MTM NETWORK PARTICIPATION AGREEMENT
This MTM Network Participation Agreement (the “Agreement”) by and between OUTCOMES INCORPORATED, an IOWA CORPORATION (“Outcomes”) and the accepting party ("Vendor") is entered into effective the date first accepted by Outcomes by virtue of its posting of this agreement electronically on www.outcomesmtm.com and by Vendor by virtue of its authorized representative electronically accepting the terms and conditions of this Agreement and thereby acknowledging his or her acceptance of such terms (the "Effective Date") in order for Vendor to participate in the Outcomes Medication Therapy Management services network.
Outcomes is in the business of Medication Therapy Management Service program administration and provides such administrative service to entities including, but not limited to health plans, insurers and other purchasers of health care services or benefits under Client Agreement(s).
Outcomes has developed a system for the delivery of Medication Therapy Management Services to Members of Clients through entities such as Vendor and other various chain, independent, health system and consultant pharmacists.
Vendor seeks to deliver Medication Therapy Management Services to Members of Clients pursuant to one or more Client Agreements.
Vendor seeks to receive compensation from Outcomes for the delivery of such Medication Therapy Management Services through use of the Outcomes System.
In consideration of the mutual promises, covenants, terms and conditions contained in this Agreement, the parties agree as follows:
ARTICLE I – DEFINITIONS
For purposes of this Agreement, the following terms shall have the meanings set forth below:
1.1 “Client” means an individual or entity that has contracted with Outcomes to obtain MTM on behalf of one or more Member.
1.2 “Client Agreement” means a contractual agreement between Outcomes and a Client to cover payment for MTM delivered to Members in accordance with this Agreement.
1.3 “Medication-related Problem” means a health care issue related to the sub-optimal use of pharmaceuticals and shall include, without limitation, treatment failures, adverse drug reactions, medication errors, medication compliance problems, and cost-efficacy issues.
1.4 “Medication Therapy Management” and “MTM” means the services provided by pharmacists to facilitate the achievement of positive therapeutic and economic results from medication therapy as specifically described in Outcomes Policies & Procedures.
1.5 “Member” and “Members” means a person eligible to receive MTM as notified in writing to Outcomes by Client.
1.6 “MTM Center” means a pharmacy, clinic, office, or other consultant setting designated by Vendor to provide MTM using the Outcomes System pursuant to this Agreement and subject to Outcomes’ approval.
1.7 “MTM Pharmacist” means a pharmacist designated by Vendor to provide MTM using the Outcomes System pursuant to this Agreement and subject to Outcomes’ approval.
1.8 “MTM Provider” means an MTM Pharmacist and/or an MTM Center.
1.9 “Outcomes Policies & Procedures” means the policies and standard procedures for the provision of MTM in the Outcomes System as may be amended by Outcomes from time to time.
1.10 “Outcomes System” means the system developed by Outcomes for the delivery, documentation, billing, administration, advertising, promotion, or sale of MTM, including all copyrights, icons, forms, guides, logos, materials, media, processes, programming, protocols, reports and their format, pricing, data organization, source code, object code, service claims, techniques, trademarks, training and other associated documents or procedures developed by Outcomes.
1.11 “Outcomes Training Program” means instructional course work and curriculum designed and/or designated by Outcomes to train pharmacists and/or other pharmacy personnel on the delivery, documentation, billing, and administration of MTM in the Outcomes System as may be adjusted by Outcomes from time to time.
1.12 “Prescriber” means any person legally authorized to prescribe pharmaceuticals for a Member.
1.13 “Term” means the term of this Agreement as specified in Article V.
1.14 “Vendor/MTM Center” means Vendor and each MTM Center.
ARTICLE II – OUTCOMES OBLIGATIONS
2.1 Access. Outcomes shall provide Vendor/MTM Center with web-based access to necessary portions of the Outcomes System for the sole purpose of documenting and administering the provision of MTM by MTM Providers, excluding reasonable periods
CORP TEMPLATE (2017/02)
of system downtime and disruption of internet service beyond Outcomes’ reasonable control. Such access shall not include internet connectivity, which shall be the responsibility of the Vendor/MTM Center. Outcomes may limit MTM Center access to only specific Members and/or Clients. Outcomes reserves the right to suspend any MTM Provider’s access to the Outcomes System if, in Outcomes’ reasonable discretion, such MTM Provider has failed to comply with this Agreement, any applicable laws or regulations, or Outcomes Policies & Procedures or is otherwise detrimental to Outcomes.
2.2 Warranty. Outcomes represents that it has the right to grant Vendor/MTM Center access to the Outcomes System and that, to the best of its knowledge, neither the Outcomes System, nor Vendor/MTM Center’s use or possession thereof, will violate or infringe any patent, copyright, trade secret or other proprietary right of any third party.
2.3 Contracting. Outcomes represents to Vendor/MTM Center that it has secured a Client Agreement with each Client to cover payment for MTM delivered to Members in accordance with this Agreement. Vendor/MTM Center is a third party beneficiary of such Client Agreements.
2.4 Payment Rates. Outcomes shall compensate Vendor/MTM Center for the provision of MTM delivered to Members in accordance with the rates properly adjudicated within the Outcomes System upon claim approval. Under no circumstances shall Outcomes be required to compensate Vendor/MTM Center for provision of MTM to any person who is not a Member nor for any service which was not provided in accordance with Outcomes Policies and Procedures.
2.5 Payment Cycle. Outcomes shall compensate Vendor/MTM Center for the provision of MTM on no less than a monthly basis with payment distributed no less than fifteen (45) days following the close of each month. Payment will be made by Outcomes to the Vendor/MTM Center using the address information appearing as Accounting Information, as provided to Outcomes by Vendor. To avoid frequent de minimis payments, Outcomes reserves the right to accumulate amounts due until a minimum threshold of fifty dollars ($50) is payable. Upon termination of this Agreement, Outcomes shall compensate Vendor/MTM Center for all outstanding balances without regard to de minimis thresholds herein.
2.6 Limitations. Vendor/MTM Center understands and affirms that Outcomes serves as the payment processor between Client and Vendor/MTM Center for the provision of MTM and that payment for MTM to Vendor/MTM Center is expressly conditioned upon Outcomes’ receipt of funds from the Client. In the event of Client default in payment, Outcomes and Vendor/MTM Center agree to cooperate in good faith to obtain payment in-full from Client for all services rendered. Vendor/MTM Center reserves the right to suspend provision of MTM to any Member for whom Client’s late payment to Outcomes results in deficient payment to Vendor/MTM Center.
2.7 Insurance. Outcomes shall obtain and maintain in effect a program of self-insurance or a policy of insurance from a recognized carrier for general liability coverage purposes in such coverage amounts as is deemed reasonable and customary, or as required by law.
2.8 Technical Support. Outcomes shall maintain technical support as described in the Outcomes Policies & Procedures.
ARTICLE III – VENDOR OBLIGATIONS
3.1 MTM Centers. Vendor shall provide Outcomes with the National Counsel of Prescription Drug Programs (NCPDP) number for the MTM Center it wished to contract under this Agreement. Outcomes reserves the right to remove any MTM Center if, in Outcomes’ reasonable discretion, such MTM Center is detrimental to Outcomes or has failed to comply with this Agreement, any applicable laws or regulations, or Outcomes Policies & Procedures.
3.2 MTM Provision. Vendor/MTM Center shall ensure that only MTM Pharmacists practicing in conjunction with MTM Centers provide MTM pursuant to this Agreement. Vendor/MTM Center shall not subcontract the provision of MTM services without Outcomes’ prior written authorization.
3.3 Staffing. Vendor/MTM Center shall maintain a sufficient number of MTM Pharmacists on duty at each MTM Center, along with sufficient facilities, equipment, and support personnel in order to provide MTM to Members in a timely and appropriate manner.
3.4 Clients. Vendor/MTM Center herein:
(a) authorizes Outcomes to act as its agent to accept all payments from Clients for MTM provided pursuant to this Agreement.
(b) authorizes Outcomes to accept all claims activity reports, remittance reports and other reports from Clients for MTM provided pursuant to this Agreement.
(c) shall accept compensation from Outcomes as payment in-full for MTM provided pursuant to this Agreement, in accordance with the payment rate adjudicated within the Outcomes System upon claim approval.
(d) shall indemnify and hold Clients harmless from any liability resulting from Outcomes’ failure to pay Vendor/MTM Center any amounts already paid by Client to Outcomes for MTM provided pursuant to this Agreement.
(e) shall abide by applicable terms of the Client Agreements that may not be included in this Agreement or the Outcomes Policies & Procedures. In the event Outcomes determines Vendor/MTM Center to be in violation of an applicable term of one or more Client Agreements, Outcomes shall provide notice of such violation to Vendor/MTM Center and the parties hsall either determine a mutually agreeable corrective action plan or proceed with termination in accordance with Article V.
(f) acknowledges and agrees that Client is a third party beneficiary of this Agreement.
CORP TEMPLATE (2017/02)
3.5 Credentials. Vendor/MTM Center shall, at its own expense, maintain all licenses, certifications, permits and other prerequisites required by law to provide MTM pursuant to this Agreement.
3.6 Disclaimers. Vendor/MTM Center acknowledges and agrees that all clinical and therapeutic decisions relating to the provision of MTM shall be the exclusive responsibility of Vendor, MTM Providers, Members, Prescribers and other health care professionals. Neither Outcomes nor Client shall be liable for any acts or omissions of Vendor or any MTM Provider. Neither Outcomes nor Client warrants any aspect, either express or implied, of any MTM provided by any MTM Provider.
3.7 Warranty. Vendor warrants that it has the right to and hereby contracts for services on behalf of MTM Centers whose NCPDP number has been provided to OutcomesMTM by Vendor and binds those MTM Centers to all relevant provisions and obligations herein including, but not limited to, section 6.5 Indemnification. Further, in the event that Vendor provides MTM to Medicare beneficiaries, the additional warranties set forth in Exhibit A shall apply.
3.8 Insurance. Vendor/MTM Center shall obtain and maintain in effect a policy of insurance for general and professional liability coverage purposes from a recognized carrier in such coverage amounts as is deemed reasonable and customary, or as required by law, for similar entities doing business in the state in which Vendor/MTM Center is located. Such coverage shall include no less than the following;
(a) Workers compensation insurance as required by the laws of the state in which work is being performed;
(b) Comprehensive general liability insurance with limits for bodily injury and property damage of $1,000,000 in the aggregate and per occurrence;
(c) Errors and omissions coverage with limits of $3,000,000 per occurrence;
(d) Cyber Liability, including coverage for privacy, in an amount not less than $3,000,000 per occurrence.
Vendor shall provide evidence of insurance, if requested, upon execution of this agreement. Any claims made policy shall be maintained for a minimum of 3 years after the expiration or termination of this agreement.
3.9 Vendor Administrator. Vendor/MTM Center shall at all times designate one or more Vendor Administrators. In the event an unauthorized individual gains access to protected health information, Vendor/MTM Center shall indemnify and hold Clients and Outcomes harmless from any liability resulting from any breached information.
3.10 Policies and Procedures. Vendor/MTM Center shall abide by the policies and procedures set forth in Outcomes Policies & Procedures.
3.11 Activity. Outcomes reserves the right to monitor and record all activity of any person using the Outcomes System.
3.1 Reporting. Vendor/MTM Center shall notify Outcomes in writing of (1) any unauthorized use or disclosure of Protected Health Information not permitted by this Agreement, including Breaches of Unsecured Protected Health Information as required by 45 C.F.R. Section 410; and (2) any Security Incident, without unreasonable delay and in no case later than 10 calendar days after discovery [45 U.S.C. Section 17921; 45 C.F.R. Section 164.410; 45 C.F.R. Section 164.504(e)(2)(ii)(C); 45 C.F.R. 314(a)(2)(i)(C)].
ARTICLE IV – CONFIDENTIALITY
4.1 Confidential Information. Except to the extent explicitly allowed under the terms of this Agreement, the parties hereto:
(a) agree to keep in confidence during the Term of this Agreement and subsequent thereto all eligibility, financial, and other information identified by a Party as proprietary (“Confidential Information”).
(b) shall not disclose to third parties or use such Confidential Information other than as needed to fulfill its obligations under this Agreement, except as otherwise specifically authorized in writing by the other Party or as required by law.
Information in the public domain on the effective date of this Agreement or subsequently entering the public domain without breach by any of the parties is not Confidential Information.
4.2 Proprietary Nature of Outcomes System. Vendor/MTM Center acknowledges that the Outcomes System, Outcomes Policies & Procedures, and Outcomes Training Program (including, without limitation, the System and all rights associated with trade secrets, copyrights, trade names, service marks and trademarks related thereto) as well as improvements, developments, derivatives or modifications to the Outcomes System (whether made by Outcomes or Vendor/MTM Center) constitutes Confidential Information and valuable proprietary assets of Outcomes, and that this Agreement shall not and does not provide the Vendor/MTM Center with any ownership interest therein, whether as a licensee or otherwise. Vendor/MTM Center and its respective employees, agents and representatives shall hold all information and material relating to the Outcomes System in confidence with the exception of information and material in the public domain on the effective date of this Agreement or subsequently entering the public domain without breach by Vendor/MTM Center. Further, Vendor/MTM Center agrees not to use for its own or another’s benefit or to reveal any such information and material to any other person or entity except for uses explicitly authorized hereunder during the Term of this Agreement. This obligation shall survive the termination of this Agreement.
CORP TEMPLATE (2017/02)
4.3 Reverse Engineering. Except as expressly permitted in the Agreement, Vendor/MTM Center shall not directly or indirectly do any of the following: (a) access, use, sell, distribute, sublicense, broadcast, or commercially exploit the Outcomes System or any rights under the Agreement, including, without limitation, any access or use of the Outcomes System on a service bureau basis or for any Vendor/MTM Center processing services beyond the scope specified in this Agreement (such as for any third parties on a rental or sharing basis); (b) knowingly introduce any infringing, obscene, libelous, or otherwise unlawful data or material into the System; (c) copy, modify, or prepare derivative works based on the Outcomes System; (d) reverse engineer, decompile, disassemble, or attempt to derive source code from the Outcomes System; or (e) remove, obscure, or alter any intellectual property right or confidentiality notices or legends appearing in or on any aspect of the Outcomes System.
4.4 Equitable Relief. Vendor/MTM Center acknowledges the value of Outcomes' proprietary rights and the irreparable injury that would result from violation of the provisions of Section 4.2 and 4.3. Accordingly, Vendor/MTM Center agrees that Outcomes shall be entitled to seek injunctive or other equitable relief to prevent the threatened or further actual breach of Section 4.2 and 4.3.
4.5 Return of Confidential Information. Promptly upon the termination of this Agreement, Vendor/MTM Center shall return to Outcomes all of Outcomes' confidential information and materials and all copies of such information and materials, if any, in its possession.
4.6 Vendor Protection. Outcomes shall not use any name, trademark, service mark, trade name or other commercial or product designation belonging to Vendor/MTM Center without the prior written consent of Vendor in each instance, except for use in the routine course of business, which may include, but not necessarily be limited to, Client reporting, network management, and publication of directories.
4.7 Survival. The obligations of this Article IV shall survive the termination of this agreement.
ARTICLE V – TERM AND TERMINATION
5.1 The Term of this Agreement shall commence as of the Effective Date and shall continue until terminated by either Outcomes or Vendor, at any time, with or without cause, upon 30 days written notice to the other party.
ARTICLE VI – GENERAL PROVISIONS
6.1 Audit. Outcomes or its designee, which may include but not necessarily be limited to, the Centers for Medicare and Medicaid Services (CMS), US Department of Health and Human Services (HHS), US Comptroller General, or Client shall retain rights to reasonably audit for the Term and a period of ten (10) years from the termination of this Agreement any pertinent contracts, books, documents, papers, and records of Vendor/MTM Center that pertain to any aspect of the Vendor’s/MTM Center’s duties or obligations under this Agreement. Vendor/MTM Center agrees to maintain such records for the period contemplated and make them available for inspection and audit upon ten (10) days written notice.
6.2 Counterparts. This Agreement or any addendum or amendment to this Agreement may be executed in counterparts, all of which taken together shall be deemed one original agreement, and shall be binding upon the parties hereto notwithstanding that all parties hereto are not signatory to the same counterpart.
6.3 Exclusivity. This Agreement is not exclusive and nothing herein shall be construed to prohibit the parties hereto from entering into similar agreements with other parties.
6.4 Gender and Number. Whenever used in this Agreement and as required by context, the masculine gender includes the feminine and/or neuter, and the singular number includes the plural.
6.5 Indemnification. The parties hereto agree to indemnify and hold the other party harmless from and against any claims, damages, losses, liabilities and expenses, including court costs and reasonable attorneys' fees, incurred by the other party to the extent that such claims, damages, losses, liabilities or expenses arise out of or are based upon the indemnifying party's gross negligence or willful misconduct in the performance of such indemnifying party's duties under this Agreement. These indemnification obligations shall survive termination of the Agreement.
6.6 Independent Contractors. Nothing in this Agreement shall create or be deemed or construed to create any relationship between the parties other than that of independent entities contracting with each other solely for the purpose of effecting the provisions of this Agreement. Neither the parties, nor any of their respective representatives, shall be construed to be the agent, employee, or representative of the other, nor shall any of the foregoing parties have any express or implied right or authority to assume or create any obligation or responsibility on behalf of or in the name of the other.
6.7 Jurisdiction. This Agreement is intentionally silent with regard to jurisdiction and venue and shall be governed in accordance with conflict of law provisions.
6.8 Laws and Regulations. The parties shall comply with all federal, state and local laws, rules, and regulations which are applicable to carrying out its obligations under this Agreement. In the event it is determined by any governmental agency that any regulatory license or approval of this Agreement or any activity undertaken by the parties under this Agreement's terms and conditions is required, then the parties:
(a) shall be bound by and govern themselves in accordance with the requirements of the regulating entities unless and to the extent that the parties challenge such requirements, and
(b) agree to cooperate and assist one another in obtaining such license and complying with such approvals and to modify this Agreement to the extent necessary to accommodate any such license or approvals.
CORP TEMPLATE (2017/02)
6.9 Equal Opportunity. As applicable, each party and its subcontractors shall abide by the requirements of 41 CFR 60-300.5(a) and 60-741.5(a). These regulations prohibit discrimination against qualified individuals on the basis of protected veteran status or disability, and require affirmative action by covered prime contractors (as that term is defined in 41 CFR 60-300.2(p)) and subcontractors to employ and advance in employment qualified protected veterans and individuals with disabilities.
6.10 HIPAA. Both parties warrant they are familiar with requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its accompanying regulations, and will comply with all applicable HIPAA requirements in the course of this contract. Both parties warrant they will cooperate with either party in the course of performance and coordination with either party’s privacy officials and other documents that are necessary to keep both parties in compliance with HIPAA, including but not limited to the Business Associate Addendum (attached hereto as Exhibit B), which both parties agree to execute contemporaneous with this Agreement.
6.11 Notices. Any notice required or permitted hereunder shall be made in writing by certified mail, return receipt requested, addressed to the parties as hereinafter specified. For administrative simplification, such correspondence may alternatively be sent via regular mail, facsimile, electronic mail, or other manner; provided a voluntary, non-automated receipt confirmation is generated from receiving party.
If to Outcomes: OUTCOMES INCORPORATED
ATTENTION: LEGAL DEPARTMENT
505 MARKET STREET, SUITE 200
WEST DES MOINES, IA 50266-3861
ELECTRONIC MAIL: firstname.lastname@example.org
6.11 Section Headings. The section headings used in this Agreement have been inserted for convenience of reference only and shall not in any way modify or restrict any of its terms or provisions.
6.12 Severability. In the event one or more of the provisions contained in this Agreement are declared invalid, illegal, or unenforceable in any respect, the validity, legality, and enforceability of the remaining provisions shall not in any way be impaired thereby unless the effect of such invalidity is to substantially impair or undermine any of the party's rights and benefits hereunder.
6.13 Waiver. The failure of any party hereto to insist in any one or more instances upon performance of any terms or conditions of this Agreement shall not be construed as a waiver of future performance of any such term, covenant, or condition and the obligations of such party with respect thereto shall continue in full force and effect.
6.14 Replacement. This Agreement supersedes all prior agreements between the parties with respect to its subject matter and constitutes (along with the Exhibits referenced herein) a complete and exclusive statement of the terms of the agreement between the parties with respect to its subject matter.
IN WITNESS WHEREOF, the parties hereto have caused this Agreement to be executed by their authorized representatives as of the Effective Date.
CORP TEMPLATE (2017/02)
EXHIBIT A – MEDICARE BENEFICIARY ADDITIONAL WARRANTIES
In the event that Vendor provides MTM to Medicare beneficiaries, Vendor warrants (and agrees to attest upon Outcomes’ request) the following with respect to any provision of MTM to Medicare beneficiaries:
(a) Vendor’s MTM Providers, employees, governing body members, officers and directors complete HIPAA/HITECH training within the first ninety (90) days of employment/contracting, and annually thereafter;
(b) Vendor’s MTM Providers, employees, governing body members, officers and directors complete the standardized general CMS compliance and Fraud, Waste and Abuse (“FWA”) training and education module developed by the Centers for Medicare & Medicaid Services (“CMS”) within the first ninety (90) days of employment/contracting, and annually thereafter;
(c) Vendor has adopted an effective compliance program which includes, at a minimum, written policies, procedures, and standards of conduct that articulate the Vendor’s commitment to comply with all applicable federal and state laws; a conflict of interest reporting and review process; designation of a compliance officer and compliance committee; a process to communicate compliance related requirements to MTM Providers, governing body members, officers and directors; a process for individuals and downstream entities to report suspected FWA and compliance issues; a policy that protects individuals and downstream entities from retaliation when reporting suspected compliance and FWA issues; widely-publicized disciplinary standards; a process for identifying and monitoring compliance and FWA risks; and a policy requiring prompt response and correction to detected compliance issues;
(d) Vendor has implemented policies and procedures to document the review of the Office of Inspector General (“OIG”), General Services Administration (“GSA”) and Systems Award Management (“SAM”) exclusion lists prior to initial hire/contracting and monthly thereafter to ensure that all of Vendor’s downstream entities (including their employees, officers and governing body directors) and Vendor employees, including managers, officers, and governing body directors responsible for administering or delivering Medicare Part D or Medicare Advantage services are not excluded from participating in federally funded healthcare programs according to the OIG and GSA exclusion lists. Vendor further warrants that Vendor will promptly remove from providing such services on behalf of Outcomes any of Vendor’s MTM Providers or employees and/or any of Vendor’s downstream entities or their employees that are excluded from participating in federally funded healthcare programs according to these exclusion lists;
(e) Vendor agrees to report compliance or FWA concerns to Outcomes, CMS or the Client. Reporting should occur within five (5) business days of discovery; if there is an immediate impact to beneficiary access to care and/or a financial strain, please report immediately but at least within twenty-four (24) hours. Outcomes and the Client has a no-tolerance policy for retaliation or retribution against any employee or Vendor for good-faith reporting of FWA.
(f) Vendor (including Vendor’s employees and MTM Providers performing Part D or Medicare Advantage services relative to a Part D Plan Sponsor or Medicare Advantage Organization) agrees to read and comply with any written compliance policies and procedures and standards of conduct made available by Outcomes, or comparable policies, procedures, or standards of conduct of its own that meet applicable CMS requirements;
(g) Vendor has implemented written record retention policies and procedures to ensure that any documents, books and records that substantiate compliance with this attestation or related to Entity’s performance of its obligations as a provider of Medicare Part D or Medicare Advantage services are retained for a period of at least ten (10) years and Vendor will provide CMS, or its designee with access to such records if requested; and
Vendor warrants that neither Vendor nor any downstream or related entity utilized by Vendor to provide MTM to Medicare beneficiaries on behalf of Outcomes utilizes an offshore vendor and/or subcontractor to provide said services. Vendor further attests that neither Vendor nor any downstream or related entity utilized by Vendor provides protected health information or “PHI” (as such term is defined at 45 C.F.R. §160.103) of a Medicare beneficiary to any offshore vendor and/or subcontractor. For the purposes of this attestation, the term “offshore” shall refer to any country that is not one of the fifty United States or one of the following United States Territories: American Samoa, Guam, Northern Marianas, Puerto Rico and the Virgin Islands.
CORP TEMPLATE (2017/02)
EXHIBIT B – BUSINESS ASSOCIATE ADDENDUM
This Business Associate Addendum (“Addendum”) supplements and is made a part of the Agreement by and between Vendor and Outcomes.
Capitalized terms used, but not otherwise defined, in this Addendum shall have the respective meanings assigned to such terms by the Administrative Simplification section of the Health Insurance Portability and Accountability Act of 1996, the Health Information Technology for Economic and Clinical Health Act and their implementing regulations as amended from time to time (collectively, “HIPAA”).
Vendor is a Covered Entity. In the performance of the Agreement entered into between Outcomes and Covered Entity before, on, or after the date of this Addendum, Outcomes may receive Protected Health Information from or on behalf of Covered Entity (“PHI”). The parties acknowledge and agree that Covered Entity is a “Covered Entity” under HIPAA. This Addendum is only applicable to Outcomes to the extent that Outcomes functions as a business associate (as defined under 45 C.F.R. § 160.103) in providing services to, or on behalf of, Covered Entity. In accordance with the foregoing, the Parties’ rights and obligations under this Addendum shall have no force or effect unless, and until such time as, Outcomes is a business associate of Covered Entity in accordance with HIPAA. Subject to the foregoing, Outcomes and Covered Entity agree as follows:
D.1 Permitted Uses and Disclosures of PHI.
(a) Except as otherwise limited in this Addendum, Outcomes may use or disclose PHI to perform functions, activities, or services for, or on behalf of, the Covered Entity as specified in the Agreement, provided that such use or disclosure would not violate HIPAA if done by the Covered Entity.
(b) Outcomes may also use and/or disclose PHI for the following purposes:
(i) Outcomes may use PHI for Outcomes’ proper management and administration or to carry out its legal responsibilities.
(ii) Outcomes may disclose PHI for the proper management and administration of Outcomes, provided that disclosures are Required By Law (as that term is defined under 45 C.F.R. §164.103), or Outcomes obtains reasonable assurances from the third party to whom the information is disclosed that such third party shall: (1) protect the confidentiality of the PHI; (2) use or further disclose the PHI only as Required By Law or for the purpose for which it was disclosed to the person; and (3) notify Outcomes of any instances of which it is aware in which the confidentiality of the PHI has been breached.
(iii) Outcomes may “de-identify” PHI in accordance with 45 CFR §164.514 or create a Limited Data Set and use or disclose: (1) “de-identified” information in a manner consistent with and permitted by HIPAA; and (2) Limited Data Set information in a manner consistent with and permitted by HIPAA subject to a separate “Data Use Agreement” to be entered into by the parties.
(iv) Outcomes may use PHI to provide Data Aggregation services related to the Health Care Operations of the Covered Entity.
D.2 Protection of PHI. Outcomes shall use reasonable and appropriate safeguards to prevent use or disclosure of the PHI other than as permitted by this Addendum.
D.3 Reporting and Mitigation. Outcomes shall take reasonable steps to mitigate, to the extent practicable, any harmful effect that is known to Outcomes of a use or disclosure of PHI by Outcomes in violation of this Addendum. If Outcomes becomes aware of a use or disclosure of PHI in violation of this Addendum by Outcomes or by a third party to which Outcomes disclosed PHI, Outcomes shall report any such use or disclosure to Covered Entity without unreasonable delay. Outcomes shall, following the discovery of a breach of Unsecured PHI, notify Covered Entity of the Breach in accordance with 45 C.F.R. §164.410 without unreasonable delay and in no case later than 60 days after discovery of the Breach.
D.4 Minimum Necessary Standard. To the extent required by the “minimum necessary” requirements of HIPAA, Outcomes shall only request, use and disclose the minimum amount of PHI necessary to accomplish the purpose of the request, use or disclosure. Covered Entity represents that, to the extent Covered Entity provides PHI to Outcomes, such information is the minimum necessary PHI for the accomplishment of Outcomes’ purpose.
D.5 Subcontractors. Except as otherwise permitted by Section 1(b)(ii) above, Outcomes shall enter into a written agreement meeting the requirements of 45 C.F.R. §§ 164.504(e) and 164.314(a)(2) with each Subcontractor (including, without limitation, a Subcontractor that is an agent under applicable law) that creates, receives, maintains or transmits PHI on behalf of Outcomes. Outcomes shall ensure that the written agreement with each Subcontractor obligates the Subcontractor to comply with restrictions and conditions that are at least as restrictive as the restrictions and conditions that apply to Outcomes under this Addendum.
D.6 Availability of Books and Records. Outcomes shall make Outcomes’ internal practices, books, and records relating the use and disclosure of PHI received from, or created or received by Outcomes on behalf of, Covered Entity available to the Secretary, in a reasonable time and manner, for purposes of the Secretary determining Covered Entity’s and Outcomes’ compliance with HIPAA.
D.7 Documentation of Disclosures. Outcomes shall document such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures PHI in accordance with 45 C.F.R. §164.528.
D.8 Accounting of Disclosures. Within fifteen (15) business days of notice by Covered Entity to Outcomes that it has received a request for an accounting of disclosures of PHI (other than disclosures to which an exception to the accounting requirement applies), Outcomes shall make available to Covered Entity such information as is in Outcomes’ possession and is required for Covered Entity
CORP TEMPLATE (2017/02)
to make the accounting required by 45 C.F.R. §164.528. If Outcomes receives a request directly from an individual pursuant to 45 C.F.R. §164.528 it shall, within ten (10) business days, forward such accounting request to Covered Entity.
D.9 Access to Information. Within fifteen (15) business days of a request by Covered Entity for access to PHI about an Individual contained in any Designated Record Set of Covered Entity and maintained by Outcomes, Outcomes shall make available to Covered Entity such PHI for so long as Outcomes maintains such information in the Designated Record Set. If Outcomes receives a request for access to PHI directly from an Individual, Outcomes shall forward such request to Covered Entity within ten (10) business days. Covered Entity shall be solely responsible for making determinations with respect to the provision of access to the individual of such PHI and/or denial of the same (including the creation and/or maintenance of any notifications and/or documents in connection therewith).
D.10 Availability of PHI for Amendment. Within fifteen (15) business days of receipt of a request from Covered Entity for the amendment of an Individual’s PHI contained in any Designated Record Set of Covered Entity maintained by Outcomes, Outcomes shall provide such information to Covered Entity for amendment and incorporate any such amendments in the PHI (for so long as Outcomes maintains such information in the Designated Record Set) as required by 45 C.F.R. §164.526. If the Covered Entity denies an individual’s request to amend such PHI, Outcomes shall incorporate into the PHI any of the statements and/or documents that the Covered Entity has created or received with respect to such denial; provided that, the Covered Entity has provided Outcomes with a copy of such statement and/or documents. If Outcomes receives a request for amendment to PHI directly from an Individual, Outcomes shall forward such request to Covered Entity within ten (10) business days. Covered Entity shall be solely responsible for making determinations with respect to the amendment of such PHI pursuant to an individual’s request and/or the denial of such request (including the creation and/or maintenance of any notification and/or creation of documents in connection therewith).
D.11 Electronic PHI/Security Obligations.
(a) For purposes of this Agreement, “Electronic PHI” shall have the same meaning as “Electronic Protected Health Information” as that term is defined by HIPAA within 45 CFR § 160.103. Specifically, Electronic PHI shall include PHI that is transmitted by Electronic Media (as defined by HIPAA within 45 CFR § 160.103), or that is maintained in Electronic Media. In addition, for purposes of this Addendum, “Security Incident” shall have the same meaning as that term is defined by HIPAA within 45 CFR § 164.304. (i.e., “the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with the system operations in an information system”).
(b) Outcomes shall implement Administrative Safeguards, Physical Safeguards and Technical Safeguards that reasonably and appropriately protect the Confidentiality, Integrity and Availability of any Electronic PHI that it creates, receives, maintains or transmits on behalf of Covered Entity as required by HIPAA. Outcomes shall comply with the HIPAA Security Rule (i.e., 45 C.F.R. Part 160 and Subparts A and C of Part 164).
(c) Outcomes shall report to Covered Entity any Security Incident of which if becomes aware in the following time and manner: (i) any actual, successful Security Incident will be reported to Covered Entity in writing, within ten (10) business days of the date on which Outcomes first becomes aware of such Security Incident, and (ii) any attempted, but unsuccessful Security Incident of which Outcomes becomes aware will be reported to Covered Entity orally or in writing upon the written reasonable request of Covered Entity. If the HIPAA Security Regulations are amended to remove the requirement to report unsuccessful attempts at unauthorized access, the requirement to report such unsuccessful attempts shall no longer apply as of the effective date of that amendment.
D.12 Obligations of Covered Entity.
(a) Covered Entity shall not request that Outcomes use or disclose PHI in any manner that would not be permissible under HIPAA if done directly by Covered Entity.
(b) Covered Entity warrants that it has obtained and will obtain any consents, authorizations and/or other legal permissions required under HIPAA and other applicable law for the disclosure of PHI to Outcomes. Covered Entity shall notify Outcomes of any changes in, or revocation of, the permission by an Individual to use or disclose his or her PHI, to the extent that such changes may affect Outcomes’ use or disclosure of PHI. Covered Entity shall not agree to any restriction on the use or disclosure of PHI under 45 CFR § 164.522 that restricts Outcomes’ use or disclosure of PHI under this Addendum unless such restriction is Required By Law or Outcomes grants its written consent, which consent shall not be unreasonably withheld.
(c) Except as Required By Law, with Outcomes’ consent, or as set forth in the Agreement or this Addendum, Covered Entity shall not include any limitation in the Covered Entity’s notice of privacy practices that limits Outcomes’ use or disclosure of PHI under the Agreement.
D.13 Term. The term of this Addendum (the “Term”) shall be effective as of the Effective Date, and shall terminate when all of the PHI provided by Covered Entity to Outcomes, or created or received by Outcomes on behalf of Covered Entity, is destroyed or returned to Covered Entity. If it is infeasible to return or destroy any such PHI Outcomes agrees to extend the terms of this Addendum, and the protections afforded hereby, to such information, in accordance with the provisions in Section 15 of this Addendum.
D.14 Termination Upon Breach of Provisions Applicable to PHI. Any other provision of the Agreement notwithstanding, the Agreement and this Addendum may be terminated by either party (the “Non-Breaching Party”) upon 30 days written notice to the other party (the “Breaching Party”) in the event that the Breaching Party materially breaches any provision contained in this Addendum in any material respect and such breach is not cured within such 30-day period.
D.15 Return or Destruction of Health Information. Upon termination of this Addendum, for any reason, Outcomes shall return or destroy all PHI received from Covered Entity or created or received by Outcomes on behalf of Covered Entity and which Outcomes still maintains in any form. This provision shall apply to all such PHI in the possession of Subcontractors or agents of Outcomes. Notwithstanding the forgoing, if Outcomes determines that returning or destroying such PHI is infeasible, then Outcomes shall provide to Covered Entity notification of the conditions that make return or destruction infeasible, which may include without limitation, the need for Outcomes to retain such information for purposes of audits by by the Centers for Medicare and Medicaid Services (CMS). Upon mutual agreement that return or destruction of PHI is infeasible, such agreement not to be unreasonably
CORP TEMPLATE (2017/02)
withheld, Outcomes shall extend the protections of this Addendum to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long Outcomes maintains such PHI.
D.16 HIPAA Amendments. The parties acknowledge and agree that the Health Information Technology for Economic and Clinical Health Act and its implementing regulations impose requirements with respect to privacy, security and breach notification applicable to Business Associates (collectively, the “HITECH BA Provisions”). The HITECH BA Provisions and any other future amendments to HIPAA affecting Business Associate agreements are hereby incorporated by reference into this Addendum as if set forth in this Addendum in their entirety, effective on the later of the Effective Date of this Addendum or such subsequent date as may be specified by HIPAA.
D.17 No Third Party Beneficiaries. The parties have not created and do not intend to create by this Addendum any third party rights, including, but not limited to, third party rights for patients.
D.18 Interpretation. Any ambiguity in this Addendum shall be resolved in favor of a meaning that permits Covered Entity and Outcomes to comply with the HIPAA.
IN WITNESS WHEREOF, the parties hereto have caused this Agreement to be executed by their authorized representatives as of the Effective Date.