Helia Care Policies

Last Updated: May 5, 2023

Business Associate Policy

Your use of Helia Connect® may require Helia Care to create, receive, maintain or transmit Patient Data, which may be subject to: (i) applicable state law; (ii) the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”); (iii) the Health Information Technology for Economic and Clinical Health Act (“HITECH”); and (iv) the regulations promulgated under those laws. Applicable state law, HIPAA, HITECH and their implementing regulations are, collectively, “Privacy Laws”. If you are a “covered entity” (as defined under Privacy Laws), your use of Helia Connect® may cause Helia Care (“us”) to be considered your “business associate” (as defined under Privacy Laws). Accordingly, you agree that this “Business Associate Policy” or “BA” shall be applicable only in the event and to the extent Helia Care meets, with respect to the Covered Entity, the definition of a Business Associate (as defined in the Privacy Laws).

1. Performance and Compliance With Law. We must work together in good faith to determine applicability of Privacy Laws, to comply with applicable Privacy Laws, and to amend this BA as necessary for you and us to comply with applicable Privacy Laws as those laws may be modified from time to time.

2. Ownership of PHI. The PHI, and all information provided to, accessed, created, used, and/or maintained under this BA, whether or not such information is de-identified in accordance with 45 C.F.R. § 164.514(b), is at all times your property.

3. Privileges. This BA does not waive or amend any attorney-customer privilege, attorney work-product doctrine, or any other similarly-applicable privilege or protection (each a “Privilege”).

4. Helia Care’s Obligations.

4.1 Uses and Disclosures. We will not use or disclose PHI except as permitted or required by this BA or as Required by Law. Except as otherwise set forth in this BA, we may:

(a) Use or disclose PHI to perform Services pursuant to the Agreement or this BA; provided that, such use or disclosure complies with Privacy Laws;

(b) Use PHI for our management and administration or to carry out our legal responsibilities;

(c) Provide Data Aggregation services relating to the Health Care Operations of Customer;

(d) Disclose PHI for the purposes in Section 5.1(b), if (i) the disclosure is Required By Law, or (ii) we obtain reasonable assurances from the persons to whom the PHI is disclosed that (A) the PHI will remain confidential and will not be used or further disclosed except as Required By Law or for the purpose for which it was disclosed to the person, and (B) the person will notify us of any instances of which it becomes aware that the confidentiality of the PHI has been breached; and

(e) Not use or disclose PHI in a manner that would violate Subpart E of 45 CFR Part 164 if done by you.

4.2 Safeguards. We will implement: (a) appropriate safeguards to prevent the use or disclosure of PHI, except as set forth in this BA; and (b) appropriate Administrative, Physical, and Technical Safeguards that reasonably and appropriately protect the Confidentiality, Integrity and Availability of EPHI.

4.3 Minimum Necessary. We may only use or disclose the minimum amount of PHI necessary for the purpose of the use or disclosure.

4.4 Subcontractors. We will ensure that any agents, including subcontractors, to whom we provide PHI or EPHI agree to the same restrictions and conditions in this BA.

4.5 Access to or Amendment of PHI. If we maintain any PHI in a Designated Record Set, we must:

(a) provide access to the PHI in a Designated Record Set to authorized individuals as required by Privacy Laws and in the time, manner, and format designated by those individuals to the extent required by Privacy Laws; and

(b) make any amendment to PHI in a Designated Record Set requested by you or authorized individuals under 45 C.F.R. §164.526.

4.6 Restrictions on PHI. We must comply with any patient restrictions on the use and disclosure of PHI reasonably requested by you under Section 6.2 below.

4.7 Reporting of Violations and Security Incidents. We must promptly report to you: (i) any use or disclosure of PHI by us or a third party to which we disclosed PHI that is not contemplated by this BA, including any Breach of Unsecured PHI; and (ii) any Security Incident, of which we become aware. This BA constitutes sufficient notice of routine unsuccessful attempts at unauthorized access to ePHI such as pings and other broadcast attacks on firewalls, denial of service attacks, failed login attempts, and port scans. We must identify and respond internally to each suspected or known Security Incident and must mitigate, to the extent practicable, each Security Incident’s harmful effects, document the outcome, and provide that documentation to you on your request.

4.8 Accounting of PHI Disclosures. We must document and, at your request, report to you all disclosures of PHI required for you to provide an accounting under 45 C.F.R. §164.528 or other applicable Privacy Laws. If any person contacts us directly for such an accounting, we must direct that person to contact you.

4.9 Audits and Inspections. We must make our internal practices, books, and any records not covered by a Privilege relating to the use, disclosure, or compromise of PHI available: (a) to you so that you may determine compliance with applicable Privacy Laws and this BA; and (b) to the Secretary of the U.S. Department of Health and Human Services or other authorized lawful authority as required by law or authorized by you in writing.

4.10 HIPAA Obligations. To the extent we carry out any obligations of yours under HIPAA, we will comply with the HIPAA obligation that applies to you in the performance of such obligation.

5. Customer’s Obligations.

5.1 Authorizations. You must obtain all consents and authorizations Required By Law for you and us to fulfill our respective and joint obligations under applicable Privacy Laws and this BA.

5.2 Restrictions and Revocations. You must promptly notify us in writing of any changes in or revocation of an individual’s permission to use or disclose PHI, or restriction regarding the use or disclosure of an individual’s PHI that you have agreed to in accordance with 45 C.F.R. § 164.522, to the extent such change, revocation, or restriction may affect our use or disclosure of PHI.

5.3 Notice of Privacy Practices. You must promptly notify us in writing of any limitation in your Notice Of Privacy Practices that may affect our use or disclosure of PHI.

5.4 Confer. On any suspected or actual Breach, unauthorized disclosure of PHI, or breach of this BAA, you must confer in good faith with us in accordance with Section 4.7 above before notifying affected individuals or commencing any legal action.

6. Term and Termination.

6.1 Term. The term of this BA commences on the earlier of the day we receive any PHI or the acceptance date of the Agreement, Member Account, or Order Form and terminates on the day we complete our performance under the Agreement, Member Account, or Order Form and discharge all our obligations under this BA.

6.2 Bankruptcy. If a Party files a voluntary bankruptcy petition, makes a general assignment for the benefit of creditors, or fails to obtain a dismissal of an involuntary bankruptcy petition filed against it within 30 days of that filing, the other Party may deem this BA to be in material breach that cannot be cured under 11 U.S.C. §365(b)(1)(A) and may oppose assumption of this BA under 11 U.S.C. §365(c)(1). The Parties acknowledge that applicable law excuses the non-breaching Party from accepting performance of this BA’s obligations from or rendering performance under this BA to an entity other than the breaching Party for purposes of 11 U.S.C. §365(c)(1).

6.3 Breach. If we materially breach this BA, you will provide us at least 30 days to cure the breach; provided that, if we do not cure the breach within the 30-day period, you may terminate this BA and the Member Account; provided, however, that if cure is not possible, you may immediately terminate this BA, the Agreement, and the Member Account.

6.4 Effect of Termination. When this BA terminates, we must return or destroy all PHI, but if we reasonably determine in our business judgment that returning or destroying the PHI is infeasible or Privacy Laws require or recommend that we maintain records containing PHI, we need not return or destroy the PHI and, for as long as we maintain the PHI, we must extend this BA’s protections to that PHI and limit further use and disclosure of the PHI solely to the purposes that make the return or destruction infeasible or contrary to Privacy Laws.

7. Miscellaneous.

7.1 Notices. The sole permissible method of giving any written notice under this BA is by email sent with a “read” receipt requested. Notice is deemed given and received when the sending Party receives the “read” receipt back from the receiving Party.

7.2 Entire Agreement. This BA, the Member Agreement, and the aforementioned policies constitute the entire agreement between the Parties and supersede all prior negotiations, discussions, representations, or proposals.

7.3 Interpretation. Any ambiguity in this BA must be resolved in favor of a meaning that permits both you and us to comply with Privacy Laws to the greatest extent possible and as consistently as possible with the Member Agreement and may not take into account who drafted this BA. “Including” is inclusive, meaning “including without limitation.”

7.4 Severability. If any provision of this BA is found to be invalid, all remaining provisions remain in full effect to the greatest extent possible.

7.5 Waiver. No failure by a Party to insist on strict compliance with any provision of this BA may be deemed to waive that provision or any other provision. A waiver is only effective if it is in writing signed and dated by both Parties.

7.6 No Third-Party Beneficiaries. There are no third-party beneficiaries to this BA. Our obligations are to you only.

7.7 Successors and Assigns. This BA inures to the benefit of and binds the Parties’ respective successors. No Party may assign this BA without the other Party’s prior written consent, which may be withheld for any reason.

7.8 LIMITATION OF LIABILITY. IN NO EVENT WILL EITHER PARTY BE LIABLE TO THE OTHER PARTY FOR ANY TYPE OF INCIDENTAL, SPECIAL, EXEMPLARY, PUNITIVE, INDIRECT, OR CONSEQUENTIAL DAMAGES, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES, UNDER ANY THEORY OF LIABILITY. OUR AGGREGATE LIABILITY TO CUSTOMER UNDER THIS BA SHALL NOT EXCEED THE AMOUNT ACTUALLY PAID TO HELIA CARE FOR THE PORTION OF THE WORK GIVING RISE TO SUCH LIABILITY, AND A RETURN OF SUCH AMOUNTS PREVIOUSLY PAID SHALL BE YOUR EXCLUSIVE REMEDY FOR ANY DAMAGES UNDER ANY THEORY OF LIABILITY.

7.9 Dispute Resolution; Governing Law. The Parties must confer in good faith in an attempt to resolve any dispute arising between them under this BA before resorting to court action. This BA will be governed by and construed in accordance with the laws of the state of Arizona, without reference to its conflict of laws provisions. With respect to any litigation based on, arising out of, or in connection with this BA, each party expressly submits to the personal jurisdiction of the Superior Court in and for the County of Maricopa, Arizona, or the United States District Court for the District of Arizona, and each party expressly waives, to the fullest extent permitted by law, any objection that such party may now or later have to the laying of venue of any such litigation brought in any such court referred to above, including without limitation, any claim that any such litigation has been brought in an inconvenient forum.