|
EXHIBIT C
<br /> BUSINESS ASSOCIATE AGREEMENT
<br /> This Business Associate Agreement ("Agreement") is entered into by and between ESO Solutions, Inc. ("Vendor"), a Texas corporation, and
<br /> Customer's Fire Department ("Covered Entity"), as of the Effective Date of the Subscription Agreement, for the purpose of setting forth
<br /> Business Associate Agreement terms between Covered Entity and Vendor. Covered Entity and Vendor each are referred to as a "Party" and
<br /> collectively as the "Parties." This Agreement shall commence on the Effective Date set forth above.
<br /> WHEREAS, Covered Entity, owns, operates, manages, performs services for, otherwise are affiliated with or are themselves a
<br /> Covered Entity as defined in the federal regulations at 45 C.F.R. Parts 160 and 164 (the "Privacy Standards") promulgated pursuant to the
<br /> Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and the Health Information Technology for Economic and Clinical
<br /> Health Act of 2009 ("HITECH");
<br /> WHEREAS, pursuant to HIPAA and HITECH, the U.S. Department of Health & Human Services ("HHS") promulgated the
<br /> Privacy Standards and the security standards at 45 C.F.R. Parts 160 and 164 (the "Security Standards") requiring certain individuals and
<br /> entities subject to the Privacy Standards and/or the Security Standards to protect the privacy and security of certain individually identifiable
<br /> health information ("Protected Health Information" or "PHI"), including electronic protected health information ("EPHI");
<br /> WHEREAS, the Parties wish to comply with Privacy Standards and Security Standards as amended by the HHS regulations
<br /> promulgated on January 25, 2013, entitled the "Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules
<br /> Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act," as
<br /> such may be revised or amended by HHS from time to time;
<br /> WHEREAS, in connection with Vendor's performance under its agreement(s) or other documented arrangements between Vendor
<br /> and Covered Entity, whether in effect as of the Effective Date or which become effective at any time during the term of this Agreement
<br /> (collectively "Business Arrangements"), Vendor may provide services for, or on behalf of, Covered Entity that require Vendor to use,
<br /> disclose, receive, access, create, maintain and/or transmit health information that is protected by state and/or federal law; and
<br /> WHEREAS, Vendor and Covered Entity desire that Vendor obtain access to PHI and EPHI in accordance with the terms specified
<br /> herein;
<br /> NOW, THEREFORE, in consideration of the mutual promises set forth in this Agreement and the Business Arrangements, and
<br /> other good and valuable consideration, the sufficiency and receipt of which are hereby severally acknowledged, the Parties agree as follows:
<br /> 1. Vendor Obligations.
<br /> In accordance with this Agreement and the Business Arrangements, Vendor may use, disclose, access, create, maintain, transmit,
<br /> and/or receive on behalf of Covered Entity health information that is protected under applicable state and/or federal law, including without
<br /> limitation, PHI and EPHI. All capitalized terms not otherwise defined in this Agreement shall have the meanings set forth in the regulations
<br /> promulgated by HHS in accordance with HIPAA and HITECH, including the Privacy Standards and Security Standards (collectively referred
<br /> to hereinafter as the "Confidentiality Requirements"). All reference to PHI herein shall be construed to include EPHI. PHI shall mean only
<br /> that PHI Vendor uses, discloses, accesses, creates, maintains, transmits and/or receives for or on behalf of Covered Entity pursuant to the
<br /> Business Arrangements. The Parties hereby acknowledge that the definition of PHI includes "Genetic Information" as set forth at 45 C.F.R.
<br /> § 160.103. To the extent Vendor is to carry out an obligation of Covered Entity under the Confidentiality Requirements, Vendor shall comply
<br /> with the provision(s) of the Confidentiality Requirements that would apply to Covered Entity (as applicable) in the performance of such
<br /> obligation(s).
<br /> 2. Use of PHI.
<br /> Except as otherwise required by law, Vendor shall use PHI in compliance with this Agreement and 45 C.F.R. § 164.504(e). Vendor
<br /> agrees not to use PHI in a manner that would violate the Confidentiality Requirements if the PHI were used by Covered Entity in the same
<br /> manner. Furthermore, Vendor shall use PHI for the purpose of performing services for, or on behalf of, Covered Entity as such services are
<br /> defined in the Business Arrangements. In addition, Vendor may use PHI (i) as necessary for the proper management and administration of
<br /> Vendor or to carry out its legal responsibilities; provided that such uses are permitted under federal and applicable state law, and (ii) to
<br /> provide data aggregation services relating to the health care operations of the Covered Entity as defined by 45 C.F.R. § 164.501. Covered
<br /> Entity also authorizes Vendor to collect and store its data for aggregate reporting, but in no event shall Vendor disclose PHI unless permitted
<br /> by law. Moreover, Vendor will not identify Covered Entity without consent. Covered Entity authorizes Vendor to de-identify PHI it
<br /> receives from Covered Entity. All de-identification of PHI must be performed in accordance with the Confidentiality Requirements,
<br /> specifically 45 C.F.R. § 164.514(b).
<br /> 3. Disclosure of PHI.
<br /> ESO Solutions, Inc.
<br /> Subscription Agreement 092214
<br /> Page 9 of 13
<br />
|