1. LICENCE AND SUPPORT
1.1 Subject to the terms and conditions of this Agreement, (i) Listrunner will provide End User with access to the cloud-based information management services provided by Listrunner as described at www.listrunnerapp.com (“Services”) through the Internet, and (ii) Listrunner hereby grants to End User a limited, non-exclusive, non-transferable, non-sublicensable license to internally use (a) the Listrunner mobile application and related software with the specifications generally promulgated by Listrunner from time to time (the “Software”), and (b) the documentation, training materials or other materials supplied by Listrunner (the “Other Listrunner Materials”). (The Software and Other Listrunner Materials are collectively referred to herein as the “Licensed Materials.”)
1.2 Subject to the terms hereof, Listrunner will provide reasonable support to End User for the Licensed Materials. If requested by Listrunner, End User will designate an employee who will be responsible for all matters relating to this Agreement (“Primary Contact”). End User may change the individual designated as Primary Contact at any time by providing written notice to Listrunner.
2. RESTRICTIONS AND RESPONSIBILITIES
2.1 End User will not, and will not permit any third party to: use the Licensed Materials for any purpose other than as specifically authorized in Section 1, or in such a manner that would enable any unlicensed person to access the Licensed Materials; reverse engineer, decompile, disassemble or otherwise attempt to discover the source code, object code or underlying structure, ideas or algorithms of the Services or Licensed Materials, documentation or data related to the Services or Licensed Materials (provided that reverse engineering is prohibited only to the extent such prohibition is not contrary to applicable law); modify, translate, or create derivative works based on the Services or Licensed Materials; except as expressly permitted herein, use the Services or Licensed Materials or software for timesharing or service bureau purposes or for any purpose other than its own internal use; use the Services, Licensed Materials or software other than in accordance with this Agreement and in compliance with all applicable laws and regulations (including but not limited to any privacy laws, and laws and regulations concerning intellectual property, consumer and child protection, obscenity or defamation); or use the Licensed Materials in any manner that (1) is harmful, fraudulent, deceptive, threatening, abusive, harassing, tortious, defamatory, vulgar, obscene, libelous, or otherwise objectionable (including without limitation, accessing any computer, computer system, network, software, or data without authorization, breaching the security of another user or system, and/or attempting to circumvent any user authentication or security process), (2) impersonates any person or entity, including without limitation any employee or representative of Listrunner, or (3) contains a virus, trojan horse, worm, time bomb, unsolicited bulk, commercial, or “spam” message, or other harmful computer code, file, or program (including without limitation, password guessing programs, decoders, password gatherers, keystroke loggers, cracking tools, packet sniffers, and/or encryption circumvention programs).
2.2 End User will cooperate with Listrunner in connection with the performance of this Agreement by making available such personnel and information as may be reasonably required, and taking such other actions as Listrunner may reasonably request. End User will also cooperate with Listrunner in establishing a password or other procedures for verifying that only designated employees of End User have access to any administrative functions of the Licensed Materials.
2.3 End User hereby agrees to indemnify and hold harmless Listrunner against any damages, losses, liabilities, settlements and expenses (including without limitation costs and attorneys’ fees) in connection with any claim or action that arises from an alleged violation of the foregoing or otherwise from End User’s use of Services or Licensed Materials (including, without limitation, in connection with any Content (as defined below)). Listrunner has no obligation to monitor End User’s use of the Licensed Materials.
2.4 End User will be responsible for maintaining the security of End User’s device, hardware, account, passwords (including but not limited to administrative and user passwords) and files, and for all uses of End User account with or without End User’s knowledge or consent. End User will comply with Listrunner’s device security instructions, posted on Listrunner’s website.
2.5 End User agrees that the Licensed Material shall not be considered a part of any EHR.
2.6 End User further acknowledges, agrees to and is bound by the Business Associate Agreement attached hereto as Exhibit A.
3.1 Each party (the “Receiving Party”) understands that the other party (the “Disclosing Party”) has disclosed or may disclose information relating to the Disclosing Party’s technology or business (hereinafter referred to as “Proprietary Information” of the Disclosing Party). Without limiting the foregoing, the Licensed Materials are Listrunner Proprietary Information.
3.2 The Receiving Party agrees: (i) not to divulge to any third person any such Proprietary Information, (i) to give access to such Proprietary Information solely to those employees and contractors with a need to have access thereto for purposes of this Agreement and who are bound by confidentiality and non-use obligations at least as protective as those herein, and (iii) to take the same security precautions to protect against disclosure or unauthorized use of such Proprietary Information that the party takes with its own proprietary information, but in no event will a party apply less than reasonable precautions to protect such Proprietary Information. The Disclosing Party agrees that the foregoing will not apply with respect to any information that the Receiving Party can document (a) is or becomes generally available to the public without any action by, or involvement of, the Receiving Party, or (b) was in its possession or known by it prior to receipt from the Disclosing Party, or (c) was rightfully disclosed to it without restriction by a third party, or (d) was independently developed without use of any Proprietary Information of the Disclosing Party. Nothing in this Agreement will prevent the Receiving Party from disclosing Proprietary Information pursuant to any judicial or governmental order, provided that the Receiving Party gives the Disclosing Party reasonable prior notice of such disclosure to contest such order. In any event, Listrunner may collect data with respect to and report on the aggregate response rate and other aggregate measures of the Licensed Materials’ performance and End User’s usage of the Services and/or Licensed Materials; provided that Listrunner will not identify End User as the source of any such data without End User’s prior written consent.
3.3 Each party acknowledges and agrees that the other may suffer irreparable damage in the event of a breach of the terms of Sections 1.1, 2.1 or 3.2 of this Agreement and that such party will be entitled to seek injunctive relief (without the necessity of posting a bond) in the event of any such breach.
3.4 Both parties will have the right to disclose the existence but not the terms and conditions of this Agreement, unless such disclosure is approved in writing by both Parties prior to such disclosure, or is included in a filing required to be made by a party with a governmental authority (provided such party will use reasonable efforts to obtain confidential treatment or a protective order) or is made on a confidential basis as reasonably necessary to potential investors or acquirers.
INTELLECTUAL PROPERTY RIGHTS
4.1 Except as expressly set forth herein, Listrunner alone (and its licensors, where applicable) will retain all intellectual property rights relating to the Services and/or Licensed Materials and any suggestions, ideas, enhancement requests, feedback, recommendations or other information provided by End User or any third party relating to the Licensed Materials, which are hereby assigned to Listrunner. End User will not copy, distribute, reproduce or use any of the foregoing except as expressly permitted under this Agreement. This Agreement is not a sale and does not convey to End User any rights of ownership in or related to the Licensed Materials, or any intellectual property rights.
4.2 End User shall not remove, alter or obscure any of Listrunner’s (or its licensors’) copyright notices, proprietary legends, trademark or service mark attributions, patent markings or other indicia of Listrunner’s (or its licensors’) ownership from the Licensed Materials. Additionally, End User agrees to reproduce and include Listrunner’s (and its licensors’) proprietary and copyright notices on any copies of the Licensed Materials, or on any portion thereof, including reproduction of the copyright notice.
4.3 Listrunner may obtain and process Content (as defined below) only to perform its obligations and provide the Services under this Agreement, and End User hereby grants Listrunner all rights and licenses necessary for it (and its contractors on its behalf) to do so. End User and its licensors shall (and End User hereby represents and warrants that they do) have and retain all right, title and interest (including, without limitation, sole ownership of) all content and data provided by or on behalf of End User or made available or otherwise distributed through use of the Services and/or Licensed Materials (“Content”) and the intellectual property rights with respect to that Content. If Listrunner receives any notice or claim that any Content, or activities hereunder with respect to any Content, may infringe, misappropriate or violate rights of a third party or any applicable law or regulation (a “Claim”), Listrunner may (but is not required to) terminate this Agreement and End User will indemnify Listrunner from all liability, damages, settlements, attorney fees and other costs and expenses in connection with any such Claim, as incurred.
4.4 Listrunner shall indemnify and hold End User harmless from liability to unaffiliated third parties resulting from infringement by the Services or Licensed Materials of any United States patent or any copyright or misappropriation of any trade secret, provided Listrunner is promptly notified of any and all threats, claims and proceedings related thereto and given reasonable assistance and the opportunity to assume sole control over defense and settlement; Listrunner will not be responsible for any settlement it does not approve. The foregoing obligations do not apply with respect to portions or components of the Licensed Materials (i) not created by Listrunner, (ii) resulting in whole or in part in accordance from Listrunner specifications, (iii) that are modified after delivery by Listrunner, (iv) combined with other products, processes or materials where the alleged infringement relates to such combination, (v) where End User continues allegedly infringing activity after being notified thereof or after being informed of modifications that would have avoided the alleged infringement, or (vi) where End User’s use of the Licensed Materials is not strictly in accordance with this Agreement and all related documentation.
PAYMENT OF FEES
5.1 Unless stated otherwise to the contrary, for the purposes of this Agreement, there are no fees associated with the license grant to use the Licensed Materials.
6.1 This Agreement shall continue until the one (1) year anniversary of the Effective Date (the “Initial Term”), and will automatically renew for subsequent one (1) year terms (each, a “Renewal Term” and together with the Initial Term, the “Term”) unless a party hereto provides the other party with written notice of its intent not to renew the Agreement at least thirty (30) days prior to the end of the then-current Term. This Agreement may be terminated in accordance with this Section 6.
6.2 Either party may terminate this Agreement at any time upon written notice to the other.
6.3 End User’s access to the Licensed Materials, and any licenses granted hereunder, shall terminate upon any termination of this Agreement. The following Sections will survive any termination of this Agreement: 2 through 6, and 8 through 11.
7. END USER SOFTWARE SECURITY
Listrunner represents and warrants that it will not knowingly include, in any Listrunner software released to the public and provided to End User hereunder, any computer code or other computer instructions, devices or techniques, including without limitation those known as disabling devices, trojans, or time bombs, that are intentionally designed to disrupt, disable, harm, infect, defraud, damage, or otherwise impede in any manner, the operation of a network, computer program or computer system or any component thereof, including its security or user data. If, at any time, Listrunner fails to comply with the warranty in this Section, End User may promptly notify Listrunner in writing of any such noncompliance. Listrunner will, within thirty (30) days of receipt of such written notification, either correct the noncompliance or provide End User with a plan for correcting the noncompliance. If the noncompliance is not corrected or if a reasonably acceptable plan for correcting them is not established during such period, End User may terminate this Agreement as its sole and exclusive remedy for such noncompliance.
8. WARRANTY DISCLAIMER
THE LICENSED MATERIALS, SOFTWARE AND LISTRUNNER PROPRIETARY INFORMATION AND ANYTHING PROVIDED IN CONNECTION WITH THIS AGREEMENT ARE PROVIDED "AS-IS," WITHOUT ANY WARRANTIES OF ANY KIND. LISTRUNNER AND ITS LICENSORS HEREBY DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING, WITHOUT LIMITATION, ALL IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, AND NON-INFRINGEMENT. LISTRUNNER SPECIFICALLY DISCLAIMS ANY WARRANTY FOR USE OF THE LICENSED MATERIALS, SOFTWARE AND LISTRUNNER PROPRIETARY INFORMATION OUTSIDE THE UNITED STATES.
9. LIMITATION OF LIABILITY
IN NO EVENT WILL LISTRUNNER, ITS AFFILIATES, OR ITS LICENSORS BE LIABLE FOR ANY INDIRECT, PUNITIVE, INCIDENTAL, SPECIAL, OR CONSEQUENTIAL DAMAGES ARISING OUT OF OR IN ANY WAY CONNECTED WITH THE USE OF THE LICENSED MATERIALS OR ANYTHING PROVIDED IN CONNECTION WITH THIS AGREEMENT, ANY DELAY OR INABILITY TO USE THE LICENSED MATERIALS OR ANYTHING PROVIDED IN CONNECTION WITH THIS AGREEMENT OR OTHERWISE ARISING FROM THIS AGREEMENT, INCLUDING WITHOUT LIMITATION, LOSS OF REVENUE OR ANTICIPATED PROFITS OR LOST BUSINESS OR LOST SALES, WHETHER BASED IN CONTRACT, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY, OR OTHERWISE, EVEN IF LISTRUNNER HAS BEEN ADVISED OF THE POSSIBILITY OF DAMAGES.
THE TOTAL LIABILITY OF LISTRUNNER AND ITS LICENSORS, WHETHER BASED IN CONTRACT, TORT (INCLUDING NEGLIGENCE OR STRICT LIABILITY), OR OTHERWISE, WILL NOT EXCEED, IN THE AGGREGATE, THE GREATER OF (i) ONE THOUSAND UNITED STATES DOLLARS ($1,000), OR (ii) THE FEES PAID TO LISTRUNNER HEREUNDER IN THE THREE MONTH PERIOD ENDING ON THE DATE THAT A CLAIM OR DEMAND IS FIRST ASSERTED. THE FOREGOING LIMITATIONS WILL APPLY NOTWITHSTANDING ANY FAILURE OF ESSENTIAL PURPOSE OF ANY LIMITED REMEDY.
10. U.S. GOVERNMENT MATTERS
Notwithstanding anything else, End User may not provide to any person or export or re-export or allow the export or re-export of the Licensed Materials or any software or anything related thereto or any direct product thereof (collectively “Controlled Subject Matter”), in violation of any restrictions, laws or regulations of the United States Department of Commerce, the United States Department of Treasury Office of Foreign Assets Control, or any other United States or foreign agency or authority. Without limiting the foregoing End User acknowledges and agrees that the Controlled Subject Matter will not be used or transferred or otherwise exported or re-exported to countries as to which the United States maintains an embargo (collectively, “Embargoed Countries”), or to or by a national or resident thereof, or any person or entity on the U.S. Department of Treasury’s List of Specially Designated Nationals or the U.S. Department of Commerce’s Table of Denial Orders (collectively, “Designated Nationals”). The lists of Embargoed Countries and Designated Nationals are subject to change without notice. Use of the Licensed Materials is representation and warranty that the user is not located in, under the control of, or a national or resident of an Embargoed Country or Designated National. The Controlled Subject Matter may use or include encryption technology that is subject to licensing requirements under the U.S. Export Administration Regulations. As defined in FAR section 2.101, any software and documentation provided by Listrunner are “commercial items” and according to DFAR section 252.2277014(a)(1) and (5) are deemed to be “commercial computer software” and “commercial computer software documentation.” Consistent with DFAR section 227.7202 and FAR section 12.212, any use modification, reproduction, release, performance, display, or disclosure of such commercial software or commercial software documentation by the U.S. Government will be governed solely by the terms of this Agreement and will be prohibited except to the extent expressly permitted by the terms of this Agreement.
If any provision of this Agreement is found to be unenforceable or invalid, that provision will be limited or eliminated to the minimum extent necessary so that this Agreement will otherwise remain in full force and effect and enforceable. This Agreement is not assignable, transferable or sublicensable by either party except with the other party’s prior written consent, provided that Listrunner may transfer and assign this Agreement without consent to a successor in the event of the sale of all or substantially all of its business or assets to which this Agreement relates. Both parties agree that this Agreement is the complete and exclusive statement of the mutual understanding of the parties and supersedes and cancels all previous written and oral agreements, communications and other understandings relating to the subject matter of this Agreement, and that all waivers and modifications must be in a writing signed or otherwise agreed to by Listrunner, except as otherwise provided herein. No agency, partnership, joint venture, or employment is created as a result of this Agreement and End User does not have any authority of any kind to bind Listrunner in any respect whatsoever. In any action or proceeding to enforce rights under this Agreement, the prevailing party will be entitled to recover costs and attorneys’ fees. All notices under this Agreement will be in writing and will be deemed to have been duly given when received, if personally delivered; when receipt is electronically confirmed, if transmitted by facsimile or e-mail; and upon receipt, if sent by certified or registered mail (return receipt requested), postage prepaid. Listrunner will not be liable for any loss resulting from a cause over which it does not have direct control. This Agreement will be governed by the laws of the State of California, U.S.A. without regard to its conflict of laws provisions. The federal and state courts sitting in San Mateo County, California, U.S.A. will have proper and exclusive jurisdiction and venue with respect to any disputes arising from or related to the subject matter of this Agreement. End User agrees to participate in press announcements, case studies, trade shows, or other forms reasonably requested by Listrunner. Unless and until End User notifies Listrunner in writing to the contrary, Listrunner is permitted to disclose that End User is one of its customers to any third-party at its sole discretion, and to place ’s name and logo on its website and marketing materials for this purpose.
EXHIBIT A - HIPAA BUSINESS ASSOCIATE AGREEMENT
This Business Associate Agreement (“BA Agreement”), is between the business entity who agrees to these Terms and Conditions through the Listrunner mobile application (“Covered Entity”) and Commure, Inc. (“Business Associate”), and is effective as of the date of acceptance of the Terms and Conditions by the Covered Entity (“Effective Date”).
Business Associate provides certain services to Covered Entity pursuant to the terms of the Terms and Conditions above (the “Services Agreement”). This BA Agreement is intended to ensure that Business Associate will establish and implement appropriate safeguards for the Protected Health Information (as defined below) that Business Associate may receive, create, maintain, use, or disclose in connection with the functions, activities, and services that Business Associate performs for Covered Entity as described in the Services Agreement.
This BA Agreement shall apply to the extent Business Associate does create or receive Protected Health Information from or on behalf of Covered Entity, which information is subject to protection under the Federal Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104191 (“HIPAA”), the Health Information Technology for Economic and Clinical Health Act, Title XIII of the American Recovery and Reinvestment Act of 2009 (the “HITECH Act”), and related regulations promulgated by the Secretary (“HIPAA Regulations”).
In light of the foregoing and the requirements of HIPAA, the HITECH Act, and HIPAA Regulations, Business Associate and Covered Entity agree to be bound by the following terms and conditions.
For good and valuable consideration, the receipt and sufficiency of which is hereby acknowledged, the parties agree as follows:
- General. Terms used, but not otherwise defined, in this BA Agreement shall have the same meaning given to those terms by HIPAA, the HITECH Act and HIPAA Regulations as in effect or as amended from time to time.
- Breach. “Breach” shall have the same meaning as the term “breach” in the HITECH Act, Section 13400(1).
- Electronic Health Record. “Electronic Health Record” shall have the same meaning as the term “electronic health record” in the HITECH Act, Section 13400(5).
- Electronic Protected Health Information. “Electronic Protected Health Information” shall have the same meaning as the term “electronic protected health information” in 45 CFR § 160.103, limited to the information that Business Associate creates, receives, maintains, or transmits from or on behalf of Covered Entity.
- Individual. “Individual” shall have the same meaning as the term “individual” in 45 CFR § 160.103 and shall include a person who qualifies as a personal representative in accordance with 45 CFR § 164.502(g).
- Privacy Rule. “Privacy Rule” shall mean the Standards for Privacy of Individually Identifiable Health Information at 45 CFR Part 160 and Part 164.
- Protected Health Information. “Protected Health Information” shall have the same meaning as the term “protected health information” in 45 CFR § 160.103, limited to the information created or received by Business Associate from or on behalf of Covered Entity.
- Required By Law. “Required by Law” shall have the same meaning as the term “required by law” in 45 CFR § 160.103.
- Secretary. “Secretary” shall mean the Secretary of the Department of Health and Human Services or his designee.
- Security Rule. “Security Rule” shall mean the Security Standards at 45 CFR Part 160 and Part 164.
- Services Agreement. “Services Agreement” shall mean any present or future agreements, either written or oral, between Covered Entity and Business Associate under which Business Associate provides services to Covered Entity which involve the use or disclosure of Protected Health Information, including the Terms and Conditions above.
- Unsecured Protected Health Information. “Unsecured Protected Health Information” shall have the same meaning as the term “unsecured protected health information” in the HITECH Act, Section 13402(h)(1).
2. Obligations and Activities of Business Associate.
a. Use and Disclosure. If Personal Health Information is created by or disclosed to Business Associate, Business Associate agrees not to use or disclose Protected Health Information other than as permitted or required by the Services Agreement, this BA Agreement or as Required By Law. Business Associate shall comply with the provisions of this BA Agreement relating to privacy and security of Protected Health Information and all present and future provisions of HIPAA, the HITECH Act and HIPAA Regulations that relate to the privacy and security of Protected Health Information and that are applicable to Covered Entity and/or Business Associate. Business Associate shall not (i) use or disclose Protected Health Information for fundraising or marketing purposes, except as provided under the Agreement and consistent with the HITECH Act, or (ii) directly or indirectly receive remuneration in exchange for Protected Health Information, except with the prior written consent of Covered Entity and as permitted by the HITECH Act, provided, however, this prohibition shall not affect payment by Covered Entity to Business Associate for services provided pursuant to the Agreement.
Appropriate Safeguards. Business Associate agrees to use appropriate safeguards to prevent the use or disclosure of the Protected Health Information other than as provided for by this BA Agreement. Without limiting the generality of the foregoing sentence, Business Associate will:
- Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of Electronic Protected Health Information as required by the Security Rule; Business Associate will comply with the applicable requirements, policies, procedures and documentation requirements of the Security Rule;
- Ensure that any agent, including a subcontractor, to whom Business Associate provides Electronic Protected Health Information agrees in writing to implement reasonable and appropriate safeguards to protect Electronic Protected Health Information; and
- Promptly report to Covered Entity in writing of any access, use or disclosure of Protected Health Information not permitted by the Agreement or applicable law and any Security Incident of which Business Associate becomes aware. In addition, Business Associate shall, following the discovery of any Breach of Unsecured Protected Health Information, notify Covered Entity in writing of such breach without unreasonable delay and in no case later than thirty (30) days after discovery. The notice shall include the following information if known (or can be reasonably obtained) by Business Associate: (1) contact information for the individuals who were or who may have been impacted by the Breach (e.g., first and last name, mailing address, street address, phone number, email address), (2) a brief description of the circumstances of the Breach, including the date of the Breach and date of discovery, (3) a description of the types of Unsecured Protected Health Information involved in the Breach (e.g., names, social security numbers, date of birth, addresses, account numbers of any type, and similar information), and (4) a brief description of what the Business Associate has done or is doing to investigate the Breach and mitigate harm to the individuals impacted by the Breach. A Breach is considered “discovered” as of the first day on which the Breach is known to Business Associate or any employee, officer or agent of Business Associate, other than the individual committing the Breach.
- Reporting. Business Associate agrees to promptly report to Covered Entity in writing any access, use or disclosure of Protected Health Information not permitted by this BA Agreement, and any Security Incident, as defined in the Security Rule, of which Business Associate becomes aware.
- Mitigation. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of Protected Health Information by Business Associate or its employees, officers or agents in violation of the requirements of this BA Agreement (including, without limitation, any Security Incident or Breach of Unsecured Protected Health Information). Business Associate agrees to reasonably cooperate and coordinate with Covered Entity in the investigation of any violation of the requirements of this BA Agreement and/or any Security Incident or Breach. Business Associate shall also reasonably cooperate and coordinate with Covered Entity in the preparation of any reports or notices to the Individual, a regulatory body or any third party required to be made under HIPAA, HIPAA Regulations, the HITECH Act, or any other Federal or State laws, rules or regulations, provided that any such reports or notices shall be subject to the prior written approval of Covered Entity.
- Minimum Necessary. Business Associate (and its agents or subcontractors) shall request, use and disclose only the minimum amount of Protected Health Information necessary to accomplish the purpose of the request, use or disclosure.
- Agents and Subcontractors. Business Associate shall ensure that any agent, including a subcontractor, to whom it provides Protected Health Information received from, or created or received by, Business Associate on behalf of Covered Entity agrees in writing to the same restrictions and conditions that apply through this BA Agreement to Business Associate with respect to such information.
- Access to Designated Record Sets. To the extent that Business Associate possesses or maintains Protected Health Information in a Designated Record Set, Business Associate agrees to provide access, at the request of Covered Entity, to Protected Health Information in a Designated Record Set created or received by Business Associate solely on behalf of Covered Entity only, to Covered Entity or, as directed by Covered Entity, to an Individual as is necessary for the Covered Entity to meet the requirements under HIPAA Regulations. If an Individual makes a request for access to Protected Health Information directly to Business Associate, Business Associate shall notify Covered Entity of the request within five (5) business days of such request and will cooperate with Covered Entity and allow Covered Entity to send the response to the Individual.
- Amendments to Designated Record Sets. To the extent that Business Associate possesses or maintains Protected Health Information in a Designated Record Set, Business Associate agrees to make any amendment(s) to Protected Health Information in a Designated Record Set that the Covered Entity directs or agrees to pursuant to HIPAA Regulations at the request of Covered Entity or an Individual, as is necessary for the Covered Entity to comply with its obligations under HIPAA Regulations within ten (10) business days of such request. If an Individual makes a request for an amendment to Protected Health Information directly to Business Associate, Business Associate shall notify Covered Entity of the request within five (5) business days of such request and will cooperate with Covered Entity and allow Covered Entity to send the response to the Individual.
- Access to Books and Records. Business Associate agrees to make its relevant internal practices, books, records (including applicable Protected Health Information), policies and procedures relating to the use and disclosure of Protected Health Information received from, or created or received by Business Associate on behalf of, Covered Entity (collectively “BA Records”) available to the Secretary, in a time and manner designated by the Secretary, for purposes of the Secretary determining Covered Entity’s compliance with the Privacy Rule.
- Accountings. Business Associate agrees to document such disclosures of Protected Health Information and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with HIPAA, HIPAA Regulations and the HITECH Act.
- Requests for Accountings. Business Associate agrees to provide to Covered Entity or an Individual, in the time and manner designated by the Covered Entity, information collected in accordance with Section 2(j) of this BA Agreement, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with HIPAA, HIPAA Regulations and the HITECH Act. If an Individual makes a request for an accounting directly to Business Associate, Business Associate shall notify Covered Entity of the request within five (5) business days of such request and will cooperate with Covered Entity and allow Covered Entity to send the response to the Individual.
3. Permitted Uses and Disclosures by Business Associate.
a. Services Agreement. Except as otherwise limited in this BA Agreement, Business Associate may use or disclose Protected Health Information to perform functions, activities, or services for, or on behalf of, Covered Entity in order to perform the services and/or products as specified in the Services Agreement, provided that such use or disclosure would not violate HIPAA, HIPAA Regulations or the HITECH Act if done by Covered Entity or the minimum necessary policies and procedures of the Covered Entity.
b. Use for Administration of Business Associate. Except as otherwise limited in this BA Agreement, Business Associate may use Protected Health Information for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate.
c. Disclosure for Administration of Business Associate. Except as otherwise limited in this BA Agreement, Business Associate may disclose Protected Health Information for the proper management and administration of the Business Associate, provided that (i) disclosures are Required by Law, or (ii) Business Associate obtains reasonable written assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as Required by Law or for the purpose for which it was disclosed to the person, and a written agreement from the person to immediately notify the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.
4. Permissible Requests by and Obligations of Covered Entity.
Covered entity shall:
a. Notify Business Associate of any restriction to the use or disclosure of PHI that Covered Entity has agreed to or is required to abide by under 45 C.F.R. § 164.522, to the extent that such restriction may affect Business Associate's use or disclosure of PHI under this BAA.
b. Notify Business Associate of any changes in or revocation of permission by an individual to use or disclose PHI, if such change or revocation may affect Business Associate's permitted or required uses and disclosures of PHI under this BAA.
c. Not request Business Associate to use or disclose PHI in any manner that would not be permissible under the Privacy and Security Rule if done by Covered Entity, except as provided under Section 3 of this BAA.
5. Term and Termination.
a. Term. This BA Agreement shall be effective as of the Effective Date of this BA Agreement and shall terminate when all of the Protected Health Information provided by Covered Entity to Business Associate, or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity, or, if it is infeasible to return or destroy Protected Health Information, protections are extended to such information, in accordance with the termination provisions in this Section.
b. Material Breach by Business Associate. Upon Covered Entity’s knowledge of a material breach by Business Associate of the terms of this BA Agreement, Covered Entity shall either:
- Provide an opportunity for Business Associate to cure the breach or end the violation within a reasonable time frame not to exceed 30 days. If Business Associate does not cure the breach or end the violation within the time specified by Covered Entity, Covered Entity shall terminate by written notice to the Business Associate: (A) this BA Agreement; (B) all of the provisions of the Services Agreement that involve the use or disclosure of Protected Health Information; and (C) such other provisions, if any, of the Services Agreement as Covered Entity designates in its sole discretion;
- If Business Associate has breached a material term of this BA Agreement and cure is not possible, immediately terminate: (A) this BA Agreement; (B) all of the provisions of the Services Agreement that involve the use or disclosure of Protected Health Information; and (C) such other provisions, if any, of the Services Agreement as Covered Entity designates in its sole discretion; or
- If neither termination nor cure are feasible, Covered Entity shall report the violation to the Secretary.
c. Material Breach by Covered Entity. If Business Associate knows of a pattern of activity or practice of Covered Entity that constitutes a material breach or violation of the Covered Entity’s obligations under the Agreement or other arrangement, the Business Associate may provide an opportunity for the Covered Entity to cure the breach or end the violation within a reasonable time frame not to exceed 30 days; or terminate this BA. If the Covered Entity does not cure such breach or end such violation within the time prescribed by the Business Associate, or Business Associate otherwise opts to terminate this BA in light of such breach or violation, then the Business Associate shall terminate by written notice to the Covered Entity: (A) this BA Agreement; (B) all of the provisions of the Services Agreement that involve the use or disclosure of Protected Health Information; and (C) such other provisions, if any, of the Services Agreement as the Business Associate designates in its sole discretion.
d. Effect of Termination.
- Except as provided in Section 5(d)(ii), upon termination of this BA Agreement, for any reason, Business Associate shall return or destroy all Protected Health Information received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity. This provision shall apply to Protected Health Information that is in the possession of subcontractors or agents of Business Associate. Business Associate shall retain no copies of the Protected Health Information.
- In the event that Business Associate determines that maintaining the Protected Health Information is necessary for Business Associate to continue its proper management and administration or to carry out its legal responsibilities, Business Associate shall extend the protections of this BA Agreement to such Protected Health Information and limit further uses and disclosures of such Protected Health Information to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such Protected Health Information. Business Associate shall only retain only that Protected Health Information which is necessary for business associate to continue its proper management and administration or to carry out its legal responsibilities.
6. Compliance with HIPAA Transaction Standards.
When providing its services and/or products, Business Associate shall comply with all applicable HIPAA standards and requirements (including, without limitation, those specified in 45 CFR Part 162) with respect to the transmission of health information in electronic form in connection with any transaction for which the Secretary has adopted a standard under HIPAA (“Covered Transactions”). Business Associate will make its services and/or products compliant with HIPAA’s standards and requirements no less than thirty (30) days prior to the applicable compliance dates under HIPAA. Business Associate represents and warrants that it is aware of all current HIPAA standards and requirements regarding Covered Transactions, and Business Associate shall comply with any modifications to HIPAA standards and requirements which become effective from time to time. Business Associate shall require all of its agents and subcontractors (if any) who assist Business Associate in providing its services and/or products to comply with the terms of this Section 6.
a. Regulatory References. A reference in this BA Agreement to a section in HIPAA, HIPAA Regulations, or the HITECH Act means the section as in effect or as amended or modified from time to time, including any corresponding provisions of subsequent superseding laws or regulations.
b. Amendment. The Parties agree to take such action as is necessary to amend the Services Agreement from time to time as is necessary for Covered Entity to comply with the requirements of HIPAA, the HIPAA Regulations and the HITECH Act.
c. Survival. The respective rights and obligations of Business Associate under Section 5(d) of this BA Agreement shall survive the termination of the Services Agreement or this BA Agreement.
d. No Third Party Beneficiaries. Nothing express or implied in the Agreement is intended to confer, nor shall anything herein confer, upon any person other than Covered Entity, Business Associate and their respective successors or assigns, any rights, remedies, obligations or liabilities whatsoever.
e. Interpretation. Any ambiguity in this Agreement shall be resolved to permit Covered Entity to implement and comply with HIPAA, HIPAA Regulations and the HITECH Act.
f. Miscellaneous. The terms of this BA Agreement are hereby incorporated into the Services Agreement. In the event of a conflict between the terms of this BA Agreement and the terms of the Services Agreement, the terms of this BA Agreement shall prevail. The terms of the Services Agreement which are not modified by this BA Agreement shall remain in full force and effect in accordance with the terms thereof. This BA Agreement shall be governed by, and construed in accordance with, the laws of the State of California, exclusive of conflict of law rules. The Services Agreement together with this BA Agreement constitutes the entire agreement between the parties with respect to the subject matter contained herein, and this BA Agreement supersedes and replaces any former business associate agreement or addendum entered into by the parties. This BA Agreement may be executed in counterparts, each of which when taken together shall constitute one original. Any PDF or facsimile signatures to this BA Agreement shall be deemed original signatures to this BA Agreement. No amendments or modifications to the BA Agreement shall be effected unless executed by both parties in writing.