BARD REACH Program Service Agreement:

BARD Peripheral Vascular is working with McKesson to provide this patient outreach service. There are no costs to your office associated with the use of this service.

You agree to and acknowledge the following rules of the BARD REACH Program:

  1. McKesson will reach out to your patients, on your behalf, to encourage them to contact you to schedule an initial consult following the implantation of a BARD optional filter. There is no guarantee that McKesson will be able to contact any patient and neither BARD nor McKesson assume any responsibility associated with patient follow-up.
  2. In exchange for this free service, you agree to assume all risk and liability with regard to your use of the system.
  3. Any patient level data captured in this program will be used solely for the purposes of performing the BARD REACH Program and in compliance with the McKesson Privacy Policy and McKesson will not share any identifiable patient level data with any other individual or organization, including BARD.
  4. The BARD REACH Program is subject to cancelation at any time. If the BARD REACH Program is cancelled, McKesson will provide notification to your practice via the contact information you have provided in this registration. Please see the McKesson Business Associate Agreement and McKesson Terms of Use for information on your ability to access patient level data following cancelation of the BARD REACH Program. It is your responsibility to maintain patient follow-up records in the normal course of your patient administration.
  5. The BARD REACH Program is not designed or intended to capture or maintain information regarding adverse events or patient medical care. McKesson Patient Care Representatives are trained to instruct patients to contact their physician directly in situations where a patient may request or advise the McKesson Patient Care Representative of medical health issues or inquiries.
  6. You represent and warrant that you and your staff are disclosing patient information to McKesson in compliance with applicable law, including any requisite authorization from the patient, and are solely responsible for the accuracy of the patient information provided. Further, you will defend and indemnify McKesson and any affiliate for any third party claims and all losses, including reasonable attorney fees, arising from your breach of this representation and warranty or failure to comply with applicable law.
  7. You agree to notify McKesson immediately should a patient ask for an accounting of disclosures.
BUSINESS ASSOCIATE AGREEMENT

This Business Associate Agreement ("BAA") is entered into by and between McKesson Patient Relationship Solutions, a division of McKesson Specialty Arizona Inc. ("McKesson") and the organization ("Provider") that is registering for this service and is effective as of the completion of this registration (the "BAA Effective Date").

RECITALS
  1. McKesson is providing services to Provider with regard to Provider patients relating to Optional Inferior Cava Filters manufactured by BARD Peripheral Vascular, Inc., in conjunction with the above agreement (the "Underlying Agreement"), and Provider wishes to disclose certain information to McKesson in support of the Underlying Agreement , some of which may constitute Protected Health Information ("PHI") (defined below).
  2. Provider and McKesson acknowledge that McKesson obtains PHI pursuant to the Underlying Agreement only for the specific and limited purpose of administering certain patient outreach services offered by certain pharmaceutical or medical device manufacturers with respect to those manufacturers' products.
  3. Provider and McKesson intend to protect the privacy and provide for the security of PHI disclosed to McKesson pursuant to the Underlying Agreement in compliance with (i) the Health Insurance Portability and Accountability Act of 1996, Public Law No. 104-191 ("HIPAA"), and regulations promulgated thereunder by the U.S. Department of Health and Human Services (the "HIPAA Regulations"); and (ii) Subtitle D of the Health Information Technology for Economic and Clinical Health Act (the "HITECH Act"), also known as Title XIII of Division A and Title IV of Division B of the American Recovery and Reinvestment Act of 2009, Public Law No. 111-005 ("ARRA").
  4. The purpose of this BAA is to satisfy certain standards and requirements of HIPAA, the Privacy Rule and the Security Rule (as those terms are defined below), and the HITECH Act, including, but not limited to, Title 45, §§ 164.314(a)(2)(i), 164.502(e) and 164.504(e) of the Code of Federal Regulations ("C.F.R."), and 42 U.S.C. §§ 17931(a) and 17934(a).

In consideration of the mutual promises below and the exchange of information pursuant to this BAA, the parties agree as follows:

  1. Definitions.
    1. Capitalized Terms. Capitalized terms used in this BAA and not otherwise defined herein shall have the meanings set forth in the Privacy Rule, the Security Rule, and the HITECH Act, which definitions are incorporated in this BAA by reference.
    2. "Breach" shall have the same meaning given to such term in 42 U.S.C. § 17921(1) and 45 C.F.R. § 164.402.
    3. "Designated Record Set" shall have the same meaning given to such term in 45 C.F.R. § 164.501.
    4. "Electronic Health Record" shall have same meaning given to such term in 42 U.S.C. § 17921(5).
    5. "Electronic Protected Health Information" or "Electronic PHI" shall have the meaning given to such term under the Privacy Rule and the Security Rule, including, but not limited to, 45 C.F.R. § 160.103, as applied to the information that McKesson creates, receives, maintains or transmits from or on behalf of Provider.
    6. "Individual" shall have the same meaning as the term "individual" in 45 C.F.R. § 160.103 and shall include a person who qualifies as a personal representative in accordance with 45 C.F.R. § 164.502(g).
    7. "Privacy Rule" shall mean the Standards for Privacy of Individually Identifiable Health Information at 45 C.F.R. Parts 160 and 162 and Part 164, Subparts A and E.
    8. "Protected Health Information" or "PHI" shall have the same meaning as the term "protected health information" in 45 C.F.R. § 160.103, as applied to the information created or received by McKesson from or on behalf of Provider.
    9. "Required by Law" shall have the same meaning as the term "required by law" in 45 C.F.R. § 164.103.
    10. "Secretary" shall mean the Secretary of the Department of Health and Human Services or his or her designee.
    11. "Security Incident" shall have the meaning given to such term in 45 C.F.R. § 164.304, but shall not include, (i) unsuccessful attempts to penetrate computer networks or servers maintained by McKesson and (ii) immaterial incidents that occur on a routine basis, such as general "pinging" or "denial of service" attacks.
    12. "Security Rule" shall mean the Security Standards at 45 C.F.R. Parts 160 and 162 and Part 164, Subparts A and C.
    13. "Unsecured PHI" shall have the same meaning given to such term under 42 U.S.C. § 17931(h), and guidance promulgated thereunder.
  2. Permitted Uses and Disclosures of PHI.
    1. Uses and Disclosures of PHI Pursuant to Underlying Agreement. Except as otherwise limited in this BAA, McKesson may use or disclose PHI to perform functions, activities or services for, or on behalf of, Provider as specified in Underlying Agreement, provided that such use or disclosure would not violate the Privacy Rule if done by Provider.
    2. Permitted Uses of PHI by McKesson. Except as otherwise limited in this BAA, McKesson may use solely for the purposes of carrying out the Underlying Agreement or as Required by Law.
    3. Permitted Disclosures of PHI by McKesson. Except as otherwise limited in this BAA, McKesson may disclose PHI solely as Required by Law or for the purposes of the carrying out the Underlying Agreement, provided that the disclosures are Required by Law, or McKesson obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and will be used or further disclosed only as Required by Law or for the purpose for which it was disclosed to the person (which purpose must be consistent with the limitations imposed upon McKesson pursuant to this BAA), and that the person agrees to notify McKesson of any instances of which it is aware in which the confidentiality of the information has been breached. McKesson may use PHI to report violations of law to appropriate federal and state authorities, consistent with 45 C.F.R. § 164.502(j)(1), but prior to making such use or disclosure, must use reasonable efforts to meet and confer with Provider regarding the circumstances that require such use or disclosure.
    4. Data Aggregation. Except as otherwise limited in this BAA, McKesson may use PHI to provide Data Aggregation services as permitted by 45 C.F.R. § 164.504(e)(2)(i)(B), including use of PHI for statistical compilations, reports, research and all other purposes allowed under applicable law. Disclosure Pursuant to Authorization. Without limiting the generality of the foregoing, McKesson reserves the right at its sole discretion to disclose an Individual's PHI in response to and in accordance with a valid authorization executed by such individual that meets the requirements set forth in the Privacy Rule. McKesson shall not affirmatively seek an Individual's authorization for any use or disclosure intended to further McKesson's own commercial purposes.
  3. Obligations of McKesson.

    1. Appropriate Safeguards.
      1. Privacy of PHI. McKesson shall develop, implement, maintain, and use appropriate safeguards to prevent use or disclosure of PHI other than as provided for by the Underlying Agreement and this BAA. The safeguards must reasonably protect PHI from any intentional or unintentional use or disclosure in violation of the Privacy Rule and this BAA, and limit incidental uses or disclosures made pursuant to a use or disclosure otherwise permitted by this BAA.
      2. Security of PHI. McKesson shall develop, implement, maintain, and use appropriate administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of Electronic PHI, as required by the Security Rule. McKesson shall comply with the provisions of 45 C.F.R. §§ 164.308, 164.310, 164.312 and 164.316 relating to implementation of administrative, physical and technical safeguards with respect to Electronic PHI in the same manner that such provisions apply to a HIPAA business associate pursuant to the HITECH Act. McKesson shall also comply with any additional security requirements contained in the HITECH Act that are applicable to a business associate.
    2. Reporting of Improper Use or Disclosure, Security Incident or Breach. McKesson shall report to Provider any use or disclosure of PHI not provided for by the Underlying Agreement of which it becomes aware. McKesson shall report to Provider any Security Incident of which it becomes aware. McKesson shall notify Provider of any Breach of Unsecured PHI as soon as practicable, and no later than fifteen (15) days after discovery of such Breach. McKesson's notification to Provider of a Breach shall include: (i) the identification of each individual whose Unsecured PHI has been, or is reasonably believed by McKesson to have been, accessed, acquired or disclosed during the Breach; and (ii) any particulars regarding the Breach that Provider would need to include in its notification, as such particulars are identified in 42 U.S.C. § 17932 and 45 C.F.R. § 164.404.
    3. McKesson's Agents. McKesson shall ensure that any agent or subcontractor to whom it provides PHI received from, or created or received by McKesson on behalf of Provider, agrees to the same restrictions and conditions that apply through this BAA to McKesson with respect to such PHI. McKesson shall ensure that any agent, including a subcontractor, to whom it provides Electronic PHI agrees to implement reasonable and appropriate safeguards to protect such information.
    4. Access to PHI. The parties do not intend for McKesson to maintain any PHI in a Designated Record Set for Provider. To the extent McKesson possesses PHI in a Designated Record Set, McKesson agrees to make such information available to Provider pursuant to 45 C.F.R. § 164.524 and 42 U.S.C. § 17935(e)(1), as applicable, within ten (10) business days of McKesson's receipt of a written request from Provider; provided, however, that McKesson is not required to provide such access where the PHI contained in a Designated Record Set is duplicative of the PHI contained in a Designated Record Set possessed by Provider. If an Individual makes a request for access pursuant to 45 C.F.R. § 164.524 directly to McKesson, or inquires about his or her right to access, McKesson shall direct the Individual to Provider.
    5. Amendment of PHI.The parties do not intend for McKesson to maintain any PHI in a Designated Record Set for Provider. To the extent McKesson possesses PHI in a Designated Record Set, McKesson agrees to make such information available to Provider for amendment pursuant to 45 C.F.R. § 164.526 within twenty (20) business days of McKesson's receipt of a written request from Provider. If an Individual submits a written request for amendment pursuant to 45 C.F.R. § 164.526 directly to McKesson, or inquires about his or her right to amendment, McKesson shall direct the Individual to Provider.
    6. Documentation of Disclosures. McKesson agrees to document such disclosures of PHI and information related to such disclosures as would be required for Provider to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528, and 42 U.S.C. § 17935(c), as applicable. McKesson shall document, at a minimum, the following information ("Disclosure Information"): (i) the date of the disclosure; (ii) the name and, if known, the address of the recipient of the PHI; (iii) a brief description of the PHI disclosed; (iv) the purpose of the disclosure that includes an explanation of the basis for such disclosure; and (v) any additional information required under the HITECH Act and any implementing regulations.
    7. Accounting of Disclosures. McKesson agrees to provide to Provider, within twenty (20) business days of McKesson's receipt of a written request from Provider, information collected in accordance with Section 3(f) of this BAA, to permit Provider to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528, and 42 U.S.C. § 17935(c), as applicable.
    8. Governmental Access to Records. McKesson shall make its internal practices, books and records relating to the use and disclosure of PHI received from, or created or received by McKesson on behalf of, Provider available to the Secretary for purposes of the Secretary determining Provider's compliance with the Privacy Rule and the Security Rule.
    9. Mitigation. To the extent practicable, McKesson will cooperate with Provider's efforts to mitigate a harmful effect that is known to McKesson of a use or disclosure of PHI not provided for in this BAA.
    10. Minimum Necessary. McKesson shall request, use and disclose the minimum amount of PHI necessary to accomplish the purpose of the request, use or disclosure, in accordance with 42 U.S.C. § 17935(b) and regulations promulgated thereunder.
    11. Limitations on Marketing and Fundraising. McKesson may use and disclose PHI for marketing purposes only as expressly directed by Provider, and in accordance with 42 U.S.C. § 17936(a). McKesson shall not use or disclose PHI for fundraising purposes.
    12. Limitation on Sale of Electronic Health Records and PHI. McKesson shall comply with the prohibition on the sale of Electronic Health Records and PHI set forth in 42 U.S.C. § 17935(d).
    13. HITECH Act Applicability. McKesson acknowledges that enactment of the HITECH Act amended certain provisions of HIPAA in ways that now directly regulate, or will on future dates directly regulate, McKesson under the Privacy Rule and Security Rule. To the extent not referenced or incorporated herein, requirements applicable to McKesson under the HITECH Act are hereby incorporated by reference into this BAA. McKesson agrees to comply with applicable requirements imposed under the HITECH Act, as of the effective date of each such requirement.
  4. Obligations of Provider.
    1. Notice of Privacy Practices. Provider shall notify McKesson of any limitation(s) in its notice of privacy practices in accordance with 45 C.F.R. § 164.520, to the extent that such limitation may affect McKesson's use or disclosure of PHI. Provider shall provide such notice no later than fifteen (15) days prior to the effective date of the limitation.
    2. Notification of Changes Regarding Individual Permission. Provider shall notify McKesson of any change in, or revocation of, permission by an Individual to use or disclose PHI, to the extent that such changes may affect McKesson's use or disclosure of PHI. Provider shall provide such notice no later than fifteen (15) days prior to the effective date of the change. Provider shall obtain any consent or authorization that may be required by the Privacy Rule, or applicable state law, prior to furnishing McKesson with PHI.
    3. Notification of Restrictions to Use or Disclosure of PHI. Provider shall notify McKesson of any restriction to the use or disclosure of PHI that Provider has agreed to in accordance with 45 C.F.R. § 164.522 or 42 U.S.C. § 17935(a), to the extent that such restriction may affect McKesson's use or disclosure of PHI. Provider shall provide such notice no later than fifteen (15) days prior to the effective date of the restriction. If McKesson reasonably believes that any restriction agreed to by Provider pursuant to this Section may materially impair McKesson's ability to perform its obligations under the Underlying Agreement or this BAA, the parties shall mutually agree upon any necessary modification of McKesson's obligations under such agreements.
    4. Permissible Requests by Provider. Provider shall not request McKesson to use or disclose PHI in any manner that would not be permissible under the Privacy Rule, the Security Rule or the HITECH Act if done by Provider, except as permitted pursuant to the provisions of Sections 2(b), 2(c), 2(d), 2(e) and 2(f) of this BAA.
  5. Term and Termination.
    1. Term. The term of this BAA shall commence as of the BAA Effective Date, and shall terminate when all of the PHI provided by Provider to McKesson, or created or received by McKesson on behalf of Provider, is destroyed or returned to Provider or, if it is infeasible to return or destroy PHI, protections are extended to such information, in accordance with Section 5(c).
    2. Termination for Cause. Upon either party's knowledge of a material breach by the other party of this BAA, such party shall provide written notice to the breaching party detailing the nature of the breach and providing an opportunity to cure the breach within thirty (30) business days. Upon the expiration of such 30-day cure period, the non-breaching party may terminate this BAA and, at its election, the Underlying Agreement, if cure is not possible. If neither termination nor cure are possible, the non-breaching party shall report the violation to the Secretary as required by law
    3. Effect of Termination.
      1. Except as provided in paragraph (ii) of this Section 5(c), upon termination of the Underlying Agreement or this BAA for any reason, McKesson shall return or destroy all PHI received from Provider, or created or received by McKesson on behalf of Provider, and shall retain no copies of the PHI. This provision shall apply to PHI that is in the possession of subcontractors or agents of McKesson.
      2. If it is infeasible for McKesson to return or destroy the PHI upon termination of the Underlying Agreement or this BAA, McKesson shall: (i) extend the protections of this BAA to such PHI; (ii) limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as McKesson maintains such PHI; and (iii) never disclose such PHI to another McKesson client or third party unless such information has been de-identified in accordance with the standards set forth in 45 C.F.R. § 164.514(b).
  6. Survival. The respective rights and obligations of McKesson under Section 5(c) of this BAA shall survive the termination of the BAA and the Underlying Agreement.
  7. Effect of BAA. In the event of any inconsistency between the provisions of this BAA and the Underlying Agreement, the provisions of the BAA shall control. In the event of inconsistency between the provisions of this BAA and mandatory provisions of the Privacy Rule, the Security Rule or the HITECH Act, as amended, or their interpretation by any court or regulatory agency with authority over McKesson or Provider, such interpretation shall control; provided, however, that if any relevant provision of the Privacy Rule, the Security Rule or the HITECH Act is amended in a manner that changes the obligations of McKesson or Provider that are embodied in terms of this BAA, then the parties agree to negotiate in good faith appropriate non-financial terms or amendments to this BAA to give effect to such revised obligations. Where provisions of the BAA are different from those mandated in the Privacy Rule, the Security Rule, or the HITECH Act, but are nonetheless permitted by such rules as interpreted by courts or agencies, the provisions of the BAA shall control.
  8. General. This BAA is governed by, and shall be construed in accordance with, the laws of the State that govern the Underlying Agreement. Any action relating to this BAA must be commenced within (1) one year after the date upon which the cause of action accrued. Provider shall not assign this BAA without the prior written consent of McKesson, which shall not be unreasonably withheld. If any part of a provision of this BAA is found illegal or unenforceable, it shall be enforced to the maximum extent permissible, and the legality and enforceability of the remainder of that provision and all other provisions of this BAA shall not be affected. All notices relating to the parties' legal rights and remedies under this BAA shall be provided in writing to a party, shall be sent to its address set forth in the signature block below, or to such other address as may be designated by that party by notice to the sending party, and shall reference this BAA. This BAA may be modified, or any rights under it waived, only by a written document executed by the authorized representatives of both parties. Nothing in this BAA shall confer any right, remedy, or obligation upon anyone other than Provider and McKesson. This BAA is the complete and exclusive agreement between the parties with respect to the subject matter hereof, superseding and replacing all prior agreements, communications, and understandings (written and oral) regarding its subject matter.