WHEREAS Evexia and Client mutually agree to comply with the Standards for Privacy of Individually Identifiable Health Information (45 C.F.R. §§ 160.101-160.312; 164.102-164.534) (“Privacy Regulations”) as promulgated by the U.S. Department of Health and Human Services (“HHS”) pursuant to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) with respect to its dealings with Evexia; and,
WHEREAS, the Client has engaged Evexia to perform various clinical laboratory diagnostic and testing services (“Services”); and,
WHEREAS, in the performance of the Services, Evexia must use and/or disclose Protected Health Information (“PHI”), as that term is defined in Section 164.501 of the Privacy Regulations, received from or transmitted to the Client; and,
WHEREAS, the Parties are committed to complying with the Privacy Regulations with respect to dealings between Client and Evexia,
NOW THEREFORE, the parties agree as follows:
A. Obligations and Activities of Evexia
Evexia agrees to:
- Not use or disclose PHI other than as permitted or required by the Agreement or as Required by Law;
- Use appropriate safeguards to prevent use or disclosure of the PHI other than as provided for by this Agreement;
- Report to Client any use or disclosure of the PHI not provided for by this Agreement of which it becomes aware;
- Ensure that any agent, including a subcontractor, to whom it provides PHI received from, or created or received by Evexia on behalf of Client agrees to the same restrictions and conditions that apply through this Agreement to Evexia with respect to such information;
- Provide access, at the request of Client, in a timely manner, to PHI in a Designated Record Set, to Client or, as directed by Client, to an Individual in order to meet the requirements under 45 CFR § 164.524;
- Make internal practices, including policies and procedures, relating to the use and disclosure of PHI received from, or created or received by Evexia on behalf of Client available to the Client within five (5) business days by fax or mail for purposes of the U.S. Department of Health & Human Services Secretary determining Client’s compliance with the Privacy Regulations;
- To document such disclosures of PHI and information related to such disclosures as would be required for Client to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 CFR § 164.528.
B. Permitted Uses and Disclosures by Evexia General Use and Disclosure Provisions
Furthermore, the parties agree that Evexia:
- May use or disclose PHI as required by law;
- May not use or disclose PHI in a manner that would violate Subpart E of 45 CFR Part 164 if done by Client, except with regards to the data aggregation, management, administration and legal responsibilities of Evexia;
- May use PHI for Evexia’s proper management and administration or to carry out the legal responsibilities of Evexia;
- May use PHI with any laboratories and internal licensed physicians contracted by Evexia;
- Evexia may use PHI to report violations of law to appropriate Federal and State authorities, consistent with § 164.502(j)(1).
C. Provisions for Client to Inform Evexia of Privacy Practices and Restrictions
Client agrees that:
- Client shall notify Evexia of any limitation(s) in its notice of privacy practices of Client in accordance with 45 CFR § 164.520, to the extent that such limitation may affect Evexia’s use or disclosure of PHI;
- Client shall notify Evexia of any changes in, or revocation of, permission by Individual to use or disclose PHI, to the extent that such changes may affect Evexia’s use or disclosure of PHI;
- Client shall notify Evexia of any restriction to the use or disclosure of PHI that Client has agreed to in accordance with 45 CFR § 164.522, to the extent that such restriction may affect Evexia’s use or disclosure of PHI.
D. Term and Termination
The Parties agree that:
- The Term of this Agreement shall be effective as of date signed below, and shall terminate when all of the PHI provided by Client to Evexia, or created or received by Evexia on behalf of Client, is destroyed or returned to Client, or, if it is infeasible to return or destroy PHI, protections are extended to such information, in accordance with the termination provisions in this Section.
- Termination for Cause. Upon Client’s knowledge of a material breach by Evexia, Client shall either:
a. Provide an opportunity for Evexia to cure the breach or end the violation within 30 days and
terminate this Agreement if Evexia does not cure the breach or end the violation within the
time specified by Agreement;
b. Immediately terminate this Agreement if Evexia has breached a material term of this
Agreement and cure is not possible.
E. Obligations of Evexia Upon Termination
Upon the termination of the Agreement, Evexia agree to:
- Retain only that PHI which is necessary for Evexia to continue its proper management and administration or to carry out its legal responsibilities; 2 of 3 August 1, 2018
- Destroy the remaining PHI that Evexia still maintains in any form;
- Continue to use appropriate safeguards and comply with Subpart C of 45 CFR Part 164 with respect to electronic PHI to prevent use or disclosure of the PHI, other than is provided for in this Section, for as long as Evexia retains the PHI;
- Not use or disclose the PHI retained by Evexia other than for the purposes for which such PHI was retained and subject to the same conditions set out at above which applied prior to termination.
- Destroy the PHI retained by Evexia when it is no longer needed by Evexia for its proper management and administration or to carry out its legal responsibilities.
- Regulatory References. A reference in this Agreement to a section in the Privacy Regulations means the section as in effect or as amended.
- Amendment. The Parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for to comply with the requirements of the Privacy Regulations and the Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191 with respect to its dealings with Evexia.
- Survival. The respective rights and obligations of Evexia under the “Effect of Termination” Section 8-C of this Agreement shall survive the termination of this Agreement.
- Interpretation. Any ambiguity in this Agreement shall be resolved to permit Client to comply with the Privacy Regulations with respect to its dealings with Evexia.