BUSINESS ASSOCIATE AGREEMENT
Exhibit 10.6
This
Business Associate Agreement (“Agreement”) is entered into
this 22nd day of September, 2008, among Marquette Business Credit, Inc., d/b/a
Marquette Healthcare Finance, Standard Insurance Center, 000 XX Xxxxx Xxxxxx,
Xxxxx 0000, Xxxxxxxx, Xxxxxx 00000 (“Marquette”), Zynex, Inc., and
Zynex Medical, Inc. f/d/b/a Stroke Recovery Systems, 0000 Xxxxxxxxx Xxxxxx,
Xxxxx 000, Xxxxxxxxx, Xxxxxxxx 00000 (collectively, “Provider”).
Provider
is obligated to Marquette pursuant to a Loan and Security Agreement and other
loan documents (collectively, the “Loan
Documents”). Pursuant to the terms of the Loan Documents and
to effectuate Marquette’s lending to Provider, Provider will provide Marquette
with protected health information subject to the HIPAA Privacy Rule, defined
below.
The
parties intend by this Agreement to comply with the requirements of 45 CFR §
164.504(e), which permits Provider to Disclose Protected Health Information to
Marquette, and Marquette to receive or create Protected Health Information on
behalf of Provider, under a written agreement meeting the requirements of that
regulation. The parties therefore agree as follows:
1. Definitions.
1.1 Generally. Capitalized
terms used, but not otherwise defined, in this Agreement have the same meaning
as is given to those terms by the Privacy Rule, Security Rule, and the Loan
Documents.
1.1.1 “Electronic Protected Health
Information” shall have the same meaning as the term “electronic
protected health information” in 45 CFR § 160.103, limited, however, to the
information created or received by Marquette from or on behalf of
Provider.
1.1.2 "Privacy Rule" means 45 CFR
Part 160 and Part 164, Subparts A and E, which implement certain provisions of
the Health Insurance Portability and Accountability Act of 1996, Pub. L. No.
104-191 (“HIPAA”).
1.1.3 “Protected Health Information”
shall have the same meaning as the term “protected health information” in 45 CFR
§ 164.501. Unless otherwise specified, Protected Health Information
includes Electronic Protected Health Information.
1.1.4 “Security Incident” shall have
the same meaning as the term “security incident” in 45 CFR §
164.304.
Exhibit
10.6 - Page 1 of 7
1.1.5 “Security Rule” means the
Security Standards at 45 CFR Part 160, Part 162, and Part 164, subparts A
and C.
2. Obligations and Activities of
Marquette.
2.1 Permitted Uses and
Disclosures. Marquette shall not Use or Disclose Protected
Health Information other than as permitted or required by this Agreement or as
Required By Law.
2.2 Safeguards.
2.2.1 Marquette
shall Use appropriate safeguards to prevent Use or Disclosure of Protected
Health Information other than as provided for by this Agreement.
2.2.2 Marquette
shall implement administrative, physical, and technical safeguards in accordance
with the Security Rule that reasonably and appropriately protect the
confidentiality, integrity, and availability of Electronic Protected Health
Information that Marquette creates, receives, maintains, or transmits by or on
behalf of Provider.
2.3 Report of
Violations.
2.3.1 Marquette
will report to Provider any Use or Disclosure of Protected Health Information
not provided for by this Agreement of which Marquette becomes
aware.
2.3.2 Marquette
will report to Provider any Security Incident of which Marquette becomes
aware.
2.4 Subcontractors or
Agents. Marquette shall obtain a written agreement with any
agent or subcontractor to whom Marquette provides Protected Health Information
created or received for or from Provider. Such written agreement
shall provide that such agent or subcontractor is bound by the same restrictions
and conditions that apply through this Agreement to Marquette with respect to
such Protected Health Information.
2.5 Access. If
requested by Provider, Marquette shall provide Provider in a reasonable time and
manner access to Protected Health Information in a Designated Record
Set. If an Individual requests access to Protected Health Information
from Marquette directly, Marquette will forward such request to Provider and
take no direct action on such request. If Provider determines such
request is to be granted, then Marquette shall cooperate with Provider to
provide, at Provider’s direction, Protected Health Information to such
Individual in order to meet the requirements of 45 CFR §
164.524. Denials of access to Protected Health Information as
requested by an Individual are solely the responsibility of
Provider.
Exhibit
10.6 - Page 2 of 7
2.6 Amendments to Protected Health
Information.
2.6.1 If
Provider requests that Marquette make any amendment(s) to Protected Health
Information in a Designated Record Set, then Marquette will forward the relevant
records to Provider for amendment and accept and incorporate such amendment(s)
in the Protected Health Information as Provider directs or agrees to make
pursuant to 45 CFR § 164.526.
2.6.2 In the
event an Individual directly requests Marquette to amend Protected Health
Information in a Designated Record Set, Marquette will forward the relevant
records to Provider and take no direct action on the request. If
Provider determines such request is to be granted, then Marquette will cooperate
with Provider to amend, at Provider’s direction, Protected Health Information in
order to meet the requirements of 45 CFR § 164.526. Denials of
requests for amendment of Protected Health Information as requested by an
Individual are solely the responsibility of Provider.
2.7 Records
Available. Marquette shall make its internal practices, books,
and records relating to the Use and Disclosure of Protected Health Information
created or received for or from Provider available to the Provider, or to the
Secretary or the Secretary’s designee, in a reasonable time and manner for
purposes of determining Provider’s compliance with the Privacy
Rule.
2.8 Disclosure
Record. Marquette shall document Disclosures of Protected
Health Information and information related to such Disclosures as are required
for Provider to respond to a request by an Individual for an accounting of
Disclosures of Protected Health Information in accordance with 45 CFR §
164.528.
2.9 Accounting of
Disclosures.
2.9.1 Marquette
shall make available to Provider in a reasonable time and manner information
collected in accordance with Section 2.8 of this Agreement, so as to permit
Provider to respond to a request by an Individual for an accounting of
Disclosures of Protected Health Information in accordance with 45 CFR §
164.528.
2.9.2 In the
event of a request for an accounting made directly to Marquette by an
Individual, Marquette will forward such request to Provider and will take no
direct action on the request. If Provider determines to provide an
accounting to the Individual, then Marquette will make available to Provider the
information collected pursuant to Section 2.8 of this Agreement. All
preparation and delivery of accountings requested by Individuals shall be solely
the responsibility of Provider.
Exhibit
10.6 - Page 3 of 7
3. Permitted Uses and Disclosures by
Marquette.
3.1 General Use and Disclosure.
Except as otherwise limited in this Agreement, Marquette may Use or Disclose
Protected Health Information as is minimally necessary to lend, enforce security
interests, and perform functions, activities, or services for, or on behalf of,
Provider as specified in the Loan Documents. No Use or Disclosure of
Protected Health Information may be made by Marquette which would violate the
Privacy Rule or the policies and procedures of the Provider if done by
Provider.
3.2 Specific Uses and
Disclosures. Except as otherwise limited in this
Agreement:
3.2.1 Marquette
may Use Protected Health Information for the proper management and
administration of Marquette and to carry out the legal responsibilities of
Marquette.
3.2.2 Marquette
may Disclose Protected Health Information for the proper management and
administration of Marquette’s business if such Disclosures are Required By Law
or Marquette obtains reasonable assurances from the person to whom the
information is Disclosed that it will remain confidential and Used or further
Disclosed only as Required By Law or for the purpose for which it was Disclosed
to the person, and the person notifies Marquette of any instances of which it is
aware that the confidentiality of the information has been
breached.
3.2.3 Marquette
may Use Protected Health Information to provide Data Aggregation services to
Provider as permitted by 45 CFR § 164.504(e)(2)(i)(B).
3.2.4 Marquette
may Use Protected Health Information to report violations of law to appropriate
Federal and State authorities, consistent with 45 CFR §
164.502(j)(1).
3.2.5 Marquette
may Use Protected Health Information for the specific Uses and Disclosures
permitted by this Section 3.2 only as is minimally necessary for such Uses and
Disclosures.
3.3 Legal Process. If
Marquette receives a subpoena, a civil, criminal, or administrative demand, or
other legal process seeking production of or access to Protected Health
Information created or received for or from Provider, then Marquette will
promptly notify Provider of receipt of such legal
process. Contemporaneously with such notice to Provider, Marquette
will relinquish to Provider all control over such Protected Health Information
and the assertion of any defenses or privileges that may apply to production of
such Protected Health Information. Provider shall thereafter defend
and hold harmless Marquette respecting such legal process. In no
event, however, shall Marquette have an obligation under this Agreement to
disobey any order of any court or other government tribunal respecting
production of or access to Protected Health Information.
Exhibit
10.6 - Page 4 of 7
4. Obligations of
Provider.
4.1 Notice of Privacy
Practices. Provider shall notify Marquette of any
limitation(s) in, or revisions to, its notice of privacy practices provided in
accordance with 45 CFR § 164.520, to the extent that such limitation or revision
may affect Marquette's Use or Disclosure of Protected Health
Information.
4.2 Notice of
Revocation. Provider shall notify Marquette of any changes in,
or revocation of, authorization by an Individual to Use or Disclose Protected
Health Information, to the extent that such changes may affect Marquette's Use
or Disclosure of Protected Health Information.
4.3 Notice of
Restrictions. Provider shall notify Marquette of any
restriction on the Use or Disclosure of Protected Health Information that
Provider has agreed to in accordance with 45 CFR § 164.522, to the extent that
such restriction may affect Marquette's Use or Disclosure of Protected Health
Information.
5. Permissible Requests by
Provider. Provider may not request Marquette to Use or
Disclose Protected Health Information in any manner that would be impermissible
under the Privacy Rule if done by Provider; provided, however, Marquette may Use
or Disclose Protected Health Information for Data Aggregation or management and
administrative activities of Marquette, as provided in Section 3.
6. Term and
Termination.
6.1 Term. Unless
terminated for cause as specified below, the term of this Agreement shall extend
from the date of execution until (a) all of Provider’s obligations to Marquette
under any of the Loan Documents have been fully performed; and (b) all of the
Protected Health Information created or received for or from Provider is
destroyed or returned to Provider, or, if it is not feasible to return or
destroy all such Protected Health Information, protections are extended to such
Protected Health Information retained by Marquette in accordance with the
provisions of Section 7.2.
6.2 Termination for
Cause. Upon a material breach of this Agreement by Marquette,
Provider shall provide written notice of such material breach to Marquette and
afford Marquette not less than 30 days to cure such breach. In the
event that Marquette fails to cure such breach within 30 days, Provider may
terminate this Agreement for cause.
7. Return or Destruction of Protected
Health Information.
7.1 Upon
Termination. Except as otherwise provided herein, upon
termination for any reason, Marquette will return to Provider or destroy all
Protected Health Information created or received for or from
Provider. This provision applies to Protected Health Information in
the possession of subcontractors or agents of Marquette. Marquette
may not retain copies of Protected Health Information.
Exhibit
10.6 - Page 5 of 7
7.2 Maintenance of Protected Health
Information. If Marquette determines that returning or
destroying any Protected Health Information created or received for or from
Provider is not feasible, then Marquette shall (a) provide to Provider
notification of the conditions that make return or destruction of the affected
Protected Health Information not feasible; and (b) extend the protections of
this Agreement to such Protected Health Information and limit further Uses and
Disclosures of such Protected Health Information to those purposes that make the
return or destruction not feasible for so long as Marquette maintains such
Protected Health Information. The obligations of this Section 7.2
survive termination of this Agreement or the Loan Documents.
8. Marquette’s Right to a
Receiver. In the event that this Agreement terminates for any
reason, Provider defaults under the Loan Documents, or Marquette is otherwise in
any way denied access to Protected Health Information prior to fulfillment of
all of Provider’s obligations under the Loan Documents and such termination or
denial of access to the Protected Health Information would hinder in any way
Marquette’s administration or enforcement of the Loan Documents, then Marquette
shall be entitled to the appointment of a receiver as a matter of right and any
receiver may serve without bond. The receiver shall comply with all
directives from any court of competent jurisdiction regarding the Protected
Health Information. The receiver shall have all authority necessary
or desirable to Use the Protected Health Information to administer or enforce on
behalf of Marquette any term in the Loan Documents or any remedy provided by law
or in equity as such court may order to cause Provider to fulfill all of its
obligations under the Loan Documents.
9. Limitation of
Remedies. In no event shall Marquette be liable for any of
Provider’s incidental or consequential damages, including without limitation
damages for loss of reputation, lost revenue or profits, lost opportunities, or
injury to persons or property, arising from any breach of this
Agreement.
10. Choice of Law, Jurisdiction, Waiver
of Jury Trial, and Attorney Fees.
10.1 Choice of Law. This
Agreement shall be construed under the laws of the State of Oregon.
10.2 Jurisdiction and Waiver of
Jury. Any litigation, court proceeding, or action arising out of or
related in any way to this Agreement shall be brought in the state or federal
courts of the State of Oregon, and Provider hereby consents to the jurisdiction
of such Oregon courts. In all cases, the parties waive any right that
they might have to have any claim adjudicated by a jury.
10.3 Attorney Fees. In any
litigation, court proceeding, or action arising out of this Agreement, the
prevailing party shall be entitled to an award of attorney fees and costs,
including without limitation costs of depositions, experts, or any other
reasonably incurred expense of litigation at trial, on appeal, or in
bankruptcy.
Exhibit
10.6 - Page 6 of 7
11. Miscellaneous.
11.1 Regulatory
References. A reference in this Agreement to a section in
HIPAA, the Privacy Rule, or the Security Rule means the section as in effect or
as amended at the applicable time.
11.2 Amendment. The
Parties agree to amend this Agreement from time to time as is necessary for
Provider to comply with the requirements of the Privacy Rule and
HIPAA. Such amendment shall be in a writing signed by both
parties.
11.3 Construction. Any ambiguity in
this Agreement, or as between this Agreement and the Loan Documents, is to be
resolved so as to permit Provider to comply with the Privacy
Rule. This Agreement controls in case of a conflict between this
Agreement and the Loan Documents.
11.4 No Third-Party
Beneficiary. Marquette enters into this Agreement for the sole
purpose of maintaining the relationship embodied in the Loan
Documents. Provider enters into this Agreement for the sole purpose
of compliance with the Privacy Rule. Marquette and Provider do not
intend by this Agreement or the Loan Documents to benefit any third party,
including without limitation any Individual who is a subject of Protected Health
Information governed by this Agreement.
|
Marquette Business Credit,
Inc.,
d/b/a Marquette Healthcare
Finance:
By: /s/ Xxxxxxxx
Xxxxxxxxxx
Name:
Xxxxxxxx Xxxxxxxxxx
Title:
Senior Vice President
|
Zynex,
Inc.:
By: /s/ Xxxxxx
Xxxxxxxxx
Name:
Xxxxxx Xxxxxxxxx
Title:
Chief Executive Officer and President
Zynex Medical, Inc., f/d/b/a
Stroke Recovery
Systems:
By: /s/ Xxxxxx
Xxxxxxxxx
Name:
Xxxxxx Xxxxxxxxx
Title:
President
|
Exhibit 10.6 - Page 7 of 7
