
Healthcare / HIPAA NDA

Non-disclosure and confidentiality agreement incorporating HIPAA-compliant safeguards for protected health information.

Healthcare / HIPAA Non-Disclosure Agreement

This Healthcare Non-Disclosure Agreement (this "Agreement") is entered into as of effective_date (the "Effective Date") by and between:

covered_entity (the "Covered Entity"); and

recipient_name (the "Recipient").

The Covered Entity and the Recipient are each referred to herein as a "Party" and collectively as the "Parties."


Recitals

WHEREAS, the Covered Entity is a "covered entity" as defined under the Health Insurance Portability and Accountability Act of 1996, as amended, and its implementing regulations (collectively, "HIPAA");

WHEREAS, in the course of the Parties' business relationship, the Covered Entity may disclose to the Recipient certain confidential information, including Protected Health Information (as defined below);

WHEREAS, the Parties desire to establish the terms and conditions under which such information will be disclosed, used, and protected in compliance with HIPAA and all applicable federal and state privacy and security laws; and

WHEREAS, this Agreement is intended to satisfy the requirements of the HIPAA Privacy Rule (45 C.F.R. Parts 160 and 164, Subparts A and E), the HIPAA Security Rule (45 C.F.R. Parts 160 and 164, Subparts A and C), and the HITECH Act (Title XIII of the American Recovery and Reinvestment Act of 2009).

NOW, THEREFORE, in consideration of the mutual covenants and agreements set forth herein, and for other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the Parties agree as follows:


1. Definitions

1.1 Protected Health Information (PHI)

"Protected Health Information" or "PHI" shall have the same meaning as the term "protected health information" as defined in 45 C.F.R. Section 160.103, limited to the information created, received, maintained, or transmitted by the Recipient on behalf of the Covered Entity.

1.2 Electronic Protected Health Information (ePHI)

"Electronic Protected Health Information" or "ePHI" shall have the same meaning as the term "electronic protected health information" as defined in 45 C.F.R. Section 160.103, limited to the information created, received, maintained, or transmitted by the Recipient on behalf of the Covered Entity.

1.3 Breach

"Breach" shall have the same meaning as the term "breach" as defined in 45 C.F.R. Section 164.402, and shall include the acquisition, access, use, or disclosure of PHI in a manner not permitted under this Agreement or the HIPAA Privacy Rule that compromises the security or privacy of the PHI.

1.4 Security Incident

"Security Incident" shall have the same meaning as the term "security incident" as defined in 45 C.F.R. Section 164.304, and shall include the attempted or successful unauthorized access, use, disclosure, modification, or destruction of ePHI or interference with system operations in an information system.

1.5 Unsecured PHI

"Unsecured PHI" means PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary of Health and Human Services in guidance issued under Section 13402(h)(2) of the HITECH Act.

1.6 Confidential Information

"Confidential Information" means, in addition to PHI and ePHI, any and all non-public, proprietary, or confidential information of the Covered Entity, whether disclosed orally, in writing, electronically, or by inspection, including without limitation:

(a) Business operations, strategies, financial information, and organizational data;

(b) Patient lists, referral sources, and provider network information;

(c) Clinical protocols, treatment methodologies, and quality assurance data;

(d) Information technology systems, security configurations, and network architectures;

(e) Employee and personnel information; and

(f) Any information designated as confidential or that a reasonable person would understand to be confidential.

1.7 Additional HIPAA Terms

All capitalized terms used in this Agreement that are not otherwise defined herein shall have the meanings ascribed to them under HIPAA, including the Privacy Rule, the Security Rule, and the HITECH Act.

2. Obligations of the Recipient Regarding PHI

2.1 Permitted Uses and Disclosures

The Recipient shall not use or disclose PHI other than as permitted or required by this Agreement or as required by law. The Recipient may use or disclose PHI:

(a) As necessary to perform functions, activities, or services for, or on behalf of, the Covered Entity as specified in any underlying service agreement between the Parties;

(b) For the proper management and administration of the Recipient, provided that such use or disclosure is required by law or the Recipient obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and will be used or further disclosed only as required by law or for the purposes for which it was disclosed;

(c) To provide data aggregation services to the Covered Entity as permitted by 45 C.F.R. Section 164.504(e)(2)(i)(B); and

(d) To de-identify PHI in accordance with 45 C.F.R. Section 164.514(a)-(c).

2.2 Minimum Necessary Standard

The Recipient shall, to the extent practicable, limit its use, disclosure, and request of PHI to the minimum amount of PHI necessary to accomplish the intended purpose, in accordance with the minimum necessary standard set forth in 45 C.F.R. Section 164.502(b) and Section 164.514(d).

2.3 Prohibited Uses and Disclosures

The Recipient shall not:

(a) Use or disclose PHI for marketing purposes without the prior written authorization of the individual who is the subject of the PHI and the Covered Entity;

(b) Sell PHI without the prior written authorization of the individual and the Covered Entity;

(c) Use or disclose genetic information for underwriting purposes as prohibited by the Genetic Information Nondiscrimination Act (GINA); or

(d) Use or disclose PHI in any manner that would violate the HIPAA Privacy Rule if done by the Covered Entity, except as otherwise permitted under this Agreement.

3. Safeguard Obligations

3.1 Administrative Safeguards

The Recipient shall implement appropriate administrative safeguards as required by 45 C.F.R. Section 164.308, including without limitation:

(a) Designating a security officer responsible for the development and implementation of security policies and procedures;

(b) Implementing workforce training programs to ensure that all employees and agents who have access to PHI are trained on HIPAA requirements and the Recipient's privacy and security policies;

(c) Establishing and maintaining sanctions policies for employees and agents who violate this Agreement or applicable privacy and security policies;

(d) Implementing procedures for the regular review of information system activity records, including audit logs and access reports; and

(e) Performing periodic risk assessments to identify threats and vulnerabilities to the confidentiality, integrity, and availability of ePHI.

3.2 Physical Safeguards

The Recipient shall implement appropriate physical safeguards as required by 45 C.F.R. Section 164.310, including without limitation:

(a) Facility access controls to limit physical access to electronic information systems and the facilities in which they are housed;

(b) Workstation security measures to restrict access to authorized personnel only; and

(c) Device and media controls for the receipt, removal, transfer, and disposal of hardware and electronic media that contain ePHI.

3.3 Technical Safeguards

The Recipient shall implement appropriate technical safeguards as required by 45 C.F.R. Section 164.312, including without limitation:

(a) Access controls, including unique user identification, emergency access procedures, automatic logoff, and encryption and decryption mechanisms;

(b) Audit controls to record and examine activity in information systems that contain or use ePHI;

(c) Integrity controls to protect ePHI from improper alteration or destruction; and

(d) Transmission security measures, including encryption, to guard against unauthorized access to ePHI that is being transmitted over an electronic communications network.

4. Breach Notification

4.1 Notification to Covered Entity

The Recipient shall notify the Covered Entity without unreasonable delay, and in no event later than thirty (30) calendar days, after the discovery of a Breach of Unsecured PHI. The Recipient shall be deemed to have discovered a Breach as of the first day on which the Breach is known, or by exercising reasonable diligence would have been known, to the Recipient or to any employee, officer, or agent of the Recipient other than the person committing the Breach.

4.2 Content of Notification

The notification required under Section 4.1 shall include, to the extent reasonably available:

(a) The identification of each individual whose Unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed during the Breach;

(b) A brief description of what happened, including the date of the Breach and the date of discovery;

(c) A description of the types of Unsecured PHI involved in the Breach (such as full name, Social Security number, date of birth, home address, account number, diagnosis, disability code, or similar information);

(d) Any steps the Recipient has taken or will take to investigate the Breach, mitigate losses, and protect against further Breaches; and

(e) Contact information for the Recipient's representative who can provide additional information regarding the Breach.

4.3 Security Incident Reporting

The Recipient shall report to the Covered Entity any Security Incident of which the Recipient becomes aware, including incidents that do not result in a Breach. The Recipient shall provide such reports within a reasonable time period after discovery. The Parties acknowledge that unsuccessful security incidents (such as unsuccessful log-in attempts, pings, port scans, or similar activities that do not result in unauthorized access to, use, disclosure, modification, or destruction of ePHI or in interference with system operations) occur regularly and agree that no additional reporting of such unsuccessful incidents is required beyond an annual summary, unless otherwise agreed in writing.

4.4 Mitigation

The Recipient shall take prompt corrective action to cure any Breach or Security Incident, mitigate any harmful effects, and cooperate with the Covered Entity in investigating and responding to any Breach or Security Incident.
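Sections 4.1 through 4.4 are easier to audit when the triage decisions are written down rather than made case by case. The following is an added example, not part of this template and not any party's system, that sorts constructed security-event records into the three outcomes the Agreement distinguishes: unsuccessful attempts that go only into the Section 4.3 annual summary, successful Security Incidents reported under Section 4.3, and Breaches of Unsecured PHI that start the Section 4.1 thirty-day clock. The discovery date follows the Section 4.1 rule (first day known to any workforce member other than the person who committed the act). The SecurityEvent fields, the helper names and the sample events are assumptions for illustration; the code treats every successful unauthorized acquisition of unencrypted PHI as a presumptive Breach and does not model any risk assessment or exception, which remains a human judgment.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

# Section 4.1: notify without unreasonable delay, and in no event later than
# thirty (30) calendar days after discovery.
NOTIFICATION_WINDOW_DAYS = 30


@dataclass(frozen=True)
class SecurityEvent:
    """One constructed event record. The field set is an assumption for illustration."""
    event_id: str
    description: str
    successful: bool      # unauthorized access/use/disclosure/modification/destruction of
                          # ePHI, or interference with system operations, actually occurred (1.4)
    phi_involved: bool    # PHI was acquired, accessed, used or disclosed
    phi_encrypted: bool   # rendered unusable per the HHS guidance in 1.5, so not "Unsecured PHI"
    known_by: Dict[str, date] = field(default_factory=dict)  # workforce member -> first date known
    actor: Optional[str] = None  # workforce member who committed the act, if an insider


def discovery_date(event: SecurityEvent) -> Optional[date]:
    """Section 4.1 discovery rule: the first day the event was known to any employee,
    officer or agent of the Recipient other than the person committing it."""
    dates = [d for person, d in event.known_by.items() if person != event.actor]
    return min(dates) if dates else None


def classify(event: SecurityEvent) -> str:
    """Map an event to the Agreement's reporting track."""
    if not event.successful:
        return "unsuccessful"            # 4.3: annual summary only
    if event.phi_involved and not event.phi_encrypted:
        return "breach_unsecured_phi"    # 4.1: thirty-day notification clock runs
    return "security_incident"           # 4.3: report within a reasonable time


def notification_deadline(event: SecurityEvent) -> Optional[date]:
    """Last permissible notification date under 4.1, or None if 4.1 does not apply."""
    if classify(event) != "breach_unsecured_phi":
        return None
    discovered = discovery_date(event)
    if discovered is None:
        raise ValueError(f"{event.event_id}: Breach with no recorded discovery date")
    return discovered + timedelta(days=NOTIFICATION_WINDOW_DAYS)


def triage(events: List[SecurityEvent]) -> Dict[str, List[str]]:
    """Group event ids by reporting track so each track can be handled on its own schedule."""
    buckets: Dict[str, List[str]] = {
        "breach_unsecured_phi": [], "security_incident": [], "unsuccessful": []}
    for e in events:
        buckets[classify(e)].append(e.event_id)
    return buckets


# Constructed sample events (hypothetical; not drawn from any real incident).
SAMPLE_EVENTS = [
    SecurityEvent("EVT-1", "external port scan of the VPN gateway, no login",
                  successful=False, phi_involved=False, phi_encrypted=False,
                  known_by={"soc-analyst": date(2024, 3, 2)}),
    SecurityEvent("EVT-2", "employee copied unencrypted patient export to personal drive",
                  successful=True, phi_involved=True, phi_encrypted=False,
                  # the actor knew on 1 March; the security officer learned on 10 March
                  known_by={"jdoe": date(2024, 3, 1), "security-officer": date(2024, 3, 10)},
                  actor="jdoe"),
    SecurityEvent("EVT-3", "laptop with full-disk encryption stolen from a vehicle",
                  successful=True, phi_involved=True, phi_encrypted=True,
                  known_by={"helpdesk": date(2024, 3, 5)}),
    SecurityEvent("EVT-4", "credential-stuffing login succeeded on a build server holding no PHI",
                  successful=True, phi_involved=False, phi_encrypted=False,
                  known_by={"soc-analyst": date(2024, 3, 7)}),
]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(e.event_id, classify(e), discovery_date(e), notification_deadline(e))
    print(triage(SAMPLE_EVENTS))
```

Note that EVT-2 illustrates why the discovery rule excludes the person committing the Breach: counting jdoe's knowledge would start the clock on 1 March and make the Recipient appear late, whereas the Agreement starts it on 10 March. EVT-3 is still reported under Section 4.3 even though encryption keeps it outside Section 4.1, which is the practical payoff of meeting the Section 1.5 standard.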

5. Subcontractor Obligations

The Recipient shall ensure that any subcontractor or agent to whom the Recipient provides PHI agrees to the same restrictions, conditions, and requirements that apply to the Recipient under this Agreement, in accordance with 45 C.F.R. Section 164.502(e)(1)(ii) and Section 164.308(b)(2). The Recipient shall enter into a written agreement with each such subcontractor or agent that contains substantially similar terms to this Agreement. The Recipient shall be responsible for the acts and omissions of its subcontractors and agents with respect to PHI.

6. Individual Rights

6.1 Access to PHI

The Recipient shall, within ten (10) business days of receiving a request from the Covered Entity, make available to the Covered Entity (or, at the Covered Entity's direction, to an individual) PHI in the Recipient's possession that is necessary for the Covered Entity to respond to an individual's request for access to PHI in accordance with 45 C.F.R. Section 164.524.

6.2 Amendment of PHI

The Recipient shall, within ten (10) business days of receiving a request from the Covered Entity, make any amendment(s) to PHI in the Recipient's possession that the Covered Entity directs or agrees to in accordance with 45 C.F.R. Section 164.526. The Recipient shall incorporate any amendments to PHI into all copies of such PHI maintained by the Recipient.

6.3 Accounting of Disclosures

The Recipient shall maintain a record of all disclosures of PHI made by the Recipient as required for the Covered Entity to respond to a request for an accounting of disclosures in accordance with 45 C.F.R. Section 164.528. The Recipient shall make such record available to the Covered Entity within ten (10) business days of a request. Such record shall include, at a minimum: (a) the date of the disclosure; (b) the name of the entity or person who received the PHI and, if known, the address of such entity or person; (c) a brief description of the PHI disclosed; and (d) a brief statement of the purpose of the disclosure.

6.4 Restriction Requests

The Recipient shall comply with any restriction on the use or disclosure of PHI that the Covered Entity has agreed to in accordance with 45 C.F.R. Section 164.522, provided that the Covered Entity has notified the Recipient of such restriction in writing.

7. General Confidentiality Obligations

7.1 Non-PHI Confidential Information

In addition to the obligations regarding PHI set forth above, the Recipient agrees to hold all Confidential Information of the Covered Entity in strict confidence and not to disclose, use, or permit access to such Confidential Information except as necessary to perform its obligations under any underlying service agreement or as required by law.

7.2 Standard of Care

The Recipient shall protect all Confidential Information using the same degree of care that the Recipient uses to protect its own confidential information of a similar nature, but in no event less than a reasonable degree of care.

8. Term, Termination, and Return/Destruction of PHI

8.1 Term

This Agreement shall become effective on the Effective Date and shall remain in effect for the duration of the Parties' business relationship, unless earlier terminated in accordance with this Section.

8.2 Termination for Cause

Either Party may terminate this Agreement immediately upon written notice if the other Party materially breaches any provision of this Agreement and fails to cure such breach within thirty (30) days after receiving written notice of the breach. If the breach involves a violation of HIPAA, the non-breaching Party may terminate this Agreement immediately if cure is not reasonably possible.

8.3 Effect of Termination — Return or Destruction of PHI

Upon termination or expiration of this Agreement, the Recipient shall, at the direction of the Covered Entity:

(a) Return to the Covered Entity all PHI received from the Covered Entity, or created or received by the Recipient on behalf of the Covered Entity, including all copies, backups, and archival copies in any form; or

(b) Destroy all such PHI and certify in writing to the Covered Entity that all PHI has been destroyed in accordance with applicable standards for secure destruction, including the guidance of the Secretary of Health and Human Services referenced in Section 1.5.

If return or destruction of PHI is not feasible, the Recipient shall notify the Covered Entity in writing of the specific reasons why return or destruction is not feasible. In such case, the Recipient shall extend the protections of this Agreement to such PHI and limit further uses and disclosures to those purposes that make the return or destruction infeasible, for so long as the Recipient maintains such PHI.

8.4 Survival

The obligations of the Recipient regarding the confidentiality and protection of PHI and Confidential Information shall survive the termination or expiration of this Agreement for so long as the Recipient retains any PHI or Confidential Information.

9. No Warranty

ALL CONFIDENTIAL INFORMATION AND PHI ARE PROVIDED "AS IS." THE COVERED ENTITY MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR OTHERWISE, REGARDING THE ACCURACY, COMPLETENESS, OR PERFORMANCE OF ANY CONFIDENTIAL INFORMATION OR PHI.

10. Remedies

The Recipient acknowledges that any unauthorized use or disclosure of PHI or Confidential Information may cause irreparable harm to the Covered Entity and to the individuals whose PHI is involved. The Covered Entity shall be entitled to seek equitable relief, including injunction and specific performance, in addition to all other remedies available at law or in equity, without the necessity of proving actual damages or posting any bond or other security.

The Recipient shall indemnify, defend, and hold harmless the Covered Entity from and against any and all claims, losses, damages, liabilities, costs, and expenses (including reasonable attorneys' fees) arising from or related to: (a) any Breach of Unsecured PHI caused by the Recipient or its subcontractors or agents; (b) any violation of this Agreement by the Recipient; or (c) any violation of HIPAA by the Recipient.

11. Regulatory Compliance

The Recipient shall comply with all applicable provisions of HIPAA, including the Privacy Rule, the Security Rule, and the HITECH Act, as they may be amended from time to time. The Recipient shall make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of Health and Human Services for purposes of determining the Covered Entity's and the Recipient's compliance with HIPAA.

The Recipient shall comply with all applicable state privacy and security laws that are more stringent than HIPAA, to the extent applicable to the PHI received under this Agreement.

12. Governing Law and Jurisdiction

This Agreement shall be governed by and construed in accordance with the laws of the State in which the Covered Entity's principal place of business is located, without regard to its conflict of law principles, except to the extent preempted by federal law. Each Party hereby irrevocably submits to the exclusive jurisdiction of the state and federal courts located in such State.

13. General Provisions

13.1 Entire Agreement

This Agreement constitutes the entire agreement between the Parties with respect to the protection of PHI and Confidential Information and supersedes all prior or contemporaneous agreements and understandings.

13.2 Amendments

This Agreement may not be amended except by a written instrument signed by both Parties. The Parties agree to amend this Agreement as necessary to comply with changes in HIPAA or other applicable law.

13.3 Severability

If any provision of this Agreement is held to be invalid or unenforceable, the remaining provisions shall continue in full force and effect.

13.4 Waiver

No failure or delay by either Party in exercising any right hereunder shall operate as a waiver thereof.

13.5 Counterparts

This Agreement may be executed in counterparts. Electronic signatures shall be deemed original signatures for all purposes.

13.6 Notices

All notices under this Agreement shall be in writing and shall be deemed duly given when delivered personally, sent by confirmed email, or sent by nationally recognized overnight courier. Any notice that itself contains PHI, including a notification under Section 4.2, shall be transmitted only by means that satisfy the transmission security requirements of Section 3.3(d).

13.7 Interpretation

Any ambiguity in this Agreement shall be resolved to permit the Covered Entity to comply with HIPAA. In the event of a conflict between the terms of this Agreement and HIPAA, HIPAA shall control.


IN WITNESS WHEREOF, the Parties have executed this Healthcare / HIPAA Non-Disclosure Agreement as of the Effective Date.

Covered Entity

covered_entity

[Electronic signature will be collected via zsign]

[Date will be recorded automatically]

Recipient

recipient_name

[Electronic signature will be collected via zsign]

[Date will be recorded automatically]
