The Health Insurance Portability and Accountability Act of 1996, Public Law 104-191 (“HIPAA”), the HIPAA Privacy rule (“Privacy Rule”), 45 C.F.R. Parts 160 and 164, and the HIPAA Security Rule (“Security Rule”), 45 C.F.R. Parts 160, 162 and 164, require a Covered Entity to enter into a written agreement with a Business Associate in order to protect the privacy and security of individually identifiable health information maintained by a Covered Entity (“Protected Health Information,” or “PHI”). To fulfill the obligations to the Covered Entity pursuant to either an existing or contemporaneously executed HIPAA Agreement for services to be provided to Covered Entity, the Parties enter into this HIPAA Agreement to protect PHI and, intending to be bound, hereby agree to the following:
Terms used, but not otherwise defined, in this HIPAA Agreement shall have the meanings set forth below.
1.1 “Breach” shall mean:
(A) IN GENERAL – The term “breach” means the acquisition, access, use, or disclosure of PHI in a manner not permitted under subpart E of this part which compromises the security or privacy of the protected health information.
(B) EXCEPTIONS – The term “breach” does not include:
(i) Any unintentional acquisition, access, or use of PHI by a workforce member or person acting under the authority of a Covered Entity or a Business Associate, if such acquisition, access, or use was made in good faith and within the scope of authority and does not result in further use or disclosure in a manner not permitted under subpart E of Part II, 45 C.F.R. Parts 160 and 164.
(ii) Any inadvertent disclosure by a person who is authorized to access PHI at Covered Entity or Business Associate to another person authorized to access PHI at the same Covered Entity or Business Associate, or organized health care arrangement in which the Covered Entity participates, and the information received as a result of such disclosure is not further used or disclosed in a manner not permitted under subpart E of Part II, 45 C.F.R. Parts 160 and 164.
(iii) A disclosure of protected health information where a covered entity or business associate has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.
Except as provided in paragraph (B) of this definition, an acquisition, access, use, or disclosure of protected health information in a manner not otherwise permitted is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment of at least the following factors:
(i) The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
(ii) The unauthorized person who used the protected health information or to whom the disclosure was made;
(iii) Whether the protected health information was actually acquired or viewed; and
(iv) The extent to which the risk to the protected health information has been mitigated.
1.2 “Designated Record Set” shall mean a group of records maintained by or for the Covered Entity that is (i) the medical records and billing records about Individuals maintained by or for the Covered Entity, (ii) the enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for the Covered Entity; or (iii) used, in whole or in part, by or for the Covered Entity to make decisions about Individuals. As used herein the term “Record” means any item, collection, or grouping of information that includes PHI and is maintained, collected, used, or disseminated by or for the Covered Entity.
1.3 “Electronic Protected Health Information” shall mean Protected Health Information transmitted by Electronic Media or maintained in Electronic Media.
1.4 “Electronic Media” shall mean (i) electronic storage media on which data is or may be recorded electronically, including computer hard drives and any digital memory medium that is removable or transportable, such as magnetic tape or disk, optical disk, or digital memory card; and (ii) transmission data used to exchange information already in electronic storage media, including, for example, the Internet, extranet, leased lines, dial-up lines, private networks, and the physical movement of removable/transportable electronic storage media. Certain transmissions, including of paper, via facsimile, and of voice, via telephone, are not considered to be transmissions via electronic media if the information being exchanged did not exist in electronic form immediately before the transmission.
1.5 “Health Care Operations” shall mean activities including: (i) quality assessment and improvement activities (outcomes, evaluation and development of clinical guidelines), population-based activities relating to improving health or reducing health care costs, and related activities that do not include treatment; (ii) peer and entity review, education, credentialing activities; (iii) except as prohibited by 42 C.F.R. § 164.502(a)(5)(i) underwriting, enrollment premium rating, and other activities relating to the creation, renewal or replacement of a contract of health insurance or health benefits; (iv) conducting or arranging for medical review, legal services, and auditing services, including fraud and abuse detection and compliance programs; (v) business planning and development; (vi) business management and general administrative activities of the entity; and (vii) licensure/accreditation.
1.6 “Individual” shall have the same meaning given such term in 45 C.F.R. § 160.103 and shall include a person who qualifies as a personal representative in accordance with 45 C.F.R. § 164.502(g).
1.7 “Individually Identifiable Health Information” shall mean information that is a subset of health information, including demographic information collected from an Individual, and (i) is created or received by Covered Entity or Business Associate on behalf of the Covered Entity; and (ii) relates to the past, present, or future physical or mental health or condition of an Individual; the provision of health care to an Individual; or the past, present or future payment for the provision of health care to an Individual; and identifies the Individual, or with respect to which there is a reasonable basis to believe the information can be used to identify the Individual.
1.8 “Payment” shall mean (i) except as prohibited by 45 C.F.R. § 164.502(a)(5)(i) the activities undertaken by Covered Entity to obtain premiums or to determine or fulfill its responsibility for coverage and the provision of benefits under the Covered Entity’s health plan(s); or (ii) a covered health care provider or health plan’s activity to obtain or provide reimbursement for the provision of health care. Such activities include eligibility/coverage determinations, risk adjusting, billing, claims management and collection activities, health care data processing, reviews of health care services with respect to medical necessity, coverage under the Covered Entity’s health plans, appropriateness of care, or justification of charges; utilization review activities (including prior authorization), disclosure to consumer reporting agencies relating to the collection of premiums or reimbursement.
1.9 “Privacy Rule” shall mean the Standards for Privacy of Individually Identifiable Health Information at 45 C.F.R. part 160 and part 164, subparts A and E.
1.10 “Privacy Standards” shall mean the Standard for Privacy of Individually Identifiable Health Information, 45 C.F.R. Parts 160 and 164.
1.11 “Protected Health Information” or “PHI” shall mean Individually Identifiable Health Information that is (i) transmitted by Electronic Media, (ii) maintained in any medium constituting Electronic Media; or (iii) transmitted or maintained in any other form or medium. “Protected Health Information” shall not include (i) education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. § 1232g, (ii) records described in 20 U.S.C. § 1232g(a)(4)(B)(iv), employment records held by a covered entity in its role as an employer; and regarding a person who has been deceased for more than 50 years.
1.12 “Required By Law” shall have the same meaning as the term “required by law” in 45 C.F.R. 164.103.
1.13 “Secretary” shall mean the Secretary of the Department of Health and Human Services or his designee.
1.14 “Security Incident” shall mean any attempted or successful unauthorized access, use, disclosure, modification or destruction of information or systems operations in an electronic information system.
1.15 “Security Rule” shall mean the Security Standards at 45 C.F.R. Parts 160, 162 and 164.
1.16 “Services Agreement” collectively refers to and means the Kipu Records Service Agreement and/or Order Form and the Kipu Health Terms of Service Agreement entered between Business Associate and Covered Entity.
1.17 “Subcontractor” means a person to whom a business associate delegates a function, activity, or service, other than in the capacity of a member of the workforce of such business associate.
1.18 “Treatment” shall mean the provision, coordination, or management of health care and related services by one or more health care providers, including the coordination or management of health care by a health care provider with a third party, including Covered Entity and/or Business Associate; consultation between health care providers relating to an Individual; or the referral of an Individual for health care from one health care provider to another.
The HIPAA Agreement.
2.1 Incorporation of agreements. The Services Agreement with the Business Associate hereby incorporates the terms of this Agreement. In the event of express conflict between the terms governing HIPAA and confidentiality of patient data and files in the Services Agreement and this HIPAA Agreement, the terms and conditions of the HIPAA Agreement shall govern.
2.1 Use and Disclosure of PHI to Provide Services. Except as otherwise permitted by this Agreement, the Services Agreement or HIPAA, the Privacy Rule, the Security Rule or the American Recovery and Reinvestment Act of 2009 (the “Recovery Act”), Business Associate will use and disclose Protected Health Information only as permitted or required by the terms of this HIPAA Agreement, to the extent required to fulfill Business Associate’s obligations under the Services Agreement or to perform any other related function, activity or service specifically requested by Covered Entity in writing, or as Required By Law. All other uses not authorized by this HIPAA Agreement are prohibited. Specifically, Business Associate is prohibited from using to harm or to the detriment of Covered Entity any information learned or gathered by Covered Entity as part of its performance of the HIPAA Agreement.
3. Responsibilities of Business Associate.
Business Associate agrees to:
3.1 Use or further disclose only the minimum necessary PHI in performing the activities required under the Services Agreement between the Parties.
3.2 Not use or further disclose PHI except as permitted under this HIPAA Agreement, HIPAA, the Privacy Rule, the Security Rule, the Recovery Act and applicable state law or regulation, each as amended from time to time.
3.3 Establish, implement and enforce all appropriate safeguards to prevent the use or disclosure of Protected Health Information other than pursuant to the terms and conditions of this HIPAA Agreement.
3.4 Take reasonable steps to ensure that its employees’ actions or omissions do not cause Business Associate to breach the terms of this HIPAA Agreement.
3.5 Document disclosures of PHI in accordance with 45 C.F.R. 164.528, in order for Covered Entity to respond to a request from an Individual for an accounting of disclosures of PHI or in order for the Business Associate to respond to a request for an accounting to the extent required by the Recovery Act.
3.6 Report to Covered Entity in writing any use or disclosure of the PHI of which Business Associate becomes aware that is not permitted by this HIPAA Agreement within five days of Business Associate’s discovery of such use or disclosure.
3.7 Mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of this HIPAA Agreement.
3.8 Enter into a written agreement with any Subcontractors or agents that receive, create, maintain or transmit PHI received by Business Associate on behalf of Covered Entity, binding such subcontractors or agents to the same restrictions, terms and conditions that apply to Business Associate pursuant to this HIPAA Agreement with respect to such PHI, including the requirement that the Subcontractor or agent, as applicable, implement reasonable and appropriate safeguards to protect any electronic PHI that is disclosed to it by Business Associate.
3.9 Upon Covered Entity’s request and within 10 days of such request, provide to Covered Entity all required information to permit Covered Entity to respond to a request from an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. 164.528.
3.10 Maintain the integrity of any PHI transmitted by or received from Covered Entity.
3.11 Provide Covered Entity or, as directed by Covered Entity, to an Individual to whom the PHI relates, the rights of access, amendment, and accounting as set forth in 45 C.F.R. 164.524, 45 C.F.R. 164.526 and 45 C.F.R. 164.528.
3.12 Implement administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the Electronic Protected Health Information that it creates, receives, maintains, or transmits on behalf of Covered Entity. Business Associate shall implement policies and procedures regarding such safeguards.
3.13 Promptly report to Covered Entity, in writing, any Security Incident of which Business Associate becomes aware.
3.14 Notify Covered Entity of any Breach within 5 (five) days of discovery by Business Associate as required by federal law. Delay in notification may only be allowed under the Recovery Act § 13402(g) and 45 C.F.R. 164.412. The notice shall include the identification of each Individual whose unsecured PHI has been, or is reasonably believed by the Business Associate to have been accessed, acquired, or disclosed during such Breach.
3.15 Comply with requested restrictions on the disclosure of PHI as communicated to Business Associate by Covered Entity if the disclosure is to a health plan for the purposes of carrying out Payment or Health Care Operations (and is not for the purpose of carrying out Treatment) and the PHI pertains solely to a health care item or service for which the health care provider involved has been paid out of pocket in full.
3.16 Limit required use and disclosure of PHI, to the extent practicable, to the limited data set as defined by 42 C.F.R. 164.514(e)(2), or the minimum necessary to accomplish the intended purpose of such disclosure, subject to exceptions set forth in the Privacy Rule.
3.17 If Business Associate maintains Electronic Health Records as that term is defined in Section 13400 of the Recovery Act and an Individual requests a copy of such records, transmit the electronic records directly to an entity or person designated by the Individual, provided that any such choice is clear, conspicuous, and specific. Any fee charged for such electronic records shall not exceed Business Associate’s labor costs.
3.18 If Business Associate knows of a pattern of activity or practice of Covered Entity that constitutes a material breach or violation of Covered Entity’s obligations under this HIPAA Agreement, unless Covered Entity successfully takes steps to cure the Breach or end the violation after receipt of notice from Business Associate, then Business Associate shall terminate this HIPAA Agreement and the Services Agreement or, if not feasible, notify the Secretary.
3.19 Be subject to the application of civil and criminal penalties for violation of Sections 13401 and 13404(a) and (b) of Part 1 of the HITECH Act.
3.20 To the extent Business Associate is carrying out one or more obligations of Covered Entity under 45 C.F.R. Part 164, Subpart E, Business Associate shall comply with the requirements of Subpart E that apply to Covered Entity in the performance of such obligation(s).
3.21 Business Associate shall keep such records and submit such compliance reports in such time and manner and containing such information as the Secretary may determine to be necessary to enable the Secretary to ascertain whether Business Associate has complied or is complying with the applicable administrative simplification provisions. Business Associate shall also cooperate with the Secretary if the Secretary undertakes an investigation or compliance review of the policies, procedures, or practices of Business Associate to determine whether Business Associate is complying with the applicable administrative simplification provisions.
4. Permitted Uses by Business Associate.
Business Associate may:
4.1 Use PHI in its possession for proper management and administration of its duties under the Services Agreement or to fulfill any of its legal responsibilities under the Services Agreement.
4.2 Disclose PHI in its possession to third-parties for proper management and administration, or to fulfill any of its legal responsibilities under this HIPAA Agreement or the Services Agreement; provided that (i) the disclosures are Required By Law, as provided for in 45 C.F.R. § 164.103, or (ii) Business Associate has received written assurances from the third party that the PHI will be held confidentially, and used or further disclosed only as Required By Law or for the purpose for which it was disclosed to the third party, and that the third party will notify Business Associate of any instances of which it is aware in which the confidentiality of the PHI has been breached, as required under 45 C.F.R. § 164.504(e)(4).
4.3 De-identify PHI in accordance with 45 CFR 164.514(a)-(c) and use such de-identified information as is legally permissible. Pursuant to 45 C.F.R. § 164.502(d), de-identified information does not constitute PHI and is not subject to the terms of the HIPAA Agreement.
5. Responsibilities of Covered Entity.
Covered Entity shall:
5.1 Provide to Individuals a notice of privacy practices pursuant to 45 C.F.R. § 164.520 that shall, throughout the term of this HIPAA Agreement, give notice of the types of uses and disclosures that are allowed, including types undertaken by Business Associate pursuant to this HIPAA Agreement. Covered Entity shall notify Business Associate of any limitations in Covered Entity’s notice of privacy practices to the extent such limitation(s) may affect Business Associate’s use of PHI.
5.2 Notify Business Associate in writing of any restriction to the use or disclosure of Protected Health Information that Covered Entity has agreed to in accordance with 45 C.F.R. § 164.522 or a restriction pursuant to the Recovery Act § 13405 (a) to which Covered Entity’s compliance was mandatory to the extent such restriction may affect Business Associate’s use or disclosure of Protected Health Information. Before agreeing to any restriction on use or disclosure permitted under 45 C.F.R. § 164.522, but not mandated under the Recovery Act § 13405(a), Covered Entity shall advise Business Associate of the contemplated restrictions and Business Associate shall, as promptly as practicable, advise Covered Entity of the additional costs Covered Entity will incur to implement such restriction.
5.3 Notify Business Associate of any changes to, or withdrawal of, the consent or authorization of an Individual provided to Covered Entity pursuant to 45 C.F.R. § 164.506 or § 164.508 to the extent such changes may affect Business Associate’s ability to perform its obligations under this HIPAA Agreement.
6. Access to PHI. Within five (5) days of a request by Covered Entity for access to PHI maintained by Business Associate, Business Associate shall make PHI available to Covered Entity, or at the written direction of Covered Entity, to an Individual to whom such PHI relates or his or her authorized representative. In the event any Individual requests access to PHI directly from Business Associate, Business Associate shall, within five (5) days, forward such request to Covered Entity. Any denials of access to the PHI requested shall be the responsibility of Covered Entity.
7. Amendment of PHI. Business Associate shall make PHI available to Covered Entity and will amend PHI as instructed by Covered Entity, in a manner consistent with the Privacy Rule within ten (10) days of receipt of a request from Covered Entity for the amendment of patient’s PHI.
8. Accounting for Disclosures of PHI. Within thirty (30) days of notice by Covered Entity to Business Associate that it has received a request for an accounting of disclosures of PHI, Business Associate shall make available to Covered Entity such information as is in Business Associate’s possession required for Covered Entity to satisfy the accounting of disclosures requirement set forth in the Privacy Rule. In the event the request for an accounting is delivered directly to Business Associate, Business Associate shall, within five (5) days, forward the request to Covered Entity. It shall be Covered Entity’s responsibility to prepare and deliver any such accounting requested.
9. Individual Rights Regarding Designated Record Sets. If Business Associate maintains any PHI that could be construed to be part of a Designated Record Set of Covered Entity, Business Associate shall (i) provide access to, and permit inspection and copying of, PHI by Covered Entity, or if directed by Covered Entity, an individual who is the subject of the PHI under conditions and limitations required under 45 C.F.R. § 164.524, as it may be amended from time-to-time, and (ii) amend PHI maintained by Business Associate as requested by Covered Entity. Business Associate shall respond to any request from Covered Entity for access by an individual within five (5) days of such request and shall make any amendment requested by Covered Entity within ten (10) days of such request. Any information requested under this Section 9 shall be provided in the form or format requested, if it is readily producible in such form or format. Business Associate may charge a reasonable fee based upon Business Associate’s labor cost in responding to a request for electronic information (or a cost-based fee for the production of non-electronic media copies). Covered Entity shall determine whether a denial is appropriate or an exception applies. Business Associate shall notify Covered Entity within five (5) days of receipt of any request for access or amendment by an individual. Covered Entity shall determine whether to grant or deny access or amendment requested by the individual. Business Associate shall have a process in place for receiving requests for amendments and for appending such requests to the Designated Record Set, as requested by Covered Entity.
Notwithstanding the above, Business Associate shall not permit access to any record if such access would violate Business Associate’s ethical responsibilities or any other privilege that may be applicable to Business Associate. To the maximum extent permitted by law, Covered Entity hereby reserves and retains any and all privileges in which Covered Entity has an interest with respect to Business Associate’s performance of its obligations under this section. The parties acknowledge that Covered Entity retains the right to waive any privilege with regard to its own records and to expressly instruct Business Associate to provide access to those records as a result of that waiver. In the event Covered Entity decides to waive any privilege, Covered Entity shall provide Business Associate with written notice of that waiver before Business Associate shall act on such decision.
10. Records and Audit. If Business Associate receives a request, made by or on behalf of HHS, requiring Business Associate to make available its internal practices, books, and records relating to the use and disclosure of PHI to HHS for the purpose of determining compliance of Covered Entity with the Privacy Standards, then Business Associate shall promptly notify Covered Entity that Business Associate has received such request. Except as otherwise set forth below, Business Associate shall make its books and records relating to the use and disclosure of PHI by Covered Entity available to HHS and its authorized representatives for purposes of determining compliance of Covered Entity with the Confidentiality Requirements.
To the maximum extent permitted by law, Covered Entity hereby reserves and retains any and all privileges in which Covered Entity has an interest with respect to Business Associate’s performance of its obligations under this Section 10. Business Associate, to the maximum extent permitted by law, hereby reserves and retains any and all privileges or rights. This section shall not be construed to require Business Associate to disclose or produce communications subject to any privileges or rights with respect to materials that analyze, evaluate or discuss the implications of PHI. Notwithstanding the above, in no event shall Business Associate delay complying with a request of HHS or its authorized representatives if such delay appears reasonably likely to result in any penalty, fine or other liability being levied or imposed upon Covered Entity (such likelihood to be determined in the sole discretion of Covered Entity), and Covered Entity has instructed Business Associate in writing to disclose the information requested by HHS or its authorized representatives. The Parties acknowledge that Covered Entity retains the right to: (i) waive any privilege with regard to books and records, and (ii) expressly instruct Business Associate to provide HHS and its authorized representatives with such books and records in the event of such waiver.
11. Government Access. Business Associate will make its internal policies, procedures, books and records relating to use and disclosure of PHI (excluding the actual PHI) received from, or created or received by Business Associate on behalf of Covered Entity, available to the Secretary for purposes of determining Covered Entity compliance with the HIPAA Privacy and Security Rules, subject to any privileges covering Business Associate.
12. 42 CFR Part 2 Responsibilities.
12.1. To the extent that in performing its services for or on behalf of Covered Entity, Business Associate uses, discloses, maintains, or transmits protected health information that is protected by Part 2, Business Associate acknowledges and agrees that in receiving, storing, processing or otherwise dealing with any such patient records, it is fully bound by the Part 2 regulations; and, if necessary will resist in judicial proceedings any efforts to obtain access to patient records except as permitted by the Part 2 regulations.
12.2. Notwithstanding any other language in this Agreement, Business Associate acknowledges and agrees that any patient information it receives from Covered Entity that is protected by Part 2 is subject to protections that prohibit Business Associate from disclosing such information to agents or subcontractors without the specific written consent of the subject individual.
12.3. Business Associate acknowledges that any unauthorized disclosure of information under this section is a federal criminal offense.
13. Representations and Warranties.
Each Party represents and warrants to the other Party:
13.1 That all of its employees, agents, representatives and members of its workforce, whose services may be used to fulfill obligations under this HIPAA Agreement are, or shall be, appropriately informed of the terms of this HIPAA Agreement and are under legal obligation to each Party, respectively, by contract or otherwise, sufficient to enable each Party to fully comply with all provisions of this HIPAA Agreement.
13.2 That it will reasonably cooperate with the other Party in the performance of the mutual obligations under this HIPAA Agreement.
14. Term. Unless otherwise terminated as provided in Section 15, this HIPAA Agreement shall become effective on the Effective Date and is fully incorporated, as if fully set forth therein, with the Services Agreement (the “Termination Date”).
15.1 Automatic Termination. This HIPAA Agreement will automatically terminate without any further action of the Parties upon termination of Business Associate’s representation of Covered Entity; provided, however, certain provisions and requirements of this HIPAA Agreement shall survive such expiration or termination in accordance with Section 16.
15.2 Termination for Cause. Either Party may immediately terminate this HIPAA Agreement, the Services Agreement and any related agreements if the Party makes the determination that the other Party has breached a material term of this HIPAA Agreement. Alternatively, and in the sole discretion of the non-breaching Party, the non-breaching Party may choose to provide the breaching Party with written notice of the existence of the Breach and provide the breaching Party thirty (30) calendar days to cure said breach upon mutually agreeable terms. Failure by the breaching Party to cure said breach or violation in the manner set forth above shall be grounds for immediate termination of the Services Agreement by the non-breaching Party. If termination is not feasible, the Covered Entity shall report the problem to the Secretary.
16. Effect of Termination. Upon termination of this HIPAA Agreement, Business Associate agrees to return or destroy all PHI in whatever form or medium (including any Electronic Media under Business Associate’s custody or control) received from Covered Entity, created, received, transmitted or maintained by Business Associate on behalf of Covered Entity, including all copies of any data or compilations derived from PHI that are in the possession of subcontractors or agents of Business Associate, except to the extent that such PHI is necessary to carry out Business Associate’s obligations under the associated Agreement. Business Associate shall retain no copies of the PHI. Business Associate will complete such return or destruction as promptly as possible, following termination, cancellation, expiration or other conclusion of this HIPAA Agreement.
17. Third-Party Beneficiaries. Nothing in this HIPAA Agreement shall be construed to create third-party beneficiary rights in any person or entity.
18. Amendments; Waiver. This HIPAA Agreement may not be modified, nor shall any provision be waived or amended, except in a writing duly signed by authorized representatives of the Parties. The failure of either Party to enforce at any time any provision of this HIPAA Agreement shall not be construed to be a waiver of such provision, nor in any way to affect the validity of this HIPAA Agreement or the right of either Party thereafter to enforce each and every such provision.
19. Notices. Any notice or other communication required or desired to be given to any Party under this HIPAA Agreement shall be in writing and shall be deemed given when (a) deposited in the United States mail, first-class postage prepaid, and addressed to that Party at the address for such Party set forth below; (b) the next business day immediately following delivery to Federal Express, or any other similar express delivery service for next-day delivery to that Party at that address; or (c) sent by facsimile transmission, with electronic confirmation, to that Party at its facsimile number set forth below. Any Party may change its address or facsimile number for notices under this HIPAA Agreement by giving the other party notice of such change.
Covered Entity: (Company Address and Notice Information Listed in your Services Agreement and/or Order Form)
Business Associate: Kipu Health LLC
Attn: Legal Department
55 Alhambra Plaza, 6th Floor
Coral Gables, FL 33134
Notice of change of address of a Party shall be given in writing to the other Party as provided above.
20. Governing Law, Venue and Attorney Fees and Costs. This HIPAA Agreement shall be governed by and construed in accordance with the laws of the State of Florida. In the event of any litigation in connection with, arising out of, or related to this HIPAA Agreement, the Parties agree that the Circuit Court of Dade County, Florida shall be the exclusive venue and jurisdiction for any litigation. At the option of Covered Entity, the United States District Court for the Southern District of Florida, Miami Division, shall be the exclusive venue and jurisdiction for any litigation. Should legal action ever be necessary to enforce the terms of this HIPAA Agreement, the prevailing Party will be entitled to receive from the other Party all litigation expenses incurred in connection therewith, including but not limited to reasonable attorneys’ fees, paralegal fees, expert and investigator fees, and costs, on all levels, including any appeals, if any.
21. Assignment. Neither Party may assign this HIPAA Agreement without the prior written consent of the other.
22. Compliance with Law; Regulatory Changes. It is the Parties’ intent to comply strictly with all applicable laws, including without limitation, HIPAA, Medicare or Medicaid statutes, state statutes, or regulations (collectively, the “Regulatory Laws”), in connection with this HIPAA Agreement. In the event there shall be a change in the Regulatory Laws, or in the reasoned interpretation of any of the Regulatory Laws or the adoption of new federal or state legislation, any of which are reasonably likely to materially and adversely affect the manner in which either Party may perform or be compensated under this HIPAA Agreement or which shall make this HIPAA Agreement unlawful, the Parties shall immediately enter into good faith negotiations regarding a new arrangement or basis for compensation pursuant to this HIPAA Agreement that complies with the law, regulation or policy and that approximates as closely as possible the economic position of the Parties prior to the change. In addition, the Parties hereto have negotiated and prepared the terms of this HIPAA Agreement in good faith with the intent that each and every one of the terms, covenants and conditions herein be binding upon and inure to the benefit of the respective Parties. To the extent this HIPAA Agreement is in violation of applicable law, then the Parties agree to negotiate in good faith to amend this HIPAA Agreement, to the extent possible consistent with its purposes, to conform to law.
23. Severability. In the event any provision of this HIPAA Agreement is held to be unenforceable for any reason, the unenforceability thereof shall not affect the remainder of this HIPAA Agreement, which shall remain in full force and effect and enforceable in accordance with its terms.
24. Binding Effect. The provisions of this HIPAA Agreement shall be binding upon and shall inure to the benefit of the Parties and their respective heirs, executors, administrators, legal representatives, successors and assigns.
25. Headings. All section headings contained in this HIPAA Agreement are to be considered for reference purposes only, and are not intended to define or limit the scope of any provisions of this HIPAA Agreement.