Create Your Account
Already have an account? Sign in
Already have an account? Sign in
COLLAGEN DIRECT BUSINESS ASSOCIATE AGREEMENT
This Business Associate Agreement ("Agreement") is entered into by and between:
The "Covered Entity," defined below, and
CollagenDirect ("Business Associate"),
and is effective as of the date the Covered Entity (or its authorized representative) creates or is provisioned with an account on the CollagenDirect Provider Portal and affirmatively accepts this Agreement (the "Effective Date").
By creating or activating an account in the CollagenDirect Provider Portal, the individual submitting registration represents and warrants that they (a) are authorized to bind the Covered Entity (e.g. physician practice, clinic, facility) to this Agreement, and (b) are entering this Agreement on behalf of that Covered Entity. The Parties enter this Agreement to comply with the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), the Health Information Technology for Economic and Clinical Health Act ("HITECH"), and the Privacy, Security, Breach Notification, and Enforcement Rules at 45 C.F.R. Parts 160 and 164 (collectively, the "HIPAA Rules").
a. "Administrative Safeguards" means administrative actions, policies, and procedures to manage the selection, development, implementation, and maintenance of security measures to protect Electronic Protected Health Information ("ePHI") and to manage the conduct of the Business Associate's workforce in relation to the protection of that information, as described in 45 C.F.R. § 164.308.
b. "Breach" has the meaning given in 45 C.F.R. § 164.402 and means the acquisition, access, use, or disclosure of Protected Health Information in a manner not permitted by the HIPAA Rules which compromises the security or privacy of the Protected Health Information.
c. "Business Associate" has the meaning in 45 C.F.R. § 160.103. For purposes of this Agreement, "Business Associate" means CollagenDirect.
d. "Covered Entity" has the meaning in 45 C.F.R. § 160.103. For purposes of this Agreement, "Covered Entity" means the healthcare provider organization, physician, clinic, practice, or facility whose authorized representative registers for or uses the CollagenDirect Provider Portal to transmit or receive PHI.
e. "Designated Record Set" has the meaning in 45 C.F.R. § 164.501, and includes medical records, billing records, or other records used to make decisions about an Individual.
f. "HIPAA Rules" means the Privacy Rule, Security Rule, Breach Notification Rule, and Enforcement Rule at 45 C.F.R. Parts 160 and 164, as amended.
g. "Individual" has the meaning in 45 C.F.R. § 160.103 and includes a Personal Representative consistent with 45 C.F.R. § 164.502(g).
h. "Physical Safeguards" means the physical measures, policies, and procedures to protect Business Associate's electronic information systems and related buildings and equipment, from natural and environmental hazards and unauthorized intrusion, as described in 45 C.F.R. § 164.310.
i. "Privacy Rule" means the Standards for Privacy of Individually Identifiable Health Information at 45 C.F.R. Part 160 and Subparts A and E of Part 164.
j. "Protected Health Information" or "PHI" has the meaning in 45 C.F.R. § 160.103, and includes any individually identifiable health information, in any form or medium, that is created, received, maintained, or transmitted by Business Associate on behalf of Covered Entity.
k. "Required by Law" has the meaning in 45 C.F.R. § 164.103.
l. "Secretary" means the Secretary of the U.S. Department of Health and Human Services ("HHS") or their designee.
m. "Security Incident" has the meaning in 45 C.F.R. § 164.304 and includes any attempted or successful unauthorized access, use, disclosure, modification, or destruction of ePHI, or interference with system operations.
n. "Security Rule" means the Security Standards for the Protection of Electronic Protected Health Information at 45 C.F.R. Part 160 and Subparts A and C of Part 164.
o. "Technical Safeguards" means the technology and related policies and procedures that protect ePHI and control access to it, as described in 45 C.F.R. § 164.312.
p. "Unsecured Protected Health Information" means PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary under 45 C.F.R. § 164.402.
q. "Portal" means the CollagenDirect Provider Portal and related services, systems, databases, and workflows provided by Business Associate to Covered Entity for ordering wound care products, tracking status, and transmitting PHI for treatment, payment, and healthcare operations.
a. Business Associate will not use or disclose PHI other than as permitted by this Agreement or as Required by Law.
b. Business Associate will implement reasonable and appropriate safeguards, and comply with the Security Rule with respect to ePHI, to prevent uses or disclosures of PHI not authorized by this Agreement.
c. Business Associate will mitigate, to the extent practicable and in good faith cooperation with Covered Entity, any harmful effect of a known use or disclosure of PHI by Business Associate in violation of this Agreement.
d. Business Associate will report to Covered Entity, without unreasonable delay and in no event later than ten (10) business days after discovery, any use or disclosure of PHI not provided for in this Agreement, including any Breach of Unsecured PHI as required by 45 C.F.R. § 164.410, and any Security Incident of which it becomes aware. The Parties acknowledge that Covered Entity is hereby deemed notified of routine and unsuccessful attempts to access systems that do not result in unauthorized access, use, or disclosure of PHI.
e. Business Associate will ensure that any subcontractor or agent that creates, receives, maintains, or transmits PHI on behalf of Business Associate agrees in writing to the same restrictions, conditions, and obligations that apply to Business Associate with respect to such PHI.
f. Business Associate will make available its internal practices, books, and records relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of, Covered Entity to the Secretary as required under the HIPAA Rules.
g. Business Associate will document disclosures of PHI and related information as necessary for Covered Entity to respond to an Individual's request for an accounting of disclosures under 45 C.F.R. § 164.528, and will provide that information to Covered Entity upon request.
h. Business Associate will make PHI in a Designated Record Set available to Covered Entity as necessary to satisfy Covered Entity's obligations under 45 C.F.R. § 164.524 (access of individuals to PHI).
i. Business Associate will make amendments to PHI in a Designated Record Set as directed or agreed to by Covered Entity under 45 C.F.R. § 164.526.
j. Business Associate may provide data aggregation services relating to the Covered Entity's healthcare operations, as that term is defined in 45 C.F.R. § 164.501.
k. To the extent Business Associate carries out one or more Covered Entity obligations under the HIPAA Rules, Business Associate will comply with the requirements of the HIPAA Rules that apply to Covered Entity in the performance of such obligations.
Business Associate will:
a. Implement, maintain, and document Administrative, Physical, and Technical Safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of ePHI, including ensuring confidentiality, integrity, availability; protecting against threats; protecting against unauthorized uses/disclosures; and ensuring workforce compliance.
b. Ensure that any subcontractor or agent to whom it provides ePHI agrees to implement reasonable and appropriate safeguards consistent with this Section.
c. Cooperate in good faith with Covered Entity to mitigate potential or actual harm arising from any Breach or Security Incident caused by Business Associate or its subcontractors.
d. Make its policies, procedures, and required documentation relating to these safeguards available to Covered Entity and to the Secretary for purposes of determining Business Associate's compliance with the Security Rule.
a. Business Associate will not directly or indirectly sell PHI or use or disclose PHI for marketing or fundraising in violation of the HIPAA Rules.
b. Business Associate will track disclosures of PHI to the extent required for Covered Entity to meet its accounting obligations under the HIPAA Rules and HITECH.
c. Business Associate will limit its uses, disclosures, and requests of PHI to the "minimum necessary," consistent with 45 C.F.R. § 164.502(b) and applicable HHS guidance.
d. If Business Associate has knowledge of a pattern of activity or practice that constitutes a material breach of this Agreement, and termination of the underlying services is not feasible, Business Associate will report such breach to Covered Entity and, if required, to the Secretary.
e. To the extent Business Associate is deemed an agent of Covered Entity under HITECH, Business Associate acknowledges it may be directly subject to civil and criminal penalties under 42 U.S.C. § 1320d–5 and § 1320d–6, as amended.
f. Nothing in this Agreement creates an agency relationship between the Parties for any other purpose.
Except as otherwise limited in this Agreement, Business Associate may use and disclose PHI:
Business Associate will not use or disclose PHI in a manner that would violate the HIPAA Rules if done by Covered Entity.
Covered Entity will:
a. Provide Business Associate with its Notice of Privacy Practices under 45 C.F.R. § 164.520 and any updates that materially affect Business Associate's permitted uses or disclosures of PHI.
b. Inform Business Associate of any changes in, or revocation of, permission by an Individual to use or disclose PHI, if such changes affect Business Associate's permitted uses or disclosures.
c. Notify Business Associate of any restriction on the use or disclosure of PHI that Covered Entity has agreed to under 45 C.F.R. § 164.522, if such restriction affects Business Associate's permitted uses or disclosures.
d. Obtain any consents, authorizations, or other permissions required by HIPAA, HITECH, the HIPAA Rules, or applicable state law before disclosing PHI to Business Associate.
a. Term. This Agreement begins on the Effective Date and remains in effect until all PHI provided by Covered Entity to Business Associate, or created or received by Business Associate on behalf of Covered Entity, is returned to Covered Entity or destroyed, or is otherwise protected as described in Section 7(c).
b. Termination for Cause. If Covered Entity becomes aware of a material breach of this Agreement by Business Associate, Covered Entity may provide written notice and an opportunity to cure. If Business Associate does not cure within the cure period specified by Covered Entity (not less than thirty (30) days), Covered Entity may terminate this Agreement.
c. Effect of Termination. Upon termination, Business Associate will return or destroy all PHI it maintains in any form on behalf of Covered Entity, including PHI held by subcontractors. If return or destruction is infeasible, Business Associate will notify Covered Entity and continue to protect the PHI in accordance with this Agreement.
a. Regulatory References. A reference in this Agreement to a section of the HIPAA Rules means the section as in effect, amended, and required for compliance.
b. Amendment. The Parties agree to take such action as is necessary to amend this Agreement from time to time to comply with HIPAA, the HIPAA Rules, HITECH, and other applicable law. CollagenDirect may update this Agreement prospectively. Covered Entity's continued use of the Portal after notice of a material update constitutes acceptance of the updated Agreement.
c. Survival. The obligations of Business Associate with respect to PHI that cannot feasibly be returned or destroyed under Section 7(c) shall survive termination of this Agreement for so long as Business Associate retains such PHI.
d. Interpretation. Any ambiguity in this Agreement shall be resolved to permit compliance with HIPAA, HITECH, and the HIPAA Rules.
e. Precedence. If any provision in another written or electronic service agreement between the Parties conflicts with this Agreement, this Agreement controls with respect to PHI, HIPAA, HITECH, and related privacy/security matters.
f. Ownership of PHI. All PHI that Business Associate, or any subcontractor or agent of Business Associate, creates, receives, maintains, or transmits on behalf of Covered Entity remains the property of Covered Entity.
g. Notice. Formal legal notices under this Agreement must be in writing and will be deemed delivered when actually received via hand delivery or overnight courier with confirmation, or three (3) business days after being sent via certified U.S. mail. Operational notices may be provided electronically.
h. Severability. If any provision of this Agreement is held invalid or unenforceable, that provision shall be severed and the remaining provisions shall remain in full force if consistent with the Parties' intent and applicable law.
i. Assignment. Neither Party may assign this Agreement without the other Party's prior written consent, except a Party may assign this Agreement without consent to a successor in interest to substantially all of its relevant business or assets.
j. Successors and Assigns. This Agreement is binding upon and inures to the benefit of the Parties and their permitted successors and assigns.
k. Waiver. A waiver of any breach is not a waiver of any other breach.
l. Governing Law / Venue. This Agreement is governed by the laws of the State of Texas, without regard to conflicts of laws rules. The Parties agree to the exclusive jurisdiction and venue of state or federal courts located in Bexar County, Texas.
m. HIPAA Compliance. Each Party will comply with HIPAA, HITECH, and the HIPAA Rules, as amended.
n. Use of Covered Entity Name/Logo. Business Associate will not publicly use Covered Entity's name, trade name, service mark, or logo without prior written consent, except as required for fulfillment, regulatory, audit, payer communications, or other Required by Law use.
Covered Entity agrees that:
END OF AGREEMENT
COLLAGENDIRECT / MD DME PRODUCT AND SERVICES AGREEMENT
Version 2025-10-29
This Product and Services Agreement ("Agreement") is entered into by and between (1) MD DME, LLC ("MD DME"), a Texas limited liability company, and (2) the physician practice, clinic, or provider organization whose authorized representative is accepting this Agreement ("Client").
Effective Date. This Agreement becomes effective on the date the Client (or its authorized representative) registers or is provisioned within the CollagenDirect Provider Portal and affirmatively accepts this Agreement.
CollagenDirect provides a secure ordering portal and workflow tools. CollagenDirect does not manufacture, dispense, fulfill, ship, bill, or collect payment for wound care products or Durable Medical Equipment ("Products"), and is not the supplier of record.
MD DME is a licensed Durable Medical Equipment supplier. MD DME is solely responsible for fulfillment, shipment, documentation, and (when applicable) billing and collection for Products.
Client acknowledges that:
a. Option A – Physician-Billed Orders.
MD DME supplies Products listed in Exhibit A. MD DME (as logistics/fulfillment partner) may pick, pack, ship, and deliver Products directly to Client's patients on Client's behalf and provide proof of delivery. Client bills payors through Client's own DME entity and insurance contracts.
Client remains solely responsible for: medical necessity; correct coding; claim submission; and all payer interactions, adjustments, recoupments, or repayments. MD DME is not responsible for the accuracy or sufficiency of codes or medical necessity determinations under Option A.
b. Option B – MD DME-Billed Orders.
Client may direct MD DME to fulfill and ship Products directly to the patient and to bill payors under MD DME's own supplier credentials. In this model, Client must provide MD DME with medical records and a valid Standard Written Order establishing medical necessity.
MD DME will:
After MD DME supplies proof of delivery, MD DME is not responsible for Client's ongoing record-keeping, audit defense, or payor documentation obligations, including obligations under 42 C.F.R. § 424.57(c)(12).
For Option A (physician-billed orders), Client shall pay MD DME's invoices in full on the following cycle:
a. Late invoices accrue service charges at 2% APR.
b. MD DME may suspend fulfillment for invoices more than 30 days past due, and may resume only after full payment is received.
c. Client (and any personal guarantor, if applicable) is jointly and severally liable for all unpaid amounts, including reasonable collection costs and attorney's fees. CollagenDirect is not liable for any such amounts.
Each Party will comply with all applicable federal and state laws and billing rules, including Medicare/Medicaid requirements regarding claims, coding, fraud, waste, and abuse.
The initial term is one (1) year from the Effective Date, automatically renewing for additional one (1) year terms unless either Party provides 30 days' written notice of non-renewal.
Client is not obligated to purchase exclusively from MD DME.
Either Party may terminate immediately if:
Upon termination, MD DME may complete orders already in process and must be paid for those orders consistent with Section 5.
Business information exchanged under this Agreement is confidential. Neither Party will disclose the terms of this Agreement to third parties except as required by law, payer audit, accreditation, lender/underwriter review, or legal counsel.
To the extent MD DME acts as a Business Associate, HIPAA obligations are governed by the applicable Business Associate Agreement, which is incorporated by reference.
Except for gross negligence or willful misconduct, MD DME's total liability to Client shall not exceed the total amounts actually paid by Client to MD DME during the then-current term.
Neither MD DME nor CollagenDirect will be liable for any indirect, special, incidental, consequential, punitive, or lost-profit damages.
Client agrees to indemnify and hold harmless MD DME and CollagenDirect (and their owners, officers, directors, and employees) from claims, penalties, costs, or liabilities arising out of (a) Client's clinical decisions or medical necessity determinations, (b) Client's billing and coding activities, or (c) Client's breach of this Agreement.
Texas law governs this Agreement.
Neither Party is liable for delays or failures caused by events beyond reasonable control, including natural disasters, infrastructure outages, or acts of terrorism.
Neither Party may assign this Agreement without written consent, except to a successor acquiring substantially all relevant assets or operations.
This Agreement is the complete and exclusive statement of the Parties' understanding regarding product fulfillment, billing responsibility, and payment terms. It may be amended only in a writing (including an electronic update notice accepted within the Portal) agreed to by both Parties.
By submitting registration through the CollagenDirect Provider Portal and checking the acceptance box, the signer certifies they are an authorized representative of the Client and agree on behalf of the Client to be bound by this Agreement.
CollagenDirect will capture and store: (i) the signer's name, (ii) practice name, (iii) the date/time of acceptance, (iv) the IP address and browser metadata at acceptance, and (v) the version of this Agreement. That captured record is deemed the Parties' binding electronic signature.
END OF AGREEMENT