI.
- Entity shall notify Contractor of any restriction to the Use or Disclosure of PHI that Entity has agreed to in accordance with 45 CFR § 164.522, to the extent that such restriction may affect Contractor’s Use or Disclosure of PHI.
- Permissible Requests by Entity. Entity shall not request Contractor to use or disclose PHI in any manner that would not be permissible under the Privacy Rule if done by Entity, unless otherwise noted in this Agreement.
- Term and Termination.
- Term. The Term of this Agreement shall begin upon acceptance of the Software Subscription Agreement and end upon the termination of the Software Subscription Agreement.
- Termination for Cause. Upon Entity’s learning of a material breach by Contractor, Entity shall either:
- Provide an opportunity for Contractor to cure the breach or end the violation and terminate this Agreement and the Software Subscription Agreement if Contractor does not cure the breach or end the violation within the time specified by Entity;
- Immediately terminate this Agreement and the Software Subscription Agreement if Contractor has breached a material term of this Agreement and cure is not possible; or
- If neither termination nor cure is feasible, Entity shall report the breach to the Secretary.
- Effect of Termination.
- Except as provided in Subparagraph (c)(2) hereof, upon termination of this Agreement, for any reason, Contractor shall return or destroy all PHI received from Entity, or created or received by Contractor on behalf of Entity. This provision shall also apply to PHI that is in the possession of subcontractors or agents of Contractor. Contractor shall retain no copies of the PHI.
- In the event that Contractor determines that returning or destroying the PHI is infeasible, Contractor shall provide to Entity written notification of the conditions that make return or destruction infeasible. Upon approval by Entity, Contractor shall extend the protections of this Agreement to such PHI and limit further Uses and Disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Contractor maintains such PHI.
- Cure of Non-material Breach. Entity shall provide an opportunity for Contractor to cure a non-material breach within the time period specified by Entity.
- Miscellaneous.
- Regulatory References. A reference in this Agreement to HIPAA or HITECH includes the implementing regulations as issued and amended by the Secretary.
- Amendment. Entity may upon notice to Contractor at any time modify or amend one or more provisions of this Agreement as Entity determines necessary to cause Entity and/or Contractor to be in compliance with HIPAA and/or HITECH. Any other amendment to this Agreement shall require the mutual written agreement of the Parties.
- Survival. The respective rights and obligations of Contractor and Entity under Paragraph (c) of Section 5 hereof shall survive the termination of the Agreement.
- Counterparts. This Agreement may be executed in counterparts, each of which shall be deemed an original, and all of which shall constitute one binding agreement.
- Severability. The provisions of this Agreement shall be severable, and if any provision of this Agreement shall be held or declared to be illegal, invalid or unenforceable, the remainder of this Agreement shall continue in full force and effect as though such illegal, invalid or unenforceable provision had not been contained.
- Notices. Any notices required under this Agreement shall be sent in writing and in a timely manner, by first class mail, fax or hand delivery, to:
- Entity at the address provided to Contractor for purposes of invoices under the Software Subscription Agreement.
- Contractor at the address on the “Contact Us” page of the RIS web site.
- Compliance with State Law. Notwithstanding anything to the contrary in this Agreement, if any provision of Virginia law applicable to Contractor, because of Contractor’s relationship with Entity, is contrary to and more stringent than an applicable requirement of the Privacy Rule, this Agreement shall be construed to permit Contractor to comply with such more stringent provision to the extent that Contractor is required to comply with such provision and to the extent that such provision is not preempted by the Privacy Rule or other applicable preemptive Federal law or regulation.