END USER LICENSE AGREEMENT
THIS AGREEMENT (or "EULA") IS A LEGAL AGREEMENT BETWEEN THE PERSON, COMPANY, OR ORGANIZATION THAT HAS LICENSED THIS PRODUCT ("YOU" OR "CUSTOMER") AND SEAMLESS MEDICAL SYSTEMS, LLC, A DELAWARE LIMITED LIABILITY COMPANY (THE “COMPANY”). BY INSTALLING AND USING THE PRODUCT, CUSTOMER ACCEPTS THE PRODUCT AND AGREES TO THE TERMS OF THIS AGREEMENT. READ THIS AGREEMENT CAREFULLY BEFORE COMPLETING THE INSTALLATION PROCESS AND USING THE PRODUCT. BY INSTALLING AND/OR USING THE PRODUCT, YOU ARE CONFIRMING YOUR ACCEPTANCE OF THE PRODUCT AND AGREEING TO BECOME BOUND BY THE TERMS OF THIS AGREEMENT. IF YOU DO NOT AGREE TO BE BOUND BY THESE TERMS, OR DO NOT HAVE AUTHORITY TO BIND THE CUSTOMER TO THESE TERMS, THEN DO NOT INSTALL AND/OR USE THE PRODUCT.
THIS EULA SHALL APPLY ONLY TO THE PRODUCT SUPPLIED BY THE COMPANY HEREWITH REGARDLESS OF WHETHER OTHER PRODUCT IS REFERRED TO OR DESCRIBED HEREIN.
FOR PURPOSES OF THIS EULA, “PRODUCT” SHALL MEAN THE COMPANY’S PROPRIETARY “SNAP” PROGRAM, AND CORRESPONDING DOCUMENTATION, ASSOCIATED MEDIA, PRINTED MATERIALS, AND ONLINE OR ELECTRONIC DOCUMENTATION. ANY UPDATES TO THE PRODUCT WHICH YOU ARE ENTITLED TO RECEIVE AND THAT HAVE BEEN PROVIDED TO YOU BY THE COMPANY SHALL ALSO BE CONSIDERED THE PRODUCT FOR PURPOSES OF THIS AGREEMENT.
FOR PURPOSES OF THIS EULA, “SERVICES” SHALL MEAN THE SERVICES PROVIDED BY THE COMPANY IN CONNECTION WITH THE PRODUCT, AND CORRESPONDING DOCUMENTATION, ASSOCIATED MEDIA, PRINTED MATERIALS, AND ONLINE OR ELECTRONIC DOCUMENTATION.
Scope of License. This license granted to you for the Product by the Company is limited to a non-exclusive and non-transferable license to use the Product on any (i) portable tablet device that you own or control and the Company and Product supports; and (ii) other computer system that you own or control in connection with your business which may access the Product for use in compliance with this Agreement. This license does not allow you to use the Product on any device that you do not own or control and which is not used in connection with your business. You may not rent, lease, lend, sell, redistribute or sublicense the Product. You may not copy (except as may expressly be permitted by this license), decompile, reverse engineer, disassemble, attempt to derive the source code of, modify, or create derivative works of the Product, any updates, or any part thereof. Any attempt to do so is a violation of the rights of the Company. If you breach this restriction, you may be subject to prosecution and damages. The terms of the license will govern any upgrades provided by the Company that replace and/or supplement the original Product, unless such upgrade is accompanied by a separate license in which case the terms of that license will govern. You shall not use the Product to develop any product having the same primary function as the Product.
You agree that the Company may audit your use of the Product for compliance with these terms at any time, upon reasonable notice. In the event that such audit reveals any use of the Product by you other than in full compliance with the terms of this Agreement, you shall reimburse the Company for all reasonable expenses related to such audit in addition to any other liabilities you may incur as a result of such non-compliance.
The license rights granted under this Agreement may be limited to the first 14 days after you first install the Product unless you supply information required to activate your licensed copy in the manner described during the setup sequence of the Product. You may need to activate the Product through the use of the Internet or telephone and additional charges may apply. There may be technological measures in the Product that are designed to prevent unlicensed or illegal use of the Product. You agree that the Company may use those measures and you agree to follow any requirements regarding such technological measures. You may not alter the contents of a hard drive or computer system or portable tablet device to enable the use of the Trial Version of the Product for an aggregate period in excess of the 14 day trial period, disclose the results of performance benchmarks obtained using the Trial Version to any third party or use the Trial Version of the Software for a purpose other than the sole purpose of determining whether to purchase a full license following the expiration of the 14 day trial period.
You may not sell, transfer or assign any of your rights under this EULA unless as part of a sale or transfer of all of your business, provided you retain no copies and the recipient agrees to the terms of this EULA. You may not sell, assign or transfer any trial version of the Product.
Consent to Use of Technical Data. You agree that the Company may collect and use technical data and related information, including but not limited to technical information about your device, system and application product, and peripherals, that is gathered periodically to facilitate the provision of product updates, product support and other services to you (if any) related to the Product and Services. The Company may use this information, as long as it is in a form that does not personally identify you, to improve its products or to provide services or technologies to you. .
Product and Data Security.
1. Use and Disclosure of Patient Data. The Product is an electronic patient registration module which will collect, store and wirelessly transmit patient data (“Patient Data”), including protected health information, as that term is defined under the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations (“HIPAA”). The Patient Data will initially be entered or input onto a portable tablet device of Customer using the Product, and Customer may transmit Patient Data wirelessly to a data server hosted by Company. Customer will access the Patient Data on the data server hosted by Company to integrate the Patient Data into Customer’s practice management system or electronic health records system (“Practice Systems”), either directly to the Practice Systems to the extent Customer’s system is interoperable with the Product, or indirectly by downloading and saving an electronic or hard copy of the Patient Data record. The Company is obligated to house Customer’s Patient Data on a data server hosted by Company only for a maximum time period of thirty (30) days from the date the Patient Data is originally received by the Company, although Company may elect, but is not obligated to, house and/or store Patient Data of Customer for a longer period of time. Customer will retain ownership of Customer’s Patient Data. The Company will not use or disclose Customer’s Patient Data obtained by the Company through Customer’s use of the Product except (a) to administer and manage the business of Company, including administration of the Product, (b) to satisfy applicable legal requirements, (c) to comply with any limited data use or other agreements that may be entered into between Company and Customer, including making “de-identified” patient data, which is cleansed of all patient identifying information under HIPAA, as set forth in 45 C.F.R. § 164.574, or otherwise using and aggregating de-identified patient data for the benefit of Customer and other users of the Product, and (d) in compliance with the terms of Exhibit A, which is intended to include all provisions required in a “business associate contract” under HIPAA. In performing their mutual obligations under this Agreement, Customer and Company will each comply with applicable provisions of HIPAA in their use and disclosure of Patient Data.
2. Data Security Provided by the Company. The Company (through a third party) will host data servers and other mechanisms that will store, protect and provide controlled access to Customer’s Patient Data (the “System”). The System will be physically secure and provide the appropriate technical security measures required for Patient Data and required by law, including current HIPAA regulations. The Company will make best efforts to comply with future HIPAA regulations concerning data security. The Company will also make best efforts to ensure that its policies and procedures regarding the Company’s access to the Patient Data stored on the System respect the privacy and confidentiality of the Patient Data and maintain the overall integrity of the System. The Company will implement policies and procedures consistent with any security standards applicable to it as a business associate under HIPAA.
3. Data Security Provided by the Customer. Customer is independently responsible for protecting the privacy and security of the Patient Data contained on any portable tablet device of Customer or Customer’s Practice Systems. Customer is also independently responsible for timely downloading or otherwise transferring the Patient Data housed on the Company’s hosted data server to Customer’s medical records system, and for determining the amount of Patient Data to be downloaded or otherwise transferred to Customer’s medical records system. Customer will establish and implement, within the appropriate time frame, any privacy and security policies or procedures that are necessary to ensure that Customer’s own operations and its use of the Product satisfy all requirements of HIPAA. The Product is intended to assist with the accuracy of and improve accessibility to the Patient Data, but Customer acknowledges that neither the Product nor the System determine the content of Customer’s medical records or the Patient Data. As with manually kept records, the Product and/or the System may contain errors, whether resulting from incorrect recording of information, software errors, or other causes. Customer and its authorized users are solely responsible for ensuring that errors that may occur in the Patient Data obtained through use of the Product and the System are corrected and that patient care is not compromised on account of such errors. Customer further recognizes and acknowledges that physicians and other authorized users of the Product should use the Product as a resource in the exercise of professional medical judgment and Customer acknowledges that the Company does not practice medicine.
1.
Additional Obligations. You agree to implement any health data privacy practices and protocols provided to you by the Company for use of the Product. You agree to adhere to the requirements for Data Security set forth above. Your failure to do so may result in an immediate termination of your license.
Ownership of the Product. The foregoing license gives you limited license to use the Product. The Company and any of its licensor’s or affiliates retain all right, title and interest, including all copyright and intellectual property rights, in and to, the Product and all copies thereof. All rights not specifically granted in this EULA, including Federal and International Copyrights, are reserved by the Company. You may not remove or alter any trademark, trade names, product names, logo, copyright or other proprietary notices, legends, symbols or labels in or displayed by the Product. This EULA does not authorize you to use the Company’s or its licensors' or affiliates’ names or any of their respective trademarks.
Termination. The license is effective until terminated by you or the Company; provided however, that you must provide the Company with no less than 30 days written notice of your intent to terminate this license (subject to the “Exclusive Remedy” paragraph set forth below). Your rights under this license will terminate automatically without notice from the Company if you fail to comply with any term(s) of this license. Upon termination of the license, you shall cease all use of the Product, and destroy all copies, full or partial, of the Product.
Third Party Services; Third Party Materials. The Product may enable access to the Company’s and third party services and web sites (collectively and individually, "Third Party Services"). Use of Third Party Services may require Internet access and that you accept additional terms of service.
You understand that by using any of the Third Party Services, you may encounter content that may be deemed offensive, indecent, or objectionable, which content may or may not be identified as having explicit language, and that the results of any search or entering of a particular URL may automatically and unintentionally generate links or references to objectionable material. Nevertheless, you agree to use the Third Party Services at your sole risk and that the Company shall not have any liability to you for content that may be found to be offensive, indecent, or objectionable.
Certain Third Party Services may display, include or make available content, data, information, applications or materials from third parties (“Third Party Materials”) or provide links to certain third party web sites. By using the Third Party Services, you acknowledge and agree that the Company is not responsible for examining or evaluating the content, accuracy, completeness, timeliness, validity, copyright compliance, legality, decency, quality or any other aspect of such Third Party Materials or web sites. The Company does not warrant or endorse and does not assume and will not have any liability or responsibility to you or any other person for any Third Party Services, Third Party Materials or web sites, or for any other materials, products, or services of third parties.
You agree that any Third Party Services may contain proprietary content, information and material that is protected by applicable intellectual property and other laws, including but not limited to copyright, and that you will not use such proprietary content, information or materials in any way whatsoever except for permitted use of the Third Party Services. No portion of the Third Party Services may be reproduced in any form or by any means. You agree not to modify, rent, lease, loan, sell, distribute, or create derivative works based on the Third Party Services, in any manner, and you shall not exploit the Third Party Services in any unauthorized way whatsoever, including but not limited to, by trespass or burdening network capacity. You further agree not to use the Third Party Services in any manner to harass, abuse, stalk, threaten, defame or otherwise infringe or violate the rights of any other party, and that the Company is not in any way responsible for any such use by you, nor for any harassing, threatening, defamatory, offensive or illegal messages or transmissions that you may receive as a result of using any of the Third Party Services.
The Company, and its licensor and affiliates, reserve the right to change, suspend, remove, or disable access to any Third Party Services at any time without notice. In no event will the Company be liable for the removal of or disabling of access to any such Third Party Services. The Company may also impose limits on the use of or access to certain Third Party Services, in any case and without notice or liability.
NO WARRANTY: YOU EXPRESSLY ACKNOWLEDGE AND AGREE THAT USE OF THE PRODUCT IS AT YOUR SOLE RISK AND THAT THE ENTIRE RISK AS TO SATISFACTORY QUALITY, PERFORMANCE, ACCURACY AND EFFORT IS WITH YOU. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, THE PRODUCT AND ANY SERVICES PERFORMED OR PROVIDED BY THE PRODUCT ARE PROVIDED "AS IS" AND “AS AVAILABLE”, WITH ALL FAULTS AND WITHOUT WARRANTY OF ANY KIND, AND THE COMPANY HEREBY DISCLAIMS ALL WARRANTIES AND CONDITIONS WITH RESPECT TO THE PRODUCT AND ANY SERVICES, EITHER EXPRESS, IMPLIED OR STATUTORY, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES AND/OR CONDITIONS OF MERCHANTABILITY, OF SATISFACTORY QUALITY, OF FITNESS FOR A PARTICULAR PURPOSE, OF ACCURACY, OF QUIET ENJOYMENT, AND NON-INFRINGEMENT OF THIRD PARTY RIGHTS. THE COMPANY DOES NOT WARRANT AGAINST INTERFERENCE WITH YOUR ENJOYMENT OF THE PRODUCT, THAT THE FUNCTIONS CONTAINED IN, OR SERVICES PERFORMED OR PROVIDED BY, THE PRODUCT WILL MEET YOUR REQUIREMENTS, THAT THE OPERATION OF THE PRODUCT OR SERVICES WILL BE UNINTERRUPTED OR ERROR-FREE, OR THAT DEFECTS IN THE PRODUCT OR SERVICES WILL BE CORRECTED. NO ORAL OR WRITTEN INFORMATION OR ADVICE GIVEN BY THE COMPANY OR ITS AUTHORIZED REPRESENTATIVE SHALL CREATE A WARRANTY. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OF IMPLIED WARRANTIES OR LIMITATIONS ON APPLICABLE STATUTORY RIGHTS OF A CONSUMER, SO THE ABOVE EXCLUSION AND LIMITATIONS MAY NOT APPLY TO YOU.
TO THE EXTENT NOT PROHIBITED BY LAW, IN NO EVENT SHALL THE COMPANY BE LIABLE FOR PERSONAL INJURY, OR ANY INCIDENTAL, SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES WHATSOEVER, INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, LOSS OF DATA, BUSINESS INTERRUPTION OR ANY OTHER COMMERCIAL DAMAGES OR LOSSES, ARISING OUT OF OR RELATED TO YOUR USE OR INABILITY TO USE THE PRODUCT, HOWEVER CAUSED, REGARDLESS OF THE THEORY OF LIABILITY (CONTRACT, TORT OR OTHERWISE) AND EVEN IF THE COMPANY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME JURISDICTIONS DO NOT ALLOW THE LIMITATION OF LIABILITY FOR PERSONAL INJURY, OR OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THIS LIMITATION MAY NOT APPLY TO YOU.
Exclusive Remedy. Your exclusive remedy based on the above is to contact the Company via the applicable product review or request channels provided by the Company. Provided that any non-compliance with the above warranty is reported in writing to the Company no more than ninety (90) days following delivery of the Product to you, the Company may remedy any reported deficiencies in any future replacement, upgrade or supplement of the Product in the Company’s sole discretion. If the Company does not remedy any reported deficiencies as set forth in this paragraph, you shall have the right to terminate this license immediately by delivering written notice to the Company. The Company shall have no responsibility to you if the Product has been altered in any way, or if the Product has been damaged by misuse, accident, abuse, modification or misapplication, or if the failure arises out of use of the Product with any device other than a portable tablet device or computer system with specifications appropriate for use and access of the Product. Any such misuse, accident, abuse, modification or misapplication of the Product will void the warranty above. THIS REMEDY IS THE SOLE AND EXCLUSIVE REMEDY AVAILABLE TO YOU FOR BREACH OF EXPRESS OR IMPLIED WARRANTIES WITH RESPECT TO THE PRODUCT AND RELATED DOCUMENTATION, IF ANY.
Indemnification. YOU AGREE TO INDEMNIFY AND TO HOLD HARMLESS THE COMPANY, AND THE COMPANY’S AGENTS, EMPLOYEES, MEMBERS, MANAGERS, OFFICERS, DIRECTORS, ATTORNEYS, AND THEIR RESPECITIVE SUCCESSORS AND ASSIGNS, FROM ANY CLAIMS, DAMAGES, LOSSES, CAUSES OF ACTION, WHETHER AVAILABLE AT LAW OR EQUITY, ARISING OR RESULTING FROM (1) YOUR FAILURE TO COMPLY WITH THE TERMS OF THIS LICENSE, INCLUDING THE REQUIREMENTS OF HIPAA OR OTHER HEALTH INFORMATION PRIVACY AND SECURITY LAWS AND REGULATIONS; (2) THE USE OF THE PRODUCT; OR (3) FROM THE USE OF ANY DEVICE WHICH USES OR ACCESS THE PRODUCT, BY YOU OR ANY OF YOUR AGENTS, EMPLOYEES, MEMBERS, MANAGERS, OFFICERS, DIRECTORS, SHAREHOLDERS, CUSTOMERS, AND PATIENTS.
Compliance With Laws. You may not use or otherwise export or re-export the Product except as authorized by United States law and the laws of the jurisdiction in which the Product was obtained. In particular, but without limitation, the Product may not be exported or re-exported (a) into any U.S. embargoed countries or (b) to anyone on the U.S. Treasury Department's list of Specially Designated Nationals or the U.S. Department of Commerce Denied Person’s List or Entity List. By using the Product, you represent and warrant that you are not located in any such country or on any such list. You also agree that you will not use these products for any purposes prohibited by United States law, including, without limitation, the development, design, manufacture or production of nuclear, missiles, or chemical or biological weapons.
General
This EULA shall be governed by the internal laws of the State of New Mexico, without giving effect to principles of conflict of laws. You hereby consent to the exclusive jurisdiction and venue of the state courts sitting in Santa Fe County, New Mexico, or the federal courts in the District of New Mexico to resolve any disputes arising under this EULA. In each case this EULA shall be construed and enforced in accordance with the laws of the State of Delaware.
This EULA contains the complete agreement between the parties with respect to the subject matter hereof, and supersedes all prior or contemporaneous agreements or understandings, whether oral or written. You agree that any varying or additional terms contained in any purchase order or other written notification or document issued by you in relation to the Product licensed hereunder shall be of no effect. The failure or delay of the Company to exercise any of its rights under this EULA or upon any breach of this EULA shall not be deemed a waiver of those rights or of the breach.
No Company agent or employee is authorized to make any amendment to this EULA unless such amendment is in writing and signed by a duly authorized representative of the Company.
If any provision of this EULA shall be held by a court of competent jurisdiction to be contrary to law, that provision will be enforced to the maximum extent permissible, and the remaining provisions of this EULA will remain in full force and effect.
All questions concerning this EULA shall be directed to: Seamless Medical Systems, LLC, 560 Montezuma Avenue, Santa Fe, New Mexico, 87501 Attention: President and Chief Executive Officer. For purposes of this EULA, any notice to the Company shall be deemed delivered 3 days after deposit in U.S. Mail, or upon the date of receipt shown on the Return Receipt, if mailed by Certified Mail, Return Receipt Requested, postage prepaid, or upon delivery and read confirmation of any electronic transmission.
BUSINESS ASSOCIATE AGREEMENT
This Business Associate Agreement (“Agreement”) is entered into by and between the “Covered Entity,” “CE” or “Customer” and SEAMLESS MEDICAL SYSTEMS, LLC (the “Business Associate,” “BA” or “Company”), collectively referred to herein the “Parties” or individually as a “Party”.
Background and Purpose.
The Parties have entered into, and may in the future enter into one or more written agreements that may require that Company be provided with, have access to and/or create Protected Health Information (the “Underlying Agreement”) pursuant to which Company may be considered a “Business Associate” of Covered Entity as defined in the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) including all pertinent regulations (45 CFR Parts 160 and 64) issued by the U.S. Department of Health and Human Services (the “HIPAA Regulations”) as either have been amended by Subtitle D of the Health Information Technology of Economic and Clinical Health Act (the “HITECH Act”), as Title XIII of Division A and Title IV of Division B of the American Recovery and Reinvestment Act of 2009, 42 U.S.C. §§ 17921, 17931-17932 & 17934.
Definitions.
Unless otherwise defined in this Agreement, all capitalized terms used in this Agreement shall have the meanings ascribed in the HIPAA Regulations, provided, however, that “PHI” and “ePHI” shall mean Protected Health Information and Electronic Protected Health Information, respectively, as defined in 45 C.F.R. § 160.103, limited to the information Company received from or created or received on behalf of Covered Entity as Covered Entity’s Business Associate. “Privacy Rule” shall mean the Standards of Privacy of Individually Identifiable Health Information at 45 CFR Part 160 and Part 164, Subparts A and E, as amended by the HITECH Act and as may otherwise be amended from time to time.
Permitted Uses and Disclosures by Business Associate.
Except as otherwise limited in the Underlying Agreement and/or this Agreement, Business Associate may use or disclose PHI to perform functions, activities, or services for, or on behalf of, Covered Entity as specified in this Agreement, provided that such use or disclosure would not violate the Privacy Rule or the HITECH Act if done by Covered Entity or the minimum necessary policies and procedures of the Covered Entity, as follows:
a. Permitted Uses. Except as otherwise limited in this Agreement, Business Associate may use PHI for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate. Business Associate shall not use PHI in any manner that would constitute a violation of the Privacy Rule or the HITECH Act if so used by the Covered Entity.
b. Data Aggregation. Business Associate may use PHI to provide Data Aggregation services to Covered Entity as permitted by 45 CFR § 164.504(e)(2)(i)(B) to the extent specifically required under the Agreement.
c. Permitted Disclosures. Business Associate shall not disclose PHI except for the purpose of performing the Business Associate’s obligations under the Underlying Agreement or this Agreement. If Business Associate discloses PHI to a third party, Business Associate must obtain, prior to making any such disclosure, (i) reasonable written assurances from such third party that such PHI will be held confidential as provided pursuant to this Agreement and only disclosed as required by law or for the purposes for which it was disclosed to such third party, and (ii) a written agreement from such third party to notify Business Associate within 24 hours of the discovery of any breaches, as defined in Section (D)(1), or suspected breaches of confidentiality of the PHI.
d. Reporting Violations. Business Associate may use Protected Health Information to report violations of the law to appropriate Federal and State authorities, consistent with 45 C.F.R. § 164.502(j)(1).
Prohibited Uses and Disclosures.
e. Fundraising & Marketing. Business Associate shall not use or disclosure PHI for fundraising or marketing purposes or any other purpose not permitted by this Agreement, the Underlying Agreement or the Privacy Rule or HITECH Act, unless (1) Business Associate obtains the prior written consent of Covered Entity, which such consent shall not be unreasonably withheld but shall be consistent with Covered Entity’s notice of privacy practices and marketing/fundraising policies, and (2) Business Associate seeks and obtains prior authorization for such fundraising or marketing activities from each individual whose PHI is sought to be used by Business Associate for such purposes.
f. Restrictions. Business Associate shall not disclose PHI to a health plan for payment or health care operations purposes if the patient has requested this special restriction, and has paid out of pocket in full for the health care item or service to which the PHI solely relates, as required by 42 U.S.C. § 17935(a).
g. Remuneration. Business Associate shall not directly or indirectly receive remuneration in exchange for PHI, unless Covered Entity obtains a valid Authorization from the Individual including specifications of whether the PHI can be further exchanged for remuneration by the receiving entity or as permitted by the HITECH Act, described in 42 U.S.C. § 17935(d)(2). Business Associate shall not directly or indirectly receive payment in exchange for making certain communications to individuals about a non-healthcare related or third party product or service that encourages the recipient to purchase or use the product or service unless (i) the communication describes only a drug or biologic that is currently being prescribed for the recipient of the communication; or (ii) Covered entity obtained a valid Authorization from the Individual. However, Business Associate can make such a communication on behalf of the Covered Entity, within the scope of the Business Associate contract, and pursuant to Covered Entity’s Notice of Privacy Practices and any valid Authorization from the Individual. This prohibition shall not affect payment by Covered Entity to Business Associate for services provided pursuant to the Underlying Agreement.
h. Re-creation of Information. Business Associate may not use PHI received or created pursuant to the Agreement to create information that is not individually identifiable health information (De-identified Information), unless specifically provided in the Agreement or unless Covered Entity gives its written permission to do so, in writing and in advance.
Obligations and Activities of Business Associate.
i. Compliance. Business Associate shall be directly responsible for full compliance with the relevant requirements of the Privacy Rule and the HITECH Act to the same extent as Covered Entity.
j. Appropriate Safeguards. Business Associate shall implement appropriate safeguards as are necessary to prevent the use or disclosure of PHI and electronic PHI, otherwise than as permitted by the Underlying Agreement or this Agreement, including, but not limited to, administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of the PHI and electronic PHI, in accordance with 45 CFR §§ 164.308, 164.310, and 164.312. Business Associate shall comply with the policies and procedures and documentation requirements of the HIPAA Security Rule, including but not limited to, 45 CFR § 164.316 and the HITECH Act, 42 U.S.C. § 17931.
k. Business Associate’s Agents. Business Associate agrees to ensure that any agent, including a subcontractor, to whom it provides PHI received from, or created or received by Business Associate on behalf of Covered Entity, agrees in writing to the same restrictions and conditions that apply through this Agreement to Business Associate with respect to such information. This provision shall not, however, be deemed to provide Business Associate with a right to assign or subcontract its responsibilities, except as specifically provided in the Underlying Agreement. In the event Business Associate creates, maintains, receives or transmits electronic PHI on behalf of the Covered Entity, Business Associate shall implement the safeguards required by the Section 4(B) above with respect to electronic PHI. Business Associate shall implement and maintain sanctions against agents and subcontractors, if any, that violate such restrictions and conditions. Business Associate shall terminate any agreement with an agent or subcontractor, if any, who fails to abide by such restrictions and obligations.
l. Duties of Business Associate Involving Breach or Unauthorized Access, Use or Disclosure of PHI.
Discovery of Breaches. A Breach shall be treated as discovered by Business Associate as of the first day on which such Breach is known to the Business Associate, or by exercising reasonable diligence would have been known to the Business Associate.
Reporting of Improper Access, Use or Disclosure. Business Associate shall promptly report to Covered Entity in writing of any access, use or disclosure of PHI not permitted by this Agreement or the Underlying Agreement, and any Breach of Unsecured PHI of which it becomes aware. Written notice shall contain: (a) the date of discovery of the Breach; (b) a listing of the identification of individuals and/or classes of individuals who are subject to the Breach; and (c) a general description of the nature of the Breach. Business Associate shall provide Covered entity with updates of information concerning the details of such Breach and the final results of its Risk Assessment as required in Section 4(D)(4) as needed to ensure that such information remains current.
Notification of Breach. Business Associate shall notify Covered Entity promptly after discovery of any suspected or actual breach of security, intrusion or unauthorized use or disclosure of PHI of which Business Associate becomes aware and/or any actual or suspected use or disclosure of data in violation of any applicable federal or state laws or regulations. Business Associate shall take prompt corrective action to cure any such deficiencies and any action pertaining to such unauthorized disclosure required by applicable federal and state laws and regulations.
Risk Assessment and Investigation. Business Associate shall perform an appropriate risk assessment immediately following the discovery of any unauthorized access, use or disclosure of PHI to determine whether use, access, or disclosure is one that “poses a significant risk of financial, reputational, or other harm to the individual.” In performing the Risk Assessment, Business Associate should consider a combination of factors such as: (a) who impermissibly used the PHI or to whom the PHI was impermissible disclosed; (b) was the impermissibly disclosed PHI returned prior to it being accessed for improper purpose; and (c) the type and amount of PHI involved in the impermissible use or disclosure. The results of such Risk Assessment shall be provided to Covered Entity in writing without unreasonable delay and in no case later than 30 days from the date of discovery of the unauthorized access, use or disclosure, unless the Parties mutually agree to extend such 30 day deadline or if a law enforcement official determines that a notification would impede investigation or cause damage to national security. In addition to the Risk Assessment conducted by Business Associate, Covered Entity reserves the right to conduct its own investigation of any unauthorized access, use or disclosure of PHI occurring at any facility, site or location of Business Associate, its agents or subcontractors or through any systems under the control of the Business Associate, its agents or subcontractors. Business Associate shall cooperate with Covered Entity to conduct such investigation. Covered Entity agrees to provide advance notice of such investigation and to protect the confidentiality of all confidential and proprietary information of Business Associate to which Covered Entity has access during the course of such investigation.
Mitigation of Harm. In the event of a Breach of Unsecured PHI, Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of the requirements of this Agreement or the Underlying Agreement, such as promptly obtaining assurance from the recipient that the information will not be further used or disclosed in a confidentiality agreement or will be destroyed.
Notification to the Individual. It is the sole responsibility of the Covered Entity to notify its patients of any breach of PHI. At no time is the Business Associate to contact or speak directly to any of Covered Entity’s patients/individuals who are the subject of any Breach. Any such inquiries should be directed to the Covered Entity’s Compliance and/or Privacy Officer. Business Associate shall cooperate with Covered Entity as necessary to provide such notification and any details pertaining to any Breach of PHI.
Cooperation of Law Enforcement. Business Associate shall cooperate with Covered Entity in the event law enforcement officials institute an investigation that involves a Breach of PHI under this Agreement.
Notification to Media. For a Breach of Unsecured PHI involving more than 500 individuals, it is solely the responsibility of Covered Entity to notify the media and appropriate law enforcement and federal and state agencies as required by the HITECH Act, 45 CFR § 164.406. At no time is the Business Associate to contact or speak directly to the media without the prior authorization of Covered Entity. Business Associate shall cooperate with Covered Entity as necessary to provide such notification to the media.
Unsuccessful Security Incidents. The parties agree that this section satisfies any notices necessary by Business Associate to Covered Entity of the ongoing existence and occurrence of attempted, but Unsuccessful Security Incidents. For purposes of this Section, “Unsuccessful Security Incidents” shall mean activity such as pings and other broadcast attacks on firewalls, port scans, unsuccessful log-on attempts, denials of service and any combination of the above, so long as no such incident results in unauthorized access, use or disclosure of electronic PHI.
m. Access to PHI. Business Associate agrees to provide access, at the request of Covered Entity, and in a time and manner mutually agreed upon by both parties, to PHI in a Designated Record Set, to Covered Entity or, as directed by Covered entity, to an Individual in order to meet the requirements under 45 CFR § 164.524.
n. Governmental Access to Records. Business Associate agrees to make its internal practices, books, and records, including policies and procedures relating to the use and disclosure of PHI received from, or credit or received by Business Associate on behalf of, Covered Entity available to the Covered Entity, or to the Secretary, for purposes of the Secretary determining Covered Entity’s compliance with the Privacy Rule.
o. Minimum Necessary. Business Associate agrees to use, disclose, and request (i) to the extent practicable, only the limited data set of PHI excluding direct identifiers, as defined in 45 C.F.R. § 164.514(e)(2) of the Privacy Rule; or, if needed by the entity, (ii) the minimum necessary PHI to accomplish the intended purpose of the use, disclosure, or request based on the Underlying Agreement. Business Associate agrees that prior to a disclosure, Business Associate shall determine what constitutes minimum necessary PHI to accomplish the intended purpose.
p. Data Ownership. Business Associate acknowledges that Business Associate has no ownership rights with respect to the PHI, other than those ownership rights set forth in the Underlying Agreement.
q. Amendments of PHI. Business Associate agrees to make any amendment(s) to PHI in a Designated Record Set that the Covered Entity directs or agrees to pursuant to 45 CFR § 164.526 at the request of Covered Entity or an Individual, in a time and manner mutually agreed upon by both parties.
r. Accounting of Disclosures. Business Associate and its agents or subcontractors shall make available to Covered Entity the information required to provide an accounting of disclosures to enable Covered Entity to fulfill its obligations under the privacy Rule and the HITECH Act as determined by Covered Entity. Business Associate agrees to implement a process that allows for an accounting to be collected and maintained by Business Associate and its agents or subcontractors for at least six years prior to the request. However, accounting of disclosures from an Electronic Health Record for treatment, payment or health care operations purposes are required to be collected and maintained for only three years prior to the request, and only to the extent that Business Associate maintains an electronic health record and is subject to this requirement. At a minimum, the information collected and maintained shall include: (i) the date of disclosure; (ii) the name of the entity or person who received the PHI and if known, the address of the entity or person; (iii) a brief description of PHI disclosed; and (iv) a brief statement of purpose of the disclosure that reasonably informs the individual of the basis fro the disclosure, or a copy of the individual’s authorization or a copy of the written request for disclosure.
Term and Termination.
s. Term. The Obligations of Business Associate set forth herein shall commence on the Effective Date and shall terminate when the Underlying Agreement terminates and all of the PHI provided by Covered Entity to Business Associate, or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity, or, if it is infeasible to return or destroy PHI, the terms of this Agreement are extended to cover such information and survive termination of this Agreement.
t. Termination With Cause. A breach by either Party, or its agents or subcontractors, if any, of any provision of this Agreement, as reasonably determined by the other Party, shall constitute a material breach of this Agreement. If a Party breaches this Agreement, the other Party may, in its discretion: (i) immediately terminate this Agreement; (ii) provide an opportunity for the other Party to cure the breach or end the violation and terminate this Agreement if the other Party does not promptly cure the breach within a period not to exceed fourteen (14) days; or (iii) report the violation to the Secretary if neither termination nor cure is feasible.
u. Immediate Termination. Either Party may terminate this Agreement effective immediately if (i) the other Party is named as a defendant in a criminal proceeding for a violation of the Privacy Rule, HIPAA, HITECH or other security or privacy laws, or (ii) there is a finding or stipulation that the other Party has violated any standard or requirement of the Privacy Rule, HIPAA, HITECH, or other security or privacy laws in any administrative or civil proceeding in which the Party is involved.
v. Termination of Underlying Agreements. If this Agreement is terminated by a Party for cause, that Party may also terminate any and all agreements between Covered Entity and Business Associate, including the Underlying Agreement between Covered Entity and Business Associate.
w. Effect of Termination.
Except as provided in Section 5(D)(2) of this Agreement, upon termination of the Agreement, for any reason, Business Associate shall return or destroy all PHI received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity. This provision shall apply to PHI that is in the possession of subcontractors or agents of Business Associate. Business Associate shall retain no copies of the PHI.
In the event that Business Associate determines that returning or destroying the PHI is infeasible, Business Associate shall provide to Covered Entity notification of the conditions that make return or destruction infeasible. Business Associate shall extend the protections of this Agreement to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such PHI.
The provisions of this Section shall survive termination of this Agreement.
x. Remedies In Event of Breach. Business Associate expressly acknowledges and agrees that the breach, or threatened breach, by it of any provision of this Agreement may cause Covered Entity to be irreparably harmed and that Covered Entity may not have an adequate remedy at law. Therefore, Business Associate agrees that upon such breach, or threatened breach, Covered Entity will be entitled to seek injunctive relief to prevent Business Associate from commencing or continuing any action constituting such breach without having to post a bond or other security and without having to prove the inadequacy of any other available remedies. Nothing in this Section will be deemed to limit or abridge any other remedy available to Covered Entity at law or in equity. The provisions of this Section shall survive termination of this Agreement.
Obligations of Covered Entity to Inform Business Associate of Privacy Practices and Individual Restrictions.
y. Notice of Privacy Practices. Covered Entity shall provide Business Associate with the notice of privacy practices that Covered Entity produces in accordance with 45 CFR § 164.520, as well as any changes to such notice.
z. Changes in Permitted Use. Covered Entity shall provide Business Associate with written notice of any changes in, or revocation of, permission by Individual to use or disclose PHI, if such changes affect Business Associate’s permitted or required uses and disclosures.
aa. Restrictions of Use. Covered Entity shall notify Business Associate of any restriction to the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 CFR § 164.522 and HITECH § 13405(a).
bb. Permissible Requests. Covered Entity shall not request Business Associate to use or disclose Protected Health Information in any manner that would not be permissible under the Privacy Rule or HITECH Act if done by Covered Entity, unless the Underlying Agreement includes provisions for, data aggregation or management and administrative activities of Business Associate.
General Provisions.
cc. Regulatory References. A reference in this Agreement to a section in the Privacy Rule and HITECH Act means the section as in effect or as amended during the Term of this Agreement.
dd. Amendment. If any modification to this Agreement is Required by Law or required by HITECH or any other federal or state law affecting this Agreement, or if Covered Entity reasonably concludes that an amendment to this Agreement is needed because of a change in federal or state law or industry standards, Covered Entity shall notify Business Associate of such proposed modifications (“Legally Required Modifications”). Such Legally Required Modifications shall be deemed accepted by Business Associate and this Agreement so amended if Business Associate does, not, within thirty (30) calendar days following the date of the notice (or within such other time period as may be mandated by applicable state or federal law), deliver to Covered Entity its written rejection of such Legally Required Modifications. With regard to any amendments to this Agreement that are not Legally Required Modifications, this Agreement shall be changed, modified or amended only by an instrument in writing signed by a duly authorized representative of each of the Parties, effective as of the date stipulated therein and attached hereto.
ee. Survival. The respective rights and obligations of Business Associate with respect to PHI shall survive the termination of this Agreement.
ff. Interpretation. Should there by any conflict between the language of this Agreement and any other Agreement entered into between the Parties, the language of an provisions of this Agreement shall control and prevail unless the Parties specifically refer in a subsequent written agreement to this Agreement by its title and date and specifically state that the provisions of the later written agreement shall control over this Agreement. Any ambiguity in this Agreement shall be solved to permit Covered Entity to comply with the Privacy Rule and HITECH Act.
gg. Governing Law. This Agreement shall be construed in accordance with, interpreted and governed by the laws of the State of New Mexico without regard to any other state’s conflicts of law provisions. Any action or proceeding regarding this Agreement shall be instituted and conducted in the County where Business Associate is located. The provisions of this Section 8(E) shall survive the termination of this Agreement.
hh. Notices. Any notices required or permitted hereunder shall be sufficiently given if sent by registered or certificated mail, postage prepaid, or personally delivered, addressed or delivered to the addresses set forth below in the signatures of this Agreement or to such other addresses as shall be furnished in writing by either party to the other party; and any such notice shall be deemed to have been given, if mailed, as of the date mailed, and, if personally delivered, as of the date delivered. Notices pertaining to unauthorized use or access of PHI or Breaches of PHI shall be submitted to the Covered Entity’s Compliance and/or Privacy Officer with contact information of Business Associate’s designated representative responsible for investigating such incidents.
ii. Entire Agreement. This Agreement contains the entire understanding between Business Associate and Covered Entity regarding the subject matter hereof, and shall supersede any other oral or written discussions, agreements, understandings, and representations between the Covered Entity and Business Associate of every kind and nature, including any provision in any former Business Associate Agreement between the parties. No modification, addition to or waiver of any right, obligation or default shall be effective unless in writing and signed by the party against whom the same is sought to be enforced. No delay or failure of either party to exercise any right or remedy available hereunder, at law or in equity, shall act as a waiver of such right or remedy, and any waiver shall not waive any subsequent right, obligation or default.
jj. Severability. If any provision of this Agreement is determined by a court of competent jurisdiction to be invalid, void, or unenforceable, the remaining provisions of this Agreement shall continue in full force and effect.
Except as set forth specifically above, the terms of the Underlying Agreement remain in full force and effect.
IN WITNESS WHEROF, the parties have hereunto caused this Agreement to be executed by their respective duly authorized representatives as of the date set forth below.
