NETWORK PARTICIPATION AGREEMENT

Transcription

1 NETWORK PARTICIPATION AGREEMENT THIS NETWORK PARTICIPATION AGREEMENT ( Agreement ) is entered into on the date(s) indicated below, by and between the undersigned physician (hereinafter Physician ; and for purposes of this Agreement Physician shall be deemed to apply to any individual Physician as well as the entity or group which employs or otherwise contracts with Physician for the provision of health services) and Gulf South Quality Network, L.L.C. ( GSQN ). WHEREAS, GSQN is engaged in the development and implementation of an active and ongoing program to evaluate and modify practice patterns by participating physicians and create a high degree of interdependence and cooperation among the participating physicians to control costs and ensure quality, and which may include: (1) establishing mechanisms to monitor and control utilization of health care services that are designed to control costs and assure quality of care; (2) selectively choosing network physicians who are likely to further these efficiency objectives; and (3) the significant investment of capital, both monetary and human, in the necessary infrastructure and capability to realize the claimed efficiencies (the Clinical Integration Program or CI Program ); and WHEREAS, pursuant to such Clinical Integration Program, GSQN s purpose is to coordinate, on a non-exclusive basis, contracts on behalf of its participating physicians with purchasers of health care services including, but not limited to: employers, trusts, insurance companies, health maintenance organizations, and preferred provider organizations (all hereinafter "Purchasers"); and WHEREAS, Physician desires to participate in both GSQN's Clinical Integration Program and its contracting activities with Purchasers; NOW THEREFORE, for such additional real and valuable consideration, the sufficiency of which the parties hereby acknowledge, GSQN and Physician agree as follows: 1. The Parties. GSQN is a Louisiana limited liability company organized for the purpose of developing and operating the Clinical Integration Program described herein. Physician is a duly licensed physician in the State of and is affiliated with or sponsored by, one of the members of GSQN. 2. The Purpose. The purpose of this Agreement is to identify the conditions of participation and the commitment of Physician to the GSQN CI Program. 3. Membership and Participation Criteria. Consistent with the purpose of this Agreement, Physician shall abide by the Membership and Participation Criteria set forth in Exhibit A. 4. Transparency. GSQN shall make available for review by Physician all policies, procedures, standards, criteria and requirements developed by GSQN, and as modified from time to time by the GSQN Board of Managers (collectively, the GSQN Policies ), including, but not limited to, those regarding:

2 a. GSQN enrollment, credentialing and membership; b. The Clinical Integration Program; c. Purchaser contracting; d. Incentives and bonus payments; and e. Accountability and remediation. 5. Contracting. In accordance with GSQN's Policies, Physician shall participate in GSQN's contracting activities with Purchasers: a. Physician shall designate GSQN to act as its agent in negotiations with Purchasers for contracts that obligate Physician to provide medical services to individuals who are beneficiaries under the health benefit plans of such Purchasers ( Clinically Integrated Purchaser Contracts ). b. Physician agrees to participate in such Clinically Integrated Purchaser Contracts negotiated by GSQN, including compliance with any and all fee schedules, payment criteria, standards, policies, procedures, programs, rules and regulations ("Purchaser Contract Terms"). c. GSQN shall provide Physician with all relevant Purchaser Contract Terms. d. During the Term, GSQN shall have the right to utilize the name, trademarks, logos and symbols identifying Physician, consistent with and in furtherance of the CI Program. 6. Confidentiality. The parties acknowledge that during the term of this Agreement they will receive confidential information of the other, including confidential information of GSQN Members. Accordingly, the parties agree that: a. Neither Physician nor GSQN shall disclose to any unauthorized third party, including, without limitation GSQN Members or other participating practices or groups, confidential and proprietary information collected or exchanged pursuant to the GSQN Policies or this Agreement ("Confidential Information"), unless such disclosure is required by law or is authorized in writing by the other party. Any disclosure on the part of Physician to GSQN pursuant to this Agreement shall not be deemed to constitute a transfer, assignment or license of the same and such information shall remain the sole and exclusive property of Physician. This Confidential Information includes, but is not limited to: i. fee schedules and payment criteria of any Clinically Integrated Purchaser Contract; 2

3 ii. iii. iv. clinical data and information collected from Physician; clinical data and information collected by GSQN from GSQN Members; performance results regarding individual physicians, including Physician; and v. business operations, practices and procedures of Physician or Physicians practice affiliates, including staffing, strategies and financial plans and budgets, contractual relationships or terms, practice management procedures, health information technology systems and/or systems or processes related to the specific operation of Physician's practice (as opposed to the provision of medical services to patients). b. Notwithstanding the foregoing, Physician may disclose Purchaser Contract Terms to his or her employees, agents, or attorneys with a need to know and who have undertaken a similar duty of nondisclosure. Physician shall comply with federal and state law applicable to the disclosure of Confidential Information. With regard to patient identifiable information shared by Physician with GSQN under this Agreement, GSQN shall be deemed the business associate of Physician pursuant to the Health Insurance Portability and Accountability Act of 1996 ( HIPAA ), and the parties shall execute and abide by the terms of the HIPAA Business Associate Addendum attached to this Agreement as Exhibit B. Upon the termination of this Agreement for any reason, the parties shall immediately return and/or destroy any Confidential Information exchanged between the parties, including any originals or copies of policies, procedures, clinical data and information and performance results pertaining to GSQN, GSQN Members, or participating physicians. The parties agree that failure to abide by this Section will cause irreparable injury and, therefore, agree that in the event of a breach of this Section, each party shall be entitled to enforce these covenants in equity by way of injunction to restrain the violation, threatened violation or continued violation thereof, without the requirement to post bond, and that such application for such an injunction shall be without prejudice to any other right of action that may accrued to such party by reason of the breach. 7. Nonexclusivity. It is acknowledged that Physician provides professional medical and related services directly or through third party payors apart from its participation in the CI Program. Nothing in this Agreement shall prohibit Physician from contracting with any third party payor (or other purchaser) whether pursuant to any prior, existing or future contracts (or an amendment to any of the foregoing) that is not a party to a contract with GSQN. Without limiting the foregoing, this nonexclusivity provision shall further permit Physician 3

4 to contract with, own or otherwise affiliate with any clinically integrated network or other association of providers. 8. Term and Termination. This Agreement shall commence on the effective date noted below and shall continue until terminated by either party by providing 60 days prior written notice. Furthermore, GSQN may immediately terminate this Agreement at any time should GSQN discover that any information contained in the Physician's Participating Physician Application is false, or that Physician is in violation of this Agreement, including without limitation the Membership and Participation Criteria set forth in Exhibit A. Upon termination, relevant GSQN Policies or Purchaser Contract Terms may require Physician to continue to treat patients until an orderly transition of care can take place. 9. General Provisions. a. Independent Contractors. GSQN and Physician are separate and independent entities. Nothing in this Agreement shall be construed or be deemed to create a relationship of employer and employee or principal and agent or any relationship other than that of independent entities contracting with each other solely for the purpose of carrying out the terms and conditions of this Agreement. Neither party shall have any express or implied right of authority to assume or create any obligation or responsibility on behalf of or in the name of the other party or to bind the other party in any manner except as set forth herein. b. Waiver of Default. The waiver by either party of this Agreement of any one or more defaults, if any, on the part of the other, shall not be construed to operate as a waiver of any other future defaults, either under the same or different terms, conditions, or covenants contained in this Agreement, in its Exhibits, or in written notice hereunder. c. Entire Understanding/No Third Party Beneficiaries. This Agreement and Exhibits which are attached hereto, and any other specifically referenced materials constitute the entire understanding between GSQN and Physician with respect to the subject matter hereof. This Agreement is not intended to confer upon any person other than the Parties any rights or remedies hereunder, other than those specifically set forth within this Agreement. d. Maintenance of Records after Termination. Physician shall maintain records and provide such information to GSQN, and to appropriate state and federal authorities as may be necessary for compliance by GSQN or any payor organization with which GSQN contracts with the provisions of applicable laws. This obligation of Physician is not terminated upon a termination of this Agreement whether by rescission or otherwise. 4

5 e. Severability. In the event any term or provision of this Agreement is rendered invalid or unenforceable, the remainder of the provisions of this Agreement shall remain in full force and effect. f. Amendments. Except as specifically provided in this Agreement, this Agreement may be amended at any time only by the written agreement of the parties; provided, however, that amendments may be made as may be required by a payor under contract with GSQN for continued compliance with federal and state laws and regulations applicable to this Agreement by giving written notice of the Amendment to Physician. g. Applicable Law. This Agreement shall be governed in all respects by the law of the State of Louisiana. h. Assignment. This Agreement shall be binding upon and inure to the benefit of the parties hereto. This Agreement shall not be assignable by either of the parties hereto, except that GSQN may assign this Agreement to an affiliate of GSQN, without the written consent of the other party. i. Notice. All notices, requests, demands and other communications hereunder shall be in writing and shall be deemed to have been duly given when hand delivered, when deposited in the United States mail, if mailed by certified or registered mail, return receipt requested, postage prepaid, or if delivered by a nationally recognized overnight delivery service to the following addresses: If to GSQN: Gulf South Quality Network, L.L.C N. Causeway Blvd. Suite 710 Metairie, Louisiana If to Physician: At the address listed for Physician in the books and records of GSQN or to such other address, and to the attention of such other person or officer as any party may designate in writing. Unless otherwise specified herein, all notices given hereunder shall be deemed to have been received by the party to which it was addressed (a) immediately upon personal delivery, (b) three (3) business days after the date of posting of notice sent by registered or certified mail, or (c) on the date shown on the signature confirmation of the overnight service. j. Group Contracting. In the event that the "Physician" party to this Agreement, is an entity and not an individual physician, then the entity hereby represents and warrants that it has the ability to enter into this 5

6 Agreement and to bind the individual physicians associated with its organization, and further that such entity shall obligate each physician member to comply with the relevant terms of this Agreement, as if such individual physician were a party to the contract, THUS AGREED by the parties hereto on the dates indicated below, but with an effective date of, 2012, regardless of when executed. PHYSICIAN: (Physician s Signature) Date (Physician s Printed Name (Printed name of Group Practice) (Medical Billing Tax ID) GULF SOUTH QUALITY NETWORK, L.L.C. Jeffrey Griffin, M.D., Chairman Date 6

7 EXHIBIT A TO NETWORK PARTICIPATION AGREEMENT MEMBERSHIP AND PARTICIPATION CRITERIA I. PURPOSE: In order to meet the standards established for Clinical Integration ( CI ) by the Federal Trade Commission and U.S. Department of Justice, and for purposes of administering the GSQN CI Program, GSQN is required to maintain selection criteria for its participating physicians and physician practices. II. SCOPE: Gulf South Quality Network (GSQN) management, staff, and participating physician practices. III IV EXCEPTIONS: None DEFINITIONS: A. Clinical Integration shall have the meaning set forth in the 1996 Joint Statements of Antitrust Enforcement Policy in Health Care by the Federal Trade Commission and U.S. Department of Justice:... an active and ongoing program to evaluate and mods practice patterns by the network's physician participants and create a high degree of interdependence and cooperation among the physicians to control costs and ensure quality. This program may include: (1) establishing mechanisms to monitor and control utilization of health care services that are designed to control costs and assure quality of care; (2) selectively choosing network physicians who are likely to further these efficiency objectives; and (3) the significant investment of capital, both monetary and human, in the necessary infrastructure and capability to realize the claimed efficiencies. B. Clinical Integration Program shall mean the active and ongoing program of clinical quality, efficiency, and cost effectiveness initiatives developed, implemented, and operated by GSQN on behalf of and in collaboration with GSQN Members and GSQN participating physician practices. V. PROCEDURE(s): To become and remain a participating physician in GSQN, a person must be a physician or a medical entity through which the physician practices medicine (collectively Physician ), and such Physician must continually meet the following membership criteria: a. Status as a participating Physician in Gulf South Quality Network will be limited to Physicians who are designated as the following: i. Active staff at GSQN Member ii. Affiliate staff at GSQN Member iii. Courtesy staff at GSQN Member iv. Primary Care Physician who utilizes a Hospitalist Program at a GSQN Participating Hospital b. If a physician within a medical practice is applying to be a participating Physician of GSQN, all of the physician members of the practice must apply for membership, with the following exceptions: A-1

8 VI. i. The non-applying physician(s) of the practice is part of a hospitalbased specialty (i.e. Anesthesiology, Emergency Medicine, Pathology, Radiology); ii. The non-applying physician(s) of the practice intends to retire within 3 years; iii. The non-applying physician(s) of the practice do not meet any of iv. the criteria listed in Section 1(a) of this Exhibit; The non-applying physician of the practice has a separate tax id number, or v. The applying physician member(s) have been approved by the GSQN Board of Managers and: 1. Are capable of participating in the Clinical Integration program (i.e. can and will provide access to the required data to track and report on physician member performance); and 2. Will allow the GSQN to negotiate CI contracts on their behalf. c. In order to continue as a participating Physician within GSQN, a Physician must actively participate in the GSQN Clinical Integration Program ("CI Program"), which participation shall include, but not be limited to, performance relative to improvement of efficiency, quality, and utilization standards and meeting all of the Participation Criteria of the CI Program. d. A Physician who otherwise meets the standards set forth above shall no longer qualify for membership in Company if such physician has been or becomes excluded from participation in Medicare, Medicaid, or any other Federal health care program. REFERENCES/CITATIONS: A. Federal Trade Commission and the U.S. Department of Justice, Statements of Antitrust Enforcement Policy in Health Care, Statement 8 available at last visited November 3, B. Federal Trade Commission and the U.S. Department of Justice, Improving Health Care: a Dose of Competition, last visited November 3, C. Medicare Payment Advisory Commission (MedPAC), 2005 Report to Congress, Chapter 4, pdf, last visited November 3, VII. RESPONSIBILITY: GSQN management, GSQN Board of Managers, GSQN Clinical Integration Committee. A-2

9 EXHIBIT B TO NETWORK PARTICIPATION AGREEMENT BUSINESS ASSOCIATE CONTRACT THIS BUSINESS ASSOCIATE CONTRACT ("BA Contract") is by and between Gulf South Quality Network, L.L.C. ( GSQN ), a Louisiana limited liability company with its principal place of business at 4200 Houma Boulevard, Metairie, Louisiana as the Business Associate, and the undersigned physician (hereinafter "Physician" or "Covered Entity"); and for purposes of this Agreement, "Physician" shall be deemed to apply to any individual Physician, as well as the entity or group which employs or otherwise contracts with Physician for the provision of health services) as the Covered Entity. This BA Contract has been entered into in conjunction with the Network Participation Agreement by and between the parties and is incorporated into and made a part of the Network Participation Agreement. RECITALS WHEREAS, Physician has entered into a Network Participation Agreement with GSQN whereby Physician will participate in a clinical integration program coordinated by GSQN; and WHEREAS, to assist GSQN in providing the clinical integration program, GSQN has entered into a Services Agreement with TECHNOLOGY TOOL(S), to provide data-based patient-care quality assessment and improvement products, services and support; and WHEREAS, TECHNOLOGY TOOL(S) products, services and support include, among other things, patient-care quality performance measurement tools, comparative provider performance metrics, Medicare Physician Quality Reporting System (PQRS) registry reporting, pay-for-performance protocol services, and clinical integration support; and WHEREAS, as part of the Services Agreement, TECHNOLOGY TOOL(S), as business associate has entered into a business associate contract with GSQN, as the covered entity, whereby TECHNOLOGY TOOL(S) agrees to adhere to the Privacy and Security Rules and HITECH with respect to any Protected Health Information received from GSQN pursuant to such agreement; and WHEREAS, Covered Entity recognizes that GSQN and TECHNOLOGY TOOL(S) will need to access, use and disclose Covered Entity's Protected Health Information in the course of furnishing TECHNOLOGY TOOL(S)' quality assessment and improvement products, services and support for and on behalf of Covered Entity pursuant to the Services Agreement; NOW, THEREFORE, for and in consideration of the foregoing Recitals, which form a part of this BA Contract, GSQN and Covered Entity mutually accept the terms of this BA Contract set forth below in accordance with the requirements of the Privacy and Security Rules and HITECH so that GSQN and TECHNOLOGY TOOL(S) may access, use and disclose Covered Entity's Protected Health Information in connection with furnishing TECHNOLOGY TOOL(S)' quality assessment and improvement products, services and support for and on behalf of Covered Entity. TERMS OF AGREEMENT 1. Definitions. The following capitalized terms have the following meaning when used in this BA Contract: 1

10 a) Business Associate has the meaning ascribed to that term by 45 C.F.R and, for purposes of this BA Contract, is GSQN. b) C.F.R. means the Code of Federal Regulations. c) Covered Entity has the meaning ascribed to that term by 45 C.F.R and, for purposes of this BA Contract, is the party other than GSQN. d) Data Aggregation has the meaning ascribed to that term by 45 C.F.R e) Designated Record Set has the meaning ascribed to that term by 45 C.F.R and, for purposes of this BA Contract, is a Designated Record Set maintained by or on behalf of GSQN for the benefit of Covered Entity. f) DHHS means the U.S. Department of Health and Human Services, its Secretary and its various components. g) Electronic Health Record has the meaning ascribed to that term by HITECH 13400(5). h) Electronic Protected Health Information or ephi has the meaning ascribed to that term in 45 C.F.R and, for purposes of this BA Contract, is ephi that GSQN or an entity acting on its behalf (such as TECHNOLOGY TOOL(S)) creates, receives, maintains or transmits for or on behalf of Covered Entity. i) Encryption has the meaning ascribed to that term by 45 C.F.R j) Health Care Operations has the meaning ascribed to that term by 45 C.F.R , as clarified by HITECH 13406(a). k) HITECH means the Health Information Technology for Economic and Clinical Health Act (which is part of Public Law ). l) Individual has the meaning ascribed to that term by 45 C.F.R m) Limited Data Set means the minimum PHI i) reasonably necessary for GSQN and TECHNOLOGY TOOL(S) to perform functions and activities for the health care industry and its participants with respect to Health Care Operations, research (as defined by 45 C.F.R ) and public health activities (as described in Privacy Rule (b)); and ii) from which have been removed all of the direct identifiers specified in Privacy Rule (e)(2). n) Privacy Rule means the federal regulation promulgated at 45 C.F.R. Part 164, Subpart E. o) Protected Health Information or PHI has the meaning ascribed to that term by 45 C.F.R and, for purposes of this BA Contract, is PHI that GSQN or TECHNOLOGY TOOL(S) creates or receives for or on behalf of Covered Entity and includes ephi and Unsecured PHI. p) Required By Law has the meaning ascribed to that term by 45 C.F.R

11 q) Security Rule means the federal regulation promulgated at 45 C.F.R. Part 164, Subpart C. r) Unsecured Protected Health Information or Unsecured PHI has the meaning ascribed to that term by 45 C.F.R and, for purposes of this BA Contract, is Unsecured PHI that GSQN or TECHNOLOGY TOOL(S) creates, receives, maintains, or transmits for or on behalf of Covered Entity. 2. Independent Contractor. GSQN and TECHNOLOGY TOOL(S) are independent contractors with respect to Covered Entity in that TECHNOLOGY TOOL(S) furnishes, pursuant to the Services Agreement, quality assessment and improvement products, services and support for and on behalf of Covered Entity, but does not and is not authorized to represent or otherwise serve as agent of Covered Entity. 3. Privacy of Protected Health Information. a) Permitted Uses and Disclosures. GSQN and TECHNOLOGY TOOL(S) are permitted to use, disclose and request PHI for the following functions and activities: i) To perform and assist with the performance of the functions, activities and services specified in the Services Agreement. ii) iii) iv) To perform and assist with the performance of Health Care Operations for or on behalf of Covered Entity or for or on behalf of any organized health care arrangement (as defined by 45 C.F.R ) in which Covered Entity participates. To perform and assist with the performance of Health Care Operations for or on behalf of another covered entity that involve any of the quality assessment and improvement or performance evaluation activities identified in paragraphs (1) and (2) of the definition of Health Care Operations at 45 C.F.R , provided that both Covered Entity and the other covered entity have or had a relationship with the Individual who is the subject of the PHI to be used or disclosed and that PHI pertains to that relationship. To provide Data Aggregation services relating to the Health Care Operations of Covered Entity. v) To assist with the performance of treatment activities (as defined by 45 C.F.R ) of Covered Entity or of another health care provider. vi) To assist with the performance of payment activities (as defined by 45 C.F.R ) of Covered Entity, of another covered entity, or of another health care provider. vii) To de-identify PHI to create de-identified health information in accordance with the requirements of Privacy Rule (b), and to create Limited Data Sets from PHI in accordance with the requirements of Privacy Rule (e)(2). 3

12 viii) ix) As authorized by an Individual pursuant to an authorization that complies with the requirements of Privacy Rule For the Business Associate s proper management and administration or to carry out its legal responsibilities, provided that with respect to disclosure of PHI either: A) The disclosure is Required By Law; or B) The Business Associate obtains reasonable assurance from any person or entity to which the Business Associate will disclose the PHI that the person or entity will 1) Hold the PHI in confidence and use or further disclose the PHI only for the purposes for which the Business Associate disclosed the PHI to the person or entity or as Required By Law; and 2) Promptly notify the Business Associate of any instance of which the person or entity becomes aware in which the confidentiality of the PHI was breached. b) Minimum Necessary. The Business Associate will, in its performance of the functions, activities and services involving PHI permitted by this BA Contract, make reasonable efforts to use, disclose, or request only the minimum PHI that the Business Associate determines is reasonably necessary to accomplish the intended purpose of the use, disclosure or request as required by Privacy Rule (b)(1) and HITECH 13405(b), except with respect to those uses and disclosures to which the minimum necessary limitation does not apply as specified in Privacy Rule (b)(2). c) Prohibition on Unauthorized Use or Disclosure. i) TECHNOLOGY TOOL(S) will neither use nor disclose PHI except as permitted or required by this BA Contract or in writing by Covered Entity, or as Required By Law. ii) Except as set forth in Section 3(a) above regarding Data Aggregation and the Business Associate s proper management and administration, this BA Contract cannot authorize the Business Associate to use or disclose PHI in a manner that will violate the Privacy Rule if done by Covered Entity. Accordingly, except for Data Aggregation and the Business Associate s proper management and administration as permitted by Section 3(a) above, Covered Entity does not and will not authorize or otherwise direct the Business Associate to use or disclose PHI in a manner that will violate the Privacy Rule if done by Covered Entity. 4. Security of Protected Health Information to be in force at the effective date of this BA Contract: a) Privacy Protections. The Business Associate will implement, maintain, and use appropriate administrative, technical, and physical safeguards to protect the privacy of PHI, including to reasonably safeguard PHI from 4

13 any intentional or unintentional use or disclosure in violation of the Privacy Rule and to reasonably limit incidental uses or disclosures made pursuant to a use or disclosure permitted by this BA Contract. b) Security Safeguards. The Business Associate will implement, maintain, and use administrative, technical, and physical safeguards in compliance with the standards and implementation specifications of Security Rule , , and so as to reasonably and appropriately protect the confidentiality, integrity, and availability of ephi as required by the Security Rule and HITECH. c) Encryption. The Business Associate will, to the extent reasonable and practicable, encrypt ephi in its custody that is at rest or in motion using Encryption that is at least as stringent as the technologies and methodologies that DHHS deems, in guidance published on its web site pursuant to HITECH 13402(h)(2), renders PHI unusable, unreadable, or indecipherable to unauthorized persons or entities. 5. Subcontractors and Agents. The Business Associate will require any subcontractor or agent, to which TECHNOLOGY TOOL(S) discloses PHI, to provide reasonable written assurance that such subcontractor or agent will comply with the same privacy protection and security safeguard obligations with respect to such PHI that are applicable to the Business Associate under this BA Contract. 6. Individual Rights. a) Access. The Business Associate will, within 20 days following Covered Entity's request, make available to Covered Entity PHI in a Designated Record Set and, only to the extent that the Business Associate uses or maintains an Electronic Health Record for or on behalf of Covered Entity, PHI in electronic format in the Electronic Health Record, so that Covered Entity may meet its access obligations under Privacy Rule and, if applicable, under HITECH 13405(e). b) Amendment. The Business Associate will, upon receipt of written notice from Covered Entity, amend PHI in a Designated Record Set so that Covered Entity may meet its amendment obligations under Privacy Rule c) Disclosure Accounting. The Business Associate will record and retain for at least 6 years the disclosure information specified by Privacy Rule for each PHI disclosure that TECHNOLOGY TOOL(S) makes that is accountable under Privacy Rule and, only to the extent that TECHNOLOGY TOOL(S) uses or maintains an Electronic Health Record for or on behalf of Covered Entity, the Business Associate will record and retain for at least 3 years the disclosure information specified by HITECH 13405(c) for PHI disclosures made through an Electronic Health Record that the Business Associate uses or maintains for or on behalf of Covered Entity, so that Covered Entity may meet its disclosure accounting obligations under Privacy Rule and, if applicable, 5

14 HITECH 13405(c). The Business Associate will, within 30 days following Covered Entity's request, report to Covered Entity the disclosure information retained by the Business Associate that is pertinent to an Individual's request for disclosure accounting. d) Restriction Agreements. The Business Associate will comply with any agreement that Covered Entity makes that restricts use or disclosure of PHI pursuant to Privacy Rule (a), provided that Covered Entity notifies the Business Associate in writing of the restriction obligations that the Business Associate must follow. Covered Entity will promptly notify the Business Associate in writing of the termination of any such restriction agreement and instruct the Business Associate whether any PHI will remain subject to the terms of the restriction agreement notwithstanding its termination. e) Confidential Communications. The Business Associate will comply with any requirement to use confidential communication about PH pursuant to Privacy Rule (b), provided that Covered Entity notifies the Business Associate in writing of the confidential communication requirement that the Business Associate must follow. Covered Entity will promptly notify the Business Associate in writing of the termination of any such confidential communication requirement. 7. Privacy Breach, Security Breach, Security Incidents and Mitigation. a) Privacy Breach Notification. The Business Associate will report to Covered Entity any use or disclosure of PHI not permitted by this BA Contract or in writing by Covered Entity. The Business Associate will investigate and make the report to Covered Entity not more than 10 days after TECHNOLOGY TOOL(S) learns of such non-permitted use or disclosure. b) Security Breach Notification. i) The Business Associate will provide Covered Entity notice after the Business Associate discovers a breach caused by the acquisition, access, use or disclosure of Unsecured PHI that is not permitted by the Privacy Rule and that poses a significant risk of financial, reputational, or other harm to any Individual. ii) The Business Associate will provide the notice to Covered Entity without unreasonable delay and in no event later than thirty (30) days following the Business Associate s discovery of the breach, provided that TECHNOLOGY TOOL(S) may delay notice to Covered Entity for the duration specified in writing by a law enforcement official (or for up to 30 days if the law enforcement official fails to specify the duration in writing within such 30 days) who states to the Business Associate that such notice would impede a criminal investigation or cause damage to national security. 6

15 iii) The Business Associate s notice shall include, to the extent possible, the identification of each Individual whose Unsecured PHI has been, or that the Business Associate reasonably believes has been, acquired, accessed, used or disclosed during the breach, and provide as much of the information specified in 45 C.F.R (c) as is available to the Business Associate at the time of its notice, and promptly thereafter as such information may become available to the Business Associate, in order to assist Covered Entity with its notification obligations. c) Security Incident Notification. i) The Business Associate will, upon learning of a successful unauthorized access, use, or disclosure of ephi, report this type of security incident to Covered Entity in accordance Section 7(a) above if such security incident caused a privacy breach and in accordance with Section 7(b) above if such security incident caused a security breach. ii) The Business Associate will, upon learning of a successful unauthorized modification or destruction of ephi or interference with system operations in TECHNOLOGY TOOL(S)' information systems, report this type of security incident to Covered Entity within 10 days after the Business Associate learns of such successful security incident. iii) The Business Associate will record any attempted, but unsuccessful unauthorized access, use, disclosure, modification, or destruction of ephi or interference with system operations in the Business Associate s information systems of which the Business Associate is aware. The Business Associate s will retain such records for at least 12 calendar months following the recording of each such attempted, but unsuccessful security incident and will make such records available to Covered Entity within 10 days of receipt of Covered Entity's request for them. d) Mitigation. The Business Associate will mitigate or assist Covered Entity to mitigate, to the extent practicable, any harmful effect known to the Business Associate of a privacy breach or security incident. 8. Termination. a) Termination for Breach. i) Covered Entity may terminate this BA Contract, if feasible, upon learning of a pattern of activity or practice by the Business Associate that constitutes a material breach of this BA Contract that the Business Associate fail to cure within 30 days after receipt of written notice from Covered Entity identifying the material breach. In this event, the Network Participation Agreement between the Business Associate and all Covered Entities will 7

16 ii) terminate. Covered Entity may exercise this termination right by providing the Business Associate written notice of termination, stating the failure to cure the material breach of the BA Contract that provides the basis for the termination. Any such termination shall be effective on the date specified in Covered Entity's notice of termination to the Business Associate. If termination of this BA Contract for material breach by the Business Associate is not feasible, Covered Entity may report the problem to DBES. The Business Associate may terminate this BA Contract, if feasible, upon learning of a pattern of activity or practice by Covered Entity that constitutes a material breach of this BA Contract that Covered Entity fails to cure within 30 days after receipt of written notice from the Business Associate identifying the material breach. The Business Associate may exercise this termination right by providing Covered Entity written notice of termination, stating the failure to cure the material breach of the BA Contract that provides the basis for the termination. In this event, the Network Participation Agreement between the Business Associate and all Covered Entities will terminate. Any such termination will be effective on the date specified in the Business Associate's notice of termination to Covered Entity. If termination of this BA Contract for material breach by Covered Entity is not feasible, the Business Associate may report the problem to DHES. b) Right to Terminate on Change in Law. Either party may terminate this BA Contract as provided by Section 14 below if a statute or regulation or amendment to a statute or regulation affects the obligations of a party under this BA Contract. In this event, the Network Participation Agreement between the Business Associate and all Covered Entities will terminate. A party may exercise this termination right by giving the other party written notice of such termination at least 60 days before the compliance date for such statute or regulation or amendment to statute or regulation. c) Termination on Conclusion of Services Agreement. This BA Contract will terminate upon termination or other conclusion of the Services Agreement. d) Obligations on Termination. i) Return or Destruction of Certain PHI Not Feasible. The data elements of PHI that the Business Associate incorporates into its registries and its other quality assessment and improvement products, services and support offerings for Covered Entity that cannot feasibly be returned or destroyed upon termination of this BA Contract or otherwise without compromising the integrity and effectiveness of such registries and such quality assessment and improvement products, services and support offerings and the system operations of the Business Associate's information systems 8

17 ii) iii) are consequently infeasible to return or destroy. Upon termination of this BA Contract, the Business Associate will limit their further use or disclosure of such data elements of PHI to the purposes that make their return or destruction infeasible, and such data elements of PHI will continue to be subject to the privacy protections and security safeguards of this BA Contract for as long as such data elements of PHI remain in the Business Associate s custody. The Business Associate shall give prior written notice to Covered Entity before such data is destroyed, and if destroyed, provide Covered Entity with written notice of destruction. Return or Destruction of Other PHI. The Business Associate will, within 30 days following termination of this BA Contract, return to Covered Entity or destroy all PHI, other than the data elements of PHI for which return or destruction is not feasible for the reasons explained in Section 8(d)(i) above. Destruction if the Business Associate is dissolved. In the event that the Business Associate is dissolved, such entity will provide notice to Covered Entity of its intention to destroy all PHI, and will subsequently destroy all PHI within 30 days of dissolution. 9. De-Identified Health Information. The Business Associate may retain, use and disclose de-identified health information it creates from PHI, and such retention, use and disclosure shall not be subject to this BA Contract. 10. Limited Data Sets. The Business Associate may retain, use and disclose each Limited Data Set it creates from PHI, provided that the Business Associate has entered into a data use agreement with Covered Entity with respect to the Limited Data Set that satisfies the requirements of Privacy Rule (e)(4). The Business Associate s retention, use and disclosure of Limited Data Sets shall be regulated by the data use agreement and shall not be subject to this BA Contract. 11. DHHS Audit and Inspection of Internal Practices, Books, and Records. a) Inspection. The Business Associate will make its internal practices, books, and records relating to its use and disclosure of PHI available to DHHS to determine Covered Entity's compliance with the Privacy Rule. b) Audit. The Business Associate will submit to audit by DHHS with respect to the Business Associate s compliance with the applicable requirements of the Privacy and Security Rules and MECH. 12. Indemnity. Each party agrees it will indemnify and hold harmless the other party and any of the other party's affiliates, officers, directors, employees or agents from and against any claim, cause of action, liability, damage, cost or expense, including attorneys' fees and court or proceeding costs, arising out of or in connection with any non-permitted use or disclosure of PHI or other breach of this BA Contract by the party. 9

18 13. Notices. Any notice that a party is required or desires to give under this BA Contract shall be delivered in a manner that is consistent with the Network Participation Agreement. 14. Amendment. Upon the compliance date of a statute or regulation or amendment to statute or regulation that affects either party's obligations under this BA Contract, this BA Contract will automatically amend such that the obligations imposed on the parties by this BA Contract remain in compliance with all applicable statutes and regulations then in effect, unless a party elects to terminate this BA Contract in accordance with Section 8(b) above. 15. Conflicts. The terms and conditions of this BA Contract will override and control any conflicting term or condition of the Network Participation Agreement or any other agreement or understanding between the parties. THUS AGREED by the parties hereto on the dates indicated below, but with an effective date of, 2012, regardless of when executed. PHYSICIAN (Physician's Signature) Date (Physician's Printed Name) (Printed Name of Group Practice) (Medical Billing Tax ID) GULF SOUTH QUALITY NETWORK, L.L.C. Jeffrey Griffin, M.D., Chairman Date 10