Business Associate Addendum

Publication Date: January 1, 2024

This is a Business Associate Addendum (“Addendum”) to the Terms of Service that govern the use of the Esker on Demand, FlyDoc or TermSync Service (the “Underlying Agreement”). “Customer”, as defined in the Underlying Agreement, shall hereinafter be known as the “Covered Entity” and “Esker”, as defined in the Underlying Agreement, shall hereinafter be known as the “Business Associate”. Covered Entity and Business Associate shall collectively be known herein as the “Parties". This Addendum shall supersede any prior business associate agreements agreed to between the Parties and shall apply to any further agreement between the parties relating to Protected Health Information (as defined below). In the event Customer previously had a business associate agreement with Esker, Customer’s continued use of the Service, as defined in the Underlying Agreement, shall constitute acceptance of the terms and conditions contained in this Addendum.

The Parties acknowledge and agree that this Addendum is only applicable when the Business Associate provides services or functions to or on behalf of the Covered Entity as specified in the Underlying Agreement, that results in the access, maintenance, transmission, receipt, creation, use, or disclosure for or on behalf of Covered Entity (in its capacity as a “covered entity” of "Protected Health Information" (as those terms are defined in the Health Insurance Portability and Accountability Act of 1996, as amended, regulations and guidance promulgated thereunder, the Health Information Technology for Economic and Clinical Health Act, and regulations and guidance promulgated thereunder, as such laws and regulations may be amended from time to time (collectively, “HIPAA”)). Where this Addendum applies, the Covered Entity and Business Associate mutually agree to comply with the HIPAA's requirements, as applicable. The Parties, intending to be legally bound, hereby agree as follows:

1. PRIVACY OF PROTECTED HEALTH INFORMATION.

a) Permitted Uses and Disclosures. Business Associate is permitted to use and disclose Protected Health Information that it uses, discloses, creates, maintains, transmits, or receives for or on behalf of Covered Entity (collectively, “Covered Entity’s Protected Health Information”) only:

1. To perform the services as specified in the Underlying Agreement.
2. For Business Associate’s proper management and administration or to carry out Business Associate’s legal responsibilities, provided that, with respect to disclosure of Covered Entity’s Protected Health Information, either: the disclosure is Required by Law; or Business Associate obtains reasonable assurances, in writing, from any person or entity to which Business Associate will disclose Covered Entity’s Protected Health Information that the person or entity will hold Covered Entity’s Protected Health Information in confidence and use or further disclose Covered Entity’s Protected Health Information only for the purpose for which Business Associate disclosed Covered Entity’s Protected Health Information to the person or entity or as Required by Law; and promptly notify Business Associate (who will in turn notify Covered Entity in accordance with Section 4(a)) of any instance of which the person or entity becomes aware in which the confidentiality of Covered Entity’s Protected Health Information was breached.
3. Business Associate will make reasonable efforts to use, to disclose, and to request only the minimum amount of Covered Entity’s Protected Health Information reasonably necessary to accomplish the intended purpose of the use, disclosure, or request. Business Associate and Covered Entity acknowledge that the phrase “minimum necessary” shall be interpreted in accordance with HIPAA.

b) Prohibition on Unauthorized Use or Disclosure. Business Associate will neither use nor disclose Covered Entity’s Protected Health Information, except as specifically permitted or required by this Addendum or as Required by Law. This Addendum does not authorize Business Associate to use or disclose Covered Entity’s Protected Health Information or take any other action in a manner that will violate 45 C.F.R. Part 160 and Part 164, Subparts A and E “Standards for Privacy of Individually Identifiable Health Information” (the “Privacy Rule”) if done by Covered Entity, except as set forth in Section (a) (ii).

c) Information Safeguards. Business Associate will develop, implement, maintain, and use appropriate administrative, technical, and physical safeguards to protect the privacy of Covered Entity’s Protected Health Information, including Electronic Protected Health Information. The safeguards must reasonably protect Covered Entity’s Protected Health Information from any intentional or unintentional use or disclosure in violation of the Privacy Rule and limit incidental uses or disclosures made pursuant to a use or disclosure otherwise permitted by this Addendum, provided Business Associate has complied with the applicable minimum necessary requirements of HIPAA with respect to such otherwise permitted or required use or disclosure.

d) Subcontractors and Agents. In accordance with 45 CFR 164.504(e)(2)(ii)(D), Business Associate agrees to ensure that any Subcontractors that create, receive, maintain or transmit Protected Health Information on behalf of the Business Associate execute a written contract agreeing to abide by the same restrictions, conditions and requirements that apply to Business Associate with respect to such information, including without limitation, an agreement to implement reasonable and appropriate safeguards to protect Covered Entity’s Protected Health Information.

e) Prohibition on Sale of Records. Business Associate shall not directly or indirectly receive remuneration in exchange for any of Covered Entity’s Protected Health Information of an individual unless the Covered Entity or Business Associate obtained from the individual, in accordance with 45 CFR 164.508, a valid authorization that includes a specification of whether the Protected Health Information can be further exchanged for remuneration by the entity receiving Protected Health Information of that individual, except as otherwise allowed under HIPAA.

f) Compliance with Privacy Rule. To the extent Business Associate carries out an obligation of Covered Entity under the Privacy Rule, Business Associate shall comply with the requirements of the Privacy Rule that apply to Covered Entity in the performance of such obligation.

2. COMPLIANCE WITH TRANSACTION STANDARDS.

If Business Associate conducts in whole or part electronic Standard Transactions on behalf of Covered Entity for which the Department of Health and Human Services (“DHHS”) has established Standards, Business Associate will comply, and will require any subcontractor or agent it involves with the conduct of such Standard Transactions to comply, with each applicable requirement of the Transaction Rule, 45 C.F.R. Part 162. Business Associate shall comply with the National Provider Identifier requirements, if and to the extent applicable. Business Associate will not enter into, or permit its subcontractors or agents to enter into, any Trading Partner Agreement in connection with the conduct of Standard Transactions on behalf of Covered Entity that: changes the definition, data condition, or use of a data element or segment in a Standard Transaction; adds any data element or segment to the maximum defined data set; uses any code or data element that is marked “not used” in the Standard Transaction’s implementation specification or is not in the Standard Transaction’s implementation specification; or changes the meaning or intent of the Standard Transaction’s implementation specification.

3. INDIVIDUAL RIGHTS.

a) Access. Business Associate will, within 15 calendar days following Covered Entity’s request, make available to Covered Entity or, at Covered Entity’s direction, to an individual (or the individual’s personal representative) for inspection and obtaining copies, Covered Entity’s Protected Health Information about the individual that is in Business Associate’s (or Business Associate’s agent’s or subcontractor’s) custody or control, so that Covered Entity may meet its access obligations under 45 C.F.R. § 164.524. If none is possessed, Business Associate will so advise the Covered Entity within 15 calendar days. If the Protected Health Information is held in an Electronic Health Record, then Business Associate acknowledges that the individual shall have a right to obtain from Business Associate a copy of such information in an electronic format if it is readily producible in such format as is required under 45 C.F.R. § 164.524 and will comply with such requirement. Business Associate shall provide such a copy to Covered Entity.

b) Amendment. Business Associate will, upon receipt of written notice from Covered Entity, promptly amend any portion of Covered Entity’s Protected Health Information, so that Covered Entity may meet its amendment obligations under 45 C.F.R. § 164.526.

c) Disclosure Accounting. So that Covered Entity may meet its disclosure accounting obligations under 45 C.F.R. § 164.528, Business Associate shall maintain – in compliance with HIPAA – and provide to Covered Entity an accounting of disclosures as required pursuant to 45 C.F.R. § 164.528.

d) Restriction Addendums and Confidential Communications. Business Associate will comply prospectively with any limitation to which the Covered Entity agrees that either (i) restricts use or disclosure of Covered Entity’s Protected Health Information pursuant to 45 C.F.R. § 164.522(a), or (ii) requires confidential communication about Covered Entity’s Protected Health Information pursuant to 45 C.F.R. § 164.522(b), provided that Covered Entity notifies Business Associate in writing of the restriction or confidential communication obligations that Business Associate must follow. Covered Entity will promptly notify Business Associate in writing of the termination of any such restriction addendum or confidential communication requirement and, with respect to termination of any such restriction addendum, instruct Business Associate whether any of Covered Entity’s Protected Health Information will remain subject to the terms of the restriction addendum. Further, Business Associate will comply with any restriction request if: (i) except as otherwise required by law, the disclosure is to a health plan for purposes of carrying out payment or health care operations (and is not for purposes of carrying out treatment); and (ii) the Protected Health Information pertains solely to a health care item or service for which the health care provider involved has been paid out of pocket in full.

4. BREACHES AND SECURITY INCIDENTS.

a) Reporting. Privacy or Security Breach. Business Associate will report to Covered Entity any use or disclosure of Covered Entity’s Protected Health Information not permitted by this Addendum; along with any Breach of Covered Entity’s Unsecured Protected Health Information. Business Associate will treat the Breach as being discovered in accordance with 45 C.F.R. § 164.410(a)(2). Business Associate will make the report to Covered Entity’s Privacy Official not more than 15 calendar days after Business Associate learns of such Breach or non-permitted use or disclosure. If a delay is requested by a law enforcement official in accordance with 45 C.F.R. § 164.412, Business Associate may delay notifying Covered Entity for the time period specified by such law enforcement request. Business Associate’s report will at least:

    A) To the extent possible, include the identification of each individual whose Unsecured Protected Health Information has been, or is reasonably believed by the Business Associate to have been, accessed, acquired, used or disclosed during the Breach or other non-permitted use or disclosure;

    B) Identify the nature of the Breach or other non-permitted use or disclosure, which will include a brief description of what happened, including the date of any Breach or other non-permitted use or disclosure and the date of the discovery of any Breach or other non-permitted use or disclosure;

    C) Identify Covered Entity’s Protected Health Information that was subject to the non-permitted use or disclosure or Breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code or other types of information were involved) on an individual-by-individual basis;

    D) Identify who committed the Breach or made the non-permitted use or disclosure and who received the non-permitted disclosure;

    E) Identify what corrective or investigational action Business Associate took or will take with regard to the Breach or non-permitted uses or disclosures, actions to mitigate harmful effects of the Breach or non-permitted use or disclosure, and actions to protect against any further Breaches or non-permitted uses or disclosures;

    F) Identify what steps the individuals who were subject to a Breach should take to protect themselves;

    G) Provide such other information, including a written report, as Covered Entity may reasonably request; and

    H) Coordinate with Covered Entity regarding information to be provided to individuals who were subject to a Breach regarding a contact for the individual to ask questions or obtain additional information regarding such Breach.

b) Security Incidents. Business Associate will report to Covered Entity within 20 calendar days any attempted or successful Security Incident. Business Associate will make this report in accordance with Section 4(a) above. Notwithstanding the foregoing, the Parties acknowledge and agree that inconsequential incidents that occur on a daily basis, such as scans or pings on Business Associate’s networks or servers containing Electronic PHI occur with such frequency that these shall not be considered a Security Incident subject to this reporting requirement; provided, however, that the Covered Entity shall be entitle to receive such reporting if requested by the Covered Entity in writing.

c) Term and Termination of Addendum.

1. Term. The Term of this Addendum shall begin as of the Effective Date of the Underlying Agreement and shall terminate upon the termination of the business associate relationship between the parties.
2. Right to Terminate for Breach. Either party may terminate the Addendum if it determines, in its sole discretion, that the other party has breached any provision of this Addendum and upon written notice to breaching party of the breach, has failed to cure the breach within thirty (30) calendar days after receipt of such notice. The non-breaching party may exercise this right to terminate the Addendum by providing the breaching party with written notice of termination, stating the failure to cure the breach of the Addendum that provides the basis for the termination. Any such termination will be effective immediately or at such other date specified in the notice of termination if cure is permitted.
3. Obligations on Termination.

A) Return or Destruction of Covered Entity’s Protected Health Information. Upon termination of this Addendum, Business Associate will, if feasible, at Covered Entity’s option, return to Covered Entity or destroy all of Covered Entity’s Protected Health Information(“Data”). Business Associate will require any subcontractor or agent, to which Business Associate has disclosed Covered Entity’s Protected Health Information as permitted by Section 1(d) of this Addendum, to return to Business Associate (so that Business Associate may return it to Covered Entity or destroy in accordance with this Section 4(b) (iii) (A)), all Data and certify to Business Associate that all such information has been returned. Business Associate (including Business Associate’s Subcontractors and agents) will complete these obligations as promptly as possible, but not later than 30 calendar days following the effective date of the termination or other conclusion of this Addendum. If Business Associate (and Business Associate’s Subcontractors and agents) destroys Data, it shall be done with the use of technology or methodology that renders the Protected Health Information unusable, unreadable or indecipherable to unauthorized individuals.

B) Procedure When Return or Destruction Is Not Feasible. Business Associate will identify any Data, including any that Business Associate has disclosed to subcontractors or agents as permitted by Section 1(d) of this Addendum, that cannot feasibly be returned to Covered Entity or destroyed and explain why return or destruction is infeasible, which may include situations where retaining the Protected Health Information is necessary for Business Associate to continue its proper management and administrator or to carry out its legal responsibilities. Business Associate shall continue to use appropriate safeguards, comply with HIPAA, and adhere to the terms of this Addendum with respect to Protected Health Information for so long as Business Associate retains the Protected Health Information.

5. GENERAL PROVISIONS.

a) Inspection of Books, and Records. Business Associate will make its books, and records relating to its use and disclosure of Covered Entity’s Protected Health Information available to determine Covered Entity’s compliance with the Privacy Rule, 45 C.F.R. Part 164, Subpart E.

b) Definitions. All terms, whether or not capitalized, that are used but not otherwise defined in this Addendum shall have the meaning specified under HIPAA, including its statute, regulations and other official government guidance. For purposes of this Addendum, Covered Entity’s Protected Health Information encompasses Covered Entity’s Electronic Protected Health Information.

c) Amendment to Addendum. Upon the compliance date of any final regulation or amendment to final regulation promulgated by DHHS that affects Business Associate’s use or disclosure of Covered Entity’s Protected Health Information or Standard Transactions, the parties will update this Addendum such that the obligations imposed on Business Associate remain in compliance with the final regulation or amendment to final regulation.

d) Headings. Headings and titles of sections and clauses herein are for reference purposes only and are not part hereof and are not intended to be used in the interpretation hereof.

e) Notices. Any notices or other communications required or contemplated under the provisions of this Addendum shall be in writing and delivered in person, evidenced by a signed receipt, or mailed by certified mail, return receipt requested, postage prepaid, to the addresses specified in the Underlying Agreement. The Parties may also amend this Addendum in a writing signed by both parties.

f) No Third Party Beneficiaries. Nothing express or implied in this Addendum shall be construed as creating any rights or benefits to any third parties. Without in any way limiting the foregoing, it is the Parties’ specific intent that nothing contained in this Addendum shall give rise to any right or cause of action, contractual or otherwise, in or on behalf of any Individual whose Protected Health Information is used or disclosed pursuant to this Addendum.

g) Independent Contractor. It is stipulated and agreed between the Parties that Business Associate shall be deemed an independent contractor at all times for the performance of this Addendum.

h) Waiver of Breach. The Parties agree that the waiver by either party of a breach by the other Party of any of the provisions contained in this Addendum shall not operate as or be construed to be a waiver of any other breach of this Addendum by either Party.

i) Entire Agreement. This Addendum states the entire agreement between the Parties on this subject and supersedes all prior negotiations, understandings, and agreements between the Parties concerning the subject matter.