CLIENT SERVICE AGREEMENT MASTER TERMS & CONDITIONS
(VER 2.1 EFFECTIVE November 1, 2022)
READ THE AGREEMENT CAREFULLY! IT CONTAINS LEGALLY BINDING OBLIGATIONS AND VERY IMPORTANT INFORMATION ABOUT THE CLIENT’S RIGHTS AND OBLIGATIONS, AS WELL AS LIMITATIONS AND EXCLUSIONS THAT MAY APPLY TO THE CLIENT. BY CLICKING ON THE “I AGREE” BUTTON ON THE SUBSCRIPTION FORM, THE CLIENT AGREES, ACCEPTS AND CONSENTS TO BE BOUND BY AND BECOMES A PARTY TO THE AGREEMENT. IF THE CLIENT DOES NOT AGREE TO ALL OF THE TERMS OF THE AGREEMENT, CLICK THE “I DO NOT AGREE” BUTTON. IF THE CLIENT DOES NOT AGREE TO THE AGREEMENT, THE CLIENT MAY NOT PURCHASE THE SERVICES OR USE THE SERVICES OR PLATFORM.
Section 1 – DEFINITION OF TERMS
The following terms have the following meanings:
1.1 “Authorized Users” means officers, directors, managers, members, health care providers, and other employees, independent contractors, agents and representatives of or affiliated with the Client who have been designated by the Client from time to time pursuant to the Subscription to use the Services and Platform, subject to any limitations or restrictions set forth in the Subscription Form.
1.2 “Billing Period” means, unless otherwise provided in the Subscription Form or these Terms & Conditions, the period from the date within a calendar month until the date immediately preceding the same date in the next succeeding calendar month (or, if none, the last day of such succeeding calendar month). (By way of example, the period from January 15 through the following February 14 constitutes a Billing Period and the period from January 31 through the following February 28 constitutes a Billing Period.) The first Billing Period will begin on the date that the Client’s Subscription begins.
1.3 “Feedback” means feedback, suggestions, improvements, and recommendations regarding the Services and Platform.
1.4 “Patient” means an individual (or his or her authorized representative) who seeks to receive or does receive health care services or information from a Client or Authorized User by use of the Platform.
1.6 “Subscription Term” means the time from the date the Subscription commences until the effective date of its termination as provided in Section 8 of these Terms & Conditions (unless earlier terminated). Unless otherwise provided in the Subscription Form, the Subscription Term commences on the date the Client clicks the “I Agree” button on the Subscription Form.
Section 2 – THE SERVICES
2.1 Services. (a) During the Subscription Term, MediSprout will provide the Services and Platform to the Client for use by the Client, Authorized Users and Patients in accordance with and subject to the Agreement and the documentation included within the Platform. Client’s rights to access and use the Services and Platform are limited to the Subscription Term. The Services include without limitation making the Platform available to the Client, Authorized Users and Patients by which (1) the Client and Authorized Users may communicate with each other, (2) the Client and Authorized Users, on the one hand, and Patients, on the other, may communicate with each other, (3) if and when available, Client, Authorized Users and Patients may transmit, receive, access and store PHI (hereinafter defined) and other data, (4) if and when available, MediSprout may provide to the Client and Authorized Users data and data analysis, and (5) if and when available, MediSprout may provide to the Client, Authorized Users and Patients clinical education, guidance, research, recommendations or other information, provided that MediSprout does not and will not provide medical advice or services.
(b) MediSprout may from time to time make available data, information, material, products or services provided by third parties (“Third Party Services”) to assist, enhance or supplement the provision of the Services. As used in the Agreement, “Services” refers only to services provided by MediSprout and does not include Third Party Services even if such Third Party Services are included in any fees paid to MediSprout by Client, Authorized Users, Patients or others or are included in the Subscription Form.
2.2 Provision of Services. In providing the Services, MediSprout will
(a) host, operate, maintain, and support the Platform such that the Platform will perform in all material respects substantially in accordance with the Agreement and the documentation included in the Platform. The Client will timely notify MediSprout of any failure of the Platform to so perform known to the Client. If any failure of the Platform occurs, MediSprout’s only obligation is to use reasonable efforts to correct or provide a workaround for such failure within a commercially reasonable time, or if such correction or workaround is not possible in a commercially reasonable time, to refund the portion of the Subscription Fee paid by the Client for the specific non-conforming service during the period of non-conformance;
(b) from time to time provide to the Client, Authorized Users and Patients procedures by which the Client, Authorized Users and Patients may obtain access to and use the features and functions of the Platform, including, but not limited to, login information, accounts, access codes, account names and passwords, authentication protocols, websites, connectivity standards and protocols;
(c) provide to the Client, Authorized Users and Patients technical support to assist with the use of the Platform. MediSprout will serve as the sole point of contact and provider of technical support for all inquiries and requests for technical support with respect to the operation of the Platform from the Client’s personnel, Authorized Users and Patients. MediSprout may from time to time change the scope of, service levels of, services provided by, and methods of accessing, such technical support and make changes to the Platform without any adjustment to the Subscription Fee, without any liability for any of such changes and (1) if any such change would not reasonably be expected to materially adversely affect Clients, Authorized Users and Patients generally, without prior notice, and (2) if any such change would reasonably be expected to materially adversely affect Clients, Authorized Users and Patients generally, then with at least thirty (30) days’ prior notice to the Client before it does so and, if the Client does not accept such change, then the Agreement will terminate thirty (30) days after the Client declined to accept such change. (If the Client fails to respond within thirty (30) days after such notice, the Client will be deemed to have accepted such change.) MediSprout will make commercially reasonable efforts to provide a timely response and suggested solutions to all such inquiries and support requests. Such technical support will include providing generally accessible online instructions (e.g., “Frequently Asked Questions”) and individualized help to resolve access and account management (e.g., login) or other technical issues and proposing (where known and available) a solution or fix for the issue. Certain changes to such technical services or to the Platform may require an adjustment to the Subscription Fee to which the Client will have to agree before such changes are implemented; and
(d) from time to time make available and implement upgrades, enhancements and error corrections to the Platform when such upgrades, enhancements and error corrections are generally made available to MediSprout’s other clients who are receiving the same or substantially similar Services.
2.3 Client Responsibilities Generally. (a) The Client will
(1) as between the Client and MediSprout, be solely responsible for notifying Authorized Users and Patients that they may access the Platform;
(3) encourage and facilitate use of the Platform by Authorized Users and Patients;
(4) as between the Client and MediSprout, be solely responsible for (A) the accuracy and completeness of medical advice provided by the Client or any Authorized User or of Patient data, (B) the performance of the information technology systems of the Client, any Authorized User or any Patient, (C) use of the Platform and the Patient data obtained through the Platform by the Client, any Authorized User or any Patient, including but not limited to any treatment recommendations or decisions made by the Client, any Authorized User or any Patient or, if not an Authorized User, any employee, consultant, medical staff member or agent of the Client or an Authorized User in reliance on Patient data obtained through the Platform, (D) any act and omission of the Client, an Authorized User or a Patient in connection with its use of the Platform, (E) the accuracy, quality, content, integrity and legality of the relationships and communications among the Client, Authorized Users and Patients when using the Platform, (F) the decision by the Client, an Authorized User or a Patient that the use of the Platform is appropriate for the evaluation of and communication with a Patient, and (G) the decision by the Client or an Authorized User that the use of the Platform between or among the Client and Authorized Users is appropriate for the evaluation and communication of medical or Patient data;
(5) not participate in, aid or encourage unauthorized access to or use of the Platform;
(6) use commercially reasonable efforts to prevent any unauthorized access to or use of the Platform, and notify MediSprout promptly of any such unauthorized access or use of which it becomes aware;
(7) use the Services and Platform only in accordance with and as expressly permitted by the Agreement, the documentation included in the Platform and applicable laws and regulations and, without limitation of the foregoing, only use the Services and Platform to use and exploit functionality made available to the Client by MediSprout; and
(8) reasonably cooperate with MediSprout as necessary for MediSprout to provide the Services and Platform and perform its obligations under the Agreement.
(b) The Client will not directly or indirectly (and will not retain, assist, solicit or encourage others to directly or indirectly)
(1) make the Services or Platform available to any third party other than Authorized Users and Patients or only as necessary to use Third Party Services;
(2) resell, lease, distribute, transfer or otherwise make available the Services or Platform except in accordance with the Agreement;
(3) use the Platform to store or transmit infringing, libelous, malicious or otherwise unlawful or tortious material, or to store or transmit material or information (including PHI) in violation of the rights of others;
(4) use the Services or Platform to store or transmit malicious code;
(5) use or access the Services or Platform in any way that threatens the integrity, performance, or availability of the Services or Platform or any data therein;
(6) attempt to gain unauthorized access to the Services or Platform or to the communications or data processed or transmitted through the Platform or Services or stored on the Platform;
(7) decompile, disassemble, or reverse engineer the Services or Platform, in whole or in part; or
(8) use or access the Services or Platform to create (or have created by a third party) a competing or similar service or platform, or to copy any features of the Services or Platform including but not limited to visual appearance, site design and workflows.
The Client will take reasonable actions (including such reasonable actions as MediSprout may request from time to time) to deter and prevent Authorized Users and Patients from taking any of the actions described in Sections 2.3(b)(1) through (8).
(c) Without limitation of its other rights and remedies, MediSprout may (but is not obligated to) restrict or prohibit use of or access to the Services and Platform, or the communications or data processed or transmitted through the Platform, by the Client, an Authorized User, a Patient or a third party if MediSprout reasonably suspects that the use of or access to the Platform by the Client, Authorized User, Patient or third party is not in compliance with the Agreement, the documentation included within the Platform or applicable laws or regulations, or otherwise threatens the Services, Platform or the communications or data processed or transmitted through the Platform. However, MediSprout will have no liability if it does not restrict or prohibit such use or access.
Section 3 – FEES AND PAYMENTS
3.1 Subscription Fees. (a) To the extent provided in the Subscription Form, the Client has agreed to pay a subscription fee (“Subscription Fee”) for the Services and a fee for Third Party Services (“Third Party Service Fee”) (such Subscription Fee and Third Party Service Fee collectively, the “Fees”).
(b) The Client will, in order to pay the Fees, maintain with MediSprout a valid credit card and hereby authorizes MediSprout to charge to such card the amount of the Fees when due. Unless otherwise provided in the Subscription Form, the Fees incurred in any Billing Period will be due on the first day following the end of such Billing Period. If any such credit card charge is not completed and paid in full for any reason (other than MediSprout’s failure to properly submit information necessary to process such charge), then the Client will immediately pay such amount to MediSprout together with an administrative fee of $100.00. Not less often than monthly, MediSprout will provide to the Client a statement showing each charge MediSprout makes to such credit card.
(c) MediSprout may from time to time change the amount of any Fee or any other fee or charge under the Agreement. It will provide at least thirty (30) days’ prior notice to the Client before it does so. If the Client does not accept the change, then the Agreement will terminate thirty (30) days after the Client declined to accept such change. If the Client fails to respond within thirty (30) days after such notice, the Client will be deemed to have accepted the change.
3.2 Payments Generally. (a) The Client will pay when due all amounts owed by it to MediSprout as provided in the Agreement.
(b) If any amount owed by the Client to MediSprout under the Agreement (in respect of any Fee or otherwise) remains unpaid for more than five (5) days after it is due, then, without limitation of its other rights and remedies as provided in the Agreement or by law, (1) MediSprout may charge a late charge at the rate of 1% per month (or portion thereof without proration), which the Client also agrees to pay with such unpaid amount, and (2) MediSprout may suspend its provision of the Services and access to and use of the Platform by the Client and Authorized Users until the Client has paid the full balance owed (including any administrative processing fees and late charges). If any payment by the Client is made by check and such check is returned for any reason, then the Client will pay an additional fee of $100.00. All Fees and other amounts paid by the Client under the Agreement are non-refundable.
(c) Fees and other amounts payable by the Client to MediSprout under the Agreement do not include any taxes of any jurisdiction that may be assessed or imposed upon the Services, Platform or Third Party Services, including but not limited to sales, use, excise, value added, personal property, export, import and withholding taxes. The Client will directly pay any such taxes assessed (excluding only taxes based upon MediSprout’s net income). The Client will promptly reimburse MediSprout for any such taxes which may be paid by MediSprout. If the Client has provided MediSprout with proof of its tax exempt status and the Client’s tax exempt status changes, the Client will notify MediSprout immediately of such change and the Client will be liable for all such taxes. If the Client fails to notify MediSprout of such change, the Client will be liable for the payment of any tax related penalties or interest assessed against MediSprout or the Client as a result of such failure.
(d) The Client will provide any necessary authorizations to allow MediSprout to make charges against its credit card in accordance with the Agreement and will update its credit card information with MediSprout as necessary.
(e) Client will pay all costs of enforcement by MediSprout of the payment of amounts owed by the Client to MediSprout, including but not limited to any court costs and reasonable attorneys’ fees.
Section 4 – EXCLUSIONS AND LIMITATIONS OF WARRANTIES; FORCE MAJEURE
4.1 Exclusions and Limitations of Warranties. (a) EXCEPT AS OTHERWISE EXPRESSLY STATED IN THE AGREEMENT, THE SERVICES AND PLATFORM ARE PROVIDED “AS IS” AND “AS AVAILABLE”. MEDISPROUT MAKES NO REPRESENTATIONS OR WARRANTIES, ORAL OR WRITTEN, EXPRESS OR IMPLIED, ARISING FROM COURSE OF DEALING, COURSE OF PERFORMANCE, USAGE OF TRADE, OR OTHERWISE, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, NON-INTERFERENCE, OR NON-INFRINGEMENT. MEDISPROUT MAKES NO REPRESENTATIONS OR WARRANTIES, NOR SHALL MEDISPROUT HAVE ANY LIABILITY, WITH RESPECT TO THIRD PARTY SERVICES. MEDISPROUT MAKES NO REPRESENTATIONS OR WARRANTIES THAT THE SERVICES OR PLATFORM WILL MEET THE REQUIREMENTS OF THE CLIENT, AN AUTHORIZED USER OR A PATIENT OR THAT THE PROVISION OF THE SERVICES OR THE OPERATION OF THE PLATFORM WILL BE UNINTERRUPTED, TIMELY, SECURE, OR ERROR FREE. NO ORAL ADVICE OR WRITTEN INFORMATION GIVEN BY MEDISPROUT OR ITS EMPLOYEES, LICENSORS, AGENTS OR REPRESENTATIVES WILL CREATE A WARRANTY. ANY ACCESS TO OR USE OF THE SERVICES AND PLATFORM IS VOLUNTARY AND AT THE SOLE RISK OF THE USER.
(b) MEDISPROUT WILL HAVE NO LIABILITY WITH RESPECT TO ANY PERFORMANCE PROBLEM, DELAY, OR OTHER MATTER TO THE EXTENT ATTRIBUTABLE TO ANY UNAUTHORIZED OR IMPROPER USE OR MODIFICATION OF THE SERVICES OR PLATFORM, ANY UNAUTHORIZED COMBINATION WITH OTHER SERVICES, PLATFORMS, SOFTWARE, HARDWARE, OR TECHNOLOGY, ANY ACT OR OMISSION BY THE CLIENT, AN AUTHORIZED USER, A PATIENT OR OTHER THIRD PARTY, CELLULAR, WIRELESS OR WIRED CONNECTIONS, OR THE INTERNET. AS BETWEEN THE CLIENT AND MEDISPROUT, THE CLIENT IS SOLELY RESPONSIBLE FOR ALL COMMUNICATIONS (INCLUDING THE CONTENT OF COMMUNICATIONS) AMONG THE CLIENT, AUTHORIZED USERS, PATIENTS OR ANY OTHER THIRD PARTY, ANY FAILURE BY THE CLIENT, AN AUTHORIZED USER OR PATIENT TO KEEP A SCHEDULED APPOINTMENT, OR THE RESULTS OBTAINED FROM THE USE OF, OR RELIANCE ON, THE SERVICES AND PLATFORM.
(c) MEDISPROUT WILL HAVE NO LIABILITY WITH RESPECT TO ANY ACTIONS, OMISSIONS, SERVICES OR PRODUCTS OF THIRD PARTIES (INCLUDING BUT NOT LIMITED TO (1) THIRD PARTIES WHO PROVIDE OR RECEIVE DATA (INCLUDING PHI) THROUGH, TO OR FROM MEDISPROUT, OR WHO PROVIDE OR RECEIVE DATA (INCLUDING PHI) TO OR FROM ANY HEALTH CARE PROVIDER, FACILITY, PATIENT OR AUTHORIZED USER, AND (2) AUTOMATED INTERFACES OR OTHER CONNECTIONS OF THIRD PARTIES AND AUTOMATED SYSTEMS OF THIRD PARTIES WHICH ACCESS, RETRIEVE OR PROVIDE DATA (INCLUDING BUT NOT LIMITED TO PHI)).
(e) MEDISPROUT MAKES NO REPRESENTATION OR WARRANTY AS TO, OR ANY ENDORSEMENT OF, THE CLIENT, ANY HEALTH CARE PROVIDER, FACILITY, AUTHORIZED USER OR OTHER THIRD PARTY, THE QUALIFICATIONS, CREDENTIALS OR ABILITIES OF THE CLIENT, ANY HEALTH CARE PROVIDER, FACILITY, AUTHORIZED USER OR OTHER THIRD PARTY, THE QUALITY OF SERVICES PROVIDED BY THE CLIENT, ANY HEALTH CARE PROVIDER, FACILITY, AUTHORIZED USER OR OTHER THIRD PARTY OR THAT ANY PARTICULAR MEDICATION OR TREATMENT IS SAFE, APPROPRIATE OR EFFECTIVE FOR A PARTICULAR PATIENT. MEDISPROUT HAS NO OBLIGATION TO VERIFY THE QUALIFICATIONS, CREDENTIALS OR ABILITIES OF THE CLIENT, ANY HEALTH CARE PROVIDER, FACILITY, AUTHORIZED USER OR OTHER THIRD PARTY AND MEDISPROUT WILL HAVE NO LIABILITY IF ANY HEALTH CARE PROVIDER, FACILITY, AUTHORIZED USER OR OTHER THIRD PARTY LACKS APPROPRIATE QUALIFICATIONS, CREDENTIALS OR ABILITIES TO PROVIDE THE SERVICES THE CLIENT, SUCH HEALTH CARE PROVIDER, FACILITY OR OTHER THIRD PARTY IS PROVIDING.
(f) MEDISPROUT DOES NOT CONTROL, SUPPLY, ENDORSE OR WARRANT ANY THIRD PARTY SERVICES OR ANY INFORMATION, MEDICAL ADVICE, PRODUCTS, SERVICES OR MERCHANDISE SUPPLIED BY THE CLIENT, ANY HEALTH CARE PROVIDER, FACILITY, AUTHORIZED USER OR OTHER THIRD PARTY.
(g) NEITHER THE SERVICES NOR THE PLATFORM PROVIDED BY MEDISPROUT CONSTITUTES MEDICAL ADVICE.
(h) MediSprout does not warrant that data that is transmitted by or received from third parties through the Services or the Platform will be free of infections or viruses, worms, Trojan horses or other code that contains contaminating or destructive properties.
(i) MediSprout and its technology service providers cannot and do not warrant against errors, omissions, delays, interruptions or losses, including loss of data. The use of the Services and Platform by the Client and Authorized Users is at the Client’s own discretion and risk, and the Client is solely responsible for any damages to its devices or loss of data that results from the use of the Services or Platform. Users of the Services and Platform are responsible for maintaining a means external to the Services and Platform for the reconstruction of any lost data.
(j) TO THE FULLEST EXTENT PERMITTED BY LAW, IN NO EVENT WILL MEDISPROUT BE LIABLE TO ANY PARTY IN PRIVITY TO THE AGREEMENT OR ANY THIRD PARTY FOR ANY DIRECT, INDIRECT, PUNITIVE, EXEMPLARY, INCIDENTAL, SPECIAL OR CONSEQUENTIAL DAMAGES OF ANY KIND (WHETHER IN CONTRACT, TORT (INCLUDING NEGLIGENCE), OR OTHERWISE), STRICT LIABILITY OR OTHER THEORY, INCLUDING DAMAGES FOR LOSS OF PROFITS, USE OR DATA, LOSS OF OTHER INTANGIBLES, LOSS OF SECURITY OF SUBMISSIONS (INCLUDING UNAUTHORIZED INTERCEPTION BY THIRD PARTIES OF ANY SUBMISSIONS) RELATING TO OR ARISING OUT OF THE AGREEMENT, OR THE USE OF, OR THE INABILITY TO USE, THE SERVICES OR PLATFORM, INCLUDING BUT NOT LIMITED TO ANY INFORMATION OR DATA MADE AVAILABLE THROUGH THE SERVICES OR PLATFORM, ANY THIRD PARTY SERVICES OR ANY SERVICES PERFORMED BY THE CLIENT, ANY AUTHORIZED USER, ANY OTHER HEALTH CARE PROVIDER OR OTHER THIRD PARTY (INCLUDING BUT NOT LIMITED TO CLAIMS OF MEDICAL MALPRACTICE AGAINST THE CLIENT, ANY AUTHORIZED USER, OTHER HEALTH CARE PROVIDER OR OTHER THIRD PARTY), EVEN IF MEDISPROUT IS ADVISED BEFOREHAND OF THE POSSIBILITY OF SUCH DAMAGES, EXCEPT AS PROVIDED IN SECTIONS 2.2(A) AND 7.1 OF THESE TERMS & CONDITIONS. MEDISPROUT’S TOTAL LIABILITY FOR ANY REASON OR CAUSE UNDER THE AGREEMENT OR IN RESPECT OF THE SERVICES OR PLATFORM WILL UNDER NO CIRCUMSTANCES EXCEED THE AMOUNT OF THE SUBSCRIPTION FEES ACTUALLY PAID BY THE CLIENT TO MEDISPROUT IN THE THREE (3) BILLING PERIODS (OR PORTION THEREOF) PRECEDING THE EVENT GIVING RISE TO THE CLAIM OF LIABILITY.
(k) NO ACTION OR CLAIM OF ANY TYPE RELATING TO THE AGREEMENT MAY BE BROUGHT OR MADE BY THE CLIENT MORE THAN ONE YEAR AFTER THE CLIENT FIRST HAD OR SHOULD HAVE HAD KNOWLEDGE OF THE BASIS FOR THE ACTION OR CLAIM, WHICHEVER IS EARLIER.
(m) The Client and MediSprout have freely and openly negotiated the Agreement, or the Client has had the opportunity to do so, including but not limited to the pricing, with the knowledge that MediSprout’s liability is to be limited in accordance with the provisions of the Agreement.
4.2 Force Majeure. Except with respect to the Client’s payment obligations, neither the Client nor MediSprout will be liable for, nor shall either the Client or MediSprout be considered in breach of the Agreement due to, any failure to perform its obligations under the Agreement as a result of a cause beyond its control, including but not limited to any act of God or a public enemy, act of any military, civil or regulatory authority, change in any law or regulation, fire, flood, earthquake, storm or other like event, disruption or outage of communications (including the Internet or other networked environment), power or other utility, labor problem, unavailability of supplies, epidemic, pandemic or any other cause which could not have been prevented by the non-performing party with reasonable care.
Section 5 – PHI; CONFIDENTIAL INFORMATION
5.1 PHI. The Client acknowledges and understands that use of the Services and Platform will require provision of and access to certain protected health information (“PHI”) as defined under the Health Insurance Portability and Accountability Act of 1996, and associated regulations, as amended from time to time (“HIPAA”). To comply with the applicable provisions of HIPAA, the Agreement is deemed to include the Business Associate Agreement set forth in Schedule A (“BAA”).
(b) The Client acknowledges and understands that in connection with each Patient’s use of the Services and Platform, such Patient may make certain authorizations with respect to the transmission, receipt, storage and use of the Patient’s PHI and de-identified aggregated PHI.
5.2 Confidentiality. The Client or MediSprout may from time to time disclose to the other confidential and proprietary information of the Client or MediSprout, respectively (such disclosing party, a “Disclosing Party”, and such recipient, a “Recipient”). Any such information (other than PHI) which is identified as confidential at the time of its disclosure is referred to as “Confidential Information”. Each of the Client and MediSprout, when acting as a Recipient, will hold the Disclosing Party’s Confidential Information in confidence and will not disclose such Confidential Information to others or use such Confidential Information for any purpose (other than in connection with the Agreement) except as approved in writing by the Disclosing Party. A Recipient’s obligations under this Section 5.2 will not extend to Confidential Information which (a) such Recipient is required to disclose by law, (b) at the time of disclosure to such Recipient is, or thereafter becomes, part of the public domain through no fault or action of such Recipient, (c) prior to disclosure to such Recipient by the Disclosing Party was, or after disclosure to such Recipient by the Disclosing Party is, lawfully received by such Recipient on a non-confidential basis, (d) is independently developed by such Recipient or (e) consists solely of the fact that the Agreement has been entered into, the identity of the Client and MediSprout and the types of services included in the Agreement. If a Recipient is required by law to disclose any such Confidential Information, it will, to the extent practicable, give the Disclosing Party a reasonable opportunity prior to such disclosure to obtain a protective order. The Recipient will limit its use of and access to the Disclosing Party’s Confidential Information to only those of its employees or representatives whose responsibilities require such use or access. 
The Recipient will advise all such employees and representatives, before they receive access to or possession of any of the Disclosing Party’s Confidential Information, of the confidential nature of the Confidential Information and require them to abide by the terms of this Section.
Section 6 – OWNERSHIP
(b) MediSprout (and its licensors, where applicable) owns all right, title and interest (including all related patent, copyright, trademark, trade secret, intellectual property and other ownership rights) in and to the Services and Platform. All right, title and interest in and to the Services and Platform (including all related patent, copyright, trademark, trade secret, intellectual property and other ownership rights) are and will remain the sole and exclusive property of MediSprout (and its licensors, where applicable). Any copy, modification, revision, enhancement, adaptation, translation, or derivative work of or created from or relating to the Services or Platform (including but not limited to whether created alone or jointly by or on behalf of the Client or MediSprout) and any Feedback relating thereto will be solely and exclusively owned by MediSprout (or its licensors, where applicable), as shall any and all patent rights, copyrights, trade secret rights, trademark rights, and all other proprietary rights, worldwide therein and thereto. The Client, for itself, Authorized Users and Patients, hereby assigns to MediSprout all right, title and interest, including all intellectual property rights, in any Feedback, derivative works, modifications, enhancements, or improvements related to the Services or Platform that the Client, any of its representatives, any Authorized User or any Patient acting under or in connection with the Subscription provides, proposes, creates, conceives, authors or develops relating to the Agreement, Services or Platform. The Client will execute and deliver (or cause its representatives, Authorized Users and Patients to execute and deliver) any additional documents which MediSprout deems reasonably necessary or appropriate to register, perfect, maintain, protect, or enforce MediSprout’s rights described above and the intent of this Section 6.1.
(c) Subject to compliance with the Agreement by the Client, Authorized Users and Patients, MediSprout grants to the Client, Authorized Users and Patients a limited, revocable, non-exclusive, nontransferable and non-sub-licensable license to use the Services and Platform only to the extent contemplated by the Agreement and solely during the Subscription Term for its own use and solely (1) in the case of the Client and Authorized Users, to communicate with each other, (2) in the case of the Client and Authorized Users, on the one hand, and Patients, on the other, to communicate with each other, and (3) if and when available, in the case of the Client, Authorized Users and Patients, to communicate with third parties. For purposes of the preceding sentence, “communicate” includes, if and when available, transmitting to or receiving data (including without limitation a Patient’s PHI) from a third party, and adding to, accessing and retrieving from, and storing in a Patient’s electronic file such Patient’s data (including without limitation such Patient’s PHI). 
The license granted hereby does not include the right to, and none of the Client, any Authorized User or Patient will in any event, (A) further license, sublicense, sell, resell, transfer, assign, distribute or otherwise commercially exploit or make available in any way or to any person or entity the Services or Platform except as specifically and only to the extent provided in the Agreement or as otherwise specifically approved in writing by MediSprout, (B) modify or make derivative works based upon the Services or Platform, (C) copy, frame, mirror or utilize any framing techniques to alter, remove or enclose any part or content of any of the Services or Platform, (D) reverse engineer, decompile, modify or otherwise attempt to discover the source code of the Services or Platform, (E) use or access the Services or Platform in order to (i) design or build a competitive or similar product or service, (ii) design or build a product or service using similar ideas, features, functions or graphics, or (iii) copy any ideas, features, functions or graphics, (F) launch, store or transmit an automated program or script, including, but not limited to, web spiders, web crawlers, web robots, web ants, web indexers, bots, viruses, worms, time bombs, Trojan Horses, or other harmful or malicious code, files, scripts, agents or programs (including but not limited to any program which may make multiple server requests per second or unduly burdens or hinders the operation or performance of any of the Services or Platform), (G) interfere with or disrupt the integrity or performance of any of the Services or Platform, or (H) attempt to gain unauthorized access to the Services or Platform.
(d) A violation by the Client of this Section 6.1 will be deemed to be a material and incurable breach of the Agreement and, in such event, without limitation of its other rights and remedies, MediSprout will have the right, in addition to retaining all monies paid under the Agreement, immediately upon notice to the Client to refuse to provide or terminate its provision of the Services and access to and use of the Platform by the Client and Authorized Users, and to obtain an injunction or specific performance without the posting of a bond or other security.
Section 7 – INDEMNIFICATION
7.2 Indemnification by the Client. The Client will defend, indemnify and hold harmless MediSprout, its affiliates and each of its or their officers, directors, shareholders, managers, members, employees, independent contractors, agents, representatives, licensors, suppliers, partners and their heirs, representatives, successors and assigns (MediSprout and such persons collectively, “MediSprout Indemnitees”) from and against all Damages which a MediSprout Indemnitee may incur as a result of or arising out of (a) a breach by the Client of any of its representations, warranties or agreement in the Agreement, (b) claims caused by or resulting directly or indirectly from use of the Services or Platform by the Client, an Authorized User or Patient other than in accordance with the Agreement and the documentation included in the Platform, (c) claims caused by or resulting directly or indirectly from use of any Third Party Services by the Client, an Authorized User or Patient, (d) claims caused by or resulting directly or indirectly from an infringement or allegation of infringement of any third party’s rights arising as a result of any action or omission by the Client, an Authorized User or Patient, and (e) any third party claim resulting from (1) the IP Exclusions, (2) the Client’s or an Authorized User’s relationship with a Patient or the practice of medicine or provision of professional services, and (3) communications between or among the Client, an Authorized User or a Patient or the Client, an Authorized User or Patient with a third party, or use by any of them of the Services or Platform, except to the extent the claim is subject to infringement indemnification by MediSprout under Section 7.1.
MediSprout agrees to give the Client (A) prompt written notice of such claim, (B) authority to control and direct the defense or settlement of such claim, and (C) such information and assistance as the Client may reasonably request, at the Client’s expense, in connection with such defense or settlement. Notwithstanding the foregoing, the Client will not settle any third-party claim without the prior written consent of MediSprout. MediSprout may participate in such defense at its own expense by counsel of its choice.
Section 8 – TERMINATION
8.1 Termination. (a) The Client or MediSprout may terminate the Agreement immediately on giving notice to the other if the other
(1) commits a material breach (including but not limited to any nonpayment when due of any Fee) and, in the case of a material breach capable of being cured, failed to cure that breach (A) in the case of a breach which consisted of nonpayment by the Client of any amount due under the Agreement, within five (5) days after the date such payment was due or (B) in the case of any other breach which is capable of being cured, within thirty (30) days after the receipt of a notice in writing to cure such breach; or
(2) (A) files for bankruptcy, (B) becomes or is declared insolvent, or is the subject of any proceedings related to its liquidation, insolvency or the appointment of a receiver or similar officer for it, (C) makes an assignment for the benefit of all or substantially all of its creditors, or (D) enters into an agreement for the cancellation, extension, or readjustment of substantially all of its obligations; provided, however, if the non-terminating party provides adequate assurances regarding its ability to continue performing, the other party may not terminate.
(b) The Client may terminate the Agreement as provided in Sections 2.2(c) and 3.1(c) of these Terms & Conditions.
(c) MediSprout may terminate the Agreement as provided in Sections 6.1(d), 7.1 and 9.3(a) of these Terms & Conditions.
(d) At any time on or after the second anniversary of the start of the Subscription Term, the Client or MediSprout may, for any or no reason, end the Subscription Term and thereby terminate the Agreement. Such termination will be effective (1) at the end of the calendar month in which termination was initiated by the Client by clicking a cancel subscription button within its account or (2) if termination was initiated by MediSprout, on the thirtieth (30th) day after MediSprout notifies the Client of such termination (or such later date as may be specified in such notice).
(e) Upon any termination of the Agreement, whether under this Section 8.1 or otherwise,
(1) the Client will, and will cause Authorized Users (other than Authorized Users who have their own agreements with MediSprout) to, discontinue all access and use of the Services and Platform (including but not limited to the Client terminating any links to the Platform on its websites and discontinuing use of or terminating any URLs associated with the Platform);
(2) MediSprout will terminate access by the Client and Authorized Users to the Platform;
(3) the Client will remain liable for all payments due to MediSprout under the Agreement with respect to the period ending on the date of termination and any other amounts due to MediSprout; and
(4) the Client will be given the opportunity to (A) continue to have MediSprout store the Client’s data and the PHI of the Client’s Patients in a manner in which the Client will have access to and be able to retrieve such data and PHI, (B) transfer its data and the PHI of its Patients to another storage medium, or (C) delete such data and PHI to the extent provided below. If MediSprout continues to store such data and PHI so that the Client can access and retrieve it, (i) such storage, access and retrieval will continue to be subject to this Agreement, (ii) MediSprout may from time to time transfer such data and PHI to one or more servers or other storage media which MediSprout owns, leases or licenses, and (iii) at any time which is more than 30 days after such termination, MediSprout may require that the Client pay to MediSprout a fee to store such data and PHI. If the Client elects to transfer its data and the PHI of its Patients to another storage medium, MediSprout may in its discretion either delete such data and PHI to the extent provided below or store it at MediSprout’s expense. If such data and PHI is to be deleted, MediSprout will use commercially reasonable efforts to delete such data and PHI; however, it may be impossible to remove such data and PHI without some residual information being retained by MediSprout, and MediSprout may be required by law, applicable industry or professional standards or best practices or our agreement with a facility or patient to retain certain information. MediSprout may elect not to delete data if doing so would adversely affect the operation or integrity of MediSprout’s systems. MediSprout may also keep such data for archival, audit, accounting, business operations or other purposes.
In addition, MediSprout has no obligation to delete any data or information a Patient provides on a medical history or similar form or on the account of the Client or facility to which a Patient’s medical history or other information that identifies the Patient as an individual was submitted through the Services or Platform.
Except as provided above, MediSprout generally retains data and other records only as long as necessary and as required for its business operations, for archival purposes, and to satisfy legal requirements. When determining the appropriate retention period for data, MediSprout takes into account various criteria, such as the amount, nature, and sensitivity of the data, potential risk of harm from unauthorized use or disclosure, purposes for which MediSprout processes the data, whether MediSprout can achieve those purposes through other means, and business operations and legal requirements.
Section 9 – MISCELLANEOUS
9.1 Compliance with Laws. The Client and MediSprout each will comply with all applicable laws and regulations in connection with its business, operations and obligations under the Agreement.
9.2 Notice. All notices, requests, demands, consents or other communications required or permitted by the terms of the Agreement will be given in writing and delivered to the address set forth on the Subscription Form of the Client or MediSprout, and will be deemed to have been given (a) on the date of service if served personally, (b) on the fourth day after mailing, if mailed by first class registered or certified mail, postage prepaid and addressed to the Client or MediSprout, (c) on the next day if sent by a nationally recognized courier service for next day service and so addressed and if there is evidence of acceptance of receipt, or (d) on the date of transmission if sent by electronic mail and addressed to the Client or MediSprout at the electronic mail address of the Client or MediSprout set forth on the Subscription Form provided there is evidence of successful delivery of an electronic mail communication to such electronic mail address. The Client or MediSprout may change its address or electronic mail address for purposes of notice by giving notice thereof to the other in the manner provided in this Section 9.2, provided that notice of a change of address or electronic mail address will be effective only upon receipt.
9.3 Assignment; No Third Party Beneficiaries. (a) The Agreement is binding on, and inures to the benefit of, each of the Client and MediSprout and its respective successors and permitted assigns. The Client may not, without MediSprout’s prior consent, which may not be unreasonably withheld, assign, delegate, pledge, or otherwise transfer the Agreement or any of its rights or obligations under the Agreement, whether voluntarily or by operation of law, except that the Client may assign and delegate this Agreement in its entirety without MediSprout’s consent to the purchaser of all or substantially all of the Client’s assets or to the surviving entity of a merger, consolidation or conversion to which the Client is a constituent party. A sale or transfer of any or all of the Client’s equity interests will not be considered as such a prohibited assignment or delegation. However, if the Client assigns and delegates the Agreement in connection with a sale of assets, merger, consolidation or conversion to which it is a constituent party, or one or more sales or transfers of the Client’s equity interests occurs such that a majority of voting equity interests is held or controlled by Persons who did not hold or control such a majority on the date the Subscription Term began, then MediSprout may, upon notice, terminate the Agreement. MediSprout may assign or delegate the Agreement, or any of its rights or obligations under the Agreement, without the consent of the Client.
(b) The obligations of MediSprout in the Agreement run to and are for the benefit of only the Client and do not run to or benefit any Authorized User, Patient, or other third party. Under no circumstances will any Person be considered a third party beneficiary of the Agreement.
9.4 Independent Contractor; No Solicitation. The relationship between the Client and MediSprout under the Agreement is that of independent contractors and not partners, joint venturers or agents. The Client agrees that during the Subscription Term and for one year thereafter it will not directly or indirectly employ, retain, solicit or attempt to solicit, or induce or encourage the departure or resignation of any of the employees or contractors working for MediSprout. The Client understands and agrees that soliciting, inducing, hiring or retaining MediSprout employees or contractors may result in serious damages to MediSprout and its business and acknowledges that MediSprout may hold the Client liable for any damages and may seek any legal or equitable relief, including but not limited to an injunction or specific performance (and without the posting of a bond or other security), available to MediSprout under applicable law.
9.5 Entire Understanding. The Agreement contains the entire agreement of the Client and MediSprout with respect to its subject matter, and supersedes all prior proposals, marketing materials, negotiations and other written or oral communications between them with respect to such subject matter. In the event of any conflict between these Terms & Conditions and the Subscription Form, the Subscription Form will govern.
9.6 Modification and Waiver. No modification of the Agreement, and no waiver of any breach of the Agreement, will be effective unless in writing and signed or confirmed (in hard copy, electronically, by electronic mail, or by clicking an “I Agree” or similar button, or otherwise) by the Client and MediSprout. No waiver of any breach of the Agreement, and no course of dealing between the Client and MediSprout, will be construed as a waiver of any subsequent breach of the Agreement.
9.7 Severability. If any provision of the Agreement is held to be illegal, invalid or unenforceable, in whole or in part, (a) such unenforceable portion of the Agreement will be deemed severed from the Agreement, (b) the validity and enforceability of the remaining provisions of the Agreement will not be affected or impaired, and (c) the Agreement will be deemed to be amended in order to effect, to the maximum extent allowable by law, the original intent of such provision.
9.8 Electronic Copies/Reproduction Deemed an Original; Counterparts. The Client and MediSprout may electronically store and preserve the Agreement. Any reproduction of the Agreement containing a replication of both parties’ assent to the Agreement and derived from either party’s electronic storage system will be deemed to be original, authentic and a “writing”, and may serve in the place of an original signed document for all purposes. Any amendment, waiver, consent or other writing required to be signed or confirmed under the Agreement may be signed or confirmed in counterparts, each of which will be considered to be an original and all of which, taken together, will constitute one and the same instrument. The exchange of copies of such instrument and of signature pages by PDF transmission will constitute effective execution and delivery of such instrument and may be used in lieu of the original instrument for all purposes. A signature delivered by PDF transmission will be considered an original signature for any purpose whatsoever.
9.9 Governing Law and Venue. THE AGREEMENT WILL BE GOVERNED BY AND INTERPRETED IN ACCORDANCE WITH THE LAWS OF THE STATE OF NEW YORK WITHOUT GIVING EFFECT TO PRINCIPLES OF CONFLICTS OF LAWS, WITH SUBSTANTIVE RIGHTS IN PATENTS, COPYRIGHTS, FEDERAL TRADEMARKS AND FEDERAL TRADE SECRETS GOVERNED BY THE LAWS OF THE UNITED STATES. ANY DISPUTE ARISING UNDER OR RELATING IN ANY WAY TO THE AGREEMENT WILL BE RESOLVED EXCLUSIVELY BY FINAL AND BINDING ARBITRATION IN WHITE PLAINS, NEW YORK UNDER THE RULES OF THE AMERICAN ARBITRATION ASSOCIATION, EXCEPT THAT THE CLIENT OR MEDISPROUT MAY BRING A CLAIM RELATED TO INTELLECTUAL PROPERTY RIGHTS OR A BREACH BY CLIENT OF ANY PROVISION OF SECTION 9.4, OR SEEK TEMPORARY AND PRELIMINARY SPECIFIC PERFORMANCE AND INJUNCTIVE RELIEF, IN ANY COURT OF COMPETENT JURISDICTION, WITHOUT THE POSTING OF BOND OR OTHER SECURITY. THE PARTIES AGREE TO THE EXCLUSIVE PERSONAL AND SUBJECT MATTER JURISDICTION AND VENUE OF THE COURTS LOCATED IN WESTCHESTER COUNTY, NEW YORK, FOR ANY CLAIM RELATED TO THE AGREEMENT WHICH IS NOT REQUIRED TO BE RESOLVED BY ARBITRATION. The Client agrees that any claim it may have against MediSprout, including but not limited to MediSprout’s past and present employees and agents, will be brought individually and the Client will not join such claim with claims of any other person or entity or bring, join or participate in a class action against MediSprout. Each of the Client and MediSprout agrees that service of process may be made upon it by using the notice procedure set forth in the Agreement (except electronic mail) and hereby waives trial by jury.
9.10 Further Assurances. The Client and MediSprout each agrees to execute and deliver any and all instruments and documents which the other may reasonably request, or as may be necessary or expedient, to effect the purposes of the Agreement.
9.11. Publicity. In addition to such marketing and publicity provided for in the Subscription Form, the Client authorizes MediSprout to use the Client’s name and logo and a description of the Services on MediSprout’s website, in any list of MediSprout’s clients, in MediSprout’s advertising and marketing materials (including but not limited to press releases) and in a case study.
9.12. Construction. The headings of the Sections in the Agreement are inserted for convenience of reference only and will not constitute a part thereof. Unless otherwise specifically provided, references in these Terms & Conditions to Schedules and Sections are to Schedules attached to these Terms & Conditions and to Sections of these Terms & Conditions. Where the context so requires, the use in the Agreement of any gender will be deemed to refer also to any other gender. The Agreement will be deemed to have been drafted jointly by MediSprout and Client and no presumption, inference or burden of proof will arise favoring or disfavoring either of them by virtue of the authorship of any provision of the Agreement.
9.13. Survival. The provisions of Sections 2.3, 3, 4, 5, 6, 7, 8.1(e), 9.4, 9.9 and 9.13 of these Terms & Conditions will survive any termination of the Agreement.
Schedule A – Business Associate Agreement
BUSINESS ASSOCIATE AGREEMENT
This Business Associate Agreement (the “BAA”) is effective as of the start of the Subscription Term (as defined in the Subscription Form) (the “Effective Date”) by and between the Client which has submitted a Subscription Form (“Subscription Form”) for a subscription for services to be provided to Client (“Covered Entity”) by Medisprout, Inc. (“Business Associate”). Covered Entity and Business Associate may be referred to individually as a “Party” and collectively as “Parties.”
Covered Entity and Business Associate are parties to the Subscription Agreement pursuant to which Business Associate provides certain services to Covered Entity. In connection with Business Associate’s services, Business Associate creates, receives, maintains or transmits PHI from or on behalf of Covered Entity, which information is subject to protection under the Federal Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, the Health Information Technology for Economic and Clinical Health Act, Title XIII of the American Recovery and Reinvestment Act of 2009; and related regulations promulgated by the Secretary (collectively, “HIPAA”).
(a) General. Terms used, but not otherwise defined, in this BAA shall have the same meaning given to those terms by HIPAA, as in effect or as amended from time to time.
(i) Electronic PHI. “Electronic PHI” shall have the same meaning as the term “electronic protected health information” in 45 CFR § 160.103, limited to the information that Business Associate creates, receives, maintains, or transmits from or on behalf of Covered Entity.
(ii) Protected Health Information. “Protected Health Information” or “PHI” shall have the same meaning as the term “protected health information” in 45 CFR § 160.103, limited to the information created, received, maintained or transmitted by Business Associate from or on behalf of Covered Entity.
(iii) Qualified Service Organization Agreement. “Qualified Service Organization Agreement” shall have the same meaning as defined in 42 CFR 2.12(c)(4).
(iv) Services Agreement. “Services Agreement” shall mean any present or future agreements, either written or oral, including the Subscription Agreement, between Covered Entity and Business Associate under which Business Associate provides services to Covered Entity which involve the use or disclosure of PHI. The Services Agreement is amended by and incorporates the terms of this BAA.
2. Obligations and Activities of Business Associate.
(a) Use and Disclosure. Business Associate agrees not to use or disclose PHI other than as permitted or required by the Services Agreement, this BAA or as Required By Law. Business Associate shall comply with the provisions of this BAA relating to privacy and security of PHI and all present and future provisions of HIPAA that relate to the privacy and security of PHI and that are applicable to Business Associate. Without limiting the foregoing, to the extent the Business Associate will carry out one or more of the Covered Entity’s obligations under the Privacy Rule, Business Associate shall comply with the requirements of the Privacy Rule that apply to the Covered Entity in the performance of such obligations.
(b) Qualified Service Organization. Business Associate acknowledges that it may also be a Qualified Service Organization as defined in 42 CFR 2.11 and as such: (i) acknowledges that, to the extent it receives, stores, processes or otherwise deals with any information, whether recorded or not, relating to a patient received or acquired by a federally assisted alcohol or drug program, it is fully bound by the regulations in 42 CFR Part 2; and (ii) if necessary, will resist in judicial proceedings any efforts to obtain access to any information, whether recorded or not, relating to a patient received or acquired by a federally assisted alcohol or drug program, except as permitted by 42 CFR Part 2.
(c) Appropriate Safeguards. Business Associate agrees to use appropriate safeguards and comply, where applicable, with the Security Rule to prevent the use or disclosure of the PHI other than as provided for by this BAA. Without limiting the generality of the foregoing sentence, Business Associate will:
(i) Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of Electronic PHI as required by the Security Rule; and
(ii) Ensure that any Subcontractor to whom Business Associate provides Electronic PHI agrees in writing to implement reasonable and appropriate safeguards and comply, where applicable, with the Security Rule to protect Electronic PHI and comply with the other requirements of Section 2(a) above.
(d) Reporting. Business Associate agrees to promptly report to Covered Entity any of the following:
(i) Any use or disclosure of PHI not permitted by this BAA of which Business Associate becomes aware.
(ii) Any Security Incident of which Business Associate becomes aware.
In addition, Business Associate agrees to notify Covered Entity without unreasonable delay and in no event more than thirty (30) days following the discovery of a Breach of Unsecured PHI. A Breach is considered “discovered” as of the first day on which the Breach is known, or reasonably should have been known, to Business Associate or any employee, officer or agent of Business Associate, other than the individual committing the Breach. Any notice of a Security Incident or Breach of Unsecured PHI shall include the identification of each Individual whose PHI has been, or is reasonably believed by Business Associate to have been, accessed, acquired or disclosed during such Security Incident or Breach as well as any other relevant information regarding the Security Incident or Breach. Any such notice shall be directed to Covered Entity as set forth in the Services Agreement.
(e) Subcontractors. Business Associate shall ensure that any Subcontractor to whom Business Associate provides PHI received from, or created, maintained, received or transmitted by, Business Associate on behalf of Covered Entity agrees in writing to the same restrictions and conditions that apply through this BAA to Business Associate with respect to such information.
(f) Access to Designated Record Sets. To the extent that Business Associate possesses or maintains PHI in a Designated Record Set, Business Associate agrees to provide access, at the request of Covered Entity to PHI in a Designated Record Set, to Covered Entity in order to meet the requirements under HIPAA Regulations. If an Individual makes a request for access to PHI directly to Business Associate, Business Associate shall notify Covered Entity of the request within three (3) business days of such request and will cooperate with Covered Entity and allow Covered Entity to send the response to the Individual.
(g) Amendments to Designated Record Sets. To the extent that Business Associate possesses or maintains PHI in a Designated Record Set, Business Associate agrees to make any amendment(s) to PHI in a Designated Record Set that the Covered Entity directs or agrees to pursuant to HIPAA Regulations at the request of Covered Entity or an Individual. If an Individual makes a request for an amendment to PHI directly to Business Associate, Business Associate shall notify Covered Entity of the request within three (3) business days of such request and will cooperate with Covered Entity and allow Covered Entity to send the response to the Individual.
(h) Access to Books and Records. Business Associate agrees to make its internal practices, books, and records, including policies and procedures and PHI, relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of, Covered Entity available to the Secretary, in a time and manner designated by the Secretary, for purposes of the Secretary determining Covered Entity’s compliance with the Privacy Rule.
(i) Requests for Accountings. Business Associate agrees to provide to Covered Entity, within thirty (30) days of a request by Covered Entity, information to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with HIPAA, HIPAA Regulations and the HITECH Act. If an Individual makes a request for an accounting directly to Business Associate, Business Associate shall notify Covered Entity of the request within three (3) business days of such request and will cooperate with Covered Entity and allow Covered Entity to send the response to the Individual.
3. Permitted Uses and Disclosures by Business Associate.
(a) Services Agreement. Except as otherwise limited in this BAA, Business Associate may use or disclose PHI to perform functions, activities, or services for, or on behalf of, Covered Entity as specified in the Services Agreement, provided that such use or disclosure would not violate HIPAA if done by Covered Entity or the minimum necessary policies and procedures of the Covered Entity.
(b) Use for Administration of Business Associate. Except as otherwise limited in this BAA, Business Associate may use PHI for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate.
(c) Disclosure for Administration of Business Associate. Except as otherwise limited in this BAA, Business Associate may disclose PHI for the proper management and administration of the Business Associate, provided that (i) disclosures are Required by Law, or (ii) Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as Required by Law or for the purpose for which it was disclosed to the person, and the person notifies the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.
(d) Data Aggregation. Except as otherwise limited in this BAA, Business Associate may use PHI to provide data aggregation services to Covered Entity as permitted by 45 C.F.R. § 164.504(e)(2)(i)(B). Data aggregation services involve the combining by the Business Associate of (a) PHI created or received by a Business Associate in its capacity as the Business Associate of a Covered Entity with (b) PHI received by the Business Associate in its capacity as a Business Associate of another Covered Entity, to permit data analyses that relate to the health care operations of the respective Covered Entities.
(e) De-identification. Business Associate may de-identify PHI pursuant to 45 C.F.R. §164.514(b). Following such de-identification, the resulting information no longer qualifies as PHI and is no longer subject to this BAA.
4. Permissible Requests by Covered Entity. Except as set forth in Section 3 of this BAA, Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under the Privacy Rule if done by Covered Entity.
5. Term and Termination.
(a) Term. This BAA shall be effective as of the date of this BAA and shall terminate when all of the PHI provided by Covered Entity to Business Associate, or created, received or maintained by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity, or, if it is infeasible to return or destroy PHI, protections are extended to such information, in accordance with the termination provisions in this Section.
(b) Termination for Cause. Upon either Party’s knowledge of a material breach by the other Party of the terms of this BAA, the non-breaching Party shall either:
(i) Provide an opportunity for the other Party to cure the breach or end the violation. If such Party does not cure the breach or end the violation within thirty (30) days, the non-breaching Party shall terminate: (A) this BAA; (B) all of the provisions of the Services Agreement that involve the use or disclosure of PHI; and (C) such other provisions, if any, of the Services Agreement as the non-breaching Party designates in its sole discretion; or
(ii) Notwithstanding anything contained in the Services Agreement to the contrary, if the other Party has breached a material term of this BAA and cure is not possible, immediately terminate: (A) this BAA; (B) all of the provisions of the Services Agreement that involve the use or disclosure of PHI; and (C) such other provisions, if any, of the Services Agreement as the non-breaching Party designates in its sole discretion.
(c) Effect of Termination.
(i) Except as provided in Section 5(c)(ii), upon termination of this BAA, for any reason, Business Associate shall return or destroy all PHI received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity. This provision shall apply to PHI that is in the possession of Subcontractors or agents of Business Associate. Business Associate shall retain no copies of the PHI.
(ii) In the event that Business Associate determines that returning or destroying the PHI is infeasible, Business Associate shall provide to Covered Entity notification of the conditions that make return or destruction infeasible. Business Associate shall extend the protections of this BAA to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such PHI.