If any Healthcare Provider registering on CmyDr.com has a pre-existing Business Associate Agreement with Revation Systems, Inc. or its subsidiary North Light Software, Inc., this Agreement shall be superseded by that pre-existing Business Associate Agreement, and such agreement shall be in full force and effect during Covered Entity’s use of CmyDr.com. If, however, any Healthcare Provider registering on CmyDr.com has no prior relationship with Revation Systems, Inc. or its subsidiary North Light Software, Inc., then Healthcare Provider’s click-to-accept of this Agreement during its registration on CmyDr.com, shall automatically apply this Agreement to Healthcare Provider’s use of CmyDr.com.
This Agreement is made effective as of the date of registration by Healthcare Provider to CmyDr.com, between registered Healthcare Provider hereinafter referred to as “Covered Entity”, and Revation Systems, Inc., owner and operator of CmyDr.com, hereinafter referred to as “Business Associate” (individually, a “Party” and collectively, the “Parties”).
WHEREAS, Sections 261 through 264 of the federal Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, known as “the Administrative Simplification provisions,” direct the Department of Health and Human Services to develop standards to protect the security, confidentiality and integrity of health information; and
WHEREAS, pursuant to the Administrative Simplification provisions, the Secretary of Health and Human Services issued regulations modifying 45 CFR Parts 160 and 164 (the “HIPAA Security and Privacy Rule”); and
WHEREAS, the American Recovery and Reinvestment Act of 2009 (Pub. L. 111- 5), pursuant to Title XIII of Division A and Title IV of Division B, called the “Health Information Technology for Economic and Clinical Health” (“HITECH”) Act, provides modifications to the HIPAA Security and Privacy Rule (hereinafter, all references to the “HIPAA Security and Privacy Rule” are deemed to include all amendments to such rule contained in the HITECH Act and any accompanying regulations, and any other subsequently adopted amendments or regulations); and
WHEREAS, the Parties wish to enter into or have entered into an arrangement whereby Business Associate will provide certain services to Covered Entity, and, pursuant to such arrangement, Business Associate may be considered a “business associate” of Covered Entity as defined in the HIPAA Security and Privacy Rule; and
WHEREAS, Business Associate may have access to Protected Health Information (as defined below) in fulfilling its responsibilities to Covered Entity; and
THEREFORE, in consideration of the Parties’ continuing obligations under the existing agreements, compliance with the HIPAA Security and Privacy Rule, and for other good and valuable consideration, the receipt and sufficiency of which is hereby acknowledged, and intending to be legally bound, the Parties agree to the provisions of this Agreement in order to address the requirements of the HIPAA Security and Privacy Rule and to protect the interests of both Parties.
Although no signatures are present on this Agreement, Covered Entity intends to be bound by this agreement by clicking to accept this Agreement during the registration process for Healthcare Providers on CmyDr.com. Furthermore, by offering this document and requiring acceptance of it before a Healthcare Provider may register on CmyDr.com, Revation Systems, Inc. fully and unequivocally intends to be bound by this Agreement should Covered Entity click-to-accept.
Except as otherwise defined herein, any and all capitalized terms in this Section shall have the definitions set forth in the HIPAA Security and Privacy Rule. In the event of an inconsistency between the provisions of this Agreement and mandatory provisions of the HIPAA Security and Privacy Rule, as amended, the HIPAA Security and Privacy Rule shall control. Where provisions of this Agreement are different than those mandated in the HIPAA Security and Privacy Rule, but are nonetheless permitted by the HIPAA Security and Privacy Rule, the provisions of this Agreement shall control. The term “Protected Health Information” means individually identifiable health information including, without limitation, all information, data, documentation, and materials, including without limitation, demographic, medical and financial information, that relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and that identifies the individual or with respect to which there is a reasonable basis to believe the information can be used to identify the individual. “Protected Health Information” includes without limitation “Electronic Protected Health Information” as defined below. The term “Electronic Protected Health Information” means Protected Health Information which is transmitted by Electronic Media (as defined in the HIPAA Security and Privacy Rule) or maintained in Electronic Media (ePHI). Business Associate acknowledges and agrees that all Protected Health Information that is created or received by Covered Entity and disclosed or made available in any form, including paper record, oral communication, audio recording, and electronic display by Covered Entity or its operating units to Business Associate or is created or received by Business Associate on Covered Entity’s behalf shall be subject to this Agreement.
Business Associate agrees to comply with any requests for restrictions on certain disclosures of Protected Health Information pursuant to Section 164.522 of the HIPAA Security and Privacy Rule to which Covered Entity has agreed and of which Business Associate is notified by Covered Entity. Business Associate agrees to make available Protected Health Information to the extent and in the manner required by Section 164.524 of the HIPAA Security and Privacy Rule. If Business Associate maintains Protected Health Information electronically, it agrees to make such Protected Health Information electronically available to the applicable individual. Business Associate agrees to make Protected Health Information available for amendment and incorporate any amendments to Protected Health Information in accordance with the requirements of Section 164.526 of the HIPAA Security and Privacy Rule. In addition, Business Associate agrees to make Protected Health Information available for purposes of accounting of disclosures, as required by Section 164.528 of the HIPAA Security and Privacy Rule and Section 13405(c)(3) of the HITECH Act. Business Associate and Covered Entity shall cooperate in providing any accounting required on a timely basis.
CmyDr.com was designed and built as a free, HIPAA compliant and HITRUST CSF certified telehealth service for providers and healthcare professionals to connect with patients no matter either party’s location. However, no ePHI will ever be collected, stored, transmitted, sold, or otherwise used in any way by CmyDr.com, Revation Systems, Inc. or its subsidiary North Light Software, Inc. in connection with CmyDr.com.
Notwithstanding anything in this Agreement to the contrary, Covered Entity shall have the right to terminate this Agreement and the Arrangement Agreement immediately if Covered Entity determines that Business Associate has violated any material term of this Agreement. If Covered Entity reasonably believes that Business Associate will violate a material term of this Agreement and, where practicable, Covered Entity gives written notice to Business Associate of such belief within a reasonable time after forming such belief, and Business Associate fails to provide adequate written assurances to Covered Entity that it will not breach the cited term of this Agreement within a reasonable period of time given the specific circumstances, but in any event, before the threatened breach is to occur, then Covered Entity shall have the right to terminate this Agreement and the Arrangement Agreement immediately.
Business Associate shall indemnify, defend and hold harmless Covered Entity and its directors, officers, subcontractors, employees, affiliates, agents, and representatives from and against any and all third party liabilities, costs, claims, suits, actions, proceedings, demands, losses and liabilities of any kind (including court costs and reasonable attorneys’ fees) brought by a third party, arising from or relating to the acts or omissions of Business Associate or any of its directors, officers, subcontractors, employees, affiliates, agents, and representatives in connection with the Business Associate’s performance under this Agreement or Service Agreement, without regard to any limitation or exclusion of damages provision otherwise set forth in the Agreement. The indemnification provisions of this Section shall survive the termination of this Agreement. Business Associate shall obtain no later than one (1) month from Effective Date of this Agreement and maintain during the term of this Agreement liability insurance covering claims based on a violation of the Privacy Rule or any applicable law or regulation concerning the privacy of a patient information and claims based on its obligations pursuant to this Section in an amount not less than $ 1,000,000 per claim. Such insurance shall be in the form of occurrence-based coverage. A copy of such policy or certificate evidencing the policy shall be provided to Covered Entity upon written notice.
Except as expressly stated herein or the HIPAA Security and Privacy Rule, the Parties to this Agreement do not intend to create any rights in any third parties. The obligations of Business Associate under this Section shall survive the expiration, termination, or cancellation of this Agreement, or the business relationship of the Parties, and shall continue to bind Business Associate, its agents, employees, contractors, successors, and assigns as set forth herein. This Agreement may be amended or modified only in a writing signed by the Parties. No Party may assign its respective rights and obligations under this Agreement without the prior written consent of the other Party. None of the provisions of this Agreement are intended to create, nor will they be deemed to create any relationship between the Parties other than that of independent parties contracting with each other solely for the purposes of effecting the provisions of this Agreement and any other agreements between the Parties evidencing their business relationship. This Agreement will be governed by the laws of the State of Minnesota No change, waiver or discharge of any liability or obligation hereunder on any one or more occasions shall be deemed a waiver of performance of any continuing or other obligation, or shall prohibit enforcement of any obligation, on any other occasion. The Parties agree that, in the event that any documentation of the arrangement pursuant to which Business Associate provides services to Covered Entity contains provisions relating to the use or disclosure of Protected Health Information which are more restrictive than the provisions of this Agreement, the provisions of the more restrictive documentation will control. The provisions of this Agreement are intended to establish the minimum requirements regarding Business Associate’s use and disclosure of Protected Health Information. In the event that any provision of this Agreement is held by a court of competent jurisdiction to be invalid or unenforceable, the remainder of the provisions of this Agreement will remain in full force and effect. In addition, in the event a Party believes in good faith that any provision of this Agreement fails to comply with the then-current requirements of the HIPAA Security and Privacy Rule, including any then-current requirements of the HITECH Act or its regulations, such Party shall notify the other Party in writing. For a period of up to thirty days, the Parties shall address in good faith such concern and amend the terms of this Agreement, if necessary, to bring it into compliance. If, after such thirty-day period, the Agreement fails to comply with the HIPAA Security and Privacy Rule, including the HITECH Act, then either Party has the right to terminate upon written notice to the other Party.
(Effective as of 4/1/2020)
(Providers & Healthcare Professionals)
(Effective as of 4/1/2020)
(Effective as of 4/1/2020)