BUSINESSASSOCIATE AGREEMENT

 

---

---

 

 

 

 

 

 

This Business Associate Agreement (“Agreement”) is entered into this 22nd day of September, 2008, among Marquette Business Credit, Inc., d/b/a Marquette Healthcare Finance, Standard Insurance Center, 900 SW Fifth Avenue, Suite 1920, Portland, Oregon 97204 (“Marquette”), Zynex, Inc., and Zynex Medical, Inc. f/d/b/a Stroke Recovery Systems, 8002 Southpark Circle, Suite 100, Littleton, Colorado 80120 (collectively, “Provider”).

 

Provider is obligated to Marquette pursuant to a Loan and Security Agreement and other loan documents (collectively, the “Loan Documents”).  Pursuant to the terms of the Loan Documents and to effectuate Marquette’s lending to Provider, Provider will provide Marquette with protected health information subject to the HIPAA Privacy Rule, defined below.

 

The parties intend by this Agreement to comply with the requirements of 45 CFR § 164.504(e), which permits Provider to Disclose Protected Health Information to Marquette, and Marquette to receive or create Protected Health Information on behalf of Provider, under a written agreement meeting the requirements of that regulation.  The parties therefore agree as follows:

 

1. Definitions.

 

1.1 Generally.  Capitalized terms used, but not otherwise defined, in this Agreement have the same meaning as is given to those terms by the Privacy Rule, Security Rule, and the Loan Documents.

 

1.1.1 “Electronic Protected Health Information” shall have the same meaning as the term “electronic protected health information” in 45 CFR § 160.103, limited, however, to the information created or received by Marquette from or on behalf of Provider.

 

1.1.2 "Privacy Rule" means 45 CFR Part 160 and Part 164, Subparts A and E, which implement certain provisions of the Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191 (“HIPAA”).

 

1.1.3 “Protected Health Information” shall have the same meaning as the term “protected health information” in 45 CFR § 164.501.  Unless otherwise specified, Protected Health Information includes Electronic Protected Health Information.

 

1.1.4 “Security Incident” shall have the same meaning as the term “security incident” in 45 CFR § 164.304.

 

 

1.1.5 “Security Rule” means the Security Standards at 45 CFR Part 160, Part 162, and Part 164, subparts A and C.

 

2. Obligations and Activities of Marquette.

 

2.1 Permitted Uses and Disclosures.  Marquette shall not Use or Disclose Protected Health Information other than as permitted or required by this Agreement or as Required By Law.

 

2.2 Safeguards.

 

2.2.1 Marquette shall Use appropriate safeguards to prevent Use or Disclosure of Protected Health Information other than as provided for by this Agreement.

 

2.2.2 Marquette shall implement administrative, physical, and technical safeguards in accordance with the Security Rule that reasonably and appropriately protect the confidentiality, integrity, and availability of Electronic Protected Health Information that Marquette creates, receives, maintains, or transmits by or on behalf of Provider.

 

2.3 Report of Violations.

 

2.3.1 Marquette will report to Provider any Use or Disclosure of Protected Health Information not provided for by this Agreement of which Marquette becomes aware.

 

2.3.2 Marquette will report to Provider any Security Incident of which Marquette becomes aware.

 

2.4 Subcontractors or Agents.  Marquette shall obtain a written agreement with any agent or subcontractor to whom Marquette provides Protected Health Information created or received for or from Provider.  Such written agreement shall provide that such agent or subcontractor is bound by the same restrictions and conditions that apply through this Agreement to Marquette with respect to such Protected Health Information.

 

2.5 Access.  If requested by Provider, Marquette shall provide Provider in a reasonable time and manner access to Protected Health Information in a Designated Record Set.  If an Individual requests access to Protected Health Information from Marquette directly, Marquette will forward such request to Provider and take no direct action on such request.  If Provider determines such request is to be granted, then Marquette shall cooperate with Provider to provide, at Provider’s direction, Protected Health Information to such Individual in order to meet the requirements of 45 CFR § 164.524.  Denials of access to Protected Health Information as requested by an Individual are solely the responsibility of Provider.

 

 

2.6 Amendments to Protected Health Information.

 

2.6.1 If Provider requests that Marquette make any amendment(s) to Protected Health Information in a Designated Record Set, then Marquette will forward the relevant records to Provider for amendment and accept and incorporate such amendment(s) in the Protected Health Information as Provider directs or agrees to make pursuant to 45 CFR § 164.526.

 

2.6.2 In the event an Individual directly requests Marquette to amend Protected Health Information in a Designated Record Set, Marquette will forward the relevant records to Provider and take no direct action on the request.  If Provider determines such request is to be granted, then Marquette will cooperate with Provider to amend, at Provider’s direction, Protected Health Information in order to meet the requirements of 45 CFR § 164.526.  Denials of requests for amendment of Protected Health Information as requested by an Individual are solely the responsibility of Provider.

 

2.7 Records Available.  Marquette shall make its internal practices, books, and records relating to the Use and Disclosure of Protected Health Information created or received for or from Provider available to the Provider, or to the Secretary or the Secretary’s designee, in a reasonable time and manner for purposes of determining Provider’s compliance with the Privacy Rule.

 

2.8 Disclosure Record.  Marquette shall document Disclosures of Protected Health Information and information related to such Disclosures as are required for Provider to respond to a request by an Individual for an accounting of Disclosures of Protected Health Information in accordance with 45 CFR § 164.528.

 

2.9 Accounting of Disclosures.

 

2.9.1 Marquette shall make available to Provider in a reasonable time and manner information collected in accordance with Section 2.8 of this Agreement, so as to permit Provider to respond to a request by an Individual for an accounting of Disclosures of Protected Health Information in accordance with 45 CFR § 164.528.

 

2.9.2 In the event of a request for an accounting made directly to Marquette by an Individual, Marquette will forward such request to Provider and will take no direct action on the request.  If Provider determines to provide an accounting to the Individual, then Marquette will make available to Provider the information collected pursuant to Section 2.8 of this Agreement.  All preparation and delivery of accountings requested by Individuals shall be solely the responsibility of Provider.

 

 

3. Permitted Uses and Disclosures by Marquette.

 

3.1 General Use and Disclosure. Except as otherwise limited in this Agreement, Marquette may Use or Disclose Protected Health Information as is minimally necessary to lend, enforce security interests, and perform functions, activities, or services for, or on behalf of, Provider as specified in the Loan Documents.  No Use or Disclosure of Protected Health Information may be made by Marquette which would violate the Privacy Rule or the policies and procedures of the Provider if done by Provider.

 

3.2 Specific Uses and Disclosures.  Except as otherwise limited in this Agreement:

 

3.2.1 Marquette may Use Protected Health Information for the proper management and administration of Marquette and to carry out the legal responsibilities of Marquette.

 

3.2.2 Marquette may Disclose Protected Health Information for the proper management and administration of Marquette’s business if such Disclosures are Required By Law or Marquette obtains reasonable assurances from the person to whom the information is Disclosed that it will remain confidential and Used or further Disclosed only as Required By Law or for the purpose for which it was Disclosed to the person, and the person notifies Marquette of any instances of which it is aware that the confidentiality of the information has been breached.

 

3.2.3 Marquette may Use Protected Health Information to provide Data Aggregation services to Provider as permitted by 45 CFR § 164.504(e)(2)(i)(B).

 

3.2.4 Marquette may Use Protected Health Information to report violations of law to appropriate Federal and State authorities, consistent with 45 CFR § 164.502(j)(1).

 

3.2.5 Marquette may Use Protected Health Information for the specific Uses and Disclosures permitted by this Section 3.2 only as is minimally necessary for such Uses and Disclosures.

 

3.3 Legal Process.  If Marquette receives a subpoena, a civil, criminal, or administrative demand, or other legal process seeking production of or access to Protected Health Information created or received for or from Provider, then Marquette will promptly notify Provider of receipt of such legal process.  Contemporaneously with such notice to Provider, Marquette will relinquish to Provider all control over such Protected Health Information and the assertion of any defenses or privileges that may apply to production of such Protected Health Information.  Provider shall thereafter defend and hold harmless Marquette respecting such legal process.  In no event, however, shall Marquette have an obligation under this Agreement to disobey any order of any court or other government tribunal respecting production of or access to Protected Health Information.

 

 

4. Obligations of Provider.

 

4.1 Notice of Privacy Practices.  Provider shall notify Marquette of any limitation(s) in, or revisions to, its notice of privacy practices provided in accordance with 45 CFR § 164.520, to the extent that such limitation or revision may affect Marquette's Use or Disclosure of Protected Health Information.

 

4.2 Notice of Revocation.  Provider shall notify Marquette of any changes in, or revocation of, authorization by an Individual to Use or Disclose Protected Health Information, to the extent that such changes may affect Marquette's Use or Disclosure of Protected Health Information.

 

4.3 Notice of Restrictions.  Provider shall notify Marquette of any restriction on the Use or Disclosure of Protected Health Information that Provider has agreed to in accordance with 45 CFR § 164.522, to the extent that such restriction may affect Marquette's Use or Disclosure of Protected Health Information.

 

5. Permissible Requests by Provider.   Provider may not request Marquette to Use or Disclose Protected Health Information in any manner that would be impermissible under the Privacy Rule if done by Provider; provided, however, Marquette may Use or Disclose Protected Health Information for Data Aggregation or management and administrative activities of Marquette, as provided in Section 3.

 

6. Term and Termination.

 

6.1 Term.  Unless terminated for cause as specified below, the term of this Agreement shall extend from the date of execution until (a) all of Provider’s obligations to Marquette under any of the Loan Documents have been fully performed; and (b) all of the Protected Health Information created or received for or from Provider is destroyed or returned to Provider, or, if it is not feasible to return or destroy all such Protected Health Information, protections are extended to such Protected Health Information retained by Marquette in accordance with the provisions of Section 7.2.

 

6.2 Termination for Cause.  Upon a material breach of this Agreement by Marquette, Provider shall provide written notice of such material breach to Marquette and afford Marquette not less than 30 days to cure such breach.  In the event that Marquette fails to cure such breach within 30 days, Provider may terminate this Agreement for cause.

 

7. Return or Destruction of Protected Health Information.

 

7.1 Upon Termination.  Except as otherwise provided herein, upon termination for any reason, Marquette will return to Provider or destroy all Protected Health Information created or received for or from Provider.  This provision applies to Protected Health Information in the possession of subcontractors or agents of Marquette.  Marquette may not retain copies of Protected Health Information.

 

 

7.2 Maintenance of Protected Health Information.  If Marquette determines that returning or destroying any Protected Health Information created or received for or from Provider is not feasible, then Marquette shall (a) provide to Provider notification of the conditions that make return or destruction of the affected Protected Health Information not feasible; and (b) extend the protections of this Agreement to such Protected Health Information and limit further Uses and Disclosures of such Protected Health Information to those purposes that make the return or destruction not feasible for so long as Marquette maintains such Protected Health Information.  The obligations of this Section 7.2 survive termination of this Agreement or the Loan Documents.

 

8. Marquette’s Right to a Receiver.  In the event that this Agreement terminates for any reason, Provider defaults under the Loan Documents, or Marquette is otherwise in any way denied access to Protected Health Information prior to fulfillment of all of Provider’s obligations under the Loan Documents and such termination or denial of access to the Protected Health Information would hinder in any way Marquette’s administration or enforcement of the Loan Documents, then Marquette shall be entitled to the appointment of a receiver as a matter of right and any receiver may serve without bond.  The receiver shall comply with all directives from any court of competent jurisdiction regarding the Protected Health Information.  The receiver shall have all authority necessary or desirable to Use the Protected Health Information to administer or enforce on behalf of Marquette any term in the Loan Documents or any remedy provided by law or in equity as such court may order to cause Provider to fulfill all of its obligations under the Loan Documents.

 

9. Limitation of Remedies.  In no event shall Marquette be liable for any of Provider’s incidental or consequential damages, including without limitation damages for loss of reputation, lost revenue or profits, lost opportunities, or injury to persons or property, arising from any breach of this Agreement.

 

10. Choice of Law, Jurisdiction, Waiver of Jury Trial, and Attorney Fees.

 

10.1 Choice of Law.  This Agreement shall be construed under the laws of the State of Oregon.

 

10.2 Jurisdiction and Waiver of Jury. Any litigation, court proceeding, or action arising out of or related in any way to this Agreement shall be brought in the state or federal courts of the State of Oregon, and Provider hereby consents to the jurisdiction of such Oregon courts.  In all cases, the parties waive any right that they might have to have any claim adjudicated by a jury.

 

10.3 Attorney Fees. In any litigation, court proceeding, or action arising out of this Agreement, the prevailing party shall be entitled to an award of attorney fees and costs, including without limitation costs of depositions, experts, or any other reasonably incurred expense of litigation at trial, on appeal, or in bankruptcy.

 

 

11. Miscellaneous.

 

11.1 Regulatory References.  A reference in this Agreement to a section in HIPAA, the Privacy Rule, or the Security Rule means the section as in effect or as amended at the applicable time.

 

11.2 Amendment.  The Parties agree to amend this Agreement from time to time as is necessary for Provider to comply with the requirements of the Privacy Rule and HIPAA.  Such amendment shall be in a writing signed by both parties.

 

11.3 Construction. Any ambiguity in this Agreement, or as between this Agreement and the Loan Documents, is to be resolved so as to permit Provider to comply with the Privacy Rule.  This Agreement controls in case of a conflict between this Agreement and the Loan Documents.

 

11.4 No Third-Party Beneficiary.  Marquette enters into this Agreement for the sole purpose of maintaining the relationship embodied in the Loan Documents.  Provider enters into this Agreement for the sole purpose of compliance with the Privacy Rule.  Marquette and Provider do not intend by this Agreement or the Loan Documents to benefit any third party, including without limitation any Individual who is a subject of Protected Health Information governed by this Agreement.

 

Marquette Business Credit, Inc., d/b/a Marquette Healthcare Finance:         By: /s/ Jennifer Sheasgreen Name: Jennifer Sheasgreen Title: Senior Vice President

Zynex, Inc.:           By: /s/ Thomas Sandgaard Name: Thomas Sandgaard Title: Chief Executive Officer and President   Zynex Medical, Inc., f/d/b/a Stroke Recovery Systems:       By: /s/ Thomas Sandgaard Name: Thomas Sandgaard Title: President

 

 

 

 

---

---