Business Associate Terms
Mingle Healthcare Solutions, Inc.
Business Associate Terms
Last Updated: August 31, 2018
These Business Associate Terms (“Business Associate Terms”) are a binding legal agreement between you (“Covered Entity”, “you” or “your”) and Mingle Healthcare Solutions, Inc. (“Mingle”, “we” or “us”). Mingle operates the previously separate businesses known as SilverVue and Mingle Analytics. You have agreed to the Terms of Service (the “Terms of Service”) regarding your use of Check™ and MIPS Solutions™ and our other services accessible via www.minglehealth.com and other websites on which these Business Associate Terms are posted (collectively, the “Services”), and pursuant to which Mingle may be considered a “business associate” of Covered Entity.
We may periodically make changes to these Business Associate Terms. By using the Services, you accept these Business Associate Terms and any modifications that we may make to these Business Associate Terms. You are responsible for reviewing these Business Associate Terms regularly to stay informed of any changes. If you continue to use the Services after the effective date of any modification to these Business Associate Terms, you agree to be bound by them as of the date of the modification. IF YOU DO NOT AGREE TO THESE TERMS, YOU MUST CEASE USING THE SERVICES.
Given that the provision of Services to Covered Entity may involve the use and disclosure of PHI (defined below), the parties desire to ensure that their respective rights and responsibilities under the Terms of Service reflect applicable federal statutory and regulatory requirements relating to the access, use, and disclosure of health information, including, the Standards for Privacy of Individually Identifiable Health Information, and the Security Standards, collectively codified at 45 C.F.R. Parts 160, 162, and 164 (respectively the “Privacy Standards” and “Security Standards” ) under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), and Subtitle D of the American Recovery and Reinvestment Act of 2009 (the “HITECH Act”), as each may be amended from time to time.
Accordingly, for good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, Covered Entity and Mingle agree as follows:
1. Definitions. Capitalized terms not otherwise defined herein will have the meaning as defined in the Privacy or Security Standards and corresponding official materials published, issued, or promulgated by the Secretary of the Department of Health and Human Services. For purposes of these Business Associate Terms:
a. “Affiliates” means, with respect to a party, any legal entity that is Owned by, Owns, or is under common Ownership with, such party. “Owned”, “Owns” and “Ownership” mean more than 50% ownership.
b. “Protected Health Information” and “PHI” has the same meaning as the term "PHI" in 45 C.F.R. § 160.103, limited to the information received by Mingle from Covered Entity, or created, maintained, or received by Mingle on behalf of Covered Entity, that is either labeled "PHI" or that a reasonable person would understand to be "PHI". All references to Protected Health Information and PHI will be deemed to include Electronic PHI.
c. “Security Incident” shall mean the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system. This term shall not include trivial incidents that occur on a daily basis, such as scans, “pings,” or unsuccessful attempts to penetrate computer networks or servers maintained by Mingle. The term shall be limited to such incidents involving PHI or information systems containing electronic PHI.
2. Mingle’s Obligations
a. Use and Disclosure of PHI. Mingle may use and disclose PHI as required to satisfy its obligations under the Terms of Service, as permitted herein, or required by law. Mingle will use or disclose PHI received from Covered Entity only in connection with providing services to Covered Entity; provided that Mingle may also use and disclose PHI (i) for Mingle’s proper management and administration (including improving its services), (ii) to carry out the legal responsibilities of Mingle, (iii) to provide data aggregation services relating to the health care operations of Covered Entity, or (iv) to create de-identified information consistent with the standards set forth at 45 CFR §164.514; and further provided, that disclosures of PHI for Mingle’s own management and administration or to carry out Mingle’s legal responsibilities will be made only if the disclosures are required by law, or Mingle obtains reasonable assurances from the person to whom the information is disclosed that the information will remain confidential and used or further disclosed only as required by law or for the purposes for which it was disclosed to the person, and the person notifies Mingle of any instances of which it becomes aware in which the confidentiality of the information has been breached.
b. HITECH Act. In respect of Mingle’s use and disclosure of PHI, Mingle will comply with all requirements of the HITECH Act that relate to security or privacy and that the HITECH Act makes applicable to covered entities, and all such requirements are incorporated into these Business Associate Terms by reference for such purposes.
c. Safeguards Against Misuse of Information.
i. Mingle will use appropriate safeguards to prevent use or disclosure of the PHI other than as provided for by these Business Associate Terms and will comply with the Security Standards with respect to Electronic PHI.
ii. To the extent that Mingle is to carry out one or more obligations of the Covered Entity under the Privacy Standards, Mingle will comply with the requirements of the Privacy Standards that apply to the Covered Entity in the performance of such obligation(s).
iii. Mingle will implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the Electronic PHI that it creates, receives, maintains, or transmits on behalf of the Covered Entity as required by 45 CFR 164.314, and Mingle will document and keep these security measures current.
iv. For purposes of this Section 2(c), the parties agree that “agents” and “subcontractors” do not include any service provider to Mingle with respect to any services that would not make such entity a Business Associate, as such term is defined in Privacy Standards.
d. Reporting of Disclosures of PHI. Mingle will report to Covered Entity any use or disclosure of PHI in violation of these Business Associate Terms of which it becomes aware, including Breaches of Unsecured PHI and any Security Incident of which it becomes aware.
e. Agreements by Third Parties. Mingle will require that any subcontractors that create, receive, maintain, or transmit PHI on behalf of Mingle agree to the same restrictions, conditions, and requirements that apply to Mingle with respect to such PHI.
f. Access to Information. Upon receipt of a request by Covered Entity for access to PHI about an individual contained in a Designated Record Set, Mingle will make available to Covered Entity such PHI as necessary for the Covered Entity to comply with 45 C.F.R. § 164.524. In the event any individual directly requests Mingle to provide access, amend, or provide an accounting of disclosures of, PHI, Mingle will forward such request to Covered Entity.
g. Availability of PHI for Amendment. Upon receipt of a request from Covered Entity for the amendment of an individual’s PHI or a record regarding an individual contained in a Designated Record Set, Mingle will provide such information to Covered Entity for amendment and/or incorporate any such amendments in the PHI as necessary for the Covered Entity to comply with 45 C.F.R. § 164.526.
h. Accounting of Disclosures. Mingle will make available to Covered Entity the information in Mingle’s possession as necessary for Covered Entity to comply with 45 C.F.R. § 164.528.
i. Availability of Books and Records. Mingle will make its internal practices, books, and records relating to the use and disclosure of PHI received from, or created or received by Mingle on behalf of, Covered Entity available to the Secretary of the Department of Health and Human Services, upon request, for purposes of determining Covered Entity’s compliance with the Privacy Standards or Security Standards.
3. Obligations of Covered Entity
a. Limitation. Covered Entity will not request that Mingle use or disclose PHI in any manner that would not be permissible under the Privacy Standards or the Security Standards if done directly by Covered Entity, except as otherwise permitted under Paragraph 2(a) of these Business Associate Terms.
b. Special Limitations and Restrictions. Covered Entity will notify Mingle of any limitation(s) in the notice of privacy practices of Covered Entity under 45 C.F.R. § 164.520; any changes in, or revocation of, the permission by an individual to use or disclose his or her PHI; and any restriction on the use or disclosure of PHI that Covered Entity has agreed to or is required to abide by under 45 C.F.R. § 164.522, to the extent that such limitation, changes, revocation, or restriction may affect Mingle’s use or disclosure of PHI.
c. Minimum Necessary. Covered Entity represents that, to the extent Covered Entity provided PHI to Mingle, such PHI is the minimum necessary PHI for the accomplishment of Mingle’s purposes.
d. Consents. Covered Entity represents that, to the extent Covered Entity provided PHI to Mingle, Covered Entity has obtained the consents, authorizations and/or other forms of legal permission required under Privacy Standards and other applicable laws.
a. Term. The Term of these Business Associate Terms will commence when Covered Entity begins using the Services and will terminate upon the termination or expiration of the Terms of Service or use of the Services, or the date terminated under this Section 4 of these Business Associate Terms, whichever is sooner.
b. Termination upon Breach of Provisions Applicable to PHI. In the event of an actual material breach of these Business Associate Terms that has not been cured within 30 business days of Mingle’s receipt of written notice specifying the nature or circumstances of the alleged breach, the Terms of Service may be terminated by Covered Entity upon an additional 30 business days written notice to Mingle.
c. Effect of Termination. In the event of termination or expiration of the Terms of Service or use of the Services, these Business Associate Terms will terminate subject to Mingle’s duty to return or destroy PHI as set forth in Section 4(d) below.
d. Return or Destruction of PHI upon Termination. Upon termination of these Business Associate Terms, Mingle will either return or destroy all PHI in Mingle’s possession, and Mingle will not retain any copies of destroyed PHI. If return or destruction of PHI is infeasible or if it necessary for Mingle to retain PHI for Mingle’s own management and administration or to carry out Mingle’s legal responsibilities, Mingle will provide written notice to Covered Entity describing such conditions or necessity , and Mingle will extend the protections of these Business Associate Terms to such PHI, limit further uses and disclosures thereof to those purposes for which the PHI was retained, for so long as Mingle maintains such PHI, and return to Covered Entity or destroy such PHI when the reasons for retaining such PHI no longer exist.
e. Survival. The obligations of the parties under this Section 4 will survive the termination of these Business Associate Terms.
5. General Provisions
b. Amendment. The parties acknowledge that state and federal laws relating to electronic data security and privacy are rapidly evolving and that amendment of these Business Associate Terms may be required to ensure compliance with such developments. We may revise these Business Associate Terms from time to time and the most current version will always be posted on our website. Changes take effect upon posting. If a revision, in our sole discretion, is material we will notify you (for example via email to the email address associated with your account). By continuing to access or use the Services after revisions become effective, you agree to be bound by the revised Business Associate Terms. If you do not agree to the new terms, you must discontinue your use of the Services.
c. Questions. If you have any questions related to these Business Associate Terms, please use our Contact Legal form and put “Business Associate Terms Inquiry” into the subject line of your message.