CoherentRx Inc. Business Associate Agreement
for Customers Using Patient Education Genius


This Business Associate Agreement (“Agreement”) is between CoherentRx, Inc. (“Covered Entity”) and “Business Associate”.

WHEREAS, Business Associate may create, receive, maintain or transmit protected health information on behalf of Covered Entity in connection with Business Associate's performance of its obligations under any and all prior, existing and future agreements and arrangements between the parties (collectively, the "Underlying Agreement"); and WHEREAS, the parties wish to ensure the confidentiality and security of protected health information in accordance with applicable law, including, without limitation, HIPAA, HITECH and the HIPAA Regulations.  NOW, THEREFORE, the parties agree as follows:
 

  1. Definitions

    The following terms used in this Agreement shall have the same meaning as those terms in the HIPAA Rules: Breach, Data Aggregation, Designated Record Set, Disclosure, Health Care Operations, Individual, Minimum Necessary, Notice of Privacy Practices, Protected Health Information, Required by Law, Secretary, Security Incident, Subcontractor, Unsecured Protected Health Information, and Use.
     
    1. Specific definitions:
       
      1. Business Associate.  “Business Associate” shall generally have the same meaning as the term “business associate” at 45 CFR 160.103.
      2. Covered Entity.  “Covered Entity” shall generally have the same meaning as the term “covered entity” at 45 CFR 160.103, and in reference to the party to this agreement, shall mean CoherentRx, Inc.
      3. HIPAA Rules.  “HIPAA Rules” shall mean the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Part 160 and Part 164.
         
  2. Obligations and Activities of Business Associate
     
    1. Use or Disclosure - Business Associate agrees not to use or disclose protected health information (“PHI”) created, received, maintained or transmitted by Business Associate on behalf of CoherentRx other than as permitted or as required by law.
       
    2. Safeguards - Business Associate agrees to use appropriate safeguards to prevent the use or disclosure of PHI and shall comply with Subpart C of 45 CFR Part 164 (the Security Rule), as applicable.
      1. Mitigation - Business Associate agrees to mitigate, to the extent practicable, any harmful effect caused by Business Associate in violation of this Agreement of which Business Associate becomes aware.

      2. Reporting - Business Associate agrees to notify Covered Entity of any use or disclosure of PHI other than as provided for herein of which it becomes aware, including breaches of Unsecured PHI as required by 45 CFR §164.410, or any Security Incident of which it becomes aware.  Business Associate agrees to provide the Covered Entity with any reports necessary for the Covered Entity to respond to any inquiries pursuant to Covered Entity’s obligations under 45 CFR 164.524.

      3. Amendment - Business Associate agrees to make any amendment(s) to PHI in a Designated Record Set that Covered Entity directs or agrees to pursuant to 45 CFR §164.526 at the request of Covered Entity, or take other measures as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.526.

      4. Audit and Inspection - Business Associate agrees to make its internal practices, books and records available to Covered Entity and/or the Secretary of the United States Department of Health and Human Services for purposes of determining compliance with the HIPAA Rules.

      5. Compliance with the Privacy Rule - To the extent Business Associate is to carry out one or more of Covered Entity's obligation(s) under the Privacy Rule, Business Associate agrees to comply with the requirements of the Privacy Rule that apply to Covered Entity in the performance of such obligation(s), including the minimum necessary requirements.

    3. Permitted Uses and Disclosures by Business Associate

      1. General Use and Disclosure Provisions - Business Associate may use or disclose PHI on behalf of Covered Entity or to perform its obligations under the Underlying Agreement provided that such use or disclosure would not violate the Privacy Rule if done by Covered Entity.

      2. Specific Use and Disclosure Provisions - Business Associate may use and disclose PHI for the proper management and administration of Business Associate or to meet its legal responsibilities, provided the disclosures are required by Law, or Business Associate obtains from the recipient of the PHI assurances that the information will remain confidential, will be used or further disclosed only as required by law or for the purpose for which it was disclosed to recipient, and the recipient will notify Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.

      3. Report Violations - Business Associate may use and disclose PHI to report violations of law to appropriate federal and state authorities, consistent with 45 CFR § 164.502(j)(1).

      4. Data Aggregation - Business Associate may use and disclose PHI it receives to provide Data Aggregation services for the healthcare operations of Covered Entity provided that Business Associate notifies Covered Entity in advance of its intended Data Aggregation Services.

    4. Obligations Of Covered Entity

      1. Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under the Privacy Rule if done by Covered Entity or that is not otherwise expressly permitted under this Agreement.

      2. Covered Entity shall notify Business Associate of any limitation(s) in the notice of privacy practices of Covered Entity in accordance with 45 CFR § 164.520, to the extent that such limitation may affect Business Associate's use or disclosure of PHI.

    5. Term and Termination

      1. Term and Termination - This Agreement shall be effective as of the date of execution of the Agreement and shall continue for the term of the respective Underlying Agreement.  This Agreement may be terminated by either party without prior written notice; however, Covered Entity may terminate this Agreement effective immediately, if Business Associate is named as a defendant in a criminal proceeding for a violation of HIPAA, HITECH, or other security or privacy laws or that Business Associate has violated any standard or requirement of HIPAA, HITECH, or other security or privacy laws.

      2. Effect of Termination - Upon termination of this Agreement, Business Associate shall return or destroy any and all PHI that Business Associate created, received, maintained or transmitted on behalf of Covered Entity.  Business Associate shall retain no copies of any protected health information.  The obligations set forth herein shall survive the termination or expiration of this Agreement.
         

    6. Miscellaneous

      1. Regulatory References - A reference in this Agreement to a section in HIPAA, HITECH and the HIPAA Regulations means the section as in effect or as amended from time to time, and for which compliance is required.

      2. Amendment; Waiver - This Agreement may not be modified, nor shall any provision hereof be waived or amended, except in writing duly signed by authorized representatives of the parties.  A waiver with respect to one event shall not be construed as continuing, or as a bar to or waiver of any right or remedy as to subsequent events.  Notwithstanding the foregoing, in the event a change in any federal or state law or regulation governing PHI requires an amendment to this Agreement to ensure Covered Entity's ongoing compliance with such law or regulation, Business Associate agrees that Covered Entity may amend this Agreement, in its sole discretion.

      3. Interpretation - Any ambiguity in this Agreement shall be resolved in favor of a meaning that permits Covered Entity to comply with HIPAA, HITECH, the HIPAA Regulations, and any other applicable law protecting the privacy, security and confidentiality of PHI.  To the extent that any provision of this Agreement conflicts with any understanding between the parties, this Agreement shall control.

      4. State Law - Nothing in this Agreement shall be construed to require Business Associate to use or disclose PHI in violation of Michigan State law.  This agreement will be governed under the laws of the State of Michigan.

      5. Indemnification - Business Associate shall indemnify and hold harmless Covered Entity from and against any and all claims, losses, liabilities, costs and other expenses resulting from, or relating to, the acts or omissions of Business Associate in performance of its obligations hereunder.

      6. Injunctions - Covered Entity and Business Associate agree that any violation of this Agreement may cause irreparable harm to Covered Entity.  Accordingly, in addition to any other remedies available to Covered Entity at law or in equity, Covered Entity shall be entitled to an injunction or other decree of specific performance with respect to any violation of this Agreement without the necessity of demonstrating actual damages.

      7. No Third Party Beneficiaries - Nothing express or implied in this Agreement is intended or shall be deemed to confer upon any person other than Covered Entity, Business Associate and their respective successors any rights, obligations, remedies or liabilities.