ACCESS SERVICES AGREEMENT
This Customer Access Services Agreement ("Agreement") is entered into by and between Exela Enterprise Solutions Inc. (together with its subsidiaries, "Exela", "We", "Us", or "Our") and the Customer ("Customer", "You", or "Your" means a Medical Provider or Provider group or Billing company that provides medical goods and services or Billing Services to an individual or to an Organization) named herein, a "Covered Entity" as defined in 45 CFR §160.103. Exela and You are sometimes hereinafter referred to individually as the "Party" or collectively as the "Parties".
This Agreement governs Customer’s use of Exela's PCH services through Exela’s secure web sites ("Site") including, without limitation, all content and self-service functions ("Services") made available to Customer through the Site. This Agreement includes the Terms and Conditions set forth below.
TERMS AND CONDITIONS
A. Administrator is the person identified herein who has legal authority to sign agreements for Customer and who is responsible for setting up and maintaining Users. The Administrator may, from time to time and in the manner prescribed by Exela, designate another person to setup and maintain Users, but the Administrator shall retain overall responsibility for setting up and maintaining Users.
B. A User or Authorized User is a person who has registered to use the Site and whom Customer has authorized to access or use the Services.
2. Services. The Services include the exchange of transactions through direct web based claims entry & upload of files. The Services do not include the exchange of transactions using SoapWS or RestAPI integration, both of which require a separate agreement between Customer and Exela.
3. Use. Customer's access to and use of the Services are permitted solely for internal use and benefit to submit transactions to Health Plans for medical and dental services that the Customer provided or on behalf of Customer’s client; any other access or use is strictly prohibited.
5. Customers Responsibilities.
The following responsibilities apply to all Customers and their Authorized Users.
- Customer will inform Authorized Users of all Customer terms and practices that are relevant to their use of the PCH Platform and of any settings that may impact the processing of Customer Data.
- Customer is completely responsible for the Customer Data on the PCH Platform including ensuring the usage practices by the Customer and their Authorized Users in maintaining the privacy and confidentiality of the patients’ healthcare data.
- Customer will comply with healthcare and data regulation rules applicable to healthcare providers and organizations in their respective country of business and locations of service. Customer is solely responsible for choosing to use Exela PCH Platform & Services after ascertaining that it meets the necessary regulatory compliance applicable to their operations.
- Customer will not publish or distribute, in any form, any patient healthcare information without the patient's informed consent. Exela is not liable for Customer's handling of its own data, nor for any outcomes that result from it.
- The Customer will be responsible for all the activities in their account and in the Authorized User accounts.
- The PCH Platform serves only as a technology enabler for the online healthcare services that the Customer chooses to provide. Any disputes between the Customer and its Authorized Users will be dealt with by the Customer directly.
6. Business Associate Provisions.
The Parties agree as follows: (1) Both Parties agree that the Business Associate Provisions (attached hereto as Exhibit A), which are hereby incorporated by reference into this Agreement, and which may be updated from time to time, will govern the rights and responsibilities of Customer and Exela with respect to the communication and treatment of Protected Health Information ("PHI"), as defined in the Health Insurance Portability and Accountability Act of 1996 and the regulations promulgated thereunder ("HIPAA"); (2) Both Parties agree that each Party will use or disclose PHI only in a manner consistent with all applicable laws and regulations, including HIPAA; (3) Customer represents and warrants to Exela that Customer has provided or will provide to patients all notices, and that Customer has obtained or will obtain from patients all consents and authorizations, required by HIPAA and other applicable laws in connection with Customer's use of the Service; (4) Both Parties agree to keep confidential all proprietary or confidential information of the other Party, and of all affiliates and vendors, suppliers, licensors and service providers to the other Party (all such affiliates, vendors, suppliers, licensors and service providers, collectively, "Related Entities"), that either Party may receive or to which the other Party may have access ("Confidential Information") and that each Party will use Confidential Information only for the specific purpose of using the Service as contemplated in this Agreement; and (5) Both Parties agree to allow the other Party, upon at least thirty (30) days prior written notice to the other Party and in a manner that will not unreasonably disrupt the office or practice of the other Party, to access, inspect and audit the other Party's records relating to the Service and either Party's compliance with this Agreement.
Both Parties agree that in the event any legislation or rules promulgated under HIPAA or any other federal or state governing statutes or regulatory action after the effective date of this Agreement, which modifies in any way the use, disclosure, or exchange of PHI, shall be deemed accepted upon the effective date and this Agreement shall be automatically updated to include such changes as of their effective date without requiring further amendment to this Agreement.
We require each User to have unique information to identify himself/herself when accessing or using the Services. Currently this unique information is a User ID and Password and later may be a digital certificate. Customers are solely responsible for (1) maintaining the strict confidentiality of the IDs and Passwords assigned to Customers and Customers' Users, (2) instructing Customers' Users to not allow another person to use their IDs or Passwords to access the Site or the Services, and (3) any charges, damages, or losses that may be incurred or suffered as a result of Customers' or Customers' Users’ failure to maintain the strict confidentiality of their IDs and/or Passwords. If Customer becomes aware of or suspects fraudulent activity or any other activity that threatens the security of the Site, Customer must immediately revoke the offending User's access to the Site and promptly report the activity to Exela.
8. Intellectual Property Ownership.
Customer agrees that Exela (or third parties providing content or services for the Site) own all worldwide rights, titles and interests in and to the Site and all intellectual property rights therein. Exela may print a copy of the information contained on the Site for Customer's professional use only, but Customer may not reproduce or distribute the text or graphics to others or substantially copy the information on Customer's own server, or link to the Site, without prior written permission of Exela. All rights not expressly granted in this Agreement are reserved to Exela. No other rights or licenses are conveyed or intended by this Agreement.
9. General Disclaimers.
THE SITE AND THE SERVICES ARE PROVIDED TO CUSTOMER ON AN "AS IS, WITH ALL FAULTS" BASIS, AND CUSTOMER'S USE THEREOF IS AT CUSTOMER'S OWN RISK. IN NO EVENT WILL EXELA BE LIABLE TO CUSTOMER OR ANY OTHER PARTY FOR ANY DIRECT, INDIRECT, SPECIAL, OR CONSEQUENTIAL DAMAGES ARISING OUT OF ANY USE OF THE SITE, OR ANY OTHER HYPER-LINKED WEB SITE. THIS INCLUDES, WITHOUT LIMITATION, ANY LOST PROFITS, BUSINESS INTERRUPTION, LOSS OF PROGRAMS OR DATA ON YOUR EQUIPMENT, OR OTHER DAMAGES OF ANY NATURE, EVEN IF EXELA IS EXPRESSLY ADVISED OF THE POSSIBILITY OR LIKELIHOOD OF SUCH DAMAGES.
10. General Indemnity.
Customer agrees to defend, indemnify, and hold Exela harmless against any losses, expenses, costs, or damages (including Our reasonable attorneys' fees, expert fees, and other reasonable costs of litigation) arising from, incurred as a result of, or in any manner related to (1) as outlined in Section 4, (2) Customer's breach of the terms of this Agreement, (3) Customer's unauthorized or unlawful use of the Site or the Services, (4) the unauthorized or unlawful use of the Site or the Services by any other person using Your IDs or Passwords, and (5) any breach or unauthorized use of this Site or the Services of any person or entity that Customer delegates functions or User access to with regard to this Site or the Services.
It is understood and agreed that no failure or delay by a Party in exercising any right, power, or privilege hereunder shall operate as a waiver thereof, nor shall any single or partial exercise thereof preclude any other or further exercise thereof or the exercise of any other right, power or privilege hereunder.
Exela reserves the right to access, read, copy, delete, and disclose data/ information on Exela systems and equipment. Exela reserves the right to inspect any and all files stored on Exela equipment.
13. Third Party Software.
Customer agrees to use any third-party software Exela may provide to Customer solely for the purposes of using the Site to transmit transactions to health plans. Customer agrees to comply with all of the terms and conditions of any licenses relating to such third-party software. Exela may, but shall have no obligation to, assist in the installation of such software. Customer agrees not to, or to attempt to, reverse engineer, disassemble, copy, modify, decompile, or prepare derivative works of any part of Exela's system or any such third-party software. Upon Exela's request, Customer shall return all copies of such third-party software to Exela and remove, and certify to Exela such removal, of any electronic copies of such third-party software stored or residing on Customer's systems.
14. Governing Law; Venue.
This Agreement shall be governed by the laws of the State of New York, without regard to its conflicts of law provisions. Any dispute relating to this Agreement, the Site, or the Services shall be brought only in a federal or state court sitting in New York City, New York.
BUSINESS ASSOCIATE PROVISIONS
BUSINESS ASSOCIATE AGREEMENT
This Business Associate Agreement (“BAA”) is part of the Customer Access Service Agreement between Customer and Exela (the “Agreement”) into which this BAA is incorporated by reference. Exela is providing services to Customer and Customer wishes to disclose certain information some of which may constitute Protected Health Information (“PHI”) (defined below).
Terms used but not otherwise defined in this BAA or the Agreement will have the same meaning as the meaning ascribed to those terms in the Health Information Portability and Accountability Act of 1996, codified as 42 U.S.C. §1320d (“HIPAA”), the Health Information Technology Act of 2010, as codified at 42 U.S.C.A. prec. § 17901 (the “HITECH” Act), and any current and future regulations promulgated under HIPAA or HITECH.
“Individual” will have the same meaning as the term “individual” in 45 C.F.R. §164.501 and will include a person who qualifies as a personal representative in accordance with 45 C.F.R. §164.502(g).
“HIPAA Privacy Regulations” will mean the Standards for Security of Individually Identifiable Health Information at 45 C.F.R. part 160 and part 164, subparts A and E.
“HIPAA Security Regulations” will mean the Standards for Security of Individually Identifiable Health Information at 45 C.F.R. part 160 and subparts A and C of part 164.
“HITECH Standards” means the privacy, security and security breach notification provisions applicable to a Business Associate under Subtitle D of the HITECH Act and any regulations promulgated thereafter.
“Individually Identifiable Information” means information that is a subset of health information, including demographic information collected from an individual, and: (a) is created or received by a health care provider, health plan, employer or health care clearinghouse; and (b) relates to past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present or future payment for the provision of health care to an individual; and: (i) that identifies the individual; or (ii) with respect to which there is a reasonable basis to believe the information can be used to identify the individual.
“Protected Health Information” or “PHI” will have the same meaning as the term “protected health information” in 45 C.F.R. §160.103 (as amended by the HITECH Act), which will include electronic PHI, limited to the information created or received by Exela from or on behalf of Exela including, but not limited to Electronic PHI.
“Secretary” will mean the Secretary of the Department of Health and Human Services or his/her designee.
“Unsecured Protected Health Information” will mean Electronic PHI that is not secured through the use of technology or methodology specified by the Secretary in regulations or as otherwise defined in Section 13402(h) of the HITECH Act.
“Electronic Transaction Rule” will mean the standards for processing standard transactions and code sets at 45 CFR Parts 160 and 162.
2.1 Limited Use or Disclosure of PHI. Except as otherwise limited in this BAA, Exela may use or disclose Protected Health Information solely to perform functions, activities, or services for, or on behalf of the Customer as specified in the Agreement, provided that such use or disclosure would not violate (i) the Privacy Rule if done by Customer or (ii) the minimum necessary requirements under the HIPAA Privacy and Security Rules and the policies and procedures of Customer supplied to Exela, and any amendments thereto. To the extent Exela is carrying out one or more of Customer’s obligation(s) subject to the Privacy Rule, Exela will comply with the applicable provisions of the Privacy Rule.
2.2 Subcontractors. Exela will ensure that any agents, including subcontractors, to whom Exela provides PHI that is received from, or created or received by Exela on behalf of Customer, agree to the same restrictions and conditions concerning compliance with the HIPAA Privacy and Security Rules and applicable state laws that apply through this BAA to Exela with respect to such information. Exela will ensure that any agents, including subcontractors, to whom Exela provides electronic PHI that is received from, or created or received by Exela on behalf of Customer, agree to implement reasonable and appropriate safeguards to protect PHI.
2.3 Safeguards. Exela agrees to implement and use appropriate safeguards to prevent the use or disclosure of PHI other than as provided for by this BAA or required by law. In addition, Exela agrees to implement administrative, physical and technical safeguards consistent with the applicable requirements of the Security Rule (including 45 CFR §§ 164.308, 164.310, 164.312, 164.316) that reasonably and appropriately protect the confidentiality, integrity and availability of electronic PHI.
2.4 Mitigation. Exela agrees to mitigate, to the extent practicable, any harmful effect that is known to Exela of a use or disclosure of Protected Health Information by Business Associate in violation of this BAA.
2.5 Notice of Use or Disclosure, Security Incident or Breach.
(a) Exela agrees to notify the Customer of any use or disclosure of PHI by Exela not permitted by this BAA, any Security Incident (as defined in 45 C.F.R. §164.304) involving Electronic PHI, and any breach of Unsecured Protected Health Information without unreasonable delay, but in no case more than 24 hours following discovery of the breach. Exela will provide the following information in such notice to Customer: (i) the identification of each Individual whose Unsecured PHI has been, or is reasonably believed by Exela to have been, accessed, acquired, or disclosed during such breach; (ii) a description of the nature of the breach including the types of unsecured PHI that were involved, the date of the breach and the date of discovery; (iii) a description of the type of Unsecured PHI acquired, accessed, used or disclosed in the breach (e.g., full name, social security number, date of birth, etc.); (iv) the identity (if known) of the person who made and who received the unauthorized acquisition, access, use or disclosure; (v) a description of what Exela is doing to mitigate the damages and protect against future breaches; and (vi) any other details necessary for Customer to assess risk of harm to Individual(s), and steps such Individuals should take to protect themselves.
(b) Customer will be responsible for providing notification to Individuals whose unsecured PHI has been disclosed, as well as to the Secretary and the media, as required by the HITECH Act.
(c) Exela agrees to establish procedures to investigate the breach, mitigate losses, and protect against any future breaches, and to provide a description of these procedures and the specific findings of the investigation to Customer in the time and manner reasonably requested by the Customer.
(d) Upon request by Customer, but no more frequently than twice per year, Exela will provide notice to Customer of the ongoing existence and occurrence of any attempted but unsuccessful event, which, if successful, would constitute a Security Incident, including, but not limited to, pings and other broadcast attacks on Exela’s firewall, port scans, unsuccessful log-on attempts, denials of service, and any combination of the above.
2.6 Access. Exela agrees to provide access, at the request of Customer, and in the time and manner reasonably requested by the Customer, to Protected Health Information in a Designated Record Set, to Customer or, as directed by Customer, to an Individual.
2.7 Amendments. Exela agrees to make any amendment(s), at the written request of Customer or an Individual, and in a reasonable time and manner, to PHI Exela maintains in a Designated Record Set to the extent necessary to enable Customer to meet any requirements under 45 CFR §164.526.
2.8 Disclosure of Practices, Books and Records. Exela agrees to make internal practices, books and records relating to the use and disclosure of Protected Health Information received from, or created or received by Exela on behalf of the Customer, available to Customer or the Secretary in a time and manner designated by the Customer or Secretary, for the purposes of the Secretary in determining the parties’ compliance with HIPAA, the HITECH Act and corresponding regulations.
2.9 Accounting. Exela agrees to document disclosures of PHI and information related to such disclosures to the extent necessary to enable Customer to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 CFR §164.528. Exela agrees to provide to the Customer or an Individual, in a reasonable time and manner following Customer’s written request, information collected in accordance with the preceding paragraph, to the extent necessary to permit Customer to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 CFR §164.528.
2.10 Indemnification. Subject to any limitations on damage contained in the Access Service Agreement, to the extent any Security Incident or breach is attributable to a breach of the obligations under this BAA by Exela, Exela will bear the costs incurred by Customer to the extent it is necessary for Customer to comply with its respective legal obligations relating to such breach under the applicable breach notification statute or regulation, which will include the following costs reasonably incurred in responding to such breach: (i) the cost of preparing and distributing notifications to affected individuals; (ii) the cost of providing notice to government agencies, credit bureaus, and/or other required entities; (iii) the cost of providing affected individuals with credit monitoring services for a specific time period not to exceed twenty four (24) months, or longer if required by law; (iv) the cost of call center support for such affected individuals for a specific period not to exceed sixty (60) days from the date the breach notification is sent to such affected individuals; and (v) the cost of any other measures required under applicable law.
3.1 Effect of Termination.
(a) Upon termination of the Agreement, for any reason, Exela will return or destroy all Protected Health Information received from the Customer, or created or received by Exela on behalf of Customer. This provision will apply to Protected Health Information that is in the possession of subcontractors of Exela. Exela and/or Subcontractor must provide to Customer a Chain of Custody document and a duly authorized and executed Certificate of Destruction specifying the date electronic or physical, was destroyed.
(b) In the event that Exela determines that returning or destroying the Protected Health Information is infeasible, Exela will provide to Customer notification of the conditions that make return or destruction infeasible. Upon mutual agreement of the parties that return or destruction of Protected Health Information is infeasible, Exela will extend the protections of this BAA to such Protected Health Information and limit further uses and disclosures of such Protected Health Information to those purposes that make the return or destruction infeasible, for so long as Exela maintains such Protected Health Information.
(c) In the event that Exela breaches its obligations under this BAA, Customer may, at its option, immediately and unilaterally terminate the Agreement without penalty to Customer, and with or without granting Exela an opportunity to cure the breach. Customer’s remedies under this paragraph and set forth elsewhere in this BAA, or in any other agreement between Customer and Exela, will be cumulative, and the exercise of any remedy will not preclude the exercise of any other.
Any ambiguity in this BAA will be resolved in favor of a meaning that permits Customer to comply with HIPAA or the HITECH Act or any applicable regulations in regard to such laws.