This Agreement is entered into by and between Customer and ISC INTERNATIONAL LIMITED (“ISC”) to set forth the terms and conditions under which protected health information, referred to herein as PHI, as defined by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and Regulations enacted thereunder, received by ISC on behalf of Customer may be used or disclosed.
This Agreement shall commence on the date it is executed by an authorized representative of ISC and the obligations herein shall continue in effect so long as ISC provides Customer with electronic messaging services or otherwise possesses any protected health information received on behalf of Customer and until all protected health information received by ISC on behalf of Customer is destroyed or removed, whichever event is last to occur.
- Customer and ISC hereby agree that the services provided by ISC to Customer consist exclusively of electronic messaging services and that in the course of providing the messaging services ISC does not create, modify, disclose, or use Protected Health Information (PHI). The parties acknowledge that the role of ISC with respect to PHI or any other information or data sent through ISC’s network is that of a conduit wherein Customer sends information or data through ISC’s network to third parties or Customer’s employees and wherein Customer receives information through ISC’s network from third parties or Customer’s employees. In the course of providing the messaging services ISC is not aware of whether or not a message contains PHI. In that ISC is a conduit messaging service, the parties understand and agree that ISC may not be a Business Associate as that term is defined and used by HIPAA. In any event ISC provides professional commercial messaging services and it is understood by ISC that any message sent through its network may contain PHI or other confidential information. Accordingly, ISC agrees to use reasonable efforts to maintain the confidentiality and integrity of all messages and utilize security standards so as to comply with HIPAA and any contractual provisions relating to the security, confidentiality and integrity of customer messages.
- Customer understands and agrees that (1) unless Customer subscribes to archiving services any message sent through ISC’s network is resident on ISC’s network for a finite period of time and the message and record of the message will become unavailable; (2) all data is maintained by ISC in electronic format and any copy of the data provided pursuant to a valid request from customer, if available, will be provided in electronic format; (3) Customer will need to identify any record by message number or other data such as date and time of transmission and sender and recipient numbers; (4) to maintain the confidentiality and security of all other records and information on ISC’s network and to maintain compliance with HIPAA and this agreement no individual or entity or their legal representative will be given access to ISC’s network and any access to information on ISC’s network will be limited to viewing Customer’s individual records electronically to the extent they are available and can be located and supplied by ISC; (5) due to established security standards a subject of a record cannot be provided with any information unless Customer provides ISC with requisite authority and assurances satisfactory to ISC that such release of information is properly authorized by the subject.
- ISC may use and disclose PHI received by ISC on behalf of Customer if necessary for the proper management and administration of ISC or to carry out ISC’s legal responsibilities, provided that any disclosure is (a) required by law, or (b) ISC obtains reasonable assurances from the person to whom the PHI is disclosed that (i) the PHI will be held confidentially and used or further disclosed only as required by law or for the purpose for which it was disclosed to the person; and (ii) Customer will be notified of any instances in which the confidentiality of the information is breached.
- ISC hereby agrees to maintain the security and privacy of all PHI in a manner consistent with the federal laws and regulations, including the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), amendments thereto and associated regulations.
- ISC further agrees not to use or disclose PHI except as expressly permitted by this Agreement, applicable law, or for the purpose of managing ISC’s own internal business processes consistent with Paragraph 3 herein.
- ISC shall not make records containing PHI available to any member of its workforce unless ISC has advised such person of ISC’s privacy and security policies, including the consequences for violation of such obligations. ISC shall take appropriate disciplinary action against any member of its workforce who uses or discloses protected health information in violation of this Agreement and applicable law.
- ISC shall not disclose PHI received by ISC on behalf of Customer to a person, including any agent or subcontractor of ISC but not including a member of ISC’s own workforce, until such person agrees in writing to maintain the confidentiality of such information to the extent required by the provisions of this Agreement and applicable Federal law.
- ISC agrees to use appropriate safeguards to prevent the use or disclosure of PHI not permitted by this Agreement or applicable law.
- ISC agrees to maintain a record of all unauthorized disclosures of PHI, including disclosures not made for the purposes of this Agreement. Such record shall include the date of the disclosure, the name and, if known, the address of the recipient of the PHI along with other relevant information which may be known to ISC. ISC shall cooperate with Customer to make a record available to an individual who is the subject of the record or Customer within five (5) business days of a request.
- ISC agrees to report to Customer any unauthorized use or disclosure of protected health information by ISC or its workforce or subcontractors and the remedial action taken or proposed to be taken with respect to such use or disclosure.
- ISC agrees to make its internal practices, books, and records relating to the use and disclosure of protected health information received from Customer, or created or received by ISC on behalf of Customer, available to the Secretary of the United States Department of Health and Human Services, for purposes of determining compliance with HIPAA.
- Subject to availability and the requirements of paragraph 2, within thirty (30) days of a written request by Customer, ISC shall allow a person who is the subject of PHI, such person’s legal representative, or Customer to have access to and to copy such person’s PHI maintained by ISC.
- Customer understands and agrees that ISC does not create, maintain, supplement or alter any records sent by Customer through ISC’s network and accordingly ISC does not have the ability to amend PHI sent through ISC’s network. Customer acknowledges that any amendment of PHI must be accomplished by Customer or some individual or entity other than ISC.
- Upon termination of this Agreement, ISC shall upon written request from Customer destroy all PHI received from Customer provided Customer identifies the location of such PHI by message number or other means which allows ISC to identify the messages to be destroyed. Destruction shall be by electronic deletion. ISC shall retain no copies of such information. If the parties mutually agree that return or destruction of PHI is not feasible, ISC shall continue to maintain the security and privacy of such PHI in a manner consistent with the obligations of this Agreement and as required by applicable law, and shall limit further use of the information to those purposes that make the return or destruction of the information infeasible. The duties hereunder to maintain the security and privacy of PHI shall survive the discontinuance of this Agreement. Any storage of a message or record beyond the normal duration of residency on ISC’s network, shall be subject to archiving charges.
- Customer may request amendment of this Agreement by providing ten (10) days prior written notice to ISC in order to maintain compliance with Federal law. Such notice shall contain the exact text of the requested amendment and shall conspicuously reference the 10-day time limit contained herein. Notice shall be sent by certified mail. ISC shall either accept such amendment or at ISC’s option elect to discontinue this Agreement. ISC’s failure to implement the requested change shall be deemed as its election to discontinue this Agreement. ISC’s duties hereunder to maintain the security and privacy of PHI shall survive such discontinuance. Customer and ISC may otherwise amend this Agreement by mutual written agreement. Customer’s termination or discontinuance of the Service Authorization Agreement between Customer and ISC shall be in accord with the terms and provisions of the Service Authorization Agreement.
- Customer shall pay ISC at ISC’s prevailing rates and charges for all actions taken by ISC pursuant to this Agreement including but not limited to the following: responding to requests to access PHI; providing access to data stored by ISC above and beyond access provided for in a Service Authorization Agreement; participation or supervision of any audits; responding to any inquiries from the United States Department of Health and Human Services; the destruction of any records or data; the provision of any certifications; all other actions taken by ISC which are outside of the scope of the Service Authorization Agreement or other contract with Customer.