Last Updated: 4/26/2017
THIS IS A LEGALLY BINDING AGREEMENT between Lee RCM LLC, a Delaware limited liability company (together with its subsidiaries, “leeRCM,” “we” or “us”), and you. BY CLICKING “I AGREE,” OR BY OTHERWISE SIGNING-UP OR FOR AN ACCOUNT, OR BY ACCESSING OR USING THE APPLICATION (AS DEFINED IN YOUR VOBGETTER SERVICES AGREEMENT), YOU ARE ENTERING INTO THIS HEALTHCARE PROVIDER USER AGREEMENT (THIS “AGREEMENT”) AND YOU AGREE TO BE BOUND BY ITS TERMS AND CONDITIONS. Please read this Agreement carefully, and do not sign-up for an account or use the Application if you are unwilling or unable to be bound by this Agreement. You and we are collectively referred to as the “Parties.”
- Definitions. Capitalized terms not otherwise defined herein shall have the meanings ascribed to them in your VOBGetter Agreement (the “Services Agreement”).
- Payment. All fees and charges associated with your account shall be payable whether or not the Application is used during the applicable payment period as set forth in your Services Agreement. You will pay all applicable taxes, including sales or use taxes, payable in respect of the goods and services provided under this Agreement and any penalties or interest owing on those taxes. leeRCM reserves the right to increase the Monthly Application Fees prior to the commencement of any renewal of the Term, with any such increases effective at Renewal. In the event payment is not made by the due date, leeRCM may discontinue your Service and/or charge the greater of $250 per month per invoice or a Five Percent (5%) late fee for each month each invoice remains unpaid, as allowed by law. A reconnection fee equal to one (1) month’s Service Fee shall be assessed to re-establish connection after termination due to non-payment. You shall pay all costs of collection, including but not limited to attorneys' fees and costs in legal proceedings.
- Third-Party Payment. Fees and charges may be paid by a third party, with the consent of leeRCM, upon your execution of an authorization letter. Such third-party payment will remain in effect for the entire term that the third party provides services to you. You acknowledge and agree that (a) during such term, you shall not be billed by leeRCM for use of the Application, the cost of which shall be paid for entirely by the third party, and (b) that such third party shall not at any time attempt to bill, charge or recoup in any manner any fees and costs due and payable.
- Professional Judgment; Professional Responsibility. You acknowledge and agree that the Application is not intended to be used as a diagnostic tool, to provide medical diagnoses or determinations, to determine correct billing codes, to guarantee availability of insurance coverage, or to guarantee assumptions of receipt of payment for services rendered. You are solely responsible for using due care and exercising your independent professional judgment with regard to patient payment code determination, and determination of insurance availability or payment. You acknowledge that you are solely responsible for ensuring that your users follow appropriate procedures, as required by law and professional standards, for medical records, data handling and coding in using the Application with respect to the creation, modification, backup and storage of medical, payment and administrative records. You will be solely responsible for the professional and technical services you provide. leeRCM makes no representations concerning the completeness, accuracy or utility of any information in the Application, or concerning the qualifications or competence of persons who placed it there. leeRCM has no liability for the consequences to you or your patients of your use of the Application.
- License Grant. leeRCM grants to you and your Users a revocable, limited, personal, non-exclusive, nontransferable, non-sub licensable license (a "License") for the Term of your Agreement to: (a) access and use the Application; (b) possess and use electronic and hard-copy written materials of leeRCM such as manuals and guidelines for use of the Application ("leeRCM Materials"; as such materials become available), in each case only in conjunction with your lawful use of the Application hereunder.
- Beta Features. If you are invited to access any beta features of the Service or you access any beta features of the Service, you acknowledge that: (a) such features have not been made commercially available by leeRCM; (b) such features may not operate properly, be in final form or fully functional; (c) such features may contain errors, design flaws or other problems; (d) it may not be possible to make such features fully functional; (e) use of such features may result in unexpected results, corruption or loss of data, or other unpredictable damage or loss; (f) such features may change and may not become generally available; and (g) leeRCM is not obligated in any way to continue to provide or maintain such features for any purpose in providing the ongoing Service. These beta features are provided AS IS, with all faults. You assume all risk arising from use of such features, including, without limitation, the risk of damage to your computer system or the corruption or loss of data.
- leeRCM Intellectual Property. You shall have no right or interest in respect of any corporate names, trade names, trademarks, service marks, logo, symbol or copyrighted materials or patented or patent-pending processes ("Intellectual Property") owned by leeRCM, or of the goodwill associated with such Intellectual Property, and you hereby acknowledge that all such rights and goodwill are, and shall remain, vested in leeRCM.
Except as otherwise expressly permitted in writing by leeRCM, you will not reverse engineer, decompile, disassemble, or otherwise attempt to discover or reduce to human readable form the source code of the Service, except to the extent allowed under any applicable law. If applicable law permits such activities, any information so discovered must be promptly disclosed to leeRCM, and shall be deemed to be leeRCM’s confidential proprietary information. You will not access the service for the purposes of copying the flow, process, or any other Intellectual Property belonging to leeRCM for the purposes of incorporating any such intellectual property into a competitive product.
- Indemnification. You hereby agree to indemnify, defend, and hold harmless leeRCM and other users, and leeRCM’s and their respective affiliates, officers, directors, employees and agents, from and against any claim, cost or liability, including reasonable attorneys’ fees, arising out of or relating to: (a) the use of the Application by you or your workforce; (b) any breach by you or your workforce of any representations, warranties or agreements contained in this Agreement; (c) the actions of any person gaining access to the Application under credentials assigned to you or a member of your workforce; (d) the actions of anyone using credentials assigned to you or any member of your workforce that adversely affects the Application or any information accessed through the Application; and (e) your negligent or willful misconduct, or that of any member of your workforce. Your indemnification obligations in this Agreement (including this Section) are cumulative, and are not intended to, nor do they, limit your indemnification obligations elsewhere in this Agreement or at law, even if such obligations arise or are occasioned or triggered by a single assertion, claim, circumstance, action, event or transaction.
- De-Identification. We may de-identify information that you or your workforce input or upload onto the Application, and use and disclose de-identified information for any purpose whatsoever. In consideration of our provision of the Application, you hereby transfer and assign to leeRCM all right, title and interest in and to all such de-identified information.
- Consent to Electronic Communication. You understand that leeRCM may send you communications or data regarding the Application, including but not limited to (a) notices about your use of the Application, including any notices concerning violations of use; (b) updates; and (c) promotional information and materials regarding products and services offered by leeRCM and any of its marketing partners, via electronic mail. leeRCM will give you the opportunity to opt out of receiving promotional information and materials, but you acknowledge that the use of email to provide notices and updates is essential to performance under this Agreement.
- Warranties. Each Party hereby represents and warrants to the other, at all times during the Term and at such other times as may be indicated, that it:
- Is duly organized or incorporated and validly existing under the laws of the jurisdiction of its organization, unless the Party is an individual, and is duly qualified in all jurisdictions in which it does business;
- Has all requisite powers, licenses and permits to perform its duties and obligations under this Agreement, including authority to bind the organizations to the terms contained herein;
- Shall comply with, and as applicable, shall require its directors, officers, employees to, agents and representatives to comply with its duties and obligations pursuant to this under this Agreement, including but not limited to duties and obligations which survive the termination of this Agreement;
- Shall comply with, and as applicable, shall require its directors, officers, employees, agents and representatives to comply with all applicable laws, including all applicable information protection laws
- Services Warranty Disclaimer. ACCESS TO THE APPLICATION AND THE INFORMATION CONTAINED ON THE APPLICATION IS PROVIDED “AS IS” AND “AS AVAILABLE” WITHOUT ANY WARRANTY OF ANY KIND, AND LEERCM DISCLAIMS ALL WARRANTIES, EXPRESSED OR IMPLIED, STATUTORY OR OTHERWISE, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NONINFRINGEMENT AND TITLE. YOU ARE SOLELY RESPONSIBLE FOR ANY AND ALL ACTS OR OMISSIONS TAKEN OR MADE IN RELIANCE ON THE APPLICATION OR THE INFORMATION IN THE APPLICATION, INCLUDING INACCURATE OR INCOMPLETE INFORMATION. LEERCM DOES NOT REPRESENT OR WARRANT THAT THE APPLICATION MATERIALS OR CONTENT WILL MEET THE REQUIREMENTS OF ANY PERSON OR WILL BE COMPATIBLE OR WORK WITH ANY OTHER SOFTWARE OR SYSTEMS OR OPERATE ERROR-FREE OR CONTINUOUSLY. YOU AGREE THAT LEERCM HAS MADE NO AGREEMENTS, REPRESENTATIONS OR WARRANTIES OTHER THAN THOSE EXPRESSLY SET FORTH IN THIS AGREEMENT, AND THAT NO FUTURE AGREEMENT, REPRESENTATION OR WARRANTY OF LEERCM WITH REGARD TO INFORMATION, GOODS OR SERVICES PROVIDED UNDER THIS AGREEMENT SHALL BE EFFECTIVE UNLESS EXPRESSLY STATED IN A WRITTEN AMENDMENT TO THIS AGREEMENT SIGNED BY LEERCM.
YOU HEREBY ACKNOWLEDGE THAT A QUOTE OF BENEFITS AND/OR AUTHORIZATION DOES NOT GUARANTEE PAYMENT OR VERIFY ELIGIBILITY. PAYMENT OF BENEFITS ARE SUBJECT TO ALL TERMS, CONDITIONS, LIMITATIONS, AND EXCLUSIONS OF THE MEMBER’S CONTRACT AT TIME OF SERVICE.
- Carrier Lines. YOU ACKNOWLEDGE THAT ACCESS TO THE APPLICATION WILL BE PROVIDED OVER VARIOUS FACILITIES AND COMMUNICATIONS LINES, AND INFORMATION WILL BE TRANSMITTED OVER LOCAL EXCHANGE AND INTERNET BACKBONE CARRIER LINES AND THROUGH ROUTERS, SWITCHES, AND OTHER DEVICES (COLLECTIVELY, “CARRIER LINES”) OWNED, MAINTAINED, AND SERVICED BY THIRD-PARTY CARRIERS, UTILITIES, AND INTERNET SERVICE PROVIDERS, ALL OF WHICH ARE BEYOND LEERCM’S CONTROL. LEERCM ASSUMES NO LIABILITY FOR, OR RELATING TO, THE INTEGRITY, PRIVACY, SECURITY, CONFIDENTIALITY, OR USE OF ANY INFORMATION WHILE IT IS TRANSMITTED ON THE CARRIER LINES, OR ANY DELAY, FAILURE, INTERRUPTION, INTERCEPTION, LOSS, TRANSMISSION, OR CORRUPTION OF ANY DATA OR OTHER INFORMATION ATTRIBUTABLE TO TRANSMISSION ON THE CARRIER LINES. USE OF THE CARRIER LINES IS SOLELY AT YOUR RISK AND IS SUBJECT TO ALL APPLICABLE LOCAL, STATE, NATIONAL, AND INTERNATIONAL LAWS.
- Unauthorized Access; Lost or Corrupt Data. LEERCM IS NOT RESPONSIBLE FOR UNAUTHORIZED ACCESS TO YOUR DATA, FACILITIES OR EQUIPMENT BY PERSONS USING THE APPLICATION OR FOR UNAUTHORIZED ACCESS TO, ALTERATION, THEFT, CORRUPTION, LOSS OR DESTRUCTION OF YOUR DATA FILES, PROGRAMS, PROCEDURES, OR INFORMATION THROUGH THE APPLICATION, WHETHER BY ACCIDENT, FRAUDULENT MEANS OR DEVICES, OR ANY OTHER MEANS. YOU ARE SOLELY RESPONSIBLE FOR VALIDATING THE ACCURACY OF ALL OUTPUT AND REPORTS, AND FOR PROTECTING YOUR DATA AND PROGRAMS FROM LOSS BY IMPLEMENTING APPROPRIATE SECURITY MEASURES. YOU HEREBY WAIVE ANY DAMAGES OCCASIONED BY LOST OR CORRUPT DATA, INCORRECT REPORTS, OR INCORRECT DATA FILES RESULTING FROM PROGRAMMING ERROR, OPERATOR ERROR, EQUIPMENT OR SOFTWARE MALFUNCTION, SECURITY VIOLATIONS, OR THE USE OF THIRD-PARTY SOFTWARE. LEERCM IS NOT RESPONSIBLE FOR THE CONTENT OF ANY INFORMATION TRANSMITTED OR RECEIVED THROUGH OUR PROVISION OF THE APPLICATION.
- Limitation of Liability. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW AND EXCEPT WITH RESPECT TO A PARTY'S DUTIES OF CONFIDENTIALITY AND INDEMNIFICATION SET FORTH HEREIN, IN NO EVENT WILL EITHER PARTY BE LIABLE TO THE OTHER FOR ANY SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES, WHETHER BASED ON BREACH OF CONTRACT, TORT (INCLUDING NEGLIGENCE) OR OTHERWISE, WHETHER OR NOT SUCH DAMAGES ARE FORESEEABLE OR THAT PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. LEERCM SHALL HAVE NO LIABILITY FOR THE FINANCIAL LOSSES, DAMAGES, AND/OR PENALTIES SUSTAINED BY YOU DUE TO A FAILURE OF THE APPLICATION, CONTENT, IMPLEMENTATION SERVICE OR SUPPORT SERVICE TO COMPLY WITH AN APPLICABLE FEDERAL OR STATE STANDARD, INCLUDING BUT NOT LIMITED TO A STANDARD RELATED TO THE PROVISION OF PROFESSIONAL SERVICES. IN NO EVENT WILL LEERCM'S TOTAL LIABILITY TO YOU HEREUNDER EXCEED THE AGGREGATE FEES PAID OR PAYABLE UNDER THIS AGREEMENT IN THE TWELVE (12) MONTH PERIOD PRECEDING THE EVENT GIVING RISE TO THE CLAIM, NOT TO EXCEED $2,500. YOU AGREE THAT YOU MAY NOT CHALLENGE THIS PROVISION AS BEING UNREASONABLE.
- Force Majeure. Neither Party will be responsible for its failure or delay in performing its obligations (other than an obligation to pay amounts when due) under this Agreement when and to the extent such failure or delay is caused by: acts of God, fire or explosion, labor stoppages or other industrial disturbances, actions of any government agency, shortage of materials, acts of terrorism, or the stability or availability of the Internet or a portion thereof, or such other similar event that is outside the reasonable control of the affected Party (each a "Force Majeure Event"). Notwithstanding the foregoing, if a Force Majeure event(s) continues for a period in excess of thirty (30) days, you shall have the right to, upon prior written notice to leeRCM, terminate the Agreement without any further obligation or liability, provided leeRCM has not resumed delivery of the affected Service prior to your delivery of such written notice of termination.
- Severability. Any provision of this Agreement that shall prove to be invalid, void, or illegal, shall in no way affect, impair, or invalidate any other provision of this Agreement. Such other provisions shall remain in full force and effect and the unenforceable term or provision shall be replaced by such enforceable term or provision as comes closest to the intention underlying the unenforceable term or provision.
Waiver. No term of this Agreement shall be deemed waived and no breach excused, unless such waiver or consent shall be in writing and signed by the Party claimed to have waived or consented. Any consent by any Party to, or waiver of a breach by the other, whether expressed or implied, shall not constitute a consent to, waiver of, or excuse for any other different or subsequent breach.
- Complete Understanding; Amendments. This Agreement contains the entire understanding of the Parties, and there are no other written or oral understandings or promises between the Parties with respect to the subject matter of this Agreement other than those contained or referenced in this Agreement. The most current version of this Agreement shall apply, and that this Agreement may be revised by leeRCM from time to time, without prior notice.
- No Third-Party Beneficiaries. Nothing express or implied in this Agreement is intended to confer, nor shall confer, upon any person or entity other than the Parties and their respective successors or assigns any rights, remedies, obligations, or liabilities whatsoever.
- Relationship between Parties. Nothing contained in this Agreement shall constitute or be construed to create, a partnership, joint venture, agency or any other relationship between the Parties besides that of independent contractors. Neither Party shall have authority to contract for or bind the other Party in any manner whatsoever.
- Electronic Transactions. The Application gives you the ability to enter into agreements, authorizations, consents and applications, or engage in other transactions electronically. YOU ACKNOWLEDGE THAT YOUR ELECTRONIC SUBMISSIONS VIA THE APPLICATION IN CONNECTION WITH SUCH ACTIVITIES CONSTITUTE YOUR ACKNOWLEDGMENT THEREOF AND YOUR AGREEMENT AND INTENT TO BE BOUND BY SUCH AGREEMENTS AND TRANSACTIONS, AND APPLIES TO ALL RECORDS RELATING TO SUCH TRANSACTIONS. You represent and warrant that you have the authority to take such actions.
- Assignment. You will have no right to assign your Agreement, in whole or in part, by sale of assets, merger, transfer of equity, operation of law or otherwise, without leeRCM’s prior written consent, which may be withheld at leeRCM’s sole and absolute discretion. Any attempt to assign your Agreement, without such consent, will be void, of no effect and shall constitute a breach of the Agreement and subject you to immediate termination of your Agreement. Subject to the foregoing, the Agreement will bind and inure to the benefit of each Party's successors and assigns.
- Applicable Law. Your Services Agreement, any and all Addenda thereto, and this Agreement, shall be interpreted consistently with federal law applicable to the Parties, including but not limited to HIPAA and HITECH, provided that state law issues shall be exclusively interpreted according to the laws of the State of Florida, without regard to choice of law principles.
- Dispute Resolution; Jurisdiction and Venue. The parties agree to resolve any controversy, dispute, or claim arising out of or relating to your purchase of any product or service from leeRCM by binding Arbitration administered by the American Arbitration Association, in Miami-Dade County, Florida. In the event of a dispute involving Intellectual Property, including copyright, trademark, trade secrets, or any other cause of action provided for by law, venue shall be proper in the appropriate Federal or State Court, as dictated by the cause of action, with jurisdiction over Miami-Dade County, Florida. The prevailing party in any dispute arising out of or related to this Agreement shall be awarded reasonable attorney's fees and other costs.
- Headings. All section headings contained in this Agreement are to be considered for reference purposes only, and are not intended to define or limit the scope of any provisions of this Agreement.
Business Associate Agreement
This Business Associate Agreement (the “HIPAA Agreement”), effective upon the date of execution of Customer’s leeRCM Services Agreement (the “Effective Date”), is entered into by and between lee RCM, LLC (“leeRCM”) and the Customer, (Customer and leeRCM each a “Party” and collectively the “Parties”).
The Health Insurance Portability and Accountability Act of 1996, Public Law 104-191 (“HIPAA”), the HIPAA Privacy rule (“Privacy Rule”), 45 C.F.R. Parts 160 and 164, and the HIPAA Security Rule (“Security Rule”), 45 C.F.R. Parts 160, 162 and 164, require Customer to enter into a written agreement with a leeRCM in order to protect the privacy and security of individually identifiable health information (“Protected Health Information,” or “PHI”). To fulfill the obligations to Customer pursuant to either an existing or contemporaneously executed Services Agreement for services to be provided to Customer, the Parties enter into this HIPAA Agreement to protect PHI and, intending to be bound, hereby agree to the following:
Terms used, but not otherwise defined, in this HIPAA Agreement shall have the meanings set forth below.
- “Breach” shall mean:
- IN GENERAL - The term “breach” means the acquisition, access, use, or disclosure of PHI in a manner not permitted under subpart E of this part which compromises the security or privacy of the protected health information.
- EXCEPTIONS - The term “breach” does not include:
- Any unintentional acquisition, access, or use of PHI by a workforce member or person acting under the authority of Customer or a business associate, if such acquisition, access, or use was made in good faith and within the scope of authority and does not result in further use or disclosure in a manner not permitted under subpart E of Part II, 45 C.F.R. Parts 160 and 164.
- Any inadvertent disclosure by a person who is authorized to access PHI at Customer or a business associate to another person authorized to access PHI at the same Customer or business associate, or organized health care arrangement in which Customer participates, and the information received as a result of such disclosure is not further used or disclosed in a manner not permitted under subpart E of Part II, 45 C.F.R. Parts 160 and 164.
- A disclosure of protected health information where Customer or leeRCM has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.
Except as provided in paragraph (B) of this definition, an acquisition, access, use, or disclosure of protected health information in a manner not otherwise permitted is presumed to be a breach unless Customer or leeRCM, as applicable, demonstrates that there is a low probability that the protected health information has been com-promised based on a risk assessment of at least the following factors:
- The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
- The unauthorized person who used the protected health information or to whom the disclosure was made;
- Whether the protected health information was actually acquired or viewed; and
- The extent to which the risk to the protected health information has been mitigated.
- “Designated Record Set” shall mean a group of records maintained by or for Customer that is (i) the medical records and billing records about Individuals maintained by or for Customer, (ii) the enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for Customer; or (iii) used, in whole or in part, by or for Customer to allow its customers to make decisions about Individuals. As used herein the term “Record” means any item, collection, or grouping of information that includes PHI and is maintained, collected, used, or disseminated by or for Customer.
- “Electronic Protected Health Information” shall mean Protected Health Information transmitted by Electronic Media or maintained in Electronic Media.
- “Electronic Media” shall mean (1) electronic storage media on which data is or may be recorded electronically, including computer hard drives and any digital memory medium that is removable or transportable, such as magnetic tape or disk, optical disk, or digital memory card; and (ii) transmission data used to exchange information already in electronic storage media, including, for example, the Internet, extranet, leased lines, dial-up lines, private networks, and the physical movement of removable/transportable electronic storage media. Certain transmissions, including of paper, via facsimile, and of voice, via telephone, are not considered to be transmissions via electronic media if the information being exchanged did not exist in electronic form immediately before the transmission.
- “Health Care Operations” shall mean activities including: (i) quality assessment and improvement activities (outcomes, evaluation and development of clinical guidelines), population-based activities relating to improving health or reducing health care costs, and related activities that do not include treatment; (ii) peer and entity review, education, credentialing activities; (iii) except as prohibited by 42 C.F.R. § 164.502(a)(5)(i) underwriting, enrollment premium rating, and other activities relating to the creation, renewal or replacement of a contract of health insurance or health benefits; (iv) conducting or arranging for medical review, legal services, and auditing services, including fraud and abuse detection and compliance programs; (v) business planning and development; (vi) business management and general administrative activities of the entity; and (vii) licensure/accreditation.
- “Individual” shall have the same meaning given such term in 45 C.F.R. § 160.103 and shall include a person who qualifies as a personal representative in accordance with 45 C.F.R. § 164.502(g).
- “Individually Identifiable Health Information” shall mean information that is a subset of health information, including demographic information collected from an Individual, and (i) is created or received by Customer or leeRCM on behalf of Customer; and (ii) relates to the past, present, or future physical or mental health or condition of an Individual; the provision of health care to an Individual; or the past, present or future payment for the provision of health care to an Individual; and identifies the Individual, or with respect to which there is a reasonable basis to believe the information can be used to identify the Individual.
- “Payment” shall mean (i) except as prohibited by 45 C.F.R. § 164.502(a)(5)(i) the activities undertaken by Customer (“Covered Entity”) to obtain premiums or to determine or fulfill its responsibility for coverage and the provision of benefits under the Covered Entity’s health plan(s); or (ii) a covered health care provider or health plan’s activity to obtain or provide reimbursement for the provision of health care. Such activities include eligibility/coverage determinations, risk adjusting, billing, claims management and collection activities, health care data processing, reviews of health care services with respect to medical necessity, coverage under the Covered Entity’s health plans, appropriateness of care, or justification of charges; utilization review activities (including prior authorization), disclosure to consumer reporting agencies relating to the collection of premiums or reimbursement.
- “Privacy Rule” shall mean the Standards for Privacy of Individually Identifiable Health Information at 45 C.F.R. part 160 and part 164, subparts A and E.
- “Privacy Standards” shall mean the Standard for Privacy of Individually Identifiable Health Information, 45 C.F.R. Parts 160 and 164.
- “Protected Health Information” or “PHI” shall mean Individually Identifiable Health Information that is (i) transmitted by Electronic Media, (ii) maintained in any medium constituting Electronic Media; or (iii) transmitted or maintained in any other form or medium. "Protected Health Information" shall not include (i) education records covered by the Family Educational Right and Privacy Act, as amended, 20 U.S.C. § 1232g, (ii) records described in 20 U.S.C. § 1232g(a)(4)(B)(iv), employment records held by Customer in its role as an employer; and regarding a person who has been deceased for more than 50 years.
- “Required By Law” shall have the same meaning as the term “required by law” in 45 C.F.R. 164.103.
- “Secretary” shall mean the Secretary of the Department of Health and Human Services or his designee.
- “Security Incident” shall mean any attempted or successful unauthorized access, use, disclosure, modification or destruction of information or systems operations in an electronic information system.
- “Security Rule” shall mean the Security Standards at 45 C.F.R. Parts 160, 162 and 164.
- "Program Agreement" collectively refers to and means leeRCM Gold Certified Biller Program Agreement entered between leeRCM and Customer.
- Subcontractor" means a person to whom a business associate delegates a function, activity, or service, other than in the capacity of a member of the workforce of such business associate.
- “Treatment” shall mean the provision, coordination, or management of health care and related services by one or more health care providers, including the coordination or management of health care by a health care provider with a third party, including Customer and/or leeRCM; consultation between health care providers relating to an Individual; or the referral of an Individual for health care from one health care provider to another.
- The HIPAA Agreement.
- Incorporation of agreements. The Program Agreement between Customer and leeRCM hereby incorporates the terms of this Agreement. In the event of conflict between the terms governing HIPAA and confidentiality of patient data and files between in the Program Agreement and this HIPAA Agreement, the terms and conditions of the HIPAA Agreement shall govern.
- Use and Disclosure of PHI to Provide Services. Except as otherwise permitted by this Agreement, the Program Agreement or HIPAA, the Privacy Rule, the Security Rule or the American Recovery and Reinvestment Act of 2009 (the “Recovery Act”), leeRCM will use and disclose Protected Health Information only as permitted or required by the terms of this HIPAA Agreement, to the extent required to fulfill leeRCM’s obligations under the Program Agreement or to perform any other related function, activity or service specifically requested by Customer in writing, or as Required By Law. All other uses not authorized by this HIPAA Agreement are prohibited. Specifically, leeRCM is prohibited from using to harm or to the detriment of Customer any information learned or gathered by Customer as part of its performance of the HIPAA Agreement.
- Responsibilities of leeRCM.
leeRCM agrees to:
- Use or further disclose only the minimum necessary PHI in performing the activities required under the Program Agreement between the Parties.
- Not use or further disclose PHI except as permitted under this HIPAA Agreement, HIPAA, the Privacy Rule, the Security Rule, the Recovery Act and applicable state law or regulation, each as amended from time to time.
- Establish, implement, and enforce all appropriate safeguards to prevent the use or disclosure of Protected Health Information other than pursuant to the terms and conditions of this HIPAA Agreement.
- Take reasonable steps to ensure that its employees’ actions or omissions do not cause leeRCM to breach the terms of this HIPAA Agreement.
- Document disclosures of PHI in accordance with 45 C.F.R. 164.528, in order for Customer to respond to a request from an Individual for an accounting of disclosures of PHI or in order for leeRCM to respond to a request for an accounting to the extent required by the Recovery Act.
- Report to Customer in writing any use or disclosure of the PHI of which leeRCM becomes aware that is not permitted by this HIPAA Agreement within five days of leeRCM’s discovery of such use or disclosure.
- Mitigate, to the extent practicable, any harmful effect that is known to leeRCM of a use or disclosure of PHI by leeRCM in violation of this HIPAA Agreement.
- Enter into a written agreement with any Subcontractors or agents that receives, creates, maintains or transmits PHI received by leeRCM on behalf of Customer, binding such subcontractors or agents to the same restrictions, terms and conditions that apply to leeRCM pursuant to this HIPAA Agreement with respect to such PHI, including the requirement that the Subcontractor or agent, as applicable, implement reasonable and appropriate safeguards to protect any electronic PHI that is disclosed to it by leeRCM.
- Upon Customer’s request and within 10 days of such request, provide to Customer all required information to permit Customer to respond to a request from an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. 164.528.
- Maintain the integrity of any PHI transmitted by or received from Customer.
- Provide Customer or, as directed by Customer, to an Individual to whom the PHI relates, the rights of access, amendment, and accounting as set forth in 45 C.F.R. 164.524, 45 C.F.R. 164.526 and 45 C.F.R. 164.528.
- Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the Electronic Protected Health Information that it creates, receives, maintains, or transmits on behalf of Customer. leeRCM shall implement policies and procedures regarding such safeguards.
- Promptly report to Customer, in writing, any Security Incident of which leeRCM becomes aware.
- Notify Customer of any Breach within 5 (five) days of discovery by leeRCM as required by federal law. Delay in notification may only be allowed under the Recovery Act § 13402(g) and 45 C.F.R. 164.412. The notice shall include the identification of each Individual whose unsecured PHI has been, or is reasonably believed by leeRCM to have been accessed, acquired, or disclosed during such Breach.
- Comply with requested restrictions on the disclosure of PHI as communicated to leeRCM by Customer if the disclosure is to a health plan for the purposes of carrying out Payment or Health Care Operations (and is not for the purpose of carrying out Treatment) and the PHI pertains solely to a health care item or service for which the health care provider involved has been paid out of pocket in full.
- Limit required use and disclosure of PHI, to the extent practicable, to the limited data set as defined by 42 C.F.R. 164.514(e)(2), or the minimum necessary to accomplish the intended purpose of such disclosure, subject to exceptions set forth in the Privacy Rule.
- If leeRCM maintains Electronic Health Records as that term is defined in Section 13400 of the Recovery Act and an Individual requests a copy of such records, transmit the electronic records directly to an entity or person designated by the Individual, provided that any such choice is clear, conspicuous, and specific. Any fee charged for such electronic records shall not exceed leeRCM’s labor costs.
- If leeRCM knows of a pattern of activity or practice of Customer that constitutes a material breach or violation of Customer’s obligations under this HIPAA Agreement, unless Customer successfully takes steps to cure the Breach or end the violation after receipt of notice from leeRCM, then leeRCM shall terminate this HIPAA Agreement and the Program Agreement or, if not feasible, notify the Secretary.
- Be subject to the application of civil and criminal penalties for violation of Sections 13401 and 13404(a) and (b) of Part 1 of the HITECH Act.
- To the extent leeRCM is carrying out one or more obligations of Customer under 45 C.F.R. Part 164, Subpart E, leeRCM shall comply with the requirements of Subpart E that apply to Customer in the performance of such obligation(s).
- leeRCM shall keep such records and submit such compliance reports in such time and manner and containing such information as the Secretary may determine to be necessary to enable the Secretary to ascertain whether leeRCM has complied or is complying with the applicable administrative simplification provisions. leeRCM shall also cooperate with the Secretary if the Secretary undertakes an investigation or compliance review of the policies, procedures, or practices of leeRCM to determine whether leeRCM is complying with the applicable administrative simplification provisions.
- Permitted Disclosures by leeRCM.
- Use PHI in its possession for proper management and administration of its duties under the Program Agreement or to fulfill any of its legal responsibilities under the Program Agreement.
- Disclose PHI in its possession to third-parties for proper management and administration, or to fulfill any of its legal responsibilities under this HIPAA Agreement or the Program Agreement; provided that (i) the disclosures are Required By Law, as provided for in 45 C.F.R. § 164.103, or (ii) leeRCM has received written assurances from the third party that the PHI will be held confidentially, and used or further disclosed only as Required By Law or for the purpose for which it was disclosed to the third party, and that the third party will notify leeRCM of any instances of which it is aware in which the confidentiality of the PHI has been breached, as required under 45 C.F.R. § 164.504(e)(4).
- De-identify any and all PHI, provided that the de-identification conforms to the requirements of 45 C.F.R. § 164.514(b), and further provided that leeRCM maintains the documentation required by 45 C.F.R. § 164.514(b), which may be in the form of a written assurance from leeRCM. Pursuant to 45 C.F.R. § 164.502(d), de-identified information does not constitute PHI and is not subject to the terms of the HIPAA Agreement.
- Responsibilities of Customer.
- Notify leeRCM in writing of any restriction to the use or disclosure of Protected Health Information that Customer has agreed to in accordance with 45 C.F.R. § 164.522 or a restriction pursuant to the Recovery Act § 13405 (a) to which Customer’s compliance was mandatory to the extent such restriction may affect leeRCM’s use or disclosure of Protected Health Information. Before agreeing to any restriction on use or disclosure permitted under 45 C.F.R. § 164.522, but not mandated under the Recovery Act § 13405(a), Customer shall advise leeRCM of the contemplated restrictions and leeRCM shall, as promptly as practicable, advise Customer of the additional costs Customer will incur to implement such restriction.
Notify leeRCM of any changes to, or withdrawal of, the consent or authorization of an Individual provided to Customer pursuant to 45 C.F.R. § 164.506 or § 164.508 to the extent such changes may affect leeRCM's ability to perform its obligations under this HIPAA Agreement.
- Access to PHI. Within five (5) days of a request by Customer for access to PHI maintained by leeRCM, leeRCM shall make PHI available to Customer, or at the written direction of Customer, to an Individual to whom such PHI relates or his or her authorized representative. In the event any Individual requests access to PHI directly from leeRCM, leeRCM shall, within five (5) days, forward such request to Customer. Any denials of access to the PHI requested shall be the responsibility of Customer.
- Amendment of PHI. leeRCM shall make PHI available to Customer and will amend PHI as instructed by Customer, in a manner consistent with the Privacy Rule within ten (10) days of receipt of a request from Customer for the amendment of patient’s PHI.
- Accounting for Disclosures of PHI. Within thirty (30) days of notice by Customer to leeRCM that it has received a request for an accounting of disclosures of PHI, leeRCM shall make available to Customer such information as is in leeRCM’s possession required for Customer to satisfy the accounting of disclosures requirement set forth in the Privacy Rule. In the event the request for an accounting is delivered directly to leeRCM, leeRCM shall, within five (5) days, forward the request to Customer. It shall be Customer’s responsibility to prepare and deliver any such accounting requested.
- Individual Rights Regarding Designated Record Sets. If leeRCM maintains any PHI that could be construed to be part of a Designated Record Set of Customer, leeRCM shall (i) provide access to, and permit inspection and copying of, PHI by Customer, or if directed by Customer, an individual who is the subject of the PHI under conditions and limitations required under 45 C.F.R. § 164.524, as it may be amended from time-to-time, and (ii) amend PHI maintained by leeRCM as requested by Customer. leeRCM shall respond to any request from Customer for access by an individual within five (5) days of such request and shall make any amendment requested by Customer within ten (10) days of such request. Any information requested under this Section 9 shall be provided in the form or format requested, if it is readily producible in such form or format. leeRCM may charge a reasonable fee based upon leeRCM’s labor cost in responding to a request for electronic information (or a cost-based fee for the production of non-electronic media copies). Customer shall determine whether a denial is appropriate or an exception applies. leeRCM shall notify Customer within five (5) days of receipt of any request for access or amendment by an individual. Customer shall determine whether to grant or deny access or amendment requested by the individual. leeRCM shall have a process in place for receiving requests for amendments and for appending such requests to the Designated Record Set, as requested by Customer.
Notwithstanding the above, leeRCM shall not permit access to any record if such access would violate leeRCM’s ethical responsibilities or any other privilege that may be applicable to leeRCM. To the maximum extent permitted by law, Customer hereby reserves and retains any and all privileges in which Customer has an interest with respect to leeRCM’s performance of its obligations under this section. The parties acknowledge that Customer retains the right to waive any privilege with regard to its own records and to expressly instruct leeRCM to provide access to those records as a result of that waiver. In the event Customer decides to waive any privilege, Customer shall provide leeRCM with written notice of that waiver before leeRCM shall act on such decision.
- Records and Audit. If leeRCM receives a request, made by or on behalf of HHS, requiring leeRCM to make available its internal practices, books, and records relating to the use and disclosure of PHI to HHS for the purpose of determining compliance of Customer with the Privacy Standards, then leeRCM shall promptly notify Customer that leeRCM has received such request. Except as otherwise set forth below, leeRCM shall make its books and records relating to the use and disclosure of PHI by Customer available to HHS and its authorized representatives for purposes of determining compliance of Customer with the Confidentiality Requirements.
To the maximum extent permitted by law, Customer hereby reserves and retains any and all privileges in which Customer has an interest with respect to leeRCM’s performance of its obligations under this Section 10. leeRCM, to the maximum extent permitted by law, hereby reserves and retains any and all privileges or rights. This section shall not be construed to require leeRCM to disclose or produce communications subject to any privileges or rights with respect to materials that analyze, evaluate or discuss the implications of PHI. Notwithstanding the above, in no event shall leeRCM delay complying with a request of HHS or its authorized representatives if such delay appears reasonably likely to result in any penalty, fine or other liability being levied or imposed upon Customer (such likelihood to be determined in the sole discretion of Customer), and Customer has instructed leeRCM in writing to disclose the information requested by HHS or its authorized representatives. The Parties acknowledge that Customer retains the right to: (i) waive any privilege with regard to books and records, and (ii) expressly instruct leeRCM to provide HHS and its authorized representatives with such books and records in the event of such waiver.
- Government Access. leeRCM will make its internal policies, procedures, books, and records relating to use and disclosure of PHI (excluding the actual PHI) received from, or created or received by leeRCM on behalf of Customer, available to the Secretary for purposes of determining Customer compliance with the HIPAA Privacy and Security Rules, subject to any privileges covering leeRCM.
- Representations and Warranties.
Each Party represents and warrants to the other Party:
- That all of its employees, agents, representatives and members of its workforce, whose services may be used to fulfill obligations under this HIPAA Agreement are, or shall be, appropriately informed of the terms of this HIPAA Agreement and are under legal obligation to each Party, respectively, by contract or otherwise, sufficient to enable each Party to fully comply with all provisions of this HIPAA Agreement.
- That it will reasonably cooperate with the other Party in the performance of the mutual obligations under this HIPAA Agreement.
- Term. Unless otherwise terminated as provided in Section 14, this HIPAA Agreement shall become effective on the Effective Date and is fully incorporated, as if fully set forth therein, with the Program Agreement (the “Termination Date”).
- Automatic Termination. This HIPAA Agreement will automatically terminate without any further action of the Parties upon termination of leeRCM’s representation of Customer; provided, however, certain provisions and requirements of this HIPAA Agreement shall survive such expiration or termination in accordance with Section 15.
- Termination for Cause. Either Party may immediately terminate this HIPAA Agreement, the Program Agreement and any related agreements if the Party makes the determination that the other Party has breached a material term of this HIPAA Agreement. Alternatively, and in the sole discretion of the non-breaching Party, the non-breaching Party may choose to provide the breaching Party with written notice of the existence of the Breach and provide the breaching Party thirty (30) calendar days to cure said breach upon mutually agreeable terms. Failure by the breaching Party to cure said breach or violation in the manner set forth above shall be grounds for immediate termination of the Program Agreement by the non-breaching Party. If termination is not feasible, Customer shall report the problem to the Secretary.
- Effect of Termination. Upon termination of this HIPAA Agreement, leeRCM agrees to return or destroy all PHI in whatever form or medium (including any Electronic Media under leeRCM's custody or control) received from Customer, created, received, transmitted or maintained by leeRCM on behalf of Customer, including all copies of any data or compilations derived from PHI that are in the possession of subcontractors or agents of leeRCM. leeRCM shall retain no copies of the PHI. leeRCM will complete such return or destruction as promptly as possible, following termination, cancellation, expiration or other conclusion of this HIPAA Agreement. leeRCM is obligated to demonstrate to Customer that it is not feasible that the PHI be returned to Customer or destroyed and Customer will make a determination whether the reasons are sufficient to make return or destruction of PHI not feasible. If such a determination is made, leeRCM shall extend the protections of this HIPAA Agreement to such PHI and limit further uses and disclosure of such PHI. leeRCM shall disclose no information which in any way may harm or cause damage to Customer.
Indemnity. leeRCM shall indemnify Customer for any damages suffered by Customer as a result of leeRCM breaching any term of this HIPAA Agreement. Damages shall include any fine or other charges assessed against Customer as a result of leeRCM disclosing any information covered by this HIPAA Agreement for any purpose other than performance of leeRCM's duties under the Service Agreement. leeRCM shall be responsible for all cost of Breach Notification and Breach Remediation caused by leeRCM breaching this HIPAA Agreement.
- Third-Party Beneficiaries. Nothing in this HIPAA Agreement shall be construed to create third-party beneficiary rights in any person or entity.
- Amendments; Waiver. This HIPAA Agreement may not be modified, nor shall any provision be waived or amended, except in a writing duly signed by authorized representatives of the Parties. The failure of either Party to enforce at any time any provision of this HIPAA Agreement shall not be construed to be a waiver of such provision, nor in any way to affect the validity of this HIPAA Agreement or the right of either Party thereafter to enforce each and every such provision.
- Notices. Any notice or other communication required or desired to be given to any Party under this HIPAA Agreement shall be in writing and shall be deemed given when (a) deposited in the United States mail, first-class postage prepaid, and addressed to that Party at the address for such Party set forth below; (b) the next business day immediately following delivery to Federal Express, or any other similar express delivery service for next-day delivery to that Party at that address; or (c) sent by facsimile transmission, with electronic confirmation, to that Party at its facsimile number set forth below. Any Party may change its address or facsimile number for notices under this HIPAA Agreement by giving the other party notice of such change.
Customer: (Company Address and Notice Information Listed in the Services Agreement)
leeRCM: lee RCM LLC
Todd Lee, CEO
1625 S Congress Ave., Ste. 300
Delray Beach, FL 33445
Notice of change of address of a Party shall be given in writing to the other Party as provided above
- Governing Law, Venue and Attorney Fees and Costs. This HIPAA Agreement shall be governed by and construed in accordance with the laws of the State of Florida. In the event of any litigation in connection with, arising out of, or related to this HIPAA Agreement, the Parties agree that the Circuit Court of Miami-Dade County, Florida shall be the exclusive venue and jurisdiction for any litigation. At the option of Customer, the United States District Court for the Southern District of Florida, Miami-Dade Division, shall be the exclusive venue and jurisdiction for any litigation. Should legal action ever be necessary to enforce the terms of this HIPAA Agreement, the prevailing Party will be entitled to receive from the other Party all litigation expenses incurred in connection therewith, including but not limited to reasonable attorneys' fees, paralegal fees, expert and investigator fees, and costs, on all levels, including any appeals, if any.
- Assignment. Neither Party may assign this HIPAA Agreement without the prior written consent of the other.
- Compliance with Law; Regulatory Changes. It is the Parties’ intent to comply strictly with all applicable laws, including without limitation, HIPAA, Medicare or Medicaid statutes, state statutes, or regulations (collectively, the “Regulatory Laws”), in connection with this HIPAA Agreement. In the event there shall be a change in the Regulatory Laws, or in the reasoned interpretation of any of the Regulatory Laws or the adoption of new federal or state legislation, any of which are reasonably likely to materially and adversely affect the manner in which either Party may perform or be compensated under this HIPAA Agreement or which shall make this HIPAA Agreement unlawful, the Parties shall immediately enter into good faith negotiations regarding a new arrangement or basis for compensation pursuant to this HIPAA Agreement that complies with the law, regulation or policy and that approximates as closely as possible the economic position of the Parties prior to the change. In addition, the Parties hereto have negotiated and prepared the terms of this HIPAA Agreement in good faith with the intent that each and every one or the terms, covenants and conditions herein be binding upon and inure to the benefit of the respective Parties. To the extent this HIPAA Agreement is in violation of applicable law, then the Parties agree to negotiate in good faith to amend this HIPAA Agreement, to the extent possible consistent with its purposes, to conform to law.
- Severability. In the event any provision of this HIPAA Agreement is held to be unenforceable for any reason, the unenforceability thereof shall not affect the remainder of this HIPAA Agreement, which shall remain in full force and effect and enforceable in accordance with its terms.
- Binding Effect. The provisions of this HIPAA Agreement shall be binding upon and shall inure to the benefit of the Parties and their respective heirs, executors, administrators, legal representatives, successors and assigns.
- Headings. All section headings contained in this HIPAA Agreement are to be considered for reference purposes only, and are not intended to define or limit the scope of any provisions of this HIPAA Agreement.